Breach Detection At Scale With AWS Honey Tokens

Presented at Black Hat Asia 2018, March 22, 2018, 5 p.m. (30 minutes)

When an attacker finds an AWS access key, it's like an unscratched instant lottery ticket. If they're lucky, the prize is full control of your cloud infrastructure. If they're unlucky, it's just an information disclosure vector that leads to more chances for them to win. PROJECT SPACECRAB turns every ticket into a losing ticket, that also alerts your security team that the ticket has been scratched.

SPACECRAB lets you generate, annotate and alert on AWS keys configured as honey tokens at scale. Using your CI/CD or orchestration infrastructure you can put them anywhere, even across your supply chain, and when bad actors find them, they'll use them. Alarms will go off and you'll know not only that you are breached, but where.

We'll also present some data on how and when compromised AWS keys are abused in the wild.

Presenters:

• Daniel Grzelak - Head of Security, Atlassian
  Daniel Grzelak is a 100% cyber-free Head of Security at Atlassian. He files TPS reports so that his team can fight the good fight, detecting bad guys pwning the clouds.
• Dan Bourke - Senior Security Analyst, Atlassian
  Dan Bourke is a security analyst at Atlassian. His two greatest fears are writing bios and public speaking, so this is going great so far.

Links:

• https://www.blackhat.com/asia-18/briefings/schedule/#breach-detection-at-scale-with-aws-honey-tokens-9446
• https://www.youtube.com/watch?v=UJFDcLwq1uI

Similar Presentations:

• Black Hat USA 2016 / Hardening AWS Environments and Automating Incident Response for AWS Compromises
• THOTCON 0x8 (2017) / Transitioning to AWS in a Hurry Without Getting Owned
• ShmooCon XIV (2018) / AWS Honey Tokens with SPACECRAB