Bsides Cymru 2024

Out of the Frying Pan Into the Cloud: A Red Teamer's View of Your Cloud Estate
04-27, 14:05–14:35 (Europe/London), Main Room (Ballroom) - Track 1

Azure, AWS, GCP... pick your poison. We are in the midst of a digital revolution as organisations are putting an unearthly (pardon the pun) amount of their business operations and data in the cloud. Responsibility has become a grey area, storage is being left exposed to the internet, and MFA may be the first and last line of defence. Join Max, Head of Adversarial Simulation and a Red Teamer who has become mildly obsessed with hacking the cloud, as he walks you through how his perspective and methodology have shifted when targeting cloud environments.


Initial Access:
- Is password spraying back!? Max and his red team are leveraging intelligent password spraying and common gaps in MFA to breach orgs reliant on O365. This particular attack chain was recently abused by the Russian threat group Midnight Blizzard to compromise Microsoft itself: https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/
- The renaissance of web application compromise. Metadata services and rich cloud APIs have taken the impact of SSRF and RCE on app servers and functions to new levels. Gone are the days of popping a low-privileged service account, restricted to the webroot on a web server, in the DMZ...
- Users will always be a target...but out with the old (implants) and in with the new (post-MFA session tokens)
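As an added, defensive illustration of the password-spraying point above (example code, not part of the talk or the speaker's material): a small detector run over a constructed sign-in log that flags the spray pattern, a few guesses against many accounts from one source, and any success from that source that was never challenged for MFA. The log format, field values and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real data): one source IP tries a single
# guess against many accounts, then one of those logins succeeds without MFA.
# Fields: timestamp, user, source IP, result, MFA outcome.
SIGNIN_LOG = [
    ("2024-04-27T02:00:05", "alice", "203.0.113.10", "failure", "n/a"),
    ("2024-04-27T02:00:09", "bob",   "203.0.113.10", "failure", "n/a"),
    ("2024-04-27T02:00:14", "carol", "203.0.113.10", "failure", "n/a"),
    ("2024-04-27T02:00:19", "dave",  "203.0.113.10", "failure", "n/a"),
    ("2024-04-27T02:00:23", "erin",  "203.0.113.10", "failure", "n/a"),
    ("2024-04-27T02:00:28", "frank", "203.0.113.10", "success", "not_required"),
    ("2024-04-27T02:05:00", "alice", "198.51.100.7", "failure", "n/a"),
    ("2024-04-27T02:05:30", "alice", "198.51.100.7", "success", "satisfied"),
]

def detect_password_spray(events, window=timedelta(minutes=30),
                          min_users=5, max_per_user=2):
    """Return per-IP findings. An IP is spraying when, within `window` of its
    first event, it fails against >= min_users distinct accounts with at most
    max_per_user attempts each (few guesses, many users: the inverse of a
    brute force against one account, which lockout policies already catch)."""
    findings = {}
    by_ip = defaultdict(list)
    for ts, user, ip, result, mfa in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, result, mfa))
    for ip, evs in by_ip.items():
        evs.sort()
        start = evs[0][0]
        in_window = [e for e in evs if e[0] - start <= window]
        fails = defaultdict(int)
        for _, user, result, _ in in_window:
            if result == "failure":
                fails[user] += 1
        sprayed = [u for u, n in fails.items() if n <= max_per_user]
        if len(sprayed) < min_users:
            continue
        # A success from a spraying IP that was never challenged for MFA is the
        # gap worth paging on: a valid password with nothing behind it.
        no_mfa = sorted(u for _, u, r, m in in_window
                        if r == "success" and m == "not_required")
        findings[ip] = {"sprayed_users": sorted(sprayed),
                        "success_without_mfa": no_mfa}
    return findings
```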

Lateral Movement / Privilege Escalation:
- Every cloud environment we have red teamed to date has some level of overly privileged accounts, and it's not a surprise when IT administrators are now expected to understand the granular differences between hundreds of different IAM roles
- Targeting the right identities (service principals, etc.) is often easier, and better OPSEC, than going for superusers
- Generally speaking, there are so many misconfigurations and abusable default configurations that the focus is less on 'exploitation' than on 'leveraging' what is already there.
- Persistence is now about maintaining access to valid session tokens, not repeatedly executing an implant.

Data Mining / Actions on Objectives:
- Data mining is an absolute goldmine in the cloud, and Max and his team have abused this to skip massive chunks of the traditional cyber attack kill chain and cause catastrophic business impact
- Actions on objectives largely remain the same from on-prem to cloud red teams, but the means change dramatically.

Max is a practicing Red Teamer who has quickly risen through the ranks to Head of Adversarial Simulation, just three years after getting into cyber from a non-technical, self-taught background. Formerly an English Teacher and Linguist, he has weaponised his communication skills to great effect whilst social engineering on Red Team engagements. Max now has years of experience working in fast-paced offensive security consultancies, and currently leads a highly technical team of consultants who are at the forefront of cloud Red Teaming. His zero-day vulnerabilities in Microsoft Teams and IBM Backup Products have made headline news around the world. Max is a CHECK Team Leader, and was one of the first in the UK to have received the professional entitlement (Principal Cyber Security Professional) from the UK Cyber Security Council.