Cloud Threat Actors: No longer cryptojacking for fun and profit

Presented at DEF CON 30 (2022), Aug. 12, 2022, 2:55 p.m. (50 minutes)

Threat actors have elevated their attacks against cloud environments through the direct targeting and usage of Identity and Access Management (IAM) resources. Successful attacks not only expose the wider customer cloud environment workloads but also expose a defender's inability to successfully track the total scope of the incident using only a single cloud visibility tool. I have been tracking the evolution of cloud targeted threats and the threat actors behind them, what I have found is that actors who target cloud environments have begun to use techniques that are solely unique to cloud environments. So much so, that the Unit 42 threat intelligence team and I found it necessary to define these actors as Cloud Threat Actors. ""An individual or group posing a threat to organizations through directed and sustained access to cloud platform resources, services or embedded metadata.""

In this talk, we will guide the audience through the first-ever Cloud Threat Actor Index detailing the targeting cloud environments, who are behind these attacks, how they are targeting and leveraging techniques unique to cloud environments, and most importantly how poorly defined IAM identities open the biggest holes. We will also give the audience the knowledge needed to properly harden their cloud environments by illustrating how the most successful cloud-targeted attacks have occurred. IAM is the first line of defense in your cloud, knowing how attackers target and leverage IAM resources to evade detection is the best tool we have to properly defend your entire cloud infrastructure.


Presenters:

  • Nathaniel Quist
    Nathaniel Quist is a Principal Researcher working with Palo Alto Networks Unit 42 and Prisma Cloud teams on researching the threats facing public cloud platforms, tools, and services. He is actively focused on identifying the threats, malware and threat actor groups that target cloud environments. Nathaniel has worked within Government, Public, and Private sectors and holds a Master of Science in Information Security Engineering (MSISE) from The SANS Institute, where he focused on Network and System Forensics, Malware Reversal, and Incident Response. He is the author of multiple blogs, reports, and whitepapers published by Palo Alto Networks’ Unit 42 and Prisma Cloud as well as the SANS InfoSec Reading Room.

Similar Presentations: