CLOUD VILLAGE @DEFCON32 - 2024

Cloud village is an open space to meet folks interested in offensive and defensive aspects of cloud security.

About

Cloud village is an open space to meet folks interested in offensive and defensive aspects of cloud security. The village is home to various activities like talks, workshops, CTFs and discussions targeted around cloud services.

If you are a professional who is looking to gain knowledge on securely maintaining the cloud stack and loves to be around like-minded security folks who share the similar zeal towards the community, Cloud Village is the perfect place for you.

This year Cloud Village will be in-person at DEF CON 32, Las Vegas Convention Center.

Crew Members:

Jayesh Singh Chauhan (@jayeshsch)
Max G (@maxg)
Aniruddha Biyani (@malprxctice)
Kumar Ashwin (@0xCardinal)
Mike Ruth (@MF_Ruth)
Dharmendra Gupta (@ItsDg4u)
Luis (@G0TH3R_IO)
Hans Raj (@0xh4ns)
Harsh Akshit (@explorash)
Mayank Sharma (@ping_mayank)
Krithika (@krithikamm)
Bridget Kelly (@N_Y_X11)
Pratinav Chandra (@inf0spec)
Jenko Hwong (@jenkohwong)
Rohit Bansal (@banro21)
Swar Shah (@swar_shah05)
Yash Roongta (@acc3ssp0int)
Upmanyu Jha (@hackergod00001)
Rachit Arora (@rach1tarora)
Ari Kalfus (artis3n.bsky.social)
Hari Pranav Arun Kumar (@aharipranav)
Ritvik arya (@rtvkiz)
Varun Singh (@v4run75)
Himanshu Sharma (@H1mSR0cK)
Dhruv Nagpal (@dnagpaldtg)
Karthik Ekanathan (@0Sold3rMystic)
Foley
Tom Ganem
Rebecca James
Vinayak Khandelwal
Katie Tucker
Chi Phong Huynh

CFP Review Panel:

Anant Srivastava (@anantshri)
Bruce Kunz (@TweekFawkes)
Sarah Young (@_sarahyo)

Cloud CTF

Cloud Village CTF @DEF CON 31: 9th & 10th August 2024

CTF start - 10:00 PT on 9th August 2024

CTF close - 23:59 PT on 10th August 2024

Registrations Open - Closed

CTF Site - ctf.cloud-village.org

If you ever wanted to break stuff on the cloud, or if you like rabbit holes that take you places you did not think you would go to, follow complicated story lines to only find you could have reached to the flag without scratching your head so much - then this CTF is for you!

Our CTF is a two days jeopardy style contest where we have a bunch of challenges hosted across multiple Cloud providers across multiple categories of difficulty.

You can register as teams or go solo, use hints or stay away from them, in the end it will be all for glory or nothing. Plus the prizes. Did we not mention the prizes? :D

See you on the other side!

+

The Rise of the Planet of the Agents: LLM-based AI Agents and Cloud Security APIs

+

Speaker: Roberto Rodriguez

Date: 11 Aug

Time: 11:45 - 12:20 PDT

X: @Cyb3rWard0g

Bio:

Roberto Rodriguez, also known as Cyb3rWard0g in the Infosec community, is a respected security researcher at the Microsoft Security Research organization. He is well-known for his contributions to the field, including the creation of influential open-source projects such as the Threat Hunter Playbook, Security Datasets, OSSEM, SimuLand and ATT&CK Python Client. Roberto's work has had a significant impact on the cyber security community, promoting proactive threat hunting and knowledge sharing. His expertise and dedication have made a lasting impact on the industry and has helped shape the future of cyber security.

Abstract:

In the rapidly evolving domain of cloud security, the ability to dynamically interact with cloud services is crucial for security teams. Understanding cloud APIs is key to effectively managing everything from administrative tasks to security operations. Security researchers often face the challenge of selecting from numerous API definitions. What if there was a system capable of autonomously selecting the right APIs and intelligently chaining them to achieve specific goals?

In this presentation, I will share insights from my research on LLM-based AI agents. These agents utilize LLMs as reasoning engines, enabling them to handle complex tasks in natural language and autonomously determine their next actions based on user input and previous interactions. I will explain how we can transform Microsoft Graph API definitions into schemas that align with LLM function-calling capabilities. This transformation allows an LLM to select the appropriate tools and supply the correct arguments for an AI agent to execute. By integrating generative AI with cybersecurity, we can automate tasks and discover new ways to chain APIs for various operations, significantly enhancing the capabilities of security researchers to innovate in security operations and automation.

+

Creating Azure Policy Compliant Backdoor

+

Speaker: Viktor Gazdag

Date: 11 Aug

Time: 11:10 - 11:45 PDT

X: @wucpi

Bio:

Viktor Gazdag has worked as pentester and security consultant for 9 years, lead cloud research working group and M365 capability service. He has reported numerous vulnerabilities in products and plugins from companies such as Oracle, SAP, Atlassian, Jenkins, CloudBees Jenkins, JetBrains, Sonatype. He gave talks about CI/CD security at DevOps World, Black Hat USA, DefCon and DoD CyberDT XSWG. He holds multiple AWS/Azure/GCP, Infra as Code, DevOps and Hacking certs and Jenkins Security MVP award.

Abstract:

Azure Policy is a built-on service that helps creating security and compliance policies to enforce organizational standards in the cloud environment. It evaluates resources by comparing the properties of the resources and with the help of remediation tasks, it can fix or remediate any issues with those resources. Have you ever wondered if you could abuse or bend these policies? Can you do more than just listing the storage accounts with public access and not be in the logs? How about creating a backdoor?

In this talk I will answer these questions by talking about what Azure Policy is, how to write one, what the logs contain, what permission you need, what does resource enumeration could look like etc. At the end I will present a proof-of-concept solution to bend the Azure Policy and create a backdoor account in Azure.

+

Kicking in the Door to the Cloud: Exploiting Cloud Provider Vulnerabilities for Initial Access

+

Speaker: Nick Frichette

Date: 11 Aug

Time: 10:35 - 11:10 PDT

X: @Frichette_n

Bio:

Nick Frichette is a Staff Security Researcher at Datadog, where he specializes in offensive AWS security. He is known for finding multiple zero-day vulnerabilities in AWS services and regularly publishing on new attack techniques. In addition to his research, Nick is the creator and primary contributor to Hacking the Cloud, an open source encyclopedia of offensive security capabilities for cloud environments. He is also a part of the AWS Community Builder Program, where he develops content on AWS security.

Abstract:

In this talk we will explore vulnerabilities in Amazon Web Services (AWS) products which allowed us to gain access to cloud environments.

Traditionally, adversaries have abused misconfigurations and leaked credentials to gain access to AWS workloads. Things like exposed long-lived access keys and exploiting the privileges of virtual machines have allowed adversaries to breach cloud resources. However, these mistakes are on the customer side of the shared responsibility model. In this session, we will cover vulnerabilities in AWS services that have been fixed and that previously allowed us to access cloud resources.

We will start with an exploration of how Identity and Access Management (IAM) roles establish trust with AWS services. Covering how roles associated with Amazon Cognito and GitHub Actions could be misconfigured to allow anyone in the world to access them. From here, we’ll cover a vulnerability we found in AWS Amplify which exposed IAM roles associated with the service to takeover, allowing anyone the ability to assume these roles.

Finally, we will also look at a worst-case scenario: what happens when an attacker finds a confused deputy vulnerability and is able to assume roles in other accounts? Sounds far-fetched? We’ll cover a real world example of a vulnerability we found in AWS AppSync that lets us do just that. We’ll also discuss how security practitioners can secure their environments, even against a zero-day like this one.

Join us to learn how attackers search for and exploit vulnerabilities in AWS services to gain access to cloud environments.

+

Cloud Tripwires: fighting stealth with stealth

+

Speaker: Jenko Hwong

Date: 11 Aug

Time: 10:00 - 10:35 PDT

X: @jenkohwong

Bio:

Jenko Hwong is a Principal Researcher on Netskope's Threat Research Team, focusing on cloud threats/vectors and identity abuse. He's spent time in engineering and product roles at various security startups in vulnerability scanning, AV/AS, pen-testing/exploits, L3/4 appliances, threat intel, and windows security.

Abstract:

Cloud attacks continue to evolve e.g., AWS enumeration without logging (Fourchette), Azure OAuth tokens used for EoP and persistence (Blizzard), Cloud Shell backdoors, code abuse in GSuite scripting (Bryant), and tool evolution (Rhinolabs pacu), with current defensive approaches of lagging further and further behind.

This talk covers research and tooling to improve cloud defenses in AWS, Azure, and GCP, using more stealthy measures which complement existing techniques. We call the approach cloud tripwires, which involves stealthy defensive techniques that can provide low-FP detections of malicious actors.

Through analysis of cloud provider IAM design, published attack techniques and common attack tools, we show multiple stealthy detection techniques such as: restricted admin roles that are not used by valid users; seeding of the restricted admin roles in regular user policies; honey resources (buckets, files) with detections to flag access; seeding of honey resources within user policies; cached honey credentials seeded in CLI installations in external client environments, EC2 instances, and Cloud Shells; unrestricted cross-account roles to restricted accounts; metadata proxy/iptables config on EC2 instances that issue restricted temporary tokens; and full CRUD/reporting/auditing functionality.

+

Runtime Reachability: Prioritizing Vulnerabilities with eBPF & Continuous Profiling

+

Speaker: Sam "Frenchie" Stewart

Date: 10 Aug

Time: 13:10 - 13:50 PDT

X: @nffrenchie

Bio:

Frenchie is the founder & CEO of Ensignia Security. Previously: InfraSec @ Brex/Cruise/Culture Amp. He has previously presented on cloud, cluster, container & CI/CD security (anything starting with a C, really) at BSidesSF/Melbourne/Canberra, ProjectDiscovery's Hardly Strictly Security and Kiwicon conferences, amongst others. Frenchie is far too biased to answer this question, and instead chooses to break the 4th wall.

Abstract:

As security engineers, managing risk means making informed decisions about which vulnerabilities to address first. We are often too time constrained, and the signal-to-noise ratio of current SAST/SCA tooling is too low.

This talk introduces "Runtime Reachability," a novel approach that leverages Continuous Profiling via eBPF to quantify how often a vulnerable method/codepath is called, in actual production usage. By understanding the runtime behavior of applications, security teams can effectively filter out low-likelihood vulnerabilities, prioritize fixes more effectively, reduce toil & the overall risk to their organization.

+

Identity Theft is not a Joke, Azure!

+

Speaker: Karl Fosaaen

Date: 10 Aug

Time: 11:10 - 11:50 PDT

X: @kfosaaen

Bio:

As a VP of Research, Karl is part of a team developing new services and product offerings at NetSPI. Karl previously oversaw the Cloud Penetration Testing service lines at NetSPI and is one of the founding members of NetSPI's Portland, OR team. Karl has a Bachelors of Computer Science from the University of Minnesota and has been in the security consulting industry for 15 years. Karl spends most of his research time focusing on Azure security and contributing to the NetSPI blog. As part of this research, Karl created the MicroBurst toolkit to house many of the PowerShell tools that he uses for testing Azure. In 2021, Karl co-authored the book "Penetration Testing Azure for Ethical Hackers" with David Okeyode.

Abstract:

As Azure services continue to expand and evolve, their associated authentication methodologies have also changed. Having mostly moved away from storing credentials in cleartext, most Azure services utilize Managed Identities to offer a more secure approach to access management. However, Managed Identities can bring their own challenges and risks.
In this talk, we delve into the nuanced landscape of Managed Identities across multiple Azure services. We explore how attackers exploit access to services with these identities to escalate privileges, move laterally, and establish persistence within Azure tenants. We will also provide helpful tips for defenders trying to identify these attacks. Finally, we will showcase a tool designed to automate attacks against User-Assigned Managed Identities.

+

Terraform Unleashed: Crafting Custom Provider Exploits for Ultimate Control

+

Speaker: Rupali, Alex Foley

Date: 10 Aug

Time: 10:30 - 11:10 PDT

X: @rupali0405, @axlf

Bio:

Rupali Dash brings over 8 years of cybersecurity experience, specializing in penetration testing and red teaming. Currently a Lead Security Architect at Axl.net Security, she oversees cloud security and penetration testing engagements. Her credentials include notable certifications like OSCP, OSWE, AWS Security Specialist, and GCPN. She has presented at prominent conferences like Black Hat Asia, DevSecCon, and CoCon.

Alex Foley is a broadly experienced security professional with over 25 years of experience in IT and cybersecurity. He is the founder and CEO of Axl.net Security. He has operated and continues to operate as the vCISO of multiple startup companies with the support of the team from Axl.net Security. Throughout his career, he's had the opportunity to wear many hats and do "all the things" within product development, operations, and security. This broad experience has enabled Alex to bring this depth of understanding to the CISO roles. Alex's skill set focuses on blue team operations, which complements Rupali's expertise in red team activities. Alex holds a CISSP, which he knows cannot hold a candle to Rupali's technical cred.

Abstract:

Terraform is a leading Infrastructure as Code (IaC) solution. It empowers developers to create custom providers for provisioning a wide array of infrastructure resources. Terraform provider functions as binary files on the server and interacts with terraform binary through RPC communication during terraform run. These providers, running as binary files on the Terraform server, enable developers to build custom functions that could be exploited to gain unauthorised access, potentially compromising the Terraform server, and exposing sensitive credentials and data.

In this talk, we'll explore the inner workings of custom provider modules and how their functions can be leveraged to exploit vulnerabilities in Terraform Enterprise. We will also cover developing a custom provider and utilities the same for gaining access to the terraform server extracting the cloud credentials. We will also present various architectural solutions around TFE and best practices for minimising these attack vectors. Furthermore, the session will provide actionable steps for assessing the security posture of custom providers to ensure a robust defence.

+

Attacking and Defending Software Supply Chains: How we got Admin in your Clouds!

+

Speaker: Mike Ruth

Date: 09 Aug

Time: 14:30 - 15:10 PDT

X: @MF_Ruth

Bio:

Mike is a Senior Staff Security Engineer at Rippling, where he works on securing the world’s best All-In-One HR & IT Platform. Previously the technical lead for Infrastructure Security at companies such as Brex & Cruise, Mike has over thirteen years of experience securing, designing, and deploying cloud infrastructure & SaaS services.

Abstract:

This talk will explore how default configurations in reference architectures of our most commonly used software supply chain services can lead to a handful of unsavory outcomes including secrets exfiltration, lateral movement, and privilege escalation within production cloud and SaaS environments. We'll take a close look at how many of the interactions between people and CI|CD services are not as safe as we think. Some examples we’ll look at:

- Abusing PRs against Github repositories allows for execution of code prior to code review & merge, for all downstream services (GH Actions, Buildkite, & Terraform)
- Multi-tenant infrastructures in CI like Buildkite lead to over-authorization & access to production cloud secrets
- Lacking Pipeline Based Access Control (PBAC) in CI services like Buildkite leads to code execution in production cloud environments

After we identify the pitfalls in our by-default configurations, we’ll demonstrate how best to modify them using available tools, services, & best practices.

+

UnOAuthorized: Discovering the path to privilege elevation to Global Administrator

+

Speaker: Eric Woodruff

Date: 09 Aug

Time: 14:00 - 14:30 PDT

X: @ericonidentity

Bio:

Throughout his 24-year career in the IT field, Eric has sought out and held a diverse range of roles, including technical manager in the public sector, Sr. Premier Field Engineer at Microsoft, and Security and Identity Architect in the Microsoft Partner ecosystem. Currently he is a Sr. Cloud Security Architect working as part of the Security Research team at Semperis. Eric is a Microsoft MVP for security, recognized for his expertise in the Microsoft identity ecosystem. Outside of work, Eric supports the professional community, providing his insights and expertise at conferences, participating on the IDPro Body of Knowledge committee, and blogging about Entra and related cloud security topics.

Abstract:

For customers of Microsoft 365 and Azure, obtaining the role of Global Administrator (GA) is every attacker's dream - it is the Domain Administrator of the cloud. This makes Global Administrator every organization's nightmare of being owned by a threat group or hacker. Luckily, well-defined role-based access control and a strict application consent model can severely limit who gets their fingers on Global Administrator - or does it?

This talk explores a novel discovery that resulted in privilege elevation to Global Administrator in Entra ID (Azure AD). Part conversation about the research background, part discussion of the foundational components involved, this talk will walk step-by-step through the path to privilege elevation, and owning Global Admin.

+

Exploit K8S via Misconfiguration .YAML in CSP environments

+

Speaker: Wooseok Kim, Changhyun Park

Date: 09 Aug

Time: 13:25 - 14:00 PDT

X: @woooseokkim

Bio:

Wooseok Kim - Goorm | Site Reliability Engineer | K8S, CSP | SKKU

Changhyun Park - MatchGroup | Hyperconnect | Security Compliance Analyst | Cloud, GRC | SKKU

Abstract:

In this presentation, we researched vulnerable security configurations that enable attacks on Kubernetes (K8s) clusters and examined how these settings can be exploited in CNCF projects. Kubernetes (K8s) uses YAML files to manage various security settings, leading to potential attacks such as information leakage, excessive permission acquisition, and container escape.

Initially, this study focused on three security configuration areas in K8s: RBAC, HostPID, and Security Context. We explained the threats present if vulnerable settings are included.

- RBAC: Excessive permission in K8s resources allows sensitive information theft or access to other nodes
- HostPID: Access to node process information enables container escape attacks
- Security Context: Incorrect security settings enable node escape and host access

Next, we created patterns for identifying weak security settings through YAML files. To do this, we conducted a literature review and expanded the vulnerable patterns centered on RBAC proposed in various papers. Additionally, we included other security settings (HostPID, Security Context).
[Our Pattern vs Paper Pattern]

1. RBAC:

- Our: Daemonset, Deployment SA > node Patch and Secret Get/List
- Paper: Daemonset > node Patch and Secret Get/List

2. Kind:

Our: Cluster Role, Role, Role Binding
Paper: Cluster Role

3. Other Security configurations:

- Our: HostPID, SecurityContext
- Paper: X

Utilizing these patterns, we examined over 150 widely-used 3rd-party CNCF projects in K8s, discovering more than 50 instances of vulnerable patterns.
We provide detailed demonstrations of three scenarios for seizing nodes or clusters by using the discovered patterns to set Base Attack conditions.

[Base Attack Conditions]

- RBAC > Demonset / Deployment > Service Account > Secret (Get/List) or Node(Patch)
[Exploit Scenario]
- Stealing Tokens using Pods with excessive privileges
- Node Take over via 1 Day (CVE-2022-42889) or hostPID: True or Security Context
- Take over of another node or cluster using the Service Account Token on the deodorized node

Additionally, we are aware that 3rd-Party CNCF projects are widely used for convenience when operating K8S in CSPs (AWS, Azure, GCP). Since scenarios can occur in a CSP environment, we demonstrate in more detail.
Finally, based on these research results, we share vulnerable patterns with project owners to collaborate on patching and issue tracking. Before the presentation, we plan to share any reporting on CVEs and patch notes.

+

The Oracle Awakens: Demystifying Privilege Escalation in the cloud

+

Speaker: Felipe Pr0teus, Lucas Cioffi

Date: 09 Aug

Time: 11:30 - 12:10 PDT

X: @Pr0teusBR

Bio:

Felipe Espósito also known as Pr0teus, graduated in Information Technology at UNICAMP and has a master's degree in Systems and Computing Engineering from COPPE-UFRJ, both among the top technology universities in Brazil. He has over ten years of experience in information security and IT, with an emphasis on security monitoring, networking, data visualization, threat hunting, and Cloud Security. Over the last years he has worked as a Security Researcher for Tenchi Security, a Startup focused in third-party risk management, he also presented at respected conferences such as Hackers 2 Hackers Conference, BHACK, BSides (Las Vegas and São Paulo), FISL, Latinoware, SecTor, SANS SIEM Summit, and Defcon's CloudSec and Recon Village.

Lucas Cioffi has been working with cybersecurity for 7 years, and focused in Cloud for the last 3. He has a blog where he shares tips and tricks for Cloud Security, and has published some open-source tools. He was a Cloud Security lecturer for a brazilian college in 2022, and is currently pursuing a Masters degree at USP.

Abstract:

In this talk, we explore privilege escalation mechanisms and paths within Oracle Cloud. Privilege escalation, the process by which an attacker gains elevated access and permissions beyond those intended by the cloud administrator, poses a significant threat in cloud environments and can significantly aid an attacker or pentester.

Our discussion will focus on identifying privilege escalation paths, understanding how cloud administrators can misconfigure policies, and the methods attackers can use to exploit these vulnerabilities. Through carefully designed scenarios and real-world examples, attendees will learn to recognize signs of privilege escalation, thereby enhancing their security posture.

+

Catch them all! Detection Engineering and Purple Teaming in the Cloud

+

Speaker: Christophe Tafani-Dereeper

Date: 09 Aug

Time: 10:50 - 11:30 PDT

X: @christophetd

Bio:

Christophe lives in Switzerland and works on cloud security research and open source at Datadog. He previously worked as a software developer, penetration tester and cloud security engineer. Christophe is the maintainer of several open-source projects such as Stratus Red Team, GuardDog, CloudFlair, Adaz, and the Managed Kubernetes Auditing Toolkit (MKAT).

Abstract:

Where to start looking for attackers in a cloud environment? In a world where cloud providers have hundreds of services and thousands of API calls, getting started can feel overwhelming.

In this talk, we lay out the foundations of a modern detection engineering program built and tailored for the cloud, such as threat-informed defense based on real-world attacker activity, emulating common attacker behavior, shortening feedback loops to validate telemetry, and continuous end-to-end testing of threat detection rules. Additionally, we introduce a new open-source project, Grimoire, which allows leveraging pre-built datasets of AWS CloudTrail logs for common attacks.

You'll gain a hands-on, actionable understanding of how to start identifying threats in your cloud environment, or improve your existing process.

+

Gone in 60 Seconds… How Azure AD/Entra ID Tenants are Compromised

+

Speaker: Sean Metcalf

Date: 09 Aug

Time: 10:10 - 10:50 PDT

X: @PyroTek3

Bio:

Sean Metcalf is founder and CTO at Trimarc (TrimarcSecurity.com), a professional services company which focuses on improving enterprise security. He is one of about 100 people in the world who holds the Microsoft Certified Master Directory Services (MCM) Active Directory certification, is a former Microsoft MVP, and has presented on Active Directory, Azure AD/Entra ID, & Microsoft Cloud attack and defense at security conferences such as Black Hat, Blue Team Con, BSides, DEF CON, DerbyCon, Troopers, & the internal Microsoft BlueHat security conference. Sean is also a co-host on the popular weekly podcast Enterprise Security Weekly streamed live every Thursday with recordings available on YouTube. You may have read some of his Active Directory & Azure AD security articles on his site, ADSecurity.org.

Abstract:

60 seconds. 1 minute.

That's all it takes for an attacker to compromise an account with access.
And the account doesn't even need to have obvious privileged rights for the attacker to own the cloud environment.

Then, once they get Global Admin rights to Azure AD/Entra ID, it's game over since they have full admin rights, access to all data, and can easily pivot to control all Azure subscription services and content.

This talk walks through the most common ways that attackers compromise the Microsoft Cloud, specifically Azure AD/Entra ID and how to mitigate these attack techniques.

Join me in this journey of attacker methods involving account compromise of admin and user accounts, including interesting pairing of role rights, application permissions, and Conditional Access gaps.

So go beyond Global Administrator to better understand the Entra ID roles that really matter in the tenant and how application permissions provide attacker opportunity in most environments!

Attendees will learn both Azure AD/Entra ID attack and defense during this session.

+

Exploiting common vulnerabilities in AWS environments

+

Speaker: Seth Art

Date: 10 Aug

Time: 16:00 - 18:00 PDT

X: @sethsec

Bio:

Seth Art is a Senior Security Advocate at Datadog. Prior to joining Datadog, Seth created and led the Cloud Penetration Testing practice at Bishop Fox. He is the author of multiple cloud focused open source tools including BadPods, IAMVulnerable, and CloudFoxable, and the co-creator of the popular cloud penetration testing tool, CloudFox.

Abstract:

Whether you are responsible for attacking or defending cloud environments, you want to know how attackers compromise them and what successful post-exploitation looks like in the cloud.

This workshop focuses on learning how attackers typically compromise cloud environments, and what post-exploitation looks like. Each workshop attendee will have access to an AWS account deployed with a collection of intentionally vulnerable cloud resources that represent misconfigurations exploited during real cloud penetration tests.

In most cases, attackers gain initial access to cloud environments in one of three ways: They compromise a vulnerable application or service in the cloud, a misconfigured cloud resource, or a user with access to the cloud. In this workshop we will be attacking an intentionally vulnerable cloud environment with all three types of vulnerabilities.

Each section of the workshop will start with an instructor led introduction followed by hands-on hacking. There is something for everyone, regardless of your offensive skill level. Anyone familiar with Linux commands and the AWS CLI is welcome to attend, and even those who have been in the field for years will find something to challenge them.

+

Connecting the Dots: Mastering Alert Correlation for Proactive Defense in the Cloud

+

Speaker: Ezz Tahoun

Date: 10 Aug

Time: 13:50 - 15:50 PDT

Bio:

Ezz Tahoun, a distinguished cyber-security data scientist, who won AI & innovation awards at Yale, Princeton and Northwestern. He also got innovation awards from Canada’s Communications Security Establishment, Microsoft US, Trustwave US, PIA US, NATO, and more. He ran data science innovation programs and projects for OrangeCyber Defense, Forescout Technologies, Royal bank of Canada, Governments, and Huawei Technologies US. He has published 20 papers, countless articles and 15 open source projects in the domain. When he was 19 years old he started his CS PhD in one of the top 5 labs in the world for cyber & AI, in the prestigious University of Waterloo, where he published numerous papers and became a reviewer for top conferences. His designations include: SANS/GIAC-Advisory-Board, aCCISO, CISM, CRISC, GCIH, GFACT, GSEC, CEH, GCP-Professional-Cloud-Architect, PMP, BENG and MMATH. He was an adjunct professor of cyber defense and warfare at Toronto’s school of management.

Abstract:

Interpret the vast amount of alerts (from different sources) received with a comprehensive, hands-on autonomous attack correlation & false positive detection workshop designed to enhance your proactive defense in the cloud. The workshop aims to demystify the process of identifying coordinated attacks amidst this noise, empowering attendees to improve their efficacy & utilize the cloud cost-effectiveness.

No data science expertise is required. Little cloud & secops expertise is required.

Intro:
- The session begins with a foundational overview of event analysis challenges and state of the art.
- Participants will learn about the ATT&CK framework, focusing on its Flows, Tactics, & Techniques to standardize threat detection.

AI & Data:
- A deep dive into accessible open-source AI tools will follow, featuring clustering algorithms, natural language processing, & Markov chains.
- Guidance on importing, cleaning, & normalizing data will ensure accuracy in subsequent analyses.
- Participants will have access to a demo environment to apply these tools interactively.

Mapping Alerts:
- Techniques for automated mapping of alerts to ATT&CK will be demonstrated.
- Attendees will engage in mapping exercises using AI.

Clustering Alerts:
- The workshop will cover clustering methods based on temporal, spatial, & technical attributes.
- Participants will engage in clustering sample alerts to form contextualized attack steps.

Correlating Alerts:
- The importance of killchains in cybersecurity will be highlighted, with methods to link attack steps into cohesive killchains.
- Participants are guided in creating & analyzing killchains to identify coordinated attacks.

Tickets:
- Criteria for creating FP Tickets, Incident Tickets, & Attack Story Tickets will be outlined.
- Participants will engage in generating sample tickets, ensuring each type is comprehensive & actionable.

Integrating & QA:
- The session will cover integration into existing SOC setups & automation using scripts & tools.
- Demonstrations will show how to maintain & update the system for continuous improvement, emphasizing cost-effective cloud automation.
- QA, troubleshooting, & further resources.

By the end of this interactive workshop, participants will have experience with AI tools mapping alerts to Techniques, clustering them into contextualized attack steps, & constructing comprehensive killchains to uncover coordinated attacks. Additionally, they will learn to generate actionable tickets for immediate response & long-term improvements in their security posture, all without needing advanced data science knowledge. This session encourages practical application in participants' environments & further exploration of the vast capabilities of open-source AI in cybersecurity, & showcases the power of cloud cost-effectiveness in big data analytics (sagemaker, s3, lambda, etc.).

+

Hands-On Container Image Security: Mastering Sigstore for Unbreachable Integrity

+

Speaker: Mohammed Ilyas Ahmed, Syed Aamiruddin

Date: 09 Aug

Time: 15:40 - 17:40 PDT

X: @beingilyasahmed

Bio:

Mohammed Ilyas Ahmed is an industry professional with extensive expertise in security within the DevSecOps domain, where he diligently works to help organizations bolster their security practices. With a fervent dedication to enhancing security posture, Mohammed's insights and guidance are invaluable to those navigating the complex landscape of DevSecOps. In addition to his involvement in industry events, Mohammed is an active speaker and judge, lending his expertise to technical sessions at prestigious conferences. His commitment to advancing knowledge is evident through his research contributions at Harvard University, where he contributes to journal publications, enriching the academic discourse surrounding security practices, and as a distinguished member of the Harvard Business Review Advisory Council, underscores his commitment to advancing knowledge and fostering collaboration between academia and industry.
Mohammed Ilyas Ahmed's influence extends even further as a Member of the Global Advisory Board at Vigitrust Limited, based in Dublin, Ireland. This additional role highlights his international reach and his involvement in shaping global strategies for cybersecurity and data protection.
Mohammed's dedication to excellence is further highlighted by his numerous certifications, which serve as a testament to his proficiency and depth of knowledge in the security domain. However, beyond his professional pursuits, Mohammed is a multifaceted individual with a diverse range of interests, adding richness to his character and perspective.

Aamiruddin Syed is a Senior Product Security Engineer with over eight years of industry experience. Specializing in DevSecOps, Shift-Left Security, cloud security, and internal penetration testing, he excels in automating security within CI/CD pipelines, developing security automation, and integrating security into infrastructure as code. His work involves securing cloud platforms by implementing best infrastructure provisioning and configuration practices. His penetration testing skills enable him to conduct targeted internal assessments of critical applications and systems, proactively identifying risks. He bridges the gap between security and engineering teams, embedding security directly into products, including those in the manufacturing sector.
Aamiruddin holds dual master’s degrees in Cybersecurity from Northeastern University and Jadavpur University. As a recognized security advocate, he frequently speaks at industry conferences, chairs technical conferences such as ICCTICT, and serves as a judge for the Globee Awards for Cybersecurity. He actively contributes to open-source security tools designed to make security seamless for developers. In his free time, Aamiruddin enjoys traveling and photography.

Abstract:

In the ever-evolving landscape of containerized applications, ensuring the integrity and security of your container images is paramount. Join us for an immersive, hands-on workshop titled "Hands-On Container Image Security: Mastering Sigstore for Unbreachable Integrity," where we'll dive deep into securing your container images using the cutting-edge open-source tools Cosign and Rekor from the Sigstore project.

This workshop will provide a comprehensive, practical introduction to Sigstore tools, demonstrating how they can be seamlessly integrated into your DevOps workflows. We'll begin with a brief overview of the common security challenges associated with container images and how Sigstore addresses these issues by providing automated and tamper-proof signing and verification processes.

Participants will then engage in hands-on exercises, where they'll:
1. Learn to sign container images and verify their integrity using Cosign. We'll guide you through setting up Cosign, signing your first image, and verifying its signature, ensuring you have a solid understanding of this powerful tool.
2. Delve into using Rekor, Sigstore's transparency log, to record and verify signed image metadata. You'll experience firsthand how Rekor enhances security by providing an immutable log of all signed images, ensuring accountability and traceability.
3. Discover how to seamlessly integrate these tools into your existing DevOps pipelines, automating the signing and verification process, and ensuring that only trusted and verified images make it to production environments.

By the end of this workshop, you'll have gained hands-on experience with Sigstore tools and a deep understanding of how to implement them in your own environment. This session is tailored for DevOps engineers, security professionals, and software developers who are committed to enhancing their container security practices.

Don't miss this unique opportunity to acquire practical knowledge and skills in securing your container images. Join us and learn how to leverage Sigstore's powerful tools to ensure your container images are secure, verified, and trustworthy, safeguarding your applications from potential threats.

Software Requirements:
---
1. Operating System: Windows 10 (64-bit) or later. macOS 10.15 (Catalina) or later.
2. Memory: At least 8GB RAm with 40 GB hard disk space.
3. Request to have VirtualBox installed with Ubuntu VM , instruction can follow this: https://www.wikihow.com/Install-Ubuntu-on-VirtualBox
4. Docker, Git 2.20 or later installed on ubuntu machine.
5. GitHub Account:Active GitHub account with access to the repository containing the CI/CD pipeline.
6. Docker Hub Account:Active Docker Hub account for storing and retrieving Docker images.

Setting Up the Environment:
---
1. Install the latest Docker:Follow the installation instructions from the official Docker documentation.OR https://www.digitalocean.com/community/tutorials/how-to-install-and-use-docker-on-ubuntu-20-04
2. Install Git:Follow the installation instructions from the official Git documentation.

+

Revealing Choke Points: Practical Tactics for Boosting Cloud Security

+

Speaker: Filipi Pires

Date: 10 Aug

Time: 12:40 - 13:10 PDT

X: @FilipiPires

Bio:

I’ve been working as Security and Threat Researcher and Cybersecurity Advocate at senhasegura, Founder at Black&White Technology, Cybersecurity Advocate, Snyk Ambassador, Application Security Specialist and Hacking is NOT a crime Advocate. International Speaker at Security and New technologies events in many countries such as US, Canada, France, Spain, Germany, Poland, and others, I’ve served as University Professor in Graduation and MBA courses at Brazilian colleges, in addition, I'm Creator and Instructor of the Course - Malware Attack Types with Kill Chain Methodology (PentestMagazine), PowerShell and Windows for Red Teamers(PentestMagazine) and Malware Analysis - Fundamentals (HackerSec).

Abstract:

During this presentation, we will address the critical importance of permission management in Cloud Native integrations and how an inadequate permissions model can create significant advantages for attackers. We will demonstrate how an attacker can exploit standard permissions to achieve privilege escalation, explain what Choke Points are, and illustrate Attack Paths in practice, showing how an attacker can progress towards success in their objectives. As the ultimate goal of this talk, we will present practical actions to enhance the security of your environment in this context and mitigate these threats.

+

GCPwn: A Pentester's GCP Tool

+

Speaker: Scott Weston

Date: 10 Aug

Time: 10:00 - 10:30 PDT

X: @WebbinRoot

Bio:

Originally from southern CA, I am currently a senior security consultant for NetSPI based out of Minneapolis, MN. My assessment experience includes web applications, AWS, GCP, and external networks. I spoke about AWS organizations at fwd:cloudsec 2023 with most of the talk summarized in the 2 part blogpost here: https://www.netspi.com/blog/technical-blog/cloud-pentesting/pivoting-clouds-aws-organizations-part-1/. I got accepted to speak at fwd:cloudsec 2024 for a new tool I've been making to pentest GCP environments (mirroring Pacu-like structure). In my spare time I like to pursue bug bounties if the opportunity arises, play videogames, assume the role of dungeon master every so often, and just hang out.

Abstract:

When discussing the various cloud providers within the last decade, Google Cloud Platform (GCP) is often seen as the smaller provider following AWS and Azure with regards to market share. While GCP might appear smaller than its rival cloud providers, it still is very much in use today, and with this use comes the opportunities for developing pentesting tools. As I've been learning GCP over the last year, I have been making a framework in python (much like Pacu for AWS) specifically for GCP. This includes enumeration modules for some of the core services (Cloud Storage, Cloud Functions, Cloud Compute, IAM) along with the incorporation of numerous exploit modules, many of them rooted in Rhino Security's currently public GCP exploit repository (https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/tree/master). In addition, the framework is built such that it should be easy for a first-time GCP user or beginner to code and develop modules that focus on purely navigating individual resources and easily drop those into the framework. The overall goal is to make an up-to-date, maintained enumeration and exploit toolset for GCP pentesters/red teams/researchers alike that reduces the barrier of entry for learning GCP by allowing average users to make their own modules that easily incorporate with the overall framework.

+

Epyon – Attacking DevOps environments

+

Speaker: Victor Pasknel

Date: 09 Aug

Time: 15:10 - 15:40 PDT

X: @pasknel

Bio:

Cybersecurity professional with a proven track record of 13 years in executing red-team operations, penetration testing, war games, and vulnerability assessments. Possessing a strong academic background, including a PhD in Applied Informatics from the University of Fortaleza (Brazil) earned in 2022, coupled with over a decade of experience as a university professor specializing in information security.

Abstract:

A CI/CD pipeline is a sequence of steps designed to automate the software delivery process. DevOps environments consist of multiple systems that collaborate to facilitate CI/CD pipelines. However, DevOps systems are significant targets for attackers due to their possession of credentials and access keys for various components, including domain accounts, databases, and cloud assets.
Epyon is a versatile tool for red teamers to target common DevOps systems. It is open source and written entirely in Golang. Moreover, it features multiple modules, such as GitLab, SonarQube, and Azure DevOps.
During this demonstration, I will present examples (based on real project experiences) of how to utilize Epyon for privilege escalation and lateral movement within a DevOps environment.

+

Cloud Offensive Breach and Risk Assessment (COBRA)

+

Speaker: Harsha Koushik, Anand Tiwari

Date: 09 Aug

Time: 12:30 - 13:00 PDT

X: @0xlcheetah, @anandtiwarics

Bio:

Harsha Koushik is a security engineer and researcher, passionate about securing digital systems. Specializing in Cloud-Native Application Platform Protection (CNAPP), tackling emerging cyber threats while working at large scales. Additionally, Harsha hosts the security podcast 'Kernel-Space,' exploring insightful discussions on the latest trends and issues in cybersecurity.

Anand Tiwari is an information security professional with a strong technical background working as a Product Manager (PM), focusing on the more technical aspects of a cloud security product. He tries to fill it in by doing in-depth technical research and competitive analysis, given business issues, strategy, and a deep understanding of what the product should do and how the products actually work. He has authored ArcherySec—an open source-tool and has presented at BlackHat, DEF CON USA, and HITB conferences. He has successfully given workshops at many conferences such as DevOpsDays Istanbul, Boston.

Abstract:

Cloud Offensive Breach and Risk Assessment (COBRA) is an open-source tool designed to empower users to simulate attacks within multi-cloud environments, offering a comprehensive evaluation of security controls. By automating the testing of various threat vectors including external and insider threats, lateral movement, and data exfiltration, COBRA enables organizations to gain insights into their security posture vulnerabilities. COBRA is designed to conduct simulated attacks to assess an organization's ability to detect and respond to security threats effectively.

It facilitates Proof of Concept (POC) evaluations, assesses security controls, measures maturity levels, and generates comprehensive reports, enabling organizations to enhance their cloud security resilience through lifelike threat scenarios.

COBRA Features:
---
Seamless Integration for POC and Tool Evaluation: COBRA provides seamless integration for Proof of Concept (POC) and tool evaluation purposes. Whether you're exploring new cloud-native applications or evaluating existing solutions, COBRA offers a user-friendly interface and flexible deployment options to facilitate effortless testing and assessment.
Comprehensive Assessment of Cloud-Native Security Posture: Gain unparalleled insights into your organization's existing cloud-native security posture with COBRA. Our advanced assessment capabilities enable you to identify vulnerabilities, assess security controls, and pinpoint areas for improvement. By understanding your current security posture, you can proactively address gaps and strengthen your defenses against emerging threats.
Benchmarking Against Industry Standards and Best Practices: COBRA enables you to benchmark your cloud security controls against industry standards and best practices. With our comprehensive benchmarking framework, you can compare your security posture against established benchmarks, identify areas of strength and weakness, and prioritize remediation efforts accordingly.
Actionable Insights and Recommendations: COBRA goes beyond providing insights by providing a report delivering actionable recommendations tailored to your organization's specific needs. Whether it's optimizing security configurations, implementing additional controls, or enhancing incident response processes, COBRA equips you with the tools and guidance needed to bolster your cloud security defenses.

Continuous Threat Simulation: COBRA offers a modular and templatized approach for users to easily integrate additional modules, allowing for continuous threat simulation and adaptability, by providing a flexible framework for adding modules, COBRA ensures that users can tailor their threat simulation capabilities according to evolving security needs, making it an ideal platform for continuous threat simulation.

+

Revealing Choke Points: Practical Tactics for Boosting Cloud Security

+

Speaker: Filipi Pires

Date: 10 Aug

Time: 12:40 - 13:10 PDT

X: @FilipiPires

Bio:

Abstract:

+

GCPwn: A Pentester's GCP Tool

+

Speaker: Scott Weston

Date: 10 Aug

Time: 10:00 - 10:30 PDT

X: @WebbinRoot

Bio:

Abstract:

+

Epyon – Attacking DevOps environments

+

Speaker: Victor Pasknel

Date: 09 Aug

Time: 15:10 - 15:40 PDT

X: @pasknel

Bio:

Abstract:

+

Cloud Offensive Breach and Risk Assessment (COBRA)

+

Speaker: Harsha Koushik, Anand Tiwari

Date: 09 Aug

Time: 12:30 - 13:00 PDT

X: @0xlcheetah, @anandtiwarics

Bio:

Abstract:

CTF SPONSOR

Our Sponsors

CTF SPONSOR

CLOUD VILLAGE @DEFCON32 - 2024

About

Cloud CTF

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

+

CTF SPONSOR

Our Sponsors

CTF SPONSOR

COMMUNITY SPONSOR

COMMUNITY SPONSOR