Noam Dahan
Noam Dahan is a Staff Security Researcher at Tenable with several years of experience in embedded security and cloud security. He previously spoke at Black Hat USA, DEF CON Cloud Village, DEF CON DemoLabs and fwd:cloudsec. Noam was a competitive debater and is a former World Debating Champion.
Session
The vast majority of organizations are deploying a multi-cloud or a hybrid cloud strategy. A central key to the multi-cloud machine is intercloud (or cross-cloud) access. Not just personnel access, but access by nonhuman identities from different cloud providers or on-premise workloads to the public cloud. While this form of access is key, it is easy to get it wrong.
Attackers are already primed to exploit these opportunities to move laterally within organizations.
In this session, we will explore the gears of the multi-cloud access engine, including different shared secret mechanisms and workload identity authentication. We will start with an overview of the primary mechanisms used for intercloud access. Afterwards, we’ll dive into the actual implementations, and understand the differences between cloud providers. We will dive into the implications of these differences and understand the risks associated with them. We will show TTPs for exploiting these interfaces and implementations, and discuss known uses by attackers.
By examining known malicious and grayware files and scripts, we present an important finding: Because some attacker tools are built to work on multiple cloud providers, if these are deployed to a machine built on a cross-cloud deployment, they would enable attackers to perform cross-cloud lateral movement.
We will offer actionable prevention and detection strategies for organizations and practitioners to take home and implement. We will offer advice on choosing the right intercloud access mechanisms, configuring them, and detecting intrusions and anomalies.