Cloud Village is an open space to meet folks interested in offensive and defensive aspects of cloud security.

Speaker: Mohammed Ilyas Ahmed, Syed Aamiruddin

Date: 09 Aug

Time: 15:40 - 17:40 PDT

X: @beingilyasahmed

Bio: 

Mohammed Ilyas Ahmed is an industry professional with extensive expertise in security within the DevSecOps domain, where he diligently works to help organizations bolster their security practices. With a fervent dedication to enhancing security posture, Mohammed's insights and guidance are invaluable to those navigating the complex landscape of DevSecOps. In addition to his involvement in industry events, Mohammed is an active speaker and judge, lending his expertise to technical sessions at prestigious conferences. His commitment to advancing knowledge is evident through his research contributions at Harvard University, where he contributes to journal publications, enriching the academic discourse surrounding security practices, and as a distinguished member of the Harvard Business Review Advisory Council, underscores his commitment to advancing knowledge and fostering collaboration between academia and industry.
Mohammed Ilyas Ahmed's influence extends even further as a Member of the Global Advisory Board at Vigitrust Limited, based in Dublin, Ireland. This additional role highlights his international reach and his involvement in shaping global strategies for cybersecurity and data protection.
Mohammed's dedication to excellence is further highlighted by his numerous certifications, which serve as a testament to his proficiency and depth of knowledge in the security domain. However, beyond his professional pursuits, Mohammed is a multifaceted individual with a diverse range of interests, adding richness to his character and perspective.

Aamiruddin Syed is a Senior Product Security Engineer with over eight years of industry experience. Specializing in DevSecOps, Shift-Left Security, cloud security, and internal penetration testing, he excels in automating security within CI/CD pipelines, developing security automation, and integrating security into infrastructure as code. His work involves securing cloud platforms by implementing best infrastructure provisioning and configuration practices. His penetration testing skills enable him to conduct targeted internal assessments of critical applications and systems, proactively identifying risks. He bridges the gap between security and engineering teams, embedding security directly into products, including those in the manufacturing sector.
Aamiruddin holds dual master’s degrees in Cybersecurity from Northeastern University and Jadavpur University. As a recognized security advocate, he frequently speaks at industry conferences, chairs technical conferences such as ICCTICT, and serves as a judge for the Globee Awards for Cybersecurity. He actively contributes to open-source security tools designed to make security seamless for developers. In his free time, Aamiruddin enjoys traveling and photography.

Abstract: 

In the ever-evolving landscape of containerized applications, ensuring the integrity and security of your container images is paramount. Join us for an immersive, hands-on workshop titled "Hands-On Container Image Security: Mastering Sigstore for Unbreachable Integrity," where we'll dive deep into securing your container images using the cutting-edge open-source tools Cosign and Rekor from the Sigstore project.

This workshop will provide a comprehensive, practical introduction to Sigstore tools, demonstrating how they can be seamlessly integrated into your DevOps workflows. We'll begin with a brief overview of the common security challenges associated with container images and how Sigstore addresses these issues by providing automated and tamper-proof signing and verification processes.

Participants will then engage in hands-on exercises, where they'll:
1. Learn to sign container images and verify their integrity using Cosign. We'll guide you through setting up Cosign, signing your first image, and verifying its signature, ensuring you have a solid understanding of this powerful tool.
2. Delve into using Rekor, Sigstore's transparency log, to record and verify signed image metadata. You'll experience firsthand how Rekor enhances security by providing an immutable log of all signed images, ensuring accountability and traceability.
3. Discover how to seamlessly integrate these tools into your existing DevOps pipelines, automating the signing and verification process, and ensuring that only trusted and verified images make it to production environments.

By the end of this workshop, you'll have gained hands-on experience with Sigstore tools and a deep understanding of how to implement them in your own environment. This session is tailored for DevOps engineers, security professionals, and software developers who are committed to enhancing their container security practices.

Don't miss this unique opportunity to acquire practical knowledge and skills in securing your container images. Join us and learn how to leverage Sigstore's powerful tools to ensure your container images are secure, verified, and trustworthy, safeguarding your applications from potential threats.

Speaker: Ezz Tahoun

Date: 10 Aug

Time: 13:50 - 15:50 PDT

Bio: 

Ezz Tahoun, a distinguished cyber-security data scientist, who won AI & innovation awards at Yale, Princeton and Northwestern. He also got innovation awards from Canada’s Communications Security Establishment, Microsoft US, Trustwave US, PIA US, NATO, and more. He ran data science innovation programs and projects for OrangeCyber Defense, Forescout Technologies, Royal bank of Canada, Governments, and Huawei Technologies US. He has published 20 papers, countless articles and 15 open source projects in the domain. When he was 19 years old he started his CS PhD in one of the top 5 labs in the world for cyber & AI, in the prestigious University of Waterloo, where he published numerous papers and became a reviewer for top conferences. His designations include: SANS/GIAC-Advisory-Board, aCCISO, CISM, CRISC, GCIH, GFACT, GSEC, CEH, GCP-Professional-Cloud-Architect, PMP, BENG and MMATH. He was an adjunct professor of cyber defense and warfare at Toronto’s school of management.

Abstract: 

Interpret the vast amount of alerts (from different sources) received with a comprehensive, hands-on autonomous attack correlation & false positive detection workshop designed to enhance your proactive defense in the cloud. The workshop aims to demystify the process of identifying coordinated attacks amidst this noise, empowering attendees to improve their efficacy & utilize the cloud cost-effectiveness.

No data science expertise is required. Little cloud & secops expertise is required.

Intro:
- The session begins with a foundational overview of event analysis challenges and state of the art.
- Participants will learn about the ATT&CK framework, focusing on its Flows, Tactics, & Techniques to standardize threat detection.


AI & Data:
- A deep dive into accessible open-source AI tools will follow, featuring clustering algorithms, natural language processing, & Markov chains.
- Guidance on importing, cleaning, & normalizing data will ensure accuracy in subsequent analyses.
- Participants will have access to a demo environment to apply these tools interactively.


Mapping Alerts:
- Techniques for automated mapping of alerts to ATT&CK will be demonstrated.
- Attendees will engage in mapping exercises using AI.


Clustering Alerts:
- The workshop will cover clustering methods based on temporal, spatial, & technical attributes.
- Participants will engage in clustering sample alerts to form contextualized attack steps.


Correlating Alerts:
- The importance of killchains in cybersecurity will be highlighted, with methods to link attack steps into cohesive killchains.
- Participants are guided in creating & analyzing killchains to identify coordinated attacks.


Tickets:
- Criteria for creating FP Tickets, Incident Tickets, & Attack Story Tickets will be outlined.
- Participants will engage in generating sample tickets, ensuring each type is comprehensive & actionable.


Integrating & QA:
- The session will cover integration into existing SOC setups & automation using scripts & tools.
- Demonstrations will show how to maintain & update the system for continuous improvement, emphasizing cost-effective cloud automation.
- QA, troubleshooting, & further resources.


By the end of this interactive workshop, participants will have experience with AI tools mapping alerts to Techniques, clustering them into contextualized attack steps, & constructing comprehensive killchains to uncover coordinated attacks. Additionally, they will learn to generate actionable tickets for immediate response & long-term improvements in their security posture, all without needing advanced data science knowledge. This session encourages practical application in participants' environments & further exploration of the vast capabilities of open-source AI in cybersecurity, & showcases the power of cloud cost-effectiveness in big data analytics (sagemaker, s3, lambda, etc.).

Speaker: Seth Art

Date: 10 Aug

Time: 16:00 - 18:00 PDT

X: @sethsec

Bio: 

Seth Art is a Senior Security Advocate at Datadog. Prior to joining Datadog, Seth created and led the Cloud Penetration Testing practice at Bishop Fox. He is the author of multiple cloud focused open source tools including BadPods, IAMVulnerable, and CloudFoxable, and the co-creator of the popular cloud penetration testing tool, CloudFox.

Abstract: 

Whether you are responsible for attacking or defending cloud environments, you want to know how attackers compromise them and what successful post-exploitation looks like in the cloud.

This workshop focuses on learning how attackers typically compromise cloud environments, and what post-exploitation looks like. Each workshop attendee will have access to an AWS account deployed with a collection of intentionally vulnerable cloud resources that represent misconfigurations exploited during real cloud penetration tests.

In most cases, attackers gain initial access to cloud environments in one of three ways: They compromise a vulnerable application or service in the cloud, a misconfigured cloud resource, or a user with access to the cloud. In this workshop we will be attacking an intentionally vulnerable cloud environment with all three types of vulnerabilities.

Each section of the workshop will start with an instructor led introduction followed by hands-on hacking. There is something for everyone, regardless of your offensive skill level. Anyone familiar with Linux commands and the AWS CLI is welcome to attend, and even those who have been in the field for years will find something to challenge them.

Speaker: Harsha Koushik, Anand Tiwari

Date: 09 Aug

Time: 12:30 - 13:00 PDT

X: @0xlcheetah, @anandtiwarics

Bio: 

Harsha Koushik is a security engineer and researcher, passionate about securing digital systems. Specializing in Cloud-Native Application Platform Protection (CNAPP), tackling emerging cyber threats while working at large scales. Additionally, Harsha hosts the security podcast 'Kernel-Space,' exploring insightful discussions on the latest trends and issues in cybersecurity.

Anand Tiwari is an information security professional with a strong technical background working as a Product Manager (PM), focusing on the more technical aspects of a cloud security product. He tries to fill it in by doing in-depth technical research and competitive analysis, given business issues, strategy, and a deep understanding of what the product should do and how the products actually work. He has authored ArcherySec—an open source-tool and has presented at BlackHat, DEF CON USA, and HITB conferences. He has successfully given workshops at many conferences such as DevOpsDays Istanbul, Boston.

Abstract: 

Cloud Offensive Breach and Risk Assessment (COBRA) is an open-source tool designed to empower users to simulate attacks within multi-cloud environments, offering a comprehensive evaluation of security controls. By automating the testing of various threat vectors including external and insider threats, lateral movement, and data exfiltration, COBRA enables organizations to gain insights into their security posture vulnerabilities. COBRA is designed to conduct simulated attacks to assess an organization's ability to detect and respond to security threats effectively.

It facilitates Proof of Concept (POC) evaluations, assesses security controls, measures maturity levels, and generates comprehensive reports, enabling organizations to enhance their cloud security resilience through lifelike threat scenarios.

COBRA Features:
---
Seamless Integration for POC and Tool Evaluation: COBRA provides seamless integration for Proof of Concept (POC) and tool evaluation purposes. Whether you're exploring new cloud-native applications or evaluating existing solutions, COBRA offers a user-friendly interface and flexible deployment options to facilitate effortless testing and assessment.
Comprehensive Assessment of Cloud-Native Security Posture: Gain unparalleled insights into your organization's existing cloud-native security posture with COBRA. Our advanced assessment capabilities enable you to identify vulnerabilities, assess security controls, and pinpoint areas for improvement. By understanding your current security posture, you can proactively address gaps and strengthen your defenses against emerging threats.
Benchmarking Against Industry Standards and Best Practices: COBRA enables you to benchmark your cloud security controls against industry standards and best practices. With our comprehensive benchmarking framework, you can compare your security posture against established benchmarks, identify areas of strength and weakness, and prioritize remediation efforts accordingly.
Actionable Insights and Recommendations: COBRA goes beyond providing insights by providing a report delivering actionable recommendations tailored to your organization's specific needs. Whether it's optimizing security configurations, implementing additional controls, or enhancing incident response processes, COBRA equips you with the tools and guidance needed to bolster your cloud security defenses.

Continuous Threat Simulation: COBRA offers a modular and templatized approach for users to easily integrate additional modules, allowing for continuous threat simulation and adaptability, by providing a flexible framework for adding modules, COBRA ensures that users can tailor their threat simulation capabilities according to evolving security needs, making it an ideal platform for continuous threat simulation.

Speaker: Victor Pasknel

Date: 09 Aug

Time: 15:10 - 15:40 PDT

X: @pasknel

Bio: 

Cybersecurity professional with a proven track record of 13 years in executing red-team operations, penetration testing, war games, and vulnerability assessments. Possessing a strong academic background, including a PhD in Applied Informatics from the University of Fortaleza (Brazil) earned in 2022, coupled with over a decade of experience as a university professor specializing in information security.

Abstract: 

A CI/CD pipeline is a sequence of steps designed to automate the software delivery process. DevOps environments consist of multiple systems that collaborate to facilitate CI/CD pipelines. However, DevOps systems are significant targets for attackers due to their possession of credentials and access keys for various components, including domain accounts, databases, and cloud assets.
Epyon is a versatile tool for red teamers to target common DevOps systems. It is open source and written entirely in Golang. Moreover, it features multiple modules, such as GitLab, SonarQube, and Azure DevOps.
During this demonstration, I will present examples (based on real project experiences) of how to utilize Epyon for privilege escalation and lateral movement within a DevOps environment.

Speaker: Scott Weston

Date: 10 Aug

Time: 10:00 - 10:30 PDT

X: @WebbinRoot

Bio: 

Originally from southern CA, I am currently a senior security consultant for NetSPI based out of Minneapolis, MN. My assessment experience includes web applications, AWS, GCP, and external networks. I spoke about AWS organizations at fwd:cloudsec 2023 with most of the talk summarized in the 2 part blogpost here: https://www.netspi.com/blog/technical-blog/cloud-pentesting/pivoting-clouds-aws-organizations-part-1/. I got accepted to speak at fwd:cloudsec 2024 for a new tool I've been making to pentest GCP environments (mirroring Pacu-like structure). In my spare time I like to pursue bug bounties if the opportunity arises, play videogames, assume the role of dungeon master every so often, and just hang out.

Abstract: 

When discussing the various cloud providers within the last decade, Google Cloud Platform (GCP) is often seen as the smaller provider following AWS and Azure with regards to market share. While GCP might appear smaller than its rival cloud providers, it still is very much in use today, and with this use comes the opportunities for developing pentesting tools. As I've been learning GCP over the last year, I have been making a framework in python (much like Pacu for AWS) specifically for GCP. This includes enumeration modules for some of the core services (Cloud Storage, Cloud Functions, Cloud Compute, IAM) along with the incorporation of numerous exploit modules, many of them rooted in Rhino Security's currently public GCP exploit repository (https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/tree/master). In addition, the framework is built such that it should be easy for a first-time GCP user or beginner to code and develop modules that focus on purely navigating individual resources and easily drop those into the framework. The overall goal is to make an up-to-date, maintained enumeration and exploit toolset for GCP pentesters/red teams/researchers alike that reduces the barrier of entry for learning GCP by allowing average users to make their own modules that easily incorporate with the overall framework.

Speaker: Filipi Pires

Date: 10 Aug

Time: 12:40 - 13:10 PDT

X: @FilipiPires

Bio: 

I’ve been working as Security and Threat Researcher and Cybersecurity Advocate at senhasegura, Founder at Black&White Technology, Cybersecurity Advocate, Snyk Ambassador, Application Security Specialist and Hacking is NOT a crime Advocate. International Speaker at Security and New technologies events in many countries such as US, Canada, France, Spain, Germany, Poland, and others, I’ve served as University Professor in Graduation and MBA courses at Brazilian colleges, in addition, I'm Creator and Instructor of the Course - Malware Attack Types with Kill Chain Methodology (PentestMagazine), PowerShell and Windows for Red Teamers(PentestMagazine) and Malware Analysis - Fundamentals (HackerSec).

Abstract: 

During this presentation, we will address the critical importance of permission management in Cloud Native integrations and how an inadequate permissions model can create significant advantages for attackers. We will demonstrate how an attacker can exploit standard permissions to achieve privilege escalation, explain what Choke Points are, and illustrate Attack Paths in practice, showing how an attacker can progress towards success in their objectives. As the ultimate goal of this talk, we will present practical actions to enhance the security of your environment in this context and mitigate these threats.

Speaker: Hubert Lin

Date: 09 Aug

Time: 12:10 - 12:30 PDT

X: @hubertwslin

Bio: 

Hubert Lin is an offensive security expert, specializing in remote vulnerability exploitation, honeypots, and penetration testing. He previously led the signature team for network threat defense and was a senior staff engineer on the Red Team at Trend Micro. In his roles, he assessed network intrusion prevention systems and conducted sanctioned red team exercises to enhance corporate security. Hubert holds certifications as a Red Hat Certified Engineer (RHCE) and an Offensive Security Certified Professional (OSCP). Currently, he works at Netskope as a Sr. Staff Researcher.

Abstract: 

The Cloud Shell feature from cloud service providers offers a convenient way to access resources within the cloud, significantly improving the user experience for both administrators and developers. However, even though the spawned instance has a short lifespan, granting excessive permissions could still pose security risks to users. This talk reveals an abuse methodology that leverages an unexpected, public-facing port in GCP Cloud Shell discovered during recon. Through manipulation in Linux Netfilter's NAT table, it serves various internally running services such as HTTP, SOCKS, and SSH within the Cloud Shell container to the public. This configuration could be exploited by adversaries to bypass the Google authentication needed in its Web Preview feature to leak data, to deliver malicious content, or to pivot attack traffic through the Google network.

Speaker: Zander Mackie

Date: 09 Aug

Time: 13:00 - 13:25 PDT

X: @ZanderMackie

Bio: 

Zander Mackie is a father, husband, security researcher, and developer. He’s worked across the stack as a software engineer, from fixing CSS bugs to writing systems code for container orchestration. He’s driven by a relentless need to figure out how things work and fixing bugs is his favorite.

Abstract: 

The Microsoft Azure threat matrix contains a mysterious and almost empty item: AZT508 - Azure Policy, which suggests this service can break bad but gives almost no details as to how. To quote Microsoft: “Azure Policy helps to enforce organizational standards and to assess compliance at-scale.“ How does this banal sounding service come to be used for attacking Azure users?

This talk aims to fill in the picture. We will explore the Azure Policy service and how it can be used for badness: punching holes in acls, creating persistent backdoors on virtual machines, assigning attacker controlled roles to resources, modifying database encryption, etc. I will demo an abuse scenario, and discuss others that can be used for privilege escalation and persistence. I will also discuss a confused deputy attack on this service. Finally, I will share detection and control recommendations.

Talk Outline:
---
The Azure Policy service (3 mins):
- What it is, how it works, and how it is intended to be used. This service is billed as an integral part of the Azure compliance story. Policies examine resources and can block or alert on non-compliance.
- Introduce the components at play and lay the groundwork for understanding later abuse. -----There are lots of interlocking pieces to understand.
- Introducing policy effects which go far beyond normal auditing scope. Effects are how policies can make changes to resource configuration.

Establishing the abuse case: (7 mins)
- Discussion of evil that can be done with intended functionality including a demo
- Policy adds an arbitrary script to every VM, which runs as soon as it starts up, calling a reverse shell home.
- Policy turns off database encryption
- Policy to assign an RBAC role to attacker controlled account
- What privileges and roles are need for the above

Privesc scenario (7 mins)
- Policy initiatives - these are higher level groupings of policies
- Confused deputy attack via initiative
- The curious case of `append` actions
- Policies can append an attacker IP to every new ACL in your environment
- Adding attacker ssh keys to all VMs

Speaker: Liv Matan

Date: 10 Aug

Time: 11:50 - 12:15 PDT

X: @terminatorLM

Bio: 

Liv Matan (@terminatorLM) is a Senior Security Researcher at Tenable, where he specializes in application and web security. He previously worked as a Security Researcher at Ermetic and served in the Israeli Intelligence Corps as a Software Developer.
As a bug bounty hunter, Liv has found several vulnerabilities in popular software platforms, such as Azure, Google Cloud, AWS, Facebook and Gitlab, was recognized by Microsoft as a Most Valuable Researcher, and has presented at conferences such as DEF CON Cloud Village and fwd:cloudsec.
Liv studied computer science at the Weizmann Institute of Science, in Israel. In his free time, he boxes, lifts weights and plays Capture the Flag (CTF).

Abstract: 

Cloud providers build their services a little like Jenga towers. They use their core services as the foundation of more popular customer-facing offerings. You may think you’re just creating a GCP cloud function in an empty account. In reality, with one click, you’re creating resources in six different services: a Cloud Build instance, a Storage Bucket, an Artifact Registry or a Container Registry, and possibly a Cloud Run instance and Eventarc triggers. The security of the entire stack is only as strong as the weakest link.

By looking at the entire stack, we can find privilege escalation techniques and even vulnerabilities that are hidden behind the stack. In my research, I was able to find a novel privilege escalation vulnerability and several privilege escalation techniques in GCP.

The talk will showcase a key concept, sometimes not discussed enough: cloud services are built on top of each other, and one click in the console can cause many things to happen behind the scenes. More services mean more risks and a larger attack surface.

The next part will dive deep into the vulnerable GCP cloud functions deployment flow. I will showcase the vulnerability I found in this flow, which enables an attacker to run code as the default Cloud Build service account by exploiting the deployment flow and the flawed trust between services resulting in a large fix and change in GCP IAM and Cloud Functions. This would grant an attacker high privileges to key services such as Storage, Artifact Registry, and Cloud Build.

However, this talk is about more than just a vulnerability. By understanding cross-service dependency, we can reveal a broad attack surface for many possible privilege escalation vectors between services. I will demo a simple tool I wrote to find the hidden APIs that are called by the CSP when performing an action.

By the end of this talk, the audience will learn the dangers of treating cloud services like a black box. The talk explains the hidden deployment flow behind one important stack, and provides the tools to uncover the risks of many more.

Speaker: Brandon Colley

Date: 10 Aug

Time: 12:15 - 12:40 PDT

X: @techBrandon

Bio: 

Brandon Colley has over fifteen years of experience administering and securing Active Directory (AD) and Windows environments. Brandon is a Senior Security Consultant for Trimarc specializing in providing reality-based AD and Entra ID security assessments. He served as a systems administrator for multiple organizations before shifting career focus to information security. He has published multiple articles through Quest, Practical 365 and Trimarc Hub. Brandon enjoys speaking engagements and has previously presented at BsidesKC, Hackers Teaching Hackers, and PancakesCon. He co-hosts a weekly podcast, interviewing infosec professionals and has appeared on multiple broadcasts, including the Phillip Wylie Show. Brandon delivers material in a humorous, yet effective manner with a focus on content built for a Blue Team through a Red lens.

Abstract: 

Microsoft Entra Conditional Access sits at the forefront of organization's security boundaries. The ever-changing climate of conditional access continues to give administrators more and more security controls. The tradeoff of which is increased complexity when attempting to balance security and productivity. The more policies deployed in a tenant, the greater the chance for misconfigurations that create opportunities for exploitation. Whether you're a cloud administrator, security consultant, or adversary, the goal remains the same: to find the holes in conditional access.

This talk discusses lessons learned from real-life engagements and identifies multiple strategies for evaluating conditional access. Topics and tooling are explored that view conditional access from several different angles. First, understanding PowerShell and Graph API is vital when combing through policies, finding gaps in user, group, role, location, application, or device configuration. Second, simulation of logon criteria and reporting on authentication events helps to understand where policies fall short. Finally, creating a visual representation of each policy is helpful to better see policy details or build executive reports. Each of these provides an important piece of the puzzle when attempting to identify methods to bypass security controls. Audience members should expect to leave with an arsenal of new tools and techniques to continuously monitor conditional access for risk.

Speaker: William Taylor

Date: 11 Aug

Time: 12:20 - 12:40 PDT

Bio: 

Security consultant with a background in embedded engineering and DevOps, which has lead to an interest in mobile, Cloud, and Kubernetes security. I used to make things work; now I break things, professionally and ethically.

Abstract: 

Engineers can carefully build their networks, designing the traffic flow explicitly through well constructed controls, even following design best practices from the CSP themselves, only to be let down by unexpected subtleties in the exact way certain technologies operate.

In this talk, we will take a look at just such a case study concerning Transit Gateways (TGW) in AWS, where security consultants were able to communicate freely across an apparent network boundary. We will review how TGWs are attached to subnets, and how the documentation implies they should operate. Then we will examine why NACLs appeared to be having no effect on blocking traffic, and allowed an effectively flat network between two peered accounts.

This case study will demonstrate the importance and effectiveness of practical testing, either internally by the developers or with an external reviewer, in confirming – or in many cases quite the opposite – that the operation matches the design aims. It isn’t always easy to find that leak, but if there is a puddle of water on the floor then at least you know you need to start looking for the flaw. This talk will show through the TGW case study and a few other examples how we noticed the puddle, how we found the leak, how it was fixed, and how hopefully the same leak won’t spring twice.