L o a d i n g
CLOUD VILLAGE

Cloud Village is an open space to meet folks interested in offensive and defensive aspects of cloud security.

Stream Recordings Get latest updates

Hosted for DEF CON 28 at: Virtual aka SAFE MODE

Cloud CTF

Cloud Village CTF @DEF CON 28: Virtual aka SAFE MODE

CTF start time - August 7th 11 AM PST

CTF close time - August 9th 12:30 PM PST

Registrations Open - 6 AM PST 7th August 2020



If you ever wanted to break stuff on the cloud, or if you like rabbit holes that take you places you did not think you would go to, follow complicated story lines to only find you could have reached to the flag without scratching your head so much - then this CTF is for you!

Our CTF is a three days jeopardy style contest where we have a bunch of challenges hosted across multiple Cloud providers across multiple categories of difficulty.

You can register as teams or go solo, use hints or stay away from them, in the end it will be all for glory or nothing. Plus the prizes. Did we not mention the prizes? :D

See you on the other side!


CTF winners @DEF CON 28

Description Members

Position: First

Team Name: attackercommunity

Points: 2960

itsc0rg1

matir

mandatory

attackercommunity

Position: Second

Team Name: CTF_Circle

Points: 2340

tvd

Position: Third

Team Name: CTF.SG

Points: 1610

sgn00

CTF.SG

haebi

ViolentTestPen

CTF stats @DEF CON 28

Teams registered - 244

Players Registered - 353

Challenges - 11

Possible Points - 3110

Correct submissions - 333

Wrong submissions - 393

Most solves - "Commitment Issues" – 56 Solves

Least solves - "Our passion. Your potential." – 2 solves

Zero solves - "What name do I cling on?"


About

Cloud village is an open space to meet folks interested in offensive and defensive aspects of cloud security. The village is home to various activities like talks, workshops, CTFs and discussions targeted around cloud services.

If you are a professional who is looking to gain knowledge on securely maintaining the cloud stack and loves to be around like-minded security folks who share the similar zeal towards the community, Cloud Village is the perfect place for you.

Crew Members:

CFP Review Panel (DEFCON 28):


Speaker: Jenko Hwong

Twitter: @jenkohwong

Abstract: 

Imagine you've protected your production Google Cloud environment from compromised credentials, using MFA and a hardware security key. However, you find that your GCP environment has been breached through hijacking of OAuth session tokens cached by gcloud access. Tokens were exfiltrated and used to invoke API calls from another host. The tokens were refreshed by the attacker and did not require MFA. Detecting the breach via Strackdriver was confusing, slowing incident response. And revoking the active OAuth sessions required finding OAuth tokens from logs and using a REST API call, causing further delays in remediation.

This talk will demonstrate a compromised credential attack in Google Cloud Platform by:

- hijacking cached OAuth tokens stored on a GCP administrator's client machine and
- reusing existing gcloud CLI sessions to gain access to multiple GCP environments
- showing that MFA does not apply to OAuth token refreshes for cached credentials (only the initial login)

The POC takes advantage of several issues with GCP IAM design or configuration: OAuth tokens are cached and unencrypted, allowing easy access once the client endpoint has been exploited.

- Tokens can have long or no expiration, allowing potentially long time windows for compromise.
- The attacker can easily refresh tokens, allowing persistence.
- Token refresh does not require MFA making it easy to maintain persistence, creating a false sense of security when MFA is enabled.
- Authentication and Access policies are defined in different admin areas, are confusing, and easily misconfigured.
- Configuring Stackdriver Logging is confusing, leading to slow or ineffective incident response.
- OAuth tokens cannot be revoked easily making remediation difficult.

We will discuss various approaches and challenges to defending:

1. Prevention

- MFA is not required to refresh the OAuth token
- Google cloud session timeout (GSuite Admin)
- IP whitelisting (using VPC Service Controls and Access Context Manager)
- Explicit client-side revokes (manual)
2. Detection

- Stackdriver logging data access events must be enabled for all services or else the abuse of OAuth tokens will not be logged and remediation will not be possible.
- Periodic audit checks on the logs or IAM configurations can be somewhat useful for compliance, but are not real-time so are of limited use for detection.
3. Remediation

- OAuth tokens can be revoked, but there are caveats:
+ ""gcloud auth revoke"" only works on the compromised user's endpoint and requires the user account in order to look up the locally cached OAuth token. This will fail if the attacker deletes the gcloud credential cache.
+ A REST API revoke call works and requires the OAuth token, so reliable logging and event parsing must be implemented to ensure tokens can be extracted quickly for IR.
- Deletion of user accounts has a huge impact.
- Browser sessions can be revoked but does not apply to Google Cloud sessions.

Jenko Hwong is on the Threat Research Team at Netskope, focusing on cloud threats/vectors. He's spent time in engineering and product roles at various security startups in vulnerability scanning, AV/AS, pen-testing/exploits, L3/4 appliances, threat intel, and windows security.

Speaker: Dani Goland

Speaker: Mohsan Farid

Twitter: @DaniGoland

Abstract: 

When we started taking a proactive approach to blue teaming, the number of daily scans by automated vulnerability scanners dropped immensely.

In this talk, we will present the mindset we found useful and the techniques we used to make scanning our applications and infrastructure a slow and manual process.

Starting with blocking path and subdomain enumeration with a couple of lines on the proxy bombarding the banners with randomized content that is not differentiable from real content.

Next, we will simulate known vulnerabilities in a subtle way, allowing attackers to connect, pivot, perform lateral movement, and let them exfiltrate terabytes of useless data, wasting their time, resources, and letting your systems fingerprint their TTPs and IOCs

We had a blast presenting at the cloud village last year, and we have many interesting things cooking for this year!

Dani Goland, at the age of 20 he founded his own boutique company for innovative software and hardware solutions. He is a certified AWS Cloud Solutions Architect. While gaining experience in business and finance, Dani did not neglect his hands-on capabilities in both making and breaking systems. Dani recently relocated from Israel to the United States to study Data Science at the prestigious UC Berkeley. During his studies, Dani founded VirusBay, a collaborative malware research community that skyrocketed amongst the global security community with over 2500 researchers. Dani spoke at numerous cybersecurity conferences such as BlackHat USA, CodeBlue Japan, CONfidence, SEC-T, and more. After serving in the Israeli Defense Forces as a commander of a Field Intelligence unit, Dani went on an 8-month journey across South America. He loves snowboarding, music concerts, and having crazy, breathtaking experiences such as spending 5 days in the Bolivian Jungle with no food or water.

Mohsan has over 13 years of experience in the cyber security game. Mohsan has ran the gamut in the security space: from penetration testing as a Rapid7 consultant, pen testing for numerous federal agencies, hacking mobile applications, pentesting Fortune 500 companies, and speaking at cybersecurity conferences such as Defcon, Sec-T, Black Alps, and others. Mohsan’s traveled to over 100 countries and counting. When he isn’t isn't breaking into things, he likes to travel the globe in search of incredible surf, scuba diving, rock climbing, hiking, and is an avid yogi.

Speaker: Phillip Marlow

Twitter: @wolramp

Attackers frequently use valid accounts to access servers with sensitive data. This gives them ninja-like stealth in most environments, but this session will show you how to turn the tables and use a zero-touch environment to catch them.

Zero-touch environments are a product of the fast-moving world of DevOps which is being adopted by an increasing number of successful companies including Google. This session will show that by leveraging the constraints of this environment, we can identify malicious network traffic which would otherwise blend into the noise.

This proposal is based on active research and new details may emerge during preparation of the final session. A brief overview of expected included topics:

• Why care about DevOps and Zero-Touch?
• How application servers are deployed in traditional environments
• What lateral movement with valid credentials looks like in traditional environments
• How deployment works in Zero-Touch environments
• What lateral movement with valid credentials looks like in zero-touch
• Detecting the lateral movement with existing network sensors

Phillip Marlow is a cybersecurity and DevOps engineer. He helps organizations understand how to adopt DevOps practices to increase their security rather than sacrifice it in the name of speed. Phillip holds several security, cloud, and agile certifications and is currently pursuing a Master’s Degree in Information Security Engineering at SANS Technology Institute.

Speaker: Nimrod Kor

Twitter: @KorNimrod

Security teams in the cloud are faced with an overwhelming amount of information to process in order to keep their environments secure. Keeping up with everything manually is a difficult, never-ending task where failure can have high consequences. Permissions management can be a time-consuming task, and as a security engineer, you’d often ask your self “how should have access to what?” , “who have access it in the past?” and “Is it OK to remediate those excessive permissions or would it cause a downtime?“.

In this talk, we will demonstrate a method to automatically secure a live AWS IAM environment to a specific, less-permissive role that best fits the access pattern using the open-source tool: https://github.com/bridgecrewio/AirIAM/ . At the end of the talk, we will have a result in Terraform code with a much smaller attack surface and reduced risk.

Nimrod cloud security engineers team lead. He is an open source contributor to various AWS security projects and also part of Bridgecrew's founding team. A believer in terraform as a security enabler.

Speaker: Spencer Gietzen

Twitter: @SpenGietz

Traditional ransomware has become a popular tool for cybercriminals to make their buck and has cost a variety of industries hundreds of millions to billions of dollars in recent years. As trends change and corporations move from traditional data centers to cloud environments like AWS, GCP, and Azure, adversaries are adapting their techniques to match the new climate. Because of this, attackers abusing cloud APIs rather than host/network-based commands are becoming more prevalent. This talk explores the services most likely to be targeted by ransomware in AWS cloud, techniques that attackers may use, and preventative/detective measures to assist the blue team.

Spencer Gietzen comes from a background in web development and penetration testing. He is now a Cloud Security Researcher at CrowdStrike, spearheading research and development of new and upcoming cloud threats. Spencer has published a variety of research blogs and developed cloud security tools for the open source community, such as Pacu, an offensive AWS pentesting framework.

Speaker: Colin Estep

Twitter: @colinestep

If you are a customer of AWS, Azure, or GCP, you may have deployed your own bastion hosts to provide RDP or SSH access to your virtual machines. While bastions help to protect your infrastructure, there are challenges that come along with them, such as managing the identities, obtaining logs, and preventing SSH multiplexing attacks.

In this talk, we will briefly review bastion hosts and some of their shortcomings, as well as the SSH multiplexing attack. The SSH multiplexing attack uses a feature of SSH to pivot from a compromised laptop to your bastion hosts. From there, the attacker could use this feature to compromise other users and gain access to your virtual machines hosted in the cloud.

Finally, we’ll show you services that provide access to your virtual machines in all three major cloud providers that eliminate the need for bastion hosts. Some providers have more than one alternative. However, this presentation will not present all of the alternatives. It is focused on the services that generally take the following approach:

Users authenticate to the access service with their Identity and Access Management (IAM) credentials for the cloud provider.
Once authenticated, the cloud service creates an encrypted tunnel with port forwarding, which runs SSH or RDP for the user.

The benefits of this approach include:
Public IP addresses are not required in order to access the virtual machines.
It eliminates the possibility of compromising an entire organization with SSH multiplexing attacks.
In some cases, disabling a user’s IAM credentials also removes SSH or RDP access.
Cloud audit logs will capture metadata for RDP or SSH sessions, and in some cases, full session logs are easy to collect through the provider’s service.
We’ll cover Session Manager in AWS, OS Login and Identity-Aware Proxy (IAP) in GCP, and the Bastion Service in Azure. You’ll see how the services work, how they help with identity management, and where to find the SSH sessions in logs.
If you are migrating to any of these platforms, this could save you from having to go through the pain of deploying your own solutions!

Colin Estep is currently a threat researcher at Netskope focused on AWS and GCP. Colin was previously the CSO at Sift Security (acquired by Netskope), where he helped move the product towards breach detection for IaaS. He was a senior engineer on the security teams at Netflix and Apple before joining Sift. He was also a FBI Agent specializing in Cyber crime, where he spent a fair amount of time coordinating with other countries to locate and arrest malware authors and botnet operators.

Speaker: Mohit Gupta

Twitter: @_Skybound

Kubernetes is rapidly growing in popularity and is the most popular technology for container orchestration. However, it also brings its own set of challenges and security issues which may lead to novel or unexpected attack scenarios. This talk aims to go over various areas of Kubernetes security and ways that Kubernetes features could be leveraged by an attacker. It will review the core architecture and functionality of Kubernetes from a security perspective, and cover most of the common Kubernetes security features, including Pod Security Policies, Network Policies, and RBAC.

These discussions will be underlined by examples of attack paths that have been found in real-world environments, discussing how it was possible to exploit misconfigurations to escalate privileges with the end goal of compromising the cluster and breaking out into the broader environment.

Mohit has been a Security Consultant at F-Secure Consulting (previously known as MWR InfoSecurity) for the past four years with one of his specialiastions in containerisation and orchestration technologies. Mohit leads the delivery of security services in these areas, and has been involved in a wide variety of offensive and defensive security engagements involving Docker, Docker Swarm and Kubernetes. In addition to this, he has developed and led training both externally and internally for these areas.

Speaker: Alexandre Sieira

Twitter: @AlexandreSieira

AWS is a very complex and ever-changing platform, which presents a challenge to defenders and an opportunity for attackers. Among some of the most complex and powerful features of AWS is its IAM functionality, which allows for very granular control but is famously complex to learn and set up.

One the features of access control in AWS is that AWS accounts are a self-contained unit of processing, storage and access control. Given how AWS itself recommends segregation across accounts as a best practice, and the fact that many SaaS vendors request access to their customers' accounts in order to perform their services, this presents a challenge.

In this talk we will present in detail the policy-fu needed in order to securely allow principals from one account to perform actions on another, both inside different accounts in an organization but especially from the perspective of a SaaS provider that needs to access hundreds or thousands of customer accounts. Existing research on defenses and possible attacks will be presented and demonstrated to illustrate the concepts.

SaaS vendors like ""single pane of glass"" offerings, multi-cloud solutions and CSPM offerings are huge concentrators of risk since they have access to potentially thousands of customer AWS accounts. By exploring how this access can be uniquely secured due to capabilities only AWS provides and how vendors can fail at this we hope to allow attendees to better understand the risks of using these services, and also help service providers mitigate them.

Alexandre (or Alex) Sieira is a successful information security entrepreneur in the information security field with a global footprint since 2003. He began his security career as a Co-Founder and CTO of CIPHER, an international security consulting and MSSP headquartered in Brazil which was later acquired by Prosegur. In 2015, he became Co-Founder and CTO of Niddel, a bootstrapped security analytics SaaS startup running entirely on the cloud, which was awarded a Gartner Cool Vendor award in 2016. After the acquisition of Niddel by Verizon in January 2018, he became the Senior manager and global leader of the Managed Security Services - analytics products under the Detect & Respond portfolio tower at Verizon.

Currently is the Founder of Tenchi Security, a startup focused on cloud security headquartered in Brazil.

Alexandre is an experienced conference speaker in English and Brazilian Portuguese, with previous talks accepted at Black Hat, BSides San Francisco, FIRST Conference and local Latin American conferences.

Speaker: Michael Mimo

Twitter: @securitydevops

Cloud instance forensic acquisition presents certain challenges to forensics teams. Traditional forensic methods usually are not effective in the cloud. Access and networks are designed differently than in an on-premise Data Center. Forward thinking strategies need to be implemented so that Incident Response Cyber teams can effectively use forensically sound methods to examine artifacts on hosts.

My talk is about how to prepare your organization for forensic acquisitions in a cloud infrastructure. I will quickly cover how to prepare a fleet of systems for memory and physical disk forensics. The targets are AWS EC2 instances but could be applied to any other cloud providers host provisioning infrastructure. I will focus on the process and infrastructure required to do this level of inspection. By the end you will be able to apply these strategies to activities such as Threat Hunting.

Many organizations struggle with implementing Threat Hunting programs with orchestration in mind to capture memory and disk level forensics. How does a Cyber team respond to an alert they receive from a cloud host? How can they quickly collect artifacts for further forensic inspection? Last, how can you best secure the forensics infrastructure from where you launch the orchestrated forensic examiner systems?

The first part of my talk will describe the infrastructure required to be in the place to support forensic orchestration. I will outline a strategy: servers, tools, storage, and protective measures to ensure that forensic activities are conducted behind a cloud of secrecy. Maintaining stealth mode is critically important to enabling the forensic team to do their job while the business is not impacted by the investigative activities.

In the second part, we will examine the pipeline process to implement solutions in EC2 instances with pre-configured memory and acquisition tools ready to be tapped into by the forensic team. I will discuss some of the challenges encountered when conducting forensics with the different AWS hypervisor solutions.

As a result, testing each design of the Linux instances with your forensics tools is an important part of the process. Do not expect the forensic tools to work seamlessly when the architecture teams switch fundamental infrastructure designs. Each phase of the AMI delivery pipeline needs to be tested and verified that the Cyber team can continue to perform their investigations without running into challenges during a real incident. Do not wait until forensics is really needed to only find out that the tools designed did not perform their job.

Michael Mimo is the Chief Security officer at Copyright Clearance Center Inc. Prior to his current role, he was a lead Incident Response and Forensics investigator for a large major USA bank. He has been an Incident Responder in several major incidents. He is currently focused on Cloud Cyber Security research.

https://www.linkedin.com/in/michael-mimo-79a12b6/
Holds certifications in GCIH, GCFA, GCFE, GPEN
+ 5 Chief Security Officer at Copyright Clearance Center
+ 20 years in various Forensic and Cyber security roles.

Presentation Engagements:

1. FireEye Cyber Defense Summit 2019 Keynote “Securing the Cloud” https://summit.fireeye.com/learn/mainstage.html#cloud
2. Information Security Summit MassBay Community college 2019 "" Discussing Advanced Threat Detection & Vulnerability Management""
3. Information Security Summit MassBay Community college 2017 “Third Party Risk”

Speaker: Nick Jones

Twitter: @nojonesuk

The cloud brings a broad range of benefits from a security perspective, including network isolation by default, strong identity controls and unprecedented visibility. It does, however, bring many changes and unique challenges of its own when compared to an on-premise estate, with modern cloud environments make heavy use of containerisation, serverless functions and other new paradigms. As such, many of the data sources used for threat hunting and attack detection in traditional environments are no longer available. In addition, most attacks consist of abusing legitimate functionality, making it challenging at times to differentiate the malicious from the benign.

Based on first-hand experience attacking and defending large enterprises, this talk will compare and contrast the benefits and challenges of attack detection in the cloud against on-premise detection, and highlight some of the key advantages, common pitfalls and key data sources. It will also offer advice and guidance on developing your own cloud attack detection capabilities in house.

Lastly, it will present Leonidas - a cloud native toolchain that allows users to easily define, simulate and detect new attack vectors and techniques against cloud environments, all tied back to the MITRE ATT&CK framework. This will include deploying and using Leonidas, constructing and executing an attack path end-to-end, and how to implement your own test cases. It'll also cover Leonidas into your detection stack to track improvement over time and support learning and skills development within your team.

Nick Jones is the cloud security lead and a senior security consultant at F-Secure Consulting (formerly MWR InfoSecurity), where he focuses on AWS security in mature, cloud-native organisations and large enterprises. He has a number of years experience delivering offensive security assessments and services to a broad client base. When he's not delivering offensively-focused engagements, he's typically found working with clients to help them develop their security operations and attack detection capabilities.

Speaker: Wes Lambert

Twitter: @therealwlambert

No registration required. Workshops are free for all. Just tune in to the YouTube live stream.

Peeling Back the Layers and Peering Through the Clouds with Security Onion
As the number of production assets and workloads transition to cloud, it is more important than ever to be able to understand the ""goings-on"" of these type of environments. Unfortunately, many organizations still have little visibility into cloud infrastructure. Vendor-specific solutions can be cost-prohibitive, and don't always offer a complete solution for security monitoring. In this session, we'll discuss how we can better defend cloud environments by leveraging Security Onion, a completely free and open source platform for intrusion detection, enterprise security monitoring, and log management. By using Security Onion, we can pierce the veil of the cloud, and gain better visibility to facilitate threat detection, identify application misconfigurations, and assist with compliance-related efforts. Attendees should walk away with a firm grasp of the platform, understanding how they can utilize Security Onion to improve their organization's security posture, and make their adversaries cry.

Outline:

(1) Cloud
 (a) Assets/Data
 (b) Threats
 (c) Monitoring Challenges
(2) Introduction to Security Onion
 (a) Components
 (b) Data types
(3) Security Onion in the Cloud
 (a) Facilitating cloud-based intrustion detection and monitoring with traffic mirroring
 (b) Ingesting telemetry from external/vendor-specific sources
(4) Automating the Onion
 (a) Automating Security Onion Deployment

This talk assumes you have secured your individual AWS accounts at the basic level by locking down your root accounts with 2FA, and etc.

For more details on theworkshop pre-requisites, please refer the following link: click here

Speaker: Michael Wylie

Twitter: @TheMikeWylie

No registration required. Workshops are free for all. Just tune in to the YouTube live stream.

Organizational data is rapidly moving to the cloud, but it's not always intentional. The shift from on-premise data storage to the cloud constitutes a significant challenge and risk to the modern enterprise. The use of cloud file storage applications is on the rise for both consumer and business systems, which results in interesting data and metadata siting on endpoints. In this talk, we'll examine the large footprints of popular cloud file storage applications such as OneDrive and Box - learning what information can be enumerated from each cloud file storage solution. In some scenarios, data can be carved out from cache, restoring sensitive documents no longer on an endpoint.

Attendees will:

- Understand why it's critical to investigate cloud file storage applications during an incident
- Learn what files are available to examiners during an incident (e.g. local, cloud, deleted, and cached)
- See what kind of cloud file storage user activity can be audited
- Be introduced to two scenarios of unauthorized data transfer to investigate
- Be introduced to where and how different cloud file storage applications log
- Learn how to examine incidents with suspected data exfiltration using corporate issued and person cloud file storage use

The slides and labs will take a deep dive into Microsoft OneDrive, Google Drive, Dropbox, Box, and Citrix ShareFile to first understand what is known about the applications and artifacts left behind, then move into hands-on labs to analyze registry keys, log files, and other traces left behind by the applications.

Michael Wylie, MBA, CISSP is the Director of Cybersecurity Services at Richey May Technology Solutions. In his role, Michael is responsible for delivering information assurance by means of vulnerability assessments, cloud security, penetration tests, risk management, and training. Michael has developed and taught numerous courses for the U.S. Department of Defense, DEFCON, Universities, and for clients around the world. Michael is the winner of numerous SANS challenge coins and holds the following credentials: CISSP, CCNA R&S, CCNA CyberOps, GMON, GPEN, TPN, CEH, CEI, VCP-DCV, CHPA, PenTest+, Security+, Project+, and more.

Speaker: Barak Schoster

Twitter: @BarakSchoster

Planning, provisioning, and changing infrastructure are becoming vital to rapid cloud application development. Incorporating infrastructure-as-code into software development promotes transparency and immutability and helps prevent bad configurations upstream.

About this talk: Planning, provisioning, and changing infrastructure are becoming vital to rapid cloud application development. Incorporating infrastructure-as-code into software development promotes transparency and immutability and helps prevent bad configurations upstream.

In this talk:

We'll cover the current state of infrastructure security in the open source registries.

From there we will continue to discuss best practices for writing, testing, and maintaining infrastructure at scale, keeping the infrastructure code secured using open source scanners.

We will cover infrastructure security use cases like encryption, public-facing data entities and plain text secrets, And will show how to find those using policy as code.

Based on the open source tool:

https://github.com/bridgecrewio/checkov/tree/master/docs

And the training resources:

https://github.com/bridgecrewio/terragoat/
https://github.com/madhuakula/kubernetes-goat

Barak Schosteris CTO and Co-founder at Bridgecrew, working from Tel Aviv, Israel, Helping teams secure cloud infrastructure. Often contributing to open source projects including Checkov, AirIAM, Terragoat, Prowler, and others. He has previously worked for RSA focused on cybersecurity machine learning and big data architecture as well as at Fortscale and IDF tech unit. When not writing code or Barak loves to drink coffee and wine (but not at the same time).

Speaker: Setu Parimi

Twitter: @setuparimi

Abstract: 

Cloud Frontier is a security monitoring tool for Internet Facing Assets in AWS, GCP, and Azure. It can be quickly deployed into AWS and will periodically enumerate internet-facing IP addresses, Domain Names, Block Storages, CDNs, and Object Storage resources from AWS, GCP, and Azure.

The results from this enumeration process are pushed into a DynamoDB and then are sent to analyzers using an asynchronous queuing system. Analyzers use Shodan, VirusTotal, URLScan.io, Mozilla Observatory, and whois to provide insights around the following:

-Web Reputation
-IP Reputation
-DNS Information
-GeoIP Information
-IP and Domain Blacklist check etc
License: MIT License

Setu Parimi is a Cloud Security Architect with specialization towards defense-in-depth and incident response in the cloud-native environments.

Speaker: Sahir Khan

Speaker: Justin Paglierani

Abstract: 

Remediation Framework is event driven, near real time, multi account, serverless platform which identifies and remediates AWS security issues to ensure AWS usage is in compliance with a set of rules. Major focus is on remediations for misconfigurations which could make resources(ec2-ami,snapshots, s3, redshift, rds..) publicly exposed, making it low lift for attackers to get foothold or data exfiltration. The framework is easily customizable, giving the ability to add new modules for AWS resources you want to watch for/automatically fix, when they become non compliant.

This talk will be structured as below:

Introductions (1-2 minutes): Brief bio of what we do.
Background (3 minutes): Introduction to the problem statement which led us to work on automated remediation.
First iteration - Independent Lambda for remediation of each resource and the challenges we faced.
Introduction to the Framework: (5 minutes) A walkthrough of the framework, how it is pieced together to support event driven remediation for multiple AWS accounts and regions.
Demo and Q&A (10 minutes): We will open source and demo the Remediation Framework by making few AWS resources publicly exposed and letting the remediation framework fix it automatically.

Sahir Khan(skhan@flatiron.com) is Senior Security Engineer at Flatiron Health focused on Cloud Security and has deep interests in Security automation.

Justin Paglierani, justin.paglierani@flatiron.com, Justin Paglierani is a Staff Security Engineer at Flatiron Health. Prior to Flatiron, Justin worked at Bishop Fox and within the Federal Reserve System.

Schedule (DEF CON 28)


11:00 - 11:20

Opening Keynote

11:20 - 12:05

Jenko Hwong - IAM Concerned: OAuth Token Hijacking in Google Cloud (GCP)

12:05 - 12:50

Spencer Gietzen - Ransom in the Cloud

12:50 - 13:25

Barak Schoster - Static analysis of Infrastructure as code: Terraform, Kubernetes, Cloudformation and more!

13:25 - 14:10

Phillip Marlow - Can't Touch This: Detecting Lateral Movement in Zero-Touch Environments

14:10 - 16:30

Wes Lambert - Peeling Back the Layers and Peering Through the Clouds with Security Onion

11:00 - 11:45

Nimrod Kor - Least privilege using infrastructure as code

11:45 - 12:30

Dani Goland - How Blue Penetrates You

12:30 - 13:15

Colin Estep - 21 Jump Server: Going Bastionless in the Cloud

13:15 - 14:00

Setu Parimi - Cloud Frontier

14:00 - 14:45

Mohit Gupta - Attacking the Helmsman

14:45 - 15:30

Alexandre Sieira - SaaSpocalypse - The Complexity and Power of AWS Cross Account Access

15:30 - 17:30

Michael Wylie - Discovering Cloud File Storage Artifacts

11:00 - 11:45

Michael Mimo - Cloud host base strategy by staging defensive tools for Threat Hunting and Forensics

11:45 - 12:30

Sahir Khan - Remediation Framework - Auto respond to AWS nightmares.

12:30 - 13:30

Nick Jones - Cloud-Native Attack Detection and Simulation.

13:30 - 13:50

Closing Note