{"$schema": "https://c3voc.de/schedule/schema.json", "generator": {"name": "pretalx", "version": "2026.1.0.dev0"}, "schedule": {"url": "https://pretalx.com/fwd-cloudsec-europe-2024/schedule/", "version": "1.5", "base_url": "https://pretalx.com", "conference": {"acronym": "fwd-cloudsec-europe-2024", "title": "fwd:cloudsec Europe 2024", "start": "2024-09-17", "end": "2024-09-17", "daysCount": 1, "timeslot_duration": "00:05", "time_zone_name": "Europe/Brussels", "colors": {"primary": "#3aa57c"}, "rooms": [{"name": "Main Room", "slug": "3373-main-room", "guid": "e8911fce-cb88-58e8-8226-d7d769bc7284", "description": null, "capacity": null}], "tracks": [{"name": "Defending the Cloud", "slug": "4640-defending-the-cloud", "color": "#4C31CD"}, {"name": "Breaking the Cloud", "slug": "4641-breaking-the-cloud", "color": "#C15700"}, {"name": "Birds-of-a-feather, off the record and business-focused discussions", "slug": "4642-birds-of-a-feather-off-the-record-and-business-focused-discussions", "color": "#9A0190"}, {"name": "Odds & Ends", "slug": "4643-odds-ends", "color": "#9A0190"}], "days": [{"index": 1, "date": "2024-09-17", "day_start": "2024-09-17T04:00:00+02:00", "day_end": "2024-09-18T03:59:00+02:00", "rooms": {"Main Room": [{"guid": "33045a3c-c701-5fc6-96a4-bbbf68a2bc71", "code": "AQZCSX", "id": 53702, "logo": null, "date": "2024-09-17T09:00:00+02:00", "start": "09:00", "duration": "00:15", "room": "Main Room", "slug": "fwd-cloudsec-europe-2024-53702-introduction", "url": "https://pretalx.com/fwd-cloudsec-europe-2024/talk/AQZCSX/", "title": "Introduction", "subtitle": "", "track": "Odds & Ends", "type": "Welcome talk", "language": "en", "abstract": "Welcome, introduction and opening statements", "description": null, "recording_license": "", "do_not_record": false, "persons": [{"code": "ANRBXD", "name": "Chris Farris", "avatar": "https://pretalx.com/media/avatars/ANRBXD_RIVOrYa.webp", "biography": "Chris is a grumpy old cloud troll.", "public_name": "Chris Farris", 
"guid": "2ef41c64-3ba9-5834-8c69-db5bd5f80174", "url": "https://pretalx.com/fwd-cloudsec-europe-2024/speaker/ANRBXD/"}, {"code": "KKBMLH", "name": "Karim El-Melhaoui", "avatar": null, "biography": null, "public_name": "Karim El-Melhaoui", "guid": "df9c27ea-2e0b-50e3-a6f7-10a48ab6073c", "url": "https://pretalx.com/fwd-cloudsec-europe-2024/speaker/KKBMLH/"}], "links": [], "feedback_url": "https://pretalx.com/fwd-cloudsec-europe-2024/talk/AQZCSX/feedback/", "origin_url": "https://pretalx.com/fwd-cloudsec-europe-2024/talk/AQZCSX/", "attachments": []}, {"guid": "7510dca7-7e6e-52b9-940d-0f2225e83c91", "code": "PNTUUU", "id": 49711, "logo": null, "date": "2024-09-17T09:20:00+02:00", "start": "09:20", "duration": "00:40", "room": "Main Room", "slug": "fwd-cloudsec-europe-2024-49711-how-to-10x-your-cloud-security-without-the-series-d", "url": "https://pretalx.com/fwd-cloudsec-europe-2024/talk/PNTUUU/", "title": "How to 10X Your Cloud Security (Without the Series D)", "subtitle": "", "track": "Defending the Cloud", "type": "Long talk", "language": "en", "abstract": "I\u2019ll summarize and distill the actionable guidance for scaling Cloud Security programs from the vast array of talks and blog posts our there. We'll blaze through a dense view of what cloud security is, how you can do it more effectively, and what the near future looks like. After the talk, you'll have practical takeaways, and a lengthy, curated bibliography to lean on.", "description": null, "recording_license": "", "do_not_record": false, "persons": [{"code": "SHSDTA", "name": "Rami McCarthy", "avatar": "https://pretalx.com/media/avatars/SHSDTA_wB7oEOQ.webp", "biography": "Rami is a bit of a security wonk. Most recently, he helped build the Infrastructure Security program at Figma. Before that, he worked as a security consultant and helped scale security for a health-tech unicorn. 
He writes about security over at [ramimac.me](http://ramimac.me) and for [tldrsec.com](http://tldrsec.com).", "public_name": "Rami McCarthy", "guid": "d60b928f-762d-545d-8a0f-2a4ae98d0c57", "url": "https://pretalx.com/fwd-cloudsec-europe-2024/speaker/SHSDTA/"}], "links": [{"title": "Slides", "url": "https://fwdcloudsec.org/assets/presentations/2024/europe/rami-mccarthy-how-to-10x-your-cloud-security.pdf", "type": "related"}, {"title": "Recording", "url": "https://youtu.be/DgWLWtFbO_o", "type": "related"}], "feedback_url": "https://pretalx.com/fwd-cloudsec-europe-2024/talk/PNTUUU/feedback/", "origin_url": "https://pretalx.com/fwd-cloudsec-europe-2024/talk/PNTUUU/", "attachments": []}, {"guid": "3bc22a79-e01f-50cf-9c86-9b1b36b912f1", "code": "TQREWF", "id": 52359, "logo": null, "date": "2024-09-17T10:10:00+02:00", "start": "10:10", "duration": "00:20", "room": "Main Room", "slug": "fwd-cloudsec-europe-2024-52359-cloud-conscious-tactics-techniques-and-procedures-ttps-an-overview", "url": "https://pretalx.com/fwd-cloudsec-europe-2024/talk/TQREWF/", "title": "Cloud-Conscious Tactics, Techniques, and Procedures (TTPs) \u2013 An Overview", "subtitle": "", "track": "Defending the Cloud", "type": "Lightning talk", "language": "en", "abstract": "Cloud security incidents have increased significantly in recent years, with cloud-conscious attacks more than doubling in 2023 according to CrowdStrike Intelligence statistics. Based on over 180 cases sourced from CrowdStrike incident response, managed threat hunting, and managed SOC services which are highly reflective of the actual threat environment that companies face every day, this talk gives an overview of the most common tactics, techniques, and procedures (TTPs) that adversaries use when compromising the cloud. 
We will be looking into two incident response cases where actors gain unauthorized access, exfiltrate data, and deploy ransomware.\r\nDefenders walk away from this talk with a clear picture of what the most common techniques are, how to hunt for the presented techniques, and how to defend against them.", "description": null, "recording_license": "", "do_not_record": false, "persons": [{"code": "8YKBNG", "name": "Sebastian Walla", "avatar": "https://pretalx.com/media/avatars/8YKBNG_mcfbt8s.webp", "biography": "Sebastian Walla is an expert in Cloud Threat Intelligence. He is the deputy manager of the Emerging Threats team focusing on Cloud Threat Intelligence at CrowdStrike. Sebastian has worked as a reverse engineer for 4 years and has been focusing on cloud intrusions for a couple of years.\r\nSebastian studied Cybersecurity, has a Masters in Computer Science, and published a paper on automatically identifying and exploiting tarpit vulnerabilities to fight malware. He further holds the GREM and GCLD certifications and presented at Euro S&P 2019 and Fal.Con 2023.", "public_name": "Sebastian Walla", "guid": "b0fc759c-ea7c-5f7c-b650-23ebd45a3e25", "url": "https://pretalx.com/fwd-cloudsec-europe-2024/speaker/8YKBNG/"}], "links": [{"title": "Slides", "url": "https://fwdcloudsec.org/assets/presentations/2024/europe/sebastian-walla-cloud-conscious-tactics-techniques-and-procedures-an-overview.pdf", "type": "related"}, {"title": "Recording", "url": "https://youtu.be/H0CmqRCx_R8", "type": "related"}], "feedback_url": "https://pretalx.com/fwd-cloudsec-europe-2024/talk/TQREWF/feedback/", "origin_url": "https://pretalx.com/fwd-cloudsec-europe-2024/talk/TQREWF/", "attachments": [{"title": "Hunting Rules for Case Studies", "url": "/media/fwd-cloudsec-europe-2024/submissions/TQREWF/resources/fwd_cloudsec_EU_2024_Hunting_rules_tddXDZz.pdf", "type": "related"}]}, {"guid": "0a2a6218-9171-5000-a119-ca47d9e22ed1", "code": "EXD7QE", "id": 52774, "logo": null, "date": 
"2024-09-17T10:55:00+02:00", "start": "10:55", "duration": "00:20", "room": "Main Room", "slug": "fwd-cloudsec-europe-2024-52774-hidden-in-plain-sight-ab-using-entra-s-aus", "url": "https://pretalx.com/fwd-cloudsec-europe-2024/talk/EXD7QE/", "title": "Hidden in Plain Sight: (Ab)using Entra's AUs", "subtitle": "", "track": "Breaking the Cloud", "type": "Lightning talk", "language": "en", "abstract": "Entra ID's Administrative Units (AU) are great for defenders\u2026 and for attackers! AUs are a useful method for creating scoped Entra ID role assignments. However, this scoping also offers juicy new methods for anyone looking to persist quietly in an Azure tenant: Obscure parameters can hide AU membership, and restrictions can prevent removal of malicious accounts. AUs are a globally-enabled tenant feature. Are you prepared to keep an eye on them?\r\n\r\nWe'll start by reviewing Azure permissions, Entra ID role assignment, and the advantages AUs can provide. Then, we'll demonstrate scenarios where an attacker can leverage them for invisible, privileged tenant persistence. We'll conclude with detection, remediation, and reflections on these double-edged features of user administration. Emulation of these techniques will be available in Stratus Red Team alongside this talk.", "description": null, "recording_license": "", "do_not_record": false, "persons": [{"code": "Y9FNXH", "name": "Katie Knowles", "avatar": "https://pretalx.com/media/avatars/Y9FNXH_2HD95ol.webp", "biography": "Katie Knowles is a Security Researcher at Datadog, focused on Azure research. Through her past roles, Katie has had the chance to approach security as both an attacker and defender, from incident response and detection engineering to penetration testing. 
She holds Azure (AZ-104, AZ-500) and offensive security (OSCP, GPEN) certifications.", "public_name": "Katie Knowles", "guid": "2793126a-c65c-5ce0-8829-82db01a600f1", "url": "https://pretalx.com/fwd-cloudsec-europe-2024/speaker/Y9FNXH/"}], "links": [{"title": "Slides", "url": "https://fwdcloudsec.org/assets/presentations/2024/europe/katie-knowles-hidden-in-plain-sight-abusing-entra-id-administrative-units.pdf", "type": "related"}, {"title": "Recording", "url": "https://youtu.be/Uoqu9r_-0sg", "type": "related"}], "feedback_url": "https://pretalx.com/fwd-cloudsec-europe-2024/talk/EXD7QE/feedback/", "origin_url": "https://pretalx.com/fwd-cloudsec-europe-2024/talk/EXD7QE/", "attachments": []}, {"guid": "e4281088-2646-536f-afc5-74a583938fc0", "code": "BTT9LJ", "id": 52734, "logo": null, "date": "2024-09-17T11:25:00+02:00", "start": "11:25", "duration": "00:20", "room": "Main Room", "slug": "fwd-cloudsec-europe-2024-52734-service-agents-and-the-search-for-transitive-access-in-gcp", "url": "https://pretalx.com/fwd-cloudsec-europe-2024/talk/BTT9LJ/", "title": "Service Agents and the Search for Transitive Access in GCP", "subtitle": "", "track": "Breaking the Cloud", "type": "Lightning talk", "language": "en", "abstract": "Service Agents are the \u2018per-project, per-product\u2019 machine identity in Google Cloud.  When Cloud Build deploys a container or writes a container to a registry, it's the Service Agent that enables this service-to-service auth.\r\nIn this talk, we'll hoist Service Agents on a lift and inspect their undercarriage, questioning why Google Cloud frequently sets their auto-assigned permissions to admin level yet positions them as inconsequential.\r\n\r\nWe\u2019ll challenge the perception that Service Agents are inherently safe, shattering the party line that their administrative power is without the potential for abuse by a malicious actor in the project. 
The audience will learn about transitive access techniques, revealing how Service Agents' permissions can be exploited to manipulate services and data, even without direct resource access. \r\n\r\nI will make these risks concrete by releasing a case of Service Agent abuse resulting in data exfiltration, bypassing the need for explicit Storage permissions. Using the transitivity principle, I will demonstrate how service functionality puts the end user in the driver's seat, directing a Service Agent's actions to achieve unauthorized data access.\r\n\r\nAttendees will ride to the underbelly of Google Cloud's machine identity ecosystem, where assumptions are confronted, and the security implications may reshape their understanding of Service Agents.  Please keep all hands and feet inside the moving vehicle at all times.", "description": null, "recording_license": "", "do_not_record": false, "persons": [{"code": "VUA87C", "name": "Kat Traxler", "avatar": "https://pretalx.com/media/avatars/VUA87C_SwRqv46.webp", "biography": "Kat Traxler is the Principal Security Researcher at Vectra AI focusing on abuse techniques and vulnerabilities in the public cloud. Prior to her current role, she worked in various stages in the SDLC performing web application penetration testing and security architecture design for Web, IAM, Payment Technologies and Cloud Native Technologies.\r\n\r\nKat\u2019s research philosophy directs her work to where design flaws and misconfigurations are most probable. This guiding principle leads her research to the intersection of technologies, particularly the convergence of cloud security and application security and where the OS-layer interfaces with higher-level abstractions.\r\n\r\nKat has presented at various conferences including the SANS CloudSecNext Summit and fwd:CloudSec on topics such as privilege escalation in GCP, and bug-hunting in the cloud. 
In addition to her work at Vectra AI, she is a member of IAN Faculty and the Lead Author of the SANS SEC549 - Enterprise Cloud Security Architecture and currently holds multiple GIAC certifications. You can find her on the internet as @nightmareJS", "public_name": "Kat Traxler", "guid": "a43a1c06-80ef-5fea-b69d-76e571595b48", "url": "https://pretalx.com/fwd-cloudsec-europe-2024/speaker/VUA87C/"}], "links": [{"title": "Slides", "url": "https://fwdcloudsec.org/assets/presentations/2024/europe/kat-traxler-service-agents-and-the-search-for-transitive-access-in-gcp.pdf", "type": "related"}, {"title": "Recording", "url": "https://youtu.be/3vpYOii6o2w", "type": "related"}], "feedback_url": "https://pretalx.com/fwd-cloudsec-europe-2024/talk/BTT9LJ/feedback/", "origin_url": "https://pretalx.com/fwd-cloudsec-europe-2024/talk/BTT9LJ/", "attachments": []}, {"guid": "8b7dda99-70ff-5c00-8ba8-3829a64d1edb", "code": "BQAHLN", "id": 48316, "logo": null, "date": "2024-09-17T11:55:00+02:00", "start": "11:55", "duration": "00:20", "room": "Main Room", "slug": "fwd-cloudsec-europe-2024-48316-doing-bad-things-for-the-right-reasons-a-look-at-the-aws-vulnerability-disclosure-and-remediation-process", "url": "https://pretalx.com/fwd-cloudsec-europe-2024/talk/BQAHLN/", "title": "Doing bad things for the right reasons: A look at the AWS vulnerability disclosure and remediation process", "subtitle": "", "track": "Breaking the Cloud", "type": "Lightning talk", "language": "en", "abstract": "# Summary \r\nIn an era where cloud services form the backbone of our digital infrastructure, uncovering cloud vulnerabilities and ensuring their responsible disclosure is paramount. This session will explore key aspects of responsibly disclosing security research findings in cloud environments. Topics include the research process, how researchers approach cloud services, addressing Coordinated Vulnerability Disclosure (CVD), embargo periods, strategies for customer protection, and real-world examples. 
\r\n\r\n \r\n\r\nhttps://aws.amazon.com/security/vulnerability-reporting/  \r\n \r\n\r\n# Outline: \r\n* How does a security researcher approach cloud services\r\n* Coordinated Vulnerability Disclosure (CVD)\r\n* A vulnerability has been identified. What's next?\r\n* AWS workflow \r\n* Real world examples\r\n* What are Embargo periods?\r\n* What is Public disclosure?\r\n* Where to Report?", "description": null, "recording_license": "", "do_not_record": false, "persons": [{"code": "7DVSRC", "name": "Ryan Nolette", "avatar": "https://pretalx.com/media/avatars/7DVSRC_nmj8aD3.webp", "biography": "Ryan is AWS's Senior Security Engineer for the Outreach Team and CoAuthor of AWS Detective. He has previously held a variety of roles including threat research, incident response consulting, and every level of security operations. With almost 2 decades in the infosec field, Ryan has been on the development and operations side of companies such as Postman, Sqrrl, Carbon Black, Crossbeam Systems, SecureWorks and Fidelity Investments. Ryan has been an active speaker and writer on threat hunting and endpoint security. 
\r\n\r\n* www.linkedin.com/in/cloudy-with-a-chance-of-security \r\n* https://github.com/sonofagl1tch", "public_name": "Ryan Nolette", "guid": "de864541-67c2-53ca-940d-e0b0fc16f825", "url": "https://pretalx.com/fwd-cloudsec-europe-2024/speaker/7DVSRC/"}], "links": [{"title": "Slides", "url": "https://fwdcloudsec.org/assets/presentations/2024/europe/ryan-nolette-a-look-at-the-aws-vulnerability-disclosure-and-remediation-process.pdf", "type": "related"}, {"title": "re", "url": "https://youtu.be/JINXKN9NZmY", "type": "related"}], "feedback_url": "https://pretalx.com/fwd-cloudsec-europe-2024/talk/BQAHLN/feedback/", "origin_url": "https://pretalx.com/fwd-cloudsec-europe-2024/talk/BQAHLN/", "attachments": []}, {"guid": "9dc97881-bcda-5622-bdbc-3786a902b9c4", "code": "F8RHTG", "id": 52815, "logo": null, "date": "2024-09-17T13:30:00+02:00", "start": "13:30", "duration": "00:20", "room": "Main Room", "slug": "fwd-cloudsec-europe-2024-52815-staying-sneaky-in-microsoft-azure", "url": "https://pretalx.com/fwd-cloudsec-europe-2024/talk/F8RHTG/", "title": "Staying Sneaky in Microsoft Azure", "subtitle": "", "track": "Breaking the Cloud", "type": "Lightning talk", "language": "en", "abstract": "Microsoft are improving their cloud platform by providing more log sources that can be consumed to gain visibility into enumeration and data read events. However, due to Azure's complexity, such as different legacy and modern systems, the same objective can be achieved by an attacker through different methods, inherently with different indicators. 
As a result, the challenges that organisations face, and will continue to face, are the following:\r\n\r\n- Attackers using known and lesser-known APIs to perform activities against a tenant and Azure resources.\r\n- Attackers remaining undetected due to assumptions made by defensive teams about how specific attacks would be performed.\r\n\r\nThis talk will aim to build on publicly available research into undocumented APIs within Azure and present different ways that attackers can use these APIs to gather information about an environment and also perform actions against the estate. With each method that is discussed, the talk will also present what controls exist to try and prevent their abuse within an organisation as well as what telemetry is generated when performing these attacks. This allows attendees to understand the available attack surface within Azure and helps provide guidance on the potential non-typical log sources that should be ingested to improve attack detection in an estate.", "description": null, "recording_license": "", "do_not_record": false, "persons": [{"code": "9SKZ9Y", "name": "Christian Philipov", "avatar": "https://pretalx.com/media/avatars/9SKZ9Y_pB81RIC.webp", "biography": "Chris is a principal security consultant and heads up the Cloud Security capability area within WithSecure Consulting. As part of his day to day he leads the global team that deals with various different types of engagements of both a transactional and more bespoke nature. 
Chris specialises predominantly in Microsoft Azure, with GCP and AWS as an additional background.", "public_name": "Christian Philipov", "guid": "07439ae1-e9eb-5c1d-8f95-05cbb915f50d", "url": "https://pretalx.com/fwd-cloudsec-europe-2024/speaker/9SKZ9Y/"}], "links": [{"title": "Slides", "url": "https://fwdcloudsec.org/assets/presentations/2024/europe/christian-philipov-staying-sneaky-in-azure.pdf", "type": "related"}, {"title": "Recording", "url": "https://youtu.be/khhGDEoGuxc", "type": "related"}], "feedback_url": "https://pretalx.com/fwd-cloudsec-europe-2024/talk/F8RHTG/feedback/", "origin_url": "https://pretalx.com/fwd-cloudsec-europe-2024/talk/F8RHTG/", "attachments": []}, {"guid": "041ffad6-e455-5ac0-9243-859ce22f5325", "code": "VVMRW9", "id": 51065, "logo": null, "date": "2024-09-17T14:00:00+02:00", "start": "14:00", "duration": "00:20", "room": "Main Room", "slug": "fwd-cloudsec-europe-2024-51065-kubernetes-audit-log-gotchas", "url": "https://pretalx.com/fwd-cloudsec-europe-2024/talk/VVMRW9/", "title": "Kubernetes Audit Log Gotchas", "subtitle": "", "track": "Defending the Cloud", "type": "Lightning talk", "language": "en", "abstract": "The Kubernetes (K8s) audit log is a primary detection source in both managed and unmanaged K8s clusters. It provides visibility into API server activity, such as anonymous access to the cluster or the creation of a privileged pod. Equipped with this knowledge and your favorite log analysis tool, you optimistically set out on a journey to implement a consolidated detection infra across your clusters / cloud environments, or perhaps to create a forensics playbook. Soon enough you realize that the task is not that simple: your EKS cluster logging is off, your AKS log is missing crucial events, and the event formats in GKE and OKE are completely different from the vanilla K8s audit log format.\r\nIn this talk I will present practical challenges around streaming and managing K8s audit logs across multiple CSPs and unmanaged clusters. 
We'll talk about default logging policy and the lack of transparency around it, about unexpected format differences across the cloud vendors, touch on performance and latency and more. Finally, we will analyze the impact of the described gotchas on potential detection and forensic activities: what attacker techniques you might miss, which rules won't trigger, and what other sources to consider for augmentation.", "description": null, "recording_license": "", "do_not_record": false, "persons": [{"code": "LC8V8Z", "name": "Shay Berkovich", "avatar": "https://pretalx.com/media/avatars/LC8V8Z_7KfeD7c.webp", "biography": null, "public_name": "Shay Berkovich", "guid": "c3dbe78a-7ccd-55c5-9919-a708052fb9d9", "url": "https://pretalx.com/fwd-cloudsec-europe-2024/speaker/LC8V8Z/"}], "links": [{"title": "Slides", "url": "https://fwdcloudsec.org/assets/presentations/2024/europe/shay-berkovich-kubernetes-audit-logs-gotchas.pdf", "type": "related"}, {"title": "Recording", "url": "https://youtu.be/E_6HwlCzqUk", "type": "related"}], "feedback_url": "https://pretalx.com/fwd-cloudsec-europe-2024/talk/VVMRW9/feedback/", "origin_url": "https://pretalx.com/fwd-cloudsec-europe-2024/talk/VVMRW9/", "attachments": []}, {"guid": "7bf27a23-9ed6-56cd-994e-a504e992c555", "code": "EZGNSZ", "id": 52769, "logo": null, "date": "2024-09-17T14:45:00+02:00", "start": "14:45", "duration": "00:20", "room": "Main Room", "slug": "fwd-cloudsec-europe-2024-52769-who-watches-the-watchmen-stealing-credentials-from-policy-as-code-engines-and-beyond", "url": "https://pretalx.com/fwd-cloudsec-europe-2024/talk/EZGNSZ/", "title": "Who Watches the Watchmen? Stealing Credentials from Policy-as-Code Engines (and beyond)", "subtitle": "", "track": "Breaking the Cloud", "type": "Lightning talk", "language": "en", "abstract": "If an attacker could run an arbitrary policy on a policy engine, would that be dangerous? 
Turns out, the answer is yes.\r\n\r\nThis initial research question took us down a fascinating rabbit hole, which started in the OPA (Open Policy Agent) Rego language and ended all the way in Terraform HCL (Hashicorp Configuration Language).\r\n\r\nInfrastructure-as-code (IaC) is the backbone of DevOps for modern cloud applications. Due to the sensitivity and complexity of IaC deployments, policy engines and policy-as-code languages have emerged as key tools to govern these processes. They are also a common tool to govern operations within Kubernetes platforms (using Gatekeeper).\r\n\r\nIn this session, we'll explore malicious techniques for abusing modern policy-as-code and IaC domain-specific languages (DSLs). Supposedly, since these are hardened languages with limited capabilities, they should be more secure than standard programming languages, and indeed they are. However, more secure does not mean bulletproof. We'll explore techniques adversaries can use to manipulate these DSLs through third-party code to compromise cloud identities, conduct lateral movements, and exfiltrate sensitive data. We will be presenting novel techniques, such as DNS tunneling in DSLs, discovered in our research.\r\n\r\nThis begs two immediate questions: are attackers leveraging these techniques already? Are common scanners able to detect them? We answer these questions by showing the results of our scan of the public Terraform registry, as well as the scan results of popular scanners against our malicious configurations. We will conclude by presenting detection rules that defenders can use to detect these techniques and best practices that can be used to prevent them.", "description": null, "recording_license": "", "do_not_record": false, "persons": [{"code": "UYT8RZ", "name": "Shelly Raban", "avatar": "https://pretalx.com/media/avatars/UYT8RZ_6oiCv10.webp", "biography": "Shelly is a Senior Security Researcher at Tenable, specializing in cloud security research. 
In her previous roles, Shelly worked as a security researcher and threat hunting expert at Hunters. With 7 years of experience in cybersecurity, Shelly has conducted extensive research in detection engineering, host forensics, malware analysis, and reverse engineering. Outside of work, Shelly loves spending time with her two baby cats.", "public_name": "Shelly Raban", "guid": "2f050840-7e35-55c7-9914-864b9a890e3c", "url": "https://pretalx.com/fwd-cloudsec-europe-2024/speaker/UYT8RZ/"}], "links": [{"title": "Slides", "url": "https://fwdcloudsec.org/assets/presentations/2024/europe/shelly-raban-who-watches-the-watchmen-stealing-credentials-from-policy-as-code-engines.pdf", "type": "related"}, {"title": "Recording", "url": "https://youtu.be/1kk7STIsQsg", "type": "related"}], "feedback_url": "https://pretalx.com/fwd-cloudsec-europe-2024/talk/EZGNSZ/feedback/", "origin_url": "https://pretalx.com/fwd-cloudsec-europe-2024/talk/EZGNSZ/", "attachments": []}, {"guid": "f91fbfa5-1e72-5f87-99ad-1f743b4d43b5", "code": "Q99MWV", "id": 50507, "logo": null, "date": "2024-09-17T15:15:00+02:00", "start": "15:15", "duration": "00:20", "room": "Main Room", "slug": "fwd-cloudsec-europe-2024-50507-hidden-among-the-clouds-a-look-at-undocumented-aws-apis", "url": "https://pretalx.com/fwd-cloudsec-europe-2024/talk/Q99MWV/", "title": "Hidden Among the Clouds: A Look at Undocumented AWS APIs", "subtitle": "", "track": "Breaking the Cloud", "type": "Lightning talk", "language": "en", "abstract": "Undocumented AWS APIs have been associated with a number of vulnerabilities over time. They\u2019ve been used to modify and access resources cross-tenant, evade detection from CloudTrail, escalate privileges, and more. 
For cloud researchers and security professionals, these vulnerabilities raise the question: \u201cHow can we effectively identify these hidden APIs at scale\u201d?\r\n\r\nIn this talk I will present my methodology for discovering thousands of undocumented AWS APIs, talk about the challenges of this research, and release an open-source tool so that you can discover them for yourself. In addition, I will share an analysis of the full dataset of undocumented APIs I\u2019ve been gathering for over a year.", "description": null, "recording_license": "", "do_not_record": false, "persons": [{"code": "PV3VBW", "name": "Nick Frichette", "avatar": "https://pretalx.com/media/avatars/PV3VBW_OkAyiTt.webp", "biography": "Nick Frichette is a Staff Security Researcher at Datadog, where he specializes in offensive AWS security. He is known for finding multiple zero-day vulnerabilities in AWS services and regularly publishing on new attack techniques. In addition to his research, Nick is the creator and primary contributor to Hacking the Cloud, an open source encyclopedia of offensive security capabilities for cloud environments. 
He is also a part of the AWS Community Builder Program, where he develops content on AWS security.", "public_name": "Nick Frichette", "guid": "5f24665e-ebac-5e3a-86fc-88dae39e8158", "url": "https://pretalx.com/fwd-cloudsec-europe-2024/speaker/PV3VBW/"}], "links": [{"title": "Slides", "url": "https://fwdcloudsec.org/assets/presentations/2024/europe/nick-frichette-hidden-among-the-cloud-a-look-at-undocumented-aws-apis.pdf", "type": "related"}, {"title": "Recording", "url": "https://youtu.be/f7AuDxlYCzE", "type": "related"}], "feedback_url": "https://pretalx.com/fwd-cloudsec-europe-2024/talk/Q99MWV/feedback/", "origin_url": "https://pretalx.com/fwd-cloudsec-europe-2024/talk/Q99MWV/", "attachments": []}, {"guid": "1b8aaa00-9a39-56c9-a6e4-b53a2cdc0a49", "code": "LSLLFA", "id": 52191, "logo": null, "date": "2024-09-17T16:00:00+02:00", "start": "16:00", "duration": "00:20", "room": "Main Room", "slug": "fwd-cloudsec-europe-2024-52191-gcp-and-aws-identity-federation-lessons-learned-from-the-field-as-well-as-cross-cloud-forensics-and-incident-response", "url": "https://pretalx.com/fwd-cloudsec-europe-2024/talk/LSLLFA/", "title": "GCP and AWS identity federation - lessons learned from the field as well as cross-cloud forensics and incident response.", "subtitle": "", "track": "Defending the Cloud", "type": "Lightning talk", "language": "en", "abstract": "Our presentation is about identity federation between GCP and AWS using AssumeRoleWithWebIdentity. We will share our setup and lessons learned from implementing this in production at Spotify, as well as how we verify service identity between different cloud providers. Additionally, we will discuss the setup for use cases such as cross-cloud forensics and incident response.\r\n\r\nIn our session we\u2019ll deep dive into the AssumeRoleWithWebIdentity API and show how we can use it together with both native cloud SDKs as well as building our own self-signed token service to automate various use cases. 
Our presentation will cover:\r\n- Deep dive into identity federation between GCP and AWS using  AssumeRoleWithWebIdentity \r\n- Our journey implementing this in production and our lessons learned.\r\n- Demonstrating how this can be used for cross-cloud forensics and incident response purposes. E.g. collecting forensic artifacts between GCP projects and AWS accounts.\r\n\r\nWe\u2019ll also cover options for how to automate the above methods for cross-cloud forensic purposes.", "description": null, "recording_license": "", "do_not_record": false, "persons": [{"code": "UKCSND", "name": "Marcus Hallberg", "avatar": "https://pretalx.com/media/avatars/UKCSND_Vho0yvI.webp", "biography": "My name is Marcus, a security engineer at heart, and I work for Spotify in Stockholm, Sweden. I spend my time with a mix of detection and response as well as cloud security where my passion is in forensics and automation. When I have time off I enjoy rock climbing, folk dancing and cross-country skiing.", "public_name": "Marcus Hallberg", "guid": "efd4799d-037e-5266-8684-40452236acdc", "url": "https://pretalx.com/fwd-cloudsec-europe-2024/speaker/UKCSND/"}, {"code": "UNQXGZ", "name": "Attila Dulovics", "avatar": "https://pretalx.com/media/avatars/UNQXGZ_8cM6Uim.webp", "biography": "My name is Attila, a security engineer who is a fan of codified solutions which aim to reduce the burden of the users by helping them to configure things easier and safer.  My current day to day  focus is mostly around Cloud Security and Cloud IAM problems . 
In my free time I like doing strength training, hiking, and practicing inline skating tricks at skateparks.", "public_name": "Attila Dulovics", "guid": "b3ec0273-9eaf-5c91-b099-04286a8faeee", "url": "https://pretalx.com/fwd-cloudsec-europe-2024/speaker/UNQXGZ/"}], "links": [{"title": "Slides", "url": "https://fwdcloudsec.org/assets/presentations/2024/europe/marcus-hallberg-attila-dulovics-gcp-aws-identity-federation-lessons-from-the-field-cross-cloud-forensics-and-incident-response.pdf", "type": "related"}, {"title": "Recording", "url": "https://youtu.be/N3kWr47O1mQ", "type": "related"}], "feedback_url": "https://pretalx.com/fwd-cloudsec-europe-2024/talk/LSLLFA/feedback/", "origin_url": "https://pretalx.com/fwd-cloudsec-europe-2024/talk/LSLLFA/", "attachments": []}, {"guid": "65754681-ab27-5337-aac8-fb7eecdfe17d", "code": "3VSYZ7", "id": 50087, "logo": null, "date": "2024-09-17T16:30:00+02:00", "start": "16:30", "duration": "00:20", "room": "Main Room", "slug": "fwd-cloudsec-europe-2024-50087-build-your-own-cloudtrail", "url": "https://pretalx.com/fwd-cloudsec-europe-2024/talk/3VSYZ7/", "title": "Build Your Own CloudTrail", "subtitle": "", "track": "Defending the Cloud", "type": "Lightning talk", "language": "en", "abstract": "What can we learn from applying the principles and architecture of AWS IAM to our own services running in the cloud?\r\n\r\nCedar is an open-source authorization policy framework created by AWS. We used Cedar to build an authorization framework to secure our services, with an architecture inspired by AWS IAM - complete with our very own CloudTrail audit logging. 
In this talk I'll share what we learned from this, as well as actionable IAM practices to adopt.", "description": null, "recording_license": "", "do_not_record": false, "persons": [{"code": "CFZVSL", "name": "Chris Norman", "avatar": "https://pretalx.com/media/avatars/CFZVSL_399yyyS.webp", "biography": "Chris is the cofounder of Common Fate and the creator of Granted, an open-source CLI for accessing AWS.", "public_name": "Chris Norman", "guid": "b7eba8b3-0953-57b5-86fa-b086e5a22872", "url": "https://pretalx.com/fwd-cloudsec-europe-2024/speaker/CFZVSL/"}], "links": [{"title": "Slides", "url": "https://fwdcloudsec.org/assets/presentations/2024/europe/chris-norman-buld-your-own-cloudtrail.pdf", "type": "related"}, {"title": "Recording", "url": "https://youtu.be/PPJgxGMGwEY", "type": "related"}], "feedback_url": "https://pretalx.com/fwd-cloudsec-europe-2024/talk/3VSYZ7/feedback/", "origin_url": "https://pretalx.com/fwd-cloudsec-europe-2024/talk/3VSYZ7/", "attachments": []}, {"guid": "0a50583e-b221-5c11-8d6e-7e68ba90f6cd", "code": "JZYLET", "id": 54251, "logo": null, "date": "2024-09-17T17:00:00+02:00", "start": "17:00", "duration": "02:00", "room": "Main Room", "slug": "fwd-cloudsec-europe-2024-54251-happy-hour-birds-of-a-feather", "url": "https://pretalx.com/fwd-cloudsec-europe-2024/talk/JZYLET/", "title": "Happy Hour + Birds of a Feather", "subtitle": "", "track": "Birds-of-a-feather, off the record and business-focused discussions", "type": "Birds of a Feather", "language": "en", "abstract": "Drinks and networking in the communal space, Birds of a Feather sessions in the main room.\r\n\r\nBirds of a Feather topics will be picked on the day, the two most upvoted topics will be run for 30 minutes each.", "description": null, "recording_license": "", "do_not_record": false, "persons": [], "links": [], "feedback_url": "https://pretalx.com/fwd-cloudsec-europe-2024/talk/JZYLET/feedback/", "origin_url": "https://pretalx.com/fwd-cloudsec-europe-2024/talk/JZYLET/", 
"attachments": []}]}}]}}}