Tomas Kabrt
Tomas is a researcher in the Emerging Threats team focusing on Cloud Threat Intelligence at CrowdStrike. He began his cybersecurity journey during his exchange studies at Aalto University. His career started as a vulnerability and exploit analyst specializing in IPS rule development, then progressed through operational security roles and incident response. Now, returning to research, he focuses exclusively on cloud intrusions and he loves it.
Session
As organizations migrate to the cloud, threat actors' exfiltration tactics and techniques evolved and targeted the architectural boundaries of cloud service models (SaaS, PaaS, IaaS). Each service model presents different exfiltration options as the responsibility shifts between cloud providers and customers, creating distinct attack surfaces that threat actors use for exfiltration.
Drawing on hundreds of real-world cases from CrowdStrike incident response and threat hunting, this talk moves past the theory to showcase exfiltration techniques that catch even seasoned defenders off guard. We'll dive into:
- SaaS Stealth: Abusing Microsoft 365 via third-party apps and silently exfiltrating DocuSign documents using sync functionality.
- The PaaS Pivot: How ETL platforms could be misused for exfiltration.
- IaaS Tactics: Infrastructure tampering and cross-cloud data transfers.
This session is designed for the defender who has the cloud basics covered but wants to know what they might be missing. Attendees will leave with a clear understanding of these evolved exfiltration paths and most importantly required telemetry and detection ideas.