Nathaniel "Q" Quist

Nathaniel Quist is the Manager for Prisma Cloud’s Threat Intelligence Team, working with Palo Alto Networks’ Unit 42 threat research team to identify and track threat actor groups who target and leverage public cloud platforms, tools, and services. He holds a Master of Science in Information Security Engineering (MSISE) from The SANS Institute and is the author of multiple blogs, reports, and whitepapers published by Palo Alto Networks' Unit 42 and Prisma Cloud and the SANS InfoSec Reading Room.


Session

06-17
14:30
20min
Detecting Cloud Threats with Dynamic Clouds
Nathaniel "Q" Quist, William Gamazo

In the rapidly changing cybersecurity landscape, fully automated and dynamically scaled offensive cloud-targeted attacks are evading some of our strongest defensive strategies. In this presentation, we introduce the "HoneyCloud" project - a novel approach for collecting and analyzing cloud-centric cyber threats. This talk aims to provide a comprehensive understanding and analysis of how our cloud environments are targeted by fully automated and dynamically scaled offensive operations. We will discuss how the design and implementation of a HoneyCloud can allow researchers to forensically collect malicious operations from live cloud environments.
During this presentation, we will deep-dive into three real-world threats that display the capabilities of this detection platform. First, the EleKtra-Leak attack - a cryptojacking operation that began with credentials exposed in a public GitHub repository. Second, P2PInfect - a novel peer-to-peer worm. The third event, called RansomWorm - a ransomware and extortion operation targeting cloud storage and database services - also triggered reconnaissance indicators in our HoneyCloud before the incident was publicly reported. We will discuss how threat actors have improved their secret-scanning services and increased their effectiveness in taking control of cloud resources, as well as where the threat actors' OPSEC mistakes led to the exposure of their geolocation.
The audience will walk away with knowledge of how a HoneyCloud project can collect cloud-targeting Indicators of Compromise (IOCs) and the unique capabilities of the project for tracking Cloud Threat Actor Groups (CTAGs) within live cloud environments. Using real cloud threat findings, the audience will discover how CTAGs target weak cloud deployments at scale, allowing them to compromise hundreds of victims within minutes. We will demonstrate how HoneyCloud can automate the collection of highly automated and dynamically scalable cloud-targeted cyber attacks. This session aims to present a novel approach for enhancing threat discovery for cybersecurity professionals seeking to understand how threat actors are targeting and manipulating cloud environments.

A Long Train of Abuses and Usurpations
Breakout 1