The widespread adoption of AWS as an enterprise platform for storage, computing and services makes it a lucrative opportunity for the development of AWS focused APTs. We will cover pre-infection, post-infection and advanced persistency techniques on AWS that allows an attacker to access staging and production environments, as well as read and write data and even reverse its way from the cloud to the the corporate datacenter.
This session will cover several methods of infection including a new concept - "account jumping" for taking over both PaaS (e.g. ElasticBeans) and IaaS (EC2, EC2 Containers) resources, discussing poisoned AMIs, dirty account transfer, as well as leveraging S3 and CloudFront for performing AWS specific credentials thefts that can easily lead to full account access. We will then discuss the post-infection phase and how attackers can manipulate AWS resources (public endpoints like EC2 IPS, Elastic IPS, load balancers and more) for complete MITM attacks on services. We will demonstrate how attackers code can be well hidden via Lambda functions, some cross zone replication configuration and the problem with storage affinity to a specific account. We'll examine hybrid deployments from the cloud and compromising the on premise datacenter by leveraging and modifying connectivity methods (HW/SW VPN, Direct connect or cloud hub). Finally, we'll end with a discussion on best practices that can be used to protect from such attacks such as bastion SSH/RDP gateways, understanding the value of CASB based solutions and where they fit, leverage audit and HSM capabilities in AWS as well as looking at different Isolation approaches to create isolation between administrators and the cloud while still providing access to critical services.
Dan Amiga is the Co-Founder and CTO of FireGlass, a cybersecurity startupwhich commercializes military grade network security concepts into paradigmshifting enterprise security products. Amiga has spent years doing IT securityin the IDF intelligence where he was focused on inventing and developing newsecurity solutions that go far beyond firewalls, proxies or heuristic basedanti-malware solutions. After moving to the private sector, Amiga has workedfor the Microsoft Technology Center as a senior consultant for highly secureorganizations, governments and critical infrastructure companies. He thenmoved to the energy giant Schneider Electric where he held the position ofChief Software Architect. Amiga has given talks in major internationalsecurity and software conferences and is also an adjunct professor in theInterdisciplinary Center, Israel, teaching advanced cloud computing topics.
Dor Knafo leads the security research at FireGlass and is responsible for allmalware, web attacks and reverse engineering research. Prior to FireGlass,Knafo spent five years in the IDF Intelligence as a security and researchengineer.