Anatomy of a Cloud Security Breach - 7 Deadly Sins

2023-04-19

Authors: Maya Levine


Summary

Cloud breaches are becoming more sophisticated, and attackers are learning cloud-native tools and services. Real-time monitoring and trusted image sources are critical for cloud security. Supply chain compromises and blind trust in dependencies are also major concerns.
  • Real-time monitoring is critical for detecting malicious activity that uses stolen secrets
  • Malicious images can be planted in public repositories, so images should be pulled only from trusted sources
  • DDoS attacks are increasing, and containers are being used to crowdsource participation
  • Supply chain compromises and blind trust in dependencies can lead to major security issues
  • Attackers are becoming more knowledgeable about cloud-native tools and services
  • Crypto-mining attacks are low effort and high reward, and their scale is expected to increase

In one attack, an attacker exploited a vulnerable public-facing service on a Kubernetes cluster hosted in AWS. They were able to disable CloudTrail logging, steal proprietary software, and find the credentials of an IAM user belonging to a different AWS account by discovering Terraform state files in S3. The attacker had deep knowledge of cloud-native tools and services and moved and escalated adeptly. This highlights the importance of handling Terraform state files with care and not assuming that read-only access to them is safe.
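As an added example (not part of the talk or of Sysdig's material), the script below shows why read-only access to a Terraform state file is not safe: it walks the state's resources and lists every attribute that holds a credential in plaintext. The state document, resource names and values are constructed for the example.

```python
import json
import re
from typing import Dict, List

# Attribute names that commonly carry plaintext credentials in Terraform state.
SENSITIVE_KEY = re.compile(r"secret|password|private_key|token", re.IGNORECASE)


def find_plaintext_secrets(state_json: str) -> List[Dict[str, str]]:
    """Walk a Terraform state document (state format version 4) and report
    every resource attribute whose name suggests a credential. Terraform writes
    attributes in plaintext; marking a value 'sensitive' in HCL only redacts
    plan/apply output, so whoever can read the state can read these values."""
    state = json.loads(state_json)
    findings: List[Dict[str, str]] = []
    for resource in state.get("resources", []):
        address = f"{resource.get('type')}.{resource.get('name')}"
        for instance in resource.get("instances", []):
            for key, value in instance.get("attributes", {}).items():
                # Skip empty strings (e.g. encrypted_secret when no PGP key was set).
                if SENSITIVE_KEY.search(key) and isinstance(value, str) and value:
                    findings.append({"resource": address, "attribute": key, "value": value})
    return findings


# Constructed sample state for this example (not from the talk). The access-key
# pair is the placeholder pair used in AWS documentation.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [
        {"mode": "managed", "type": "aws_iam_access_key", "name": "ci",
         "instances": [{"attributes": {
             "id": "AKIAIOSFODNN7EXAMPLE", "user": "ci-deploy", "status": "Active",
             "secret": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "encrypted_secret": ""}}]},
        {"mode": "managed", "type": "aws_db_instance", "name": "app",
         "instances": [{"attributes": {
             "identifier": "app-db", "username": "admin", "password": "constructed-db-pw"}}]},
        {"mode": "managed", "type": "aws_s3_bucket", "name": "state",
         "instances": [{"attributes": {"bucket": "example-tfstate-bucket"}}]},
    ],
})

if __name__ == "__main__":
    for f in find_plaintext_secrets(SAMPLE_STATE):
        print(f"{f['resource']}: attribute '{f['attribute']}' is stored in plaintext")
```

Run the same function over a real state file pulled from your own state bucket to see which credentials anyone with s3:GetObject on that bucket would obtain.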

Abstract

What leads to a cloud security breach? Misconfigurations, exposed APIs, vulnerability exploitation, and more. Attacker motivations haven’t changed much, but their methods have adapted to new technologies. As a defender, you must adapt too. Learn about the differences between cloud and on-premises threats and breaches. What has changed? Are certain attack types more prevalent, attractive, or easy to execute in the cloud? Why? What are the high-level cloud attack trends (and defenses), and how do you cope? We will walk through 7 examples of real cloud breaches based on analysis from the Sysdig Threat Research Team. Each breach discussed involves cloud infrastructure. We focus on the attack patterns, response patterns, and other interesting elements that give insight into how to better protect and respond to incidents in cloud environments. You won’t hear general “lock your stuff down” guidance; each scenario will have a specific takeaway so you can avoid a similar pitfall. After this talk the audience will have an in-depth understanding of common cloud breaches currently running in the wild, lessons learned, and a full list of actions to avoid ending up in the news.

Materials:
