BlackHat 2017 Series

[Update: jump to the end of the page for the series index]

Late July found Haroon and me sweating buckets inside an 8th-storey Las Vegas hotel room. Our perspiration was due not to the malevolent heat outside but to the 189 slides we were building for BlackHat 2017. Modifications to the slide deck continued until just before the talk, and we're now posting a link to the final deck. Spoiler alert: it's at the bottom of this post.

A few years ago (2009, but who's counting) we spoke at the same conference and then at DEF CON on Clobbering the Cloud. It's a little hard to recall the zeitgeist of bygone times, but back then the view that "the Cloud is nothing new" was prominent in security circles (and, more broadly, in IT). The main thrust of the previous talk was taking aim at that viewpoint, showing a bunch of novel attacks on cloud providers and how things were changing:

Eight years on, and here we are again talking about Cloud. In the intervening years we've built and run a cloud-reliant product company, and securing that chews up a significant amount of our time. With the benefit of actual day-to-day usage and experience we took another crack at Cloud security. This time the main thrust of our talk was:

In our 2017 talk we touch on a bunch of ways in which security teams are often still hobbled by a view of Cloud computing that's rooted in the past, while product teams have left most of us in the dust. We discuss insane service dependency graphs and show how simple examples of insignificant issues in third parties boomerang into large headaches. We talk about software supply chains for your developers, via malicious Atom plugins. Detection is kinda our bag, so we're confident saying that there's a dearth of options in the Cloud space, and we go to some lengths to show this. We cover seldom-examined attack patterns in AWS, looking at recon, compromise, lateral movement, privesc, persistence and logging disruption. Lastly we took an initial swing at BeyondCorp, the architecture improvement from Google that's getting a bunch of attention.
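As an added example of the detection gap mentioned above (this is not code from the talk or from Thinkst): a small detector that reads a CloudTrail log file and flags calls that disable or tamper with the audit trail itself. The records below are constructed for the example and only follow the field names of the real CloudTrail record format; the sets of API names watched and the trail bucket name `corp-cloudtrail-logs` are assumptions, a starting point rather than an exhaustive list.

```python
import json

# Constructed sample log file in CloudTrail's on-disk shape ({"Records": [...]}).
# The records are made up for this example; only the field names follow the
# real CloudTrail record format.
SAMPLE_LOG = json.dumps({"Records": [
    {
        "eventTime": "2017-07-28T09:12:01Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ops"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": None,
    },
    {
        "eventTime": "2017-07-28T09:13:44Z",
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/compromised"},
        "sourceIPAddress": "198.51.100.7",
        "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/main-trail"},
    },
    {
        "eventTime": "2017-07-28T09:14:02Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "DeleteBucket",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ops"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"bucketName": "scratch-data"},
    },
    {
        "eventTime": "2017-07-28T09:15:30Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutBucketPolicy",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/compromised"},
        "sourceIPAddress": "198.51.100.7",
        "requestParameters": {"bucketName": "corp-cloudtrail-logs"},
    },
]})

# CloudTrail control-plane calls that switch logging off or narrow what it records.
# Assumed watch-list: extend it for your own account.
TRAIL_API = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

# S3 calls that only matter when aimed at the bucket the trail writes into:
# deleting a random bucket is noise, deleting the log bucket is not.
TRAIL_BUCKET_API = {"DeleteBucket", "PutBucketPolicy", "DeleteBucketPolicy",
                    "PutBucketAcl", "PutBucketLogging"}


def parse_log(raw):
    """Return the list of records from one CloudTrail log file."""
    return json.loads(raw)["Records"]


def classify(event, trail_buckets):
    """Return 'trail-config', 'trail-bucket', or None for an uninteresting event."""
    src = event.get("eventSource")
    name = event.get("eventName")
    # requestParameters is null in CloudTrail JSON for calls without parameters.
    params = event.get("requestParameters") or {}
    if src == "cloudtrail.amazonaws.com" and name in TRAIL_API:
        return "trail-config"
    if (src == "s3.amazonaws.com" and name in TRAIL_BUCKET_API
            and params.get("bucketName") in trail_buckets):
        return "trail-bucket"
    return None


def find_logging_disruption(raw_log, trail_buckets):
    """Scan a CloudTrail log file and return one finding per logging-tampering call."""
    findings = []
    for ev in parse_log(raw_log):
        kind = classify(ev, trail_buckets)
        if kind is None:
            continue
        findings.append({
            "kind": kind,
            "eventName": ev.get("eventName"),
            "actor": (ev.get("userIdentity") or {}).get("arn", "?"),
            "sourceIP": ev.get("sourceIPAddress", "?"),
            "time": ev.get("eventTime", "?"),
        })
    return findings


if __name__ == "__main__":
    for f in find_logging_disruption(SAMPLE_LOG, {"corp-cloudtrail-logs"}):
        print("{time} {kind:12} {eventName:16} by {actor} from {sourceIP}".format(**f))
```

The `StopLogging` call is itself recorded by CloudTrail, which is what makes it a useful signal; everything the attacker does after it is not, so a detector like this needs a companion check that alarms when a trail that normally delivers log files goes quiet.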

We'd be remiss in not mentioning Atlassian's Daniel Grzelak who has been developing attacks against AWS for a while now. He's been mostly a lone voice on the topic.

One of our takeaways is that unless you're one of the few large users of cloud services, it's unlikely you're in a position to devote enough time to understanding the environment. This is a scary proposition, as the environment is not fully understood even by the large players. You thought Active Directory was complex? You can host your AD at AWS; it's one of 74 possible services you can run on AWS.

The talk was the result of collaboration between a bunch of folks here at Thinkst. Azhar, Jason, Max and Nick all contributed, and in the next few weeks we'll be seeing posts from them talking about specific sub-topics they handled. We'll update this post as each new subtopic is added.

The full slide deck is available here.

Posts in this series

  1. All your devs are belong to us: how to backdoor the Atom editor
  2. Disrupting AWS S3 Logging
  3. Farseeing: a look at BeyondCorp
  4. Canarytokens' new member: AWS API key Canarytoken
