DIAL(Did I Alert Lambda?) is a centralised security misconfiguration detection framework which completely runs on AWS Managed services like AWS API Gateway, AWS Event Bridge & AWS Lambda

Overview

DIAL


dial-logo

Workloads on cloud provide equal opportunities for hackers as much as they do for internal teams. Cloud-native companies are open to attacks from both outside forces and from within. With ever growing risk of a security breach and cloud misconfiguration being one of the most common factor of the same, the mean time to detect is supposed to be reduced to seconds instead of minutes/hours/days. Hence, we introduce our inhouse tool DIAL(Did I Alert Lambda?) which helps us to monitor any number of AWS accounts at any given period of time.

What is DIAL?


DIAL(Did I Alert Lambda?) is a centralised security misconfiguration detection framework which completely runs on AWS Managed services like AWS API Gateway, AWS Event Bridge & AWS Lambda. Few of the key features of DIAL includes.

  • It's an event driven framework, because of which maximum detection time for any misconfigurations is < 7 seconds. MTTD(Mean Time to Detect) < 4 secs.
  • It will only be triggered when event of interest are generated.
  • Highly scalable and Cost efficient as it is built on top of AWS lambda and it gets triggered when events of interest are seen.
  • Modular architecture; Which means you can easily add more event handlers and usecases according to your needs.

To read more about the same, you can go through the following technical blog.

You will be getting actionable alerts as shown below with all the relevant details:

alert-1

alert-2

alert-3

alert-4

Architecture


dial-arch

The architecture is broken down into two different components:

  • Parent Controller
  • Child Controller

Child Controller; The child controller acts as an event handler, which needs to be deployed in all accounts/regions you want the detection framework, which is connected to Event Bridge as a trigger which in turn triggers Child controller when any event of interest happens. This controller is also responsible for sending out alerts to the user configured SLACK channel along with the severity that is defined under the config file. It then forwards the whole response object to the Parent controller for further processing and storage.

Parent Controller; DIAL’s framework just needs one Parent Controller which acts as an aggregator for your SIEM, IR and persistent storage of alerts. Parent Controller works along with API Gateway which is connected with one AWS Lambda at the backend, whose sole purpose is to collect data. The request to API gateway is supposed to be Authenticated which is again configurable according to end user’s needs.

Note: Here we have used TheHive project as an open source IR tool to ingest data, you can simply change the function on the Parent controller to send the response object to any SIEM/IR tool of your choice, just make sure to change the necessary parameters that needs to be added on top of it.

Services covered:


  • EC2
  • S3
  • IAM
  • Security Group
  • GuardDuty
  • VPC
  • RDS
  • DynamoDB
  • Secret Manager
  • Parameter Store(System Manager)

UseCases covered


We are currently releasing the detection module of DIAL, which will help you to detect any misconfigurations, we do plan to release the remediation module in near future. The following are the detection usecases that DIAL is currently capable of detecting and alerting.

  • IAM

    • Any priv escalations via “CreatePolicy/AttachPolicy/CreatePolicyVersion”
    • Inactive access Keys made public
    • Admin policy attached to any user/role
    • Console Sign In by any-user
    • MFA deleted/removed
  • S3

    • S3 bucket made public
    • S3 object made public
    • S3 bucket policy misconfigured
    • Misconfigured ACL for bucket/object
  • EC2

    • VPC Peering connection to unknown account
    • Laxed Security groups(0.0.0.0/0 access on ports)
    • Associating private subnet with public route table
    • Un realistic instance type creation(p4d.24xlarge etc)
  • Secret Manager/SSM Parameter Store

    • Critical secret parameters called by which user
    • Any deletion of secret parameters
  • Database(RDS/DynamoDB)

    • Snapshot creation of available DBs
    • Modification of DB to make them public
    • Creating DB with public access True
  • GuardDuty

    • Guard duty findings

Installation and Deployment


Please refer the following file

Owner
CRED
CRED
Python client for the iNaturalist APIs

pyinaturalist Introduction iNaturalist is a community science platform that helps people get involved in the natural world by observing and identifyin

Nicolas Noé 79 Dec 22, 2022
A Telegram bot written in python.

telegram_bot This bot is currently a beta project. Features A telegram bot which can: Send current COVID-19 cases/stats of Germany Send current worth

HuhnCares 1 Jan 11, 2022
Creates Spotify playlists from Spinitron playlists.

spin2spot Creates Spotify playlists from Spinitron playlists. Quick Start You can use spin2spot as a command-line tool: Erik Didriksen 1 Aug 28, 2021

This is a scalable system that reads messages from public Telegram channels using Telethon and stores the data in a PostgreSQL database.

This is a scalable system that reads messages from public Telegram channels using Telethon and stores the data in a PostgreSQL database. Its original intention is to monitor cryptocurrency related ch

Greg 3 Jun 07, 2022
A tool to build scripts to toggle between minimal & default services in Windows based on user defined lists.

A tool to build scripts to toggle between minimal & default services in Windows based on user defined lists.

AMIT 29 Jan 01, 2023
PlexAutoSkip - Automatically skip content in Plex

PlexAutoSkip Automatically skip tagged content in Plex A background python scrip

Michael Higgins 97 Dec 21, 2022
The aim is to contain multiple models for materials discovery under a common interface

Aviary The aviary contains: - roost, - wren, cgcnn. The aim is to contain multiple models for materials discovery under a common interface Environment

Rhys Goodall 20 Jan 06, 2023
Talon accessibility - Experimental Talon integrations using macOS accessibility APIs

talon_accessibility Experimental Talon integrations using macOS accessibility AP

Phil Cohen 11 Dec 23, 2022
A multi-purpose Discord bot with simple moderation commands, reaction roles, reminders, and much more!

Nokari This is the rewrite of Nokari. There are still a lot of things to be done. I'm still working on the internal logic, so the bot basically has no

Norizon 13 Nov 17, 2022
A modular dynamical-systems model of Ethereum's validator economics.

CADLabs Ethereum Economic Model A modular dynamical-systems model of Ethereum's validator economics, based on the open-source Python library radCAD, a

CADLabs 104 Jan 03, 2023
Semplice pagina di informazione per sapere se e quando è uscito Joypad, il podcast a tema videoludico di Matteo Bordone (Corri!), Francesco Fossetti (Salta!) e Alessandro Zampini (Spara! per finta).

È uscito Joypad? Semplice pagina di informazione per sapere se e quando è uscito Joypad, il podcast a tema videoludico di Matteo Bordone (Corri!), Fra

Paolo Donadeo 32 Jan 02, 2023
4 Oct 28, 2021
Enumerate Microsoft 365 Groups in a tenant with their metadata

Enumerate Microsoft 365 Groups in a tenant with their metadata Description The all_groups.py script allows to enumerate all Microsoft 365 Groups in a

Clément Notin 46 Dec 26, 2022
An script where it logs in your instagram account and follows people and likes their posts

InstaFollower An script where it logs in your instagram account and follows people and likes their posts (uses the tags to fetch people) Requirements:

Bless 3 Nov 29, 2022
A discord program that will send a message to nearly every user in a discord server

Discord Mass DM Scrapes users from a discord server to promote/mass dm Report Bug · Request Feature Features Asynchronous Easy to use Free Auto scrape

dropout 56 Jan 02, 2023
AWS Lambda - Parsing Cloudwatch Data and sending the response via email.

AWS Lambda - Parsing Cloudwatch Data and sending the response via email. Author: Evan Erickson Language: Python Backend: AWS / Serverless / AWS Lambda

Evan Scott Erickson 1 Nov 14, 2021
A simple Discord bot that can fetch definitions and post them in chat.

A simple Discord bot that can fetch definitions and post them in chat. If you are connected to a voice channel, the bot will also read out the definition to you.

Tycho Bellers 4 Sep 29, 2022
A Bot To Find Telegram User ID Easily

Telegram ID Bot 🤖 A Bot To Find Telegram User ID Easily Made with Python3 (C) @BXBotz Copyright permission under MIT License License - https://githu

MuFaz-TG 6 Nov 21, 2022
Twitter FakeNFT With Python

This project is a server that fetches your Twitter profile picture and applies the hexagonal transparency mask displayed on the profiles of users who have an NFT profile picture.

Mathis HAMMEL 29 Apr 23, 2022
Url-shortener - A url shortener made in python using the API's from the pyshorteners lib

URL Shortener Um encurtador de link feito em python usando as API's da lib pysho

Spyware 3 Jan 07, 2022