BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//pretalx.com//fwd-cloudsec-europe-2024//speaker//UYT8RZ
BEGIN:VTIMEZONE
TZID:CET
BEGIN:STANDARD
DTSTART:20001029T040000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10
TZNAME:CET
TZOFFSETFROM:+0200
TZOFFSETTO:+0100
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000326T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3
TZNAME:CEST
TZOFFSETFROM:+0100
TZOFFSETTO:+0200
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-fwd-cloudsec-europe-2024-EZGNSZ@pretalx.com
DTSTART;TZID=CET:20240917T144500
DTEND;TZID=CET:20240917T150500
DESCRIPTION:If an attacker could run an arbitrary policy on a policy engine
 \, would that be dangerous? Turns out\, the answer is yes.\n\nThis initial
  research question took us down a fascinating rabbit hole\, which started 
 in the OPA (Open Policy Agent) Rego language and ended all the way in Terr
 aform HCL (HashiCorp Configuration Language).\n\nInfrastructure-as-code (I
 aC) is the backbone of DevOps for modern cloud applications. Due to the se
 nsitivity and complexity of IaC deployments\, policy engines and policy-as
 -code languages have emerged as key tools to govern these processes. They 
 are also a common tool to govern operations within Kubernetes platforms (u
 sing Gatekeeper).\n\nIn this session\, we'll explore malicious techniques 
 for abusing modern policy-as-code and IaC domain-specific languages (DSLs)
 . Supposedly\, since these are hardened languages with limited capabilitie
 s\, they should be more secure than standard programming languages\, and i
 ndeed they are. However\, more secure does not mean bulletproof. We'll exp
 lore techniques adversaries can use to manipulate these DSLs through third
 -party code to compromise cloud identities\, conduct lateral movements\, a
 nd exfiltrate sensitive data. We will be presenting novel techniques\, suc
 h as DNS tunneling in DSLs\, discovered in our research.\n\nThis begs two 
 immediate questions: are attackers leveraging these techniques already? Ar
 e common scanners able to detect them? We answer these questions by showin
 g the results of our scan of the public Terraform registry\, as well as th
 e scan results of popular scanners against our malicious configurations. W
 e will conclude by presenting detection rules that defenders can use to de
 tect these techniques and best practices that can be used to prevent them.
DTSTAMP:20260513T004248Z
LOCATION:Main Room
SUMMARY:Who Watches the Watchmen? Stealing Credentials from Policy-as-Code 
 Engines (and beyond) - Shelly Raban
URL:https://pretalx.com/fwd-cloudsec-europe-2024/talk/EZGNSZ/
END:VEVENT
END:VCALENDAR
