L o a d i n g
CLOUD VILLAGE @ DEF CON 30

Cloud Village is an open space to meet folks interested in offensive and defensive aspects of cloud security.

CFP for DEF CON 30 Contribute/Volunteer Become a Sponsor

About

Cloud village is an open space to meet folks interested in offensive and defensive aspects of cloud security. The village is home to various activities like talks, workshops, CTFs and discussions targeted around cloud services.

If you are a professional who is looking to gain knowledge on securely maintaining the cloud stack and loves to be around like-minded security folks who share the similar zeal towards the community, Cloud Village is the perfect place for you.


This year Cloud Village will be in-person at Flamingo, Las Vegas.

Hope to see you all there!


Crew Members:

CFP Review Panel:


Cloud Village CTF

Cloud Village CTF @DEF CON 30: 12th, 13th & 14th August 2022

CTF start - 12th Aug 2022 (10.00 PT)

CTF close - 14th Aug 2022 (12.00 PT)

Registrations Open - 5th Aug 2022

CTF Site - ctf.cloud-village.org



If you ever wanted to break stuff on the cloud, or if you like rabbit holes that take you places you did not think you would go to, follow complicated story lines to only find you could have reached to the flag without scratching your head so much - then this CTF is for you!

Our CTF is a three days jeopardy style contest where we have a bunch of challenges hosted across multiple Cloud providers across multiple categories of difficulty.

You can register as teams or go solo, use hints or stay away from them, in the end it will be all for glory or nothing. Plus the prizes. Did we not mention the prizes? :D

See you on the other side!


Schedule (DEF CON 30)


10:00 - 10:10 PDT

Opening Note

10:10 - 10:50 PDT

Automating Insecurity in Azure

10:50 - 11:30 PDT

Making the most of Microsoft cloud bug bounty programs: How I made in $65,000 USD in bounties in 2021

11:30 - 12:10 PDT

Shopping for Vulnerabilities - How Cloud Service Provider Marketplaces can Help White and Black Hat Vulnerability Research

12:10 - 12:30 PDT

A ransomware actor looks at the clouds: attacking in a cloud-native way

12:30 - 13:10 PDT

Weather Proofing GCP Defaults

13:10 - 13:40 PDT

Security at Every Step: The TL;DR on Securing Your AWS Code Pipeline

13:40 - 14:20 PDT

[Sponsored Talk] Pwning the CI Workflow (and How to Prevent it?)

14:20 - 14:50 PDT

Flying Under Cloud Cover: Built-in Blind Spots in Cloud Security

15:00 - 17:00 PDT

Prowler Open Source Cloud Security: A Deep Dive Workshop

10:00 - 10:40 PDT

OAuth-some Security Tricks: Yet more OAuth abuse

10:40 - 11:20 PDT

Who Contains the 'Serverless' Containers?

11:20 - 12:00 PDT

Purple Teaming & Adversary Emulation in the Cloud with Stratus Red Team

12:00 - 12:30 PDT

SquarePhish - Phishing Office 365 using QR Codes and Oauth 2.0 Device Code Flow

12:30 - 13:10 PDT

Security Misconfigurations in the Cloud - "Oh Look, something fluffy, poke, poke, poke"

13:10-13:40 PDT

BrokenbyDesign: Azure | Get started with hacking Azure

13:40 - 14:20 PDT

Us-east-1 Shuffle: Lateral Movement and other Creative Steps Attackers Take in AWS Cloud Environments and how to detect them.

14:20 - 14:50 PDT

Access Undenied on AWS - Troubleshooting AWS IAM AccessDenied Error

15:00 - 17:00 PDT

KQL Kung Fu: Finding the Needle in the Haystack in Your Azure Environments

10:00 - 10:40 PDT

Understanding, Abusing and Monitoring AWS AppStream 2.0

10:40 - 11:20 PDT

How to do Cloud Security assessments like a pro in only #4Steps

11:20 -11:50 PDT

Cloud Sandboxes for Security Research - Noirgate

11:50 - 12:30 PDT

Deescalate the overly-permissive IAM

12:30 - 12:50 PDT

Sign of the Times: Exploiting Poor Validation of AWS SNS SigningCertUrl

12:50 - 13:30 PDT

Cloud Defaults are Easy Not Secure

13:30 - 13:45 PDT

Closing Note



Talks (DEF CON 30)


Speaker: Karl Fosaaen

Date: 12 Aug

Time: 10:10 - 10:50 PDT

Twitter: @kfosaaen

Abstract: 

Microsoft's Azure cloud platform has over 200 services available to use, so why are we picking on just one? Automation Accounts are used in almost every Azure subscription and have been the source of two different CVEs in the last year, including one issue that exposed credentials between tenants. Given the credentials and access that are often associated with Automation Accounts, they're an easy target for attackers in an Azure subscription. In this talk, we will go over how Automation Accounts function within Azure, and how attackers can abuse built-in functionality to gain access to credentials, privileged identities, and sensitive information. Furthermore, we will do a deep dive on four vulnerabilities from the last year that all apply to Azure Automation Accounts.

As a Senior Director at NetSPI, Karl leads the Cloud Penetration Testing service line and oversees NetSPI's Portland, OR office. Karl holds a BS in Computer Science from the University of Minnesota and is approaching 15 years of consulting experience in the security industry. Karl spends most of his research time focusing on Azure security and contributing to the NetSPI blog. As part of this research, Karl created the MicroBurst toolkit (https://github.com/Netspi/Microburst) to house many of the PowerShell tools that he uses for testing Azure. In 2021, Karl co-authored the book 'Penetration Testing Azure for Ethical Hackers' with David Okeyode. Over the years, Karl has held the Security+, CISSP, and GXPN certifications. Since DEF CON 19, Karl has spent most of his conference time selling merchandise as a Goon on the Merch (formerly SWAG) team.

Speaker: Alexandre Sieira

Date: 12 Aug

Time: 11:30 - 12:10 PDT

Twitter: @AlexandreSieira

Abstract: 

Recently the Conti ransomware group internal chat leaks was fascinating reading. Among other things, it reminded us that both well-intentioned and malicious actors are constantly trying to find ways to find vulnerabilities and develop exploits to widely used IT products. This is particularly true those that are externally exposed firewalls, VPNs and load balancers, or security products that might thwart their techniques and tools.
The timeline from the chats seems to show a gap of several months between Conti members trying to procure either appliances or commercial software that they were trying to get for these purposes. This got us thinking about how the major cloud service providers these days have marketplaces where you can easily buy virtual appliances or SaaS licenses for lots of widely used IT and security products with little more than a valid credit card, in minutes. And we decided to check how feasible it is to use this to conduct vulnerability research.
In this presentation we will show what kind of access one can get to the internals of IT and security products using these marketplaces, particularly in the case of products only typically offered in hardware appliances. Which cloud providers try to prevent this sort of activity, how they do it, which ones simply don't care, and what techniques we were able to use to access these appliance's internals.
The objective here is threefold: 1) help well intentioned vulnerability researchers find an easier avenue to do their work; 2) allow cloud providers to get a better understanding of how their marketplaces can be abused and which controls they could implement to mitigate that risk, and 3) let IT and security vendors realize the added exposure of publishing their products on these marketplaces.

Alexandre (or Alex) Sieira is a successful information security entrepreneur in the information security field with a global footprint since 2003. He began his security career as a Co-Founder and CTO of CIPHER, an international security consulting and MSSP headquartered in Brazil which was later acquired by Prosegur. In 2015, he became Co-Founder and CTO of Niddel, a bootstrapped security analytics SaaS startup running entirely on the cloud, which was awarded a Gartner Cool Vendor award in 2016. After the acquisition of Niddel by Verizon in January 2018, he became the Senior manager and global leader of the Managed Security Services - analytics products under the Detect & Respond portfolio tower at Verizon. Currently is the CEO and Co-Founder of Tenchi Security, a company focused on cloud security.
Alex is also an experienced speaker having presented at Black Hat, BSides SF, FIRST Conference, DEF CON Cloud Village and local events in Brazil several times over his career.

Speaker: Noam Dahan

Date: 12 Aug

Time: 14:20 - 14:50 PDT

Twitter: @NoamDahan

Abstract: 

Every system has its blind spots. The major cloud providers are no different. The shadows in which attackers can hide out of sight (or in plain sight), and the doors that are too often left open are important parts of the cloud security landscape.
The pressure to create usability, the need to support legacy systems and workflows in a rapidly evolving landscape and the porting over of on-prem systems are just some factors that lead to these exploitable parts of cloud security.
In this talk, we'll map out a few of these built-in blind spots, focusing on AWS, Azure, and GCP in three key areas: 1) Hard knock life: Critical security areas that are hard to get right or confusingly misrepresented. 2) Trust no one! Cloud provider design flaws and backdoors that limit the degree of security that can be reached. 3) Too old for this s***: Legacy support and dirty fixes that make for great hiding places for attackers.
We'll explore cool ways to penetrate cloud environments, escalate privilege and achieve stealth. By identifying what these weak points have in common, we can also figure out how to spot more such oversights in the future.

Noam Dahan is a Senior Security Researcher at Ermetic with several years of experience in embedded security. He is a graduate of the Talpiot program at the Israel Defense Forces and spent several years in the 8200 Intelligence Corps. Noam was a competitive debater and is a former World Debating Champion.

Speaker: Shannon McHale

Date: 12 Aug

Time: 12:30 - 13:10 PDT

Twitter: @_shannon_mchale

Abstract: 

Default Google Cloud Platform (GCP) configurations include open ports, high numbers of excessive permissions, limited logging, and credential expiration dates, which security professionals would typically never let happen. But, we cannot expect users in GCP environments to know and prioritize the most secure option for each setting when they configure a resource. This inadvertently leads to unsafe environments that attackers can leverage.
In this talk, we will review the 'dangerous defaults' of GCP and how they can be abused by attackers. We'll also provide specific policies cloud architects and cloud administrators should implement to stop their users from deploying default configurations and outline how to set up policies that reduce decision fatigue on their users. The goal is for cloud architects, engineers, and Blue Teamers to implement what they see in this talk and scale their environment to be significantly more secure. It will also give my fellow Red Teamers a list of items to check for during their assessments to help organizations further harden their environments.

Shannon McHale, Associate Consultant at Mandiant, has spent her first year in the security industry focused on Red- Teaming cloud environments and recently passed the Google Cloud Certified Professional Cloud Security Engineer (PCSE) exam. As one of Mandiant's Google Cloud Platform (GCP) Subject Matter Experts (SME), she works hard on enhancing and delivering the GCP Penetration Test methodology. This is her first DefCon, but she has presented at ShmooCon and the Women in Cybersecurity (WiCyS) conferences, while simultaneously obtaining her Bachelor's of Science in Computing Security from Rochester Institute of Technology.

Speaker: Cassandra Young

Date: 12 Aug

Time: 13:10 - 13:40 PDT

Twitter: @muteki_rtw

Abstract: 

Securing application or infrastructure code in the Cloud is more than just scoping permissions in IAM and scanning ECS, EKS and EC2 instances. Attackers can use poisoned container instances, malicious code and dependencies, and vulnerable CI/CD pipelines to break into your environment, requiring you to consider the entire development lifecycle, from who's writing the code, to how it's deployed. This short talk will introduce you to basic but powerful practices you can put in place now, such as signed Git commits, securing repo access, code analysis, CI/CD permissions, and resource scanning and hardening.

Cassandra works full time in information security consulting, specializing in Cloud Security Architecture and Engineering. She holds a master's degree in Computer Science, focusing on cloud-based app development and academic research on serverless security and privacy/anonymity technology. Additionally, as one of the directors of Blue Team Village, Cassandra works to bring free Blue Team talks, workshops and more to the broader InfoSec community.

Speaker: BridgeCrew

Date: 12 Aug

Time: 13:40 - 14:20 PDT

Twitter: @bridgecrewio

Abstract: 

Our journey to open source and GitOps has exposed new security challenges as our CI platforms are exposed to the outside world. The soft underbelly of our development pipeline is just as visible to willing contributors as it is to malicious subversives looking for the keys to the cloud. In this talk, we'll look at some known disruptions to GitHub Actions workflows to show how simple misconfigurations or straight-up bad practices can leave our software supply chain wide open to attackers. We'll also take an ounce of prevention to not be the weak link for supply chain attacks.

Speaker: Nestori Syynimaa

Date: 12 Aug

Time: 10:50 - 11:30 PDT

Twitter: @DrAzureAD

Abstract: 

Microsoft Cloud bug bounty programs are one of the most well-paid programs, including Microsoft Identity program. This program covers cloud-related Elevation of Privilege vulnerabilities, having bounties up to $100,000! But as all vulnerabilities are not worth 100k, it's good to know how to make most of the low-bounty vulnerabilities.
In this talk, I'll share my experiences on the Microsoft bounty programs from 2021, when I made $65k in bounties with six vulnerabilities. I'll show how I turned a vulnerability initially categorized as 'by-design' to $40k in bounties and how I tripled the initial $5k bounty by reporting similar findings smartly.

Dr Nestori Syynimaa (@DrAzureAD) is one of the leading Azure AD / M365 security experts globally and the developer of the AADInternals toolkit. For over a decade, he has worked with Microsoft cloud services and was awarded Microsoft Most Valuable Security Researcher for 2021. Currently, Dr Syynimaa works as a Senior Principal Security Researcher for Secureworks Counter Threat Unit and hunts for vulnerabilities full time. He has spoken at many international scientific and professional conferences, including IEEE TrustCom, Black Hat Arsenal USA and Europe, RSA Conference, and TROOPERS.

Speaker: Jenko Hwong

Date: 13 Aug

Time: 10:00 - 10:40 PDT

Twitter: @jenkohwong

Abstract: 

Join in this deep dive looking at new abuses of OAuth 2.0. We'll look at a variety of attacks including phishing and stolen credential attacks, starting with Microsoft authorization code grant to Google authorization code grant using copy/paste. We'll then move on to new attacks including: OWA browser attacks, Chrome attacks, different SaaS OAuth implementations, upstream SSO attacks, and hidden uses of OAuth in Google App Scripting and Google Cloud Shell.
In a nod to Penn and Teller, with each attack, we'll reveal the underlying secret techniques used, why and how it works, and what can be generalized. We'll then show how the most common defensive measures (e.g. MFA, IP allow lists, application allow lists, authorization controls) are used to mitigate each attack, then adjust the attack to bypass the defensive measure. We'll also discuss what vendors have been doing to mitigate these attacks and whether they are effective.
Code for any demo/POCs will be made available as open-source.

Jenko Hwong is a Principal Researcher on Netskope's Threat Research Team, focusing on cloud threats/vectors. He's spent time in engineering and product roles at various security startups in vulnerability scanning, AV/AS, pen-testing/exploits, L3/4 appliances, threat intel, and windows security.

Speaker: Daniel Prizmant

Date: 13 Aug

Time: 10:40 - 11:20 PDT

Twitter: @pushrsp

Abstract: 

What is Serverless? Serverless computing is a cloud computing execution model in which the cloud provider allocates machine resources on-demand, taking care of the servers on behalf of their customers.
"Serverless" is a misnomer in the sense that servers are still used by cloud service providers to execute code for developers.
How does Serverless work? Where is this Serverless code executed? Who's in charge of securing it? There are many questions surrounding the topic of Serverless computing.
In this talk, I will present to you my research on Serverless Functions. I will show you how I managed to break the serverless interface barrier and what is hidden behind it. I will also show you how I managed to break out of the container that was supposed to contain my possibly malicious code and get to the underlying host.
I will start by explaining what is Serverless and the idea behind it. I will show some prime examples of what Serverless is supposed to be used for. I will continue with a break out of the cloud provider interface to show you the infrastructure of the machine, the server of the serverless function, that is actually running the code.
After that, I will begin walking you through my research and journey from the point of view of an attacker. I will show you how I discovered the image that the container was running and the steps I took to reverse engineer it.
From there, the path to an elevation of privileges to root to escaping the container was short. I will walk you through a very old but useful exploit I used to escalate my containerized root access to a full-on container breakout.
To finish the talk, I will discuss some of the mitigations that were in place in this instance by the cloud provider, and why they were critical in this scenario.

Daniel started out his career developing hacks for video games and soon became a professional in the information security field. He is an expert in anything related to reverse engineering, vulnerability research, and the development of fuzzers and other research tools. To this day Daniel is passionate about reverse engineering video games at his leisure. Daniel holds a Bachelor of Computer Science from Ben Gurion University.

Speaker: Christophe Tafani-Dereeper

Date: 13 Aug

Time: 11:20 - 12:00 PDT

Twitter: @christophetd

Abstract: 

To detect evil in the cloud, you must first know what 'evil' looks like. Then, it's critical to have an easy way to reproduce common attack techniques in live environments, to validate that our threat detection and logging pipelines work as intended. In this talk, we present Stratus Red Team, an open-source project for adversary emulation and end-to-end validation of threat detection in AWS, Kubernetes and Azure.
We discuss the motivation behind the project, design choices, and the philosophy behind Stratus Red Team: helping blue teams focus on real-world, documented attack techniques and empower them to iteratively build high-quality detections. We also discuss more advanced use-cases that Stratus Red Team allows, such as running it on a schedule in your CI/CD to continuously validate that the expected alerts are popping up in your SIEM.
We conclude with a live demo where we 'detonate' attack techniques against a live Kubernetes cluster and AWS account.

Christophe is a cloud security researcher and advocate at Datadog. He's passionate about threat detection in the cloud, and cloud-native technologies in general. He previously worked as a software developer, penetration tester, SOC analyst and cloud security engineer. He likes to write about technology he likes, uses, dislikes and misuses. Living in Switzerland, you can tell he's French when he speaks.

Speaker: Kat Fitzgerald

Date: 13 Aug

Time: 12:30 - 13:10 PDT

Twitter: @rnbwkat

Abstract: 

Intro time (5 mins) Well, I have to say who I am and why I'm here and my qualifications, otherwise people leave. Ok, maybe they don't leave, but I want to explain how/why I do this and how I'm going to make it a fun project for everyone after the talk!
Baking something fluffy (10 mins) Now I take a few minutes to explain the common concepts of cloud configurations such as IAM/ORG policies and how they compare to redteaming 'on-prem'. It's all about understanding the magic that is the cloud in clear terms that everyone can follow along with - and yes, there are funny jokes and memes throughout. A happy crowd is an engaged crowd! Seriously, in a quick 10 minutes, 'Pizza as a Service' is used to explain the concepts of the cloud, the attack vectors presented and how pentesters and bad actors use these attack points to their advantage.
It's clobberin time (10 mins) Let's get to it with lots of example of misconfigurations and the attack vectors they pose. This is both live (with recorded backup) demo time and OSS tool demonstrations to help find misconfigured cloud services. Not much else to say about this part. It is interactive, fun and really shows off how simple mistakes can lead to serious incidents like exposing millions of records to the public 'accidentally' or how a public github repo was used to launch over 300 VMs for crypto mining and no one knew until a month later. Oh yeah, and a brief description of how cryptomining is a fun diversion to take your attention away from what the attacker was really doing will be discussed. Peace offerings to the demo gods will be made prior to the live portion of course.
Great, now how do we fix it? (10 mins) Well, attendees have to come away with some clear AIs to be able to apply to their cloud configurations and some suggestions on how to avoid misconfigurations in the first place. Auditing tools are discussed and shown (not in demo, but output from audits are shared and discussed) Tools discussed are all OSS and nothing, (and I mean nothing!) is commercial! Before and afters of misconfigured cloud projects will be shown with some general automation suggestions to help remove the 'human threat' factor from the process.
Key Takeaways (5 mins) Let's bring it all to a neat and tidy conclusion with specific takeaways so attendees feel like they got something out of this. What good is any talk without identified specifics of what we learned and how to apply them, am I right? And there you have it, tied up neatly with a lovely bow and ready to take home!
Q/A (5 mins)

Based in Seattle and a natural creature of winter, you can typically find me sipping Grand Mayan Extra Anejo whilst simultaneously defending my systems using OSS, magic spells and Dancing Flamingos. Honeypots & Refrigerators are a few of my favorite things! Fun Fact: I rescue Feral Pop Tarts and have the only Pop Tart Sanctuary in the Seattle area.

Speaker: Felipe Esp≤sito

Date: 13 Aug

Time: 13:40 - 14:20 PDT

Twitter: @Pr0teusBR

Abstract: 

Attackers do not always land close to their objectives (data to steal). Consequently, they often need to move laterally to accomplish their goals. That is also the case in cloud environments, where most organizations are increasingly storing their most valuable data. So as a defender, understanding the possibilities of lateral movements in the cloud is a must.
Because the control plane APIs are exposed and well documented, attackers can move between networks and AWS accounts by assuming roles, pivoting, and escalating privileges. It is also possible for attackers to move relatively easily from the data plane to the control plane and vice-versa.
In this talk, we are going to explore how attackers can leverage AWS Control and Data Planes to move laterally and achieve their objectives. We will explore some scenarios that we discovered with our clients and how we approached the problem. We will also share a tool we created to help us visualize and understand those paths.

Felipe Esp≤sito also known as Pr0teus, graduated in Information Technology at UNICAMP and has a master's degree in Systems and Computing Engineering from COPPE-UFRJ, both among the top technology universities in Brazil. He has over ten years of experience in information security and IT, with an emphasis on security monitoring, networking, data visualization, threat hunting, and Cloud Security. Over the last years he has worked as a Security Researcher for Tenchi Security, a Startup focused in secure the cloud, he also presented at respected conferences such as Hackers 2 Hackers Conference, BHACK, BSides (Las Vegas and Sπo Paulo), FISL, Latinoware, SecTor, SANS SIEM Summit, and Defcon's CloudSec Village.

Speaker: Rodrigo Montoro

Date: 14 Aug

Time: 10:00 - 10:40 PDT

Twitter: @spookerlabs

Abstract: 

Amazon Web Services (AWS) is a complex ecosystem with hundreds of different services. In the case of a security breach or compromised credentials, attackers look for ways to abuse the customer's configuration of services with their compromised credentials, as the credentials are often granted more IAM permissions than is usually needed. Most research to date has focused on the core AWS services, such as , S3, EC2, IAM, CodeBuild, Lambda, KMS, etc. In our research, we present our analysis on a previously overlooked attack surface that is ripe for abuse in the wrong hands - an AWS Service called Amazon AppStream 2.0.
Amazon AppStream 2.0 is a fully managed desktop service that provides users with instant access to their desktop applications from anywhere. Using AppStream 2.0, you can add your desktop applications to a virtual machine and share access to the VM by sharing a link - without requiring any credentials, you can share an image (an attack toolset) with a target account without needing any approval from the other side or attach some privileged role to an image and get those credentials.
In this talk, you'll learn about how AppStream works, how misconfigurations and excessive IAM permissions can be abused to compromise your AWS environment and allow attackers to control your entire AWS account. We'll cover tactics such as persistence, lateral movement, exfiltration, social engineering, and privilege escalation. We will also cover the key indicators of compromise for security incidents in AppStream and how to prevent these abuse cases, showing how excessive privileges without great monitoring could become a nightmare in your Cloud Security posture, making possible attackers control your AWS account.

Rodrigo "Sp0oKeR'' Montoro has more than 20 years of experience in Information Technology and Computer Security. Most of his career worked with open source security software (firewalls, IDS, IPS, HIDS, log management, endpoint monitoring), incident detection & response, and Cloud Security. Currently, he is a Senior Threat Detection Engineer at Tempest Security. Before that, he worked as Cloud Researcher at Tenchi Security, Head of Research and Development at Apura Cyber Intelligence, SOC/Researcher at Clavis, Senior Security Administrator at Sucuri, Researcher at Spiderlabs. Author of 2 patented technologies involving innovation in the detection field. One is related to discovering malicious digital documents. The second one is in how to analyze malicious HTTP traffic. Rodrigo has spoken at several open-source and security conferences (OWASP AppSec, SANS (DFIR ,SIEM Summit and CloudSecNext), Defcon Cloud Village, Toorcon (USA), H2HC (Sπo Paulo and Mexico), SecTor (Canada - 5x), CNASI, SOURCE Boston & Seattle, ZonCon (Amazon Internal Conference), Blackhat Brazil, BSides (Las Vegas e Sπo Paulo)).

Speaker: Ricardo Sanchez

Date: 14 Aug

Time: 10:40 - 11:20 PDT

Twitter: @ric_rojo

Abstract: 

"Cloud security is evolving rapidly and can be challenging. The growing need for remote working over the last year enhances this development. How can companies keep up with the pace of change? How do you know you are secure? Are the default installations secure? How do you find and fix your Cloud misconfigurations? How do you even start doing a Cloud assessment? Is it like an on-premise one?
At the end of the conversation you will have a detailed guide with tools and examples of how can you hack/secure a cloud environment in only #4Steps.

Ricardo is a senior security specialist with business development and consultant background and over 10 years of experience. He exceeds in translating business needs into technical needs, and vice versa. He is currently the Lead of the Cloud Business Unit of one of the most important Cyber Security companies of the Netherlands. On top of that, he wrote two books with international distribution, has two patent applications as main inventor.

Speaker: Jay Chen

Date: 14 Aug

Time: 11:50 - 12:30 PDT

Abstract: 

The principle of least privilege states that a subject should be given only those privileges needed for it to complete its task. The concept is not new, but our recent research on 18,000 production cloud accounts across AWS and Azure showed that 99% of the cloud identities were overly-permissive. The majority of the identities only used less than 10% of their granted permissions.
While I investigated the issue further, one interesting pattern quickly surfaced, many overly-permissive permissions were granted by CSP-managed permission policies. CSP-managed policies were granted 2.5 times more permissions than customer-managed policies. These excessive permissions unnecessarily increased the attack surface and risks of the cloud workloads. In particular, many identities could abuse the granted permissions to obtain admin privilege.
These findings raised a few questions. Are we all doing something terribly wrong? Is the principle of least privilege a realistic and necessary goal in modern cloud environments? What can be done to mitigate the problem? Knowing the problem and the risks, I will then introduce an open-source tool IAM-Deescalate to shine a light on the problem.
IAM-Deescalate can help identify and mitigate the privilege escalation risks in AWS. It models the relationship between every user and role in an AWS account as a graph using PMapper. It then identifies the possible privilege escalation paths that allow non-admin principals to reach admin principals. For each path, IAM-Deescalate revokes a minimal set of permissions to break the path to remediate the risks. At the time of writing, IAM-Deescalate can remediate 24 out of the 31 publicly known privilege escalation techniques. On average, it remediates 75% of the privilege escalation vulnerabilities that existing open-source tools can detect.
The audience will gain a new perspective on IAM security and pick up a new tool for their security toolbox.

Jay Chen is a security researcher with Palo Alto Networks. He has extensive research experience in cloud-native, public clouds, and edge computing. His current research focuses on investigating the vulnerabilities, design flaws, and adversary tactics in cloud-native technologies. In the past, he also researched Blockchain and mobile cloud security. Jay has authored 20+ academic and industrial papers.

Speaker: Igal Flegmann

Date: 14 Aug

Time: 12:50 - 13:30 PDT

Twitter: @igal_fs

Abstract: 

In the last decade, the major cloud companies have been fighting to get market share by offering the easiest to use cloud with most services. Allowing you get a simple site up and running in a few minutes and quickly being able to scale it. While cloud providers market themselves as the most secure infrastructure for your code, their defaults are far from secure. With: certificates being able to be issued without proof of domain ownership, insecure SSH by default, default passwords, and more the move to the cloud is making it easier for you and your attackers to get into your infrastructure. In this talk we will talk about common Azure errors that will get you in trouble.

Igal started his career in Microsoft’s Azure Security team creating and managing identity services for Azure’s secure production tenants. After a successful career in Azure Security, Igal transferred teams to work in Azure’s ASCII (Azure Special Capabilities, Infrastructure, and Innovation) team, where he used his identity and security expertise to design and create security services to protect the critical infrastructure devices of the world.
To follow passion for identity and security, Igal decided to leave Microsoft and Co-found Keytos, a security company with the mission of eliminating passwords by creating easy to use PKI offerings.

Speaker: Toni de la Fuente, Sergio Garcia

Date: 12 Aug

Time: 15:00 - 17:00 PDT

Twitter: @ToniBlyx & @sergargar1

Abstract: 

Whether you are a long time Prowler user or if you are just getting started, this workshop will give you the tools to get AWS security up and running and under control at your organization.
With millions of downloads and a large community of users, Prowler is one of the most used tools when it comes to AWS security assessments, hardening, incident response and security posture monitoring.
Prowler has some new features and important changes coming in v3.0. This includes a new check architecture, python support, and a load of new checks for compliance and AWS services. In addition to allowing us to build new checks with the existing bash/aws-cli support we will teach how to do it with python as well and going beyond the AWS API and increasing the coverage of Prowler to get the most of it and adapt it to your requirements.

I'm founder of Prowler Open Source

Speaker: Darwin

Date: 13 Aug

Time: 15:00 - 17:00 PDT

Twitter: @darwnsm

Abstract: 

Kusto Query Language (KQL) is Microsoft's proprietary query language and has many use cases in enterprise Azure environments including threat hunting, threat detection and discovering misconfigured assets. In this workshop, I'll be going over these use cases and teaching the attendee how to structure KQL queries to get insights about activity in their Azure environments via Microsoft Sentinel.

Workshop Pre-requisites -
- Laptop w/ network connectivity
- An Azure subscription (Free trial or Pay-as-you-Go tier works just fine)
 - Disclaimer: Attendees may incur a small bill due to the nature of the workshop. We will be deleting everything we create during the workshop upon completion of the workshop.
- Water, snacks and an appetite for learning

Darwin Salazar is a Product Detection Engineer @ Datadog. Formerly a medical device security practitioner and cloud security consulting for several Fortune 500s. Enjoys reading, working out, spending time with family and giving back to his community.

Speaker: Nevada Romsdahl, Kamron Talebzadeh

Date: 13 Aug

Time: 12:00 - 12:30 PDT

Twitter: @nevadaromsdahl

Abstract: 

SquarePhish is a phishing tool that combines QR Codes and OAuth 2.0 Device Code Flow for Advanced Phishing Attacks against Office 365.

Nevada Romsdahl is currently a senior security researcher for Secureworks. In his 15 year information security career, Nevada has held the roles of security analyst, security architect, penetration tester and security researcher. He holds many offensive security certifications including OSCP, OSWP, OSWE, OSCE, and OSEE.
Kam Talebzadeh is a penetration tester and security researcher. He has developed and published several open-source offensive toolkits including o365spray, BridgeKeeper, and redirect.rules. Currently, he works as a Security Researcher for Secureworks. He holds the Offensive Security WebExpert (OSWE) certification.

Speaker: Siebren Kraak, Ricardo Sanchez, Roy Stultiens

Date: 13 Aug

Time: 13:10-13:40 PDT

Twitter: @

Abstract: 

Link to tool: https://www.brokenazure.cloud/
Because cloud and on-premise infrastructures are not alike, security analysts require a different skillset when assessing cloud infrastructure. There are multiple courses and exams that can be taken to learn how to work with and audit cloud environments. All these courses teach a global understanding of cloud security, but do not go in-depth due to all services having a different portal and setup. With this tool we will create security hacking training for the rapidly developing Azure space.
With this tool we will create security hacking training for the rapidly developing Azure space. We aim to breach the gap between theory and practice in a real secured Azure cloud environment. The software allows everyone that is trying to get into the field of cloud security to train their skills in the Azure space, with a Capture-the-Flag requiring multiple vulnerabilities that need to be exploited. All challenges are hosted online for free for anyone that wants to use the software. The challenges are beginner-friendly. The broken features are explained to give insight into why they exist and how they can be prevented. If the user is not able to figure out how to complete the challenge, additional hints (and eventually the answer) can be requested. The environment is built using the Infrastructure-As-Code language Terraform, which will all be open-source to allow other developers and security professionals to add new challenges and make the tool even better.

Siebren Kraak is a Dutch full-stack Azure developer specializing in Security and Cloud and is currently a master's student at a university in The Netherlands.
Ricardo Sanchez is a Senior cloud security expert with 10+ years of experience in security. He is currently leading the Cloud Security Unit in one of the larger focused cybersecurity firms in the Netherlands.
Roy Stultiens is a Security Cloud Specialist expert in serverless and containerized applications. He is a thought leader in Cloud and Kubernetes Security is one of the larger focused cybersecurity firms in the Netherlands. He has created several other training courses on these topics.

Speaker: Noam Dahan

Date: 13 Aug

Time: 14:20 - 14:50 PDT

Twitter: @NoamDahan

Abstract: 

Access Undenied on AWS analyzes AWS CloudTrail AccessDenied events û it scans the environment to identify and explain the reasons for which access was denied. When the reason is an explicit deny statement, AccessUndenied identifies the exact statement. When the reason is a missing allow statement, AccessUndenied offers a least-privilege policy that facilitates access.
IAM is a complex system in which permission information is distributed among many sources and permission evaluation logic is complex. The tool can help both defensive and offensive security teams with this challenge.
For defenders. The need to facilitate access to teams annoyed or frustrated by access denied messages often breaks least-privilege and creates excessive permissions in the environment. AccessUndenied gives a minimal least-privilege policy suggestion and prevents this. Some users of the tool are even scaling their use by hooking AccessUndenied to a Lambda that automatically handles AccessDenied messages and sends them a slack notification with the tool's output.
For offensive teams. In AWS IAM, a Deny statement trumps any allow. Therefore even after privilege escalation to admin, certain actions can still be blocked. Offensive teams can use AccessUndenied to quickly and effectively track down these explicit deny statements to then circumvent or remove them.
Sometimes, the new and more detailed AccessDenied messages provided by AWS will be sufficient. However, this is not always the case.
Some AccessDenied messages do not provide details. Among the services with (many or exclusively) undetailed messages are: S3, SSO, EFS, EKS, GuardDuty, Batch, SQS, and many more.
When the reason for AccessDenied is an explicit deny, it can be difficult to track down and evaluate every relevant policy.
When the explicit deny is in a service control policy (SCP), one has to find every single policy in the organization that applies to the account.
When the problem is a missing allow statement, users still need to define a least-privilege policy.
Github: github.com/ermetic/access-undenied-aws

Noam Dahan is a Senior Security Researcher at Ermetic with several years of experience in embedded security. He is a graduate of the Talpiot program at the Israel Defense Forces and spent several years in the 8200 Intelligence Corps. Noam was a competitive debater and is a former World Debating Champion.

Speaker: Louis Barrett

Date: 14 Aug

Time: 11:20 -11:50 PDT

Twitter: @0daysimpson

Abstract: 

Analyzing malicious digital content safely typically requires specialized tools in a sandboxed environment, and an awareness of the risk associated with specific analysis techniques.
Traditionally the process of provisioning these environments was labor intensive, and technically demanding. In this presentation i'll show you how to use DevSecOps best practices to provision lightweight, anonymous, cloud sandboxes in seconds.

0daysimpson is a Fullstack Security Researcher who has 10 years of experience in detection and response. He currently works as lead product security engineer for a SaaS AI company, where he is responsible for securing ML infrastructure and building paved road solutions for developers. He has a passion for solving hard, technical problems and integrating new software trends into traditional security practices.

Speaker: Jay Chen

Date: 12 Aug

Time: 12:10 - 12:30 PDT

Abstract: 

Our research shows that the number of known ransomware attacks grew 85%, and the ransom demand climbed 144% (2.2M) from 2020 to 2021. The abundant data stored in the cloud make them lucrative targets for ransomware actors.
Due to the fundamental difference between the cloud-native and on-premises IT infrastructure, existing ransomware will not be effective in cloud environments. Ransomware actors will need new TTPs to achieve successful disruption and extortion.
What are the weaknesses that attackers are likely to exploit? What types of cloud resources are more susceptible to ransomware attacks? How may ransomware disrupt cloud workloads? This research aims to identify the possible TTPs using the knowledge of known ransomware and cloud security incidents. I will also demonstrate POC attacks that abuse a few APIs to quickly render a large amount of cloud-hosted data inaccessible. My goal is not to create fear, uncertainty, and doubt but to help clarify the risk and mitigation strategy.

Jay Chen is a security researcher with Palo Alto Networks. He has extensive research experience in cloud-native, public clouds, and edge computing. His current research focuses on investigating the vulnerabilities, design flaws, and adversary tactics in cloud-native technologies. In the past, he also researched Blockchain and mobile cloud security. Jay has authored 20+ academic and industrial papers.

Speaker: Eugene Lim

Date: 14 Aug

Time: 12:30 - 12:50 PDT

Twitter: @spaceraccoonsec

Abstract: 

Countless projects rely on Amazon Web Services' Simple Notification Service for application-to-application communication such as webhooks and callbacks. To verify the authenticity of these messages, these projects use certificate-based signature validation based on the SigningCertURL value.
Unfortunately, developers are tasked with verifying the authenticity of the certificate URL themselves, creating a vulnerable-by-default 'configuration over convention' situation that spawns numerous vulnerabilities. This is an official design pattern recommended by AWS itself (https://docs.aws.amazon.com/sns/latest/dg/sns-verify-signature-of-message.html). I will demonstrate how various custom checks and regexes in real projects can be bypassed to forge SNS messages by leveraging a namespace clash with Amazon S3. Attackers can generate and host their own public keys on S3 buckets that pass custom verification checks, allowing them to trigger sensitive webhook functionality.
In addition, I will go further to discuss a key loophole (pending disclosure) in official AWS SDKs like sns-validator that affects all downstream dependents, from Firefox Monitor to the 70 million download/week Definitely Typed package. I will dive into possible short-, medium-, and long-term fixes pending AWS' own patch.
As a result, attendees will walk away with a better understanding of the difficulties in securing trusted application-to-application cloud messaging tools. I will discuss how to code defensively by going for convention over configuration in cloud architecture. I will also provide pointers on discovering vulnerable SNS webhook implementations through code review.

I hack for good! From Amazon to Zendesk, I've helped secure organizations from a range of vulnerabilities. In 2021, I was 1 of 5 selected from a pool of 1 million white hat hackers for the HackerOne H1-Elite Hall of Fame. At GovTech Singapore, I protect citizen data through security research. At the same time, I research cutting-edge cybersecurity issues that span a diversity of domains such as artificial intelligence and social engineering. My work has been featured at top conferences such as Black Hat, DEF CON, and industry publications like WIRED and The Register.



For Previous Talks & Recent Updates