fwd:cloudsec 2023

08:00
600min
Hallwaycon & Sponsor Booths
Salon A
09:00
15min
Welcome
Aaron Zollman

Kicking off the conference, our organizers will present a short overview of how the conference works, who to thank for it, and what to expect over the next two days.

Odds & Ends
Salon B
09:20
20min
Beyond the AWS Security Maturity Roadmap
Rami McCarthy

Scott Piper’s AWS Security Maturity Roadmap is the definitive resource for cloud-native companies to build a security program and posture in AWS. It does an amazing job of providing broadly applicable guidance along the maturity curve. However, for many fwd:cloudsec attendees, the roadmap ends too soon.

In my experience there is a set of technical capabilities and controls that companies should consider once they’ve “shipped the roadmap.” In this talk, I’ll take you on a rapid fire tour beyond Scott's paved road, focusing on the problems you’ll encounter scaling a cloud security program. A key framework will be “build versus buy,” and the talk will be opinionated about where cloud security teams can fall into the trap of undifferentiated work.

The goal is to walk away with a clear view of the possibilities at the leading edge of cloud security, risk-informed guidance on priorities, and a crucial new reference for writing cloud security roadmaps.

Infrastructure & superstructure
Salon B
09:20
20min
The Good, the Bad, and the Vulnerable: A comprehensive overview of vulnerabilities in cloud environments
Merav Bar, Amitai Cohen

As our world continues to shift from on-premises environments to cloud environments, the impact and nature of vulnerabilities also change.

In this session, we will examine the top vulnerabilities of 2022 and see how they affected the cloud – when might an otherwise critical vulnerability pose minimal risk to cloud environments? What does a critical cloud vulnerability even look like? Through the analysis of cloud, application and OS vulnerabilities, attendees will gain a deeper understanding of the factors that make vulnerabilities more or less significant in cloud environments.

Inside & Outside
Salon C
09:50
20min
IMDS: The Gatekeeper to Your Cloud Castles (And How to Keep the Dragons Out)
Lior Zatlavi, Liv Matan

Most of us know IMDS as a tool for seamlessly maintaining and supplying credentials for applications running on instances to access resources in cloud environments. However, a deep understanding of IMDS implementations across cloud providers is what separates the security novices from the advanced practitioners - and can be crucial for the security of your cloud environment.

During this talk we’ll take a deep dive into the protections offered by different cloud service providers for the IMDS used by computing instances, and how they have evolved over time. We’ll demonstrate how these mechanisms could mean the difference between a critical and non-critical vulnerability, through the story of a real-life vulnerability we found in a leading cloud provider. We’ll talk about the customer’s part of the shared responsibility model in this context - and how that must evolve as well.

We’ll demonstrate how vulnerable software may be leveraged by an attacker to gain access to credentials and talk about the kind of compensating controls which may be used to mitigate this risk.

Inside & Outside
Salon C
09:50
20min
Success Criteria for your CSPM
David White

CSPM vendors are a dime a dozen, and all of them claim they can do all the things. Buy this product, write the check, send the money and you're all done, right? Wrong!

Every environment is different and it is important to make the right choice when choosing a CSPM provider. But what goes into making that choice? Are you making the right choice and investment and do you feel good about it?

In this talk, I will discuss our CSPM evaluation matrix, things we found as we were comparing vendors, and give tips from the trenches on what to look for in your own tooling. By the end of this talk, you will be asking if your tooling/vendored CSPM solution is meeting all of your needs.

Control & data
Salon B
10:10
30min
Morning Break
Salon B
10:10
30min
Morning Break
Salon C
10:40
20min
The Unholy Marriage of AWS IAM Roles and Instance Profiles
Andre Rall

Cloud infrastructure teams often focus on traditional security measures like CSPM, DLP, and network protection. However, there are hidden aspects of cloud infrastructure that warrant attention to ensure a robust and secure environment. In this talk, we take a deep dive into the lesser-known quirks of AWS Identity and Access Management (IAM) roles and instance profiles, revealing unexpected behaviors that could impact security and resource management.

Our exploration uncovers surprising findings when modifying IAM roles and instance profiles, such as the persistence of role credentials even after removing a role from an instance profile, the discrepancies in credential refresh timings, and the survival of instance profiles after role deletion. We also discuss the implications of these behaviors on security and resource management in AWS ecosystems, highlighting the importance of understanding and managing IAM roles and instance profiles correctly.

Join us as we unravel the mysteries of AWS IAM roles and instance profiles, equipping you with the knowledge to guard your cloud environment against hidden threats and ensure a secure, efficient infrastructure.

Control & data
Salon B
10:40
20min
Vulnerabilities and Misconfigurations in GitHub Actions
Rojan Rijal

GitHub Actions has helped companies automate their CI/CD pipeline with ease by directly integrating with their code sources. This ease however can come with pain when various vulnerabilities arise due to misconfigurations, code vulnerabilities and supply-chain attack vectors.

This talk will cover three different vulnerability types in GitHub Actions. We’ll go over basic code execution examples due to unsanitized user inputs, and two unique vulnerabilities seen by us. The first vulnerability will cover a supply chain attack by exploiting vulnerable third-party actions used by companies and government agencies. The second exploit will cover misconfigurations in the OIDC trust relationships between GitHub Actions and Amazon Web Services that affected large organizations.

The talk will wrap up with some mitigation measures on how these vulnerabilities can be detected and patched. In addition, we will cover some detection examples of how potential abuse/exploitations of the vulnerabilities can be properly triaged.

Infrastructure & superstructure
Salon C
11:10
40min
Evading Logging in the Cloud: Disrupting and Bypassing AWS CloudTrail
Nick Frichette

AWS customers rely on CloudTrail for continuous monitoring and detection of security incidents within their cloud environments. However, what if an adversary were able to circumvent this crucial security layer, enabling them to perform stealthy reconnaissance and even altering the environment without leaving a trace?

In this talk I will discuss techniques seen in the wild to disable CloudTrail logging and how security teams can respond to this. In addition, I will cover multiple vulnerabilities that allowed me to bypass CloudTrail logging. I will go in depth as to how these vulnerabilities worked, and discuss how this research could potentially be applied to future bypasses. Security practitioners will come away with an understanding of both common and cutting edge log evasion techniques in AWS.

Inside & Outside
Salon B
11:10
40min
Google Cloud Threat Detection: A Study in Google Cloud
Day Johnson

If you have ever read the Sherlock Holmes story ‘A Study in Scarlet’, there is a quote: “If you have all the details of a thousand misdeeds at your finger ends, it is odd if you can’t unravel the thousand and first.” What this tells us is that by studying known threat activity, we can guide our efforts in the development of threat detection content.

In this talk, we’ll delve into several real-world Google Cloud Platform (GCP) attacks and highlight how to use the available telemetry to identify and detect these attacks. In particular, we'll dive into tactics used by threat actors such as lateral movement, privilege escalation, data exfiltration and the types of event logging to aid the detection process. At the end of the talk, attendees will better understand how to build targeted detections and enhance their overall security posture.

Inside & Outside
Salon C
11:50
70min
Lunch
Salon B
11:50
70min
Lunch
Salon C
13:00
20min
A Year of NO: building organizational IAM guardrail policies that work
Noam Dahan

Organizational policies are a key part of every organization’s cloud IAM strategy. They supplement least-privilege best practices by establishing guardrails that protect the organization from unknown threats, and limit the extent of damage that can potentially be caused by compromised identities, workloads or credentials.
In this talk, we will explore how to build, test, and deploy effective organizational policies.
We will do so by being mindful of the real threats and TTPs we’re trying to protect ourselves from, along with the crown jewels we need to protect, the vulnerable points in our environment, and the data perimeter.
We will also dive into the implementation of organizational IAM policies in each cloud provider, their different behaviors in edge cases, and how we should adjust our strategy to accommodate these differences.
Lastly, we will discuss strategies for building, testing, and deploying organizational policies, and recommend a process for creating and evaluating them (including how to build detection mechanisms in case of violations).

Inside & Outside
Salon C
13:00
20min
The Ins and Outs of Building an AWS Data Perimeter
John Burgess

Drawing a boundary between what’s yours and what’s not - that should be easy, right? Wrong!

In this presentation, we’ll walk through how to build an AWS Data Perimeter in an existing and complex cloud environment. How to define that boundary and audit access through it, the various guardrails at our disposal, and the bizarre exceptions you’re going to run into.

Inside & Outside
Salon B
13:30
20min
From ‘huh?’ to privilege escalation: finding vulnerabilities from a bug in the AWS console
Ben Bridts

Security research is not something that's only done by dedicated teams and companies. Sometimes it will be a developer or platform engineer that makes the jump from "that's not how I expect it to work" to "that's not how it's supposed to work".

In this talk we'll walk through the process we took when we found strange behaviour in the AWS console, tried to debug what's going wrong and ended up finding an API that didn't check iam:PassRole correctly.
We’ll see that in a lot of cases the needs of a person who’s debugging and a security researcher will overlap and that features like CloudTrail and documented APIs are useful resources for everyone.

Inside & Outside
Salon C
13:30
20min
How do you set boundaries? i.e. AWS Permissions boundaries in large cloud environments
Kushagra Sharma

You often hear about “security” creating friction during cloud adoption, especially in large regulated organizations, where setting boundaries poses a challenge amongst myriad requirements from risk and compliance teams, and it doesn’t get easier as you demystify the AWS IAM universe.

But there’s always a eureka moment, and for us it was AWS Permissions boundaries. In this talk, we’ll show how central security teams can empower development teams to focus on faster cloud adoption and delivering value to the business, while security teams incorporate boundaries into their security baseline and move towards a self-service IAM model.

There are always security exceptions, and making a "one size fits all" boundary sounds impossible, right? So we will show how, at Booking.com, we built "flavored" permissions boundaries on the fly to tackle edge cases and AWS account-level exceptions, making every account boundary unique yet secure, while highlighting how we overcame some of the challenges faced along the way.

Inside & Outside
Salon B
14:00
40min
Patterns in S3 Data Access: Protecting and enhancing access to data banks, lakes, and bases
Josh Snyder

Large scale heterogeneous data sets cannot always be locked down using readily available tools, like AWS IAM. With some understanding of how access is provisioned and requests are signed, however, we can build a dynamic control plane that provides access to data in a flexible and highly auditable manner that is compatible with least privilege. This talk will cover techniques for providing just-in-time access to data in any cloud datastore, with primary focus on Amazon's S3 and Google's GCS object stores.

Control & data
Salon B
14:00
40min
gVisor: The Future of Container Security
Andy Nguyen

gVisor is an application kernel, written in Go, that implements a substantial portion of the Linux system call interface. It provides an additional layer of isolation between running applications and the host operating system.

In this talk, we will dive into the architecture and some of the platforms of gVisor, and what security boundaries it provides for untrusted workloads. Next, we will explain its threat model and Google’s approach to continuously securing it. Finally, we will do a case study on some vulnerabilities that we have uncovered and analyze their exploitability.

Infrastructure & superstructure
Salon C
14:40
40min
Afternoon Break
Salon B
14:40
40min
Afternoon Break
Salon C
15:20
20min
AWS Presigned URLs: The Good, The Bad, and The Ugly
Jarom Brown

AWS presigned URLs are a powerful mechanism for granting temporary access to resources in AWS services. However, they can also be exploited by attackers to gain unauthorized access, perform data exfiltration, and execute other malicious or unwanted actions. In this talk, I will explore the different attack scenarios that can leverage presigned URLs and methods to detect and prevent such attacks.

Control & data
Salon B
15:20
20min
Passing The Security Burden – How To See The Unforeseen
Matthew Keogh

What really happens when you start using a new service within your cloud estate? This talk will look at how services can introduce risks into a cloud estate when part of their functionality is dependent on existing services, whether this be in your own account/tenant or a provider-controlled one. Specifically, we will break down the AWS Elastic Disaster Recovery service and demonstrate how a service that, on the outside, appears to safeguard resources by ensuring they are backed up can be used for malicious purposes due to its dependency on the EC2 service. By the end of the talk, you will have identified how to spot the less common security concerns that can arise when using a new service and have a clear process to follow when reviewing new services in the future.

Control & data
Salon C
15:50
20min
It's Just a Name, Right?
Nathan Eades

Permiso's p0 labs is privileged to have access to diverse data sets that enable the identification of interesting forms of attack, obfuscation, and anomalies. While cloud service providers like AWS allow for broad naming inputs to identities and resources, this approach can lead to some unforeseen consequences. In this talk, we will explore different scenarios we’ve discovered through our research that highlight how the loose nature of AWS’s naming conventions allows for inputs that can negatively affect detection capabilities and potentially obscure an attack.

Throughout the presentation, I will provide a breakdown of the potential consequences of these scenarios, including their impact on detection and the possible motivations behind them. Additionally, I will discuss a case in which an instance of broad input generated false positive detections in an environment years later. By analyzing these scenarios, we hope to provide insights into the importance of keeping your eyes open when reviewing logs, spark some ideas of your own, and maybe help you down the path to find similar instances in your own environments.

Inside & Outside
Salon B
15:50
20min
Scanning the internet for external cloud exposures
Nir Ohfeld, Hillai Ben-Sasson

Remote hacking of traditional web applications is a widely-discussed topic with many tools and resources. However, penetration testing of publicly exposed cloud resources remains uncharted territory. Many devastating configuration mistakes can go unnoticed simply because of a lack of proper scanning tools. In this talk, we will demonstrate practical approaches to scanning and exploiting exposed cloud resources by showcasing newly developed methodologies for discovering these issues from external sources.

This session will cover several cloud services that may be erroneously configured as publicly accessible, including AWS and Azure's queues, notification channels, managed identity providers, and different managed storage. We will examine how each of these services can inadvertently be made available to the public, how to scan for them externally, and potential exploitation methods.

Furthermore, we will provide statistics on the prevalence of exposed services found on the internet and our assessment of the issue's scale.

Join us to learn how to scan and map any organization's external cloud exposure, finding misconfigurations and vulnerabilities at scale.

Control & data
Salon C
16:20
40min
I Trusted You: A Demonstrated Abuse of Cloud Kerberos Trust
Daniel Heinsen, Elad Shamir

Microsoft has introduced a variety of protocols to abate the issue of authenticating to Azure AD and AD seamlessly. In the Windows Hello For Business setup, Cloud Kerberos Trust has been introduced to enable users to authenticate to Azure AD and still be able to access resources protected by legacy authentication mechanisms, like Kerberos. While this deployment model offers greater convenience, the ability to forge authentication material is delegated to Azure AD. This ability can be abused by attackers to breach the Cloud/On-Premises security boundary in a variety of ways.
In this talk, we will discuss the implications of entrusting an external entity with such a sensitive capability and the existential issue of synchronizing data between two equally important sources of truth. We will demonstrate how an attacker can abuse Cloud Kerberos Trust to authenticate as non-synced on-premises users, violating the security boundary between Azure AD and Active Directory and ensuring that attackers don't need to rely on a misconfiguration such as an administrator being synced to Azure AD. Lastly, we will discuss how to mitigate the issue and how to identify potential misconfigurations that may lead to issues unique to your environment.

Inside & Outside
Salon B
16:20
40min
Operationalizing GCP’s Asset Inventory for Cloud Enlightenment
Randy Heins, Jeffrey Zhang

Security engineers at Nuro will demonstrate how they have extended GCP’s native Cloud Asset Inventory to gain better awareness of their cloud environment to improve incident response time, reduce cloud costs, and allow for better resource planning. They will demonstrate the benefits of their custom application, CLARITY, which streamlines inventorying efforts to improve situational awareness.

Inside & Outside
Salon C
17:00
20min
MITRE ATT&CK® for Cloud: Challenges and Opportunities
Casey Knerr, Jesse Griggs

In 2019, ATT&CK - a free, globally accessible knowledge base of adversary tactics and techniques - released its Cloud Matrix to capture the increasing threats targeting organizations’ cloud-based technologies. Since then, we've discovered that behaviors easily mapped to techniques in "traditional" on-prem spaces don't always fit into the same neat boxes in the cloud.

For example, in a cloud environment, what distinguishes collection (in which the adversary gathers data of interest) from data exfiltration (in which the adversary steals data from the target network) - especially when adversaries can directly view and download sensitive information via the CLI or web console? What happens when traditional persistence methods, such as adding roles to users, end up also resulting in privilege escalation due to the complexity of cloud permissions? What is lateral movement in the cloud, and can it also exist within a tenant as well as between tenants, or between a tenant and a corresponding on-premises environment? And what distinguishes execution in the cloud from execution in a cloud-hosted instance?

Join two members of the ATT&CK for Cloud team for a group discussion as we try to work through these issues and determine how to better capture and ultimately defend against adversary behaviors in the cloud.

Birds-of-a-feather, business & behind-the-scenes "balk talks"
Salon B
17:00
45min
What Could Go Wrong? DEI-informed Perspectives on Threat Modeling in the Age of Terrifying Feature Requests
Jasmine Henry, Renee Beckloff

“Can you do a security review of our new AI feature by tomorrow?”

Security practitioners face a hard truth. We don’t know what could go wrong with the new AI chatbot or machine learning model. But how do you set guardrails for security, safety, or privacy on your own in a world where there are few reliable safety guidelines for next quarter’s product roadmap? To achieve safer and more secure outcomes, cloud security practitioners should consider it imperative to adopt more diversity, equity, and inclusion-informed (DEI) approaches to building threat models.

Easier said than done, right?

While it’s never easy to navigate new collaborative models, cloud security practitioners all have an opportunity to create more diverse, equitable, and inclusive conversations about risk and threats at every stage of the feature lifecycle. This is a practitioner talk given through an intersectional and DEI-focused lens with a particular focus on facilitating greater inclusion and collaboration at every stage of the feature lifecycle. Attendees will learn how to foster greater self-service decisions among product managers, facilitate inclusive premortem meetings, drive a culture of ‘fearless risk documentation,’ and launch a risk amnesty program for anonymous reporting.

Birds-of-a-feather, business & behind-the-scenes "balk talks"
Salon C
17:30
40min
Threat intelligence in the age of cloud
Noam Dahan, Igal Gofman

Threat Intelligence is one of the most important inputs when investigating breaches, and enables faster, better informed security decisions. However, implementing a successful threat intelligence strategy heavily depends on the feed quality and how data is cross-referenced with other intel sources. This talk highlights the challenges of building good threat intel in a cloud-based world and offers a way forward for better threat intel through collaboration. In the discussion we will present a model for evaluating cloud threat intelligence feeds, map the units of threat intelligence that are uniquely relevant to the cloud, discuss channels for sharing intel, and strategize regarding how to encourage transparency from cloud providers.
We believe this session can kick off a wider conversation to improve cloud threat intelligence.

Birds-of-a-feather, business & behind-the-scenes "balk talks"
Salon B
07:30
570min
Hallwaycon & Sponsor Booths
Salon A
08:00
40min
How Citi advanced their containment capabilities through automation
Damien Burks, Elvis Veliz

Incident response is critical for ensuring the reliability and security of AWS environments. Supporting 28 AWS services, Citi implemented a highly scalable cloud incident response framework specifically designed for their AWS environment. Using AWS Step Functions and AWS Lambda, Citi's automation and orchestration of NIST’s incident response plan has significantly improved response time to security incidents, cutting an average of 5 hours from containment actions and eliminating the risk of human error. Using real-world scenarios and examples, attendees will learn how to leverage AWS Step Functions and core AWS services to effectively design and build scalable incident response solutions.

Control & data
Salon B
08:00
40min
Pivoting Clouds in AWS Organizations
Scott Weston

AWS Organizations is a service offered by AWS that allows a user to logically bind together a large number of AWS accounts under one "organization". While this helps for organizational purposes, it presents several unique pathways for a pentester allowing one to tunnel through the inherent boundaries that might exist in a single AWS account. Using AWS Organizations, I show how one can turn a single account takeover into a multi-account takeover drastically increasing the blast radius. The talk hopes to provide both a technical perspective and abstract-enough overview to be useful to both in-the-weeds pentesters and general managers/business owners alike.

The talk covers:
- AWS Organization overview
- Easy way to pivot to member account (account creation)
- Trusted access & delegated administration overview
- Using trusted access & delegated administration to indirectly/directly access member accounts
- A new Organization security feature released late last year + security implications
- An overview of available tooling created by the speaker to assist in enumerating organizations in the open source tool Pacu.

Infrastructure & superstructure
Salon C
08:50
20min
AWS Identity Center - Extending Cloudsplaining to score Users & Permission sets risks
Rodrigo Montoro

There are multiple methods to access an AWS account: IAM Users, cross-account access, federated users, and Identity Center. Since the rename from AWS SSO to Identity Center, AWS has been encouraging customers to use Identity Center more. Using it, you gain some significant advantages such as short-term keys, centralized logging when using Organizations and multiple accounts, easier management, etc.

Many tools and projects handle permissions management for IAM users, but with Identity Center we face new challenges when trying to map excessive permissions. There are no easy, visual ways to match users to their riskier permissions. Based on this new challenge, we extended Cloudsplaining and created a flow built only on open-source components to map those Identity Center risks.

In the flow, we enumerate all accounts belonging to an Organization, mapping accounts, users, permission sets, and the associated policies (both AWS managed and customer managed). With that, we map the permissions in those accounts using our Risk Score research based on Cloudsplaining, and put it all together to show every risk finding that an Identity Center user is capable of. More importantly, with Kibana you get a dashboard that graphically maps Identity Center users to their risks in a single place to help your prioritization.

The audience will learn a step-by-step method to replicate this at the end of the talk, using only open-source projects such as sso-reporter, Cloudsplaining, and the Elastic stack. We'll provide all scripts and risk-scoring enrichments based on Cloudsplaining findings, Logstash configurations, and Kibana visualizations. On top of this, we will discuss some Identity Center actions that you should monitor closely to avoid privilege escalation attempts.

Control & data
Salon C
08:50
20min
Tales From the Sewer: A plumber’s view of building a data security platform
Christopher Webber

Over the last four years Open Raven has been building a data security platform for the cloud. During that time I have been tasked as the Head of Operations to not just run the platform but also be one of our subject matter experts. From $40,000 S3 mistakes, Lambda functions pooping out logs like rabbits, and other crazy adventures around IAM, we will dive into a number of the technical lessons learned and touch a bit on the weird edge cases that scare me.

Control & data
Salon B
09:20
20min
CloudFox + CloudFoxable: A Powerful Duo for Mastering the Art of Identifying and Exploiting AWS Attack Paths
Seth Art

CloudFox helps penetration testers and security professionals find exploitable attack paths in cloud infrastructure. However, what if you want to find and exploit services not yet present in your current environment?
What if you lack access to an enterprise AWS environment?

Enter CloudFoxable, an intentionally vulnerable AWS environment created specifically to showcase CloudFox’s capabilities and help you find latent attack paths more effectively. Drawing inspiration from CloudGoat, flaws.cloud, and Metasploitable, CloudFoxable provides a wide array of flags and attack paths in a CTF format.

In this talk, we'll demonstrate some of CloudFoxable's CTF challenges that “blur the lines”, including an IAM role that trusts a GitHub repository via OIDC, an SNS topic with an overly permissive resource policy that leads to remote code execution, and an exploit path that leads from a vulnerable AWS OpenSearch domain to a private GitHub repository with the flag.

Infrastructure & superstructure
Salon B
09:20
20min
Helping developers drink from a champagne flute and not a firehose when it comes to cloud security
Tyson Garrett, Jason Nelson

TrustOnCloud delivers comprehensive, continuously updated threat models of cloud services (such as Amazon SageMaker and Google BigQuery), empowering the Citi Threat Modelling team to swiftly assess and onboard cloud services. This approach enables developers within Citi to consume secured cloud services for the applications built on them while not overwhelming them with complicated service configurations and platform controls. Attendees of this talk will come away with approaches to staying up to date with new threats and controls in the cloud, managing this information, and how to make it digestible for developers in a way that will help them think more deeply about the security of their applications.

Infrastructure & superstructure
Salon C
09:50
40min
Billions Served: Processing Security Event Logs with the AWS Serverless Stack
Josh Liburdi

Security event and audit logs are a foundational requirement for threat hunting, threat detection, and incident response, but most security teams have little to no control over their data and rely on vendors who charge thousands of dollars per day for "log management." There must be a better way!

In this talk we will discuss the challenges, best practices, and secrets for building large scale, affordable data processing systems using the AWS serverless stack, including how to choose the best streaming data storage service, techniques for real-time event enrichment on billions of logs, and optimizing for both speed and cost.

Infrastructure & superstructure
Salon B
09:50
40min
IYKYK: Negotiating the Scope of Security Audits (Even if You DREAD Compliance)
Jasmine Henry, George Tang

Death, taxes, and cybersecurity audits are inevitable for most of us. Chances are, you will have to participate in an external cybersecurity audit at some point. Luckily, learning to control your audit scope is a game changing skill for everyone in cyber (perhaps especially folks who dread compliance and those who struggle to scale compliance to cloud). Negotiating scope will protect you from seemingly outdated audit requirements or evidence requests that feel pointless!

This session is formatted as an interactive mock negotiation between two industry experts - a frazzled cybersecurity pro and a seasoned SOC 2 auditor - who negotiate the scope of controls for a fictional cloud-native company. Collectively, the speakers have over two decades of experience in their respective roles, so you can watch them redline notes on a control list and hear them explain their positioning. Will the cloud cyber pro prevail against the big audit firm CPA that's auditing her security? Can she avoid burnout and death by evidence requests?

Attend this session to learn critical skills in security audit scope negotiation for cloud-native environments!

Control & data
Salon C
10:30
10:30
30min
Morning Break
Salon B
10:30
30min
Morning Break
Salon C
11:00
11:00
40min
Rolling out AWS Infrastructure Everywhere with Space Ships
Mike Grima

AWS Organizations lacks a lot of the features that cloud security engineers need. It often lacks support for rolling out security-specific infrastructure where you need it. Unfortunately, there is also a lack of good open or closed source options for security engineers to roll out infrastructure-wide components. Often, security engineers and developers have to build their own quick-and-dirty, bespoke scripts to accomplish these tasks. In this talk, we discuss the problem space in greater depth and how we are working around this problem. We have also built an open source project called Starfleet that solves the problems in this space, which you can use without having to start from scratch. Starfleet is a whole-infrastructure AWS automation framework that allows you to easily run workloads with AWS account and region context. This enables security engineers to place infrastructure components everywhere they need them, configured exactly how they need them, guaranteed without drift. More details on Starfleet can be found here: https://gemini-oss.github.io/starfleet/

Infrastructure & superstructure
Salon B
11:00
20min
Stop the Bulldozers: Hardening the AWS CDK deployment process
Dawn Cooper

As companies migrate to the cloud, it's common to see uplift projects with the goal of deploying everything as Infrastructure as Code. AWS CDK has been widely adopted since it launched in 2019, partly because it allows dev teams to set up and deploy infrastructure using the programming languages that they're familiar with.

However, unlike most other IaC tools out there, CDK relies on a bootstrapping process which is typically done via CLI. The roles created by this process are highly privileged by default, which introduces the risk of privilege escalation issues.

In this talk, we'll look at a few different ways to reduce the attack surface of the default CDK roles, and enforce least privilege access for AWS resource deployment.

Infrastructure & superstructure
Salon C
11:30
11:30
40min
Unmasking the Subnet: Lookalike IP Ranges in Cloud Environments
Asaf Aprozper

In the world of cloud computing, protecting networks from unauthorized access is critical. While some misconfigurations, such as allowing access from any IP address, are widely known, a new and less-discussed risk has emerged: the use of lookalike private IP ranges. In a proactive hunt for possible unknown misconfigurations, it was revealed that cloud users had mistakenly configured Security Groups and VPCs with IP ranges they believed were internal, but which were actually publicly exposed to US cellular networks and potentially to malicious actors. Such issues blur the lines between customer and cloud vendor responsibility: customers are responsible for configuring their own networks, but cloud providers can easily assist in mitigating such misconfigurations.

To evaluate this new misconfiguration and the critical risk that may be associated with it, we purchased a T-Mobile lookalike private IP address for just a few bucks and used it with ProxyChains and Nmap to impersonate the private IP range and scan for open services across the AWS ASN. This presentation will highlight the security risks of lookalike IP addresses in cloud environments and introduce a new community-driven framework called CloudHunting, which uses Sigma rules mapped to MITRE ATT&CK to proactively detect such misconfigurations that could lead to threats, including this newly identified one.

Inside & Outside
Salon C
11:50
11:50
250min
Incident Response Game Day Challenge
Rich Mogull, Will Bengtson

Come test your cloud incident response skills and see how high you score on our live-fire training range that simulates real-world attacks. Come alone or bring your team as we issue you a fully instrumented AWS account and start hitting you with a timed series of attacks. Don't worry if you're new: the attacks scale to your skill level, and our instructors will be right there to teach in a fun game-day environment.

Odds & Ends
Salon B
12:30
12:30
40min
Swimming with the Sharks. IR Kubed.
Nathan Case, Alon Girmonsky

Kubernetes (K8s) poses unique challenges during incident investigation, API debugging, threat hunting, and detection. In this talk attendees will see an immersive exploration of incident response inside Kubernetes, focusing on three common indicators of compromise: increased API throughput, suspicious payloads on ingress, and known bad IPs communicating with pods. We’ll cover API logging, network monitoring, and best practices for preparing your pods for security incidents.

Network overlays and service meshes, like Istio, also introduce additional layers of complexity that make it difficult to keep an accurate record of traffic inside a K8s cluster. Just having VPC flow logs or traditional network monitoring is often not enough. We’ll take a look at the pros and cons of implementing overlays and how they can lead to observability blind spots that could leave you in the dark in the event of an incident.

Whether you're a seasoned K8s user or just starting out, don’t miss this opportunity to look at K8s configuration and operation from the perspective of a seasoned incident responder.

Infrastructure & superstructure
Salon C
13:20
13:20
20min
fwd:cloudsec State of the Union
Scott Piper

How does this conference exist? Who pays for the Cloud Security Forum Slack? Learn about the organization of the non-profit entity behind all this, the motivations that drive it, and how you might want to get involved with it.

Odds & Ends
Salon C
13:50
13:50
60min
The Ground Shifts Underneath Us
Brandon Sherman 👾

One of the hardest parts of working in a cloud environment is the unstable ground we build on. While the APIs themselves are usually quite stable, the actual implementation of those APIs in the cloud provider's systems can, and does, frequently change. What were once safe assumptions and architectures can be, and have been, broken by updates to services.

Birds-of-a-feather, business & behind-the-scenes "balk talks"
Salon C