CLOUD VILLAGE @DEF CON 27 ARCHIVE 2019

Cloud village is an open space to meet folks interested in offensive and defensive aspects of cloud security.

About

The village is home to various activities like talks, workshops, CTFs and discussions targeted around cloud services.

If you are a professional who is looking to gain knowledge on securely maintaining the cloud stack and loves to be around like-minded security folks who share a similar zeal for the community, Cloud Village is the perfect place for you.

Crew Members:

CFP Review Panel (DEFCON 27):

Cloud CTF

Cloud Village CTF @DEF CON 27: http://ctf.cloud-village.org

CTF start time - 9th August, 12:15 PM

CTF close time - 11th August, 12:00 PM



Our CTF is a three-day jeopardy-style contest in which we create a bunch of challenges in multiple categories, all related to cloud services.

Teams or individuals gain points on solving each challenge (and lose points for using hints). The team or individual with the most points wins the rewards.

CTF winners @DEF CON 27

Team Name Members
Thomasvandoren

thomasvandoren

Alexis Pork

jstrassburg

justlongenough

Vulns_as_a_service

Trace

tadl

positron

ZI-O

ozzy

PolkaMan

mob

mitch

Sentinel1

Sentinel

jaycee

CTF stats @DEF CON 27

Teams registered - 127

Users registered - 176

Challenges - 11

Correct submissions - 22

Wrong submissions - 386

Most solves - URL game with 17 solves with 100 Points

Least solves - The Backup of all Backups with 1 solve with 400 Points

Talks (DEF CON 27)


Presentation Slide 

Speaker: Sean Metcalf

Twitter: @PyroTek3

Abstract: The cloud is compelling and in many cases necessary for organizations to effectively operate.

Cloud security on the other hand is not as clear. Many cloud services need a hook into the on-premises environment in order to synchronize users and groups. Additionally, the cloud security controls vary by provider in availability, capability, and cost. This results in a disjointed view of user authentication, security, and potential configuration issues.

This talk explores some common cloud configuration scenarios and the associated security issues.

About Sean: Sean Metcalf is founder and principal consultant at Trimarc (www.TrimarcSecurity.com), a professional services company which focuses on improving enterprise security. He is one of about 100 people in the world who holds the Microsoft Certified Master Directory Services (MCM) certification, is a Microsoft MVP, and has presented on Active Directory & Microsoft Cloud attack and defense at Black Hat, BSides, DEF CON, DerbyCon, Microsoft BlueHat, Shakacon and Walmart Sp4rkCon security conferences. He currently provides security consulting services to customers and posts interesting Active Directory security information on his blog, ADSecurity.org

Presentation Slide 

Speaker: Colin Estep

Twitter: @colinestep

Abstract: Identity and Access Management (IAM) in any public cloud provider can be tricky to configure appropriately. We've all seen the headlines about storage buckets being open to the public and exposing sensitive information, but what about the permissions we are giving our users and apps that run in our cloud environment? It's becoming more difficult to understand who has permissions over resources and what the implications of those permissions are as more controls proliferate across the public cloud providers.

In this talk, we will take a closer look at the Google Cloud Platform (GCP) IAM model. You'll be introduced to the relevant concepts to understand the different types of identities, IAM permissions, and scopes. We'll examine the permissions and scopes assigned to the compute engine service account created for you by default. Did you know that the default IAM policy for the compute engine service account includes the ability to impersonate other service accounts, among other things?

Most importantly, we'll learn how to leverage certain configurations of the service account to escalate privileges from a virtual machine. I will show a demo where I use a shell on a virtual machine to tear down another security control to allow data exfiltration out of the environment. By the end of the talk, you'll understand how to impersonate service accounts, conduct recon, and escalate your privileges from a virtual machine. You'll also get some ideas on how to mitigate against these attacks.

About Colin: Currently a threat researcher at Netskope focused on AWS and GCP. Colin was previously the CSO at Sift Security (acquired by Netskope), where he helped move the product towards breach detection for IaaS. He was a senior engineer on the security teams at Netflix and Apple before joining Sift. He was also an FBI Agent specializing in cyber crime, where he spent a fair amount of time coordinating with other countries to locate and arrest malware authors and botnet operators.

Speaker: Rotem Bar

Twitter: @rotembar

Abstract: In this talk I will share my experience of how I hacked different automotive clouds, the techniques I used and the goals I pursued after connecting.

In this talk I will give real life examples of:

  • From zero to hero – Full backend control with examples
  • Common fails which allow me to jump between networks
  • Dangers of connected cars - Taking over a car from the cloud
  • How to break a production line
  • Cloud credentials leakage

I will talk about the main connectivity areas I look for, supplier integrations and the differences between normal clouds and automotive clouds; then, once I have a good foothold, the possible targets and the places where the most harm can be done, where I can jump next inside, and how deep the rabbit hole goes.

This will be a technical talk going into places I've experienced personally in the last few years, and I will try to give a glimpse of the fun life of hacking into the vehicle ecosystem.

About Rotem: I have worked in the automotive field for about 4 years now. I started my way with red-teaming production plants and different cloud providers, with the goal of getting as deep as possible and showing full impact. I love breaking stuff, especially when it's at mass scale: taking control over entire systems and seeing my clients in awe and shock as I give them live annotations of what I'm doing to them.

Presentation Slide 

Speaker: Chris Le Roy

Twitter: @brompwnie

Abstract: Containers, Cloud, DevOps and SDLC are all terms that are increasing in usage in the InfoSec world. In this talk, we discuss how a container exploitation tool (BOtB) was developed to identify and autopwn common vulnerabilities in container technologies such as Docker and LXC, and how this tool was used in a modern SDLC environment using common CI/CD technologies to identify, exploit and remediate container vulnerabilities before releases were made to production.

In this talk we elaborate on how and why BOtB was built to be used by pentesters to exploit container vulnerabilities and how BOtB can be used by engineers to secure their container environments. The talk will also explain the technical details around the vulnerabilities that can be exploited by BOtB.

About Chris: Chris is a security researcher based in London. He has not had an unusual entrance to infosec, coming from a Computer Science background which led him to dabble in software development for some time. This resulted in Chris realising he is a terrible dev and prefers breaking things, which led him to breaking things full-time. The breaking of things full-time has allowed Chris to share his ramblings at multiple conferences in the USA and Europe.

Presentation Slide 

Speaker: Erick Galinkin

Twitter: @erickgalinkin

Abstract: What happens when attackers start taking advantage of whitelisted APIs as a form of obfuscated command and control? Companies both large and small are moving workloads to the cloud and are very concerned with how to secure their resources which actually live in AWS, GCP, and Azure. However, they don't address how enabling this access changes their internal attack surface and weakens their defenses.

In this talk, we demonstrate that attackers no longer have any reason to rely on conventional CNC, being able to outsource their costs and infrastructure management to the likes of Slack, Github, Pastebin, Dropbox, Google, and social media sites. Using these sorts of techniques, URL blacklisting becomes obsolete, IDS becomes less effective, and attackers no longer have to waste their time writing domain generation algorithms.

Specifically, I will demo a proof-of-concept malware which uses multiple SaaS services, social networks, and more conventional "cloud infrastructure" (S3) that would be extremely difficult to mitigate generically with today's IPS solutions, and we discuss how the same techniques can be used by red teams and attackers to quietly maintain persistence and exfiltrate data.

About Erick: Erick is a security researcher at Netskope focused on malicious SaaS usage and attacks against Microsoft Azure. He was previously at Cisco's Talos group, where he focused on hunting exploit kits. As part of his academic research at Johns Hopkins University, he conducts research on neural networks, verifiable computing, and computational complexity.

Speaker: Ayman Elsawah

Twitter: @coffeewithayman

Abstract: In this talk I am going to walk through how we can use Pareto's principle to secure all our AWS accounts. What this means is that with just 20% of the effort, we can accomplish 80% of the security of our AWS accounts. We will be leveraging the power of AWS Organizations and IAM to accomplish our goals. This will be a technical talk and guide on how to secure your account.

This talk assumes you have secured your individual AWS accounts at the basic level by locking down your root accounts with 2FA, etc.

About Ayman: Ayman Elsawah is a veteran Information Security Professional and Educator having worked in a variety of industries including Financial, Social Media, Global E-Commerce, Silicon Valley Startups, and the Movie/Entertainment Industry. An early user of AWS, Ayman specializes in AWS Security and helps companies operationalize their presence in the cloud and take their security maturity to the next level. He has built custom tools internally for organizations with hundreds of AWS accounts, helping streamline their operations. His specializations are in Centralized Log Management and Identity and Access Management (IAM). He is also the host of the Getting Into Infosec Podcast and author of the book Breaking IN: A Practical Guide to Starting a Career In Information Security. He loves teaching others about Information Security and Cloud.

Presentation Slide 

Speaker: Dani Goland & Mohsan Farid

Twitter: @DaniGoland

Twitter: @Pwn__Star

Abstract: The interaction between attackers and defenders is like a ping pong game, and that is exactly how we did this research. On the offensive side, Mo will share his tools and tactics for attacking AWS infrastructures, from Recon to Attacks to Post Exploitation on different services, with a focus on Elastic Container Service (ECS). After each attack step, Dani will explain the defensive side and the tools and tactics for hardening the AWS infrastructure, from designing a secure cloud architecture to detection to hardening specific services like Docker containers on ECS. After the battle, we will both walk through common misconfiguration problems, one-click solutions for monitoring and attack detection, and workflows for pentesters on AWS. One of the most important lessons from our research is the importance of the interaction between pentesters and developers/DevOps engineers, and how a few days of working side by side can help us secure our current systems and learn to develop future systems with security in mind.

Dani and Mohsan will demonstrate an entire kill chain on a hypothetical organization operating in an AWS environment and pivoting into their internal Active Directory network. The demonstration will cover reconnaissance methods for a cloud environment and an attack on an AWS-hosted web server that results in the compromise of access keys. The access keys will be utilized to access a separate AWS service, followed by escalation of privileges to administrator. We will further demonstrate exfiltration methods, setting up persistence in AWS, and last but not least pivoting to the internal AD environment and obtaining Domain Admin privileges.

Many open source tools will be used as well as some custom python scripts on the offensive side, for example: TruffleHog for scanning for leaked keys on github, S3Scanner for enumerating S3 buckets, amass for DNS Mapping and Subdomain Enumeration, Cloud Mapper for reconnaissance and auditing, Prowler for assessing security, Pacu and Metasploit for exploitation, and more.

On the defensive side, we will introduce Open Source tools like HashiCorp Vault and AWS Parameter Store for secret management, NAXSI as an open source WAF, Vulnerability scanners for Docker, AWS KMS for creating and rotating keys for in-transit and at-rest data encryption, CloudTrail and CloudWatch for detection of suspicious activity and alarming, and more.

About Dani: At the age of 20 he founded his own boutique company for innovative software and hardware solutions. He is a certified AWS Cloud Solutions Architect. While gaining experience in business and finance, Dani did not neglect his hands-on capabilities in both making and breaking systems. Dani recently relocated from Israel to the United States to study Data Science at the prestigious UC Berkeley. During his studies, Dani founded VirusBay, a collaborative malware research community which skyrocketed amongst the global security community to over 2500 researchers. After serving in the Israeli Defense Forces as a commander of a Field Intelligence unit, Dani went on an 8-month journey across South America. He loves snowboarding, music concerts, and having crazy, breathtaking experiences such as spending 5 days in the Bolivian jungle with no food or water.

About Mohsan: Mohsan has over 13 years of experience in cyber security. Mohsan has run the gamut in the security space: from penetration testing for Rapid7 as a consultant, penetration testing for numerous federal agencies, pentesting mobile applications for HP, pentesting Fortune 500 companies, and contributing exploits to the Metasploit framework as well as contributing to open source projects. When Mohsan isn't breaking things, he likes to travel the globe in search of incredible surf, scuba diving, rock climbing, hiking, and is an avid yogi.

Speaker: Pratik Shah

Twitter: @7echSec

Abstract: This talk familiarizes the attendees with different techniques and approaches to cloud hacking. We will start from the very basics and gradually build up to the level where we look into different cloud architectures and the common issues/misconfigurations identified in them. The complete focus of this talk is to explain cloud hacking methodology and cover well-known attacks around cloud infrastructure.

In this talk, we will discuss some interesting case studies and we'll understand the root cause. We will also talk about different techniques which can lead to gaining an initial foothold and then we will look into multiple post-exploitation techniques.

About Pratik: Pratik is an information security enthusiast with a strong interest in infrastructure penetration testing, web application security assessments and cloud penetration testing, which has led to extensive penetration testing experience for Fortune 500 companies involving web applications, networks, infrastructure, and Red Team. Pratik has taken part in multiple Bug Bounty programs and over the years he has reported multiple vulnerabilities through HackerOne, Synack Red Team, and Cobalt Core. He has also contributed to Metasploit exploit development (he wrote an exploit for Windows local privilege escalation).

Presentation Slide 

Speaker: Tanya Janca & Teri Radichel

Twitter: @SheHacksPurple

Twitter: @TeriRadichel

Abstract: PenTesters, Blue & Red teamers, network admins and cloud enthusiasts, this talk will lay out from start to finish how to verify the security of your Azure implementation. This talk will be 80%+ demos of where to look, what to do, and how to prioritize what you find. Topics include: Azure Security Center, setting scope, setting policy, threat protection, and more.

Detailed Outline: There are two articles as well as a video we will share at the end to give the audience more information and a checklist of how they can assess their own Azure instances after the talk is over.

Here is the outline of what we plan to cover in this session:
  • Do not test the Azure Infrastructure. That is a violation of the user agreement for Azure and will get you into hot water with Microsoft. No one wants that.
  • Be extremely careful to only test things that are IN SCOPE for your client.
  • Is Azure Security Center turned on? If not, turn it on. I ❤ ASC.
  • Do all subscriptions/sub-subscriptions have it on? Do you have complete coverage? If not, definitely report it.
  • Is there a policy set (settings that the org has chosen as "secure", such as all storage must be encrypted at rest)? If so, what are the settings? Do they look good? Also, what level of compliance do they have? Everything that is not compliant should be reported.
  • Is threat protection (storage and databases only), monitoring and auditing set up on every possible resource? If not, report it.
  • Look at the network in the same way you would look at a traditional network: is anything out of place? Also, are they doing Zoning or Zero-trust or something else? Which network security model are they using? Make sure they are compliant with their own plan. Ask them what their plan is for their network to start. If they don't have an answer, that's another issue altogether.
  • Do they have "just in time" (JIT) set up on all ports on all servers/VMs? Or are they using a JumpBox to access VMs from outside Azure? Or is that not allowed at all? They should use JIT and Network Security Groups (NSGs) for *everything*.
  • Do they have app whitelisting enabled on VMs? It's called Adaptive Application Controls, and it's right underneath JIT in the security center (ASC) menu, under "Advanced Cloud Defense". They should have that turned on for *all* servers.
  • Are they using a SIEM (Security incident and event management system)? Are they using it well? Are they monitoring it? What kind of coverage is it getting? Does ASC feed into it? It should.
  • Are they using a WAF (Web Application Firewall)? If so, test it. If they aren't, mark it as advice for improvement.
  • Any other 3rd party security tools (IPS/IDS/HIPS/Other)? If so, are those getting complete coverage of all assets that are covered by this test? And are they configured well?
  • Look in the "Recommendations" tab of Azure Security Center and it will tell you all the problems (network issues, config errors, missing patches, more) that you haven't spotted yet. 😊 Really, you could likely start here. This is a list of everything that is not compliant with your policy, in order of importance.
  • If you are assessing web apps within Azure, APIs and functions (serverless), that's a whole other topic, but all of the regular security testing rules would apply, Azure or not.
  • If your org is using Azure DevOps, I suggest adding several security tests to your pipeline, including the Azure Secure DevOps Kit. It's strict; you likely won't pass the first few times around, so prepare your developers for a bit of disappointment. There are a TON of great security tools in the Azure Marketplace; add a few, one is not enough.
  • Turn on VA for SQL Databases as part of Azure Threat Protection, and kick off a scan right away to see if anything is happening. It will likely have a lot of advice for you.
  • Look in the Threat Detection part of Security Center, verify that there are no active attacks happening or recent ones, and investigate accordingly.

About Tanya: Tanya Janca, also known as SheHacksPurple, is a senior cloud advocate for Microsoft, specializing in application and cloud security; evangelizing software security and advocating for developers and operations folks alike through public speaking, her open source project OWASP DevSlop, and various forms of teaching via workshops, blogs, public speaking and community events. As an ethical hacker, OWASP Project Leader, Women of Security (WoSEC) chapter leader, software developer and professional computer geek of 20+ years, she is a person who is truly fascinated by the 'science' of computer science.

About Teri: Teri has helped thousands of companies with cloud security through consulting, writing, research, and training. She moved a web hosting business to the cloud and then started the Seattle AWS Architects and Engineers Meetup in 2013, which now has over 2500 members. She was on the original team that helped Capital One move production workloads to AWS. Another company recruited her to help them move to the cloud. She led a team of 30 people in two countries, architected a SaaS IoT solution on AWS and delivered a secure CI/CD pipeline based on her whitepaper, Balancing Security and Innovation with Event Driven Automation. She then moved into security research, writing articles for publications such as Dark Reading and Infosecurity Magazine and reverse engineering malware. When someone told her packet capture was not possible in the cloud, she wrote a white paper, Packet Capture on AWS, proving that it was.
Teri has presented on cloud security at major security conferences including RSA, AWS re:Invent, Countermeasure, SANS Networking, SANS Cloud Summit, and BSides. She is an IANS Faculty member and received the SANS Difference Makers Award for security innovation. Teri has 25 years of professional technical experience including software architecture and engineering, cyber security, and business operations. She was on the initial SANS cloud security advisory board and provided information and updates for the SANS cloud curriculum. She taught the cloud security class for SANS Institute in 2018. She holds a business degree from the University of Washington, a Master of Software Engineering from Seattle University, and is currently finishing a Master of Information Security Engineering from SANS Institute. She got started with computers when she taught herself to program on a TI-99/4A when she was 12 years old.

Presentation Slide 

Speaker 1: Rod Soto

Twitter: @rodsoto

Speaker 2: Jose Hernandez

Twitter: @d1vious

Abstract: This presentation shows how to use Splunk to provide the analyst with a comprehensive vision of AWS/GCP/Azure security posture. Presenters will outline how to ingest the audit data provided by open source tool Cloud Security Suite into Splunk to analyze cloud vulnerability, harden multi-cloud deployments and visualize multi-cloud threat surface. Presenters will also demonstrate use cases based on Splunk knowledge objects (Tables, Dashboards, Alerts, Field extractions, Lookups, etc), in order to take advantage of the information provided by various supporting tools like Scout2 and G-Scout projects for cloud API auditing.

About Rod: Rod Soto has over 15 years of experience in information technology and security. He is currently working as Principal Security Research Engineer at Splunk. He has spoken at ISSA, ISC2, OWASP, DEFCON, Hackmiami and BSides, and has also been featured in Rolling Stone Magazine, Pentest Magazine, Univision and CNN. Rod Soto was the winner of the 2012 BlackHat Las Vegas CTF competition and is the founder and lead developer of the Kommand && KonTroll competitive hacking tournament series.

About José: José is a Principal Security Researcher at Splunk. He started his professional career at Prolexic Technologies (now Akamai), fighting DDoS attacks from “anonymous” and “lulzsec” against Fortune 100 companies. As an engineering co-founder of Zenedge Inc. (acquired by Oracle Inc.), José helped build technologies to fight bots and web-application attacks. While working at Splunk as a Security Architect, he built and released an auto-mitigation framework that has been used to automatically fight attacks in large organizations. He has also built security operation centers and run a public threat-intelligence service. Although security information has been the focus of his career, José has found that his true passion is in solving problems and creating solutions. As an example, he built an underwater remote-control vehicle called the SensorSub, which was used to test and measure toxicity in Miami's waterways.

Presentation Slide 

Speaker: James Strassburg

Twitter: @jstrassburg

Abstract: The programmability of the cloud has revolutionized infrastructure deployments at scale and, at the same time, has enabled the automation of both the attack and defense of these deployments. In this talk, I will discuss the open-source tools and the techniques that my organization has used to scale security in the cloud to keep pace with our deployments. I'll also cover how we've used automation to adapt security processes to cloud strategies such as immutable servers. Some topics include: temporal leasing of API access keys and database credentials, automation of patching groups and scans, and automated enforcement of configuration policy.

About James: James Strassburg is an experienced software engineer, architect, researcher, and speaker. He has been building distributed software systems and web applications for the past 20 years. Most recently specializing in cloud migration and search engineering, he is an automation fanatic who has also worked on systems engineering, full-stack development, information security, artificial intelligence (AI), and DevOps, and has spoken on several related topics.

Presentation Slide 

Speaker: Cheryl Biswas

Twitter: @3ncr1pt3d

Abstract: Cloud. It's the land of opportunity. Enterprises are doing mass migrations from older and legacy systems to harness greater power and efficiency from innovative new tech. Following that money trail are opportunistic attackers, seeking the computing strength and near-invisibility afforded by enterprise cloud environments to mine bitcoin. Cryptominers are everywhere. And yes, Virginia, they are in the Cloud.
These nebulous power-rich realms let attackers set up mining rigs to feast on enterprise resources, while flying below the detection of cloud or conventional security resources. The concern here is that once attackers gain access to our networks, they can pivot and move laterally, to find even greater reward in the vast amounts of data available.
Let's talk about what we do and don't know when it comes to securing our cloud environments against malicious miners. Because it isn't just a question of what they can take – it's about the payloads they can leave behind.
Introduction: (5 min)
• Enterprise and Cloud: If you work for a major organization, you're probably undergoing or have just gone through a major migration to the Cloud. This is the big push according to a recent Gartner report, with 37% of enterprises reporting it as their top priority, and ranking at 39% for CIOs, ahead of cybersecurity (why are we not surprised).
• An Evolution of Evil: the rise of miners. Easy to get into. Low bar for entry. Starter toolkits cost $30 online. Cryptojacking increased by 4000% in 2018.
• Major miners like XMRig
• Main attack vectors: brute force credentials for access; leverage multiple vulnerabilities for access and movement internally.
• Motivation: almost 100% return on investment. No overhead.
Miners in the Sky: (5 min)
• Why it's expected to continue
o The return on investment is lucrative in terms of computing power
o Lack of detection
• Most organizations don't have mature cloud security programs. By design, yes, in reality – not so much. Cloud has huge amounts of processing power with built-in auto-scaling
• attackers can operate with almost no detection
• The bigger the account, the longer attackers can go
• Enterprises are migrating to the Cloud. We love our containers: Docker, AWS, Azure.
Charting the rise of malicious miners in cloud environments by attacks: (10 min)
Overview of what we're seeing:
• attacks on containers and container management
• control panel exploitation
• theft of APIs
• spreading malicious Docker images
• leveraging current and older enterprise vulnerabilities
• EternalBlue
Let's Start Here: The attack on Tesla's AWS S3 public cloud in February 2018. Researchers at RedLock found mining malware from a wide-spread, well-concealed cryptomining campaign in Tesla's AWS cloud. RedLock found it when they scanned the public internet for misconfigured and unsecured cloud servers – there have been a few of those. They saw an open server. Further investigation revealed it was running Kubernetes, the open source admin console for cloud application mgmt., which was doing cryptomining. The Kubernetes console was not password protected. The attackers found login credentials for Tesla's AWS in one of the pods. They went from there to deploy malware scripts for Stratum bitcoin mining.
Abusing exposed Docker APIs: Hundreds of vulnerable and exposed Docker hosts were abused in cryptojacking campaigns in March this year. Attackers exploited CVE-2019-5736, a runc vulnerability identified in February, that could trigger a container escape. Now, that kind of defeats the whole purpose of having a container when it means the attacker can access the host filesystem and overwrite the runc binary to run arbitrary commands on the host. Attackers scan for exposed Docker APIs on port 2375. They deployed malicious self-propagating Docker images infected with malware to load Monero miners and find other vulnerable targets via Shodan. External access to API ports will enable attackers to gain ownership of the host. They can tamper with instances running inside, drop malware, access user's servers and resources. Discussion point: Misconfiguration is prevalent – why? How can we help users do this better?
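The exposed-Docker-API scenario above comes down to one daemon setting: dockerd listening on a TCP socket (2375 by default) without TLS client verification. The following audit script is an added example, not material from the talk or this page. It reads the two places where the listeners are normally defined, the `hosts` and `tlsverify` keys of `/etc/docker/daemon.json` and the `-H`/`--host`/`--tlsverify` flags on the dockerd command line, and rates each TCP listener. The sample configurations at the bottom are constructed for offline use; the certificate paths in the hardened sample are placeholders.

```python
"""Audit dockerd listener configuration for an Engine API reachable over TCP
without client authentication (added example; sample inputs are constructed)."""
import json
import shlex
from urllib.parse import urlsplit

# Binding to these addresses listens on every interface, so the API is
# reachable from any network that can route to the host.
WILDCARD_BINDS = {"", "0.0.0.0", "::"}
LOOPBACK_BINDS = {"127.0.0.1", "::1", "localhost"}


def hosts_from_daemon_json(text):
    """Return (hosts, tls_verify) from a daemon.json document."""
    cfg = json.loads(text)
    # Only tlsverify makes dockerd check client certificates; "tls": true on
    # its own encrypts the connection but still accepts anonymous clients.
    return list(cfg.get("hosts", [])), bool(cfg.get("tlsverify", False))


def hosts_from_cmdline(cmdline):
    """Return (hosts, tls_verify) from a dockerd command line."""
    argv = shlex.split(cmdline)
    hosts, tls_verify = [], False
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 2
            continue
        if arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        elif arg.startswith("-H") and len(arg) > 2:   # -Htcp://... form
            hosts.append(arg[2:])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tls_verify = True
        i += 1
    return hosts, tls_verify


def audit_hosts(hosts, tls_verify):
    """Rate each TCP listener; returns (severity, endpoint, reason) tuples.

    unix:// and fd:// listeners are skipped: they are local and governed by
    file permissions, not by network reachability."""
    findings = []
    for h in hosts:
        u = urlsplit(h)
        if u.scheme != "tcp":
            continue
        host = u.hostname or ""
        port = u.port or (2376 if tls_verify else 2375)   # dockerd defaults
        shown = f"[{host}]" if ":" in host else (host or "0.0.0.0")
        endpoint = f"tcp://{shown}:{port}"
        if host in LOOPBACK_BINDS:
            sev = "INFO" if tls_verify else "LOW"
            why = ("loopback listener; any local user or process can reach it"
                   + ("" if tls_verify else " without authentication"))
        elif tls_verify:
            sev, why = "INFO", ("network listener with TLS client auth; "
                                "review certificates and network ACLs")
        else:
            where = "all interfaces" if host in WILDCARD_BINDS else host
            sev, why = "CRITICAL", (f"unauthenticated Engine API on {where}; any "
                                    "client that can connect gets root-equivalent "
                                    "control of the host")
        findings.append((sev, endpoint, why))
    return findings


def audit_daemon_json(text):
    return audit_hosts(*hosts_from_daemon_json(text))


def audit_cmdline(cmdline):
    return audit_hosts(*hosts_from_cmdline(cmdline))


# Constructed samples: the exposure described in the talk, a hardened variant,
# and a daemon started with flags instead of daemon.json.
EXPOSED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",            # placeholder paths
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})
LOCAL_CMDLINE = "dockerd -H fd:// -H tcp://127.0.0.1:2375"

if __name__ == "__main__":
    for label, findings in (("exposed", audit_daemon_json(EXPOSED_DAEMON_JSON)),
                            ("hardened", audit_daemon_json(HARDENED_DAEMON_JSON)),
                            ("cmdline", audit_cmdline(LOCAL_CMDLINE))):
        for sev, endpoint, why in findings:
            print(f"[{sev}] {label}: {endpoint}: {why}")
```

On a real host, feed `audit_daemon_json` the contents of `/etc/docker/daemon.json` and `audit_cmdline` the dockerd line from `ps` or the systemd unit; a CRITICAL finding is the configuration the campaign above was scanning for, and the fix is to drop the TCP listener or require `tlsverify` and restrict the port with a firewall or security group.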
Uninstalling Cloud Security: A new cryptomining malware family that targets Linux servers gained admin rights on systems by uninstalling cloud security products. We'll talk about the Chinese-language threat actor behind this and other attacks, Rocke group. Consider how nation-state adversaries and advanced persistent threats (APTs) could seek to leverage this kind of attack in sophisticated campaigns.
Discussion point: We've seen conventional malware evade and disable existing AV. If we can't detect it, how do we protect against it? How are we extending this to malware targeting Cloud?
Targeting Elasticsearch servers: in the "Cryptosink" campaign, attackers exploit a five year old vulnerability that could lead to executing arbitrary Java code, CVE-2014-3120, that affects Elasticsearch running on both Windows and Linux platforms. They download malware that has not been detected by AV on Linux. The attackers backdoor the servers for future access, eliminate competitors on the infected system by redirecting their mining pool traffic to a sinkhole, and achieve persistence by replacing the Linux remove command.
What else could be at risk: Abusing the instance metadata API. This functionality is offered by all cloud providers. If it isn't secured or monitored well, an attacker can exploit it via vulnerable reverse proxies or malicious Docker images.
What could this lead to: Once attackers are in your network, they aren't limited to just mining Monero. They have access to all your data-rich environments. If the attacker is looking for satisfaction that money can't buy, yes they can deliver a very damaging payload with ransomware or worse. Think NotPetya.
Review of Vulnerabilities & Exploits: (5 min)
• Misconfiguration: security researchers and attackers are actively seeking and finding many exposed and unsecured instances online. Human error is at the brunt of things, but Cloud isn't traditional infrastructure. It's a complex, dynamic network that requires specialized knowledge and training to do configuration right.
• EternalBlue: believe it. There are still plenty of unpatched instances out there and attackers continue to leverage this exploit to gain access, spread and move laterally within networks
• Oracle WebLogic vulnerability CVE-2019-2725: There have been a series of critical vulnerabilities in this popular enterprise software
• Remote code execution: Miners have been using a group of vulnerabilities for RCE as initial access and more
o CVE-2012-0874: JBoss Enterprise Application Platform Multiple Security Bypass Vulnerabilities.
o CVE-2010-1871: JBoss Seam Framework
o JBoss AS 3/4/5/6
o CVE-2017-10271: Oracle WebLogic wls-wsat Component Deserialization RCE
o CVE-2018-2894: Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware.
o Hadoop YARN ResourceManager - Command Execution
o CVE-2016-3088: Apache ActiveMQ Fileserver File Upload
• PSMiner targets known vulnerabilities in Elasticsearch, Hadoop, PHP, Oracle WebLogic
• Fake certificates: attackers increasingly use this to evade detection and infiltrate conventional systems. How can we apply what we're learning to protect in the Cloud?
What we can do: (5 min)
• Countermeasures:
o rotate access keys
o restrict outbound traffic
o cryptojacking blockers for Web browsers
• Monitoring user behavior
• Follow the principle of least privilege when issuing credentials
• EternalBlue is still actively leveraged against vulnerable systems. Think third party compromise
• Visibility. Be able to see down to the process level.
• Micro-segmentation to control lateral movement and spread
• Apply, monitor and enforce best practices
• Resources like Yara rules to detect miners (will make available)
• Unusual deletions or spinning up containers
• IoCs
Conclusion and Q&A

About Cheryl: Cheryl Biswas, aka 3ncr1pt3d, is a Strategic Threat Intel Analyst with a major bank in Toronto, Canada. Cheryl has experience with security audits and assessments, privacy, DRP, project management, vendor management and change management. She has an ITIL certification and a degree in Political Science. She is actively involved in the security community as a speaker and a volunteer at conferences and encourages women and diversity in Infosec as a founding member of the "The Diana Initiative".
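The metadata-API point in the outline above (an attacker reaching the instance metadata service through a vulnerable reverse proxy) is easiest to see in code. The block below is an added example and is not code from the talk or from any project it mentions: a URL-forwarding proxy in its vulnerable form beside a hardened form that refuses to forward to metadata, loopback or link-local destinations. The function names, the injectable `fetch` and `resolve` hooks, and the sample URLs are assumptions made for this example; the endpoints it blocks (169.254.169.254, fd00:ec2::254, metadata.google.internal) are the documented ones for AWS, Azure and GCP.

```python
import ipaddress
import socket
import urllib.request
from urllib.parse import urlsplit

# Destinations a forwarding proxy must never reach on the caller's behalf:
# the documented metadata endpoints for AWS, Azure and GCP plus loopback and
# link-local space.  Function names and sample URLs are assumptions made for
# this example, not code from the talk.
METADATA_HOSTNAMES = {"metadata.google.internal", "metadata"}
BLOCKED_NETS = [
    ipaddress.ip_network("169.254.0.0/16"),     # 169.254.169.254 on AWS, Azure, GCP
    ipaddress.ip_network("fd00:ec2::254/128"),  # AWS IMDS over IPv6
    ipaddress.ip_network("fe80::/10"),          # IPv6 link-local
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("0.0.0.0/8"),          # 0.0.0.0 reaches localhost on Linux
    ipaddress.ip_network("::1/128"),
]


def literal_ip(host):
    """Parse a host literal the way the libc resolver does, including the
    bare-integer spellings (2852039166, 0xa9fea9fe, 025177524776) that all
    mean 169.254.169.254 and that a substring filter on the dotted form misses.
    Returns None for anything that has to be resolved as a name."""
    host = host.strip("[]").lower()
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        if host.startswith("0x"):
            n = int(host[2:], 16)
        elif len(host) > 1 and host.startswith("0"):
            n = int(host, 8)
        else:
            n = int(host, 10)
    except ValueError:
        return None
    return ipaddress.IPv4Address(n) if 0 <= n <= 0xFFFFFFFF else None


def default_resolve(host):
    """Every address a name maps to (v4 and v6), scope ids stripped."""
    return [ipaddress.ip_address(ai[4][0].split("%")[0])
            for ai in socket.getaddrinfo(host, None)]


def is_metadata_target(url, resolve=default_resolve):
    """True if a request for `url` would land on IMDS, loopback or link-local
    space.  Names are resolved and every returned address is checked, so a
    name that maps to a public address and 169.254.169.254 is still refused."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return True                      # file://, gopher:// or no host: refuse
    host = parts.hostname.lower()
    if host in METADATA_HOSTNAMES:
        return True
    ip = literal_ip(host)
    addrs = [ip] if ip is not None else resolve(host)
    return any(addr in net for addr in addrs for net in BLOCKED_NETS)


def forward_unsafe(url, fetch=urllib.request.urlopen):
    """The vulnerable proxy: whatever the client names is fetched, so
    ?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/
    returns the instance role's temporary keys to the caller."""
    return fetch(url).read()


def forward(url, fetch=urllib.request.urlopen, resolve=default_resolve):
    """Hardened proxy: same behaviour for ordinary URLs, refusal for the rest."""
    if is_metadata_target(url, resolve):
        raise PermissionError("refusing to proxy to an internal address: " + url)
    return fetch(url).read()


if __name__ == "__main__":
    for u in ("http://169.254.169.254/latest/meta-data/", "http://2852039166/",
              "http://0xa9fea9fe/", "http://[fd00:ec2::254]/latest/meta-data/",
              "http://metadata.google.internal/computeMetadata/v1/"):
        # Offline check: a resolver that returns nothing for real names.
        print(u, "blocked" if is_metadata_target(u, resolve=lambda h: []) else "allowed")
```

Two caveats a practitioner would add: the resolved address must be the one actually connected to (a name that answers differently at check time and at connect time slips past any resolve-then-connect check), and `urlopen` follows redirects, so the fetched server can still bounce the proxy to 169.254.169.254 unless redirects are disabled. On AWS, requiring IMDSv2 is the complementary control: its session token is obtained with a PUT, which a GET-only SSRF through a proxy cannot issue.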

Presentation Slide 

Speaker 1: Ashwin Vamshi

Twitter: @_ashwin_vamshi

Speaker 2: Abhinav Singh

Twitter: @abhinavbom

Abstract: Cloud services are built for increased collaboration and productivity, and provide capabilities like auto sync and API level communication. This has led enterprises to exclusively use SaaS, PaaS and IaaS services for storing and sharing critical and confidential data. End users as well as security products tend to place implicit trust in cloud vendors such as Microsoft, AWS, Google, and SaaS app vendors such as Box, Salesforce, Dropbox. As a result, cybercriminals have started launching their attacks from these trusted cloud services. This talk will focus on how attackers are abusing these trusted cloud services to create Phishing attacks that are highly effective and hard to detect.
We will begin the presentation by sharing some statistics that illustrate the wide-scale adoption of cloud services by cybercriminals. In particular, we focus in on the usage of cloud services as a launching point of an attack. In the next section, we will discuss some of the novel, offensive phishing techniques that the attackers have employed, including: abusing SaaS APIs, abusing trusted API redirects, and hosting attack pages in cloud services.
We will deep dive into three specific techniques we discovered in the wild:
Targeted BEC (Business email compromise) - phishing attacks abusing popular services like S3, GCS, Azure Storage, and Google App Engine on GCP. The S3, GCS, and Azure Storage based attacks used static web hosting to serve up convincing baits, complete with Amazon, Google, or Microsoft issued SSL certs. We will provide a few examples of some successful attacks of this type. The App Engine attack used an open redirect to make it appear that the bait was being delivered from Google. We provide a detailed breakdown of how this was done and what made this attack successful. At the time of writing this draft, Google shows its standard redirection notice when users click on one of these App Engine links, making it more obvious to the user that they are being redirected.
"Default Allow" action in popular PDF readers and Annotations used in themed decoy templates. This action only warns the user that it is trying to connect to a trusted cloud service, which looks benign at face value. By taking advantage of the "default allow" action in popular PDF readers, the attacker can easily deploy multiple attacks without getting the security warning after the first alert. In this section, we provide examples of multiple attacks leveraging these techniques, including the preceding BEC.
PhaaS (Phishing-as-a-Service): Criminals hosting a full-fledged phishing infrastructure over cloud and selling it as a B-to-C model. These on-demand service based models provide an essence of a criminal version of software-as-a-service which allows purchasing site login accounts along with crafting and hosting phished links. In this section, we provide an overview of one of these services and describe how it is using public cloud services to drive its success.
The idea is to educate our audience about the new wave of sophisticated attacks abusing highly trusted services like Google and its App engine APIs, object stores in AWS/Azure/GCP and other Tier-1 SaaS applications. The attackers not only craft a "near original" phishing bait but also make it hard for security products to detect such attacks.
We will then discuss some inherent design constraints and weaknesses in these services which are benefiting the cybercriminals in creating attacks to bypass modern day security solutions. Most end users are savvy enough now to understand that links that include random IP addresses or suspicious sounding domain names should not be clicked on, but they don't have a similar awareness of risk associated with cloud services. Users tend to click on an email invite from a cloud application or a phishing document hosted in a cloud environment as it is convincing and difficult to recognize as phishing.
We will then understand the motivation behind this new trend, its monetary impact in the cybercrime market and its simplicity, which is drawing more and more novice cybercriminals into building their attack surfaces by abusing such services.
We will conclude the talk by sharing details about our responsible disclosure to tier 1 vendors and proposing detection and remediation techniques for such types of attacks.

About Ashwin: Ashwin Vamshi is a Security Researcher with an innate interest in targeted attacks and malware using cloud services. His research has been quoted in Forbes and also in several infosec magazines and online portals. Currently, he is working at Netskope primarily focusing on identifying malware, campaigns and threat actors using 'cloud as an attack vector'.

About Abhinav: Abhinav Singh is an information security researcher for Netskope, Inc. He is the author of Metasploit Penetration Testing Cookbook (first, second & third editions) and Instant Wireshark Starter, by Packt. He is an active contributor to the security community in the form of paper publications, articles, and blogs. His work has been quoted in several security and privacy magazines, and digital portals. He is a frequent speaker at eminent international conferences like Black Hat and RSA. His areas of expertise include malware research, reverse engineering, enterprise security, forensics, and cloud security.

Presentation Slide 

Speaker: Jenko Hwong

Twitter: @jenkohwong

Abstract: I'll explore the limitations of temporary tokens including:

  • The lack of visibility/management
  • Minimal logging
  • Limited remediation options
  • How this can be taken advantage of, especially in combination with other techniques such as assuming of roles, pre-signed URLs, log attacks, and serverless functions to achieve persistence, lateral movement, and obfuscation.

In addition, I'll look at common defensive techniques and best practices around lockdown, provisioning, logging and alerting to see whether these are practical and can shift the field.

About Jenko: Jenko Hwong is on the Security Research Team at Netskope, focusing on cloud threats/vectors. He's spent time in engineering and product at a few too many security startups in vulnerability scanning, AV/AS, pen-testing/exploits, L3/4 appliances, threat intel, and Windows security.

Speaker 1: Michael Gianarakis

Twitter: @mgianarakis

Speaker 2: Sean Yeoh

Twitter: @

About Michael: Michael has presented at various industry events and meetups including DEF CON, Black Hat Asia, Thotcon, 44Con and Hack in the Box. Michael is also actively involved in the local security community in Australia where he is one of organizers of the monthly SecTalks meetup as well as the hacker camp TuskCon.

About Sean: Sean Yeoh is the Lead Architecture and DevOps engineer at Assetnote, ensuring that the build is continuously broken and logging of the engine is too verbose. Sean previously participated religiously in CTFs as part of his University CTF team, winning the past two Cyber Security Challenge Australia CTFs. He lectures Advanced Web Application Security and Software Security Assessment (Formerly 9447) at UNSW and spends his free time doing bug bounties and wrangling Kubernetes.

Presentation Slide 

Speaker: Rich Mogull

Twitter: @rmogull

Abstract: Automating cloud security operations takes a little more than slapping together a quick lambda to fix an open S3 bucket (but that isn't a bad start). In this workshop we will cover the major categories of security automations and present practical implementation techniques. Come prepared to build your own (or use our starter scripts) as we:

  • Review the three major categories of automations- guardrails, workflows, and orchestrations.
  • Build demo versions of each (in AWS, bring your own account), incorporating techniques including assessments, event-driven guardrails, and an incident response workflow.
  • See demonstrations of cross-product orchestrations that integrate commercial tools.
  • Learn the tricks of the trade, based on 10 years of hands-on research and implementation (for realz, check the intertubes if you don't believe us).
  • See what it takes to implement automations at global scale.

About Rich: Rich Mogull, Analyst & CEO. Rich has twenty years of experience in information security, physical security, and risk management. These days he specializes in cloud security and DevSecOps, having started working hands-on in cloud nearly 10 years ago. He is also the principal course designer of the Cloud Security Alliance training class, primary author of the latest version of the CSA Security Guidance, and actively works on developing hands-on cloud security techniques. Prior to founding Securosis, Rich was a Research Vice President at Gartner on the security team. Prior to his seven years at Gartner, Rich worked as an independent consultant, web application developer, software development manager at the University of Colorado, and systems and network administrator.
Rich is the Security Editor of TidBITS and a frequent contributor to industry publications. He is a frequent industry speaker at events including the RSA Security Conference, Black Hat, and DefCon, and has spoken on every continent except Antarctica (where he's happy to speak for free -- assuming travel is covered).
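The "quick lambda to fix an open S3 bucket" that the workshop abstract starts from is the simplest event-driven guardrail, and it is a useful baseline to have in code. The block below is an added example, not one of the workshop's starter scripts: it classifies a CloudTrail record delivered through EventBridge for PutBucketAcl, PutBucketPolicy or DeletePublicAccessBlock, and re-applies the bucket's Public Access Block when the change made the bucket public. The event layout follows CloudTrail's documented requestParameters fields, but the function names, the injectable `s3` client and the sample events (constructed, not captured) are assumptions made for this example.

```python
import json

# Assumptions for this example (not the workshop's code): function names, the
# injectable `s3` client, and the constructed sample events at the bottom.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}
PUBLIC_CANNED_ACLS = {"public-read", "public-read-write", "authenticated-read"}


def acl_is_public(params):
    """PutBucketAcl: a public canned ACL header or an explicit grant to one
    of the global groups opens the bucket."""
    canned = params.get("x-amz-acl", [])
    canned = [canned] if isinstance(canned, str) else canned
    if any(c in PUBLIC_CANNED_ACLS for c in canned):
        return True
    grants = (params.get("AccessControlPolicy") or {}).get("AccessControlList", {}).get("Grant", [])
    if isinstance(grants, dict):          # a lone grant is not wrapped in a list
        grants = [grants]
    return any((g.get("Grantee") or {}).get("URI") in PUBLIC_GROUPS for g in grants)


def principal_is_anonymous(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def policy_is_public(policy):
    """PutBucketPolicy: an Allow statement for an anonymous principal with no
    Condition.  Conditioned statements (VPC endpoint, source IP) are left to a
    full evaluation such as IAM Access Analyzer rather than guessed at here."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    return any(s.get("Effect") == "Allow" and principal_is_anonymous(s.get("Principal"))
               and not s.get("Condition") for s in statements)


def classify(event):
    """Return {"bucket", "reason"} if the CloudTrail record in the event made
    a bucket public, else None."""
    detail = event.get("detail") or {}
    params = detail.get("requestParameters") or {}
    bucket, name = params.get("bucketName"), detail.get("eventName")
    if not bucket:
        return None
    if name == "PutBucketAcl" and acl_is_public(params):
        return {"bucket": bucket, "reason": "public ACL grant"}
    if name == "PutBucketPolicy" and policy_is_public(params.get("bucketPolicy") or {}):
        return {"bucket": bucket, "reason": "anonymous principal in bucket policy"}
    if name == "DeletePublicAccessBlock":
        return {"bucket": bucket, "reason": "public access block removed"}
    return None


def remediate(bucket, s3):
    """Re-apply the bucket-level Public Access Block: it overrides public ACLs
    and policies, so nothing has to be rewritten or guessed about intent."""
    s3.put_public_access_block(
        Bucket=bucket,
        PublicAccessBlockConfiguration={"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                        "BlockPublicPolicy": True, "RestrictPublicBuckets": True})


def handler(event, context=None, s3=None):
    """Lambda entry point.  `s3` is injectable so the logic runs without
    credentials; the real boto3 client is only created when needed."""
    finding = classify(event)
    if finding is None:
        return {"action": "none"}
    if s3 is None:
        import boto3
        s3 = boto3.client("s3")
    remediate(finding["bucket"], s3)
    return {"action": "public-access-block", **finding}


def _event(name, bucket, **params):
    """Constructed EventBridge record in the CloudTrail layout (not a capture)."""
    return {"detail-type": "AWS API Call via CloudTrail",
            "detail": {"eventSource": "s3.amazonaws.com", "eventName": name,
                       "requestParameters": {"bucketName": bucket, **params}}}


SAMPLE_PUBLIC_ACL = _event("PutBucketAcl", "acme-logs", AccessControlPolicy={"AccessControlList": {
    "Grant": [{"Grantee": {"xsi:type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}})
SAMPLE_PRIVATE_ACL = _event("PutBucketAcl", "acme-logs", AccessControlPolicy={"AccessControlList": {
    "Grant": {"Grantee": {"xsi:type": "CanonicalUser", "ID": "0123abcd"}, "Permission": "FULL_CONTROL"}}})
SAMPLE_PUBLIC_POLICY = _event("PutBucketPolicy", "acme-site", bucketPolicy={"Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::acme-site/*"}]})
SAMPLE_VPCE_POLICY = _event("PutBucketPolicy", "acme-internal", bucketPolicy={"Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::acme-internal/*",
                   "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]})

if __name__ == "__main__":
    for ev in (SAMPLE_PUBLIC_ACL, SAMPLE_PRIVATE_ACL, SAMPLE_PUBLIC_POLICY, SAMPLE_VPCE_POLICY):
        print(ev["detail"]["eventName"], classify(ev))
```

The design choice worth noting is that the guardrail does not try to undo the offending ACL or policy; Public Access Block sits above both, so re-enabling it neutralises the change without the function needing write access to the policy document itself, and the Lambda role can be limited to `s3:PutBucketPublicAccessBlock`. The conditioned-policy case is deliberately not treated as public: deciding that correctly needs IAM's full evaluation, which is the "workflow" rather than "guardrail" category in the abstract's terms.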

Presentation Slide 

Speaker 1: Andrew Krug

Twitter: @andrewkrug

Speaker 2: Nathan Case

Abstract: In this workshop, you will learn about open-source projects and how they can support your security detection and response in the cloud. Learn how open-source technologies can help you assess and deal with incidents in your environment. Look at automated response, and learn how to respond to and remediate issues in your cloud environment using open-source systems, specifically Mozilla MozDef: Enterprise Defense Platform.

About Andrew: Andrew Krug is the founder of the open source project ThreatResponse, which includes popular tools like AWS_IR and MargaritaShotgun. Krug works as a Staff Security Engineer at Mozilla focused on Identity and Access Management and Cloud Security. Previously Krug has been a re:Invent, re:Inforce, Black Hat, BSides PDX speaker, and more.

About Nathan: Security Geek AWS

Presentation Slide 

Speaker 1: Olaf Hartong

Twitter: @olafhartong

Speaker 2: Edoardo Gerosa

Twitter: @netevert

Abstract: Azure Sentinel, Microsoft's new cloud SIEM solution, was recently released on the market. Notwithstanding its strengths Sentinel offers limited threat hunting capabilities out of the box and setting up an effective hunting solution is not straightforward. The Sentinel ATT&CK GitHub project is designed to provide guidance on setting up an ATT&CK-driven process monitoring solution within Sentinel; giving DFIR professionals a tool to effectively hunt in the Azure cloud.

The project, building on previous work from the open source DFIR community, provides instructions on how to properly configure Sysmon to monitor and detect specific processes in alignment with MITRE's ATT&CK framework. Secondly it provides clarity on how to onboard Sysmon logs from Windows virtual machines, shedding light on some poorly documented areas, while also offering an open source parser to correctly ingest Sysmon data in conformity with the Open Source Security Event Metadata information model. Thirdly it offers around 120 open source Kusto Query Language alerts ready for deployment; each mapped to a unique MITRE ATT&CK technique. Fourthly it provides a dedicated threat hunting dashboard to help DFIR professionals monitor their environment and execute precise hunts. Finally, Sentinel ATT&CK provides ready-made hunting queries to be leveraged when responding to alert notifications raised by the threat hunting dashboard.

This talk delivers an overview of how the Sentinel ATT&CK project can help organisations establish an effective threat hunting capability in Azure as well as an opportunity to share with the community the strengths and shortcomings of Sentinel when it comes to hunting adversaries within the Microsoft cloud.

The talk will be structured as follows:

  • Introductions (2 minutes): A brief introduction to provide our short biographies and a description of our current roles - both speakers
  • Project background (3 minutes): An overview of how the project came to be, covering previous Splunk work from the DFIR open source community that helped establish the foundations of Sentinel ATT&CK - both speakers
  • The problem (5 minutes): Although Azure Sentinel contains excellent features, e.g. threat response automation with Logic Apps (1 minute), a powerful query language (1 minute) and incident grouping (1 minute), the platform offers limited threat hunting capabilities out of the box. Moreover, two major downsides make it difficult to quickly set up a robust, well-structured threat hunting capability; these are a) poor documentation around log onboarding (1 minute) and b) very limited data normalisation features at ingestion time (1 minute) - Edoardo Gerosa
  • The solution – Sentinel ATT&CK (10 minutes): An overview of the project and how it can help with quickly deploying an effective threat hunting solution for Sentinel – starting with a lightning overview of MITRE ATT&CK (1 minute), then covering how to configure Sysmon to monitor specific ATT&CK techniques (2 minutes), how to onboard Sysmon logs into Azure (2 minutes), Sentinel parsing best practices (2 minutes), using Kusto to execute hunts (2 minutes) and concluding with an overview of the project's threat hunting dashboard (1 minute) - Edoardo Gerosa
  • Demo and Q&A session (10 minutes): we'll showcase a live instance of Sentinel ATT&CK deployed on our Azure lab to walk through the functionalities of the platform, execute a demo hunt and, if necessary, to provide practical deep-dives to participant questions - Olaf Hartong

In order to stimulate discussion during the demo and Q&A session we will have three questions in our back-pocket to ask participants; these will be as follows:

  • Who has used Sentinel and what is their opinion of the platform?
  • Who uses Sysmon as a process monitoring solution in their network and what is their opinion of the tool?
  • What are some of the response activities that could be performed with Sentinel on compromised virtual machines, especially considering the in-built SOAR capabilities of the platform?

About Edoardo: Edoardo Gerosa works for Deloitte AG's Cyber Risk Services, where he leads a team specialised in providing technical consultancy services to client SOCs across Switzerland. Previously he led Deloitte UK's Cyber Engineering DevOps team, where he oversaw the development of automated reconnaissance tools to support red teaming and cyber threat intelligence engagements. He loves the shores of Zürisee much more than the streets of London, where he previously used to live.

About Olaf: Photographer | DFIR | Threat hunter | Data Dweller | Splunk | Sysmon |

Presentation Slide 

Speaker: Setu Parimi

Twitter: NA

Abstract: Policy as Code Bot (PacBot) is a platform for continuous compliance monitoring, compliance reporting and security automation for the cloud. In PacBot, security and compliance policies are implemented as code. All resources discovered by PacBot are evaluated against these policies to gauge policy conformance. The PacBot auto-fix framework provides the ability to automatically respond to policy violations by taking predefined actions.

PacBot packs in powerful visualization features, giving a simplified view of compliance and making it easy to analyze and remediate policy violations. PacBot is more than a tool to manage cloud misconfiguration, it is a generic platform that can be used to do continuous compliance monitoring and reporting for any domain.

About Setu: Cloud Security Architect with specialization towards defense in depth and incident response in cloud.

Presentation Slide 

Speaker: Jane Miceli

Twitter: @janemiceli

Abstract: Learn about a breach, what happens in the aftermath and why I can't tell my peers what happened. Learn the fallout and more importantly what application developers aren't thinking about.

About Jane: Enterprise Cloud Architect, 9 years exp in cloud, former lead cloud SRE