
Speakers


A Year of NO: building organizational IAM guardrail policies that work

Theme: Inside & Outside
Video

Speaker

Noam Dahan | Research Lead, Ermetic

Noam Dahan is a Senior Security Researcher at Ermetic with several years of experience in embedded security. He is a graduate of the Talpiot program at the Israel Defense Forces and spent several years in the 8200 Intelligence Corps. Noam was also a competitive debater and a World Debating Champion.

Abstract

Organizational policies are a key part of every organization’s cloud IAM strategy. They supplement least-privilege best practices by establishing guardrails that protect the organization from unknown threats, and limit the extent of damage that can potentially be caused by compromised identities, workloads or credentials. In this talk, we will explore how to build, test, and deploy effective organizational policies. We will do so by being mindful of the real threats and TTPs we’re trying to protect ourselves from, along with the crown jewels we need to protect, the vulnerable points in our environment, and the data perimeter. We will also dive into the implementation of organizational IAM policies in each cloud provider, their different behaviors in edge cases, and how we should adjust our strategy to accommodate these differences. Lastly, we will discuss strategies for building, testing, and deploying organizational policies, and recommend a process for creating and evaluating them (including how to build detection mechanisms in case of violations).
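The guardrail pattern the abstract describes, as an added example rather than material from the talk: a service control policy that denies tampering with CloudTrail for every principal except one break-glass role, a small offline evaluator to check what the SCP denies before deploying it, and the CloudTrail matcher that turns a blocked call into a detection. The break-glass role name, the account IDs and the sample CloudTrail record are constructed placeholders.

```python
"""Guardrail SCP with a break-glass exemption, plus an offline check of what
it denies and a CloudTrail matcher for violations.

Added example (not the speaker's material). The break-glass role name,
account IDs and the sample CloudTrail event are constructed placeholders.
"""
import fnmatch
import json

# Assumed: one well-known role per account that is allowed to change trails.
BREAK_GLASS_ROLE = "arn:aws:iam::*:role/OrgBreakGlass"

GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ProtectCloudTrail",
            "Effect": "Deny",
            "Action": [
                "cloudtrail:StopLogging",
                "cloudtrail:DeleteTrail",
                "cloudtrail:UpdateTrail",
                "cloudtrail:PutEventSelectors",
            ],
            "Resource": "*",
            # The deny applies to every principal whose ARN does NOT match.
            "Condition": {"ArnNotLike": {"aws:PrincipalARN": BREAK_GLASS_ROLE}},
        },
        {
            "Sid": "DenyLeaveOrg",
            "Effect": "Deny",
            "Action": "organizations:LeaveOrganization",
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wild(pattern, value):
    # IAM '*' / '?' wildcards; actions are case-insensitive. Simplification:
    # real ArnLike matching is per colon-separated ARN component, so patterns
    # that stretch '*' across components would behave differently in AWS.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def scp_denies(scp, action, principal_arn):
    """True if a Deny statement in `scp` applies to this action and principal.

    Handles the shape used above: Action, Resource '*', optional
    ArnNotLike on aws:PrincipalARN. An SCP only restricts; the identity
    still needs an Allow in its own policies to act at all.
    """
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(_wild(p, action) for p in _as_list(stmt["Action"])):
            continue
        exempt = stmt.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalARN")
        if exempt and any(_wild(p, principal_arn) for p in _as_list(exempt)):
            continue  # principal matches the exemption, statement does not apply
        return True
    return False


def is_scp_violation(event):
    """Detection hook: a call that an SCP explicitly denied appears in
    CloudTrail as AccessDenied with the SCP named in errorMessage."""
    return (
        event.get("errorCode") == "AccessDenied"
        and "service control policy" in event.get("errorMessage", "")
    )


# Constructed sample record in CloudTrail's shape (not a real log line).
SAMPLE_DENIED_EVENT = {
    "eventSource": "cloudtrail.amazonaws.com",
    "eventName": "StopLogging",
    "errorCode": "AccessDenied",
    "errorMessage": (
        "User: arn:aws:sts::111122223333:assumed-role/Developer/alice is not "
        "authorized to perform: cloudtrail:StopLogging on resource: "
        "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail "
        "with an explicit deny in a service control policy"
    ),
}

if __name__ == "__main__":
    print(json.dumps(GUARDRAIL_SCP, indent=2))
    print(scp_denies(GUARDRAIL_SCP, "cloudtrail:StopLogging",
                     "arn:aws:iam::111122223333:role/Developer"))
```

Two caveats a practitioner will hit: SCPs never apply to the management account, so the guardrail only protects member accounts, and `aws:PrincipalARN` for an assumed-role session is the role ARN, which is why the pattern above matches sessions of the break-glass role as well as the role itself. Attach the policy to a sandbox OU first and confirm the AccessDenied records show up in your SIEM before rolling it out.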


AWS Identity Center - Extending Cloudsplaining to score Users & Permission sets risks

Theme: Control & data
Video

Speaker

Rodrigo Montoro | Head of Threat and Detection Research, Clavis Security

Rodrigo Montoro has more than 22 years of experience in information technology and computer security. For most of his career he has worked with open source security software (firewalls, IDS, IPS, HIDS, log management, endpoint monitoring), incident detection and response, and cloud security. Currently, he is Head of Threat & Detection Research at Clavis Security. Before that, he worked as Cloud Researcher at Tenchi Security, Head of Research and Development at Apura Cyber Intelligence, SOC/Researcher at Tempest Security, Senior Security Administrator at Sucuri, and Researcher at SpiderLabs. He is the author of two patented technologies in the detection field: one for discovering malicious digital documents, the other for analyzing malicious HTTP traffic. Rodrigo has spoken at several open source and security conferences (DEF CON Cloud Village, OWASP AppSec, SANS (DFIR, SIEM Summit & CloudSecNext), ToorCon (USA), H2HC (São Paulo and Mexico), SecTor (Canada), CNASI, SOURCE, ZonCon (Amazon internal conference), Black Hat Brazil, BSides (Las Vegas and São Paulo)).

Abstract

There are multiple ways to access an AWS account: IAM users, cross-account roles, federated users, and IAM Identity Center. Since renaming AWS SSO to IAM Identity Center, AWS has been steering customers toward it, and for good reason: short-lived credentials, centralized logging across the accounts of an Organization, and simpler management.

Many tools and projects handle permission analysis for IAM users, but with Identity Center, mapping excessive permissions brings new challenges: there is no easy, visual way to match users to the permissions that put them most at risk. To address this, we extended Cloudsplaining and built a flow, based only on open source tooling, to map Identity Center risks.

The flow enumerates every account in the Organization, then the users, permission sets, and the policies attached to each (both AWS managed and customer managed). With that inventory, we score the permissions in each account using our Cloudsplaining-based risk scoring research and join the results, so that every risk finding an Identity Center user is able to exercise is shown in one place. More importantly, a Kibana dashboard presents this visually, mapping Identity Center users to their risks and helping you prioritize.

By the end of the talk, the audience will have a step-by-step method to replicate this using only open source projects: sso-reporter, Cloudsplaining, and the Elastic stack. We will provide all scripts, the risk-scoring enrichments built on Cloudsplaining findings, Logstash configurations, and Kibana visualizations. On top of this, we will discuss which Identity Center actions you should monitor closely to catch privilege escalation attempts.


AWS Presigned URLs: The Good, The Bad, and The Ugly

Theme: Control & data
Video

Speaker

Jarom Brown | Capital One

Jarom is a Sr Lead Security Engineer working on the Bug Bounty/Responsible Disclosure team at Capital One. His previous role was as a software engineer solving problems in the Threat Intel space. He got his start as a full-stack software engineer. While not working he enjoys doing CTFs, bug bounty, tinkering, working out, and relaxing with his family.

Abstract

AWS presigned URLs are a powerful mechanism for granting temporary access to resources in AWS services. However, they can also be exploited by attackers to gain unauthorized access, perform data exfiltration, and execute other malicious or unwanted actions. In this talk, I will explore the different attack scenarios that can leverage presigned URLs and methods to detect and prevent such attacks.
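Added example, not code from the talk: a standard-library SigV4 query-string signer for an S3 GET, and an inspector that pulls from a presigned URL the facts a defender needs when one leaks (which access key signed it, when it stops working, and whether it exceeds an assumed expiry limit). The bucket, object key, credentials and the fixed clock are constructed; MAX_EXPIRES is an assumed organisational policy, not an AWS limit.

```python
"""Generate an S3 presigned GET URL with stdlib SigV4 and inspect one.

Added example, not from the talk. Bucket, key, credentials and the fixed
timestamp are constructed; MAX_EXPIRES is an assumed organisational limit.
"""
import datetime as dt
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlparse

MAX_EXPIRES = 900  # assumed policy: links valid longer than 15 minutes are suspect


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def presign_get(bucket, key, access_key, secret_key, region,
                expires=3600, now=None, session_token=None):
    """Return a SigV4 query-string-signed GET URL for s3://bucket/key."""
    now = now or dt.datetime.now(dt.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = now.strftime("%Y%m%d")
    host = f"{bucket}.s3.{region}.amazonaws.com"
    scope = f"{date}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:  # temporary credentials must carry their session token
        params["X-Amz-Security-Token"] = session_token
    canonical_qs = "&".join(
        f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items()))
    canonical_uri = "/" + quote(key, safe="/")
    canonical_request = "\n".join([
        "GET", canonical_uri, canonical_qs,
        f"host:{host}\n",       # canonical headers block ends with a newline
        "host",                 # signed headers
        "UNSIGNED-PAYLOAD",     # S3 presigned URLs do not hash the body
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    signing_key = _hmac(("AWS4" + secret_key).encode(), date)
    for part in (region, "s3", "aws4_request"):
        signing_key = _hmac(signing_key, part)
    signature = hmac.new(signing_key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_qs}&X-Amz-Signature={signature}"


def inspect_presigned(url):
    """What a defender wants from a leaked link: who signed it, when it
    stops working, and whether it breaks the expiry policy."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    access_key = q["X-Amz-Credential"].split("/")[0]
    signed_at = dt.datetime.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(
        tzinfo=dt.timezone.utc)
    expires = int(q["X-Amz-Expires"])
    return {
        "access_key_id": access_key,
        # ASIA* key IDs and a session token both indicate temporary credentials
        "temporary_creds": access_key.startswith("ASIA") or "X-Amz-Security-Token" in q,
        "expires_in": expires,
        "expires_at": (signed_at + dt.timedelta(seconds=expires)).isoformat(),
        "over_policy": expires > MAX_EXPIRES,
    }


def example_url():
    """Deterministic sample: constructed credentials, fixed clock."""
    return presign_get(
        "example-bucket", "reports/q1 results.csv",
        "AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "us-east-1", expires=86400,
        now=dt.datetime(2023, 6, 1, 12, 0, 0, tzinfo=dt.timezone.utc),
    )
```

The inspector makes the security properties concrete: the link is a bearer credential (whoever holds it needs nothing else), it names the signing access key in clear text, and it stays valid until the earlier of `X-Amz-Expires` and the lifetime of the credentials that signed it. S3 data events in CloudTrail and S3 server access logs attribute the download to the signer's identity, not to whoever clicked the link, so detection has to look at which identities generate many presigned URLs and at downloads from unexpected source addresses.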


Beyond the AWS Security Maturity Roadmap

Theme: Infrastructure & superstructure
Video

Speaker

Rami McCarthy | Figma

Rami works on Infrastructure and Cloud Security at Figma. He previously worked as a security consultant and helped scale security for a health-tech unicorn, and infrequently writes about security on tldrsec.com.

Abstract

Scott Piper’s AWS Security Maturity Roadmap is the definitive resource for cloud-native companies to build a security program and posture in AWS. It does an amazing job of providing broadly applicable guidance along the maturity curve. However, for many fwd:cloudsec attendees, the roadmap ends too soon.

In my experience there is a set of technical capabilities and controls that companies should consider once they’ve “shipped the roadmap.” In this talk, I’ll take you on a rapid fire tour beyond Scott’s paved road, focusing on the problems you’ll encounter scaling a cloud security program. A key framework will be “build versus buy,” and the talk will be opinionated about where cloud security teams can fall into the trap of undifferentiated work.

The goal is to walk away with a clear view of the possibilities at the leading edge of cloud security, risk-informed guidance on priorities, and a crucial new reference for writing cloud security roadmaps.


Billions Served: Processing Security Event Logs with the AWS Serverless Stack

Theme: Infrastructure & superstructure
Video

Speaker

Josh Liburdi | Senior Security Engineer, Brex

Josh Liburdi is a security engineer and tech lead at Brex who focuses on threat detection, incident response, and distributed systems. He has more than a decade of industry experience and has worked at several diverse organizations, including Splunk, Target, and CrowdStrike. He is also a published author (Bluenomicon from Splunk, Huntpedia from Sqrrl) and is active in the open source security community and has contributed to many projects, including Substation at Brex (creator / lead), Strelka at Target (creator), and the Zeek network analysis framework.

Abstract

Security event and audit logs are a foundational requirement for threat hunting, threat detection, and incident response, but most security teams have little to no control over their data and rely on vendors who charge thousands of dollars per day for “log management.” There must be a better way!

In this talk we will discuss the challenges, best practices, and secrets for building large scale, affordable data processing systems using the AWS serverless stack, including how to choose the best streaming data storage service, techniques for real-time event enrichment on billions of logs, and optimizing for both speed and cost.


CloudFox + CloudFoxable: A Powerful Duo for Mastering the Art of Identifying and Exploiting AWS Attack Paths

Theme: Infrastructure & superstructure
Video

Speaker

Seth Art | Bishop Fox

Seth Art is a Principal Security Consultant and the Cloud Penetration Testing Lead at Bishop Fox. Before becoming captivated by Cloud Security and Kubernetes, Seth hacked on web applications, mobile applications, wireless networks, internal corporate networks, and even got paid to legally break into a few buildings.

Seth is the author of multiple open-source projects including CloudFox, IAM Vulnerable, Bad Pods, celeryStalk, Nodejs-SSRF-App, and PyCodeInjection. He has presented at security conferences including DerbyCon and BSidesDC, published multiple CVEs, and is the founder of IthacaSec, a security meetup in upstate NY.

Abstract

CloudFox helps penetration testers and security professionals find exploitable attack paths in cloud infrastructure. However, what if you want to find and exploit services not yet present in your current environment? What if you lack access to an enterprise AWS environment?

Enter CloudFoxable, an intentionally vulnerable AWS environment created specifically to showcase CloudFox’s capabilities and help you find latent attack paths more effectively. Drawing inspiration from CloudGoat, flaws.cloud, and Metasploitable, CloudFoxable provides a wide array of flags and attack paths in a CTF format.

In this talk, we’ll demonstrate some of CloudFoxable’s CTF challenges that “blur the lines”, including an IAM role that trusts a GitHub repository via OIDC, an SNS topic with an overly permissive resource policy that leads to remote code execution, and an exploit path that leads from a vulnerable AWS OpenSearch domain to a private GitHub repository with the flag.


Evading Logging in the Cloud: Disrupting and Bypassing AWS CloudTrail

Theme: Inside & Outside
Video

Speaker

Nick Frichette | Senior Security Researcher, Datadog

Nick Frichette is a Senior Security Researcher at Datadog, where he specializes in AWS offensive security. He is known for finding multiple zero-day vulnerabilities in AWS services and regularly publishing on new attack techniques. In addition to his research, Nick is the creator and primary contributor to Hacking the Cloud, an open source encyclopedia of offensive security capabilities for cloud environments. He is also a part of the AWS Community Builder Program, where he develops content on AWS security.

Abstract

AWS customers rely on CloudTrail for continuous monitoring and detection of security incidents within their cloud environments. However, what if an adversary were able to circumvent this crucial security layer, enabling them to perform stealthy reconnaissance and even alter the environment without leaving a trace?

In this talk I will discuss techniques seen in the wild to disable CloudTrail logging and how security teams can respond to this. In addition, I will cover multiple vulnerabilities that allowed me to bypass CloudTrail logging. I will go in depth as to how these vulnerabilities worked, and discuss how this research could potentially be applied to future bypasses. Security practitioners will come away with an understanding of both common and cutting edge log evasion techniques in AWS.
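The "how security teams can respond" half of the abstract, as an added example that is not the speaker's code: detection logic over raw CloudTrail management records that flags a trail being stopped, deleted, weakened or narrowed, and treats a denied attempt as a signal in its own right. The sample records are constructed in CloudTrail's shape with placeholder trail names and account IDs.

```python
"""Flag CloudTrail management events that disable, delete or narrow a trail.

Added example, not the speaker's code. The sample events are constructed in
CloudTrail's record shape; trail names and account IDs are placeholders.
"""

TRAIL_SETTINGS_THAT_MATTER = ("isMultiRegionTrail", "includeGlobalServiceEvents",
                              "enableLogFileValidation")


def classify(event):
    """Return (severity, reason) for one CloudTrail record, or None."""
    if event.get("eventSource") != "cloudtrail.amazonaws.com":
        return None
    name = event.get("eventName")
    params = event.get("requestParameters") or {}
    # StopLogging/DeleteTrail/UpdateTrail use "name"; PutEventSelectors uses "trailName"
    trail = params.get("name") or params.get("trailName") or "?"
    # A denied call is still worth an alert: someone tried.
    attempted = " (attempt, AccessDenied)" if event.get("errorCode") == "AccessDenied" else ""

    if name in ("StopLogging", "DeleteTrail"):
        return ("high", f"{name} on {trail}{attempted}")
    if name == "UpdateTrail":
        weakened = [k for k in TRAIL_SETTINGS_THAT_MATTER if params.get(k) is False]
        if weakened:
            return ("high", f"UpdateTrail weakened {', '.join(weakened)} on {trail}{attempted}")
        return ("medium", f"UpdateTrail on {trail}{attempted}")
    if name == "PutEventSelectors":
        selectors = params.get("eventSelectors") or []
        narrowed = not selectors or any(
            s.get("readWriteType", "All") != "All" or s.get("includeManagementEvents") is False
            for s in selectors)
        if narrowed:
            return ("high", f"PutEventSelectors narrowed coverage on {trail}{attempted}")
    return None


def scan(events):
    """List of (eventID, severity, reason) for every record that matters."""
    hits = []
    for e in events:
        hit = classify(e)
        if hit:
            hits.append((e.get("eventID"), hit[0], hit[1]))
    return hits


# Constructed sample records (not real log lines).
SAMPLE_EVENTS = [
    {"eventID": "1", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/Developer/alice"},
     "requestParameters": {"name": "org-trail"}},
    {"eventID": "2", "eventSource": "cloudtrail.amazonaws.com", "eventName": "UpdateTrail",
     "requestParameters": {"name": "org-trail", "isMultiRegionTrail": False}},
    {"eventID": "3", "eventSource": "cloudtrail.amazonaws.com", "eventName": "PutEventSelectors",
     "requestParameters": {"trailName": "org-trail",
                           "eventSelectors": [{"readWriteType": "ReadOnly",
                                               "includeManagementEvents": True}]}},
    {"eventID": "4", "eventSource": "cloudtrail.amazonaws.com", "eventName": "DescribeTrails"},
    {"eventID": "5", "eventSource": "cloudtrail.amazonaws.com", "eventName": "DeleteTrail",
     "errorCode": "AccessDenied", "requestParameters": {"name": "org-trail"}},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(*hit)
```

This catches the disabling techniques; it cannot catch the bypass class the talk covers, where the call never produces a record to match. For that, the compensating controls are the ones outside CloudTrail's control plane: an organization trail owned by a separate account, S3 object-lock on the log bucket, and telemetry such as GuardDuty and VPC flow logs that would show activity the trail missed.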


From 'huh?' to privilege escalation: finding vulnerabilities from a bug in the AWS console

Theme: Inside & Outside
Video

Speaker

Ben Bridts | AWS Technologist, Cloudar

Ben has been using AWS professionally since 2015 and, as an AWS Technologist at Cloudar, works with businesses ranging from start-ups to enterprises. Being part of a Premier AWS Consulting Partner, he provides architectural and operational support and shares his experiences along the way. He is also an AWS Authorized Instructor and gives AWS Classroom Training at The Campus.

He has a broad interest in serverless, automation and enabling builders. Currently, he counts CloudFormation, Lambda, and KMS among his favorite services. Still, he has a soft spot for everything related to operational tasks, like Systems Manager.

Sometimes Ben likes to use AWS APIs in non-standard ways. Previously he did that to turn public S3 buckets into AWS account IDs.

Abstract

Security research is not something that’s only done by dedicated teams and companies. Sometimes it will be a developer or platform engineer that makes the jump from “that’s not how I expect it to work” to “that’s not how it’s supposed to work”.

In this talk we’ll walk through the process we followed when we found strange behaviour in the AWS console, tried to debug what was going wrong, and ended up finding an API that didn’t check iam:PassRole correctly. We’ll see that in many cases the needs of a person who is debugging and those of a security researcher overlap, and that features like CloudTrail and documented APIs are useful resources for everyone.


Google Cloud Threat Detection: A Study in Google Cloud

Theme: Inside & Outside
Video

Speaker

Day Johnson | Security Engineer, Datadog

Day is a Security Engineer at Datadog where he researches and develops detections that protect Datadog’s customers from cloud threats. In his free time Day creates cybersecurity content on his YouTube channel (Day Cyberwox), where he provides technical and career resources. His passion for the cybersecurity industry makes him enjoy what he does to the fullest and drives him to continue to grow, become better at what he does, and help others break into the field.

Abstract

If you have ever read the Sherlock Holmes story ‘A Study in Scarlet’, there is a quote: “If you have all the details of a thousand misdeeds at your finger ends, it is odd if you can’t unravel the thousand and first.” What this tells us is that by studying known threat activity, we can guide our efforts in the development of threat detection content.

In this talk, we’ll delve into several real-world Google Cloud Platform (GCP) attacks and highlight how to use the available telemetry to identify and detect these attacks. In particular, we’ll dive into tactics used by threat actors such as lateral movement, privilege escalation, data exfiltration and the types of event logging to aid the detection process. At the end of the talk, attendees will better understand how to build targeted detections and enhance their overall security posture.


Helping developers drink from a champagne flute and not a firehose when it comes to cloud security

Theme: Infrastructure & superstructure
Video

Speakers

Tyson Garrett | CTO, TrustOnCloud

For over 12 years Tyson has been securing cloud environments, first his own at Packetloop (the first big data security analytics company that was 100% cloud based), then for customers while at AWS, where he worked with multiple service teams to help define the AWS Foundational Security Best Practices standard and the AWS Config conformance packs, in addition to other control guidance many AWS customers rely on. Now at TrustOnCloud, as well as being CTO, Tyson leads the Azure practice in researching threats and controls for Azure services.

Jason Nelson

Jason Nelson is an executive leader in the financial services industry.

He has spent his 20+ year career practicing information security as a penetration tester, security architect, manager, consulting advisor, and in many other roles performed around the world. His passion for information security in its many forms continues to evolve with each year. In the few hours away from information security, Jason likes to travel with his family to places warmer than Chicago.

Abstract

TrustOnCloud delivers comprehensive, continuously updated threat models of cloud services (such as Amazon SageMaker and Google BigQuery), empowering the Citi Threat Modelling team to swiftly assess and onboard cloud services. This approach enables developers within Citi to consume secured cloud services for the applications built on them while not overwhelming them with complicated service configurations and platform controls. Attendees of this talk will come away with approaches to staying up to date with new threats and controls in the cloud, managing this information, and how to make it digestible for developers in a way that will help them think more deeply about the security of their applications.


How Citi advanced their containment capabilities through automation

Theme: Control & data
Video

Speakers

Damien Burks | Cloud Security Engineer - VP, Citi

Damien Burks (he/him) is an accomplished cybersecurity expert and software developer based in the Dallas-Fort Worth (DFW) Metroplex. With an analytical mind and a talent for problem-solving, he is an established leader in Cloud Security and DevOps. He has held various roles in his career, with the most recent being Cloud Security Engineer - VP at Citi. At Citi, he designed and built CLI tools to enhance custom security frameworks within AWS. In addition, he has designed and built a CLI tool using boto3 libraries to improve the user experience of the custom security framework, formally known as the Cloud Containment Automation Framework.

Damien maintains DataCop and AWSome-Honey-Pot as an open-source developer while contributing to Open Policy Agent (OPA) and Python Fire. As an AWS Community Builder, he also creates and publishes cloud security content such as articles, YouTube videos, and blog posts. In addition to community contributions, he has spoken at several conferences throughout his career, which include DevOpsDays Dallas, BSides DFW, and FS-ISAC FinCyber Today.

Excelling in his studies and professional training, Damien holds a Master of Science in Cybersecurity Technology from the University of Maryland Global Campus (UMGC). In addition, he has several licenses and certifications across multiple cloud service providers such as AWS and GCP. When not working, or studying, Damien is a mentor to BIPOC LGBTQ+ tech professionals who wish to break into the tech industry. His hobbies include playing video games, attending local car meets within the DFW Metroplex, and spending time with his partner, and their two cats.

Elvis Veliz

Elvis is a passionate and dedicated leader in the field of cyber security and Cloud. He has been working with Citibank for the past 10+ years and has held multiple roles in cybersecurity. Due to his extensive expertise and due diligence in the field, he currently leads a multi-disciplinary team of teams as the Global Head of Cloud Security Operations.

Elvis is adept at driving cybersecurity services and solutions that enable Citi to securely adopt private, hybrid, and public cloud platforms. His most notable achievements as the Global Head of Cloud Security Operations include establishing robust cross-functional partnerships with teams building NexGen Cloud applications. Elvis is a natural team player who has helped teams embed and operate security controls across the Identify, Protect, Detect, and Recover cybersecurity pillars.

Elvis’ drive for being a skilled Cloud security professional has prompted him to acquire dozens of industry certifications across various cloud providers and technologies. Prior to his role as Global Head of Cloud Security Operations, Elvis worked at Citi for 7+ years in Cyber Security offensive capabilities. Starting off as a penetration tester, he helped build and eventually led the Citi Red Team, an advanced penetration testing team in charge of assessing the enterprise’s security posture (people, processes, and technology) through adversary emulation.

Elvis excelled in his studies at Florida International University (FIU) where he earned a Master of Science degree in Management Information Systems (MIS) and a Bachelor of Science in Computer Science from Florida International University.

Abstract

Incident response is critical to the reliability and security of AWS environments. Citi implemented a highly scalable cloud incident response framework, supporting 28 AWS services, designed specifically for its AWS environment. By automating and orchestrating the NIST incident response plan with AWS Step Functions and AWS Lambda, Citi has significantly improved its response time to security incidents, cutting containment actions by an average of 5 hours and eliminating the risk of human error in them. Using real-world scenarios and examples, attendees will learn how to leverage AWS Step Functions and core AWS services to design and build scalable incident response solutions.


How do you set boundaries? i.e. AWS Permissions boundaries in large cloud environments

Theme: Inside & Outside
Video

Speaker

Kushagra Sharma | Senior Platform Security Engineer, Booking.com

Kushagra is a Senior Platform Security Engineer at Booking.com in the cloud security space. He previously worked with FinTech scale-ups and in the consulting industry, architecting and building solutions in hybrid cloud environments and tackling regulated cloud environments with the goal of making security frictionless. A strong believer in a cloud-first strategy with a cloud-native approach.

Abstract

You often hear about “security” creating friction during cloud adoption, especially in large regulated organizations, where setting boundaries is a challenge amid a myriad of requirements from risk and compliance teams, and it doesn’t get easier as you work your way through the AWS IAM universe.

But there is always a eureka moment, and for us it was AWS permissions boundaries. In this talk we’ll show how central security teams can empower development teams to focus on faster cloud adoption and delivering value to the business, while security teams build boundaries into their security baseline and move towards a self-service IAM model.

There are always security exceptions, and a “one size fits all” boundary sounds impossible, right? We will show how at Booking.com we build “flavored” permissions boundaries on the fly to handle edge cases and AWS account-level exceptions, making every account’s boundary unique yet secure, and highlight some of the challenges we overcame along the way.
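One way to build and check a per-account boundary of the kind the abstract describes, as an added example that is not Booking.com's implementation: a baseline boundary is generated per account (the boundary ARN is account-specific, which is why each account needs its own copy), an exception list adds an account-specific Allow, and a lint pass makes sure no flavor reopens the classic escalation of creating or modifying an identity without the boundary, or of removing or rewriting the boundary itself. Account IDs, the policy name and the exception lists are constructed.

```python
"""Build a per-account 'flavored' permissions boundary from a baseline plus
account exceptions, and lint the result so flavoring never reopens the
classic escalation (creating an identity without the boundary).

Added example, not Booking.com's implementation. Account IDs, the boundary
name and the exception lists are constructed.
"""
import copy
import fnmatch
import json

BOUNDARY_NAME = "PlatformBoundary"  # assumed policy name
# IAM writes that accept the iam:PermissionsBoundary condition key.
IAM_WRITE = ["iam:CreateRole", "iam:CreateUser", "iam:PutRolePolicy",
             "iam:AttachRolePolicy", "iam:PutRolePermissionsBoundary"]


def boundary_arn(account_id):
    # Account-specific, so a boundary copied to another account breaks.
    return f"arn:aws:iam::{account_id}:policy/{BOUNDARY_NAME}"


def baseline(account_id):
    arn = boundary_arn(account_id)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "BaselineAllow", "Effect": "Allow",
             "Action": ["s3:*", "lambda:*", "logs:*", "dynamodb:*", "sqs:*"],
             "Resource": "*"},
            # IAM writes only when the new/changed identity carries this boundary.
            {"Sid": "IamOnlyWithBoundary", "Effect": "Allow",
             "Action": IAM_WRITE, "Resource": "*",
             "Condition": {"StringEquals": {"iam:PermissionsBoundary": arn}}},
            # Nobody inside the boundary may strip it from an identity...
            {"Sid": "NoBoundaryRemoval", "Effect": "Deny",
             "Action": ["iam:DeleteRolePermissionsBoundary",
                        "iam:DeleteUserPermissionsBoundary"],
             "Resource": "*"},
            # ...or rewrite the boundary policy itself.
            {"Sid": "NoBoundaryEdit", "Effect": "Deny",
             "Action": ["iam:CreatePolicyVersion", "iam:DeletePolicy",
                        "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion"],
             "Resource": arn},
        ],
    }


def flavor(account_id, extra_actions):
    """Baseline plus an account-specific Allow for approved exceptions."""
    policy = copy.deepcopy(baseline(account_id))
    if extra_actions:
        policy["Statement"].append(
            {"Sid": "AccountException", "Effect": "Allow",
             "Action": sorted(extra_actions), "Resource": "*"})
    return policy


def _as_list(v):
    return v if isinstance(v, list) else [v]


def lint(policy, account_id):
    """Return a list of problems; empty means the flavored boundary is safe."""
    arn = boundary_arn(account_id)
    problems = []
    sids = {s.get("Sid") for s in policy["Statement"]}
    for required in ("NoBoundaryRemoval", "NoBoundaryEdit"):
        if required not in sids:
            problems.append(f"missing {required}")
    for s in policy["Statement"]:
        if s["Effect"] != "Allow":
            continue
        actions = _as_list(s["Action"])
        if any(a in ("*", "iam:*") for a in actions):
            problems.append(f"{s.get('Sid')}: wildcard admin grant")
        cond = s.get("Condition", {}).get("StringEquals", {}).get("iam:PermissionsBoundary")
        for a in actions:
            # `a` may itself be a wildcard pattern such as iam:Create*
            if any(fnmatch.fnmatchcase(w.lower(), a.lower()) for w in IAM_WRITE) and cond != arn:
                problems.append(f"{s.get('Sid')}: {a} allowed without boundary condition")
                break
    return problems


if __name__ == "__main__":
    acct = "111122223333"
    print(json.dumps(flavor(acct, ["kinesis:*"]), indent=2))
    print(lint(flavor(acct, ["iam:*"]), acct))
```

Two things the lint encodes that are easy to forget: a boundary caps only identity-based permissions (resource policies and SCPs are evaluated separately), and the `iam:PermissionsBoundary` condition has to name the exact ARN, so the same policy document is not portable between accounts; that is the practical reason a per-account generator is needed rather than a single shared boundary.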


I Trusted You: A Demonstrated Abuse of Cloud Kerberos Trust

Theme: Inside & Outside
Video

Speakers

Daniel Heinsen | Cloud Security Researcher, SpecterOps

Daniel Heinsen is a red team operator, offensive tools developer, and security researcher at SpecterOps. Prior to working at SpecterOps, Daniel spent over 10 years within the U.S. Department of Defense as a software developer and capabilities specialist. Daniel has experience in offensive tool development, Windows internals, and web application exploitation. Since joining SpecterOps, Daniel has directed his research focus to novel initial access vectors and AWS. He maintains several projects at https://github.com/hotnops and posts to his blog at https://medium.com/@hotnops.

Elad Shamir | SpecterOps

Elad is a cybersecurity professional primarily focused on security research and delivering offensive security services. His global career has spanned from Israel to Australia, and now finds him in the United States, where he is a member of the renowned SpecterOps team.

Elad excels in identifying security flaws in complex systems and weaponizing intended functionality for offensive capabilities, with particular prowess in Windows and Active Directory environments. Throughout his journey, Elad has remained committed to learning, refining, and sharing his knowledge and expertise to better secure organizations in an ever-evolving cyber threat landscape.

Abstract

Microsoft has introduced a variety of protocols to address the problem of authenticating seamlessly to both Azure AD and on-premises AD. In the Windows Hello for Business setup, Cloud Kerberos Trust lets users authenticate to Azure AD and still access resources protected by legacy authentication mechanisms such as Kerberos. While this deployment model offers greater convenience, the ability to forge authentication material is delegated to Azure AD, and attackers can abuse that ability to breach the cloud/on-premises security boundary in a variety of ways. In this talk, we will discuss the implications of entrusting an external entity with such a sensitive capability and the existential issue of synchronizing data between two equally important sources of truth. We will demonstrate how an attacker can abuse Cloud Kerberos Trust to authenticate as non-synced on-premises users, violating the security boundary between Azure AD and Active Directory and showing that attackers do not need to rely on a misconfiguration such as an administrator being synced to Azure AD. Lastly, we will discuss how to mitigate the issue and how to identify potential misconfigurations that may lead to issues unique to your environment.


IMDS: The Gatekeeper to Your Cloud Castles (And How to Keep the Dragons Out)

Theme: Inside & Outside
Video

Speakers

Liv Matan | Security Researcher, Ermetic

Liv Matan is a cloud security researcher at Ermetic, where he specializes in application and web security. He previously served in the 8200 Intelligence Corps unit as a software developer. As a bug bounty hunter, Liv has found several vulnerabilities in popular software platforms, such as Azure web services, Facebook and Gitlab. In his free time, Liv boxes, lifts and plays Capture the Flag (CTF). Liv studied computer science at the Weizmann Institute of Science, in Israel.

Lior Zatlavi | Sr. Cloud Security Architect, Ermetic

Lior Zatlavi has over 15 years of experience in cyber security, having spent most of that time working as a security architect, product manager and developer for the Israeli government. Lior served in an elite cyber security unit of the IDF (retired Major), after which he worked in a cyber security division of Israel’s Prime Minister’s Office. After leaving the public sector, Lior worked as an independent consultant specializing in cloud security and identity management. Lior holds a B.Sc. in Applied Mathematics from Bar-Ilan University (Cum Laude) and an M.Sc. in Electrical Engineering from Tel Aviv University.

Abstract

Most of us know IMDS as a tool for seamlessly maintaining and supplying credentials for applications running on instances to access resources in cloud environments. However, a deep understanding of IMDS implementations across cloud providers is what separates the security novices from the advanced practitioners - and can be crucial for the security of your cloud environment.

During this talk we’ll take a deep dive into the protections offered by different cloud service providers for the IMDS used by computing instances, and how they have evolved over time. We’ll demonstrate how these mechanisms could mean the difference between a critical and non-critical vulnerability, through the story of a real-life vulnerability we found in a leading cloud provider. We’ll talk about the customer’s part of the shared responsibility model in this context - and how that must evolve as well.

We’ll demonstrate how vulnerable software may be leveraged by an attacker to gain access to credentials and talk about the kind of compensating controls which may be used to mitigate this risk.
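Added example, not the speakers' code: the customer-side check that the shared responsibility paragraph points at. It audits the `MetadataOptions` block of `ec2:DescribeInstances` output for instances that still answer IMDSv1 requests or let IMDSv2 token responses travel beyond the host, and shows the IMDSv2 exchange (PUT for a token, then GET with the token header) that an application has to perform once v1 is turned off. The DescribeInstances-shaped sample is constructed.

```python
"""Audit EC2 instance metadata options for IMDSv1 exposure, and show the
IMDSv2 request shape an application must use.

Added example, not the speakers' code. The DescribeInstances-shaped
sample below is constructed.
"""
import json
import urllib.request

IMDS = "http://169.254.169.254"


def imds_findings(instance):
    """Findings for one instance dict as returned by ec2:DescribeInstances."""
    opts = instance.get("MetadataOptions", {})
    findings = []
    if opts.get("HttpEndpoint") == "disabled":
        return findings  # no IMDS at all, nothing for an SSRF to reach
    has_role = "IamInstanceProfile" in instance
    if opts.get("HttpTokens") != "required":
        findings.append(
            ("critical" if has_role else "medium",
             "IMDSv1 allowed (HttpTokens != required): a plain GET reachable "
             "through SSRF or an open proxy returns the role credentials"))
    hop = int(opts.get("HttpPutResponseHopLimit", 1))
    if hop > 1:
        findings.append(
            ("low", f"PUT response hop limit {hop}: token responses can travel "
                    f"beyond the host network stack (e.g. bridge-networked containers)"))
    return findings


def scan(describe_instances_output):
    """Map InstanceId -> findings for every instance with at least one."""
    report = {}
    for reservation in describe_instances_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            found = imds_findings(inst)
            if found:
                report[inst["InstanceId"]] = found
    return report


def fetch_role_credentials_v2(role_name, ttl=60):
    """IMDSv2 exchange: PUT with the TTL header yields a session token that
    the GET must present. Talks to the real IMDS, so it only works on EC2."""
    req = urllib.request.Request(
        f"{IMDS}/latest/api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": str(ttl)})
    token = urllib.request.urlopen(req, timeout=2).read().decode()
    req = urllib.request.Request(
        f"{IMDS}/latest/meta-data/iam/security-credentials/{role_name}",
        headers={"X-aws-ec2-metadata-token": token})
    return json.loads(urllib.request.urlopen(req, timeout=2).read())


# Constructed sample in DescribeInstances shape (not real account data).
SAMPLE = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/web"},
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                         "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0bbb",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                         "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0ccc",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/batch"},
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                         "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0ddd",
     "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
]}]}

if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE), indent=2))
```

The severity split is the point: the same SSRF bug is critical on `i-0aaa`, where one GET returns role credentials, and far less so on `i-0ccc`, where the attacker would need to make a PUT with a custom header and then replay the returned token, which most SSRF and proxy primitives cannot do. That is the kind of difference the abstract refers to, and it is entirely in the customer's hands to set.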


IYKYK: Negotiating the Scope of Security Audits (Even if You DREAD Compliance)

Theme: Control & data
Video

Speakers

Jasmine Henry | Senior Director of Data Security and Privacy, JupiterOne

Jasmine is an inadvertent career specialist in security data, data security, and privacy for cloud-native startups. She is the current Senior Director of Data Security and Privacy at JupiterOne and a former Security Director at other high-tech startups. As a permanent student, Jasmine is finishing her PhD in Computer & Information Science with a focus on Information Quality at University of Arkansas, Little Rock. She loves Furiosa, WNBA, and her black rescue cat Nandor.

George Tang | Director, JupiterOne

https://www.linkedin.com/in/georgetang/

Abstract

Death, taxes, and cybersecurity audits are inevitable for most of us. Chances are, you will have to participate in an external cybersecurity audit at some point. Luckily, learning to control your audit scope is a game changing skill for everyone in cyber (perhaps especially folks who dread compliance and those who struggle to scale compliance to cloud). Negotiating scope will protect you from seemingly outdated audit requirements or evidence requests that feel pointless!

This session is formatted as an interactive mock negotiation between two industry experts, a frazzled cybersecurity pro and a seasoned SOC 2 auditor, who negotiate the scope of controls for a fictional cloud-native company. Collectively, the speakers have over two decades of experience in their respective roles, so you can watch them redline notes on a control list and hear them explain their positioning. Will the cloud cyber pro prevail against the big-firm audit CPA that’s auditing her security? Can she avoid burnout and death by evidence requests?

Attend this session to learn critical skills in security audit scope negotiation for cloud-native environments!


Incident Response Game Day Challenge

Theme: Odds & Ends

Speakers

Will Bengtson

Will Bengtson is the Head of Security Engineering at HashiCorp focused on security engineering, operations, and tooling. Prior to HashiCorp, Bengtson has a background in security and has worked at many large tech companies, such as Netflix, solving security problems at scale. In his spare time, Bengtson enjoys research, bourbon, and traveling.

Rich Mogull | FireMon

Cloud security miscreant for far too long. But officially…

Rich is the SVP of Cloud Security at FireMon, where he focuses on leading-edge cloud security research and implementation. Rich joined FireMon through the acquisition of DisruptOps, a cloud security automation platform based on his research while CEO of Securosis. He has over 25 years of security experience and currently specializes in cloud security and DevSecOps, having started working hands-on in cloud over 10 years ago. He is also the principal course designer of the Cloud Security Alliance training class, primary author of the latest version of the CSA Security Guidance, and actively works on developing hands-on cloud security techniques. Prior to founding Securosis and DisruptOps, Rich was a Research Vice President at Gartner on the security team. Before his seven years at Gartner, Rich worked as an independent consultant, web application developer, software development manager at the University of Colorado, and systems and network administrator.

Rich is the Security Editor of TidBITS and a frequent contributor to industry publications. He is a frequent industry speaker at events including the RSA Security Conference, Black Hat, and DEF CON, and has spoken on every continent except Antarctica (where he’s happy to speak for free, assuming travel is covered).

Abstract

Come test your cloud incident response skills and see how high you score on our live-fire training range that simulates real-world attacks. Come alone or bring your team: we issue you a fully instrumented AWS account and start hitting you with a timed series of attacks. Don’t worry if you’re new; the attacks scale to your skill level, and our instructors will be right there to teach in a fun game-day environment.


It's Just a Name, Right?

Theme: Inside & Outside
Video

Speaker

Nathan Eades | Sr. Threat Researcher, Permiso

Experienced engineer in threat detection and threat research, I have an abundance of knowledge gained from years of actively uncovering, constructing, scrutinizing, and validating security measures across leading cloud service providers.

In addition, I have successfully designed and managed well known Security Information and Event Management (SIEM) platforms, effectively implemented data loss prevention initiatives, executed comprehensive risk assessments, and consistently engage in coding endeavors through various personal projects.

I’m dedicated to advancing cloud security and have a commitment to staying at the forefront of industry trends. I am thrilled to share my insights and experiences with my peers.

Abstract

Permiso’s p0 labs is privileged to have access to diverse data sets that enable the identification of interesting forms of attack, obfuscation, and anomalies. While cloud service providers like AWS allow for broad naming inputs to identities and resources, this approach can lead to some unforeseen consequences. In this talk, we will explore different scenarios we’ve discovered through our research that highlight how the loose nature of AWS’s naming conventions allows for inputs that can negatively affect detection capabilities and potentially obscure an attack.

Throughout the presentation, I will provide a breakdown of the potential consequences of these scenarios, including their impact on detection and the possible motivations behind them. Additionally, I will discuss a case in which an instance of broad input generated false positive detections in an environment years later. By analyzing these scenarios, we hope to provide insights into the importance of keeping your eyes open when reviewing logs, spark some ideas of your own, and maybe help you down the path to find similar instances in your own environments.


MITRE ATT&CK® for Cloud: Challenges and Opportunities

Theme: Birds-of-a-feather, business & behind-the-scenes "balk talks"

Speakers

Casey Knerr | Cybersecurity Engineer, MITRE

Casey Knerr is a cybersecurity engineer at MITRE and a member of the MITRE ATT&CK for Enterprise team, where she provides cloud expertise updating the ATT&CK knowledge base with novel defensive ideas and adversary techniques. Prior to joining MITRE, she worked as a penetration tester and completed a BSFS in Science, Technology, and International Affairs at Georgetown University and an MSc in Computer Science at the University of Oxford. Her specialties and interests include web development, web and cloud security, and international cyber policy. In her spare time, she can often be found flying stunt kites or playing Dungeons & Dragons.

Jesse Griggs | MITRE

Jesse Griggs is a Cyber Operations Lead at The MITRE Corporation and a member of the MITRE ATT&CK for Enterprise team focusing on improving the ATT&CK for Cloud knowledge base. He supports various projects providing threat hunting expertise on systems ranging from offline to cloud. Outside the lab, he likes to spend his time sailing or playing board games, though typically not at the same time.

Abstract

In 2019, ATT&CK - a free, globally accessible knowledge base of adversary tactics and techniques - released its Cloud Matrix to capture the increasing threats targeting organizations’ cloud-based technologies. Since then, we’ve discovered that behaviors easily mapped to techniques in “traditional” on-prem spaces don’t always fit into the same neat boxes in the cloud.

For example, in a cloud environment, what distinguishes collection (in which the adversary gathers data of interest) from data exfiltration (in which the adversary steals data from the target network) - especially when adversaries can directly view and download sensitive information via the CLI or web console? What happens when traditional persistence methods, such as adding roles to users, end up also resulting in privilege escalation due to the complexity of cloud permissions? What is lateral movement in the cloud, and can it also exist within a tenant as well as between tenants, or between a tenant and a corresponding on-premises environment? And what distinguishes execution in the cloud from execution in a cloud-hosted instance?

Join two members of the ATT&CK for Cloud team for a group discussion as we try to work through these issues and determine how to better capture and ultimately defend against adversary behaviors in the cloud.


Operationalizing GCP's Asset Inventory for Cloud Enlightenment

Theme: Inside & Outside
Video

Speakers

Randy Heins | Security Engineer, Nuro

Randy Heins is a cyber security engineer at Nuro focused on detection and prevention of advanced threat activity. He enjoys making novel detection systems work at scale to answer difficult questions.

Jeffrey Zhang | Security Engineer

TBD

Abstract

Security engineers at Nuro will demonstrate how they have extended GCP’s native Cloud Asset Inventory to gain better awareness of their cloud environment to improve incident response time, reduce cloud costs, and allow for better resource planning. They will demonstrate the benefits of their custom application, CLARITY, which streamlines inventorying efforts to improve situational awareness.


Passing The Security Burden - How To See The Unforeseen

Theme: Control & data
Video

Speaker

Matthew Keogh | WithSecure

Matt is a Security Consultant at WithSecure with a keen focus on all things cloud. He has several years’ experience building and securing enterprise applications at scale. Prior to joining the security industry Matt worked in systems operation assisting organizations to move large applications from on premise into the cloud.

Outside of work Matt likes to travel and go on long walks with his dog Max.

Abstract

What really happens when you start using a new service within your cloud estate? This talk will look at how services can introduce risks into a cloud estate when part of their functionality is dependent on existing services, whether this be in your own account/tenant or a provided controlled one. Specifically, we will break down the AWS Elastic Disaster Recovery service and demonstrate how a service that, on the outside appears to safeguard resources by ensuring they are backed up, can be used for malicious purposes due to its dependency on the EC2 service. By the end of the talk, you will have identified how to spot the not so common security concerns that can be raised when using a new service and have a clear process to follow when reviewing new services in the future.


Patterns in S3 Data Access: Protecting and enhancing access to data banks, lakes, and bases

Theme: Control & data
Video

Speaker

Josh Snyder

Josh is a software engineer whose specializations include infrastructure automation, databases, and cryptography. His recent work has focused on software supply chain and infrastructure security.

Abstract

Large scale heterogeneous data sets cannot always be locked down using readily available tools, like AWS IAM. With some understanding of how access is provisioned and requests are signed, however, we can build a dynamic control plane that provides access to data in a flexible and highly auditable manner that is compatible with least privilege. This talk will cover techniques for providing just-in-time access to data in any cloud datastore, with primary focus on Amazon’s S3 and Google’s GCS object stores.


Pivoting Clouds in AWS Organizations

Theme: Infrastructure & superstructure
Video

Speaker

Scott Weston | Senior Security Consultant, NetSPI

Scott Weston is a remote Senior Security Consultant at NetSPI based out of San Diego, CA. He has 2-3 years of experience in information security/pentesting with his involvement including general web applications, GraphQL, and cloud environments (specifically AWS). He has contributed to the open-source AWS pentesting tool, Pacu, by adding an enumeration module for AWS Organizations. He also created a large AWS deck designed for beginners to present to his local San Diego Defcon group located here. He has participated in some bug bounties/VDPs and is mentioned on the International Committee of the Red Cross (ICRC) hall of fame. In his spare time, he enjoys pursuing individual bug bounties and interesting avenues of pentesting.

Abstract

AWS Organizations is a service offered by AWS that allows a user to logically bind together a large number of AWS accounts under one “organization”. While this helps for organizational purposes, it presents several unique pathways for a pentester allowing one to tunnel through the inherent boundaries that might exist in a single AWS account. Using AWS Organizations, I show how one can turn a single account takeover into a multi-account takeover drastically increasing the blast radius. The talk hopes to provide both a technical perspective and abstract-enough overview to be useful to both in-the-weeds pentesters and general managers/business owners alike.

The talk covers:

  • AWS Organization overview
  • Easy way to pivot to member account (account creation)
  • Trusted access & delegated administration overview
  • Using trusted access & delegated administration to indirectly/directly access member accounts
  • A new Organization security feature released late last year + security implications
  • An overview of available tooling created by the speaker to assist in enumerating organizations in the open source tool Pacu.


Rolling out AWS Infrastructure Everywhere with Space Ships

Theme: Infrastructure & superstructure
Video

Speaker

Mike Grima | Staff Cloud Security Engineer, Gemini

My name is Mike Grima. I’m a Staff Cloud Security Engineer at Gemini. Prior to Gemini, I was a Senior Cloud Security Engineer at Netflix for several years. Cloud Security is a topic that I am very passionate about, and I love building open source tools to help solve very large scale security issues in the cloud.

Abstract

AWS Organizations lacks a lot of the features that cloud security engineers need. It often lacks support for rolling out security specific infrastructure that you need where you need it. Unfortunately, there is also a lack of good open or closed source options available for security engineers to roll out infrastructure wide components. Often, security engineers and developers have to build out their own quick and dirty and bespoke scripts to accomplish these tasks. In this talk, we discuss the problem space in greater depth and how we are working around this problem. We have also built an open source project called Starfleet that solves the problems in this space that you can use without having to start from scratch. Starfleet is a whole infrastructure AWS automation framework that allows you to easily run workloads with AWS account and region context. This enables security engineers to place infrastructure components everywhere they need it, and configured exactly how they need it; guaranteed without drift. More details on Starfleet can be found here: https://gemini-oss.github.io/starfleet/


Scanning the internet for external cloud exposures

Theme: Control & data
Video

Speakers

Nir Ohfeld | Security Researcher, Wiz

Nir Ohfeld is a 25-year-old senior security researcher at Wiz. Ohfeld focuses on cloud-related security research and specializes in research and exploitation of cloud service providers, web applications, application security, and in finding vulnerabilities in complex high-level systems. Ohfeld and his colleagues disclosed some of the most notable cloud vulnerabilities, including ChaosDB and OMIGOD.

Hillai Ben-Sasson | Security Researcher, Wiz

Hillai Ben-Sasson is a security researcher based in Israel. As part of the Wiz Research Team, Hillai specializes in research and exploitation of web applications, application security, and finding vulnerabilities in complex high-level systems.

Abstract

Remote hacking of traditional web applications is a widely-discussed topic with many tools and resources. However, penetration testing of publicly exposed cloud resources remains uncharted territory. Many devastating configuration mistakes can go unnoticed simply because of a lack of proper scanning tools. In this talk, we will demonstrate practical approaches to scanning and exploiting exposed cloud resources by showcasing newly developed methodologies for discovering these issues from external sources.

This session will cover several cloud services that may be erroneously configured as publicly accessible, including AWS and Azure’s queues, notification channels, managed identity providers, and different managed storage. We will examine how each of these services can inadvertently be made available to the public, how to scan for them externally, and potential exploitation methods.

Furthermore, we will provide statistics on the prevalence of exposed services found on the internet and our assessment of the issue’s scale.

Join us to learn how to scan and map any organization’s external cloud exposure, finding misconfigurations and vulnerabilities at scale.


Stop the Bulldozers: Hardening the AWS CDK deployment process

Theme: Infrastructure & superstructure
Video

Speaker

Dawn Cooper

Dawn likes to tinker with cloud infrastructure and security, and regularly goes down rabbit holes in a futile search for ways to develop systems that are both reliable and impenetrable. As well as accidental accessibility advocacy, Dawn can regularly be found sharing knowledge within the Melbourne cloud infrastructure and DevOps communities.

Outside work, Dawn is an occasional author, kitchen alchemist, and raging sportsball fan.

Abstract

As companies migrate to the cloud, it’s common to see uplift projects with the goal of deploying everything as Infrastructure as Code. AWS CDK has been widely adopted since it launched in 2019, partly because it allows dev teams to set up and deploy infrastructure using the programming languages that they’re familiar with.

However, unlike most other IaC tools out there, CDK relies on a bootstrapping process which is typically done via CLI. The roles created by this process are highly privileged by default, which introduces the risk of privilege escalation issues.

In this talk, we’ll look at a few different ways to reduce the attack surface of the default CDK roles, and enforce least privilege access for AWS resource deployment.


Success Criteria for your CSPM

Theme: Control & data
Video

Speaker

David White | Senior Cloud Security Engineer, Nextdoor

David is a cloud security engineer who enjoys writing code, solving problems and leaving environments more secure than he found them.

When not working or tinkering, David can be found going on road-trips and visiting new places.

Abstract

CSPM vendors are a dime a dozen, and all of them claim they can do all the things. Buy this product, write the check, send the money and you’re all done, right? Wrong!

Every environment is different and it is important to make the right choice when choosing a CSPM provider. But what goes into making that choice? Are you making the right choice and investment and do you feel good about it?

In this talk, I will discuss our CSPM evaluation matrix, things we found as we were comparing vendors, and give tips from the trenches on what to look for in your own tooling. By the end of this talk, you will be asking if your tooling/vendored CSPM solution is meeting all of your needs.


Swimming with the Sharks. IR Kubed.

Theme: Infrastructure & superstructure
Video

Speakers

Nathan Case | Datadog

Nathan Case is a successful executive and builder, pushing for change in security and the culture surrounding it. Leading strategic initiatives and the creation of new technologies in the healthcare, information technology and cloud industries, focusing on security. A passion for Incident Response, and operational security in all forms. Pushing the bounds of threat detection and response.

Alon Girmonsky

A repeat entrepreneur and an open-source enthusiast with a relentless passion for building dev-tools. Ex Founder and CEO of BlazeMeter, the performance and load testing company that was acquired by CA technologies in 2017, and now the co-creator of Kubeshark, the API traffic Analyzer for Kubernetes.

Abstract

Kubernetes (K8s) poses unique challenges during incident investigation, API debugging, threat hunting, and detection. In this talk attendees will see an immersive exploration of incident response inside Kubernetes focusing on three common indicators of compromise: increased API throughput, suspicious payloads on ingress, and known bad IPs communicating with pods. We’ll cover API logging, network monitoring, and best practices for preparing your pods for security incidents.

Network overlays and service meshes, like Istio, also introduce additional layers of complexity which make it difficult to keep an accurate record of traffic inside of a K8s cluster. Just having VPC flow logs or traditional network monitoring is often not enough. We’ll take a look at the pros and cons of implementing overlays and how they can lead to observability blind spots that could leave you in the dark in the event of an incident.

Whether you’re a seasoned K8s user or just starting out, don’t miss this opportunity to look at K8s configuration and operation from the perspective of a seasoned incident responder.


Tales From the Sewer: A plumber's view of building a data security platform

Theme: Control & data
Video

Speaker

Christopher Webber | Director of Engineering, IT/Product Operations, Open Raven

Christopher Webber is an experienced Director of Engineering with a strong background in cloud computing, particularly with AWS. As the Director of Engineering for Product and IT Operations at Open Raven, he oversees the company’s cloud infrastructure including its numerous Kubernetes clusters. Previously, Christopher managed SRE teams at Tenable and has worked with cloud platforms at Chef, Demand Media, and UC Riverside. He was also an early participant in the DevOps movement and has a deep understanding of management practices in technology organizations. In addition to his professional work, Christopher is a devoted family man and an active member of Rotary, participating in various community events, including providing music as DJ Dad at his children’s events.

Abstract

Over the last four years Open Raven has been building a data security platform for the cloud. During that time I have been tasked as the Head of Operations to not just run the platform but also be one of our subject matter experts. From $40,000 mistakes in S3, Lambda pooping out logs like rabbits, and other crazy adventures around IAM, we will dive into a number of the technical lessons learned and touch a bit on the weird edge cases that scare me.


The Good, the Bad, and the Vulnerable: A comprehensive overview of vulnerabilities in cloud environments

Theme: Inside & Outside
Video

Speakers

Amitai Cohen | Wiz

Amitai is a Threat Researcher at Wiz (a cloud security company), where he investigates cloud threats and works to advance research and detection methodology. His background is in cyber threat intelligence analysis and writing, and he enjoys learning new things about science and technology, making diagrams to help him better understand these things, contemplating the philosophy of science (and cyber), reading science fiction and fantasy (or diving into wiki rabbit holes), and marveling at gadgets.

Merav Bar

Merav is a threat analyst in the Wiz Threat Research team. Merav specializes in vulnerability analysis, threat intelligence, researching emerging threats, and creating proactive detections to stop and prevent new security risks. She’s also pursuing a degree in History.

Abstract

As our world continues to shift from on-premises environments to cloud environments, the impact and nature of vulnerabilities also change.

In this session, we will examine the top vulnerabilities of 2022 and see how they affected the cloud - when might an otherwise critical vulnerability pose minimal risk to cloud environments? What does a critical cloud vulnerability even look like? Through the analysis of cloud, application and OS vulnerabilities, attendees will gain a deeper understanding of the factors that make vulnerabilities less or more significant in cloud environments.


The Ground Shifts Underneath Us

Theme: Birds-of-a-feather, business & behind-the-scenes "balk talks"

Speaker

Brandon Sherman 👾 | Cloud Security 👾, Temporal Technologies Inc.

Brandon has been working in cloud security for long enough, he remembers when it was possible to know all the services AWS had (it did require counting on his fingers and toes). Currently, he is on the Security team at Temporal Technologies, Inc. where he is securing a system which strives to be as reliable as running water. Previously, Brandon did cloud mischief at Twilio and Intuit.

Brandon has a habit of jamming emojis into any text field he can find because it passes for an admittedly strange form of “fun”. When not laying hands to keyboards, you can probably find him geeking out about — and working on — cars. After an altercation with himself, he is part mechazombie. While waiting for the future, you can find him teaching anyone who will listen they can be a “security person” too.

Abstract

One of the hardest parts of working in a cloud environment is the unstable ground we build on. While the APIs themselves are usually quite stable, the actual implementation of those APIs in the cloud provider’s systems can — and do — frequently change. What were once safe assumptions and architectures can, and have, been broken by updates to services.


The Ins and Outs of Building an AWS Data Perimeter

Theme: Inside & Outside
Video

Speaker

John Burgess | Stripe

John Burgess is a cloud security engineer at Stripe, where he builds centralized security controls to maintain strong security invariants in an environment with high developer velocity. Before joining Stripe in 2021, John worked on Alexa infrastructure at Amazon. In his free time, he makes complex origami and stares wistfully out to sea.

Abstract

Drawing a boundary between what’s yours and what’s not - that should be easy, right? Wrong!

In this presentation, we’ll walk through how to build an AWS Data Perimeter in an existing and complex cloud environment. How to define that boundary and audit access through it, the various guardrails at our disposal, and the bizarre exceptions you’re going to run into.


The Unholy Marriage of AWS IAM Roles and Instance Profiles

Theme: Control & data
Video

Speaker

Andre Rall | Director of Cloud Security, Uptycs

Andre Rall: A Dedicated Cloud Security Professional

Rapid7: Beginning the Journey as a Security Sales Engineer

Andre’s career started at Rapid7, a leading provider of security solutions. In his role as a Security Sales Engineer, he facilitated technical conversations with customers and prospects for the company’s flagship products. This experience helped him develop a strong foundation in security concepts and customer relations, preparing him for the challenges ahead.

Rackspace: Building Expertise in Security and Operations

After Rapid7, Andre joined Rackspace, a managed cloud computing company, where he spent seven years overseeing various security and operations teams. During this time, he cultivated a deep understanding of network security and the importance of robust, proactive measures to safeguard sensitive data, working with products from Cisco, Duo Security (now part of Cisco), RSA, Alert Logic, and Imperva.

Amazon Web Services: Addressing Account Takeover Challenges

After Rackspace, Andre joined Amazon Web Services (AWS) and dedicated the majority of his time there to the Fraud Prevention organization. He was responsible for overseeing the account takeover division, focusing on detecting and mitigating threat actors aiming to compromise legitimate AWS accounts. His steadfast commitment to protecting AWS customers’ data and resources contributed to the company’s success in this area.

Uptycs: Advancing Cloud Security Solutions

After five plus years at AWS, Andre joined Uptycs, a leading cloud-native security analytics platform. He now serves as the Director of Cloud Security. In this role, his team identifies cloud security TTPs and researches new cloud security threats, helping customers with their cloud security posture.

Certifications and Commitment to Growth

Holding the AWS Specialty - Security certification, combined with hands-on experience, Andre demonstrates his expertise in the field. He continually strives to learn and adapt, experimenting with different environments to uncover vulnerabilities and strengthen security measures. This dedication to growth helps him stay ahead in the ever-evolving landscape of cloud security.

Abstract

Cloud infrastructure teams often focus on traditional security measures like CSPM, DLP, and network protection. However, there are hidden aspects of cloud infrastructure that warrant attention to ensure a robust and secure environment. In this article, we take a deep dive into the lesser-known quirks of AWS Identity and Access Management (IAM) roles and instance profiles, revealing unexpected behaviors that could impact security and resource management.

Our exploration uncovers surprising findings when modifying IAM roles and instance profiles, such as the persistence of role credentials even after removing a role from an instance profile, the discrepancies in credential refresh timings, and the survival of instance profiles after role deletion. We also discuss the implications of these behaviors on security and resource management in AWS ecosystems, highlighting the importance of understanding and managing IAM roles and instance profiles correctly.

Join us as we unravel the mysteries of AWS IAM roles and instance profiles, equipping you with the knowledge to guard your cloud environment against hidden threats and ensure a secure, efficient infrastructure.


Threat intelligence in the age of cloud

Theme: Birds-of-a-feather, business & behind-the-scenes "balk talks"

Speakers

Noam Dahan | Research Lead, Ermetic

Noam Dahan is a Senior Security Researcher at Ermetic with several years of experience in embedded security. He is a graduate of the Talpiot program at the Israel Defense Forces and spent several years in the 8200 Intelligence Corps. Noam was also a competitive debater and a World Debating Champion.

Igal Gofman | Director of Security Research, Ermetic

Igal Gofman is Director of Security Research at Ermetic. Igal has a proven track record in vulnerability research, cloud security, network security and threat intelligence. His research interests include operating systems, cloud security, and Active Directory. Prior to Ermetic, Igal held roles at Microsoft, XM-Cyber, and Check Point Software Technologies. Igal’s extensive experience in security has led him to speak at conferences like Black Hat and DEFCON.

Abstract

Threat Intelligence is one of the most important inputs when investigating breaches, and enables faster, better informed security decisions. However, implementing a successful threat intelligence strategy heavily depends on the feed quality and how data is cross-referenced with other intel sources. This talk highlights the challenges of building good threat intel in a cloud-based world and offers a way forward for better threat intel through collaboration. In the discussion we will present a model for evaluating cloud threat intelligence feeds, map the units of threat intelligence that are uniquely relevant to the cloud, discuss channels for sharing intel, and strategize regarding how to encourage transparency from cloud providers. We believe this session can kick off a wider conversation to improve cloud threat intelligence.


Unmasking the Subnet: Lookalike IP Ranges in Cloud Environments

Theme: Inside & Outside
Video

Speaker

Asaf Aprozper

Asaf’s work in information security spans well over a decade, primarily focusing on security research, cloud security and external attack surface, malware analysis, threat hunting, and incident response. Today working as the Head of SecOps at Moon Active.

His career in cybersecurity began at the Israeli intelligence agency, and continued in the private sector as a Cyber Analyst at the largest bank in Israel, before he joined AVG as a mobile security researcher. Asaf also gained a wealth of practical experience in the industry as a Security Researcher at Minerva Labs, where he performed malware analysis, and as the Head of Research at Reposify, scanning the global internet for companies’ publicly exposed assets.

Asaf has previously presented talks at several of the world’s leading information security conferences, including CodeBlue Japan, BSidesCyprus, and an Arsenal talk at Black Hat USA. He has also published various security research articles and developed open-source security tools that were released to the community.

Abstract

In the world of cloud computing, protecting networks from unauthorized access is critical. While some misconfigurations, such as allowing access from any IP address, are widely known, a new and less-discussed risk has emerged: the use of lookalike private IP ranges. In a proactive hunt for possible unknown misconfigurations, it was revealed that cloud users mistakenly configured Security Groups and VPCs with IP ranges they believed were internal, but were actually publicly exposed to US cellular networks and potentially to malicious actors. Such issues blur the lines between customer and cloud vendor responsibility, as customers are responsible for configuring their own networks, but cloud providers can easily assist in mitigating such misconfigurations.

To evaluate this new misconfiguration and the possible critical risk associated with it, we purchased a T-Mobile lookalike private IP address for just a few bucks and used it with ProxyChains and NMAP to mimic the lookalike private IP range and scan for open services across the AWS ASN. This presentation will highlight the security risks of lookalike IP addresses in cloud environments and introduce a new community-driven framework called CloudHunting, which uses Sigma rules mapped to MITRE ATT&CK to proactively detect such misconfigurations that could lead to threats, including this newly identified one.


Vulnerabilities and Misconfigurations in GitHub Actions

Theme: Infrastructure & superstructure
Video

Speaker

Rojan Rijal | Staff Security Researcher, Tinder Security Labs

Rojan Rijal is a Security Researcher at Tinder Security Labs. Rojan focuses on security research against cloud environments, on-premise web applications and enterprise Software-as-a-Service (SaaS) products.

Abstract

GitHub Actions has helped companies automate their CI/CD pipeline with ease by directly integrating with their code sources. This ease however can come with pain when various vulnerabilities arise due to misconfigurations, code vulnerabilities and supply-chain attack vectors.

This talk will cover three different vulnerability types in GitHub Actions. We’ll go over basic code execution examples due to unsanitized user inputs, and two unique vulnerabilities seen by us. The first vulnerability will cover a supply chain attack by exploiting vulnerable third-party actions used by companies and government agencies. The second exploit will cover misconfigurations in the OIDC trust between GitHub Actions and Amazon Web Services that affected large organizations.

The talk will wrap up with some mitigation measures on how these vulnerabilities can be detected and patched. In addition, we will cover some detection examples of how potential abuse/exploitations of the vulnerabilities can be properly triaged.


Welcome

Theme: Odds & Ends
Video

Speaker

Aaron Zollman

Aaron is one of the organizers of fwd:cloudsec and currently serves as Board President. In his day job, he is CISO & VP of Platform Engineering for Cedar, a health-tech financial platform based in New York City. He’s been building on top of AWS since 2010, but dates his time in security to his first vuln - in Novell - in 1995.

Abstract

Kicking off the conference, our organizers will present a short overview of how the conference works, who to thank for it, and what to expect over the next two days.


What Could Go Wrong? DEI-informed Perspectives on Threat Modeling in the Age of Terrifying Feature Requests

Theme: Birds-of-a-feather, business & behind-the-scenes "balk talks"

Speakers

Jasmine Henry | Senior Director of Data Security and Privacy

Jasmine is an inadvertent career specialist in security data, data security, and privacy for cloud-native startups. She is the current Senior Director of Data Security and Privacy at JupiterOne and a former Security Director at other high-tech startups. As a permanent student, Jasmine is finishing her PhD in Computer & Information Science with a focus on Information Quality at the University of Arkansas at Little Rock. She loves Furiosa, the WNBA, and her black rescue cat Nandor.

Renee Beckloff

Having been one of the first women to explore and make a career of the industry called “cybersecurity”, Renee has witnessed the evolution of diversity within the field. Renee has worked for such notable companies as VeriSign, Qualys, CrowdStrike, Cylance and now JupiterOne. During the pandemic, Renee took a break to focus on academia and her work on how gender and religion impact cyberwarfare and threat intel.

Abstract

“Can you do a security review of our new AI feature by tomorrow?”

Security practitioners face a hard truth. We don’t know what could go wrong with the new AI chatbot or machine learning model. But how do you set guardrails for security, safety, or privacy solo in a world where there are few reliable safety guidelines for next quarter’s product roadmap? To achieve safer and more secure outcomes, cloud security practitioners should consider it imperative to adopt more diversity-, equity- and inclusion-informed (DEI) approaches to building threat models.

Easier said than done, right?

While it’s never easy to navigate new collaborative models, cloud security practitioners all have an opportunity to create more diverse, equitable, and inclusive conversations about risk and threats at every stage of the feature lifecycle. This is a practitioner talk given through an intersectional and DEI-focused lens, with a particular focus on facilitating greater inclusion and collaboration throughout that lifecycle. Attendees will learn how to foster greater self-service decisions among product managers, facilitate inclusive premortem meetings, drive a culture of ‘fearless risk documentation,’ and launch a risk amnesty program for anonymous reporting.


fwd:cloudsec State of the Union

Theme: Odds & Ends
Video

Speaker

Scott Piper

Scott has been one of the organizers for fwd:cloudsec since its founding and is an admin for the Cloud Security Forum Slack.

Abstract

How does this conference exist? Who pays for the Cloud Security Forum Slack? Learn about the organization of the non-profit entity behind all this, the motivations that drive it, and how you might want to get involved with it.


gVisor: The Future of Container Security

Theme: Infrastructure & superstructure
Video

Speaker

Andy Nguyen | Senior Information Security Engineer, Google

I am a Senior Information Security Engineer at Google and I work on Cloud Vulnerability Research with a focus on low-level security. I am also a PlayStation hobbyist hacker and have found and exploited dozens of bugs on the PS Vita, PS4 and PS5.

Abstract

gVisor is an application kernel, written in Go, that implements a substantial portion of the Linux system call interface. It provides an additional layer of isolation between running applications and the host operating system.

In this talk, we will dive into the architecture and some of the platforms of gVisor, and what security boundaries it provides for untrusted workloads. Next, we will explain its threat model and Google’s approach to continuously securing it. Finally, we will do a case study on some vulnerabilities that we have uncovered and analyze their exploitability.