Speakers
The True Power of AWS Tags
Speakers
Yoav Yanilov — Just your typical dev-turned-devops engineer, trying to make cloud security make sense.
Itamar Bareket — Island. DevOps Engineer @ Island, I solve problems for breakfast
Abstract
While AWS IAM is packed with ABAC features, enforcing who-can-tag-what at scale can be frustrating. We'll introduce the concept of "Control Tags", a tag-based control plane for tagging operations, and its applications at Similarweb, most notably enforcing the two-person rule for sensitive actions, resources and third-party systems like EKS and HashiCorp Vault.
Everything you never wanted to know about flow logs
Speaker
Daniel Wyleczuk-Stern — Daniel is a recent convert to the blue team after spending the majority of his career breaking systems at Praetorian and the US Air Force. At Snowflake, he spends his time improving the threat detection program. When he's not working, you can find him spending time with his wife and cats, enjoying a nice cup of coffee, or in the gym practicing Muay Thai and Brazilian Jiu Jitsu.
Abstract
In the world of security, network logs are fundamental to security operations and response. So what could possibly be new to learn? Like most simple things, the cloud's gone and *#?!ed it all up. In this talk, I'll be sharing my experience unraveling the unexpected and sometimes bizarre behavior of flow logs in the 3 major cloud service providers (AWS, Azure, and GCP). We'll summarize how the simple has become complicated and uncover some of the gotchas (some documented and some not) when using these logs. I'll walk through examples of how to actually derive value from these flow logs, using examples from an organization that collects and analyzes billions of records and hundreds of terabytes of flow logs per day.
Abusing the Replicator: Silently Exfiltrating Data with the AWS S3 Replication Service
Speaker
Kat Traxler — Vectra AI. Kat Traxler is the Principal Security Researcher for Public Cloud at Vectra AI with a primary focus on AWS, GCP and Cloud-Native infrastructure, and calls the Twin Cities home. She has spent her career performing penetration testing, security architecture design, and research in the areas of web security, IAM, payment technologies, and Cloud Native Technologies. She has presented at various conferences including SANS Security Summit and fwd:CloudSec on topics such as privilege escalation in GCP and bug-hunting in the cloud. In addition to her work at Vectra AI, she is also the author of SANS SEC549 - Enterprise Cloud Security Architecture and currently holds multiple GIAC certifications. Kat Traxler is obsessed with the attack surface at the confluence of Identity and Cloud Platform APIs and thinks you should be too.
Abstract
A comprehensive backup strategy is a cornerstone of any DR plan.
But how would you distinguish between legitimate backup activity and malicious data exfiltration?
Cyber attackers are increasingly gaining access to backup services, even those in the cloud, and leveraging them to exfiltrate data from across an organization's production environment. In this talk, we will look closely at how an attacker can abuse S3 Replication to efficiently migrate your data out of your environment.
The AWS S3 Service is no longer the 'Simple Storage Service' it was made out to be. With dozens of features and integrations, it has become the data store of choice for enterprise AWS customers. It has also become so complicated that it is difficult to understand, and thus to secure, all of its capabilities.
One of S3's numerous features is the capability to create and manage backups, across regions and accounts. Cross-account replication can assist organizations in recovery from a data-loss event. In the wrong hands, the replication service allows threat actors to siphon off data to untrusted locations.
In this talk, we'll demonstrate the techniques an adversary can employ to abuse the S3 Replication Service to exfiltrate data. I'll also highlight how the authorized movement of data via the S3 Replication Service is less than transparent, making it especially difficult to hunt for data exfiltration and enabling an attacker to hide their activity in plain sight within your cloud environment.
Security tools don't fix security issues; people do: How to make compliance data relatable and actionable
Speakers
Jay Thoden van Velzen — SAP. Jay heads the Multicloud SecDevOps team at SAP and comes with a background in analytics before finding his way into full-time security roles. Jay brings his experience in consulting, analytics, and security to multicloud security operations in order to drive security compliance efforts across a large and complex organization.
Andrea Edwards — SAP. I've been a SecDevOps Engineer for about a year and am enjoying it immensely. My specialities are documentation, data/reporting and security ops, and I am currently working on my Security+ certification and learning more about pen testing.
Abstract
SAP operates a multi-cloud landscape across AWS, Azure, GCP, Alibaba, AWS China and Azure China of over 10,000 cloud accounts, with a wide variety of internal and customer-facing workloads. These workloads are operated by hundreds of teams in business units across eight board areas, each with their own organizations, different levels of operational support or cloud-native sophistication, and multiple layers of organizational hierarchy - all of which can be hard to navigate, are rarely clear-cut and change quickly. Ensuring that security compliance scans are not just conducted across a landscape this large and varied, but also enriched with metadata collected through strict cloud asset management processes and shared through multiple layers of the organizational hierarchy, is a complex task. Along the way we ran into scalability challenges, had to make sense of a large data set, and had to figure out how to meet stakeholders where they are, with multiple data formats targeting different personas and roles. This came paired with organizational support structures, board area delegate weekly briefings, weekly Office Hours and executive reporting that brought accountability through the organization and drove remediation and enforcement efforts. We'd like to share our experience and successes in driving visibility and accountability up and down the organization to drive continuous improvements in SAP's security compliance posture in this complex landscape.
Auditing PassRole: Finding the Hidden Trails of a Problematic Privilege Escalation Permission
Speaker
Noam Dahan — Ermetic. Noam Dahan is a Senior Security Researcher at Ermetic with several years of experience in embedded security. He is a graduate of the Talpiot program at the Israel Defense Forces and spent several years in the 8200 Intelligence Corps. Noam was a competitive debater and is a former World Debating Champion.
Abstract
The iam:PassRole permission is one of the most common open privilege escalation vectors in AWS accounts today. The basic idea of iam:PassRole is simple: whenever a principal (which can be a user or a role; a human, code or a service) uses a service that needs to perform other actions, the AWS architecture often has that service assume an AWS role to perform the actions. When that happens, the service performing the actions is "passed" a role by the calling principal and implicitly (without performing sts:AssumeRole) assumes that role to perform the actions. The privileges associated with the role are different from — and can be greater than — those of the principal calling the action.
Consider launching an EC2 instance with a certain IAM Instance profile. The instance profile is resolved to an IAM role whose permissions determine what the instance can and can't do. Whenever behavior like this happens, AWS checks, behind the scenes, if the calling principal has the permission iam:PassRole to pass the role to the service.
PassRole is both a facilitator of critical privilege escalation and a permission that is remarkably difficult to monitor, control and write policies for.
In this talk, we'll walk through the work we did to automatically map hundreds of potential actions requiring iam:PassRole and the manual and automatic methods we used to sift through these to isolate the actions which truly require the permission. We'll discuss tips and tricks picked up along the way and how to use these to provision, control and limit iam:PassRole in AWS environments.
Cloudy with a chance of IoCs
Speaker
Zack Allen — Datadog. Zack Allen helps lead the Security Detection & Research efforts at Datadog. Previously, he worked in threat research for the US Air Force, Fastly, and ZeroFox. Outside of his professional life, Zack is a full-time dad and husband, MBA candidate at NYU Stern, a part-time red teamer for security competitions such as CCDC and ISTS, and a part-time independent researcher. He is also one of the founders of SPARSA, a 501(c)(3) non-profit organization dedicated to security education.
Abstract
An indicators of compromise (IoC) feed can be a useful tool in a defense-in-depth approach for security practitioners. IoCs help describe observed attacks in the wild, and are supposed to be validated by machines or humans before being disseminated for consumption. Creating, transforming, ingesting and disseminating IoCs is an industry in itself, and mostly focuses on artifacts seen on the network or host, which arguably exist solely in the data plane.
But what about IoCs for the control plane? In this talk, we'll describe how IoCs are typically used, how there aren't any good descriptions or resources for control-plane IoCs, and describe a methodology to shape control-plane IoCs into the MITRE ATT&CK Sightings format, ready to be consumed by cloud practitioners.
"Shifting right" with policy as code
Speaker
Gabe Schuyler — Wiz. Gabe is a seasoned security and automation practitioner with decades of experience. By day, he is a solutions engineer at Wiz, Inc., securing the cloud. Prior to that he worked at Palo Alto Networks, Puppet Labs, and Sony PlayStation. (He's in the credits of over twenty video games!) Off the clock, he tinkers with wireless, picks locks (poorly), and promotes the use of technology for positive social change.
Abstract
So you've "shifted left," adding security to the software development lifecycle. Developers are checking for vulnerabilities in their work as they create, merge, test, and deploy. But you're missing half the equation if you're not "shifting right," so to speak, to leverage developers' knowledge in the security practice as well.
"Policy as code" lets developers codify the expected inputs, outputs, and behavior of applications. And once codified, defenses can be kept always up-to-date, without slowing you down.
In this talk, you'll learn the basics of policy as code, see some real-world examples, and learn how to get started applying the technology and techniques in your own environment.
Defending against cloud cross-tenant vulnerabilities
Speakers
Tzah Pahima — Orca. Tzah Pahima is a cloud security researcher in Orca Security's vulnerability research team. He focuses on researching different cloud providers and exploiting flaws in the cloud ecosystem. His main specialties are vulnerability research and web security. Before joining Orca, Tzah served for five years in an Israeli military intelligence unit.
Yanir Tsarimi — Orca. Yanir is a cloud security researcher in Orca Security's vulnerability research team. Having years of experience in security and software, he hunts for vulnerabilities in the biggest cloud environments. He loves to search for practical, logical vulnerabilities with big impact.
Abstract
Recent events have shown that cloud cross-tenant vulnerabilities are very real and dangerous. Most of the vulnerabilities disclosed show that even if you do everything right in your cloud environment, you can still be at risk because of your cloud provider's mistakes.
In this talk, we will explore some of the recent vulnerabilities we've found in Azure, explain their impact, and show how you could still defend against them in case of exposure. While this talk focuses on Azure, the methods apply to all cloud providers alike.
Real-World Detection Evasion Techniques in the Cloud
Speaker
Christopher Doman — Cado Security. Chris Doman is a co-founder of Cado Security. He joined the industry after winning a cyber-security competition run by the US DoD. Chris is known for building the popular threat intelligence portal ThreatCrowd, which subsequently merged into the AlienVault Open Threat Exchange. Whilst working at PwC and AT&T AlienVault in research and development, Chris published a number of widely read articles and papers on targeted cyber attacks. His research on topics such as the North Korean government's crypto-currency theft schemes, and China's attacks against dissident websites, has been widely discussed in the media. He has given interviews to print, radio, and TV such as CNN and BBC News. Chris has previously spoken at conferences including Black Hat and various BSides.
Abstract
Recent cloud-focused malware campaigns have shown adversary groups possess an advanced knowledge of cloud technologies and their security mechanisms, with this knowledge being used to their advantage in a range of attacks. These attacks are no longer focused solely on cloud compute environments. Adversaries are now shifting focus to target serverless environments and containers.
In this session, Chris will provide an overview of three malware campaigns (TeamTNT, Denonia, Abcbot) where novel TTPs leveraged against cloud technologies were observed. Chris will guide the audience through notable examples of anti-forensics, credential theft and system-weakening techniques used in real-world attacks on cloud infrastructure. This includes techniques such as changing file timestamps post-compromise and evasion at the network level.
Unlocking Cloud Build Security with OIDC
Speaker
Zach Steindler — GitHub. Zach is a staff security engineer at GitHub, where he works on cloud security and container security internally, as well as open source security externally. He enjoys time away from the computer biking and homesteading.
Abstract
Isolated, ephemeral builders are table stakes for a secure build system, which is why people are turning to cloud CI/CD solutions like Tekton, GCP Cloud Build, or GitHub Actions. Moving your build to the cloud isn't all roses though, as existing build processes often rely on access to infrastructure on prem or in another cloud provider. In the past year, cloud CI/CD systems have added OIDC as a way to provide that access. This is quite different from an end-user OAuth2 flow, so we'll go over what it looks like, common security pitfalls, and how to avoid them. We'll then take it a step further and show how the open source sigstore project can use OIDC to attest to the build process, and even sign your builds without managing a private key.
Using AI to harden cloud security by mitigating IAM configuration errors
Speaker
Mikhail Kazdagli — Symmetry Systems. Mikhail Kazdagli is the Head of AI at Symmetry Systems Inc. Mikhail is responsible for bringing cutting-edge AI/ML research into production to identify potential vulnerabilities, detect malicious actors before they can incur significant damage, and improve security posture. At Symmetry Systems Mikhail leads the development of a threat intelligence platform, which has already been deployed to multiple Symmetry Systems clients, including Fortune 500 companies. Mikhail has an extensive background in computer security and machine learning. He holds a Ph.D. degree in Computer Security/ML from the University of Texas at Austin, USA.
Abstract
Modern software systems rely on mining insights from business-sensitive data stored in public clouds. A data breach usually incurs significant (monetary and reputational) loss for a company. Conceptually, cloud security heavily relies on Identity and Access Management (IAM) policies that IT admins need to properly configure and periodically update. Security negligence and human errors often lead to misconfigured IAM policies which may open backdoors for attackers. In this presentation, we present a framework for addressing these challenges. First, we demonstrate a novel visualization tool to uncover issues among IAM policies used by real-world commercial organizations. Second, we develop a novel framework to generate optimal IAM policies using constraint programming (CP). We use the least privilege principle as the optimality criterion, which intuitively means minimizing unnecessary permissions. Third, to make IAM policies interpretable, we use graph representation learning over the historical access patterns of users to encode similarity constraints: similar users should be grouped together within permission groups/roles. Finally, we describe multiple attack models and show that our optimized IAM policies significantly reduce the impact of security attacks, using real data from multiple commercial organizations and synthetic instances.
Achieving AWS IAM zen in a Google Cloud world
Speaker
Caleb Tennis — Sequoia Capital. Caleb is security principal at Sequoia Capital, overseeing global application and infrastructure security engineering efforts for the investing partnership. Prior to that he was a security engineering manager at Reverb (now Etsy), managing infrastructure and application security efforts for the e-commerce website. Caleb has been using AWS since 2009 and was an early practitioner of cloud security efforts for a multitude of startups.
Abstract
While AWS IAM can be a tricky beast, those of us in the cloud security practitioner world follow the best practices of reducing attack surface area by eliminating IAM user static credentials and relying on assume-role style access for our integrations with AWS APIs.
In Google Cloud, things aren't so great. Almost every reference document, third-party integration and API library you will run across gives the same advice: create a GCP service account, then download a static key file for that account and pass it around as needed. This is a huge step back on the security front, and very little discussion exists on how to improve the situation. Furthermore, if your organization uses Google Workspace, even if you aren't running any workloads in Google Cloud, it's very likely you have service accounts and static credentials floating around with access to key resources in your org - and don't know it.
Fortunately, there are solutions.
In this talk, we'll review the state of affairs as to how IAM auth in Google Cloud compares to that of AWS, and how Google Cloud and Google Workspace credentials overlap. We'll especially look at improvements to the process using Google's Workload Identity Federation, with emphasis on how to eliminate static credentials. We'll see that some Google tooling doesn't even work with their own solutions for authentication, and how you can work around it. And finally we'll look at how you can even leverage AWS IAM as an identity provider for Google Cloud.
The evolution of cloud security in a consolidating market - expanding quadrants
Speaker
Jeremy Snyder — Jeremy is a serial startup person with global experience. Jeremy has worked in cloud security since 2016 and is now the founder of a stealth-mode cyber startup. His career has spanned 5 startups (3 co-founded) and Amazon Web Services. Jeremy has a BA in Linguistics from UNC Chapel Hill and an MBA from George Mason. Jeremy has lived in 4 countries, speaks several languages, once went 3 days without seeing another human and another time got kicked off a train in central Sweden.
Abstract
Cloud security has seen a flood of acquisitions in the last 4 years. What does this mean? Are we really moving from "best in breed" to "best in suite"? While working in strategy and corporate development in this field, I developed a 4-quadrant view on cloud security that may be useful.
Cloudy With a Chance of Vulnerabilities - Finding and exploiting vulnerabilities in the cloud
Speakers
Sagi Tzadik — Wiz. Sagi Tzadik is a security researcher in the Wiz Research Team. Sagi specializes in research and exploitation of web application vulnerabilities, as well as network security and protocols. He is also a game-hacking and reverse-engineering enthusiast.
Nir Ohfeld — Wiz. Nir Ohfeld is a security researcher from Israel. Nir currently does cloud-related security research at Wiz. Nir specializes in the exploitation of web applications, application security and finding vulnerabilities in complex high-level systems.
Abstract
Cloud service providers (CSPs) offer immense and ever-growing functionality. While this greatly benefits organizations and their business, it also generates a much broader attack-surface compared to traditional application security research.
In this session, we share the methodologies and internally developed strategy we used to successfully uncover multiple critical vulnerabilities and design issues in the core of major CSPs. Covering the whole research process, from choosing a target to exploiting a remote code execution vulnerability on a managed service, we will explain how we found issues that affected thousands of cloud customers and organizations.
We will dive into the bits and bytes of some of our major findings (ChaosDB, OMIGOD, AWS confused deputy vulnerabilities, ExtraReplica and more), explain our mindset and approach, and discuss common pitfalls to avoid when performing a security audit of a target. Attendees should expect to better understand the fundamentals behind real-world cloud security exploits and gain practical tools to enhance their own independent cloud security research.
Human vs. Robot: Why you should automate your vulnerability management program
Speakers
Keziah Plattner — Airbnb. Keziah Plattner is a Senior Software Engineer at Airbnb. After getting her undergraduate and graduate degrees at Stanford University, she joined Airbnb's Information Security team. She started in Production Infrastructure Security and, after 3 years, moved to Vulnerability Management. She specializes in using a software engineering mindset to tackle security problems, and has worked on everything from cloud infrastructure security and patch management to the vulnerability management lifecycle. She lives in San Francisco with her partner and two cats and enjoys cooking, video games, and becoming a tarot expert in her free time.
Kadia Mashal — Airbnb. Kadia is currently an Engineering Manager at Airbnb. She started her career in Europe but now calls California home. Kadia has an electrical engineering background and over 10 years of Information Security experience. She has worked with multiple Silicon Valley startups and Fortune 100 companies on reducing security risk. Kadia is now leading an engineering team focusing on vulnerability management, offensive security, and infrastructure hardening.
Abstract
Vulnerability Management can be a tedious and time-consuming job of trying to sift through a never-ending stream of new, old or undefined CVEs. It can be challenging to prioritize severity-based SLAs when default assessments are inaccurate: they don't factor in the criticality of the affected asset, or understand custom infrastructure and existing mitigations and/or gaps. Ultimately, having low confidence in scanning results and reported vulnerabilities leads to alert fatigue and diminishes trust in the security team.
In our talk, we will lay out our team's approach towards automating vulnerability management for our entirely cloud-based infrastructure and why standard industry approaches were lacking. We will discuss our work of centralizing all vulnerabilities and automating detection, risk assessment, vulnerability reporting, and vulnerability fix verification in a scalable manner. We want to share how we developed internal tooling that allows us to be vendor agnostic, not rely on default risk severities, and reduce operational work as much as possible.
Secret Agents: Demystifying (and Pwning) Cloud Middleware
Speakers
Nir Ohfeld — Wiz. Nir Ohfeld is a security researcher from Israel. Nir currently does cloud-related security research at Wiz. Nir specializes in the exploitation of web applications, application security and finding vulnerabilities in complex high-level systems.
Rotem Lipowitch — Wiz. Rotem Lipowitch is a threat researcher at the Wiz Research team. She specializes in emerging cyber security threats and vulnerability analysis, researching and developing new ways to detect cyber security threats. Aside from infosec, Rotem loves interior design, painting, and CrossFit.
Abstract
In this session, we will unveil new research on the unseen risk of "cloud middleware" - the proprietary software that bridges customers' virtual machines and cloud service providers' integrations. We found that this software is commonly installed on customers' virtual machines without the customer's awareness or explicit consent and can often introduce new potential attack surfaces to cloud environments.
When Microsoft patched vulnerabilities found in the secretly installed agent Open Management Infrastructure (OMI), it was initially the customers' responsibility to update all the vulnerable agents running across their environments - agents they were not aware existed! Even today, the maintenance of implicitly-installed cloud agents does not perfectly fit the shared responsibility model. Are cloud service providers responsible for keeping the agents they are installing up-to-date as most customers expect? In our session, we will present unique statistics regarding how long cloud middleware agents remain vulnerable after exploits are made public, and discuss details about the patching process.
Dismantling the Beast: Formally Proving Access at Scale in AWS
Speakers
Nick Jones — WithSecure. Nick Jones is a principal consultant at WithSecure, where he leads the cloud security consulting team. He focuses on AWS security and attack detection in large, complex estates and forward-thinking cloud-native organizations. He has previously spoken at fwd:cloudsec, RSA, Def Con Cloud Village, t2 and others, and is an AWS Community Builder.
Mohit Gupta — WithSecure. Mohit Gupta is a senior consultant at WithSecure, where he specialises in AWS and Kubernetes, and is the technical lead for all things containerisation and orchestration. He has previously spoken at Steelcon, Def Con Cloud Village and Texas Cyber Summit.
Abstract
Identity and access management is proving to be one of the primary challenges in the cloud, at least partly due to the complexity of the systems involved. Nowhere is this more apparent than in AWS, which currently tracks over 13,000 unique granular permissions and at least 7 methods to approve or deny a particular action. Maintaining an accurate picture of who can really do what is challenging at best when combined with role assumption and the scale of some cloud estates, reaching hundreds or thousands of AWS accounts.
This talk demonstrates IAMSpy, a new policy analysis engine designed to operate offline against large AWS organizations and built on the same underlying technology powering AWS IAM Access Analyzer. IAMSpy uses an SMT solver to formally prove whether an action by a given IAM entity is possible against a particular resource. SMT solvers resolve whether a given mathematical formula (in our case, the set of conditions that make up an account's IAM configuration) is true for any set of input variables. This can then be used to resolve actions across entire organizations. The speakers will talk through several existing use cases and how to leverage it in your own projects, and discuss future directions for the tooling and technology.
Evading AWS GuardDuty and Network Firewall using Privacy Enhancing tech
Speaker
Dhruv Ahuja — Chaser Systems. Dhruv is a former SRE and presently the Chief Engineer at Chaser Systems. He's mostly Wiresharking, tinkering with PKI or tuning stacks as he had to once in the low-latency world of financial data, only this time for firewalls. He is also a Rust programmer, cares deeply about developer experience, dabbles in cryptography and holds a Master's degree in Advanced Software Engineering from King's College London. The most novel ideas occur to him when faced with a formidable opponent on the piste 🤺, led by such electrical signals to defeat that he suspects to be not tamper-resistant.
Abstract
AWS offer many threat-detection and containment services, some of which we have come to rely on for a sense of security. In this presentation, we will look at GuardDuty's network-related findings, Route 53 Resolver DNS Firewall and Network Firewall, and demonstrate evading them using commonly available tools.
The evasion techniques will be an application of privacy-enhancing technologies meant for individuals behind Great Firewalls which, in a role swap, have recently been seen used by malware (such as Denonia, discovered by Cado Security) to circumvent sensors built into AWS.
All hope is not lost, as we look at the Achilles heel, encrypted DNS masquerading as HTTPS traffic, and identify the infrastructure that enables it. Could GuardDuty be supplemented with this knowledge and alert on some of this?
In the case of Network Firewall, we look at the interplay between DNS and TLS to baffle it, and discuss how AWS' advice on mitigating that is neither robust nor practical.
Finally, with the upcoming TLS extension to encrypt the handshake a little more (ESNI/ECH), we look at VPC Flow Logs and Network Firewall again to discover their packet-parsing limits and therefore guide ourselves in hiding our tracks on them.
Stop Guessing and Start Proving: Demystifying AWS Zelkova
Speaker
Kaushik Devireddy — UCLA. Kaushik is an undergraduate student and sponsored researcher in the UCLA Connection Lab, working on the intersection of formal methods and cloud security. In addition, he is an intern at a cloud-security startup (dassana.io), blending his academic background in security with practical approaches.
Abstract
As cloud environments continue to explode in complexity, formal methods have started to gain attention for their potential to secure clouds at scale. AWS undoubtedly pioneered this space by developing Tiros + Zelkova and pushing their capabilities across the shared-responsibility boundary in the form of point solutions (e.g. Access Analyzer). We'll start by briefly discussing how your organization can find easy wins on existing infrastructure with these point solutions. However, the killer use case for formal methods is applying them pre-deployment, ensuring the cloud is "correct by construction". While Zelkova can be leveraged to do exactly this for IAM, it is not directly available to some customers. To address this, we implemented a simplified IAM policy parser which determines relative permissiveness using an SMT solver, based on the original Zelkova paper.
We'll take you through this process to explore what makes IAM policies difficult to evaluate, how Zelkova works, and Zelkova's quirks (are there instances where Zelkova can't compute permissiveness before timing out?). More importantly, we'll go through policy reasoning examples to argue that Zelkova's use of automated reasoning and formal guarantees is likely unnecessary for the problem space. To conclude the talk, we'll discuss what makes a good specification for Zelkova to verify. After all, your verification is only as strong as your specification. In doing this, we'll demonstrate why Zelkova's relative permissiveness API makes writing broad specifications difficult.
Ultimately, the audience will be encouraged to adopt formal method tooling such as Zelkova for their cloud environment, while remaining prudent about the value formal methods provide for their organization.
We built a community cloud vulnerability database, now what?
Video
Speakers
Alon Schindel — Wiz
Alon Schindel is the Director of Data and Threat Research at Wiz. He's an experienced cybersecurity professional who has filled various lead roles in both development and research of cybersecurity products and specializes in threats and how to detect them. In the past year, Alon has led the CloudCVE effort. He is also enthusiastic about data research and AI and holds an MSc in Computational Neuroscience from the Hebrew University.
Amitai Cohen — Wiz
Amitai is a Threat Researcher at Wiz, where he investigates cloud threats and works to advance research and detection methodology. Amitai is an experienced cyber threat intelligence analyst and writer who enjoys contemplating the philosophy of science, marveling at new technology and gadgets, and appreciating video games.
Abstract
The shared responsibility model is broken! In the pre-cloud era, the responsibility for security was fully in the hands of the users. Multiple recent cloud vulnerabilities, such as ChaosDB and ExtraReplica, revealed that the current cloud model isn't sufficient.
Companies are unable to keep up with cloud complexity, while vendors and cloud providers do not provide clear identification, tracking or severity for vulnerabilities discovered in their platforms. Moreover, there is an inherent lack of transparency, as cloud providers do not share full details of the exposure, impact or mitigation steps for vulnerabilities discovered in their platforms.
In the past year we initiated a community effort that started with characterizing the gaps in the current model and continued with building a new community-based cloud vulnerability database. We will share our insights from this process along with the learnings of the Wiz Research team from the disclosure process of multiple unprecedented vulnerabilities in Azure, AWS and GCP.
We will review the weaknesses of the cloud that the new central database unveils, and present novel findings about the security impact that results from the lack of a cloud vulnerability model. We will make the case for extending the current CVE model to be more cloud-friendly, as the current model is broken, and call on everyone to join the movement for change.
A Tacky Graph and Listless Defenders: Looking Beneath the Attack Surface
Video
Speaker
Jasmine Henry — JupiterOne
Jasmine is Field Security Director at JupiterOne, lead author of The 2022 State of Cyber Assets Report, and executive editor of "Reinventing Cybersecurity." She is an accidental career specialist in applied graph theory for cloud-native startup security. Jasmine has an MS in Informatics & Analytics from Lipscomb University in Nashville, TN. She is on the board of directors of The Diana Initiative. Jasmine has worked with Esper.io, IBM Security, HPE, the ADP Research Institute, Philips, the Tennessee Valley Authority (TVA), and other organizations in her career.
Abstract
John Lambert is well known for his quote, "Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win." But is this always true? Based on new research leveraging data across 1,300 organizations, we discovered areas where it is appropriate to continue using lists and other areas where graphs are more helpful to defenders. This presentation will examine various types of attack surfaces and attack paths to determine the type of techniques (e.g., lists vs graphs) and controls (e.g., bounded vs unbounded) that are potentially most useful for defenders.
We will also examine how different architectural designs might affect these attack surfaces and paths and how the principles of the D.I.E. Triad (distributed, immutable, ephemeral) influence the size of the attack surfaces and the depths of the paths that are underneath that surface.
Leveraging Azure Resource Graph for Good and for Evil
Video
Speaker
Darwin Salazar — Datadog
Product Detection Engineer @ Datadog. Formerly medical device security and cloud security consulting for a couple of Fortune 500s. I enjoy reading, working out, spending time with family and attending security conferences.
Abstract
Azure Resource Graph (ARG) is a little-known service that you interact with daily if you work with Azure. It powers the Azure Portal search bar, giving it God-level visibility across your assets. ARG Explorer is a sub-service that empowers you to carry out in-depth resource exploration across subscriptions with limited permissions. This makes it a double-edged sword and an extremely powerful tool for attackers in the Discovery phase. Resource Graph Explorer is faster, more efficient and less noisy than Azure CLI, PowerShell and various Azure pen-testing tools. In this session, you'll learn how to leverage Azure Resource Graph Explorer to enhance your organization's attack surface visibility, operations and security posture, as well as how to quickly identify vulnerable and critical assets, AKA attractive targets. You will also learn a bit of Kusto Query Language (KQL) Kung Fu!