DIAL(Did I Alert Lambda?) is a centralised security misconfiguration detection framework which completely runs on AWS Managed services like AWS API Gateway, AWS Event Bridge & AWS Lambda

Overview

DIAL


dial-logo

Workloads on cloud provide equal opportunities for hackers as much as they do for internal teams. Cloud-native companies are open to attacks from both outside forces and from within. With ever growing risk of a security breach and cloud misconfiguration being one of the most common factor of the same, the mean time to detect is supposed to be reduced to seconds instead of minutes/hours/days. Hence, we introduce our inhouse tool DIAL(Did I Alert Lambda?) which helps us to monitor any number of AWS accounts at any given period of time.

What is DIAL?


DIAL(Did I Alert Lambda?) is a centralised security misconfiguration detection framework which completely runs on AWS Managed services like AWS API Gateway, AWS Event Bridge & AWS Lambda. Few of the key features of DIAL includes.

  • It's an event driven framework, because of which maximum detection time for any misconfigurations is < 7 seconds. MTTD(Mean Time to Detect) < 4 secs.
  • It will only be triggered when event of interest are generated.
  • Highly scalable and Cost efficient as it is built on top of AWS lambda and it gets triggered when events of interest are seen.
  • Modular architecture; Which means you can easily add more event handlers and usecases according to your needs.

To read more about the same, you can go through the following technical blog.

You will be getting actionable alerts as shown below with all the relevant details:

alert-1

alert-2

alert-3

alert-4

Architecture


dial-arch

The architecture is broken down into two different components:

  • Parent Controller
  • Child Controller

Child Controller; The child controller acts as an event handler, which needs to be deployed in all accounts/regions you want the detection framework, which is connected to Event Bridge as a trigger which in turn triggers Child controller when any event of interest happens. This controller is also responsible for sending out alerts to the user configured SLACK channel along with the severity that is defined under the config file. It then forwards the whole response object to the Parent controller for further processing and storage.

Parent Controller; DIAL’s framework just needs one Parent Controller which acts as an aggregator for your SIEM, IR and persistent storage of alerts. Parent Controller works along with API Gateway which is connected with one AWS Lambda at the backend, whose sole purpose is to collect data. The request to API gateway is supposed to be Authenticated which is again configurable according to end user’s needs.

Note: Here we have used TheHive project as an open source IR tool to ingest data, you can simply change the function on the Parent controller to send the response object to any SIEM/IR tool of your choice, just make sure to change the necessary parameters that needs to be added on top of it.

Services covered:


  • EC2
  • S3
  • IAM
  • Security Group
  • GuardDuty
  • VPC
  • RDS
  • DynamoDB
  • Secret Manager
  • Parameter Store(System Manager)

UseCases covered


We are currently releasing the detection module of DIAL, which will help you to detect any misconfigurations, we do plan to release the remediation module in near future. The following are the detection usecases that DIAL is currently capable of detecting and alerting.

  • IAM

    • Any priv escalations via “CreatePolicy/AttachPolicy/CreatePolicyVersion”
    • Inactive access Keys made public
    • Admin policy attached to any user/role
    • Console Sign In by any-user
    • MFA deleted/removed
  • S3

    • S3 bucket made public
    • S3 object made public
    • S3 bucket policy misconfigured
    • Misconfigured ACL for bucket/object
  • EC2

    • VPC Peering connection to unknown account
    • Laxed Security groups(0.0.0.0/0 access on ports)
    • Associating private subnet with public route table
    • Un realistic instance type creation(p4d.24xlarge etc)
  • Secret Manager/SSM Parameter Store

    • Critical secret parameters called by which user
    • Any deletion of secret parameters
  • Database(RDS/DynamoDB)

    • Snapshot creation of available DBs
    • Modification of DB to make them public
    • Creating DB with public access True
  • GuardDuty

    • Guard duty findings

Installation and Deployment


Please refer the following file

Owner
CRED
CRED
An async-ready Python wrapper around FerrisChat's API.

FerrisWheel An async-ready Python wrapper around FerrisChat's API. Installation Instructions Linux: $ python3.9 -m pip install -U ferriswheel Python 3

FerrisChat 8 Feb 08, 2022
An automated tool that fetches information about your crypto stake and generates historical data in time.

Introduction Yield explorer is a WIP! I needed a tool that would show me historical data and performance of my staked crypto but was unable to find a

Sedat Can Yalçın 42 Nov 26, 2022
Faux is a chatbot bridge between urbit and discord.

Faux Faux is a chatbot bridge between urbit and discord. Whenever a member posts in your discord group, a bot will echo their message in your urbit gr

10 Dec 27, 2022
Weee - Advanced project's versions bumper

Weee - Advanced project's versions bumper

Yan Kurbatov 2 Jun 06, 2022
Create a roles overview page for all Ansible roles/playbooks in Gitlab

ansible-create-roles-overview Overview The script ./create_roles_overview.py queries a Gitlab API for Ansible roles and playbooks. It will iterate ove

2 Oct 11, 2021
A file-based quote bot written in Python

Let's Write a Python Quote Bot! This repository will get you started with building a quote bot in Python. It's meant to be used along with the Learnin

Jyoti prakash Rout 1 Jan 08, 2022
A telegram bot that sends a meme a day, from reddit's top meme of the day

MemeBot A telegram bot that sends a meme a day, from reddit's top meme of the day You can use the bot either with an external scheduler (ex: pythonany

Michele Vitulli 1 Dec 13, 2021
Yes, it's true :purple_heart: This repository has 353 stars.

Yes, it's true! Inspired by a similar repository from @RealPeha, but implemented using a webhook on AWS Lambda and API Gateway, so it's serverless! If

510 Dec 28, 2022
One destination for all the developer's learning resources.

DevResources One destination for all the developer's learning resources. Find all of your learning resources under one roof and add your own. Live ✨ Y

Gaurav Sharma 33 Oct 21, 2022
WebCash is an experimental new electronic cash ("e-cash") that enables decentralized and instant payments to anyone

Webcash WebCash is an experimental new electronic cash ("e-cash") that enables decentralized and instant payments to anyone, anywhere in the world. Us

Bryan Bishop 24 Dec 11, 2022
Simple Discord bot for the Collectez community.

Harvey - Discord Bot Simple Discord bot for the Collectez community. Features Ping the current status of Collectez's Teztools node. Steal emojis from

delintkhaum 1 Dec 26, 2021
Heroku app to explore boardgame data

A Dashboard for the Board Game Geeks among us Link to Application As many Board Game Geeks like myself track the scores of board game matches I decide

Maarten Grootendorst 20 Nov 23, 2022
52pojie 吾爱破解论坛 签到 支持云函数/服务器等Py3环境运行

52pojie-Checkin 52pojie 吾爱破解论坛 签到 Py3单程序 支持云函数/服务器等Py3环境运行 只需要Cookie即可运行 新版说明 依赖包请用项目 https://github.com/BlueSkyXN/requirements-serverless 需要填写的参数有 co

BlueSkyXN 22 Sep 15, 2022
Trading bot - A Trading bot With Python

Trading_bot Trading bot intended for 1) Tracking current prices of tokens 2) Set

Tymur Kotkov 29 Dec 01, 2022
A Simple and User-Friendly Google Collab Notebook with UI to transfer your data from Mega to Google Drive.

Mega to Google Drive (UI Added! 😊 ) A Simple and User-Friendly Google Collab Notebook with UI to transfer your data from Mega to Google Drive. ⚙️ How

Dr.Caduceus 18 Aug 16, 2022
It was increasingly cumbersome to eye-grep CF output in the AWS console.

cfplot Overview It was increasingly cumbersome to eye-grep CF output in the AWS console. I couldn't find another tool out there to provide individual

46 Dec 26, 2022
Invites link generator for telegram(made for channel referral links)

InviteLinkGen Invites link generator for telegram(for channel referral links) made for @HelakuruEsana channel Spotify Giveaway

Jaindu Charindith 7 Feb 01, 2022
Generate and Visualize Data Lineage from query history

Tokern Lineage Engine Tokern Lineage Engine is fast and easy to use application to collect, visualize and analyze column-level data lineage in databas

Tokern 237 Dec 29, 2022
Simple-nft-tutorial - A simple tutorial on making nft/memecoins on algorand

nft/memecoin Tutorial on Algorand Let's make a simple NFT/memecoin on the Algora

2 Feb 05, 2022
Template to create a telegram bot in python

Template for Telegram Bot Template to create a telegram bot in python. How to Run First add src to PYTHONPATH: export PYTHONPATH=${PWD} Then run: pyt

Ali Hejazizo 12 Dec 24, 2022