Speakers
A practitioner's playbook to shift (all the way) left, to build secure serverless GenAI applications in public cloud
Theme: Democratize Cloud Security Models and Organizations
Speaker
Murali M
Have been building Software and Product Teams for about 25 years and over the last 7 years as a CTO at Softrams, one of the fastest-growing digital services firms working with Federal Agencies, leveraged various strategies and frameworks used in this talk to deliver empowering software solutions, in some of the most demanding environments. We grew from about 40 to 650+ strong team in the last 7 years and supported a variety of workloads and digital transformations for products that have been evolving over 20+ years. I bring a more practical systems approach to building teams and software and a full product life cycle view as a CTO.
Abstract
The “Shift Left” concept is not a new one, as it advocates for the early integration of security into the software development lifecycle. However, many organizations and practitioners tend to only shift application security “testing” to the left. It is imperative and even more relevant for GenAI applications that teams consider security as part of the overall experience and at every stage of the life cycle, not just during development life cycle but throughout the product life cycle.
It is not practical for a majority of teams and organizations to build, train and deploy their own LLMs to build GenAI applications. Many organizations, small and large, use “hosted” and “fully managed” LLMs and serverless solutions like OpenAI API, Azure OpenAI Services, AWS Bedrock or Google Vertex AI.
This field is fast evolving and not many teams fully grasp the security boundaries, shared responsibility implications of generative AI solutions built on top of these serverless services. And GenAI systems are not traditional deterministic solutions either, to test and certify deterministic behavior. At best, many teams are trying to map their experiences building and operating traditional software solutions to this new breed of generative AI applications.
In this talk, would like to share our journey and practical examples of building variety of chatbots (Q&A, Conversational, AI for BI and Chatbots with RAG) and Agents, including threat modeling for GenAI Applications particularly in the context of serverless applications like building using AWS Bedrock, how to build guardrails at design time, RBAC for RAG Knowledge bases and continuous monitoring and evaluation strategies beyond traditional vulnerability management.
AWS Data Perimeter at USAA - Things we knew, things we thought we knew and things you should know!
Theme: A Long Train of Abuses and Usurpations
Speakers
Tyler Warren
Tyler Warren helps lead USAA’s cloud security engineering teams and has over 10 years experience in IT. Outside of work, he enjoys cheering on his hometown team, the San Antonio Spurs, and spending time chasing his raucous young son with his amazing wife.
Caleb McDonald
Caleb is an enterprise architect responsible for Data Security at USAA. He has 19 years of experience in consulting and financial services industries.
Abstract
Many companies see the value of least privilege controls within AWS to ensure a secure cloud data perimeter. However, in reality, implementing your cloud native data perimeter may not be as simple as it seems. What appears to be a straightforward effort on the surface actually requires careful analysis for considerations such as the various data plane control points in the cloud, meeting your own standards for internal and external zones of trust, data movement across hybrid networks, ensuring a positive developer experience, and strategies to minimize operational complexity.
In this talk, we’ll dissect the data perimeter controls we’ve implemented in our AWS environment, including things we wished we knew when we started, cloud native service capabilities we wished we had, and shed light on potential pitfalls that could lead to security control gaps, operational inefficiencies and technical debt.
Balancing Security and Costs in AWS VPC Interface Endpoints
Theme: Democratize Cloud Security Models and Organizations
Speaker
Meg Ashby
Meg is a Senior Cloud Security Engineer at Alloy, a NYC-based FinTech. As part of her role, she does a bit of everything and everything as relates to AWS and security. Previously, she worked in security and software engineering at Marcus by Goldman Sachs, and received a degree in Honors Mathematics (aka ‘math party tricks’) from the University of Texas at Austin. Outside of work, Meg enjoys taking ballet classes around the city with her friends.
Abstract
Many AWS cloud practitioners know VPC Endpoints (VPCEs) are best practice for securely accessing AWS and partner services privately within a VPC, but those who have worked with Interface VPCEs can tell you the per-hour running costs of those VPCEs can add up quickly. Thankfully, AWS provides a solution - a centralized access pattern for sharing Interface VPCEs and subscribing to those VPCEs from multiple VPCs. There is just one catch - with shared VPCEs come shared VPCE policies, traditionally limiting the specificity of such policies. Must least privilege be sacrificed to make the finance team happy? Not any longer! This session will cover how practitioners can shape their centralized VPCE policies to mimic functionality available in a distributed VPCE architecture.
To level set understanding, this talk will cover a short overview of the centralized VPCE architecture, but familiarity with VPCs and Interface VPCE functionality and concepts will be assumed. Following that, we will cover VPC connectivity options (VPC Peering and Transit Gateway) and high-level considerations including character limits on the VPCE policies and how VPCE policies interact with IAM-policies and resource-based policies. Then we will cover key IAM policy condition keys which can be used to restrict policies based on VPC / CIDR blocks (for subnet-level controls). Finally we will put it all together with a live demo of various VPCE policies in action in a centralized VPCE architecture. At the end of the talk participants will understand the centralized VPCE architecture and how to utilize Interface VPCE policies to design distinct permissions for each subscribed VPC.
Behind the Curtain: Unmasking the Hidden APIs of Azure and Entra
Theme: A Long Train of Abuses and Usurpations
Speaker
Aled Mehta
Aled is an experienced security professional focusing primarily on cloud security research, having worked with Microsoft Cloud services for 9+ years. Since establishing Dolphin Labs in 2024, his primary focuses have been exploring nuanced and novel security issues in Microsoft cloud services, developing security tooling, and sharing knowledge and learnings with the wider security community.
Abstract
Cloud Security Practitioners are typically familiar in the publicly documented APIs provided by cloud services, understanding their core potential for both defensive and offensive security strategies. Despite this familiarity, the nuanced implementation of these APIs often introduces significant security challenges.
Yet, these challenges extend beyond these documented interfaces. What about the APIs that remain undocumented? As organizations enhance their security operations, Microsoft improves detective and logging capabilities, and as third-party tools simplify implementation and adoption, adversaries increasingly seek out less protected or monitored attack vectors.
These vectors often include legacy and undocumented APIs, which, due to their obscurity, are less likely to be monitored or restricted appropriately.
This talk aims to shed light on some of these lesser-known APIs within Azure and Entra, exploring their potential for exploitation and, crucially, the measures Cloud Security Practitioners can take to mitigate these risks. In some instances, coverage gaps exist at the platform level, offering limited recourse for defenders.
Through the documentation of these APIs’ functionality, detectability, and impact, we aim to provide the Cloud Security community with the knowledge to close some of these gaps, enabling more secure and resilient cloud environments.
Bulletproofing Your Cloud: Lessons from inside the Borg
Theme: Democratize Cloud Security Models and Organizations
Speaker
David Challoner
Hi - I’m a TL for Google’s Regulated Cloud - our team builds and operates the systems that are used across Cloud and Google to implement different types of compliance and data access controls. These systems enable Google Cloud offerings like Assured Workloads or Access Transparency.
Abstract
This talk will delve into the security controls of Google’s internal cloud (a.k.a Borg), the differences when running workloads on GCP, and how to bridge the gap - giving examples how you can do the same (either on GCP or in your own infrastructure).
Cloud Service Provider Partnership Portals: A Perfect Storm Of Half-Baked IAM Controls, Non-Technical Users, And Permissions-Hungry Vendors
Theme: A Long Train of Abuses and Usurpations
Speaker
Laura Haller
Laura Haller is a Senior Cloud Security Engineer at HashiCorp with just under a decade of experience in the fields of security engineering and cloud security. Prior to HashiCorp, she assisted financial institutions such as Capital One and Charles Schwab during their respective migrations from on-prem to AWS and GCP, and received a sometimes-useful-at-defcon Electrical Engineering degree from the University of Illinois. When she’s not spelunking into the depths of Azure during her day job, she finds great value in mentoring women who are new to the field or trying to break in.
Abstract
While Cloud Service Provider (CSP) Partner Centers don’t contain traditional cloud infrastructure like VMs, ALBs, or VPCs, they are a crucial part of the cloud ecosystem: they’re how your company delivers marketplace offerings to other cloud customers. If they’re compromised, your company’s reputation is on the line, and compromised offerings could wreak havoc in customer environments.
The talk will dive into the technical details of how these portals fail to give security teams a full set of guardrails, how cloud security practitioners can work with what’s currently given to them, and how CSPs can improve their offerings.
This talk is particularly relevant for those who work at companies that publish products to the public cloud marketplaces, and possibly eye-opening for those that work at companies that consume those offerings.
Cloudy with a Chance of Chaos: Do you have your own "Shared Responsibility Model" for security "IN" the cloud ready?
Theme: Democratize Cloud Security Models and Organizations
Speaker
Kushagra Sharma
Kushagra is a Senior Security Engineer at Booking.com in the cloud security space. He previously worked with FinTech scale-ups and in the consulting industry architecting and building solutions in regulated hybrid cloud environments with the goal to make security frictionless. A strong believer of a Cloud-First strategy with a Cloud-Native approach.
Abstract
Everyone must’ve heard about the AWS Shared Responsibility Model referred to as Security OF the Cloud versus Security IN the Cloud.
Let’s simplify the AWS model: Imagine you’re building a house. You hire a construction company to build the foundation, walls, and roof (eg: Amazon Web Services - AWS). They make sure the structure is strong and secure, and they also put up some basic security measures like fences and gates around the property (eg: physical data center security).
However, once the house is built, it’s up to us to make sure everything inside is safe. we need to lock the doors, close the windows (eg: preventative controls like SCPs), and install a security system (eg: detective/monitoring controls) - this is our responsibility as the customer for using AWS services.
That’s a good model, right? We have clear segregation in terms of responsibilities between our cloud provider and us as a customer BUT often what most organizations miss is that the Security IN the Cloud which is the customer responsibility needs to have a clear division and definition of responsibilities within their organization.
So in session, we’ll take you through Booking.com journey to define our own Shared Responsibility Model which helped us optimise resource allocation, mitigate risks, ensure compliance, adopting a collaborative approach to safeguarding our AWS resources and setting the expectation right for development teams in an ever-changing threat landscape.
Detecting Cloud Threats with Dynamic Clouds
Theme: A Long Train of Abuses and Usurpations
Speakers
Nathaniel "Q" Quist
Nathaniel Quist is the Manager for Prisma Cloud’s Threat Intelligence Team, working with Palo Alto Networks’ Unit 42 threat research team to identify and track threat actor groups who target and leverage public cloud platforms, tools, and services. He holds a Master of Science in Information Security Engineering (MSISE) from The SANS Institute and is the author of multiple blogs, reports, and whitepapers published by Palo Alto Networks’ Unit 42 and Prisma Cloud and the SANS InfoSec Reading Room.
William Gamazo
Nelson William Gamazo Sanchez is a Principal Researcher at Palo Alto Networks, currently working on Cloud Security. Prior to joining Palo Alto Networks he was a Threat Security Researcher at ZDI Trend Micro, in the Threat Hunting Team, leading the ITW hunting initiative where he published and presented multiple and unique findings. He has worked in the security field since 2000, playing different roles in multiple security-oriented companies, including anti-malware and computer forensics companies where he has worked in multiple areas as reversing engineer, vulnerability analyst, vulnerability researcher and threat researcher. Nelson William Gamazo Sanchez is an engineering graduate and has a Master’s degree in Teleinformatics.
Abstract
In the rapidly changing cybersecurity landscape, fully automated and dynamically scaled offensive cloud-targeted attacks are evading some of our strongest defensive strategies. In this presentation, we introduce the “ HoneyCloud “ project - a novel approach for collecting and analyzing cloud-centric cyber threats. This talk aims to provide a comprehensive understanding and analysis of how our cloud environments are targeted by fully automated and dynamically scaled offensive operations. We will discuss how the design and implementation of a HoneyCloud can allow researchers to forensically collect malicious operations from live cloud environments. During this presentation, we will deep-dive into three real-world threats displaying the capabilities of this detection platform. First, The EleKtra-Leak Attack - a cryptojacking operation beginning with exposed credentials in a public GitHub repository. The second, P2PInfect - a novel peer-to-peer worm. The third event, called RansomWorm - a ransomware and extortion operation targeting cloud storage and database services, also triggered reconnaissance indicators in our HoneyCloud before the incident was reported. We will discuss how threat actors have improved their secret scanning services and how they increased their effectiveness in controlling cloud resources, as well as where the threat actor’s OPSEC mistakes lead to their geolocation exposure. The audience will walk away with knowledge of how a HoneyCloud project can collect cloud-targeting Indicators of Compromise (IOCs) and the unique capabilities of the project for tracking Cloud Threat Actor Groups (CTAGs) within live cloud environments. Using real cloud threat findings, the audience will discover how CTAGs target weak cloud deployments at scale, allowing them to compromise hundreds of victims within minutes. We will demonstrate how HoneyCloud can automate the collection of highly automated and dynamically scalable cloud-targeted cyber attacks. This session aims to present a novel approach for enhancing threat discovery for cybersecurity professionals seeking to understand how threat actors are targeting and manipulating cloud environments.
Discover the AWS Account ID of any S3 bucket
Theme: A Long Train of Abuses and Usurpations
Speaker
Sam Cox
Sam is the CTO & co-founder of Tracebit where he’s building a platform that deploys and leverages cloud honeypots for intrusion detection. He previously led engineering teams to architect and build cloud-native SMTP gateways at scale at Tessian. He’s interested in all things cloud security and is particularly susceptible to going down any rabbit holes involving CloudTrail!
Abstract
This talk presents a new technique for discovering the AWS Account ID of private S3 buckets where previously this was only possible for public buckets. We’ll break down this intricate technique, invite participants to consider where else they could apply a similar approach and explore the implications of S3 bucket’s Account IDs now becoming public. We’ll use the interaction of IAM condition keys, VPC Endpoint policies and CloudTrail to uncover the account ID of a bucket to which we don’t have access.
Don't water your AI Security frameworks garden!
Theme: Democratize Cloud Security Models and Organizations
Speaker
Natalia Semenova
Natalia is a cybersecurity professional based in Toronto, Canada. She has over 15 years of experience in cryptography, identity and access management and cloud security. Within the past 3 years Natalia has been doing extensive research in AI security and MLSecOps as a part of her work at Google. She is passionate about open source and mentoring the new generation of cybersecurity specialists.
Abstract
You have just finished mapping your cloud security controls to NIST CSF/ISO27001… and now have to deal with NIST AI RMF, MITRE ATLAS and ISO27053, because your organization is adopting AI/ML. Do you really need to water this enormous garden of frameworks? Would it be possible to make a neat herbarium instead and reuse already existing mappings to demonstrate your compliance? Do all major cloud providers (AWS, Azure, GCP) even offer similar controls for MLSecOps? In this talk I will explain how you can reuse existing control mappings for a multi-cloud environment to shorten the time you need to complete AI/ML compliance report and identify missing MLSecOps controls.
Engineering Chaos to Secure Cloud Foundations
Theme: Declare Cyber Sovereignty
Speaker
Jonathan Walker
With over a decade of hands-on experience with AWS and six years of leadership in infrastructure security, I bring a wealth of knowledge in protecting cloud infrastructure. As a former Senior Engineering Manager of Infrastructure Security at Tinder, I have a proven track record of effectively mitigating critical alerts, optimizing controls, and streamlining security programs and processes.
Abstract
Alert fatigue is a constant battle we all must fight on a daily basis as cloud security practitioners. Keeping your alerts as high signal as possible while ensuring you have appropriate coverage of your security posture is critical to keeping your posture moving in a positive direction. In this talk we will be demonstrating how you can incorporate security chaos engineering to identity areas lacking coverage and ensure you are getting the alerts that matter to you.
Forged in Fire: Forging a Multi-Cloud Open Source Swiss-Army Knife
Theme: Declare Cyber Sovereignty
Speakers
Toni de la Fuente
I’m the creator of Prowler Open Source, the tool for cloud security, co-founder and CTO at Prowler. I also worked for AWS as senior security engineer, senior security consultant and incident responder. I’m passionate about FLOSS (Free Libre Open Source Software) in general and Information Security, Incident Response and Digital Forensics in particular. I like everything related to cloud computing and automation. Over the last 25 years done some things for security and the Open Source community like phpRADmin, Nagios plugins, Alfresco BART (backup tool). I’ve also contributed in books and courses related to Linux, Monitoring and AWS Security for Packt Publishing. I spoke on many conferences including BlackHat, DEFCON, RootedCon, BSides Vegas, BSides Augusta and others.
Sergio Garcia
I’m a Cloud Security Engineer with mainly experience in AWS. Among my roles, I completed an internship in Amazon and support a digital bank to secure its assets in the cloud for 2 years. I’m passionate about cloud automation, even more if it helps to ease the security management. Currently, I am working at Prowler being one of the maintainers of Prowler Open Source, since 2 years.
Abstract
Do you want to build a big OSS swiss-army knife tool? Go for it my friends, but please know: it’s dangerous to go alone.
After 12 years of securing cloud workloads and building open-source cloud security tools, I will share my expertise, war stories, and gotchas on how cloud security has evolved over the years by way of AWS, Azure, Google Cloud and Kubernetes; and how you can meet the challenges of securing a multi-cloud environment without dying trying.
In the dynamic world of cloud computing, navigating the complexities of building an open-source security tool for multi-cloud environments is very difficult. This talk will walk you through the challenges of authentication, variety of SDKs (python in this case), cloud provider inconsistencies and the madness of compliance and attribute mapping; the trials and tribulations of allowing users to build their own visualization; and creating output and reporting formats to satisfy compliance officers, auditors, and practitioners.
You will walk away with a better understanding of how to improve your security posture by building a multi-faceted tool and also with tips for keeping the tool simple, effective, and user-friendly.
Join us for a session full of fire, iron and, why not, a bit of blood and tears to forge your best tool in your arsenal.
Outline:
Introduction (5 minutes):
- Brief personal introduction and background in cloud security and open-source tools.
- Overview of the evolution of cloud computing and security challenges across AWS, Azure, Google Cloud, and Kubernetes.
- Highlight the main goal: to share knowledge on building a robust, multi-cloud open-source security tool.
The Genesis of Multi-Cloud Security Tools (5 minutes):
- Historical context: the early days of cloud computing and initial security challenges.
- The evolution of threats and security measures over the past 12 years.
- The motivation behind creating a tool for cloud security.
Core Challenges and war-stories in Multi-Cloud Environments (25 minutes):
- Authentication maze: navigating through different cloud providers and their authentication and authorization capabilities.
- SDK diversity: handling Python SDKs across AWS, Azure, Google Cloud and Kubernetes.
- Cloud provider inconsistencies: dealing with varying features and services.
- Compliance and attribute mapping madness: satisfying diverse regulatory requirements and how to make it easier.
- Results and reporting: crafting output formats that meet the needs of compliance officers, auditors, and practitioners alike.
- UI-UX and User-Driven visualization: allowing users to customize their security visibility.
- Performance: Concurrency, throttling and other cloud APIs tales.
Maintaining Your Tool now and in the future: Best Practices and Lessons Learned (5 minutes):
- Open Source Cloud Security Community is a different Open Source Security Community.
- Insights on future-proofing your security tool against evolving threats and cloud services.
Conclusion and Q&A (5 minutes):
- Recap of the key points covered and the importance of a robust multi-cloud security tool.
- Encouragement and advice for those embarking on the journey of building their own open-source tools.
- Open floor for questions, sharing experiences, and further discussion.
Freeing Identity From Infrastructure: Automating Virtual Cloud IAM in a Multi-Account, Multi-Cloud Environment
Theme: Declare Cyber Sovereignty
Speaker
Ian Ferguson
Ian Ferguson is a Staff Engineer at Datadog, where he works in the infrastructure group that builds and operates Datadog’s cloud and Kubernetes platforms.
Abstract
Our organization runs dozens of Kubernetes clusters, tens of thousands of hosts, and millions of containers in a multi-cloud environment that includes AWS, Azure, and Google Cloud resources. When we designed this infrastructure, we had to ensure that the hundreds of engineers working on our product could safely and easily access resources across these different cloud providers.
To achieve this, we have built a zero-configuration injected sidecar container that emulates cloud provider instance metadata service (IMDS) APIs. We are now able to transparently provide our Kubernetes pods access to resources in cloud providers and accounts independently of what cloud platform the underlying virtual machine is in—and without engineers needing to write code in their services to configure provider-specific credentials.
We’ll talk about how baking identity- and security-focused automation into our runtime platforms allowed us to produce a system that was good for user experience, operator efficiency, and security efficacy. Then, we will demo a system that utilizes these techniques to show the audience how they can use similar concepts to build their own secure, zero-configuration multi-cloud environment.
From Intrusion to Insight: Lessons learned from of a month long AWS compromise
Theme: A Long Train of Abuses and Usurpations
Speaker
Korstiaan Stam
TBD
Abstract
Join this session if you want to get all the details of an interesting AWS compromise which took place in the beginning of 2024. We will share details of the attack including some ‘unknown’ attack techniques. This talk also aims to share AWS IR tips and tricks that help(ed) us get to to the bottom of this attack and that can be applied in your own environment.
Whether you are a seasoned defender of AWS environments or new to the field, this session helps you with practical takeaways. Discover effective methods that helped us get to the bottom of this attack and apply them in your own environment.
GCPwn: A Pentesting Tool For GCP
Theme: Democratize Cloud Security Models and Organizations
Speaker
Scott Weston
Scott Weston is a remote Senior Security Consultant at NetSPI based out of Minneapolis, MN. He has 3-4 years of experience in information security/pentesting with his involvement including general web applications, GraphQL, AWS, and GCP. He has contributed to the open-source AWS pentesting tool, Pacu, by adding an enumeration module for AWS Organizations. He also created a large AWS deck designed for beginners to present to the local San Diego Defcon group located here(https://www.linkedin.com/posts/webbinroot_aws-from-zero-to-pacu-activity-6996999634782994432-q0oy/). He has participated in some bug bounties/VDPs and is mentioned on the International Committee of the Red Cross (ICRC) hall of fame(https://www.icrc.org/en/vulnerability-disclosure/hall-of-fame). He has recently been working on developing tooling for GCP pentesting. In his spare time, he enjoys pursuing individual bug bounties and interesting avenues of pentesting.
Abstract
When discussing the various cloud providers within the last decade, Google Cloud Platform (GCP) is often seen as the smaller provider following AWS and Azure with regards to market share. While GCP might appear smaller than its rival cloud providers, it still is very much in use today, and with this use comes the opportunities for developing pentesting tools. As I’ve been learning GCP over the last year, I have been making a framework in python (much like Pacu for AWS) specifically for GCP. This includes enumeration modules for some of the core services (Cloud Storage, Cloud Functions, Cloud Compute, IAM) along with the incorporation of numerous exploit modules, many of them rooted in Rhino Security’s currently public GCP exploit repository (https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/tree/master). In addition, the framework is built such that it should be easy for a first-time GCP user or beginner to code and develop modules that focus on purely navigating individual resources and easily drop those into the framework. The overall goal is to make an up-to-date, maintained enumeration and exploit toolset for GCP pentesters/red teams/researchers alike that reduces the barrier of entry for learning GCP by allowing average users to make their own modules that easily incorporate with the overall framework.
Get into AWS security research as a n00bcake
Theme: Declare Cyber Sovereignty
Speaker
Dan Grzelak
Daniel is some guy on the internet. He once opened the AWS web console and is now totally an expert in hacking AWS. He is also the Chief Innovation Officer at Plerion where he files TPS reports so that you don’t steal his red stapler.
Abstract
Want to get into AWS security research but don’t know where to start, and don’t own a suit? I’m your guy and this presentation is for you. Listen to real world research adventures — how to poke around AWS, find the quirky bits, and maybe save the internet a little. It’s about building stuff, breaking it (responsibly), and then telling the tale. No PhD required, just you, your interest, and a sense of adventure.
Hacking clouds using the power of the sun
Theme: A Long Train of Abuses and Usurpations
Speaker
Ian Mckay
As an AWS Community Hero and Ambassador, Ian tends to speak his mind when it comes to cloud security. When he’s not busy making open-source tools, he’s squatting S3 buckets, popping data lakes, and breaking every rule in the AWS Terms of Service. He also has a day job as the Cloud Principal at Kablamo, a cloud consultancy from Sydney, Australia.
Abstract
The security of the cloud is based on a foundation of security controls that ensure the integrity of traffic destined to endpoints of the cloud service provider, but what would happen if you could somehow intercept this traffic? In this talk, I walk through a year-long research project that utilises a new take on a decade-old vulnerability against AWS, Azure and Google Cloud and talk through the theoretical and practical impacts.
How a control plane fail can help you learn about Azure security
Theme: A Long Train of Abuses and Usurpations
Speaker
Tyson Garrett
For over 13 years Tyson has been securing cloud environments either his own at a Packetloop (the first big data security analytics company that was 100% cloud based), or for customers where whilst at AWS where he worked with multiple service teams on helping define the AWS Security Foundational Best Practices standard and the AWS config conformance packs in addition to other control guidance many AWS customers rely on. Now at TrustOnCloud, as well as being CTO, Tyson is a Principal researcher.
Abstract
Using a control plane bypass in Azure OpenAI as an example of when things go wrong, this talk will discuss how Azure RBAC and other Azure platform security controls work for those who have to secure Azure environments but are coming from a different cloud background. Attendees of this talk will come away with understanding differences in how permission controls work in Azure compared to AWS, other neat security controls that are natively present in Azure, using Azure permissions to find unpublished APIs, how to use the published REST APIs to discover vulnerabilities, a concrete example of why managed/built-in roles need to be carefully examined and why wildcards are bad.
How do we deal with AWS threatening partnerships and censoring researchers?
Theme:
Speaker
Abstract
TBD
Hunting AWS Threat Actors with Access Analyzer Policy Suggestions
Theme: Declare Cyber Sovereignty
Speaker
Rodrigo Montoro
Rodrigo Montoro has more than 24 years of experience in Information Technology and Computer Security. Most of his career worked with open source security software (firewalls, IDS, IPS, HIDS, log management, endpoint monitoring), incident detection & response, and Cloud Security. Currently, he is Head of Threat & Detection Research at Clavis Security. Before that, he worked as Cloud Researcher at Tenchi Security, Head of Research and Development at Apura Cyber Intelligence, SOC/Researcher at Tempest Security, Senior Security Administrator at Sucuri, Researcher at Spiderlabs. Author of 2 patented technologies involving innovation in the detection field. One is related to discovering malicious digital documents. The second one is in how to analyze malicious HTTP traffic. Rodrigo has spoken at several opensource and security conferences (Defcon Cloud Village, OWASP AppSec, SANS (DFIR, SIEM Summit & CloudSecNext), fwdcloudsec (USA), Toorcon (USA), H2HC (São Paulo and Mexico), SecTor (Canada), CNASI, SOURCE, ZonCon (Amazon Internal Conference), Blackhat Brazil, BSides (Las Vegas e SP)).
Abstract
Researching AWS threats requires you to cover over 400 services, 16,000 actions, and innumerable attack paths across access levels and specific threats. The main goal of cloud threat detection is to differentiate between regular and non-compliant usage while accounting for daily administrative actions.
In our past talk, “Tales of an AWS Detection Engineering”, we discussed the challenge of baselining behavior for detection engineering. In this talk, we build on that research by demonstrating the use of AWS Access Analyzer to create such a baseline and provide some ideas (and Jupyter notebooks) for hunting.
AWS Access Analyzer can programmatically generate a policy based on a principal’s activity in the last 90 days. We then distill this data into behavioral baselines per principal, enriched with additional details like risk level per action, risk scoring for toxic action combinations, and risk assigned for historically unused services.
To demonstrate, we will use Tactics, Techniques, and Procedures (TTPs) to emulate common threat actors and discuss the resulting hunting detections. At the end of this talk, we will provide a method for creating principal behavior-hunting detection for AWS that is SIEM-agnostic, and that you can apply to your environment.
I'm Doing My Part! By Mapping Cloud Incidents to ATT&CK Techniques
Theme: Democratize Cloud Security Models and Organizations
Speaker
Casey Knerr
Casey Knerr is a cybersecurity engineer at MITRE and the Cloud Lead for the MITRE ATT&CK for Enterprise team, where she provides cloud expertise updating the ATT&CK knowledge base with novel defensive ideas and adversary techniques. Prior to joining MITRE, she worked as a penetration tester and completed a BSFS in Science, Technology, and International Affairs at Georgetown University and an MSc in Computer Science at the University of Oxford. Her specialties and interests include web development, web and cloud security, and international cyber policy. In her spare time, she can often be found flying stunt kites or playing Dungeons & Dragons.
Abstract
Does working with MITRE ATT&CK® fill you with dread? Do you worry about not knowing the newest cloud TTPs? Are you afraid of ridicule from your friends and family for getting a mapping “wrong”? Are you haunted by the seemingly never-ending story of abuse of valid cloud credentials (#T1078.004)? If any, or potentially all of the above is true, you’re in the right place!
In this talk, join two members of the ATT&CK team in a walkthrough of mapping real incidents to ATT&CK for Cloud. Using Scattered Spider and APT29 as examples, we will explore not only the process of creating technique mappings, but also the value-add of bringing together CTI, detection, and other stakeholders in order to better understand and track threats. We will explore tips, tricks, and some of our own errors analyzing data and reporting to chain techniques together to tell a meaningful and actionable story for defenders.
Illuminating Azure: Navigating Log Complexities with a Novel Key
Theme: A Long Train of Abuses and Usurpations
Speaker
Nathan Eades
B.S. in Computer Information Systems and an M.S. in Information Security from Robert Morris University, I bring over 9 years of diverse experience in the IT industry. My career journey has spanned roles in software development, cybersecurity consulting, data loss prevention, threat detection, and threat research. Over the last 6 years, my primary focus has been on the proactive identification of potential threats. I have honed my skills in developing sophisticated methods for detecting these threats, ensuring that defense mechanisms remain a step ahead of malicious actors.
Abstract
In the intricate ecosystem of cloud computing, Azure Monitor Activity Logs serve as a critical tool for tracking and understanding operations within Azure environments. However, navigating these logs can be as challenging as it is essential, with complexities that can obscure crucial insights. This session aims to shed light on the nuances of Azure Monitor Activity Logs, highlighting both their strengths and the obstacles they present. I will introduce the concept of a composite key designed to re-orient and review events with a “correlation” that goes beyond Azure’s existing correlation and operation ID constructs, offering a clearer perspective. This approach promises to provide enhanced clarity and actionable insights for your Azure infrastructure.
Intercloud Identities: The Risks and Mitigations of Access Between Cloud Providers
Theme: A Long Train of Abuses and Usurpations
Speakers
Noam Dahan
Noam Dahan is a Staff Security Researcher at Tenable with several years of experience in embedded security and cloud security. He previously spoke at Black Hat USA, DEF CON Cloud Village, DEF CON DemoLabs and fwd:cloudsec. Noam was a competitive debater and is a former World Debating Champion.
Ari Eitan
Ari Eitan is a Research Team Lead at Tenable. Ari began his career as a security researcher for the Israeli Defense Force (IDF). He quickly became Head of the IDF’s cyber incident response team (IDF CERT), honing his expertise in incident response, malware analysis, and reverse engineering. Before joining Tenable, Ari was the VP of Research at Intezer and presented his research at several government and information security events, including fwd:cloudsec, AVAR, BSidesTLV, CyberTech, Hack.lu, Hacktivity, Infosec, IP EXPO, Kaspersky SAS, and the Forum of Incident Response and Security Teams (FIRST).
Abstract
The vast majority of organizations are deploying a multi-cloud or a hybrid cloud strategy. A central key to the multi-cloud machine is intercloud (or cross-cloud) access. Not just personnel access, but access by nonhuman identities from different cloud providers or on-premise workloads to the public cloud. While this form of access is key, it is easy to get it wrong. Attackers are already primed to exploit these opportunities to move laterally within organizations.
In this session, we will explore the gears of the multi-cloud access engine, including different shared secret mechanisms and workload identity authentication. We will start with an overview of the primary mechanisms used for intercloud access. Afterwards, we’ll dive into the actual implementations, and understand the differences between cloud providers. We will dive into the implications of these differences and understand the risks associated with them. We will show TTPs for exploiting these interfaces and implementations, and discuss known uses by attackers.
By examining known malicious and grayware files and scripts, we present an important finding: Because some attacker tools are built to work on multiple cloud providers, if these are deployed to a machine built on a cross-cloud deployment, they would enable attackers to perform cross-cloud lateral movement.
We will offer actionable prevention and detection strategies for organizations and practitioners to take home and implement. We will offer advice on choosing the right intercloud access mechanisms, configuring them, and detecting intrusions and anomalies.
Is LLM all you need for Cloudtrail analysis?
Theme: A Long Train of Abuses and Usurpations
Speakers
Rex Guo
He is currently the Co-founder/CEO of Culminate Inc. A company that builds an AI SOC analyst that investigates every alert like a tier-1 analyst and augment the rest of the SOC.
Previously, he built attack path analysis, polygraph threat detection, and CIEM at Lacework. Before Lacework, he worked in two early stage security companies. He was the Head of Research at Confluera (an XDR company acquired by XMCyber). Earlier than that, he was an Engineering Manager at Tetration (a CWPP company acquired by Cisco). Along his career building detection and response tools, he has investigated dozens of security incidents involving sophisticated attacks in data center and cloud.
He has authored 40+ patents and publications. He has presented multiple times at Black Hat, DEFCON and others conferences. He is also a MITRE ATT&CK contributor and has disclosed vulnerabilities in critical software. He holds a PhD from New York University.
Diane Lin
Dr. Diane Lin is CTO at Culminate, which is building auto-pilot for SOC automation. She was Director of Machine Learning at Zscaler. Her team builds effective ML systems, including the one helped FBI to take down Qakbot.
Dr. Lin earned her PhD in Machine Learning from Imperial College London. She is one of the pioneers on AGI, including a stint at MIT where she worked on one-shot learning. Later, she joined Amazon Alexa as a Machine Learning Scientist and made significant contributions to improving Alexa’s question-answering abilities. Her innovative work in natural language understanding techniques earned her Amazon’s ‘think big’ award.
Following her time at Amazon, Dr. Lin continued her work in Artificial General Intelligence at the robotics company Vicarious, which was recently acquired by Google DeepMind. Overall, Dr. Lin has a proven track record of success and has made significant contributions to the field of AGI and machine learning throughout her career.
Abstract
No doubt everybody is curious if you can use large language models (LLMs) for security operations such as cloud trail analysis.
In this talk, we will demonstrate how you can and can’t use LLMs like GPT4 to analyze cloudtrail logs, and discuss in detail the promise and limitations of using LLMs this way.
We will go deep on how LLMs work and share state-of-the-art techniques for using them in the cloudtrail analysis contexts.
LUCR-3: Cloud Clepto & SaaS-y Scattered Spider Shenanigans
Theme: A Long Train of Abuses and Usurpations
Speaker
Ian Ahl
Ian Ahl, SVP of Permiso’s P0 Labs
- Mandiant 10’ish Years
- Advanced Practices Lead
- Incident Response
- @TekDefense
- USMC
Abstract
The on premise tactics of LUCR-3 (Scattered Spider) are well known. In this talk I will walk through the less known TTPs of LUCR-3 in cloud, identity, and SaaS environments. From Initial Access through mission completion, no step will be left untraced. Detection ideas, hunting approaches, and a large collection of rules will be shared!
Making Insights Driven Decisions in an Ecosystem of Ecosystems
Theme: Declare Cyber Sovereignty
Speakers
Prahathess Rengasamy
Prahathess Rengasamy is a Security engineer focusing on security engineering and automation, striving to enhance efficiency and robustness across various security domains. Previously securing products and clouds at Block, Apple, and CreditKarma, currently focussed on building the next big thing
Stephanie Shi
Stephanie [pronounced Stephanie] is a Security Engineer in the Cloud Security Team at Block. Previously has worked in Identity and Access as well as Infrastructure teams throughout her career.
Abstract
Block is an ecosystem of ecosystems, each with distinct needs and diverse use cases for the cloud. From Bitcoin transactions to conventional banking to hi-fi music, we encompass it all. Our Cloud Security team plays a pivotal role in safeguarding this eclectic environment.
That being said even at this scale the basic questions still apply:
- Paved roads & north star requirements: How do we determine the necessary guardrails, frameworks, and patterns?
- Guardrails: When is the right time to enforce a guardrail?
- Buy vs build: How do we decide whether to build a solution in-house or purchase one?
- Developer empowerment via remarkable solutions: What practices are appropriate for each specific business, recognizing that a one-size-fits-all approach is not feasible?
Our goal is to minimize the uncertainty and unknowns in these decision-making processes, leveraging what we can quantify using various tools at our disposal. In this way, we empower our developers to make sound security decisions while still harnessing the power of cloud resources and compute.
In this presentation, we will delve into our data-driven approach to measure, secure, and monitor this unique environment. Topics include:
- Our insights technology stack. (Data warehouse, ETL, BI analytics, etc)
- Alternative strategies in cloud security. (Beyond the out of the box CSPM, arbitrary tech)
- A detailed case study on static credentials.
- Driving business decisions and prioritization via insights
- Additional examples where metrics have guided our decisions.
- Key learnings and insights gained.
- Future direction.
- Reducing alerts and gaining developer trust using foundational components
Normalization of CSP audit logs with open standards. How to search everywhere at once.
Theme: Democratize Cloud Security Models and Organizations
Speaker
Jake Berkowsky
Jake Berkowsky, is a Principal Cybersecurity Architect at Snowflake and the engineering lead for their cybersecurity workload. Prior to joining Snowflake, Jake has a diverse background of technical and leadership roles having most recently served as Co-Founder and CTO of a Cloud Consulting and Data Intelligence company. He regularly maintains his experience and interests in the areas of cloud, devops and development and is an active outdoorsman and nature enthusiast.
Abstract
This conference talk explores the intersection of security and data engineering in the context of open security normalization standards and architectural implementations within a multi-cloud environment. We will examine the current state of security data normalization and investigate the most effective methods and ideal points for normalization within the data pipeline. Concluding with a live demonstration of a platform-agnostic vanilla SQL implementation, attendees will gain practical insights and a deeper understanding of security data normalization in multi-cloud environments.
One Click, Six Services: Abusing The Dangerous Multi-service Orchestration Pattern
Theme: A Long Train of Abuses and Usurpations
Speaker
Liv Matan
Liv Matan is a Senior Security Researcher at Tenable, where he specializes in application and web security. As a bug bounty hunter, Liv has found several vulnerabilities in popular software platforms, such as Azure, Google Cloud, AWS, Facebook, Gitlab, was recognized as Microsoft’s Most Valuable Researcher, and presented at conferences such as DEF CON Cloud Village and fwd:cloudsec. In his free time, he boxes, lift weights and plays Capture the Flag (CTF).
Abstract
Cloud providers build their services a little like Jenga towers. They use their core services as the foundation of more popular customer-facing offerings. You may think you’re just creating a GCP cloud function in an empty account. In reality, with one click, you’re creating resources in six different services: a Cloud Build instance, a Storage Bucket, an Artifact Registry or a Container Registry, and possibly a Cloud Run instance and Eventarc triggers. The security of the entire stack is only as strong as the weakest link. By looking at the entire stack, we can find privilege escalation techniques and even vulnerabilities that are hidden behind the stack. In my research, I was able to find a novel privilege escalation vulnerability and several privilege escalation techniques in GCP.
The talk will showcase a key concept, sometimes not discussed enough: cloud services are built on top of each other, and one click in the console can cause many things to happen behind the scenes. More services mean more risks and a larger attack surface.
The next part will dive deep into the vulnerable GCP cloud functions deployment flow. I will showcase the vulnerability I found in this flow, which enables an attacker to run code as the default Cloud Build service account by exploiting the deployment flow and the flawed trust between services resulting in a large fix and change in GCP IAM and Cloud Functions. This would grant an attacker high privileges to key services such as Storage, Artifact Registry, and Cloud Build.
However, this talk is about more than just a vulnerability. By understanding cross-service dependency, we can reveal a broad attack surface for many possible privilege escalation vectors between services. I will demo a simple tool I wrote to find the hidden APIs that are called by the CSP when performing an action.
By the end of this talk, the audience will learn the dangers of treating cloud services like a black box. The talk explains the hidden deployment flow behind one important stack, and provides the tools to uncover the risks of many more.
One extra large cloud assessment please? - Why testing at scale needs a different approach
Theme: Democratize Cloud Security Models and Organizations
Speakers
Mohit Gupta
Mohit Gupta is a principal security consultant at WithSecure, where he specialises in AWS and Kubernetes, and is the technical lead for all things containerisation and orchestration.
Christian Philipov
Chris is a senior security consultant and heads up the Cloud Security capability area within WithSecure Consulting. As part of his day to day he leads the global team that deals with various different types of engagements of both a transactional and more bespoke nature. Chris specialises in Microsoft Azure predominantly with GCP and AWS as an additional background.
Abstract
Cloud estates can vary vastly in size, from small single accounts, to large estates spanning multiple cloud providers. Assessing and assuring these larger environments is often a very complex undertaking, with large numbers of resources to review and secure. CSPM and CWPP solutions can cover a lot, but there’s still a fair amount that requires a human-led assessment to properly assure. While it’s common to see organisations performing small-scale penetration testing of individual workloads, these are time-consuming and scale poorly for larger environments.
This talk presents the methodologies and approaches developed by the speakers for effectively and efficiently performing large-scale cloud assessments covering an organisation’s entire estate. It’ll compare and contrast these against common existing approaches and outline why new approaches were required. It’ll also cover common areas to prioritise for human assessment, how best to leverage existing tooling to support large-scale human assessments, and how to optimise the time and effort spent to provide the best levels of assurance.
Attendees can expect to gain insight into how to approach human-led assessments of large scale cloud environments, either as the assessor or as an organisation procuring such services. This includes the benefits of such approaches, key focus areas within environments that could affect swathes of the estate and how to use knowledge and information from internal tooling and subject matter experts to better inform assessments.
Open-Sourcing AWS Pentest Methodology
Theme: Democratize Cloud Security Models and Organizations
Speaker
Lizzie Moratti
Lizzie Moratti is a penetration testing consultant with a project management background. She specializes in AWS pentesting and releases her research on her personal blog.
Abstract
Cloud penetration testing has evolved significantly, providing ample learning resources, from attack technique encyclopedias to numerous security blogs. However, a critical gap remains in teaching new cloud pentesters how to integrate this wealth of knowledge effectively.
This talk addresses the critical gaps in existing AWS pentest methodologies and introduces my practical approach developed to navigate these challenges effectively. I’ll also discuss the limitations of a methodology made by one person and the critical role of open source-driven methodologies in shaping industry standards.
Pipeline Precognition: Predicting Attack Paths Before Apply
Theme: Declare Cyber Sovereignty
Speaker
Brad Geesaman
Brad Geesaman is a Staff Security Engineer at Ghost Security and focuses on researching and building cloud-native systems with a security practitioner’s mindset. When he’s not hacking on cloud and containerized environments, he enjoys spending time with his family in Virginia, eating Mexican food, and collecting an impractical amount of ebooks.
Abstract
The ability to model our cloud, identity, and vulnerability resource metadata using graph database technologies can be a security team superpower for identifying actual risks via attack paths in our running environments. But why are we only able to realize this value after they are deployed? What fundamental assumptions and limitations are holding us back from being able to address truly risky infrastructure changes before they are applied?
Let’s have fun together rethinking some of those limitations and exploring the possibilities where they no longer exist. We’ll leverage Caizen, a new open source project that models a real GCP environment in a graph database in near-time with automatically calculated attack paths. We’ll then demo its companion tool in a CI pipeline, Psychiac, that can cleverly capture proposed infrastructure changes and analyze them using Caizen’s graph to understand which attack paths were introduced and address them-all before we apply. Finally, we’ll discuss the benefits of a future state of cloud security with precognition and what’s left to make it a true reality.
Ransomware Riddle: Untying Cloud Security Mysteries
Theme: A Long Train of Abuses and Usurpations
Speaker
Ram Pliskin
Ram is a Principal Security Research Manager at Microsoft Defender for Cloud. Ram gained his expertise from over a decade of service with the IDF Intelligence Corp, where he led teams of security researchers and software developers.
Abstract
Ransomware campaigns continue to pose a global threat, with financially driven threat actors using them to extort companies across the globe. As organizations navigate the digital transformation into the Cloud, these threat actors have not only adapted their strategies but also exploited built-in cloud tools to efficiently carry out ransomware campaigns.
This evolution presents a challenge to researchers and security products to create innovative detection methods that can effectively traverse this altered landscape. In this session, I will share actual instances of hybrid ransomware attacks that have resulted in damages amounting to millions of dollars. We will delve into the latest trends and techniques employed by threat actors to compromise both on-premises and cloud environments of victims, including their lateral movement between the two. Furthermore, we will highlight the novel techniques used by threat actors to quickly identify and encrypt an organization’s most vital assets.
This presentation will introduce a pioneering approach to detecting these complex attacks. By employing contextual graph-based correlations, we can reveal a pathway to connect the dots of an attack, even when a direct connection is not apparent. During this talk, I will demonstrate how this innovative methodology has proven instrumental in saving countless investigative hours and enhancing the effectiveness of response efforts in real-life incidents.
Responding to Sophisticated Ransom Attacks in the Cloud: A Real-World Case Study
Theme: A Long Train of Abuses and Usurpations
Speaker
Yotam Meitar
Yotam has spent the last ten years managing and responding to some of the most sophisticated global cyber operations. He’s worked with technical teams and executives to defeat attacks and leverage cyber as a competitive advantage across incident response, purple teaming, posture enhancements, and executive wargames. In his current role, Yotam focuses on developing cloud-specific incident response methodology and collaborating with practitioners on developing robust cloud security frameworks. Yotam’s previous positions include Director of Incident Response at Sygnia and command positions in the IDF.
Abstract
Ransom attacks in the cloud are on the rise. Unlike traditional ransomware operations in which attackers fully compromise an on-prem environment before encrypting critical systems, most cloud ransom attack attacks follow a more straightforward playbook: compromising a credential, exfiltrating data, and demanding ransom payments to avoid publication of sensitive data. The speed and sophistication of these attacks are creating new challenges defenders must adapt to in order to survive.
In this session we’ll share the details of a real-world incident response to a sophisticated cloud ransom attack, in which paying the ransom only started the clock on the real battle. Validating the scope of stolen information under looming legal deadlines through unique data forensics, uncovering expert impersonation of a unique identity provider, and revealing clever privilege escalation from a Kubernetes vulnerability to full administrative access, were all instrumental to the success of this incident response.
In addition to the thrilling minute-by-minute technical story, we’ll share key takeaways and intelligence for performing cloud incident response against these rising attacks in a rapidly evolving threat landscape.
Songs To Enjoy While Your Servers Deploy
Theme: Odds & Ends
Speaker
Forrest Brazeal
Forrest Brazeal is a cloud architect, writer, speaker, and cartoonist, currently based in Charlotte, NC. He is also an AWS Serverless Hero and an active member of the SFWA. He collects old books in the forlorn hope that someday his children will enjoy reading them as much as he does.
Abstract
Join us at the Permiso Happy Hour for some special musical entertainment
Taking Over VMs the Cloud-native Ways
Theme: A Long Train of Abuses and Usurpations
Speaker
Jay Chen
Jay Chen is a Cloud Security Researcher with Prisma Cloud and Unit 42 at Palo Alto Networks. He has extensive research experience in cloud security. In his role at Palo Alto Networks, he focuses on investigating the vulnerabilities, design flaws, and adversarial TTPs in cloud-native technologies such as containers and public cloud services. He works to develop methodologies for identifying and remediating security gaps in public clouds and works to protect Prisma Cloud customers from threats. In previous roles, he has researched mobile cloud security and distributed storage security, and Blockchain. Jay has authored 25+ academic and industrial papers.
Abstract
VMs are among the most frequently deployed resources in every cloud environment. While VMs may not be the most novel cloud technology today, they continue to host many vital cloud workloads. Their widespread use also makes them a prime target for attackers. If a VM is compromised, attackers could exfiltrate sensitive data, hijack computational resources, and obtain the cloud permissions granted to the VM.
This talk will dissect and compare various techniques that attackers may employ to take control over VM instances in AWS, Azure, and GCP. These techniques, mostly relying on the cloud APIs, abuse legitimate cloud features to facilitate malicious activities. For example, updating startup scripts, executing scripts via cloud agents, and pushing SSH keys. If attackers manage to obtain the necessary permissions, they could gain access to a target VM without even needing the VM’s login credentials.
We will delve into the specific conditions and configurations across different cloud platforms that could make these techniques possible. Attendees will gain a new perspective of these cloud features and learn the strategies for identifying and mitigating the risks. Join us to explore, brainstorm, and safeguard VM’s attack surface.
The Dark Economy of Stolen Cloud Accounts in Phishing Attacks
Theme: A Long Train of Abuses and Usurpations
Speakers
Alessandro Brucato
Alessandro is a Sr. Threat Research Engineer at Sysdig with a background in penetration testing of web and mobile applications. His research includes cloud and container security, with a specific focus on supply chain attacks and cloud platform exploitation. While studying computer science and engineering at Politecnico di Milano, he participated in various bug bounty programs where he received rewards from several large companies. Alessandro is also a contributor to Falco, an incubation-level CNCF project.
Stefano Chierici
Stefano Chierici is a Threat Research Lead Manager at Sysdig, where his research focuses on defending containerized and cloud environments from attacks ranging from web to kernel. Stefano is one of the Falco contributors to an incubation-level CNCF project. He studied cyber security in Italy, and before joining Sysdig, he was a pentester. He obtained the OSCP Certification in 2019. He was a security engineer and a red team member.
Abstract
Have you ever wondered what lies behind a phishing email? That may be the tip of the iceberg of a more complex dark economy of stolen cloud accounts to abuse email services. Illicitly buying compromised accounts with Amazon Simple Email Service (SES) ready to use is like having access to a phishing weapon that can be immediately leveraged against thousands of users. Join us in an insightful session that will bring light to the lucrative market for Amazon SES Accounts and uncover an offensive operation where the AWS account of a compromised organization is used to send phishing emails. We will share the techniques and tactics of the two threat actors involved: an Indonesian group that took over AWS accounts with Amazon SES enabled, and a French threat actor who later bought these accounts to launch a phishing campaign against French travel card users. Furthermore, we will talk about the multiple impacts of this attack. During the talk, we will reveal new detection methods we employed to detect events that are not logged in CloudTrail, specifically the APIs to send emails. Our procedure involves Amazon Simple Notification Service, CloudWatch and Lambda functions to log email events, configure alerts and implement incident response. Having the complete picture of the dark market and threat actors behind phishing emails in cloud-native environments allows defenders to neutralize those attacks more easily.
The EKS Hacking Playbook: Lessons From 3 Years of Cloud Security Research
Theme: A Long Train of Abuses and Usurpations
Speakers
Nir Ohfeld
Nir Ohfeld is a senior security researcher at Wiz. Ohfeld focuses on cloud-related security research and specializes in research and exploitation of cloud service providers, web applications, application security, and in finding vulnerabilities in complex high-level systems. Ohfeld and his colleagues disclosed some of the most notable cloud vulnerabilities, including ChaosDB and OMIGOD.
Hillai Ben-Sasson
Hillai Ben-Sasson is a security researcher based in Israel. As part of the Wiz Research Team, Hillai specializes in research and exploitation of web applications, application security, and finding vulnerabilities in complex high-level systems.
Abstract
Amazon Elastic Kubernetes Service (EKS) is one of the leading Kubernetes solutions in the cloud-managed space. Its flexibility, scalability, and integration with the AWS ecosystem have made it an industry standard. However, EKS is a two-headed beast. On one hand, it’s a full-fledged Kubernetes cluster, but on the other hand, it’s an AWS service. The combination of the two allows for seamless integration with other AWS services, but can also introduce unique security challenges. Simple but common misconfigurations can expose critical assets to external attackers.
Our experience in cloud security research, which includes critical findings affecting many of the world’s leading cloud providers and services, has led us to find common patterns of EKS security mistakes. We saw many large organizations apply similar misconfigurations across the board, ranging from network issues to unique RBAC issues. Drawing from this experience, we created a playbook for ourselves - what do we look for, as security researchers, when in a production EKS environment.
In this talk, we will walk the audience through common misconfigurations and mistakes prevalent in EKS setups. Each example will present the mistake from the engineer’s point of view, as well as the opposite point of view - how we exploited it as researchers. For each section, we will also present an example from one of our research engagements, to showcase how these kinds of misconfigurations can compromise a world-leading service’s production environment.
Finally, we will showcase ways to hunt and mitigate these issues on your own EKS environments, including remediation and detection techniques based on existing AWS utilities. By sharing these findings and methodologies, we hope to arm cloud engineers, as well as security and DevOps teams, with the tools and knowledge they need to secure their EKS environments.
The Oracle Awakens: Demystifying Privilege Escalation in the cloud
Theme: A Long Train of Abuses and Usurpations
Speakers
Felipe
Felipe Espósito also known as Pr0teus, graduated in Information Technology at UNICAMP and has a master’s degree in Systems and Computing Engineering from COPPE-UFRJ, both among the top technology universities in Brazil. He has over ten years of experience in information security and IT, with an emphasis on security monitoring, networking, data visualization, threat hunting, and Cloud Security. Over the last years he has worked as a Security Researcher for Tenchi Security, a Startup focused in third-party risk managemnet, he also presented at respected conferences such as Hackers 2 Hackers Conference, BHACK, BSides (Las Vegas and São Paulo), FISL, Latinoware, SecTor, SANS SIEM Summit, and Defcon’s CloudSec and Recon Village.
Lucas Andrade Cioffi
Information security professional that has done a little bit of everything, but is now focused on Cloud Security at Tenchi. Visit my blog! https://pomba.net
Abstract
In this talk, we explore privilege escalation mechanisms and paths within Oracle Cloud. Privilege escalation, the process by which an attacker gains elevated access and permissions beyond those intended by the cloud administrator, poses a significant threat in cloud environments and can significantly aid an attacker or pentester.
Our discussion will focus on identifying privilege escalation paths, understanding how cloud administrators can misconfigure policies, and the methods attackers can use to exploit these vulnerabilities. Through carefully designed scenarios and real-world examples, attendees will learn to recognize signs of privilege escalation, thereby enhancing their security posture.
The Path to Zero-Touch Production
Theme: A Long Train of Abuses and Usurpations
Speaker
Rami McCarthy
Rami is a bit of a security wonk. Most recently, he helped build the Infrastructure Security program at Figma. Before that, he worked as a security consultant and helped scale security for a health-tech unicorn. He writes about security over at ramimac.me and for tldrsec.com.
Abstract
Zero Touch Prod is a Google-ism, and also a good idea. It’s common that engineers, even at companies with strong security programs and cloud-native architecture, organically evolve operational processes that require they touch production daily.
As security practitioners, it’s our job to keep our companies safe - both from bad actors, and also humans making mistakes. Allowing humans to work directly in production infrastructure introduces mitigable risks.
This talk shares my universal theory of how to incrementally and collaboratively move a cloud-native organization to Zero Touch Prod. We’ll talk about why people touch prod, how they touch prod, and what we can do about it. I’ll include a summary of the various production access primitives available in AWS, when to use them, and how to do so safely. We’ll dive deep on the implementation options for building blocks like JIT/Temporary Access and operational script running.
Wherever you are in your Access Journey, you’ll walk away with practical and pragmatic next steps!
Thinking outside the cloud: Preventing cloud compromise by focusing on-premise
Theme: A Long Train of Abuses and Usurpations
Speakers
Will Silverstone
Will Silverstone is a Senior Consultant at Google Cloud / Mandiant. In addition to delivering proactive cloud security assessments and transformation, Will has extensive experience leading large-scale incident response remediation engagements across major cloud platforms.
Omar ElAhdan
Omar ElAhdan is a Principal Incident Response and Remediation Consultant at Google Cloud / Mandiant. He specializes in leading remediation engagements, providing tactical and strategic recommendations for hardening infrastructure and cloud environments during and after cyber incidents.
Abstract
If you ask a cloud security professional what are the biggest risks to their cloud environment, their answer would probably include things like publicly exposed storage buckets, leaked credentials, or over-permissive network access. But if we look beyond these commonly known mistakes and misconfigurations, it’s often the case that the weak point of many cloud environments lies in the integration with on-premise or non-cloud infrastructure. Even with state of the art cloud security controls, a poorly secured Active Directory, for example, can often allow an attacker to walk in the back door and compromise a cloud environment. This talk will explore the common scenarios of how this occurs and why cloud security professionals should still be concerned with securing on-premise. We will provide case studies from Mandiant incident response engagements that cover how specific gaps in network security, access management, and logging have exposed organizations to new threats in the cloud.
Trust Me Bro: Preexisting Trust is the New Initial Access Vector
Theme: A Long Train of Abuses and Usurpations
Speaker
Nick Frichette
Nick Frichette is a Staff Security Researcher at Datadog, where he specializes in AWS offensive security. He is known for finding multiple zero-day vulnerabilities in AWS services and regularly publishing on new attack techniques. In addition to his research, Nick is the creator and primary contributor to Hacking the Cloud, an open source encyclopedia of offensive security capabilities for cloud environments. He is also a part of the AWS Community Builder Program, where he develops content on AWS security.
Abstract
The state of AWS security is rapidly evolving; AWS continues to mitigate use of IMDSv1, protecting customers from a well-known cause of cloud breaches. While long-lived access keys are not going away anytime soon, security teams are more aware of the threat that these credentials pose than ever before. These advancements are a problem for attackers who need to establish a foothold in an AWS environment. What methods are left for initial access?
In this talk we will explore how adversaries can abuse existing trusts in various AWS services to gain initial access to an AWS environment.
We will start by looking at how IAM roles with misconfigured trust relationships to AWS services could allow anyone in the world the ability to assume them. We will dive into Amazon Cognito and GitHub Actions OIDC identities, demonstrating how an attacker could access these misconfigured roles. Next, we’ll take a look at a vulnerability we found in a popular AWS service which made roles associated with it publicly vulnerable.
Finally, we will also look at a worst-case scenario: what happens when an attacker finds a vulnerability in PassRole and is able to assume roles in other accounts? Sound far-fetched? We’ll cover a real world example of a vulnerability we found in AWS AppSync that lets us do just that. We’ll also discuss how security practitioners can secure their environments, even against a zero-day like this one.
Welcome
Theme: Odds & Ends
Speaker
Aaron Zollman
Aaron helped with the first fwd:cloudsec and has served in multiple roles to bring the conference and community to life. In his day job, he leads security & platform at a health-tech company.
Abstract
Setting the stage for this, our fifth fwd:cloudsec - and our first run fully independently of any other security conference.
What's the Worst That Could Happen: Sharing Your AWS Account ID With the World
Theme: A Long Train of Abuses and Usurpations
Speaker
Jarom Brown
Jarom is a Sr Lead Security Engineer working on the Bug Bounty/Responsible Disclosure team at Capital One. His previous role was as a software engineer solving problems in the Threat Intel space. He got his start as a full-stack software engineer. While not working he enjoys doing CTFs, bug bounty, tinkering, working out, and relaxing with his family.
Abstract
During this talk I will build upon the research of others as I explore nearly 200K discovered AWS account IDs and the resources they expose publicly.
Who Touched My GCP Project? Understanding the Principal Part in Cloud Audit Logs
Theme: A Long Train of Abuses and Usurpations
Speaker
Gabriel \ Gavriel Fried
Gavriel Fried is a Senior Security Researcher at Mitiga. Prior to working at Mitiga, Gavriel’s history in the cyber security field includes various research positions such as UEBA, Deception, Network and DPI, Red Teaming, Digital Forensics and some Malware Analysis. Gavriel researches potential attacks, anomalies and abuses on cloud services and SaaS
Abstract
Have you ever wondered how to see what your K8S pod is doing in your GCP project? What about your AWS role integration? Did you see in your GCP cloud audit logs the event getAccessToken and didn’t know what it is all about? Join us for a journey into the heart of Google Cloud Platform (GCP) authentication, where we’ll unravel the mysteries within GCP audit logs. In this session, we’ll delve into the complexities of principal identification and authentication mechanisms. Through real-world examples and practical demonstrations, you’ll gain invaluable insights into deciphering audit logs to detect authentication methods and uncover the true identities behind cloud actions. Whether you’re a seasoned cloud security expert or an eager learner, this lecture promises to equip you with the knowledge and skills needed to navigate the intricate landscape of GCP.
[Customers only] Are vendors worth the money? Which ones are you getting value from?
Theme:
Speaker
Abstract
TBD
yubidisaster: Building Robust Emergency Admin Access to AWS Accounts
Theme: Declare Cyber Sovereignty
Speakers
Greg Kerr
Greg is a tech lead on the Cryptographic Identity team at Block working on establishing secure and verifiable identities in our cloud mesh. He has previously worked in the security engineering and software development space at Google. Past security publishing experiences including REcon and Phrack.
Brett Caley
TBD
Matt Jones
Matt Jones is an identity management practitioner with over 15 years of experience. Currently, the Identity Infrastructure Lead at Square, Matt manages an organization developing identity, credentials, and access management solutions for a hybrid multi-cloud environment. Previously, at Google, Matt managed the Production PKI team and was the tech lead for Security and Privacy on Google Cloud Storage. Matt has worked in a range of roles across industry and government to make the Internet safer for everyone.
Abstract
In this talk, we will explore the process of building an in house emergency admin access to our AWS accounts at Block, leveraging standard technologies like smart cards and x.509 certificates that should work with many vendors using hardware owned by the business.
In our specific case, we used AWS RolesAnywhere authentication technology, AWS PCA for certificate issuance, and Yubikey PIV mode for secure certificate protection.
This talk will provide insights into the complexities of implementing secure emergency access, the challenges we faced, and how we overcame them to create a more secure and efficient system. The system has been successfully used in production.