Cloud Village is an open space to meet folks interested in offensive and defensive aspects of cloud security.

Speaker: Jenko Hwong

Twitter: @jenkohwong

Abstract: 

Imagine you've protected your production Google Cloud environment from compromised credentials, using MFA and a hardware security key. However, you find that your GCP environment has been breached through hijacking of OAuth session tokens cached by gcloud access. Tokens were exfiltrated and used to invoke API calls from another host. The tokens were refreshed by the attacker and did not require MFA. Detecting the breach via Strackdriver was confusing, slowing incident response. And revoking the active OAuth sessions required finding OAuth tokens from logs and using a REST API call, causing further delays in remediation.

This talk will demonstrate a compromised credential attack in Google Cloud Platform by:

- hijacking cached OAuth tokens stored on a GCP administrator's client machine and
- reusing existing gcloud CLI sessions to gain access to multiple GCP environments
- showing that MFA does not apply to OAuth token refreshes for cached credentials (only the initial login)

The POC takes advantage of several issues with GCP IAM design or configuration: OAuth tokens are cached and unencrypted, allowing easy access once the client endpoint has been exploited.

- Tokens can have long or no expiration, allowing potentially long time windows for compromise.
- The attacker can easily refresh tokens, allowing persistence.
- Token refresh does not require MFA making it easy to maintain persistence, creating a false sense of security when MFA is enabled.
- Authentication and Access policies are defined in different admin areas, are confusing, and easily misconfigured.
- Configuring Stackdriver Logging is confusing, leading to slow or ineffective incident response.
- OAuth tokens cannot be revoked easily making remediation difficult.

We will discuss various approaches and challenges to defending:

1. Prevention

- MFA is not required to refresh the OAuth token
- Google cloud session timeout (GSuite Admin)
- IP whitelisting (using VPC Service Controls and Access Context Manager)
- Explicit client-side revokes (manual)
2. Detection

- Stackdriver logging data access events must be enabled for all services or else the abuse of OAuth tokens will not be logged and remediation will not be possible.
- Periodic audit checks on the logs or IAM configurations can be somewhat useful for compliance, but are not real-time so are of limited use for detection.
3. Remediation

- OAuth tokens can be revoked, but there are caveats:
+ ""gcloud auth revoke"" only works on the compromised user's endpoint and requires the user account in order to look up the locally cached OAuth token. This will fail if the attacker deletes the gcloud credential cache.
+ A REST API revoke call works and requires the OAuth token, so reliable logging and event parsing must be implemented to ensure tokens can be extracted quickly for IR.
- Deletion of user accounts has a huge impact.
- Browser sessions can be revoked but does not apply to Google Cloud sessions.

Jenko Hwong is on the Threat Research Team at Netskope, focusing on cloud threats/vectors. He's spent time in engineering and product roles at various security startups in vulnerability scanning, AV/AS, pen-testing/exploits, L3/4 appliances, threat intel, and windows security.

Speaker: Dani Goland

Speaker: Mohsan Farid

Twitter: @DaniGoland

Abstract: 

When we started taking a proactive approach to blue teaming, the number of daily scans by automated vulnerability scanners dropped immensely.

In this talk, we will present the mindset we found useful and the techniques we used to make scanning our applications and infrastructure a slow and manual process.

Starting with blocking path and subdomain enumeration with a couple of lines on the proxy bombarding the banners with randomized content that is not differentiable from real content.

Next, we will simulate known vulnerabilities in a subtle way, allowing attackers to connect, pivot, perform lateral movement, and let them exfiltrate terabytes of useless data, wasting their time, resources, and letting your systems fingerprint their TTPs and IOCs

We had a blast presenting at the cloud village last year, and we have many interesting things cooking for this year!

Dani Goland, at the age of 20 he founded his own boutique company for innovative software and hardware solutions. He is a certified AWS Cloud Solutions Architect. While gaining experience in business and finance, Dani did not neglect his hands-on capabilities in both making and breaking systems. Dani recently relocated from Israel to the United States to study Data Science at the prestigious UC Berkeley. During his studies, Dani founded VirusBay, a collaborative malware research community that skyrocketed amongst the global security community with over 2500 researchers. Dani spoke at numerous cybersecurity conferences such as BlackHat USA, CodeBlue Japan, CONfidence, SEC-T, and more. After serving in the Israeli Defense Forces as a commander of a Field Intelligence unit, Dani went on an 8-month journey across South America. He loves snowboarding, music concerts, and having crazy, breathtaking experiences such as spending 5 days in the Bolivian Jungle with no food or water.

Mohsan has over 13 years of experience in the cyber security game. Mohsan has ran the gamut in the security space: from penetration testing as a Rapid7 consultant, pen testing for numerous federal agencies, hacking mobile applications, pentesting Fortune 500 companies, and speaking at cybersecurity conferences such as Defcon, Sec-T, Black Alps, and others. Mohsan’s traveled to over 100 countries and counting. When he isn’t isn't breaking into things, he likes to travel the globe in search of incredible surf, scuba diving, rock climbing, hiking, and is an avid yogi.

Speaker: Phillip Marlow

Twitter: @wolramp

Attackers frequently use valid accounts to access servers with sensitive data. This gives them ninja-like stealth in most environments, but this session will show you how to turn the tables and use a zero-touch environment to catch them.

Zero-touch environments are a product of the fast-moving world of DevOps which is being adopted by an increasing number of successful companies including Google. This session will show that by leveraging the constraints of this environment, we can identify malicious network traffic which would otherwise blend into the noise.

This proposal is based on active research and new details may emerge during preparation of the final session. A brief overview of expected included topics:

• Why care about DevOps and Zero-Touch?
• How application servers are deployed in traditional environments
• What lateral movement with valid credentials looks like in traditional environments
• How deployment works in Zero-Touch environments
• What lateral movement with valid credentials looks like in zero-touch
• Detecting the lateral movement with existing network sensors

Phillip Marlow is a cybersecurity and DevOps engineer. He helps organizations understand how to adopt DevOps practices to increase their security rather than sacrifice it in the name of speed. Phillip holds several security, cloud, and agile certifications and is currently pursuing a Master’s Degree in Information Security Engineering at SANS Technology Institute.

Speaker: Nimrod Kor

Twitter: @KorNimrod

Security teams in the cloud are faced with an overwhelming amount of information to process in order to keep their environments secure. Keeping up with everything manually is a difficult, never-ending task where failure can have high consequences. Permissions management can be a time-consuming task, and as a security engineer, you’d often ask your self “how should have access to what?” , “who have access it in the past?” and “Is it OK to remediate those excessive permissions or would it cause a downtime?“.

In this talk, we will demonstrate a method to automatically secure a live AWS IAM environment to a specific, less-permissive role that best fits the access pattern using the open-source tool: https://github.com/bridgecrewio/AirIAM/ . At the end of the talk, we will have a result in Terraform code with a much smaller attack surface and reduced risk.

Nimrod cloud security engineers team lead. He is an open source contributor to various AWS security projects and also part of Bridgecrew's founding team. A believer in terraform as a security enabler.

Speaker: Spencer Gietzen

Twitter: @SpenGietz

Traditional ransomware has become a popular tool for cybercriminals to make their buck and has cost a variety of industries hundreds of millions to billions of dollars in recent years. As trends change and corporations move from traditional data centers to cloud environments like AWS, GCP, and Azure, adversaries are adapting their techniques to match the new climate. Because of this, attackers abusing cloud APIs rather than host/network-based commands are becoming more prevalent. This talk explores the services most likely to be targeted by ransomware in AWS cloud, techniques that attackers may use, and preventative/detective measures to assist the blue team.

Spencer Gietzen comes from a background in web development and penetration testing. He is now a Cloud Security Researcher at CrowdStrike, spearheading research and development of new and upcoming cloud threats. Spencer has published a variety of research blogs and developed cloud security tools for the open source community, such as Pacu, an offensive AWS pentesting framework.

Speaker: Colin Estep

Twitter: @colinestep

If you are a customer of AWS, Azure, or GCP, you may have deployed your own bastion hosts to provide RDP or SSH access to your virtual machines. While bastions help to protect your infrastructure, there are challenges that come along with them, such as managing the identities, obtaining logs, and preventing SSH multiplexing attacks.

In this talk, we will briefly review bastion hosts and some of their shortcomings, as well as the SSH multiplexing attack. The SSH multiplexing attack uses a feature of SSH to pivot from a compromised laptop to your bastion hosts. From there, the attacker could use this feature to compromise other users and gain access to your virtual machines hosted in the cloud.

Finally, we’ll show you services that provide access to your virtual machines in all three major cloud providers that eliminate the need for bastion hosts. Some providers have more than one alternative. However, this presentation will not present all of the alternatives. It is focused on the services that generally take the following approach:

Users authenticate to the access service with their Identity and Access Management (IAM) credentials for the cloud provider.
Once authenticated, the cloud service creates an encrypted tunnel with port forwarding, which runs SSH or RDP for the user.

The benefits of this approach include:
Public IP addresses are not required in order to access the virtual machines.
It eliminates the possibility of compromising an entire organization with SSH multiplexing attacks.
In some cases, disabling a user’s IAM credentials also removes SSH or RDP access.
Cloud audit logs will capture metadata for RDP or SSH sessions, and in some cases, full session logs are easy to collect through the provider’s service.
We’ll cover Session Manager in AWS, OS Login and Identity-Aware Proxy (IAP) in GCP, and the Bastion Service in Azure. You’ll see how the services work, how they help with identity management, and where to find the SSH sessions in logs.
If you are migrating to any of these platforms, this could save you from having to go through the pain of deploying your own solutions!

Colin Estep is currently a threat researcher at Netskope focused on AWS and GCP. Colin was previously the CSO at Sift Security (acquired by Netskope), where he helped move the product towards breach detection for IaaS. He was a senior engineer on the security teams at Netflix and Apple before joining Sift. He was also a FBI Agent specializing in Cyber crime, where he spent a fair amount of time coordinating with other countries to locate and arrest malware authors and botnet operators.

Speaker: Mohit Gupta

Twitter: @_Skybound

Kubernetes is rapidly growing in popularity and is the most popular technology for container orchestration. However, it also brings its own set of challenges and security issues which may lead to novel or unexpected attack scenarios. This talk aims to go over various areas of Kubernetes security and ways that Kubernetes features could be leveraged by an attacker. It will review the core architecture and functionality of Kubernetes from a security perspective, and cover most of the common Kubernetes security features, including Pod Security Policies, Network Policies, and RBAC.

These discussions will be underlined by examples of attack paths that have been found in real-world environments, discussing how it was possible to exploit misconfigurations to escalate privileges with the end goal of compromising the cluster and breaking out into the broader environment.

Mohit has been a Security Consultant at F-Secure Consulting (previously known as MWR InfoSecurity) for the past four years with one of his specialiastions in containerisation and orchestration technologies. Mohit leads the delivery of security services in these areas, and has been involved in a wide variety of offensive and defensive security engagements involving Docker, Docker Swarm and Kubernetes. In addition to this, he has developed and led training both externally and internally for these areas.

Speaker: Alexandre Sieira

Twitter: @AlexandreSieira

AWS is a very complex and ever-changing platform, which presents a challenge to defenders and an opportunity for attackers. Among some of the most complex and powerful features of AWS is its IAM functionality, which allows for very granular control but is famously complex to learn and set up.

One the features of access control in AWS is that AWS accounts are a self-contained unit of processing, storage and access control. Given how AWS itself recommends segregation across accounts as a best practice, and the fact that many SaaS vendors request access to their customers' accounts in order to perform their services, this presents a challenge.

In this talk we will present in detail the policy-fu needed in order to securely allow principals from one account to perform actions on another, both inside different accounts in an organization but especially from the perspective of a SaaS provider that needs to access hundreds or thousands of customer accounts. Existing research on defenses and possible attacks will be presented and demonstrated to illustrate the concepts.

SaaS vendors like ""single pane of glass"" offerings, multi-cloud solutions and CSPM offerings are huge concentrators of risk since they have access to potentially thousands of customer AWS accounts. By exploring how this access can be uniquely secured due to capabilities only AWS provides and how vendors can fail at this we hope to allow attendees to better understand the risks of using these services, and also help service providers mitigate them.

Alexandre (or Alex) Sieira is a successful information security entrepreneur in the information security field with a global footprint since 2003. He began his security career as a Co-Founder and CTO of CIPHER, an international security consulting and MSSP headquartered in Brazil which was later acquired by Prosegur. In 2015, he became Co-Founder and CTO of Niddel, a bootstrapped security analytics SaaS startup running entirely on the cloud, which was awarded a Gartner Cool Vendor award in 2016. After the acquisition of Niddel by Verizon in January 2018, he became the Senior manager and global leader of the Managed Security Services - analytics products under the Detect & Respond portfolio tower at Verizon.

Currently is the Founder of Tenchi Security, a startup focused on cloud security headquartered in Brazil.

Alexandre is an experienced conference speaker in English and Brazilian Portuguese, with previous talks accepted at Black Hat, BSides San Francisco, FIRST Conference and local Latin American conferences.

Speaker: Michael Mimo

Twitter: @securitydevops

Cloud instance forensic acquisition presents certain challenges to forensics teams. Traditional forensic methods usually are not effective in the cloud. Access and networks are designed differently than in an on-premise Data Center. Forward thinking strategies need to be implemented so that Incident Response Cyber teams can effectively use forensically sound methods to examine artifacts on hosts.

My talk is about how to prepare your organization for forensic acquisitions in a cloud infrastructure. I will quickly cover how to prepare a fleet of systems for memory and physical disk forensics. The targets are AWS EC2 instances but could be applied to any other cloud providers host provisioning infrastructure. I will focus on the process and infrastructure required to do this level of inspection. By the end you will be able to apply these strategies to activities such as Threat Hunting.

Many organizations struggle with implementing Threat Hunting programs with orchestration in mind to capture memory and disk level forensics. How does a Cyber team respond to an alert they receive from a cloud host? How can they quickly collect artifacts for further forensic inspection? Last, how can you best secure the forensics infrastructure from where you launch the orchestrated forensic examiner systems?

The first part of my talk will describe the infrastructure required to be in the place to support forensic orchestration. I will outline a strategy: servers, tools, storage, and protective measures to ensure that forensic activities are conducted behind a cloud of secrecy. Maintaining stealth mode is critically important to enabling the forensic team to do their job while the business is not impacted by the investigative activities.

In the second part, we will examine the pipeline process to implement solutions in EC2 instances with pre-configured memory and acquisition tools ready to be tapped into by the forensic team. I will discuss some of the challenges encountered when conducting forensics with the different AWS hypervisor solutions.

As a result, testing each design of the Linux instances with your forensics tools is an important part of the process. Do not expect the forensic tools to work seamlessly when the architecture teams switch fundamental infrastructure designs. Each phase of the AMI delivery pipeline needs to be tested and verified that the Cyber team can continue to perform their investigations without running into challenges during a real incident. Do not wait until forensics is really needed to only find out that the tools designed did not perform their job.

Michael Mimo is the Chief Security officer at Copyright Clearance Center Inc. Prior to his current role, he was a lead Incident Response and Forensics investigator for a large major USA bank. He has been an Incident Responder in several major incidents. He is currently focused on Cloud Cyber Security research.

https://www.linkedin.com/in/michael-mimo-79a12b6/
Holds certifications in GCIH, GCFA, GCFE, GPEN
+ 5 Chief Security Officer at Copyright Clearance Center
+ 20 years in various Forensic and Cyber security roles.

Presentation Engagements:

1. FireEye Cyber Defense Summit 2019 Keynote “Securing the Cloud” https://summit.fireeye.com/learn/mainstage.html#cloud
2. Information Security Summit MassBay Community college 2019 "" Discussing Advanced Threat Detection & Vulnerability Management""
3. Information Security Summit MassBay Community college 2017 “Third Party Risk”

Speaker: Nick Jones

Twitter: @nojonesuk

The cloud brings a broad range of benefits from a security perspective, including network isolation by default, strong identity controls and unprecedented visibility. It does, however, bring many changes and unique challenges of its own when compared to an on-premise estate, with modern cloud environments make heavy use of containerisation, serverless functions and other new paradigms. As such, many of the data sources used for threat hunting and attack detection in traditional environments are no longer available. In addition, most attacks consist of abusing legitimate functionality, making it challenging at times to differentiate the malicious from the benign.

Based on first-hand experience attacking and defending large enterprises, this talk will compare and contrast the benefits and challenges of attack detection in the cloud against on-premise detection, and highlight some of the key advantages, common pitfalls and key data sources. It will also offer advice and guidance on developing your own cloud attack detection capabilities in house.

Lastly, it will present Leonidas - a cloud native toolchain that allows users to easily define, simulate and detect new attack vectors and techniques against cloud environments, all tied back to the MITRE ATT&CK framework. This will include deploying and using Leonidas, constructing and executing an attack path end-to-end, and how to implement your own test cases. It'll also cover Leonidas into your detection stack to track improvement over time and support learning and skills development within your team.

Nick Jones is the cloud security lead and a senior security consultant at F-Secure Consulting (formerly MWR InfoSecurity), where he focuses on AWS security in mature, cloud-native organisations and large enterprises. He has a number of years experience delivering offensive security assessments and services to a broad client base. When he's not delivering offensively-focused engagements, he's typically found working with clients to help them develop their security operations and attack detection capabilities.