Clearing the Fog: Detection and Defense against Cloud Persistence Techniques

Presented at CactusCon 12 (2024), Feb. 17, 2024, 9:30 a.m. (60 minutes).

Cloud breaches are typically associated with smash-and-grab jobs such as cryptojacking or dumping S3 buckets. The threat landscape is shifting, however, as adversaries use cloud platforms to pursue more targeted goals, and as that tradecraft matures they need to slow down and establish persistence in these environments. Persistence has traditionally been viewed from the host: SSH key creation, reverse shells launched from scheduled tasks, or service installation. Complex IAM permissions and the breadth of cloud services open the door to a variety of cloud-native persistence mechanisms that defenders need to be on the lookout for.

This talk covers persistence mechanisms across the AWS and Azure platforms. The audience will learn about well-established persistence techniques as well as creative new mechanisms that rely on newer cloud services. Most importantly, it covers defensive techniques and focuses on the bottlenecks defenders can monitor to detect this activity.

Take-aways: Attendees will walk away with access to a repo containing logs of activity from the discussed persistence mechanisms, along with detection logic.
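To make the "bottleneck" idea concrete, here is an added example of the kind of detection logic the abstract refers to, written for this page and not taken from the talk or its repo. It scans CloudTrail-style records for IAM API calls that create or extend a foothold (the event names are real AWS IAM API names) and raises the severity when an access key is minted for a user other than the caller or when a role trust policy is changed to admit a principal from another account. The log records, account ID and user names are constructed for the example; the CloudTrail field names follow the real record format, which is the assumption the code rests on.

```python
import json

# IAM API calls commonly used to create or extend a foothold in an AWS account.
# These are the chokepoints: an intruder who wants durable access has to go
# through one of them, which makes them cheap to watch in CloudTrail.
PERSISTENCE_EVENTS = {
    "CreateAccessKey": "long-lived credential issued",
    "CreateLoginProfile": "console password added",
    "UpdateLoginProfile": "console password changed",
    "CreateUser": "new IAM user created",
    "AttachUserPolicy": "managed policy attached to user",
    "PutUserPolicy": "inline policy added to user",
    "UpdateAssumeRolePolicy": "role trust policy changed",
}

OWN_ACCOUNT = "111111111111"  # assumption: the AWS account being defended

# Constructed CloudTrail-style records (fictional identifiers), one JSON
# object per line. Field names follow the CloudTrail record format.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"eventTime": "2024-02-17T09:30:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "alice"}},
    {"eventTime": "2024-02-17T09:31:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2024-02-17T09:32:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "UpdateAssumeRolePolicy",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/Admin/ci"},
     "requestParameters": {"roleName": "Admin", "policyDocument": json.dumps({
         "Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                        "Principal": {"AWS": ["arn:aws:iam::111111111111:root",
                                              "arn:aws:iam::999999999999:root"]}}]})}},
    {"eventTime": "2024-02-17T09:33:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": None},
])


def parse_log(text):
    """Parse newline-delimited JSON CloudTrail records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def actor(event):
    """Best-effort name of the principal that made the call."""
    ident = event.get("userIdentity") or {}
    return ident.get("userName") or ident.get("arn") or "unknown"


def foreign_principals(policy_document, own_account):
    """Return Allow-statement AWS principals that are not in own_account.

    A role trust policy that admits another account (or '*') is a classic
    cross-account backdoor, so these are what a defender wants surfaced.
    """
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    found = []
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        if principal == "*":
            found.append("*")
            continue
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        if isinstance(aws, str):
            aws = [aws]
        for p in aws:
            if p == "*" or f"::{own_account}:" not in p:
                found.append(p)
    return found


def detect(events, own_account=OWN_ACCOUNT):
    """Flag persistence-related IAM calls; escalate the clearly abnormal ones."""
    findings = []
    for e in events:
        name = e.get("eventName")
        if name not in PERSISTENCE_EVENTS:
            continue
        params = e.get("requestParameters") or {}
        target = params.get("userName") or params.get("roleName")
        severity, detail = "medium", PERSISTENCE_EVENTS[name]
        # Rotating your own key is routine; issuing one for another user is not.
        if name == "CreateAccessKey" and target and target != actor(e):
            severity, detail = "high", detail + " for a different user"
        if name == "UpdateAssumeRolePolicy":
            foreign = foreign_principals(params.get("policyDocument", "{}"), own_account)
            if foreign:
                severity, detail = "high", f"{detail}, now trusts {foreign}"
        findings.append({"time": e.get("eventTime"), "actor": actor(e),
                         "event": name, "target": target,
                         "severity": severity, "detail": detail})
    return findings


if __name__ == "__main__":
    for f in detect(parse_log(SAMPLE_LOG)):
        print(f"{f['time']} [{f['severity']}] {f['actor']} {f['event']} "
              f"-> {f['target']}: {f['detail']}")
```

Running it on the constructed log yields three findings and ignores the benign ListBuckets call: alice's own key rotation stays medium, the key created for svc-backup and the trust policy that now admits account 999999999999 are raised to high. The point of the rule set is the small size of the event list: whatever the initial access was, durable IAM access has to pass through one of these calls.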

Presenters:

  • Ryan Thompson - Senior Intrusion Researcher - Crowdstrike
    Ryan Thompson is currently working as a Senior Intrusion Researcher at Crowdstrike. His primary functions include conducting post-mortem analysis on hands-on intrusions and researching attacker techniques and trends. Previously, Ryan has worked as an Instructor at Elastic teaching the Air Force, Navy, and Army to conduct threat hunting using open source tools such as Kibana, Suricata, and Zeek. Before that, he was a Senior Security Analyst at Alert Logic providing weekly recommendations to clients using packet analysis, IDS alerts, and log-based investigations. He currently holds several SANS certs and is a TA for SANS FOR508 (GCFA).
