Inside Out - The Cloud has Never been so Close

Presented at Black Hat Europe 2019, Dec. 5, 2019, 4:35 p.m. (25 minutes)

Public cloud infrastructure adds a new management layer and security challenges that need to be well understood and secured. Because cloud provider application programming interfaces (APIs) are accessible through the internet, adversaries have a new window through which to gain highly privileged access to critical cloud assets. Traditional defense mechanisms mostly focus on network, application and operating system defense. The use of public APIs introduces a new attack surface, one that traditional defenses cannot protect.

Credential theft is a well-known attack vector used by many adversaries. It is so successful because organizations struggle to follow the principle of least privilege. The people in charge of cloud resources are usually the DevOps, Development and IT teams who need to manage those resources. Access to APIs is performed using different software development kits (SDKs) and dedicated command-line tools. Once those accounts are compromised, gaining access to high-value resources is one API call away.

In this talk, we present a new, alternative approach for attacking cloud infrastructure. We use graphs to build and illustrate the relationships between different resources, identities, and policies. After mapping all the relationships, we show how adversaries can easily abuse existing features to escalate privileges and get to high-value resources.


  • Yaron Shani - Senior Security Researcher, XM
    Yaron Shani has been working in the security field for the last 8 years. He is currently a senior researcher at XMCyber, researching how to attack and mitigate popular threat actor trends in large enterprise networks. His past work has ranged from reversing embedded systems and developing new anti-anti-debugging techniques to kernel debugging and red teaming. In his free time, Yaron likes to design and 3D print stuff, design and develop IoT devices, do 3D image processing, and make fun electronics projects.
  • Igal Gofman - Head of Security Research, XM
    Igal Gofman is Head of Security Research at XM-Cyber. Igal has a proven track record in network security, research-oriented development and threat intelligence. His research interests include network security, intrusion detection, operating systems and Active Directory. Prior to XM-Cyber, Igal worked as a security researcher at Microsoft and as a Threat Response Team Lead at Check Point Software Technologies, leading the development of the intrusion detection system. Igal has spoken at various security conferences including DEF CON and BSides.

