On June 17–18, fwd:cloudsec brought hundreds of cloud security practitioners to Arlington, Virginia, for the fifth installment of the conference. This year, the conference carried the label fwd:cloudsec North America for the first time—a nod to the upcoming inaugural fwd:cloudsec Europe that will take place in September 2024.
While the conference is always live-streamed, this year (in a truly remarkable fashion) the individual videos are already up on YouTube. Grab your mug and a beverage of choice and spend some time with these videos—you won’t be disappointed. If you ever get a chance to attend, we highly recommend it; you will rarely get the chance to be in the same room as so many people this passionate about cloud security.
Themes
Cloud threat detection and response talks were everywhere
There was a spike in the number of talks about real-world threat actors this year. Is this the result of more attacks against the cloud than in previous years? Or is it that our cloud threat detection and incident response teams (and their capabilities) are getting better? It seems likely that both are true, but it’s unclear which is accelerating at a faster rate.
Building and sharing solutions together
Collaboration has been consistent through the years at fwd:cloudsec. This community values sharing information. Whether it’s open source tools, indicators of compromise, engineering success stories, or how to get into the field, there's a feeling that you can’t “go it alone” in cloud security, and that we must all work together to push the collective needle forward.
Cloud security specializations are rapidly evolving
This year’s content spanned all facets of cloud security: threat detection and incident response, security research, offensive security, security engineering, and security architecture. In short, the cloud security profession is rapidly specializing, and the talks at this year's conference reflected that.
Talk Highlights
On that note, let’s take a look at some of our favorite talks in security research, security engineering, and threat detection and response.
Security research
Trust Me Bro: Preexisting Trust is the New Initial Access Vector
Our own Nick Frichette’s talk really resonated with the crowd. Nick talked about vulnerabilities in AWS services that would have allowed anyone to gain access to certain AWS-created roles within victim AWS environments. While the vulnerabilities Nick identified have been fixed, he encouraged us all to think about where similar vulnerabilities might still be lurking. Other AWS services? Other cloud providers?
Hacking clouds using the power of the sun
Due to bit flipping, a small percentage of cloud traffic slips through the cracks of the internet each day. What impact could this data have in the wrong hands? Ian Mckay combines DNS and SSL bitsquatting with the results of what this “lost traffic” contains to challenge what providers may treat as acceptable risk due to heat and solar-based bit flipping. The result is some creative data collection followed by responsible disclosure. It shows how difficult security really is when you have to consider solar flares in your threat model.
Get into AWS security research as a n00bcake
What's stopping you from pursuing your own research? Using AWS as an example, Daniel Grzelak delivered a plethora of pro tips, including reviewing docs for “as designed” security issues, searching for misconfigurations in public code, and keeping an eye on errors. Dan's advice—from his own experience and others in the field—make this talk an excellent guide and a reminder that getting started doesn't need to be difficult. Down-to-earth advice and a great sense of humor make this talk a delight.
Intercloud Identities: The Risks and Mitigations of Access Between Cloud Providers
Noam Dahan and Ari Eitan provided an overview of Okta Org2Org takeovers for privileged persistence. While explaining the technicalities of this attack, they demonstrated configuration of a malicious Okta instance to authenticate a target domain on behalf of a compromised Okta instance. This was a great example of the impact an identity compromise can have, and it reportedly played into MGM’s high-profile incident last year.
Security engineering
Freeing Identity From Infrastructure: Automating Virtual Cloud IAM in a Multi-Account, Multi-Cloud Environment
Ian Ferguson shared how Datadog has solved assigning scoped identity access to container environments at scale though a sidecar container (Attaché) that intercepts calls to the metadata service. If you find Ian’s iterative solutions design process fascinating and are considering how you can apply this process to your own work, Ian open sourced Attaché for this talk.
yubidisaster: Building Robust Emergency Admin Access to AWS Accounts
Greg Kerr, Brett Caley, and Matt Jones talked about how they created a robust emergency admin access system to AWS using YubiKeys. Their premise was that they didn't want their break-glass system to depend on other systems that they might not have access to in the case of a disaster, and they walked us through their solution.
Threat detection and response
Responding to Sophisticated Ransom Attacks in the Cloud: A Real-World Case Study
Yotam Meitar walked us through the process of investigating a ransom attack against a customer. What's notable about this talk is the entertaining journey from the incident response perspective and not the attacker perspective—in other words, a reverse timeline of attacker events. We start with the ransom note and then follow Yotam as he gets to the root cause of the breach: the publicly facing application that was compromised.
LUCR-3: Cloud Clepto & SaaS-y Scattered Spider Shenanigans
Ian Ahl discussed the malicious activities of LUCR-3, a threat actor group he has been tracking for a while now. He talked about how this group is notable in that they go after specific people’s access within their identity provider, and from there they have access to everything the victim has access to. This goes beyond cloud provider access—it includes any SaaS application the victim can access. What’s notable about this attacker is that while they do dabble in cryptojacking, they mostly manually hunt around in the environment and find ways to gain money from their victims via ransom and extortion. This talk was a great reminder that threat groups will do whatever your best technical users do… for the wrong reason.
The Dark Economy of Stolen Cloud Accounts in Phishing Attacks
Alessandro Brucato and Stefano Chierici dived deep into how attackers are using AWS Simple Email Service (SES) inside client AWS accounts to conduct malicious activities. They showed how attackers can gain initial access by either buying SES keys on the black market, by running info stealer scripts on compromised workstations and laptops, or compromising a cloud-hosted application then hunting for SES credentials. From there, they talked about spam, scam, and phishing as the most commonly observed post-exploitation activities.
From Intrusion to Insight: Lessons learned from a month-long AWS compromise
Korstiaan Stam illustrated a client compromise within AWS that started with stolen long-term access keys and ended with using the victim’s AWS account to carry out phishing and spam campaigns against additional targets. The talk is light and fun, and it starts with the client figuring out they have been compromised because the attacker was creating AWS support tickets to request increased SES limits! Luckily, AWS support thought something was off and notified the client, who in turn contacted Korstiaan to help with the cloud incident response.
Another fwd:cloudsec in the books
There are over 40 talks on the YouTube playlist and the quality of these talks is exceptionally high, with an average duration of no more than 25 minutes. If something catches your interest, it's likely to deliver!
