Last week over 30,000 hackers, cybersecurity professionals, government officials, and members of the press flocked to the neon oasis of Las Vegas, Nevada, for the popular series of community events known as Hacker Summer Camp. Datadog was proud to participate, hosting twelve talks and workshops over the course of the week. We also released our latest security-focused open-source tool, Grimoire. We were thrilled to be able to present critical vulnerabilities in cloud technologies, educate others on security best practices, meet with customers, and spend time with the security community.
In this post, we’ll cover the highlights from these events.
What is Hacker Summer Camp?
Hosted every summer in Las Vegas, Hacker Summer Camp is a collection of security conferences, the most notable of which are Black Hat USA, DEF CON, BSides Las Vegas, and The Diana Initiative. These conferences are an opportunity for the security community to gather, share knowledge, and revel in shared experiences. They include conference talks, workshops, open-source tool demonstrations, and a myriad of other activities suitable for security experts and novices alike.
Datadog sponsored The Diana Initiative and was present in the busy Black Hat business hall, where we met with hundreds of attendees and chatted about how we could help solve their security challenges.
This year’s themes
Across keynotes, presentations, booth conversations, and in-depth press discussions, a consistent set of themes emerged at this year's conferences, making clear that the cybersecurity landscape is evolving at an unprecedented pace:
- API security and ephemeral environments: API security remains a significant focus, with particular attention on securing ephemeral environments, reflecting the industry's shift towards more dynamic and temporary infrastructure.
- Generative AI and large language models (LLMs): GenAI and LLMs continue to be hot topics, with discussions highlighting the growing accessibility of these technologies for both homegrown solutions and closed models, signaling their increasing role in security strategies.
- Sustainability in security: There's a strong emphasis on sustainability within the security landscape, with discussions around playbooks, auto-remediation workflows, and integrating security earlier in the software development lifecycle (SDLC) to promote long-term security practices.
- Evolving security metrics: Traditional KPIs like mean time to detect (MTTD) and mean time to respond (MTTR) are being reconsidered. There’s a shift toward metrics that assess the improvement of processes and the effectiveness of SOC analysts, with a growing interest in the use of local LLMs for correlation and predictive insights.
- Skills-based hiring and recognition in security: A highlight was the discussion on the shift toward a skills-based hiring model in the government and private sector, underscoring that there are more open roles than there are people to fill them. This indicates a broader move toward valuing practical skills and contributions in the security field.
Datadog talks, workshops, and open source projects
At this year’s summer camp, Datadogs participated in twelve events across the main stages, the villages, and more.
Kicking in the door to the cloud: Exploiting cloud provider vulnerabilities for initial access
Datadog Security Research has a reputation for consistently uncovering vulnerabilities and new attack paths in AWS. At last year's Black Hat, Nick Frichette (Staff Security Researcher) gave a presentation on bypassing AWS CloudTrail. This year he gave his talk Kicking in the Door to the Cloud: Exploiting Cloud Provider Vulnerabilities for Initial Access on the Black Hat USA main stage, DEF CON main stage, and at the DEF CON Cloud Village.
In his talk, Nick shared his research on breaking into AWS accounts by exploiting vulnerabilities in AWS services. From cross-service confused deputy attacks to exploiting vulnerable trust policies caused by AWS Amplify, Nick showed several ways in which an adversary could gain access to victim AWS accounts.
Nick also shared an edge case in which an external adversary could still exploit the Amplify vulnerability.
You can find the presentation slides here.
Open source: Stratus Red Team, KubeHound, and the Managed Kubernetes Auditing Toolkit (MKAT)
Open source software is in Datadog's DNA, and it's much more than just opening up source code. We actively try to build a community around our open source projects and make sure we hear firsthand from our contributors, champions, and users.
At Black Hat Arsenal, Christophe Tafani-Dereeper (Cloud Security Advocate and Researcher), Andrew Krug (Head of Security Advocacy), and Julien Terriac (Engineering Manager of Adversary Simulation Engineering) presented and demonstrated three of our most popular open source security projects:
- Stratus Red Team: an adversary emulation tool tailored for the cloud (slides)
- KubeHound: a project that identifies attack paths in Kubernetes clusters
- MKAT: an auditing toolkit that helps close the most common gaps in managed Kubernetes clusters (slides)
Detection engineering and purple teaming in the cloud
Christophe has worked on several sides of detection engineering. In this talk at the DEF CON Cloud Village, he summarized some lessons learned the hard way, along with practical advice for starting a cloud detection engineering program. He also introduced Grimoire, a brand new open source project to help with AWS detection engineering.
The slides are available here.
Privilege escalation and persistence with Azure Policy
At the DEF CON Cloud Village, Zander Mackie (Detection Engineer in our Security Research team) shared his research about abusing the Azure Policy service, a core compliance feature in Azure. Some bad memes were presented to minor amusement.
Hands-on Kubernetes security with KubeHound
Julien Terriac delivered a two-hour, hands-on workshop on using KubeHound. KubeHound is an easy-to-use yet powerful way to identify and visualize attack paths in Kubernetes clusters.
Abusing misconfigured OIDC authentication in cloud environments
Building on previously released research, Christophe Tafani-Dereeper demonstrated some of the risks of using OIDC with GitHub Actions in cloud environments. This included a detailed case study in which he was able to compromise credentials for a production AWS account of the UK government.
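The misconfiguration class behind this kind of research is an IAM role trust policy that federates to GitHub's OIDC provider but does not pin the token's `sub` claim to a specific repository, so a workflow in any GitHub repository can assume the role. The following check is an added example, not code from the talk or from Datadog; it audits a trust-policy document for a missing `aud` or `sub` condition and for over-broad `sub` patterns (the sample policies, account ID and repository names are constructed placeholders).

```python
from typing import Any

GITHUB_OIDC_HOST = "token.actions.githubusercontent.com"
AUD_KEY = f"{GITHUB_OIDC_HOST}:aud"
SUB_KEY = f"{GITHUB_OIDC_HOST}:sub"


def _as_list(value: Any) -> list:
    """IAM allows a scalar or a list in most fields; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def audit_github_oidc_trust_policy(policy: dict) -> list[str]:
    """Flag Allow statements that let GitHub's OIDC provider assume the role without pinning the sub claim."""
    findings: list[str] = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        principal = stmt.get("Principal")
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if (stmt.get("Effect") != "Allow"
                or "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action"))
                or not any(GITHUB_OIDC_HOST in p for p in federated)):
            continue
        # Flatten condition keys across operators (StringEquals, StringLike, ...).
        conditions: dict[str, list] = {}
        for keys in (stmt.get("Condition") or {}).values():
            for key, val in keys.items():
                conditions.setdefault(key, []).extend(_as_list(val))
        if AUD_KEY not in conditions:
            findings.append(f"statement {idx}: no audience ({AUD_KEY}) condition")
        subs = conditions.get(SUB_KEY, [])
        if not subs:
            findings.append(f"statement {idx}: no {SUB_KEY} condition; any GitHub repository can assume this role")
        for pattern in subs:
            # A wildcard in the org/repo position trusts every repository on GitHub.
            if pattern.startswith("*") or pattern.startswith("repo:*"):
                findings.append(f"statement {idx}: over-broad sub pattern {pattern!r}")
    return findings


# Constructed sample trust policies (not from the talk); account ID and org are placeholders.
PROVIDER = "arn:aws:iam::111111111111:oidc-provider/token.actions.githubusercontent.com"
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Federated": PROVIDER},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {AUD_KEY: "sts.amazonaws.com"}}}]}  # aud pinned, sub missing
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Federated": PROVIDER},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {AUD_KEY: "sts.amazonaws.com"},
                  "StringLike": {SUB_KEY: "repo:example-org/example-repo:ref:refs/heads/main"}}}]}
```

Running the audit over a role's trust policy (for example the `AssumeRolePolicyDocument` returned by `iam:GetRole`) yields one finding for the weak policy and none for the hardened one.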
His slides are available here.
Conclusion
It was great to join so many other security practitioners at this year's Hacker Summer Camp to share our research, educate others, continue building our existing relationships, and create new ones. It is a time that reminds all of us of the hacker spirit. We are already hard at work preparing for next year, tracking threat actors, developing new tools, and finding new attack paths in the cloud. Defending the cloud is a year-round activity for us. Be on the lookout for new research from Datadog Security Labs soon!