08:00 (55min) Registration opens, Room 2/3 and Room 1
09:00
15min
Welcome

Introduction to fwd:cloudsec from the organizing team

It's all related
Room 2/3
09:20
40min
Cloudy With a Chance of Vulnerabilities – Finding and exploiting vulnerabilities in the cloud
Sagi Tzadik, Nir Ohfeld

Cloud service providers (CSPs) offer immense and ever-growing functionality. While this greatly benefits organizations and their business, it also generates a much broader attack-surface compared to traditional application security research.

In this session, we share the methodologies and internally developed strategy we used to successfully uncover multiple critical vulnerabilities and design issues in the core of major CSPs. Covering the whole research process, from choosing a target to exploiting a remote code execution vulnerability on a managed service, we will explain how we found issues that affected thousands of cloud customers and organizations.

We will dive into the bits and bytes of some of our major findings (ChaosDB, OMIGOD, AWS confused deputy vulnerabilities, ExtraReplica and more), explain our mindset and approach, and discuss common pitfalls to avoid when performing a security audit of a target. Attendees should expect to better understand the fundamentals behind real-world cloud security exploits and gain practical tools to enhance their own independent cloud security research.

It's complicated
Room 2/3
09:20
20min
Real-World Detection Evasion Techniques in the Cloud
Christopher Doman

Recent cloud-focused malware campaigns have shown adversary groups possess an advanced knowledge of cloud technologies and their security mechanisms, with this knowledge being used to their advantage in a range of attacks. These attacks are no longer focused solely on cloud compute environments. Adversaries are now shifting focus to target serverless environments and containers.
In this session, Chris will provide an overview of three malware campaigns (TeamTNT, Denonia, Abcbot) where novel TTPs leveraged against cloud technologies were observed. Chris will guide the audience through notable examples of anti-forensics, credential theft and system-weakening techniques used in real-world attacks on cloud infrastructure. This includes techniques such as changing file timestamps post-compromise and evasion at the network level.

It's complicated
Room 1
09:50
20min
A Tacky Graph and Listless Defenders: Looking Beneath the Attack Surface
Jasmine Henry

John Lambert is well known for his quote, "Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win." But is this always true? Based on new research leveraging data across 1,300 organizations, we discovered areas where it is appropriate to continue using lists and other areas where graphs are more helpful to defenders. This presentation will examine various types of attack surfaces and attack paths to determine the type of techniques (e.g., lists vs graphs) and controls (e.g., bounded vs unbounded) that are potentially most useful for defenders.

We will also examine how different architectural designs might affect these attack surfaces and paths and how the principles of the D.I.E. Triad (distributed, immutable, ephemeral) influence the size of the attack surfaces and the depths of the paths that are underneath that surface.

It's complicated
Room 1
10:20
20min
Cloudy with a chance of IoCs
Zack Allen

An indicators of compromise (IoC) feed can be a useful tool in a defense-in-depth approach for security practitioners. IoCs help describe attacks observed in the wild, and are supposed to be validated by machines or humans before being disseminated for consumption. Creating, transforming, ingesting and disseminating IoCs is an industry in itself, and it mostly focuses on artifacts seen on the network or host, which arguably exist solely in the data plane.

But what about IoCs for the control plane? In this talk, we’ll describe how IoCs are typically used, how there aren’t any good descriptions or resources for control-plane IoCs, and describe a methodology to shape control-plane IoCs into the MITRE ATT&CK Sightings format, ready to be consumed by cloud practitioners.

It's complicated
Room 1
10:20
20min
Defending against cloud cross-tenant vulnerabilities
Yanir Tsarimi, Tzah Pahima

Recent events have shown that cloud cross-tenant vulnerabilities are very real and dangerous. Most of the vulnerabilities disclosed show that even if you do everything right in your cloud environment, you can still be at risk because of your cloud provider’s mistakes.

In this talk, we will explore some of the recent vulnerabilities we’ve found in Azure, explain their impact, and show how you could still defend against them in case of exposure. While this talk focuses on Azure, the methods apply to all cloud providers alike.

It's Broken
Room 2/3
10:45 (15min) Morning break, Room 2/3 and Room 1
11:00
20min
Everything you never wanted to know about flow logs
Daniel Wyleczuk-Stern

In the world of security, network logs are fundamental to security operations and response. So what could possibly be new to learn? Like most simple things, the cloud’s gone and *#?!ed it all up. In this talk, I’ll be sharing my experience unraveling the unexpected and sometimes bizarre behavior of flow logs in the 3 major cloud service providers (AWS, Azure, and GCP). We’ll summarize how the simple has become complicated and uncover some of the gotchas (some documented and some not) when using these logs. I’ll walk through examples of how to actually derive use from these flow logs, drawing on an organization that collects and analyzes billions of records and hundreds of terabytes of flow logs per day.

It's all related
Room 2/3
11:00
20min
Stop Guessing and Start Proving: Demystifying AWS Zelkova
Kaushik Devireddy

As cloud environments continue to explode in complexity, formal methods have started to gain attention for their potential to secure clouds at scale. AWS undoubtedly pioneered this space by developing Tiros + Zelkova and pushing their capabilities across the shared-responsibility boundary in the form of point solutions (e.g. Access Analyzer). We’ll start by briefly discussing how your organization can find easy wins on existing infrastructure with these point solutions. However, the killer use case for formal methods is applying them pre-deployment, ensuring the cloud is “correct by construction”. While Zelkova can be leveraged to do exactly this for IAM, it is not directly available to some customers. To address this, we implemented a simplified IAM policy parser which determines relative permissiveness using an SMT solver, based on the original Zelkova paper.

We’ll take you through this process to explore what makes IAM policies difficult to evaluate, how Zelkova works, and discover Zelkova’s quirks (are there instances where Zelkova can’t compute permissiveness before timeout?). More importantly, we’ll go through policy reasoning examples to argue that Zelkova’s use of automated reasoning and formal guarantees are likely unnecessary for the problem space. To conclude the talk, we’ll discuss what makes a good specification for Zelkova to verify. After all, your verification is only as strong as your specification. In doing this, we’ll demonstrate why Zelkova’s relative permissiveness API makes writing broad specifications difficult.

Ultimately, the audience will be encouraged to adopt formal method tooling such as Zelkova for their cloud environment, while remaining prudent about the value formal methods provide for their organization.

It's complicated
Room 1
11:30
20min
Dismantling the Beast: Formally Proving Access at Scale in AWS
Nick Jones, Mohit Gupta

Identity and access management is proving to be one of the primary challenges in the cloud, at least partly due to the complexity of the systems involved. Nowhere is this more apparent than AWS, which currently tracks over 13,000 unique granular permissions and at least 7 methods to approve or deny a particular action. Maintaining an accurate picture of who can really do what is challenging at best when combined with role assumption and the scale of some cloud estates, reaching hundreds or thousands of AWS accounts.

This talk demonstrates IAMSpy, a new policy analysis engine designed to operate offline against large AWS organizations, and built on the same underlying technology powering AWS IAM Access Analyser. IAMSpy uses an SMT solver to formally prove whether an action by a given IAM entity is possible against a particular resource. SMT solvers resolve whether a given mathematical formula (in our case, the set of conditions that make up an account’s IAM configuration) is true for any set of input variables. This can then be used to resolve actions across entire organizations. The speakers will talk through several existing use cases and how to leverage it in your own projects, and discuss future directions for the tooling and technology.

It's complicated
Room 1
11:30
20min
Evading AWS GuardDuty and Network Firewall using Privacy Enhancing tech
Dhruv Ahuja

AWS offers many threat-detection and containment services, some of which we have come to rely on for a sense of security. In this presentation, we will look at GuardDuty's network-related findings, Route 53 Resolver DNS Firewall and Network Firewall, and demonstrate evading them using commonly available tools.

The evasion techniques are an application of privacy-enhancing technologies meant for individuals behind Great Firewalls; in a role swap, they have recently been seen used by malware (such as Denonia, discovered by Cado Security) to circumvent sensors built into AWS.

All hope is not lost: we look at the Achilles heel, encrypted DNS masquerading as HTTPS traffic, and identify the infrastructure that enables it. Could GuardDuty be supplemented with this knowledge and alert on some of this?

In the case of Network Firewall, we look at the interplay between DNS and TLS to baffle it, and discuss how AWS' advice on mitigating that is neither robust nor practical.

Finally, with the upcoming TLS extension to encrypt the handshake a little more (ESNI/ECH), we look at VPC Flow Logs and Network Firewall again to discover their packet-parsing limits and therefore guide ourselves in hiding our tracks on them.

It's Broken
Room 2/3
12:00 (60min) Lunch (provided), Room 2/3 and Room 1
13:00
40min
Security tools don’t fix security issues; people do: How to make compliance data relatable and actionable
Jay Thoden van Velzen, Andrea Edwards

SAP operates a multi-cloud landscape across AWS, Azure, GCP, Alibaba, AWS China and Azure China of over 10,000 cloud accounts, with a wide variety of internal and customer-facing workloads. These workloads are operated by hundreds of teams in business units across eight board areas, each with their own organizations, different levels of operational support or cloud-native sophistication, and multiple layers of organizational hierarchy – all of which can be hard to navigate, are rarely clear-cut and change quickly. Ensuring that security compliance scans not only get conducted across a landscape this large and varied, but are also enriched with metadata collected through strict cloud asset management processes and shared through multiple layers of the organizational hierarchy, is a complex task. Along the way we ran into scalability challenges, had to make sense of a large data set, and had to figure out how to meet stakeholders where they are, with multiple data formats targeting different personas and roles. This came paired with organizational support structures, weekly board area delegate briefings, weekly Office Hours and executive reporting that brought accountability through the organization and drove remediation and enforcement efforts. We’d like to share our experience and successes in driving visibility and accountability up and down the organization to drive continuous improvements in SAP’s security compliance posture in this complex landscape.

It's all related
Room 1
13:00
40min
The True Power of AWS Tags
Yoav Yanilov, Itamar Bareket

While AWS IAM is packed with ABAC features, enforcing who-can-tag-what at scale can be frustrating. We’ll introduce the concept of “Control Tags”, a tag-based control plane for tagging operations, and its applications at Similarweb, most notably enforcing the two-person rule for sensitive actions, resources and 3rd-party systems like EKS and HashiCorp Vault.

It's complicated
Room 2/3
14:00
20min
Achieving AWS IAM zen in a Google Cloud world
Caleb Tennis

While AWS IAM can be a tricky beast, those of us in the cloud security practitioner world follow the best practice of reducing attack surface by eliminating IAM user static credentials and relying on assume-role style access for our integrations with AWS APIs.

In Google Cloud, things aren't so great. Almost every reference document, 3rd-party integration and API library you will run across gives the same advice: create a GCP service account, download a static key file for that account, and pass it around as needed. This is a huge step back on the security front, and very little discussion exists on how to improve the situation. Furthermore, if your organization uses Google Workspace, even if you aren't running any workloads in Google Cloud, it's very likely you have service accounts and static credentials floating around with access to key resources in your org, and don't know it.

Fortunately, there are solutions.

In this talk, we'll review the state of affairs as to how IAM auth in Google Cloud compares to that of AWS, and how Google Cloud and Google Workspace credentials overlap. We'll especially look at improvements to the process using Google's Workload Identity Federation, with emphasis on how to eliminate static credentials. We'll see that some Google tooling doesn't even work with their own solutions for authentication, and how you can work around it. And finally we'll look at how you can even leverage AWS IAM as an identity provider for Google Cloud.

It's complicated
Room 2/3
14:00
20min
Human vs. Robot: Why you should automate your vulnerability management program
Keziah Plattner, Kadia Mashal

Vulnerability management can be a tedious and time-consuming job of sifting through a never-ending stream of new, old or undefined CVEs. It can be challenging to prioritize severity-based SLAs when default assessments are inaccurate: they don’t factor in the criticality of the affected asset, or understand custom infrastructure and existing mitigations and/or gaps. Ultimately, having low confidence in scanning results and reported vulnerabilities leads to alert fatigue and diminishes trust in the security team.

In our talk, we will lay out our team’s approach towards automating vulnerability management for our entirely cloud-based infrastructure and why standard industry approaches were lacking. We will discuss our work of centralizing all vulnerabilities and automating detection, risk assessment, vulnerability reporting, and vulnerability fix verification in a scalable manner. We want to share how we developed internal tooling that allows us to be vendor agnostic, not rely on default risk severities, and reduce operational work as much as possible.

It's complicated
Room 1
14:30 (30min) Afternoon break, Room 2/3 and Room 1
15:00
20min
Abusing the Replicator; Silently Exfiltrating Data with the AWS S3 Replication Service
Kat Traxler

A comprehensive backup strategy is a cornerstone of any DR plan.
But how would you distinguish between legitimate backup activity and malicious data exfiltration?

Cyber attackers are increasingly gaining access to backup services, even those in the cloud, and leveraging them to exfiltrate data from across an organization’s production environment. In this talk, we will look closely at how an attacker can abuse S3 Replication to efficiently migrate your data out of your environment.

The AWS S3 Service is no longer the 'Simple Storage Service' it was made out to be. With dozens of features and integrations, it has become the data store of choice for enterprise AWS customers. It’s also so complicated that it is difficult to understand and thus secure all its capabilities.

One of S3's numerous features is the capability to create and manage backups, across regions and accounts. Cross-account replication can assist organizations in recovery from a data-loss event. In the wrong hands, the replication service allows threat actors to siphon off data to untrusted locations.

In this talk, we’ll demonstrate the techniques an adversary can employ to abuse the S3 Replication Service to exfiltrate data. I’ll also highlight how the authorized movement of data via the S3 Replication Service is less than transparent, making it especially difficult to hunt for data exfiltration and enabling an attacker to hide their activity in plain sight within your cloud environment.

It's Broken
Room 1
15:00
20min
Unlocking Cloud Build Security with OIDC
Zach Steindler

Isolated, ephemeral builders are table stakes for a secure build system, which is why people are turning to cloud CI/CD solutions like Tekton, GCP Cloud Build, or GitHub Actions. Moving your build to the cloud isn't all roses though, as existing build processes often rely on access to infrastructure on prem or in another cloud provider. In the past year, cloud CI/CD systems have added OIDC as a way to provide that access. This is quite different than an end-user OAuth2 flow, so we'll go over what it looks like, common security pitfalls, and how to avoid them. We'll then take it a step further, and show how the open source sigstore project can use OIDC to attest to the build process, and even sign your builds without managing a private key.

It's all related
Room 2/3
15:30
20min
Leveraging Azure Resource Graph for Good and for Evil
Darwin Salazar

Azure Resource Graph (ARG) is a little-known service that you interact with daily if you work with Azure. It powers the Azure Portal search bar, giving it God-level visibility across your assets. ARG Explorer is a sub-service that empowers you to carry out in-depth resource exploration across subscriptions with limited permissions. This makes it a double-edged sword and an extremely powerful tool for attackers in the Discovery phase. Resource Graph Explorer is faster, more efficient and less noisy than Azure CLI, PowerShell and various Azure pen testing tools. In this session, you'll learn how to leverage Azure Resource Graph Explorer to enhance your organization's attack surface visibility, operations and security posture, as well as how to quickly identify vulnerable and critical assets, AKA attractive targets. You will also learn a bit of Kusto Query Language (KQL) Kung Fu!

It's complicated
Room 1
15:30
20min
Using AI to harden cloud security by mitigating IAM configuration errors
Mikhail Kazdagli

Modern software systems rely on mining insights from business-sensitive data stored in public clouds. A data breach usually incurs significant (monetary and reputational) loss for a company. Conceptually, cloud security heavily relies on Identity and Access Management (IAM) policies that IT admins need to properly configure and periodically update. Security negligence and human errors often lead to misconfigured IAM policies which may open backdoors for attackers. In this presentation, we present a framework for addressing these challenges. First, we demonstrate a novel visualization tool to uncover issues among IAM policies used by real-world commercial organizations. Second, we develop a novel framework to generate optimal IAM policies using constraint programming (CP). We use the least privilege principle as the optimality criterion, which intuitively means minimizing unnecessary permissions. Third, to make IAM policies interpretable, we use graph representation learning over users' historical access patterns to encode similarity constraints: similar users should be grouped together within permission groups/roles. Finally, we describe multiple attack models and show, using real data from multiple commercial organizations and synthetic instances, that our optimized IAM policies significantly reduce the impact of security attacks.

It's all related
Room 2/3
16:00
20min
Auditing PassRole: Finding the Hidden Trails of a Problematic Privilege Escalation Permission
Noam Dahan

The iam:PassRole permission is one of the most common open privilege escalation vectors in AWS accounts today. The basic idea of iam:PassRole is simple: whenever a principal (which can be a user or a role, a human, code or a service) uses a service that needs to perform other actions, the AWS architecture often has that service assume an AWS role to perform the actions. When that happens, the service performing the actions is “passed” a role by the calling principal and implicitly (without performing sts:AssumeRole) assumes that role to perform the actions. The privileges associated with the role are different from — and can be greater than — those of the principal calling the action.

Consider launching an EC2 instance with a certain IAM Instance profile. The instance profile is resolved to an IAM role whose permissions determine what the instance can and can’t do. Whenever behavior like this happens, AWS checks, behind the scenes, if the calling principal has the permission iam:PassRole to pass the role to the service.

PassRole is both a facilitator of critical privilege escalation and a permission that is remarkably difficult to monitor, control and write policies for.

In this talk, we’ll walk through the work we did to automatically map hundreds of potential actions requiring iam:PassRole and the manual and automatic methods we used to sift through these to isolate the actions which truly require the permission. We’ll discuss tips and tricks picked up along the way and how to use these to provision, control and limit iam:PassRole in AWS environments.

It's complicated
Room 2/3
16:00
20min
Secret Agents: Demystifying (and Pwning) Cloud Middleware
Nir Ohfeld, Rotem Lipowitch

In this session, we will unveil new research on the unseen risk of "cloud middleware" - the proprietary software that bridges customers' virtual machines and cloud service providers' integrations. We found that this software is commonly installed on customers' virtual machines without the customer’s awareness or explicit consent and can often introduce new potential attack surfaces to cloud environments.

When Microsoft patched vulnerabilities found in the secretly installed agent Open Management Infrastructure (OMI), it was initially the customers' responsibility to update all the vulnerable agents running across their environments - agents they were not aware existed! Even today, the maintenance of implicitly-installed cloud agents does not perfectly fit the shared responsibility model. Are cloud service providers responsible for keeping the agents they are installing up-to-date as most customers expect? In our session, we will present unique statistics regarding how long cloud middleware agents remain vulnerable after exploits are made public, and discuss details about the patching process.

It's Broken
Room 1
16:45
45min
"Shifting right" with policy as code
Gabe Schuyler

So you've "shifted left," adding security to the software development lifecycle. Developers are checking for vulnerabilities in their work as they create, merge, test, and deploy. But you're missing half the equation if you're not "shifting right," so to speak, to leverage developers' knowledge in the security practice as well.

"Policy as code" lets developers codify the expected inputs, outputs, and behavior of applications. And once codified, defenses can be kept always up-to-date, without slowing you down.

In this talk, you'll learn the basics of policy as code, see some real-world examples, and learn how to get started applying the technology and techniques in your own environment.

BoF session
Room 1
16:45
45min
We built a community cloud vulnerability database, now what?
Alon Schindel, Amitai Cohen

The shared responsibility model is broken! In the pre-cloud era, the responsibility for security was fully in the hands of the users. Multiple recent cloud vulnerabilities such as ChaosDB and ExtraReplica revealed that the current cloud model isn’t sufficient.

Companies are unable to keep up with cloud complexity, while vendors and cloud providers do not provide clear identification, tracking or severity ratings for vulnerabilities discovered in their platforms. Moreover, there is an inherent lack of transparency, as cloud providers do not share full details of the exposure, impact and mitigation steps of vulnerabilities discovered in their platforms.

In the past year we initiated a community effort that started with characterizing the gaps in the current model and continued with building a new community-based cloud vulnerability database. We will share our insights from this process along with the learnings of the Wiz Research team from the disclosure process of multiple unprecedented vulnerabilities in Azure, AWS and GCP.

We will review the weaknesses of the cloud that the new central database unveils, and present novel findings about the security impact that results from the lack of a cloud vulnerability model. We will make the case for extending the current CVE model to be more cloud friendly, as the current model is broken, and call on everyone to join the movement for change.

BoF session
Room 2/3
17:30
45min
The evolution of cloud security in a consolidating market - expanding quadrants
Jeremy Snyder

Cloud security has seen a flood of acquisitions in the last 4 years. What does this mean? Are we really moving from "best in breed" to "best in suite"? While working in strategy and corporate development in this field, I developed a 4-quadrant view on cloud security that may be useful.

BoF session
Room 2/3