BSides Munich 2024

Demystifying Cloud Infrastructure Attacks
2024-11-11, WestIn - Munich

Threat actor tactics in a classic on-premises environment are well documented and understood. For example, extracting credentials from memory and then using pass-the-hash is a common technique to move laterally in Windows. But how do threat actors move laterally between cloud workloads and compute instances? What are the common persistence techniques, and what are the high-value targets we need to protect?

Alexander is Principal Forensic Consultant at Truesec and will in this session share what he has learned from over 10 000 billable hours of enterprise forensics. You will learn how cloud tactics differ from on-premises and see the latest techniques used in real attacks against cloud infrastructure.


The session will be presented through storytelling. The storyline will be a realistic but fictional incident response case. All components of the case are anonymized and taken from real-world incident investigations.

Below is a list of the topics of the talk. They will not necessarily be presented in this order, as the talk will follow a storyline.

Introduction
- Essential cloud concepts
- Physical vs Virtualized vs Container vs Function
- Hybrid cloud
- DevOps and CI/CD concepts
- Orchestration, Secrets, and APIs

Cloud CLI utilities and admin workstations
- Extracting secrets with AWS CLI, gcloud, and az
- Abusing token cache and refresh tokens
- Abusing compute instance metadata and high privileges
- Extracting session cookies from web browsers

CI/CD attack vectors
- Jenkins
- Dumping secrets from build servers

Container vectors
- Lateral movement from containers
- Secrets in containers and Kubernetes
- Container breakout attacks

Persistence
- Enterprise apps and account persistence
- Container image manipulation
- Golden SAML
- Skeleton Keys

Backup destruction and ransomware
- Sharing a case explaining how a threat actor managed to delete cloud backups before deploying ransomware on cloud compute instances

Conclusions
- Security challenges and incident response in the cloud
- Summary and closing

Alexander is a Principal Forensic Consultant at Truesec, where he focuses on incident response, threat intelligence, and security research. Alexander spends most of his time providing incident response to companies that have suffered a cyber attack. He has responded to several hundred complex incidents, including nation-state-backed attacks and ransomware against global organizations. Alexander also performs offensive and forensic research, and is responsible for developing Truesec's forensic tooling.