Highlights from fwd:cloudsec Europe 2024

September 17, 2024

This week in Brussels was fwd:cloudsec Europe, the first European edition of the vendor-neutral cloud security conference for practitioners. Datadog sponsored the event and presented two research talks by Katie Knowles and Nick Frichette.

You'll find below the list of talks with a pointer to the slides. The videos will be available in the coming days on the fwd:cloudsec YouTube channel. In the meantime, you can replay the full livestream here.

fwd:cloudsec Europe talks

How to 10X Your Cloud Security

Rami McCarthy, a well-known practitioner from the community, presented several ways to build an efficient and pragmatic cloud security program. At a high level, he recommends that you:

  • Start by doing things manually, then only automate them when they have shown value and you need to scale them. Otherwise, you risk spending time automating something that you won’t end up using.
  • Focus on high-signal, low-noise tools. Having a good signal is usually more important than perfect coverage, especially in the context of a security team with limited resources.
  • Use guardrails and paved roads. Make it easy for developers and platform/infrastructure teams to do the right thing in a secure-by-default mindset, and provide guardrails to ensure that a human mistake doesn't turn into a data breach.

Rami also discussed security scorecards, partnering with FinOps, and leveraging security canaries for early attacker detection.

Cloud-Conscious Tactics, Techniques, and Procedures (TTPs)

Sebastian built this talk on a dataset of hundreds of incidents coming from CrowdStrike's incident response on the ground, trying to understand common attacker tactics in the cloud. Sebastian calls out that there are both "cloud-agnostic" and "cloud-conscious" threat actors, the latter having a deep understanding of how to actively compromise and persist in cloud environments.

Here are some key takeaways from this talk:

  • Initial compromise often happens by compromising human or machine credentials.
  • Long-lived credentials (e.g., GitHub personal access tokens, AWS access keys) are often misplaced and give attackers a straightforward and powerful initial access vector.
  • Attackers often persist in a cloud environment by creating new identities or backdooring existing ones—for instance, by resetting their password, adding new credentials, or enrolling new MFA devices.
  • Cloud-native features that pivot from the cloud control plane to virtual machines are popular with cloud engineers and just as attractive to attackers, particularly AWS SSM Session Manager, EC2 Instance Connect, and Azure Run Command.
  • Some attackers exhibit advanced behavior to persist in compromised environments. For instance, CrowdStrike witnessed attackers adding new malicious identity providers to Entra ID and Okta tenants for long-lived persistence through IdP federation.

You can reproduce some of these real-world attacks in your environment with Stratus Red Team. Techniques available in Stratus Red Team and mentioned in this presentation include:

Hidden in Plain Sight: (Ab)using Entra ID Administrative Units

In this talk, Katie Knowles describes Entra ID Administrative Units (AUs), a new feature that lets Microsoft Entra ID administrators scope role assignments to specific users, but that also allows an attacker to achieve sticky privilege persistence.

A privileged role not scoped to the AU is unable to remove the user or reset its password.

Read the full research here.

Service Agents and the Search for Transitive Access in GCP

"Confused deputy" is a situation where a trusted entity is tricked into performing some actions on behalf of another, less privileged entity. This is a common source of vulnerabilities in cloud providers, as some of our previous research has shown.

GCP Service Agents.

Kat describes an unfixed Google Cloud issue where an attacker with permissions on the Document AI service can misuse it to access and exfiltrate data in Google Cloud Storage buckets, even though they don't have the appropriate permissions.

A Look at the AWS Vulnerability Disclosure and Remediation Process

Like many tech companies, AWS runs a coordinated vulnerability disclosure (CVD) program allowing anyone to report vulnerabilities in AWS services. Ryan Nolette is part of the team that receives, analyzes, triages, and prioritizes these thousands of reports. He dives into the inner workings of this process at AWS, discusses the challenges he and his team face, and outlines how researchers can craft high-quality disclosures. See also AWS's vulnerability disclosure process (VDP).

Crafting a good vulnerability report to AWS.

Ryan also announced that the AWS VDP is now available on HackerOne.

Staying Sneaky in Microsoft Azure

Christian Philipov presented some offensive-focused research in Microsoft Azure, diving into how an attacker who has compromised an initial user can use different Microsoft APIs to further enumerate the environment and stay under the radar. The key is to leverage undocumented APIs used by the Azure portal rather than going through Microsoft Graph. With this method, it's possible to enumerate various permissions and group memberships without generating any Entra ID audit logs.

Using undocumented Azure APIs for silent enumeration.

See also Black Hills Information Security's GraphRunner research. Our very own Nick Frichette has also extensively researched undocumented APIs in AWS.

Kubernetes Audit Log Gotchas

Shay Berkovich talked about Kubernetes control plane audit logs, especially in the context of managed Kubernetes clusters. In these clusters, the cloud provider manages the API server and its logging-related CLI flags, and each provider surfaces audit logs in its own way and format. In addition, cloud-specific components such as daemonsets and authorization/authentication webhooks generate their own logs. These differences create challenges in multi-cloud situations, or when trying to write Kubernetes-focused detection rules that work independently of the cloud platform in use.
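As an added example (not code from the talk), the following Python normalises audit records as three managed providers deliver them into one event shape and runs a single detection rule over the result; the EKS, GKE and AKS record layouts it assumes, and the sample records, are constructed and labelled in the code.

```python
"""Normalise API-server audit events from EKS, GKE and AKS into one shape and run one
detection over them (added example, not from the talk). Assumed formats: EKS = raw
audit.k8s.io Event JSON; GKE = Cloud Logging entry with protoPayload.methodName and
resourceName; AKS = AzureDiagnostics row whose log_s field holds the Event JSON."""
import json

def _from_event(ev):
    # One record per stage is emitted; keep ResponseComplete only, or requests count twice.
    if ev.get("stage") != "ResponseComplete":
        return None
    ref = ev.get("objectRef", {})
    return {"user": ev["user"]["username"], "verb": ev["verb"], "name": ref.get("name", ""),
            "resource": ref.get("resource", ""), "namespace": ref.get("namespace", "")}

def _from_gke(p):
    # e.g. methodName io.k8s.core.v1.secrets.get, resourceName core/v1/namespaces/prod/secrets/db
    parts = p["resourceName"].split("/")
    i = parts.index("namespaces") + 2 if "namespaces" in parts else 2   # cluster-scoped: no ns
    return {"user": p["authenticationInfo"]["principalEmail"],
            "verb": p["methodName"].rsplit(".", 1)[-1], "resource": parts[i],
            "namespace": parts[i - 1] if i > 2 else "",
            "name": parts[i + 1] if len(parts) > i + 1 else ""}

def normalise(record):
    if "log_s" in record:                                      # AKS
        if record.get("Category") != "kube-audit":
            return None
        out, cloud = _from_event(json.loads(record["log_s"])), "aks"
    elif "protoPayload" in record:                             # GKE
        out, cloud = _from_gke(record["protoPayload"]), "gke"
    else:                                                      # EKS
        out, cloud = _from_event(record), "eks"
    return {**out, "cloud": cloud} if out else None

def secret_read_by_human(ev):
    """Detection rule: a non-system principal reading a Secret, on any cloud."""
    return (ev["resource"] == "secrets" and ev["verb"] in ("get", "list")
            and not ev["user"].startswith("system:"))

def alerts(records):
    return [ev for ev in map(normalise, records) if ev and secret_read_by_human(ev)]
# Constructed sample records: one hit per cloud plus two that must be ignored.
EKS_EVENT = {"stage": "ResponseComplete", "verb": "get", "user": {"username": "alice"},
             "objectRef": {"resource": "secrets", "namespace": "prod", "name": "db"}}
SAMPLES = [EKS_EVENT, {**EKS_EVENT, "stage": "RequestReceived"},
           {"protoPayload": {"methodName": "io.k8s.core.v1.secrets.get",
                             "resourceName": "core/v1/namespaces/prod/secrets/db",
                             "authenticationInfo": {"principalEmail": "bob@example.com"}}},
           {"Category": "kube-audit", "log_s": json.dumps({**EKS_EVENT, "user": {"username": "carol"}})},
           {"Category": "kube-audit-admin", "log_s": json.dumps(EKS_EVENT)}]
```

Running `alerts(SAMPLES)` yields one alert per cloud and drops the duplicate RequestReceived stage and the non-audit Azure row.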

Kubernetes logging gotchas.

Who Watches the Watchmen? Stealing Credentials from Policy-as-Code Engines and beyond

Policy-as-code engines such as Open Policy Agent (OPA) are commonly used to ensure that code or configuration files follow security best practices. Shelly Raban points out that these tools are also capable, by design, of executing arbitrary code. This opens the door to supply chain attacks: if an attacker is able to inject malicious rules into a policy-as-code environment, they're also able to execute code and exfiltrate secrets.

Executing arbitrary code through OPA.

Hidden Among the Clouds: A Look at Undocumented AWS APIs

Nick Frichette has found a number of vulnerabilities in AWS in the past. He describes his methodology to find undocumented AWS APIs at scale, and how that can be a valuable entrypoint for researching cloud provider vulnerabilities.

Identifying undocumented AWS APIs.

Nick has also open sourced a new project, undocumented-aws-api-hunter.

GCP and AWS Identity Federation: Lessons Learned From the Field as Well as Cross-Cloud Forensics and Incident Response

Multi-cloud is a common use case that creates some challenges for authentication and authorization. Marcus Hallberg and Attila Dulovics describe Spotify's journey through cross-cloud identity federation between AWS and Google Cloud. This was done in an environment with over 5,000 Google Cloud projects and 80 AWS accounts. In particular, removing long-lived credentials that don't expire was one of their goals. To achieve this, they leveraged Google Cloud's Workload Identity Federation and AWS's AssumeRoleWithWebIdentity.
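As an added illustration of the GCP-to-AWS direction (not Spotify's code), the following Python mints a Google OIDC token on the workload, pins the IAM role trust policy to that service account and audience, and exchanges the token for short-lived AWS credentials; the metadata URL, the `accounts.google.com` condition keys and the injected `sts` client are assumptions noted in the code.

```python
"""GCP -> AWS federation via STS AssumeRoleWithWebIdentity (added example, not
Spotify's code). Assumed: the workload runs on GCE/GKE and mints a Google OIDC
token from the metadata server; `sts` is any client with an
assume_role_with_web_identity() method, e.g. boto3.client("sts"), injected so
the exchange can be exercised without network access."""
import urllib.request

GCE_TOKEN_URL = ("http://metadata.google.internal/computeMetadata/v1/instance/"
                 "service-accounts/default/identity?format=full&audience=")

def fetch_google_id_token(audience: str) -> str:
    """Mint a short-lived OIDC token whose aud claim equals `audience`."""
    req = urllib.request.Request(GCE_TOKEN_URL + audience,
                                 headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()

def trust_policy(sa_unique_id: str, role_arn: str) -> dict:
    """Role trust policy that accepts only tokens for one service account (sub)
    minted with this role's ARN as audience (oaud). Condition keys are the ones
    AWS documents for accounts.google.com (verify against your token's claims);
    without them any Google-issued token would satisfy the Federated principal."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "accounts.google.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {"accounts.google.com:sub": sa_unique_id,
                                       "accounts.google.com:oaud": role_arn}}}]}

def exchange(sts, role_arn: str, token: str, session_name: str) -> dict:
    """Swap the Google token for 15-minute AWS credentials: nothing long-lived
    is ever stored on the workload."""
    resp = sts.assume_role_with_web_identity(
        RoleArn=role_arn, RoleSessionName=session_name,
        WebIdentityToken=token, DurationSeconds=900)
    return resp["Credentials"]

def aws_credentials_for(sts, role_arn: str, session_name: str) -> dict:
    """End to end: token from the metadata server, then the STS exchange."""
    return exchange(sts, role_arn, fetch_google_id_token(role_arn), session_name)
```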

Identity federation between Google Cloud and AWS.

Marcus and Attila also go into detail about the implications of cross-cloud identities for digital forensics and incident response.

Build Your Own CloudTrail

Chris Norman is the creator of the open source project Granted. He explores the use of the Cedar Policy Language to authorize and audit requests made to a custom web application running in the cloud. He also gives an approach for correlating application-level audit logs with CloudTrail events.

Building audit logs for a custom application.

Chris released companion code alongside his talk, available on GitHub.

Conclusion

This edition of fwd:cloudsec was the first in Europe, which was a great opportunity to meet and interact with the community on that side of the Atlantic. If you liked the content, don't forget to watch the talks from the North America edition which took place back in June.

We're eager to hear from you! If you have any questions, thoughts or suggestions, shoot us a message at securitylabs@datadoghq.com or open an issue. You can also subscribe to our newsletter or RSS feed!
