Ari Eitan

Ari Eitan is a Research Team Lead at Tenable. Ari began his career as a security researcher for the Israeli Defense Force (IDF). He quickly became Head of the IDF’s cyber incident response team (IDF CERT), honing his expertise in incident response, malware analysis, and reverse engineering. Before joining Tenable, Ari was the VP of Research at Intezer and presented his research at several government and information security events, including fwd:cloudsec, AVAR, BSidesTLV, CyberTech, Hack.lu, Hacktivity, Infosec, IP EXPO, Kaspersky SAS, and the Forum of Incident Response and Security Teams (FIRST).


Session

06-17
09:10
20min
Intercloud Identities: The Risks and Mitigations of Access Between Cloud Providers
Noam Dahan, Ari Eitan

The vast majority of organizations are deploying a multi-cloud or a hybrid cloud strategy. A central key to the multi-cloud machine is intercloud (or cross-cloud) access. Not just personnel access, but access by nonhuman identities from different cloud providers or on-premise workloads to the public cloud. While this form of access is key, it is easy to get it wrong.
Attackers are already primed to exploit these opportunities to move laterally within organizations.

In this session, we will explore the gears of the multi-cloud access engine, including different shared secret mechanisms and workload identity authentication. We will start with an overview of the primary mechanisms used for intercloud access. Afterwards, we’ll dive into the actual implementations, and understand the differences between cloud providers. We will dive into the implications of these differences and understand the risks associated with them. We will show TTPs for exploiting these interfaces and implementations, and discuss known uses by attackers.

By examining known malicious and grayware files and scripts, we present an important finding: Because some attacker tools are built to work on multiple cloud providers, if these are deployed to a machine built on a cross-cloud deployment, they would enable attackers to perform cross-cloud lateral movement.

We will offer actionable prevention and detection strategies for organizations and practitioners to take home and implement. We will offer advice on choosing the right intercloud access mechanisms, configuring them, and detecting intrusions and anomalies.

A Long Train of Abuses and Usurpations
Breakout 1