SlideShare a Scribd company logo

Detecting Credential Compromise in AWS (Black Hat Conference 2018)

Priyanka Aash
Priyanka Aash

Credential compromise in the cloud is not a threat that one company faces, rather it is a widespread concern as more and more companies operate in the cloud. Credential compromise can lead to many different outcomes depending on the motive of the attacker who compromised the credentials. In some cases in the past, it has led to erroneous AWS service usage for bitcoin mining or other non-destructive yet costly abuse, and in others it has led to companies shutting down due to the loss of data and infrastructure. This paper describes an approach for detection of compromised credentials in AWS without needing to know all IPs in your infrastructure beforehand.

Technology
1 of 43
Download to read offline
Detecting Credential Compromise in AWS Will Bengtson @__muscles
Detecting Credential Compromise in AWS Will Bengtson -> whoami Senior Security Software Engineer on Netflix’s Security Tools and Operations Team Netflix is a microservice ecosystem running 100% in AWS. We try and like to build cool things: ● Least Privilege: Security Gain Without Developer Pain ● Application DoS in Microservice Architectures ● Best Practice for Managing Security Operations on AWS @__muscles https://github.com/willbengtson
This is not a machine learning talk Why use machine learning when things can be much more simple
Detecting Credential Compromise in AWS Will Bengtson What is the scope of this talk? Detection of compromised AWS instance credentials (STS credentials) outside of your environment STS - The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users)1 1 https://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html
WHAT’S THE PROBLEM?
WHO IS DOING THIS WELL?
WHY IS THIS SO HARD?
WHAT TOOLS ARE THERE?
Detecting Credential Compromise in AWS Will Bengtson CloudTrail CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services.1 ● Accessible via console ● Deliverable via S3 or CloudWatch Logs ○ AccountID_CloudTrail_RegionName_YYYYMMDDTHHmmZ?UniqueString.FileNameFormat ● Up to 15 or 20 minutes delayed 1 https://aws.amazon.com/cloudtrail/
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-examples.html
First Iteration
Detecting Credential Compromise in AWS Will Bengtson First Iteration Requirements ● Know all IPs in environment (multiple accounts) for the last hour ● Compare each IP found in CloudTrail to list of IPs ○ If we had the IP at the time of log keep going ○ If we DID NOT have the IP at the time of the log, ALERT
Detecting Credential Compromise in AWS Will Bengtson AWS Limitations ● Pagination ● Rate Limiting
New Approach
Detecting Credential Compromise in AWS Will Bengtson ● Use an understanding of how AWS works to our advantage ● Make a strong but reasonable assumption ● Profit From 0 to full coverage in around 6 hours New Approach
HOW DOES AWS WORK?
Detecting Credential Compromise in AWS Will Bengtson
Detecting Credential Compromise in AWS Will Bengtson
Detecting Credential Compromise in AWS Will Bengtson
Detecting Credential Compromise in AWS Will Bengtson
Detecting Credential Compromise in AWS Will Bengtson
Detecting Credential Compromise in AWS Will Bengtson
Detecting Credential Compromise in AWS Will Bengtson
STRONG ASSUMPTION
Detecting Credential Compromise in AWS Will Bengtson
Detecting Credential Compromise in AWS Will Bengtson identifier source_ip arn ttl_value
Detecting Credential Compromise in AWS Will Bengtson identifier source_ip arn ttl_value i-00000000000002131 arn:aws:iam::123456789012:ass umed-role/myCoolRole 1531904179.955654
Detecting Credential Compromise in AWS Will Bengtson identifier source_ip arn ttl_value i-00000000000002131 arn:aws:iam::123456789012:ass umed-role/myCoolRole 1531904179.955654
Detecting Credential Compromise in AWS Will Bengtson identifier source_ip arn ttl_value i-00000000000002131 52.95.255.121 arn:aws:iam::123456789012:ass umed-role/myCoolRole 1531904179.955654
Detecting Credential Compromise in AWS Will Bengtson identifier source_ip arn ttl_value i-00000000000002131 52.95.255.121 arn:aws:iam::123456789012:ass umed-role/myCoolRole 1531904179.955654 =?= 52.95.255.121
Detecting Credential Compromise in AWS Will Bengtson identifier source_ip arn ttl_value i-00000000000002131 52.95.255.121 arn:aws:iam::123456789012:ass umed-role/myCoolRole 1531904179.955654 =?= 52.95.255.121
Detecting Credential Compromise in AWS Will Bengtson identifier source_ip arn ttl_value i-00000000000002131 52.95.255.121 arn:aws:iam::123456789012:ass umed-role/myCoolRole 1531904179.955654 =?= 67.178.52.232
Detecting Credential Compromise in AWS Will Bengtson identifier source_ip arn ttl_value i-00000000000002131 52.95.255.121 arn:aws:iam::123456789012:ass umed-role/myCoolRole 1531904179.955654
Detecting Credential Compromise in AWS Will Bengtson Edge Cases There are a few edge cases to this approach that you may want/need to account for in order to prevent false positives. The edge cases are as follows: ● AWS will make calls on your behalf using your credentials if certain API calls are made ○ sourceIPAddress: <service>.amazonaws.com ● You have an AWS VPC Endpoint(s) for certain AWS Services ○ sourceIPAddress: 192.168.0.22 ● You attach a new ENI or associate a new address to your instance ○ sourceIPAddress: something new if external subnet
Detecting Credential Compromise in AWS Will Bengtson Avoiding Detection Server Side Request Forgery (SSRF) ● Use the same method that you pulled credentials to make the API calls https://ec2.amazonaws.com/?Action=AssociateAddress&InstanceI d=i-1234567890abcdef0&PublicIp=192.0.2.1&AUTHPARAMS Popped Box ● Attacker can execute commands on the system directly
Detecting Credential Compromise in AWS Will Bengtson Final Thoughts ● Understand how AWS works and CloudTrail to make your life easier ● Understand what is logged in CloudTrail ○ Trailblazer is now OSS ■ AWS API Enumeration for Cloudtrail Intelligence / Attack Platform ■ https://github.com/willbengtson/trailblazer-aws ● AWS Credential Compromise Detection OSS ○ One way to detect credential compromise - Reference Architecture/Code ○ https://github.com/Netflix-Skunkworks/aws-credential-compromise-detection
Thank you! @__muscles

Recommended

Security for AWS : Journey to Least Privilege
Security for AWS : Journey to Least PrivilegeSecurity for AWS : Journey to Least Privilege
Security for AWS : Journey to Least Privilegedhubbard858
 
Mastering Kubernetes on AWS - Tel Aviv Summit
Mastering Kubernetes on AWS - Tel Aviv SummitMastering Kubernetes on AWS - Tel Aviv Summit
Mastering Kubernetes on AWS - Tel Aviv SummitArun Gupta
 
Introduction to Amazon EKS - KubeCon 2018
Introduction to Amazon EKS - KubeCon 2018Introduction to Amazon EKS - KubeCon 2018
Introduction to Amazon EKS - KubeCon 2018Arun Gupta
 
K8s on AWS - Introducing Amazon EKS
K8s on AWS - Introducing Amazon EKSK8s on AWS - Introducing Amazon EKS
K8s on AWS - Introducing Amazon EKSAmazon Web Services
 
K8s on AWS: Introducing Amazon EKS
K8s on AWS: Introducing Amazon EKSK8s on AWS: Introducing Amazon EKS
K8s on AWS: Introducing Amazon EKSAmazon Web Services
 
Security Observability for Cloud Based Applications
Security Observability for Cloud Based ApplicationsSecurity Observability for Cloud Based Applications
Security Observability for Cloud Based ApplicationsJohn Varghese
 
Accelerate Digital Experience with Serverless Computing - DEM86 - re:Invent 2017
Accelerate Digital Experience with Serverless Computing - DEM86 - re:Invent 2017Accelerate Digital Experience with Serverless Computing - DEM86 - re:Invent 2017
Accelerate Digital Experience with Serverless Computing - DEM86 - re:Invent 2017Amazon Web Services
 
Five New Security Automation Improvements You Can Make by Using Amazon CloudW...
Five New Security Automation Improvements You Can Make by Using Amazon CloudW...Five New Security Automation Improvements You Can Make by Using Amazon CloudW...
Five New Security Automation Improvements You Can Make by Using Amazon CloudW...Amazon Web Services
 

Recommended

Security for AWS : Journey to Least Privilege
Security for AWS : Journey to Least PrivilegeSecurity for AWS : Journey to Least Privilege
Security for AWS : Journey to Least Privilegedhubbard858
 
Mastering Kubernetes on AWS - Tel Aviv Summit
Mastering Kubernetes on AWS - Tel Aviv SummitMastering Kubernetes on AWS - Tel Aviv Summit
Mastering Kubernetes on AWS - Tel Aviv SummitArun Gupta
 
Introduction to Amazon EKS - KubeCon 2018
Introduction to Amazon EKS - KubeCon 2018Introduction to Amazon EKS - KubeCon 2018
Introduction to Amazon EKS - KubeCon 2018Arun Gupta
 
K8s on AWS - Introducing Amazon EKS
K8s on AWS - Introducing Amazon EKSK8s on AWS - Introducing Amazon EKS
K8s on AWS - Introducing Amazon EKSAmazon Web Services
 
K8s on AWS: Introducing Amazon EKS
K8s on AWS: Introducing Amazon EKSK8s on AWS: Introducing Amazon EKS
K8s on AWS: Introducing Amazon EKSAmazon Web Services
 
Security Observability for Cloud Based Applications
Security Observability for Cloud Based ApplicationsSecurity Observability for Cloud Based Applications
Security Observability for Cloud Based ApplicationsJohn Varghese
 
Accelerate Digital Experience with Serverless Computing - DEM86 - re:Invent 2017
Accelerate Digital Experience with Serverless Computing - DEM86 - re:Invent 2017Accelerate Digital Experience with Serverless Computing - DEM86 - re:Invent 2017
Accelerate Digital Experience with Serverless Computing - DEM86 - re:Invent 2017Amazon Web Services
 
Five New Security Automation Improvements You Can Make by Using Amazon CloudW...
Five New Security Automation Improvements You Can Make by Using Amazon CloudW...Five New Security Automation Improvements You Can Make by Using Amazon CloudW...
Five New Security Automation Improvements You Can Make by Using Amazon CloudW...Amazon Web Services
 
Getting Started on Amazon EKS
Getting Started on Amazon EKSGetting Started on Amazon EKS
Getting Started on Amazon EKSMatthew Barlocker
 
Incident Response in the Cloud - SID319 - re:Invent 2017
Incident Response in the Cloud - SID319 - re:Invent 2017Incident Response in the Cloud - SID319 - re:Invent 2017
Incident Response in the Cloud - SID319 - re:Invent 2017Amazon Web Services
 
Containers - Amazon EKS
Containers - Amazon EKSContainers - Amazon EKS
Containers - Amazon EKSAmazon Web Services
 
Amazon Web Services User Group Sydney - February 2018
Amazon Web Services User Group Sydney - February 2018Amazon Web Services User Group Sydney - February 2018
Amazon Web Services User Group Sydney - February 2018PolarSeven Pty Ltd
 
Red Team vs. Blue Team on AWS ~ re:Invent 2018
Red Team vs. Blue Team on AWS ~ re:Invent 2018Red Team vs. Blue Team on AWS ~ re:Invent 2018
Red Team vs. Blue Team on AWS ~ re:Invent 2018Teri Radichel
 
Automating Security and Compliance Testing of Infrastructure-as-Code for DevS...
Automating Security and Compliance Testing of Infrastructure-as-Code for DevS...Automating Security and Compliance Testing of Infrastructure-as-Code for DevS...
Automating Security and Compliance Testing of Infrastructure-as-Code for DevS...Amazon Web Services
 
WIN203_With Amazon EC2 for Windows Server and Thinkbox Deadline
WIN203_With Amazon EC2 for Windows Server and Thinkbox DeadlineWIN203_With Amazon EC2 for Windows Server and Thinkbox Deadline
WIN203_With Amazon EC2 for Windows Server and Thinkbox DeadlineAmazon Web Services
 
Using Access Advisor to Strike the Balance Between Security and Usability - S...
Using Access Advisor to Strike the Balance Between Security and Usability - S...Using Access Advisor to Strike the Balance Between Security and Usability - S...
Using Access Advisor to Strike the Balance Between Security and Usability - S...Amazon Web Services
 
NEW LAUNCH! Introduction to Managed Rules for AWS WAF - SID217 - re:Invent 2017
NEW LAUNCH! Introduction to Managed Rules for AWS WAF - SID217 - re:Invent 2017NEW LAUNCH! Introduction to Managed Rules for AWS WAF - SID217 - re:Invent 2017
NEW LAUNCH! Introduction to Managed Rules for AWS WAF - SID217 - re:Invent 2017Amazon Web Services
 
Secure Your Edge-to-Cloud IoT Solution with Intel and AWS - IOT337 - re:Inven...
Secure Your Edge-to-Cloud IoT Solution with Intel and AWS - IOT337 - re:Inven...Secure Your Edge-to-Cloud IoT Solution with Intel and AWS - IOT337 - re:Inven...
Secure Your Edge-to-Cloud IoT Solution with Intel and AWS - IOT337 - re:Inven...Amazon Web Services
 
NEW LAUNCH! Amazon FreeRTOS: IoT Operating System for Microcontrollers - IOT2...
NEW LAUNCH! Amazon FreeRTOS: IoT Operating System for Microcontrollers - IOT2...NEW LAUNCH! Amazon FreeRTOS: IoT Operating System for Microcontrollers - IOT2...
NEW LAUNCH! Amazon FreeRTOS: IoT Operating System for Microcontrollers - IOT2...Amazon Web Services
 
Amazon guard duty_lab
Amazon guard duty_labAmazon guard duty_lab
Amazon guard duty_labBela Sojina MBA, PMP
 
How Chick-fil-A Embraces DevSecOps on AWS - SID306 - re:Invent 2017
How Chick-fil-A Embraces DevSecOps on AWS - SID306 - re:Invent 2017How Chick-fil-A Embraces DevSecOps on AWS - SID306 - re:Invent 2017
How Chick-fil-A Embraces DevSecOps on AWS - SID306 - re:Invent 2017Amazon Web Services
 
Introduction to EKS (AWS User Group Slovakia)
Introduction to EKS (AWS User Group Slovakia)Introduction to EKS (AWS User Group Slovakia)
Introduction to EKS (AWS User Group Slovakia)Vladimir Simek
 
SecOps 2021 Today: Using AWS Services to Deliver SecOps - SID304 - re:Invent ...
SecOps 2021 Today: Using AWS Services to Deliver SecOps - SID304 - re:Invent ...SecOps 2021 Today: Using AWS Services to Deliver SecOps - SID304 - re:Invent ...
SecOps 2021 Today: Using AWS Services to Deliver SecOps - SID304 - re:Invent ...Amazon Web Services
 
Securing Serverless Applications Step-by-step - SRV308 - re:Invent 2017
Securing Serverless Applications Step-by-step - SRV308 - re:Invent 2017Securing Serverless Applications Step-by-step - SRV308 - re:Invent 2017
Securing Serverless Applications Step-by-step - SRV308 - re:Invent 2017Amazon Web Services
 
Automating DDoS Response in the Cloud - SID324 - re:Invent 2017
Automating DDoS Response in the Cloud - SID324 - re:Invent 2017Automating DDoS Response in the Cloud - SID324 - re:Invent 2017
Automating DDoS Response in the Cloud - SID324 - re:Invent 2017Amazon Web Services
 
SID345-AWS Encryption SDK The Busy Engineer’s Guide to Client-Side Encryption
SID345-AWS Encryption SDK The Busy Engineer’s Guide to Client-Side EncryptionSID345-AWS Encryption SDK The Busy Engineer’s Guide to Client-Side Encryption
SID345-AWS Encryption SDK The Busy Engineer’s Guide to Client-Side EncryptionAmazon Web Services
 
AWS WAF
AWS WAFAWS WAF
AWS WAFAmazon Web Services
 
Cloud-Native App Protection: Web Application Security at Pearson and other cu...
Cloud-Native App Protection: Web Application Security at Pearson and other cu...Cloud-Native App Protection: Web Application Security at Pearson and other cu...
Cloud-Native App Protection: Web Application Security at Pearson and other cu...Amazon Web Services
 
Detecting Credential Compromise in AWS (SEC389) - AWS re:Invent 2018
Detecting Credential Compromise in AWS (SEC389) - AWS re:Invent 2018Detecting Credential Compromise in AWS (SEC389) - AWS re:Invent 2018
Detecting Credential Compromise in AWS (SEC389) - AWS re:Invent 2018Amazon Web Services
 
Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...
Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...
Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...Amazon Web Services
 

More Related Content

What's hot

Getting Started on Amazon EKS
Getting Started on Amazon EKSGetting Started on Amazon EKS
Getting Started on Amazon EKSMatthew Barlocker
 
Incident Response in the Cloud - SID319 - re:Invent 2017
Incident Response in the Cloud - SID319 - re:Invent 2017Incident Response in the Cloud - SID319 - re:Invent 2017
Incident Response in the Cloud - SID319 - re:Invent 2017Amazon Web Services
 
Amazon Web Services User Group Sydney - February 2018
Amazon Web Services User Group Sydney - February 2018Amazon Web Services User Group Sydney - February 2018
Amazon Web Services User Group Sydney - February 2018PolarSeven Pty Ltd
 
Red Team vs. Blue Team on AWS ~ re:Invent 2018
Red Team vs. Blue Team on AWS ~ re:Invent 2018Red Team vs. Blue Team on AWS ~ re:Invent 2018
Red Team vs. Blue Team on AWS ~ re:Invent 2018Teri Radichel
 
Automating Security and Compliance Testing of Infrastructure-as-Code for DevS...
Automating Security and Compliance Testing of Infrastructure-as-Code for DevS...Automating Security and Compliance Testing of Infrastructure-as-Code for DevS...
Automating Security and Compliance Testing of Infrastructure-as-Code for DevS...Amazon Web Services
 
WIN203_With Amazon EC2 for Windows Server and Thinkbox Deadline
WIN203_With Amazon EC2 for Windows Server and Thinkbox DeadlineWIN203_With Amazon EC2 for Windows Server and Thinkbox Deadline
WIN203_With Amazon EC2 for Windows Server and Thinkbox DeadlineAmazon Web Services
 
Using Access Advisor to Strike the Balance Between Security and Usability - S...
Using Access Advisor to Strike the Balance Between Security and Usability - S...Using Access Advisor to Strike the Balance Between Security and Usability - S...
Using Access Advisor to Strike the Balance Between Security and Usability - S...Amazon Web Services
 
NEW LAUNCH! Introduction to Managed Rules for AWS WAF - SID217 - re:Invent 2017
NEW LAUNCH! Introduction to Managed Rules for AWS WAF - SID217 - re:Invent 2017NEW LAUNCH! Introduction to Managed Rules for AWS WAF - SID217 - re:Invent 2017
NEW LAUNCH! Introduction to Managed Rules for AWS WAF - SID217 - re:Invent 2017Amazon Web Services
 
Secure Your Edge-to-Cloud IoT Solution with Intel and AWS - IOT337 - re:Inven...
Secure Your Edge-to-Cloud IoT Solution with Intel and AWS - IOT337 - re:Inven...Secure Your Edge-to-Cloud IoT Solution with Intel and AWS - IOT337 - re:Inven...
Secure Your Edge-to-Cloud IoT Solution with Intel and AWS - IOT337 - re:Inven...Amazon Web Services
 
NEW LAUNCH! Amazon FreeRTOS: IoT Operating System for Microcontrollers - IOT2...
NEW LAUNCH! Amazon FreeRTOS: IoT Operating System for Microcontrollers - IOT2...NEW LAUNCH! Amazon FreeRTOS: IoT Operating System for Microcontrollers - IOT2...
NEW LAUNCH! Amazon FreeRTOS: IoT Operating System for Microcontrollers - IOT2...Amazon Web Services
 
How Chick-fil-A Embraces DevSecOps on AWS - SID306 - re:Invent 2017
How Chick-fil-A Embraces DevSecOps on AWS - SID306 - re:Invent 2017How Chick-fil-A Embraces DevSecOps on AWS - SID306 - re:Invent 2017
How Chick-fil-A Embraces DevSecOps on AWS - SID306 - re:Invent 2017Amazon Web Services
 
Introduction to EKS (AWS User Group Slovakia)
Introduction to EKS (AWS User Group Slovakia)Introduction to EKS (AWS User Group Slovakia)
Introduction to EKS (AWS User Group Slovakia)Vladimir Simek
 
SecOps 2021 Today: Using AWS Services to Deliver SecOps - SID304 - re:Invent ...
SecOps 2021 Today: Using AWS Services to Deliver SecOps - SID304 - re:Invent ...SecOps 2021 Today: Using AWS Services to Deliver SecOps - SID304 - re:Invent ...
SecOps 2021 Today: Using AWS Services to Deliver SecOps - SID304 - re:Invent ...Amazon Web Services
 
Securing Serverless Applications Step-by-step - SRV308 - re:Invent 2017
Securing Serverless Applications Step-by-step - SRV308 - re:Invent 2017Securing Serverless Applications Step-by-step - SRV308 - re:Invent 2017
Securing Serverless Applications Step-by-step - SRV308 - re:Invent 2017Amazon Web Services
 
Automating DDoS Response in the Cloud - SID324 - re:Invent 2017
Automating DDoS Response in the Cloud - SID324 - re:Invent 2017Automating DDoS Response in the Cloud - SID324 - re:Invent 2017
Automating DDoS Response in the Cloud - SID324 - re:Invent 2017Amazon Web Services
 
SID345-AWS Encryption SDK The Busy Engineer’s Guide to Client-Side Encryption
SID345-AWS Encryption SDK The Busy Engineer’s Guide to Client-Side EncryptionSID345-AWS Encryption SDK The Busy Engineer’s Guide to Client-Side Encryption
SID345-AWS Encryption SDK The Busy Engineer’s Guide to Client-Side EncryptionAmazon Web Services
 
Cloud-Native App Protection: Web Application Security at Pearson and other cu...
Cloud-Native App Protection: Web Application Security at Pearson and other cu...Cloud-Native App Protection: Web Application Security at Pearson and other cu...
Cloud-Native App Protection: Web Application Security at Pearson and other cu...Amazon Web Services
 

What's hot (20)

Getting Started on Amazon EKS
Getting Started on Amazon EKSGetting Started on Amazon EKS
Getting Started on Amazon EKS
 
Incident Response in the Cloud - SID319 - re:Invent 2017
Incident Response in the Cloud - SID319 - re:Invent 2017Incident Response in the Cloud - SID319 - re:Invent 2017
Incident Response in the Cloud - SID319 - re:Invent 2017
 
Containers - Amazon EKS
Containers - Amazon EKSContainers - Amazon EKS
Containers - Amazon EKS
 
Amazon Web Services User Group Sydney - February 2018
Amazon Web Services User Group Sydney - February 2018Amazon Web Services User Group Sydney - February 2018
Amazon Web Services User Group Sydney - February 2018
 
Red Team vs. Blue Team on AWS ~ re:Invent 2018
Red Team vs. Blue Team on AWS ~ re:Invent 2018Red Team vs. Blue Team on AWS ~ re:Invent 2018
Red Team vs. Blue Team on AWS ~ re:Invent 2018
 
Automating Security and Compliance Testing of Infrastructure-as-Code for DevS...
Automating Security and Compliance Testing of Infrastructure-as-Code for DevS...Automating Security and Compliance Testing of Infrastructure-as-Code for DevS...
Automating Security and Compliance Testing of Infrastructure-as-Code for DevS...
 
WIN203_With Amazon EC2 for Windows Server and Thinkbox Deadline
WIN203_With Amazon EC2 for Windows Server and Thinkbox DeadlineWIN203_With Amazon EC2 for Windows Server and Thinkbox Deadline
WIN203_With Amazon EC2 for Windows Server and Thinkbox Deadline
 
Using Access Advisor to Strike the Balance Between Security and Usability - S...
Using Access Advisor to Strike the Balance Between Security and Usability - S...Using Access Advisor to Strike the Balance Between Security and Usability - S...
Using Access Advisor to Strike the Balance Between Security and Usability - S...
 
NEW LAUNCH! Introduction to Managed Rules for AWS WAF - SID217 - re:Invent 2017
NEW LAUNCH! Introduction to Managed Rules for AWS WAF - SID217 - re:Invent 2017NEW LAUNCH! Introduction to Managed Rules for AWS WAF - SID217 - re:Invent 2017
NEW LAUNCH! Introduction to Managed Rules for AWS WAF - SID217 - re:Invent 2017
 
Secure Your Edge-to-Cloud IoT Solution with Intel and AWS - IOT337 - re:Inven...
Secure Your Edge-to-Cloud IoT Solution with Intel and AWS - IOT337 - re:Inven...Secure Your Edge-to-Cloud IoT Solution with Intel and AWS - IOT337 - re:Inven...
Secure Your Edge-to-Cloud IoT Solution with Intel and AWS - IOT337 - re:Inven...
 
NEW LAUNCH! Amazon FreeRTOS: IoT Operating System for Microcontrollers - IOT2...
NEW LAUNCH! Amazon FreeRTOS: IoT Operating System for Microcontrollers - IOT2...NEW LAUNCH! Amazon FreeRTOS: IoT Operating System for Microcontrollers - IOT2...
NEW LAUNCH! Amazon FreeRTOS: IoT Operating System for Microcontrollers - IOT2...
 
Amazon guard duty_lab
Amazon guard duty_labAmazon guard duty_lab
Amazon guard duty_lab
 
How Chick-fil-A Embraces DevSecOps on AWS - SID306 - re:Invent 2017
How Chick-fil-A Embraces DevSecOps on AWS - SID306 - re:Invent 2017How Chick-fil-A Embraces DevSecOps on AWS - SID306 - re:Invent 2017
How Chick-fil-A Embraces DevSecOps on AWS - SID306 - re:Invent 2017
 
Introduction to EKS (AWS User Group Slovakia)
Introduction to EKS (AWS User Group Slovakia)Introduction to EKS (AWS User Group Slovakia)
Introduction to EKS (AWS User Group Slovakia)
 
SecOps 2021 Today: Using AWS Services to Deliver SecOps - SID304 - re:Invent ...
SecOps 2021 Today: Using AWS Services to Deliver SecOps - SID304 - re:Invent ...SecOps 2021 Today: Using AWS Services to Deliver SecOps - SID304 - re:Invent ...
SecOps 2021 Today: Using AWS Services to Deliver SecOps - SID304 - re:Invent ...
 
Securing Serverless Applications Step-by-step - SRV308 - re:Invent 2017
Securing Serverless Applications Step-by-step - SRV308 - re:Invent 2017Securing Serverless Applications Step-by-step - SRV308 - re:Invent 2017
Securing Serverless Applications Step-by-step - SRV308 - re:Invent 2017
 
Automating DDoS Response in the Cloud - SID324 - re:Invent 2017
Automating DDoS Response in the Cloud - SID324 - re:Invent 2017Automating DDoS Response in the Cloud - SID324 - re:Invent 2017
Automating DDoS Response in the Cloud - SID324 - re:Invent 2017
 
SID345-AWS Encryption SDK The Busy Engineer’s Guide to Client-Side Encryption
SID345-AWS Encryption SDK The Busy Engineer’s Guide to Client-Side EncryptionSID345-AWS Encryption SDK The Busy Engineer’s Guide to Client-Side Encryption
SID345-AWS Encryption SDK The Busy Engineer’s Guide to Client-Side Encryption
 
AWS WAF
AWS WAFAWS WAF
AWS WAF
 
Cloud-Native App Protection: Web Application Security at Pearson and other cu...
Cloud-Native App Protection: Web Application Security at Pearson and other cu...Cloud-Native App Protection: Web Application Security at Pearson and other cu...
Cloud-Native App Protection: Web Application Security at Pearson and other cu...
 

Similar to Detecting Credential Compromise in AWS (Black Hat Conference 2018)

Detecting Credential Compromise in AWS (SEC389) - AWS re:Invent 2018
Detecting Credential Compromise in AWS (SEC389) - AWS re:Invent 2018Detecting Credential Compromise in AWS (SEC389) - AWS re:Invent 2018
Detecting Credential Compromise in AWS (SEC389) - AWS re:Invent 2018Amazon Web Services
 
Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...
Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...
Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...Amazon Web Services
 
Secure your AWS Account and your Organization's Accounts
Secure your AWS Account and your Organization's Accounts Secure your AWS Account and your Organization's Accounts
Secure your AWS Account and your Organization's Accounts Amazon Web Services
 
AWS Summit Auckland Sponsor presentation - Bulletproof
AWS Summit Auckland Sponsor presentation - BulletproofAWS Summit Auckland Sponsor presentation - Bulletproof
AWS Summit Auckland Sponsor presentation - BulletproofAmazon Web Services
 
Following Well Architected Frameworks - Lunch and Learn.pdf
Following Well Architected Frameworks - Lunch and Learn.pdfFollowing Well Architected Frameworks - Lunch and Learn.pdf
Following Well Architected Frameworks - Lunch and Learn.pdfAmazon Web Services
 
Wrangling Security & Identity across 99+ AWS Accounts
Wrangling Security & Identity across 99+ AWS AccountsWrangling Security & Identity across 99+ AWS Accounts
Wrangling Security & Identity across 99+ AWS AccountsAndrew Bienert
 
AWS Security Week: Humans & Data Don’t Mix - Best Practices to Secure Your Cloud
AWS Security Week: Humans & Data Don’t Mix - Best Practices to Secure Your CloudAWS Security Week: Humans & Data Don’t Mix - Best Practices to Secure Your Cloud
AWS Security Week: Humans & Data Don’t Mix - Best Practices to Secure Your CloudAmazon Web Services
 
Ponencia Principal - AWS Summit - Madrid
Ponencia Principal - AWS Summit - MadridPonencia Principal - AWS Summit - Madrid
Ponencia Principal - AWS Summit - MadridAmazon Web Services
 
AWS Security State of the Union - SID326 - re:Invent 2017
AWS Security State of the Union - SID326 - re:Invent 2017AWS Security State of the Union - SID326 - re:Invent 2017
AWS Security State of the Union - SID326 - re:Invent 2017Amazon Web Services
 
Humans and Data Don't Mix- Best Practices to Secure Your Cloud
Humans and Data Don't Mix- Best Practices to Secure Your CloudHumans and Data Don't Mix- Best Practices to Secure Your Cloud
Humans and Data Don't Mix- Best Practices to Secure Your CloudAmazon Web Services
 
Network Security and Access Control within AWS
Network Security and Access Control within AWS Network Security and Access Control within AWS
Network Security and Access Control within AWS Amazon Web Services
 
Top 15 aws security interview questions
Top 15 aws security interview questionsTop 15 aws security interview questions
Top 15 aws security interview questionsShivamSharma909
 
Bulletproof & Xero Presentation - AWS Summit Auckland
Bulletproof & Xero Presentation - AWS Summit AucklandBulletproof & Xero Presentation - AWS Summit Auckland
Bulletproof & Xero Presentation - AWS Summit AucklandBulletproof
 
ARC325_Managing Multiple AWS Accounts at Scale
ARC325_Managing Multiple AWS Accounts at ScaleARC325_Managing Multiple AWS Accounts at Scale
ARC325_Managing Multiple AWS Accounts at ScaleAmazon Web Services
 

Similar to Detecting Credential Compromise in AWS (Black Hat Conference 2018) (20)

Detecting Credential Compromise in AWS (SEC389) - AWS re:Invent 2018
Detecting Credential Compromise in AWS (SEC389) - AWS re:Invent 2018Detecting Credential Compromise in AWS (SEC389) - AWS re:Invent 2018
Detecting Credential Compromise in AWS (SEC389) - AWS re:Invent 2018
 
Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...
Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...
Secure Your AWS Account and Your Organization's Accounts - SID202 - Chicago A...
 
Secure your AWS Account and your Organization's Accounts
Secure your AWS Account and your Organization's Accounts Secure your AWS Account and your Organization's Accounts
Secure your AWS Account and your Organization's Accounts
 
AWS Summit Auckland Sponsor presentation - Bulletproof
AWS Summit Auckland Sponsor presentation - BulletproofAWS Summit Auckland Sponsor presentation - Bulletproof
AWS Summit Auckland Sponsor presentation - Bulletproof
 
Following Well Architected Frameworks - Lunch and Learn.pdf
Following Well Architected Frameworks - Lunch and Learn.pdfFollowing Well Architected Frameworks - Lunch and Learn.pdf
Following Well Architected Frameworks - Lunch and Learn.pdf
 
beAuth
beAuthbeAuth
beAuth
 
Understanding AWS Security
Understanding AWS SecurityUnderstanding AWS Security
Understanding AWS Security
 
Security & Compliance
Security & Compliance Security & Compliance
Security & Compliance
 
Wrangling Security & Identity across 99+ AWS Accounts
Wrangling Security & Identity across 99+ AWS AccountsWrangling Security & Identity across 99+ AWS Accounts
Wrangling Security & Identity across 99+ AWS Accounts
 
AWS Security Week: Humans & Data Don’t Mix - Best Practices to Secure Your Cloud
AWS Security Week: Humans & Data Don’t Mix - Best Practices to Secure Your CloudAWS Security Week: Humans & Data Don’t Mix - Best Practices to Secure Your Cloud
AWS Security Week: Humans & Data Don’t Mix - Best Practices to Secure Your Cloud
 
Keeping Humans Away From Data
Keeping Humans Away From DataKeeping Humans Away From Data
Keeping Humans Away From Data
 
Ponencia Principal - AWS Summit - Madrid
Ponencia Principal - AWS Summit - MadridPonencia Principal - AWS Summit - Madrid
Ponencia Principal - AWS Summit - Madrid
 
AWS Security State of the Union - SID326 - re:Invent 2017
AWS Security State of the Union - SID326 - re:Invent 2017AWS Security State of the Union - SID326 - re:Invent 2017
AWS Security State of the Union - SID326 - re:Invent 2017
 
Humans and Data Don't Mix- Best Practices to Secure Your Cloud
Humans and Data Don't Mix- Best Practices to Secure Your CloudHumans and Data Don't Mix- Best Practices to Secure Your Cloud
Humans and Data Don't Mix- Best Practices to Secure Your Cloud
 
Understanding AWS Security
Understanding AWS SecurityUnderstanding AWS Security
Understanding AWS Security
 
Network Security and Access Control within AWS
Network Security and Access Control within AWS Network Security and Access Control within AWS
Network Security and Access Control within AWS
 
Understanding AWS Security
Understanding AWS Security Understanding AWS Security
Understanding AWS Security
 
Top 15 aws security interview questions
Top 15 aws security interview questionsTop 15 aws security interview questions
Top 15 aws security interview questions
 
Bulletproof & Xero Presentation - AWS Summit Auckland
Bulletproof & Xero Presentation - AWS Summit AucklandBulletproof & Xero Presentation - AWS Summit Auckland
Bulletproof & Xero Presentation - AWS Summit Auckland
 
ARC325_Managing Multiple AWS Accounts at Scale
ARC325_Managing Multiple AWS Accounts at ScaleARC325_Managing Multiple AWS Accounts at Scale
ARC325_Managing Multiple AWS Accounts at Scale
 

More from Priyanka Aash

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfPriyanka Aash
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfPriyanka Aash
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfPriyanka Aash
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfPriyanka Aash
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfPriyanka Aash
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdfPriyanka Aash
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfPriyanka Aash
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfPriyanka Aash
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfPriyanka Aash
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldPriyanka Aash
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksPriyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Recently uploaded

Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsAndrey Dotsenko
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 

Recently uploaded (20)

Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 

Detecting Credential Compromise in AWS (Black Hat Conference 2018)

  • 2. Detecting Credential Compromise in AWS Will Bengtson -> whoami Senior Security Software Engineer on Netflix’s Security Tools and Operations Team Netflix is a microservice ecosystem running 100% in AWS. We try and like to build cool things: ● Least Privilege: Security Gain Without Developer Pain ● Application DoS in Microservice Architectures ● Best Practice for Managing Security Operations on AWS @__muscles https://github.com/willbengtson
  • 3. This is not a machine learning talk Why use machine learning when things can be much more simple
  • 4. Detecting Credential Compromise in AWS Will Bengtson What is the scope of this talk? Detection of compromised AWS instance credentials (STS credentials) outside of your environment STS - The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users)1 1 https://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html
  • 6. WHO IS DOING THIS WELL?
  • 7. WHY IS THIS SO HARD?
  • 8. WHAT TOOLS ARE THERE?
  • 9. Detecting Credential Compromise in AWS Will Bengtson CloudTrail CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services.1 ● Accessible via console ● Deliverable via S3 or CloudWatch Logs ○ AccountID_CloudTrail_RegionName_YYYYMMDDTHHmmZ?UniqueString.FileNameFormat ● Up to 15 or 20 minutes delayed 1 https://aws.amazon.com/cloudtrail/
  • 11.
  • 13. Detecting Credential Compromise in AWS Will Bengtson First Iteration Requirements ● Know all IPs in environment (multiple accounts) for the last hour ● Compare each IP found in CloudTrail to list of IPs ○ If we had the IP at the time of log keep going ○ If we DID NOT have the IP at the time of the log, ALERT
  • 14. Detecting Credential Compromise in AWS Will Bengtson AWS Limitations ● Pagination ● Rate Limiting
  • 16. Detecting Credential Compromise in AWS Will Bengtson ● Use an understanding of how AWS works to our advantage ● Make a strong but reasonable assumption ● Profit From 0 to full coverage in around 6 hours New Approach
  • 17. HOW DOES AWS WORK?
  • 18. Detecting Credential Compromise in AWS Will Bengtson
  • 19. Detecting Credential Compromise in AWS Will Bengtson
  • 20. Detecting Credential Compromise in AWS Will Bengtson
  • 21. Detecting Credential Compromise in AWS Will Bengtson
  • 22. Detecting Credential Compromise in AWS Will Bengtson
  • 23. Detecting Credential Compromise in AWS Will Bengtson
  • 24. Detecting Credential Compromise in AWS Will Bengtson
  • 26.
  • 27. Detecting Credential Compromise in AWS Will Bengtson
  • 28. Detecting Credential Compromise in AWS Will Bengtson identifier source_ip arn ttl_value
  • 29.
  • 30. Detecting Credential Compromise in AWS Will Bengtson identifier source_ip arn ttl_value i-00000000000002131 arn:aws:iam::123456789012:ass umed-role/myCoolRole 1531904179.955654
  • 31.
  • 32. Detecting Credential Compromise in AWS Will Bengtson identifier source_ip arn ttl_value i-00000000000002131 arn:aws:iam::123456789012:ass umed-role/myCoolRole 1531904179.955654
  • 33. Detecting Credential Compromise in AWS Will Bengtson identifier source_ip arn ttl_value i-00000000000002131 52.95.255.121 arn:aws:iam::123456789012:ass umed-role/myCoolRole 1531904179.955654
  • 34.
  • 35. Detecting Credential Compromise in AWS Will Bengtson identifier source_ip arn ttl_value i-00000000000002131 52.95.255.121 arn:aws:iam::123456789012:ass umed-role/myCoolRole 1531904179.955654 =?= 52.95.255.121
  • 36. Detecting Credential Compromise in AWS Will Bengtson identifier source_ip arn ttl_value i-00000000000002131 52.95.255.121 arn:aws:iam::123456789012:ass umed-role/myCoolRole 1531904179.955654 =?= 52.95.255.121
  • 37.
  • 38. Detecting Credential Compromise in AWS Will Bengtson identifier source_ip arn ttl_value i-00000000000002131 52.95.255.121 arn:aws:iam::123456789012:ass umed-role/myCoolRole 1531904179.955654 =?= 67.178.52.232
  • 39. Detecting Credential Compromise in AWS Will Bengtson identifier source_ip arn ttl_value i-00000000000002131 52.95.255.121 arn:aws:iam::123456789012:ass umed-role/myCoolRole 1531904179.955654
  • 40. Detecting Credential Compromise in AWS Will Bengtson Edge Cases There are a few edge cases to this approach that you may want/need to account for in order to prevent false positives. The edge cases are as follows: ● AWS will make calls on your behalf using your credentials if certain API calls are made ○ sourceIPAddress: <service>.amazonaws.com ● You have an AWS VPC Endpoint(s) for certain AWS Services ○ sourceIPAddress: 192.168.0.22 ● You attach a new ENI or associate a new address to your instance ○ sourceIPAddress: something new if external subnet
  • 41. Detecting Credential Compromise in AWS Will Bengtson Avoiding Detection Server Side Request Forgery (SSRF) ● Use the same method that you pulled credentials to make the API calls https://ec2.amazonaws.com/?Action=AssociateAddress&InstanceI d=i-1234567890abcdef0&PublicIp=192.0.2.1&AUTHPARAMS Popped Box ● Attacker can execute commands on the system directly
  • 42. Detecting Credential Compromise in AWS Will Bengtson Final Thoughts ● Understand how AWS works and CloudTrail to make your life easier ● Understand what is logged in CloudTrail ○ Trailblazer is now OSS ■ AWS API Enumeration for Cloudtrail Intelligence / Attack Platform ■ https://github.com/willbengtson/trailblazer-aws ● AWS Credential Compromise Detection OSS ○ One way to detect credential compromise - Reference Architecture/Code ○ https://github.com/Netflix-Skunkworks/aws-credential-compromise-detection