BlackHat 2017 Series

[Update: jump to the end of the page for the series index]

Late July found Haroon and I sweating buckets inside an 8th storey Las Vegas hotel room. Our perspiration was due not to the malevolent heat outside but to the 189 slides we were building for BlackHat 2017. Modifications to the slidedeck continued until just before the talk, and we’re now posting a link to the final deck. Spoiler alert: it’s at the bottom of this post.

A few years ago (2009, but who’s counting) we spoke at the same conference and then at DEF CON on Clobbering the Cloud. It’s a little hard to recall the zeitgeist of bygone times, but back then the view that “the Cloud is nothing new” was prominent in security circles (and, more broadly, in IT). The main thrust of the previous talk was taking aim at that viewpoint, showing a bunch of novel attacks on cloud providers and how things were changing:

Eight years on, and here we are again talking about Cloud. In the intervening years we’ve built and run a cloud-reliant product company, and securing that chews up a significant amount of our time. With the benefit of actual day-to-day usage and experience we took another crack at Cloud security. This time the main thrust of our talk was:

In our 2017 talk we touch on a bunch of ways in which security teams are often still hobbled by a view of Cloud computing that’s rooted in the past, while product teams have left most of us in the dust. We discuss insane service dependency graphs and we show how simple examples of insignificant issues in third parties boomerang into large headaches. We talk software supply chains for your developers through malicious Atom plugins. Detection is kinda our bag, so we’re confident saying that there’s a dearth of options in the Cloud space, and go to some lengths to show this. We cover seldom-examined attack patterns in AWS, looking at recon, compromise, lateral movement, privesv, persistence and logging disruption. Lastly we took an initial swing at BeyondCorp, the architecture improvement from Google that’s getting a bunch of attention.

We’d be remiss in not mentioning Atlassian’s Daniel Grzelak who has been developing attacks against AWS for a while now. He’s been mostly a lone voice on the topic.

One of our takeaways is that unless you’re one of the few large users of cloud services, it’s unlikely you’re in a position to devote enough time to understanding the environment. This is a scary proposition as the environment is not fully understood even by the large players. You thought Active Directory was complex? You can host your AD at AWS, it’s 1 of 74 possible services you can run on AWS.

The talk was the result of collaboration between a bunch of folks here at Thinkst. Azhar, Jason, Max and Nick all contributed, and in the next few weeks we’ll be seeing posts from them talking about specific sub-topics they handled. We’ll update this post as each new subtopic is added.

The full slidedeck is available here.

Posts in this series

  1. All your devs are belong to us: how to backdoor the Atom editor
  2. Disrupting AWS S3 Logging
  3. Farseeing: a look at BeyondCorp
  4. Canarytokens’ new member: AWS API key Canarytoken

Leave a Reply

Site Footer

Authored with 💚 by Thinkst