"The interaction between attackers and defenders is like a ping pong game, and that is exactly how we did this research. On the offensive Mo will share his tools and tactics attacking AWS Infrastructures from Recon to Attacks to Post Exploitation on different services with a focus on Elastic Container Service(ECS). After each attack step, Dani will explain the defensive side and tools and tactics for hardening the AWS Infrastructure from Designing a secure Cloud Architecture to Detection to Hardening specific services like Docker containers on ECS. After the battle, we will both walk-through common misconfiguration problems, one-click solutions for monitoring and attack detection, and workflows for pentesters on AWS. One of the most important lessons from our research is the importance of the interaction between pentesters and developers/DevOps engineers, and how a few days of working side by side can help us secure our current systems and learn to develop future systems with security in mind. Dani and Mohsan will demonstrate an entire kill chain on a hypothetical organization operating in an AWS environment and pivoting into their internal Active Directory network. The demonstration will cover reconnaissance methods for a cloud environment, an attack on a AWS hosted webserver that results in compromise of access keys. The access keys will be utilized to access a separate AWS service, followed by escalation of privileges to administrator. We will further demonstrate exfiltration methods, setting up persistence in AWS, and last but not least pivoting to the internal AD environment and obtaining Domain Admin privileges. Many open source tools will be used as well as some custom python scripts on the offensive side, for example: TruffleHog for scanning for leaked keys on github, S3Scanner for enumerating S3 buckets, amass for DNS Mapping and Subdomain Enumeration, Cloud Mapper for reconnaissance and auditing, Prowler for assessing security, Pacu and Metasploit for exploitation, and more. On the defensive side, we will introduce Open Source tools like HashiCorp Vault and AWS Parameter Store for secret management, NAXSI as an open source WAF, Vulnerability scanners for Docker, AWS KMS for creating and rotating keys for in-transit and at-rest data encryption, CloudTrail and CloudWatch for detection of suspicious activity and alarming, and more."

1. Battle in the
Clouds: Attacker vs
Defender on AWS
Dani Goland
Mohsan Farid

2. Shared
Responsibility
Model

3. Hummus Bombing Celery Workers

4. Relay 101

5. Exchange Abuse

6. Exchange Abuse

7. Exchange Abuse

8. Exchange Abuse

9. Pivoting isn’t
always easy
but it sho is
fun!

10. Everybody
Wants To Rule
The World

11. Shell Yeah!

12. Lateral-aly

13. Post
Exploitation

14. Post
Exploitation

15. Post
Exploitation

16. Post
Exploitation

17. Post
Exploitation

18. Post
Exploitation

19. Post
Exploitation

21. Infrastructure As Code
(Hashicorp Terraform / AWS Cloudformation)

22. Immutable
Infrastructure(Hashicorp
Packer)
• Bake AMIs with Packer
• Use Ansible to harden the OS
• https://github.com/openstack/ansi
ble-hardening

23. Secret Management
• Hashicorp Vault/AWS SSM
Parameter Store
• Granular control over access
to secrets
• Automatic generation of
short-lived DB
credentials(Vault)

24. Interservice
Communication
• Use TLS
• Manage your own keys via
Vault
• Use Consul Connect sidecar
to automatically proxy your
traffic encrypted.

25. WAF
• AWS WAF Custom Rules or
Managed Rules
• Open Source Solutions Like
NAXSI(with NGINX)
https://github.com/nbs-system/naxsi

26. Example Architecture
• ALB à NGINX(w/ NAXSI) à ECS with Consul Connect Sidecar à Vault

27. AWS Services
Guard Duty – A threat detection
service that continuously monitors
for malicious activity and
unauthorized behavior.
Inspector - An automated security
assessment service that helps
improve the security and compliance
of applications deployed on AWS.

28. VirusBay
Registration Code:
“DEFCON27”