Welcome, introduction and opening statements

I’ll summarize and distill the actionable guidance for scaling Cloud Security programs from the vast array of talks and blog posts our there. We'll blaze through a dense view of what cloud security is, how you can do it more effectively, and what the near future looks like. After the talk, you'll have practical takeaways, and a lengthy, curated bibliography to lean on.

Cloud security incidents have increased significantly in recent years, with cloud-conscious attacks more than doubling in 2023 according to CrowdStrike Intelligence statistics. Based on over 180 cases sourced from CrowdStrike incident response, managed threat hunting, and managed SOC services which are highly reflective of the actual threat environment that companies face every day, this talk gives an overview of the most common tactics, techniques, and procedures (TTPs) that adversaries use when compromising the cloud. We will be looking into two incident response cases where actors gain unauthorized access, exfiltrate data, and deploy ransomware.
Defenders walk away from this talk with a clear picture of what the most common techniques are, how to hunt for the presented techniques, and how to defend against them.

Entra ID's Administrative Units (AU) are great for defenders… and for attackers! AUs are a useful method for creating scoped Entra ID role assignments. However, this scoping also offers juicy new methods for anyone looking to persist quietly in an Azure tenant: Obscure parameters can hide AU membership, and restrictions can prevent removal of malicious accounts. AUs are a globally-enabled tenant feature. Are you prepared to keep an eye on them?

We'll start by reviewing Azure permissions, Entra ID role assignment, and the advantages AUs can provide. Then, we'll demonstrate scenarios where an attacker can leverage them for invisible, privileged tenant persistence. We'll conclude with detection, remediation, and reflections on these double-edged features of user administration. Emulation of these techniques will be available in Stratus Red Team alongside this talk.

Service Agents are the ‘per-project, per-product’ machine identity in Google Cloud. When Cloud Build deploys a container or writes a container to a registry, it's the Service Agent that enables this service-to-service auth.
In this talk, we'll hoist Service Agents on a lift and inspect their undercarriage, questioning why Google Cloud frequently sets their auto-assigned permissions to admin level yet positions them as inconsequential.

We’ll challenge the perception that Service Agents are inherently safe, shattering the party line that their administrative power is without the potential for abuse by a malicious actor in the project. The audience will learn about transitive access techniques, revealing how Service Agents' permissions can be exploited to manipulate services and data, even without direct resource access.

I will make these risks concrete by releasing a case of Service Agent abuse resulting in data exfiltration, bypassing the need for explicit Storage permissions. Using the transitivity principle, I will demonstrate how service functionality puts the end user in the driver's seat, directing a Service Agent's actions to achieve unauthorized data access.

Attendees will ride to the underbelly of Google Cloud's machine identity ecosystem, where assumptions are confronted, and the security implications may reshape their understanding of Service Agents. Please keep all hands and feet inside the moving vehicle at all times.

Summary

In an era where cloud services form the backbone of our digital infrastructure, uncovering cloud vulnerabilities and ensuring their responsible disclosure is paramount. This session will explore key aspects of responsibly disclosing security research findings in cloud environments. Topics include the research process, how researchers approach cloud services, addressing Coordinated Vulnerability Disclosure (CVD), embargo periods, strategies for customer protection, and real-world examples.

https://aws.amazon.com/security/vulnerability-reporting/

Outline:

• How does a security researcher approach cloud services
• Coordinated Vulnerability Disclosure (CVD)
• A vulnerability has been identified. What's next?
• AWS workflow
• Real world examples
• What are Embargo periods?
• What is Public disclosure?
• Where to Report?

Microsoft are improving their cloud platform by providing more log sources that can be consumed to gain visibility into enumeration and data read events. However, due to Azure's complexity, such as different legacy and modern systems, the same objective can be achieved by an attacker through different methods, inherently with different indicators. As a result, the challenges that organisations face, and will continue on facing, are the following:

• Attackers using known and lesser-known APIs to perform activities against a tenant and Azure resources.
• Attackers remaining undetected due to assumptions taken by defensive teams in how specific attacks would be performed.

This talk will aim to build up on publicly available research into undocumented APIs within Azure and present different ways that attackers can use these APIs to gather information about an environment and also perform actions against the estate. With each method that is discussed, the talk will also present what controls exist to try and prevent their abuse within an organisation as well as what telemetry is generated when performing these attacks. Thus, allowing attendees to understand the available attack surface within Azure and help provide guidance on the potential non-typical log sources that should be ingested to improve an attack detection in an estate.

Kubernetes (K8s) audit log is a primary detection source in both managed and unmanaged K8s clusters. It provides visibility into API server activity , such as anonymous access to cluster or creation of privileged pod. Equipped with this knowledge and your favorite log analysis tool, you optimistically set out on a journey to implement a consolidated detection infra across your clusters / cloud environments, or perhaps to create a forensics playbook. Soon enough you realize that the task is not that simple: your EKS cluster logging is off, your AKS log is missing crucial events, and the event formats in GKE and OKE are completely different from vanilla K8s audit log format.
In this talk I will present practical challenges around streaming and managing K8s audit logs across multiple CSPs and unmanaged clusters. We'll talk about default logging policy and the lack of transparency around it, about unexpected format differences across the cloud vendors, touch on performance and latency and more. Finally, we will analyze the impact of the described gotchas on potential detection and forensic activities: what attacker techniques you might miss, which rules won't trigger, and what other sources to consider for augmentation.

If an attacker could run an arbitrary policy on a policy engine, would that be dangerous? Turns out, the answer is yes.

This initial research question took us down a fascinating rabbit hole, which started in the OPA (Open Policy Agent) Rego language and ended all the way in Terraform HCL (Hashicorp Configuration Language).

Infrastructure-as-code (IaC) is the backbone of DevOps for modern cloud applications. Due to the sensitivity and complexity of IaC deployments, policy engines and policy-as-code languages have emerged as key tools to govern these processes. They are also a common tool to govern operations within Kubernetes platforms (using Gatekeeper).

In this session, we'll explore malicious techniques for abusing modern policy-as-code and IaC domain-specific languages (DSLs). Supposedly, since these are hardened languages with limited capabilities, they should be more secure than standard programming languages, and indeed they are. However, more secure does not mean bulletproof. We'll explore techniques adversaries can use to manipulate these DSLs through third-party code to compromise cloud identities, conduct lateral movements, and exfiltrate sensitive data. We will be presenting novel techniques, such as DNS tunneling in DSLs, discovered in our research.

This begs two immediate questions: are attackers leveraging these techniques already? Are common scanners able to detect them? We answer these questions by showing the results of our scan of the public Terraform registry, as well as the scan results of popular scanners against our malicious configurations. We will conclude by presenting detection rules that defenders can use to detect these techniques and best practices that can be used to prevent them.

Undocumented AWS APIs have been associated with a number of vulnerabilities over the time. They’ve been used to modify and access resources cross-tenant, evade detection from CloudTrail, be useful for privilege escalation, and more. For cloud researchers and security professionals, these vulnerabilities raise the question: “How can we effectively identify these hidden APIs at scale”?

In this talk I will present my methodology for discovering thousands of undocumented AWS APIs, talk about the challenges of this research, and release an open-source tool so that you can discover them for yourself. In addition, I will share an analysis of the full dataset of undocumented APIs I’ve been gathering for over a year.

Our presentation is about identity federation between GCP and AWS using AssumeRoleWithWebIdentity. We will share our setup and lessons learned from implementing this in production at Spotify, as well as how we verify service identity between different cloud providers. Additionally, we will discuss the setup for use cases such as cross-cloud forensics and incident response.

In our session we’ll deep dive into the AssumeRoleWithWebIdentity API and show how we can use it together with both native cloud SDKs as well as building our own self-signed token service to automate various use cases. Our presentation will cover:
- Deep dive into identity federation between GCP and AWS using AssumeRoleWithWebIdentity
- Our journey implementing this in production and our lessons learned.
- Demonstrating how this can be used for cross-cloud forensics and incident response purposes. E.g. collecting forensic artifacts between GCP projects and AWS accounts.

We’ll also cover options for how to automate the above methods for cross-cloud forensic purposes.

What can we learn from applying the principles and architecture of AWS IAM to our own services running in the cloud?

Cedar is an open-source authorization policy framework created by AWS. We used Cedar to build an authorization framework to secure our services, with an architecture inspired by AWS IAM - complete with our very own CloudTrail audit logging. In this talk I'll share what we learned from this, as well as actionable IAM practices to adopt.

Drinks and networking in the communal space, Birds of a Feather sessions in the main room.

Birds of a Feather topics will be picked on the day, the two most upvoted topics will be run for 30 minutes each.