William Gamazo

Nelson William Gamazo Sanchez is a Principal Researcher at Palo Alto Networks, currently working on Cloud Security. Prior to joining Palo Alto Networks, he was a Threat Security Researcher at ZDI Trend Micro, in the Threat Hunting Team, leading the ITW hunting initiative, where he published and presented multiple unique findings. He has worked in the security field since 2000, playing different roles in multiple security-oriented companies, including anti-malware and computer forensics companies, where he has worked in multiple areas as a reverse engineer, vulnerability analyst, vulnerability researcher and threat researcher. Nelson William Gamazo Sanchez is an engineering graduate and has a Master's degree in Teleinformatics.


Session

06-17
14:30
20min
Detecting Cloud Threats with Dynamic Clouds
Nathaniel "Q" Quist, William Gamazo

In the rapidly changing cybersecurity landscape, fully automated and dynamically scaled offensive cloud-targeted attacks are evading some of our strongest defensive strategies. In this presentation, we introduce the "HoneyCloud" project - a novel approach for collecting and analyzing cloud-centric cyber threats. This talk aims to provide a comprehensive understanding and analysis of how our cloud environments are targeted by fully automated and dynamically scaled offensive operations. We will discuss how the design and implementation of a HoneyCloud can allow researchers to forensically collect malicious operations from live cloud environments.
During this presentation, we will deep-dive into three real-world threats displaying the capabilities of this detection platform. The first, the EleKtra-Leak attack, is a cryptojacking operation beginning with exposed credentials in a public GitHub repository. The second, P2PInfect, is a novel peer-to-peer worm. The third, RansomWorm, a ransomware and extortion operation targeting cloud storage and database services, also triggered reconnaissance indicators in our HoneyCloud before the incident was reported. We will discuss how threat actors have improved their secret scanning services and how they increased their effectiveness in controlling cloud resources, as well as where the threat actors' OPSEC mistakes lead to their geolocation exposure.
The audience will walk away with knowledge of how a HoneyCloud project can collect cloud-targeting Indicators of Compromise (IOCs) and the unique capabilities of the project for tracking Cloud Threat Actor Groups (CTAGs) within live cloud environments. Using real cloud threat findings, the audience will discover how CTAGs target weak cloud deployments at scale, allowing them to compromise hundreds of victims within minutes. We will demonstrate how HoneyCloud can automate the collection of highly automated and dynamically scalable cloud-targeted cyber attacks. This session aims to present a novel approach for enhancing threat discovery for cybersecurity professionals seeking to understand how threat actors are targeting and manipulating cloud environments.

A Long Train of Abuses and Usurpations
Breakout 1