Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform Capabilities

Presented at Black Hat USA 2018, Aug. 9, 2018, 11 a.m. (50 minutes).

Until recently, major public cloud providers have offered relatively basic toolsets for identifying suspicious activity occurring inside customer accounts that may indicate a compromise. Some organizations have invested significant resources to build their own tools or have leveraged industry vendor offerings to provide this visibility. The reality is, that barrier has meant that a large number of organizations haven't dedicated those resources to this problem and therefore operate without sufficient detection and response capabilities that monitor their cloud accounts for compromise.

Amazon Web Services, Google Cloud Platform, and Microsoft Azure have recently launched a new set of native platform threat and anomalous behavior detection services to help their customers better identify and respond to certain issues and activities occurring inside their cloud accounts. From detecting crypto-currency mining to identifying bot-infected systems to alerting on suspicious cloud credential usage to triggering on cloud-specific methods of data exfiltration, these new services aim to make these kinds of detections much easier and simpler to centrally manage.

But what new and unique insights do they offer? What configuration is required to achieve the full benefits of these detections? What types of activities are not yet covered? What attack methods and techniques can avoid detection by these systems and still be successful? What practical guidelines can be followed to make the best use of these services in an organization?

Follow along as we attempt to answer these questions using practical demonstrations that highlight the real threats facing cloud account owners and how the new threat detection capabilities perform in reducing the risks of operating workloads in the public cloud.


Presenters:

  • Brad Geesaman - Independent Cloud Infrastructure Security Consultant,  
    Brad Geesaman is an independent cloud infrastructure security consultant helping secure container orchestration systems running inside the major cloud providers. Prior to this, he was the Cyber Skills Development Engineering Lead at Symantec Corporation where he designed, developed, supported, and delivered large-scale ethical hacking learning simulations inside Kubernetes on AWS. Although his first passions were penetration-testing and security system administration, his life-long passion is educating others on the real-world security risks inherent in complex infrastructure systems.

Links:

Similar Presentations: