Speaker: Igal Flegmann

Date: 14 Aug

Time: 12:50 - 13:30 PDT

Twitter: @igal_fs

Abstract:

In the last decade, the major cloud companies have been fighting to get market share by offering the easiest to use cloud with most services. Allowing you get a simple site up and running in a few minutes and quickly being able to scale it. While cloud providers market themselves as the most secure infrastructure for your code, their defaults are far from secure. With: certificates being able to be issued without proof of domain ownership, insecure SSH by default, default passwords, and more the move to the cloud is making it easier for you and your attackers to get into your infrastructure. In this talk we will talk about common Azure errors that will get you in trouble.

Igal started his career in Microsoft’s Azure Security team creating and managing identity services for Azure’s secure production tenants. After a successful career in Azure Security, Igal transferred teams to work in Azure’s ASCII (Azure Special Capabilities, Infrastructure, and Innovation) team, where he used his identity and security expertise to design and create security services to protect the critical infrastructure devices of the world.
To follow passion for identity and security, Igal decided to leave Microsoft and Co-found Keytos, a security company with the mission of eliminating passwords by creating easy to use PKI offerings.

Speaker: Jay Chen

Date: 14 Aug

Time: 11:50 - 12:30 PDT

Abstract:

The principle of least privilege states that a subject should be given only those privileges needed for it to complete its task. The concept is not new, but our recent research on 18,000 production cloud accounts across AWS and Azure showed that 99% of the cloud identities were overly-permissive. The majority of the identities only used less than 10% of their granted permissions.
While I investigated the issue further, one interesting pattern quickly surfaced, many overly-permissive permissions were granted by CSP-managed permission policies. CSP-managed policies were granted 2.5 times more permissions than customer-managed policies. These excessive permissions unnecessarily increased the attack surface and risks of the cloud workloads. In particular, many identities could abuse the granted permissions to obtain admin privilege.
These findings raised a few questions. Are we all doing something terribly wrong? Is the principle of least privilege a realistic and necessary goal in modern cloud environments? What can be done to mitigate the problem? Knowing the problem and the risks, I will then introduce an open-source tool IAM-Deescalate to shine a light on the problem.
IAM-Deescalate can help identify and mitigate the privilege escalation risks in AWS. It models the relationship between every user and role in an AWS account as a graph using PMapper. It then identifies the possible privilege escalation paths that allow non-admin principals to reach admin principals. For each path, IAM-Deescalate revokes a minimal set of permissions to break the path to remediate the risks. At the time of writing, IAM-Deescalate can remediate 24 out of the 31 publicly known privilege escalation techniques. On average, it remediates 75% of the privilege escalation vulnerabilities that existing open-source tools can detect.
The audience will gain a new perspective on IAM security and pick up a new tool for their security toolbox.

Jay Chen is a security researcher with Palo Alto Networks. He has extensive research experience in cloud-native, public clouds, and edge computing. His current research focuses on investigating the vulnerabilities, design flaws, and adversary tactics in cloud-native technologies. In the past, he also researched Blockchain and mobile cloud security. Jay has authored 20+ academic and industrial papers.

Speaker: Ricardo Sanchez

Date: 14 Aug

Time: 10:40 - 11:20 PDT

Twitter: @ric_rojo

Abstract:

"Cloud security is evolving rapidly and can be challenging. The growing need for remote working over the last year enhances this development. How can companies keep up with the pace of change? How do you know you are secure? Are the default installations secure? How do you find and fix your Cloud misconfigurations? How do you even start doing a Cloud assessment? Is it like an on-premise one?
At the end of the conversation you will have a detailed guide with tools and examples of how can you hack/secure a cloud environment in only #4Steps.

Ricardo is a senior security specialist with business development and consultant background and over 10 years of experience. He exceeds in translating business needs into technical needs, and vice versa. He is currently the Lead of the Cloud Business Unit of one of the most important Cyber Security companies of the Netherlands. On top of that, he wrote two books with international distribution, has two patent applications as main inventor.

Speaker: Rodrigo Montoro

Date: 14 Aug

Time: 10:00 - 10:40 PDT

Twitter: @spookerlabs

Abstract:

Amazon Web Services (AWS) is a complex ecosystem with hundreds of different services. In the case of a security breach or compromised credentials, attackers look for ways to abuse the customer's configuration of services with their compromised credentials, as the credentials are often granted more IAM permissions than is usually needed. Most research to date has focused on the core AWS services, such as , S3, EC2, IAM, CodeBuild, Lambda, KMS, etc. In our research, we present our analysis on a previously overlooked attack surface that is ripe for abuse in the wrong hands - an AWS Service called Amazon AppStream 2.0.
Amazon AppStream 2.0 is a fully managed desktop service that provides users with instant access to their desktop applications from anywhere. Using AppStream 2.0, you can add your desktop applications to a virtual machine and share access to the VM by sharing a link - without requiring any credentials, you can share an image (an attack toolset) with a target account without needing any approval from the other side or attach some privileged role to an image and get those credentials.
In this talk, you'll learn about how AppStream works, how misconfigurations and excessive IAM permissions can be abused to compromise your AWS environment and allow attackers to control your entire AWS account. We'll cover tactics such as persistence, lateral movement, exfiltration, social engineering, and privilege escalation. We will also cover the key indicators of compromise for security incidents in AppStream and how to prevent these abuse cases, showing how excessive privileges without great monitoring could become a nightmare in your Cloud Security posture, making possible attackers control your AWS account.

Rodrigo "Sp0oKeR'' Montoro has more than 20 years of experience in Information Technology and Computer Security. Most of his career worked with open source security software (firewalls, IDS, IPS, HIDS, log management, endpoint monitoring), incident detection & response, and Cloud Security. Currently, he is a Senior Threat Detection Engineer at Tempest Security. Before that, he worked as Cloud Researcher at Tenchi Security, Head of Research and Development at Apura Cyber Intelligence, SOC/Researcher at Clavis, Senior Security Administrator at Sucuri, Researcher at Spiderlabs. Author of 2 patented technologies involving innovation in the detection field. One is related to discovering malicious digital documents. The second one is in how to analyze malicious HTTP traffic. Rodrigo has spoken at several open-source and security conferences (OWASP AppSec, SANS (DFIR ,SIEM Summit and CloudSecNext), Defcon Cloud Village, Toorcon (USA), H2HC (Sπo Paulo and Mexico), SecTor (Canada - 5x), CNASI, SOURCE Boston & Seattle, ZonCon (Amazon Internal Conference), Blackhat Brazil, BSides (Las Vegas e Sπo Paulo)).

Speaker: Felipe Esp≤sito

Date: 13 Aug

Time: 13:40 - 14:20 PDT

Twitter: @Pr0teusBR

Abstract:

Attackers do not always land close to their objectives (data to steal). Consequently, they often need to move laterally to accomplish their goals. That is also the case in cloud environments, where most organizations are increasingly storing their most valuable data. So as a defender, understanding the possibilities of lateral movements in the cloud is a must.
Because the control plane APIs are exposed and well documented, attackers can move between networks and AWS accounts by assuming roles, pivoting, and escalating privileges. It is also possible for attackers to move relatively easily from the data plane to the control plane and vice-versa.
In this talk, we are going to explore how attackers can leverage AWS Control and Data Planes to move laterally and achieve their objectives. We will explore some scenarios that we discovered with our clients and how we approached the problem. We will also share a tool we created to help us visualize and understand those paths.

Felipe Esp≤sito also known as Pr0teus, graduated in Information Technology at UNICAMP and has a master's degree in Systems and Computing Engineering from COPPE-UFRJ, both among the top technology universities in Brazil. He has over ten years of experience in information security and IT, with an emphasis on security monitoring, networking, data visualization, threat hunting, and Cloud Security. Over the last years he has worked as a Security Researcher for Tenchi Security, a Startup focused in secure the cloud, he also presented at respected conferences such as Hackers 2 Hackers Conference, BHACK, BSides (Las Vegas and Sπo Paulo), FISL, Latinoware, SecTor, SANS SIEM Summit, and Defcon's CloudSec Village.

Speaker: Kat Fitzgerald

Date: 13 Aug

Time: 12:30 - 13:10 PDT

Twitter: @rnbwkat

Abstract:

Intro time (5 mins) Well, I have to say who I am and why I'm here and my qualifications, otherwise people leave. Ok, maybe they don't leave, but I want to explain how/why I do this and how I'm going to make it a fun project for everyone after the talk!
Baking something fluffy (10 mins) Now I take a few minutes to explain the common concepts of cloud configurations such as IAM/ORG policies and how they compare to redteaming 'on-prem'. It's all about understanding the magic that is the cloud in clear terms that everyone can follow along with - and yes, there are funny jokes and memes throughout. A happy crowd is an engaged crowd! Seriously, in a quick 10 minutes, 'Pizza as a Service' is used to explain the concepts of the cloud, the attack vectors presented and how pentesters and bad actors use these attack points to their advantage.
It's clobberin time (10 mins) Let's get to it with lots of example of misconfigurations and the attack vectors they pose. This is both live (with recorded backup) demo time and OSS tool demonstrations to help find misconfigured cloud services. Not much else to say about this part. It is interactive, fun and really shows off how simple mistakes can lead to serious incidents like exposing millions of records to the public 'accidentally' or how a public github repo was used to launch over 300 VMs for crypto mining and no one knew until a month later. Oh yeah, and a brief description of how cryptomining is a fun diversion to take your attention away from what the attacker was really doing will be discussed. Peace offerings to the demo gods will be made prior to the live portion of course.
Great, now how do we fix it? (10 mins) Well, attendees have to come away with some clear AIs to be able to apply to their cloud configurations and some suggestions on how to avoid misconfigurations in the first place. Auditing tools are discussed and shown (not in demo, but output from audits are shared and discussed) Tools discussed are all OSS and nothing, (and I mean nothing!) is commercial! Before and afters of misconfigured cloud projects will be shown with some general automation suggestions to help remove the 'human threat' factor from the process.
Key Takeaways (5 mins) Let's bring it all to a neat and tidy conclusion with specific takeaways so attendees feel like they got something out of this. What good is any talk without identified specifics of what we learned and how to apply them, am I right? And there you have it, tied up neatly with a lovely bow and ready to take home!
Q/A (5 mins)

Based in Seattle and a natural creature of winter, you can typically find me sipping Grand Mayan Extra Anejo whilst simultaneously defending my systems using OSS, magic spells and Dancing Flamingos. Honeypots & Refrigerators are a few of my favorite things! Fun Fact: I rescue Feral Pop Tarts and have the only Pop Tart Sanctuary in the Seattle area.

Speaker: Christophe Tafani-Dereeper

Date: 13 Aug

Time: 11:20 - 12:00 PDT

Twitter: @christophetd

Abstract:

To detect evil in the cloud, you must first know what 'evil' looks like. Then, it's critical to have an easy way to reproduce common attack techniques in live environments, to validate that our threat detection and logging pipelines work as intended. In this talk, we present Stratus Red Team, an open-source project for adversary emulation and end-to-end validation of threat detection in AWS, Kubernetes and Azure.
We discuss the motivation behind the project, design choices, and the philosophy behind Stratus Red Team: helping blue teams focus on real-world, documented attack techniques and empower them to iteratively build high-quality detections. We also discuss more advanced use-cases that Stratus Red Team allows, such as running it on a schedule in your CI/CD to continuously validate that the expected alerts are popping up in your SIEM.
We conclude with a live demo where we 'detonate' attack techniques against a live Kubernetes cluster and AWS account.

Christophe is a cloud security researcher and advocate at Datadog. He's passionate about threat detection in the cloud, and cloud-native technologies in general. He previously worked as a software developer, penetration tester, SOC analyst and cloud security engineer. He likes to write about technology he likes, uses, dislikes and misuses. Living in Switzerland, you can tell he's French when he speaks.

Speaker: Daniel Prizmant

Date: 13 Aug

Time: 10:40 - 11:20 PDT

Twitter: @pushrsp

Abstract:

What is Serverless? Serverless computing is a cloud computing execution model in which the cloud provider allocates machine resources on-demand, taking care of the servers on behalf of their customers.
"Serverless" is a misnomer in the sense that servers are still used by cloud service providers to execute code for developers.
How does Serverless work? Where is this Serverless code executed? Who's in charge of securing it? There are many questions surrounding the topic of Serverless computing.
In this talk, I will present to you my research on Serverless Functions. I will show you how I managed to break the serverless interface barrier and what is hidden behind it. I will also show you how I managed to break out of the container that was supposed to contain my possibly malicious code and get to the underlying host.
I will start by explaining what is Serverless and the idea behind it. I will show some prime examples of what Serverless is supposed to be used for. I will continue with a break out of the cloud provider interface to show you the infrastructure of the machine, the server of the serverless function, that is actually running the code.
After that, I will begin walking you through my research and journey from the point of view of an attacker. I will show you how I discovered the image that the container was running and the steps I took to reverse engineer it.
From there, the path to an elevation of privileges to root to escaping the container was short. I will walk you through a very old but useful exploit I used to escalate my containerized root access to a full-on container breakout.
To finish the talk, I will discuss some of the mitigations that were in place in this instance by the cloud provider, and why they were critical in this scenario.

Daniel started out his career developing hacks for video games and soon became a professional in the information security field. He is an expert in anything related to reverse engineering, vulnerability research, and the development of fuzzers and other research tools. To this day Daniel is passionate about reverse engineering video games at his leisure. Daniel holds a Bachelor of Computer Science from Ben Gurion University.

Speaker: Jenko Hwong

Date: 13 Aug

Time: 10:00 - 10:40 PDT

Twitter: @jenkohwong

Abstract:

Join in this deep dive looking at new abuses of OAuth 2.0. We'll look at a variety of attacks including phishing and stolen credential attacks, starting with Microsoft authorization code grant to Google authorization code grant using copy/paste. We'll then move on to new attacks including: OWA browser attacks, Chrome attacks, different SaaS OAuth implementations, upstream SSO attacks, and hidden uses of OAuth in Google App Scripting and Google Cloud Shell.
In a nod to Penn and Teller, with each attack, we'll reveal the underlying secret techniques used, why and how it works, and what can be generalized. We'll then show how the most common defensive measures (e.g. MFA, IP allow lists, application allow lists, authorization controls) are used to mitigate each attack, then adjust the attack to bypass the defensive measure. We'll also discuss what vendors have been doing to mitigate these attacks and whether they are effective.
Code for any demo/POCs will be made available as open-source.

Jenko Hwong is a Principal Researcher on Netskope's Threat Research Team, focusing on cloud threats/vectors. He's spent time in engineering and product roles at various security startups in vulnerability scanning, AV/AS, pen-testing/exploits, L3/4 appliances, threat intel, and windows security.

Speaker: Nestori Syynimaa

Date: 12 Aug

Time: 10:50 - 11:30 PDT

Twitter: @DrAzureAD

Abstract:

Microsoft Cloud bug bounty programs are one of the most well-paid programs, including Microsoft Identity program. This program covers cloud-related Elevation of Privilege vulnerabilities, having bounties up to $100,000! But as all vulnerabilities are not worth 100k, it's good to know how to make most of the low-bounty vulnerabilities.
In this talk, I'll share my experiences on the Microsoft bounty programs from 2021, when I made $65k in bounties with six vulnerabilities. I'll show how I turned a vulnerability initially categorized as 'by-design' to $40k in bounties and how I tripled the initial $5k bounty by reporting similar findings smartly.

Dr Nestori Syynimaa (@DrAzureAD) is one of the leading Azure AD / M365 security experts globally and the developer of the AADInternals toolkit. For over a decade, he has worked with Microsoft cloud services and was awarded Microsoft Most Valuable Security Researcher for 2021. Currently, Dr Syynimaa works as a Senior Principal Security Researcher for Secureworks Counter Threat Unit and hunts for vulnerabilities full time. He has spoken at many international scientific and professional conferences, including IEEE TrustCom, Black Hat Arsenal USA and Europe, RSA Conference, and TROOPERS.

Speaker: BridgeCrew

Date: 12 Aug

Time: 13:40 - 14:20 PDT

Twitter: @bridgecrewio

Abstract:

Our journey to open source and GitOps has exposed new security challenges as our CI platforms are exposed to the outside world. The soft underbelly of our development pipeline is just as visible to willing contributors as it is to malicious subversives looking for the keys to the cloud. In this talk, we'll look at some known disruptions to GitHub Actions workflows to show how simple misconfigurations or straight-up bad practices can leave our software supply chain wide open to attackers. We'll also take an ounce of prevention to not be the weak link for supply chain attacks.

Speaker: Cassandra Young

Date: 12 Aug

Time: 13:10 - 13:40 PDT

Twitter: @muteki_rtw

Abstract:

Securing application or infrastructure code in the Cloud is more than just scoping permissions in IAM and scanning ECS, EKS and EC2 instances. Attackers can use poisoned container instances, malicious code and dependencies, and vulnerable CI/CD pipelines to break into your environment, requiring you to consider the entire development lifecycle, from who's writing the code, to how it's deployed. This short talk will introduce you to basic but powerful practices you can put in place now, such as signed Git commits, securing repo access, code analysis, CI/CD permissions, and resource scanning and hardening.

Cassandra works full time in information security consulting, specializing in Cloud Security Architecture and Engineering. She holds a master's degree in Computer Science, focusing on cloud-based app development and academic research on serverless security and privacy/anonymity technology. Additionally, as one of the directors of Blue Team Village, Cassandra works to bring free Blue Team talks, workshops and more to the broader InfoSec community.

Speaker: Shannon McHale

Date: 12 Aug

Time: 12:30 - 13:10 PDT

Twitter: @_shannon_mchale

Abstract:

Default Google Cloud Platform (GCP) configurations include open ports, high numbers of excessive permissions, limited logging, and credential expiration dates, which security professionals would typically never let happen. But, we cannot expect users in GCP environments to know and prioritize the most secure option for each setting when they configure a resource. This inadvertently leads to unsafe environments that attackers can leverage.
In this talk, we will review the 'dangerous defaults' of GCP and how they can be abused by attackers. We'll also provide specific policies cloud architects and cloud administrators should implement to stop their users from deploying default configurations and outline how to set up policies that reduce decision fatigue on their users. The goal is for cloud architects, engineers, and Blue Teamers to implement what they see in this talk and scale their environment to be significantly more secure. It will also give my fellow Red Teamers a list of items to check for during their assessments to help organizations further harden their environments.

Shannon McHale, Associate Consultant at Mandiant, has spent her first year in the security industry focused on Red- Teaming cloud environments and recently passed the Google Cloud Certified Professional Cloud Security Engineer (PCSE) exam. As one of Mandiant's Google Cloud Platform (GCP) Subject Matter Experts (SME), she works hard on enhancing and delivering the GCP Penetration Test methodology. This is her first DefCon, but she has presented at ShmooCon and the Women in Cybersecurity (WiCyS) conferences, while simultaneously obtaining her Bachelor's of Science in Computing Security from Rochester Institute of Technology.

Speaker: Noam Dahan

Date: 12 Aug

Time: 14:20 - 14:50 PDT

Twitter: @NoamDahan

Abstract:

Every system has its blind spots. The major cloud providers are no different. The shadows in which attackers can hide out of sight (or in plain sight), and the doors that are too often left open are important parts of the cloud security landscape.
The pressure to create usability, the need to support legacy systems and workflows in a rapidly evolving landscape and the porting over of on-prem systems are just some factors that lead to these exploitable parts of cloud security.
In this talk, we'll map out a few of these built-in blind spots, focusing on AWS, Azure, and GCP in three key areas: 1) Hard knock life: Critical security areas that are hard to get right or confusingly misrepresented. 2) Trust no one! Cloud provider design flaws and backdoors that limit the degree of security that can be reached. 3) Too old for this s***: Legacy support and dirty fixes that make for great hiding places for attackers.
We'll explore cool ways to penetrate cloud environments, escalate privilege and achieve stealth. By identifying what these weak points have in common, we can also figure out how to spot more such oversights in the future.

Noam Dahan is a Senior Security Researcher at Ermetic with several years of experience in embedded security. He is a graduate of the Talpiot program at the Israel Defense Forces and spent several years in the 8200 Intelligence Corps. Noam was a competitive debater and is a former World Debating Champion.

Speaker: Alexandre Sieira

Date: 12 Aug

Time: 11:30 - 12:10 PDT

Twitter: @AlexandreSieira

Abstract:

Recently the Conti ransomware group internal chat leaks was fascinating reading. Among other things, it reminded us that both well-intentioned and malicious actors are constantly trying to find ways to find vulnerabilities and develop exploits to widely used IT products. This is particularly true those that are externally exposed firewalls, VPNs and load balancers, or security products that might thwart their techniques and tools.
The timeline from the chats seems to show a gap of several months between Conti members trying to procure either appliances or commercial software that they were trying to get for these purposes. This got us thinking about how the major cloud service providers these days have marketplaces where you can easily buy virtual appliances or SaaS licenses for lots of widely used IT and security products with little more than a valid credit card, in minutes. And we decided to check how feasible it is to use this to conduct vulnerability research.
In this presentation we will show what kind of access one can get to the internals of IT and security products using these marketplaces, particularly in the case of products only typically offered in hardware appliances. Which cloud providers try to prevent this sort of activity, how they do it, which ones simply don't care, and what techniques we were able to use to access these appliance's internals.
The objective here is threefold: 1) help well intentioned vulnerability researchers find an easier avenue to do their work; 2) allow cloud providers to get a better understanding of how their marketplaces can be abused and which controls they could implement to mitigate that risk, and 3) let IT and security vendors realize the added exposure of publishing their products on these marketplaces.

Alexandre (or Alex) Sieira is a successful information security entrepreneur in the information security field with a global footprint since 2003. He began his security career as a Co-Founder and CTO of CIPHER, an international security consulting and MSSP headquartered in Brazil which was later acquired by Prosegur. In 2015, he became Co-Founder and CTO of Niddel, a bootstrapped security analytics SaaS startup running entirely on the cloud, which was awarded a Gartner Cool Vendor award in 2016. After the acquisition of Niddel by Verizon in January 2018, he became the Senior manager and global leader of the Managed Security Services - analytics products under the Detect & Respond portfolio tower at Verizon. Currently is the CEO and Co-Founder of Tenchi Security, a company focused on cloud security.
Alex is also an experienced speaker having presented at Black Hat, BSides SF, FIRST Conference, DEF CON Cloud Village and local events in Brazil several times over his career.

Speaker: Karl Fosaaen

Date: 12 Aug

Time: 10:10 - 10:50 PDT

Twitter: @kfosaaen

Abstract:

Microsoft's Azure cloud platform has over 200 services available to use, so why are we picking on just one? Automation Accounts are used in almost every Azure subscription and have been the source of two different CVEs in the last year, including one issue that exposed credentials between tenants. Given the credentials and access that are often associated with Automation Accounts, they're an easy target for attackers in an Azure subscription. In this talk, we will go over how Automation Accounts function within Azure, and how attackers can abuse built-in functionality to gain access to credentials, privileged identities, and sensitive information. Furthermore, we will do a deep dive on four vulnerabilities from the last year that all apply to Azure Automation Accounts.

As a Senior Director at NetSPI, Karl leads the Cloud Penetration Testing service line and oversees NetSPI's Portland, OR office. Karl holds a BS in Computer Science from the University of Minnesota and is approaching 15 years of consulting experience in the security industry. Karl spends most of his research time focusing on Azure security and contributing to the NetSPI blog. As part of this research, Karl created the MicroBurst toolkit (https://github.com/Netspi/Microburst) to house many of the PowerShell tools that he uses for testing Azure. In 2021, Karl co-authored the book 'Penetration Testing Azure for Ethical Hackers' with David Okeyode. Over the years, Karl has held the Security+, CISSP, and GXPN certifications. Since DEF CON 19, Karl has spent most of his conference time selling merchandise as a Goon on the Merch (formerly SWAG) team.