2025-04-12 –, Track 1
Advanced and evolving cloud attacks (Blizzard) make breach seem inevitable. We describe a deception detection approach using canaries, with a bit of honey and razors, to implement stealthy tripwires that provide low-false-positive detections for post-breach lateral movement and privilege escalation.
To move the security needle, we need to stop banging our heads against the wall expecting different outcomes. We need to look at blue-team techniques from the ground up and borrow red-team approaches such as stealth, grounded in the actual design of the target environment: restricted admin roles that no valid user ever uses; honey resources (buckets, files) with detections that flag any access; cached honey credentials across EC2 instances and Cloud Shells; and detection of enumeration of IAM permissions and resources. When properly applied to defenses, these significantly improve signal fidelity for detecting post-breach activity.
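One way to turn the tripwires listed above into detection logic, as an added example that is not from the talk or the speaker's tooling: it runs over constructed CloudTrail-style events and flags use of a cached honey access key, reads from a honey bucket, assumption of an admin role no valid user uses, and bursts of IAM enumeration. Key IDs, bucket and role names, the enumeration window and threshold are all assumed placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory of deployed canaries; a real deployment would load this
# from a secrets store. Key IDs, bucket and role names are placeholders.
CANARY_ACCESS_KEYS = {"AKIAEXAMPLECANARY01": "honey creds cached on ec2 build-host"}
HONEY_BUCKETS = {"acme-finance-archive-2019"}
HONEY_ROLES = {"arn:aws:iam::123456789012:role/BreakGlassAdmin"}
ENUM_WINDOW, ENUM_THRESHOLD = timedelta(minutes=5), 5  # tunable assumptions

def _ts(ev):
    return datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))

def detect(events):
    """Return (kind, principal, detail, source_ip) tuples. Canary hits are high
    fidelity because no legitimate workflow ever touches these resources."""
    alerts, enum_hits = [], defaultdict(list)
    for ev in sorted(events, key=_ts):
        ident, params = ev.get("userIdentity", {}), ev.get("requestParameters", {})
        key, arn = ident.get("accessKeyId", ""), ident.get("arn", "")
        name, src, ip = ev["eventName"], ev["eventSource"], ev["sourceIPAddress"]
        if key in CANARY_ACCESS_KEYS:
            alerts.append(("canary_key_used", key, CANARY_ACCESS_KEYS[key], ip))
        if src == "s3.amazonaws.com" and params.get("bucketName") in HONEY_BUCKETS:
            alerts.append(("honey_bucket_access", arn, name, ip))
        if name == "AssumeRole" and params.get("roleArn") in HONEY_ROLES:
            alerts.append(("honey_role_assumed", arn, params["roleArn"], ip))
        # IAM enumeration: burst of read-only List*/Get* calls from one principal
        if src == "iam.amazonaws.com" and name.startswith(("List", "Get")):
            t = _ts(ev)
            enum_hits[arn] = [x for x in enum_hits[arn] if t - x <= ENUM_WINDOW] + [t]
            if len(enum_hits[arn]) == ENUM_THRESHOLD:
                alerts.append(("iam_enumeration", arn, f"{ENUM_THRESHOLD} calls", ip))
    return alerts

def _ev(t, name, src, ident, ip, params=None):
    return {"eventTime": t, "eventName": name, "eventSource": src,
            "userIdentity": ident, "sourceIPAddress": ip, "requestParameters": params or {}}

# Constructed sample: one legitimate admin call, then activity with the canary key.
ADMIN = {"arn": "arn:aws:iam::123456789012:user/alice", "accessKeyId": "AKIAEXAMPLEALICE001"}
STOLEN = {"arn": "arn:aws:iam::123456789012:user/svc-backup", "accessKeyId": "AKIAEXAMPLECANARY01"}
SAMPLE_EVENTS = [
    _ev("2025-04-12T09:00:00Z", "ListBuckets", "s3.amazonaws.com", ADMIN, "10.0.0.5"),
    _ev("2025-04-12T09:01:00Z", "GetCallerIdentity", "sts.amazonaws.com", STOLEN, "203.0.113.9"),
    _ev("2025-04-12T09:08:00Z", "GetObject", "s3.amazonaws.com", STOLEN, "203.0.113.9",
        {"bucketName": "acme-finance-archive-2019", "key": "payroll.xlsx"}),
] + [_ev(f"2025-04-12T09:0{i}:10Z", n, "iam.amazonaws.com", STOLEN, "203.0.113.9")
     for i, n in enumerate(["ListUsers", "ListRoles", "ListPolicies", "GetAccountSummary", "ListGroups"], 2)]
```

Every event carrying the canary key raises its own alert, so the sample yields seven canary-key hits plus one honey-bucket and one enumeration alert, while the admin's own call produces nothing.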
Jenko Hwong leads threat research and product at Widefield Security. He was formerly a Principal Threat Researcher at Netskope, speaks regularly at RSA and DEFCON, and helps with the Cloud Village CTF. He brings customer and product experiences from over 25 years in research, product management, and engineering at companies such as Cisco and TIBCO, as well as security startups in markets such as vulnerability scanning, anti-virus/anti-spam appliances, penetration-testing, threat intelligence, an