DIAL(Did I Alert Lambda?) is a centralised security misconfiguration detection framework which completely runs on AWS Managed services like AWS API Gateway, AWS Event Bridge & AWS Lambda

Overview

DIAL


dial-logo

Workloads on cloud provide equal opportunities for hackers as much as they do for internal teams. Cloud-native companies are open to attacks from both outside forces and from within. With ever growing risk of a security breach and cloud misconfiguration being one of the most common factor of the same, the mean time to detect is supposed to be reduced to seconds instead of minutes/hours/days. Hence, we introduce our inhouse tool DIAL(Did I Alert Lambda?) which helps us to monitor any number of AWS accounts at any given period of time.

What is DIAL?


DIAL(Did I Alert Lambda?) is a centralised security misconfiguration detection framework which completely runs on AWS Managed services like AWS API Gateway, AWS Event Bridge & AWS Lambda. Few of the key features of DIAL includes.

  • It's an event driven framework, because of which maximum detection time for any misconfigurations is < 7 seconds. MTTD(Mean Time to Detect) < 4 secs.
  • It will only be triggered when event of interest are generated.
  • Highly scalable and Cost efficient as it is built on top of AWS lambda and it gets triggered when events of interest are seen.
  • Modular architecture; Which means you can easily add more event handlers and usecases according to your needs.

To read more about the same, you can go through the following technical blog.

You will be getting actionable alerts as shown below with all the relevant details:

alert-1

alert-2

alert-3

alert-4

Architecture


dial-arch

The architecture is broken down into two different components:

  • Parent Controller
  • Child Controller

Child Controller; The child controller acts as an event handler, which needs to be deployed in all accounts/regions you want the detection framework, which is connected to Event Bridge as a trigger which in turn triggers Child controller when any event of interest happens. This controller is also responsible for sending out alerts to the user configured SLACK channel along with the severity that is defined under the config file. It then forwards the whole response object to the Parent controller for further processing and storage.

Parent Controller; DIAL’s framework just needs one Parent Controller which acts as an aggregator for your SIEM, IR and persistent storage of alerts. Parent Controller works along with API Gateway which is connected with one AWS Lambda at the backend, whose sole purpose is to collect data. The request to API gateway is supposed to be Authenticated which is again configurable according to end user’s needs.

Note: Here we have used TheHive project as an open source IR tool to ingest data, you can simply change the function on the Parent controller to send the response object to any SIEM/IR tool of your choice, just make sure to change the necessary parameters that needs to be added on top of it.

Services covered:


  • EC2
  • S3
  • IAM
  • Security Group
  • GuardDuty
  • VPC
  • RDS
  • DynamoDB
  • Secret Manager
  • Parameter Store(System Manager)

UseCases covered


We are currently releasing the detection module of DIAL, which will help you to detect any misconfigurations, we do plan to release the remediation module in near future. The following are the detection usecases that DIAL is currently capable of detecting and alerting.

  • IAM

    • Any priv escalations via “CreatePolicy/AttachPolicy/CreatePolicyVersion”
    • Inactive access Keys made public
    • Admin policy attached to any user/role
    • Console Sign In by any-user
    • MFA deleted/removed
  • S3

    • S3 bucket made public
    • S3 object made public
    • S3 bucket policy misconfigured
    • Misconfigured ACL for bucket/object
  • EC2

    • VPC Peering connection to unknown account
    • Laxed Security groups(0.0.0.0/0 access on ports)
    • Associating private subnet with public route table
    • Un realistic instance type creation(p4d.24xlarge etc)
  • Secret Manager/SSM Parameter Store

    • Critical secret parameters called by which user
    • Any deletion of secret parameters
  • Database(RDS/DynamoDB)

    • Snapshot creation of available DBs
    • Modification of DB to make them public
    • Creating DB with public access True
  • GuardDuty

    • Guard duty findings

Installation and Deployment


Please refer the following file

Owner
CRED
CRED
ESOLinuxAddonManager - Very simple addon manager for Elder Scrolls Online running on Linux.

ESOLinuxAddonManager Very simple addon manager for Elder Scrolls Online running on Linux. Well, more a downloader for now. Currently it's quite ugly b

Akseli 25 Aug 28, 2022
Coronavirus whatsapp chatbot to give real time info on covid

Covy Developed a coronavirus whatsapp chatbot which gives case counts in a particular district, city, state or country. It also predicts future cases

Devinco (Rachit) 0 Oct 03, 2021
A python to scratch API connector. Can fetch data from the API and send it back in cloud variables.

Scratch2py Scratch2py or S2py is a easy to use, versatile tool to communicate with the Scratch API Based of scratchclient by Raihan142857 Installation

20 Jun 18, 2022
Python library for RetroMMO related stuff, including API wrapper

python library for RetroMMO related stuff, including API wrapper.

1 Nov 25, 2021
An API wrapper around the pythonanywhere's API.

pyaww An API wrapper around the pythonanywhere's API. The name stands for pythonanywherewrapper. 100% API coverage Most of the codebase is documented

7 Dec 11, 2022
Zalo AI challenge 2021 5K-Compliance

Zalo AI challenge 2021 5K-Compliance Prepare data: Dữ liệu của ban tổ chức cung

Nguyễn nhật hoàng 32 Nov 21, 2022
Build a better understanding of your data in PostgreSQL.

Data Fluent for PostgreSQL Build a better understanding of your data in PostgreSQL. The following shows an example report generated by this tool. It g

Mark Litwintschik 28 Aug 30, 2022
Telegram bot to check availability of vaccination slots in India.

cowincheckbot Telegram bot to check availability of vaccination slots in India. Setup Install requirements using pip3 install -r requirements.txt Crea

Muhammed Shameem 10 Jun 11, 2022
A client that allows a user, specifiy their discord token, to send images remotely to discord

ImageBot_for_Discord A client that allows a user, specifiy their discord token, to send images remotely to discord. Can select images using a file dia

0 Aug 24, 2022
Backlog API v2 Client Library for Python

BacklogPy - Backlog API v2 Client Library for Python BacklogPy is Backlog API v2 Client Library for Python 2/3 Install You can install the client libr

Koudai Aono 7 Dec 16, 2022
Yes, it's true :yellow_heart: This repository has 326 stars.

Yes, it's true! Inspired by a similar repository from @RealPeha, but implemented using a webhook on AWS Lambda and API Gateway, so it's serverless! If

510 Dec 28, 2022
Create a roles overview page for all Ansible roles/playbooks in Gitlab

ansible-create-roles-overview Overview The script ./create_roles_overview.py queries a Gitlab API for Ansible roles and playbooks. It will iterate ove

2 Oct 11, 2021
Bezlik Year Calendar Planner

Bezlik Year Calendar Planner Scribus script for creating year planners on one page A1 paper format. Script is based on Year-Calendar-Script-for-Scribu

Bohdan Bobrowski 2 May 24, 2022
Migration Manager (MM) is a very small utility that can list source servers in a target account and apply mass launch template modifications.

Migration Manager Migration Manager (MM) is a very small utility that can list source servers in a target account and apply mass launch template modif

Cody 2 Nov 04, 2021
A Telegram bot to all media and documents files to web link .

FileStreamBot A Telegram bot to all media and documents files to web link . Report a Bug | Request Feature 🍁 About This Bot : This bot will give you

Code X Mania 129 Jan 03, 2023
Discovery is an open-source Discord Bot with the main features Tickets, Moderation, Giveaways and Reaction roles.

Discovery is an open-source Discord Bot with the main features Tickets, Moderation, Giveaways and Reaction roles.

1 Dec 29, 2021
𝗖𝝠𝝦𝝩𝝠𝝞𝝥 𝝦𝗥𝝞𝗖𝝽°™️ 🇱🇰 Is An All In One Media Inline Bot Made For Inline Your Media Effectively With Some Advance Security Tools♥️

𝗖𝝠𝝦𝝩𝝠𝝞𝝥 𝝦𝗥𝝞𝗖𝝽° ™️ 🇱🇰 𝗙𝗘𝝠𝝩𝗨𝗥𝗘𝗦 Auto Filter IMDB Admin Commands Broadcast Index IMDB Search Inline Search Random Pics Ids & User I

Kɪꜱᴀʀᴀ Pᴇꜱᴀɴᴊɪᴛʜ Pᴇʀᴇʀᴀ 〄 13 Jun 21, 2022
WhatsApp Api Python - This documentation aims to exemplify the use of Moorse Whatsapp API in Python

WhatsApp API Python ChatBot Este repositório contém uma aplicação que se utiliza

Moorse.io 3 Jan 08, 2022
An inline Telegram bot to keep your private messages hidden from prying eyes.

Hide This Bot Hide This Bot is an inline Telegram bot to keep your private messages hidden from prying eyes.     How do I host it? Here is a brief gui

41 Dec 02, 2022
Demonstrating attacks, mitigations, and monitoring on AWS

About Inspectaroo is a web app which allows users to upload images to view metadata. It is designed to show off many AWS services including EC2, Lambd

Alex McCormack 1 Feb 11, 2022