Greg Foss, profile picture
Uploaded byGreg Foss
PPTX, PDF174 views

Cloud Crime Ops

The document presents a detailed analysis of the rising threat of cybercrime, particularly in the context of cloud computing, which is generating $1.5 trillion annually. It explores various tactics and techniques used in ransomware attacks, especially within AWS environments, outlining the importance of early detection and comprehensive security measures. Additionally, it discusses the underground economy and cryptocurrency-related attack vectors that further complicate the cybersecurity landscape.

Embed presentation

Download to read offline
Enterprise-Grade Crime Ops Cybercrime Industrialization in the Cloud
whoami Greg Foss OSCP, paCSP, GMON, GPEN, GAWN, GWAPT, GCIH, C|EH, APT Principal Cloud Security Researcher Lacework Labs @35Foss
Cybercrime - $1.5 Trillion in revenue annually Source: Atlastvpn Blog: Cybercrime annual revenue is 3 times bigger than Walmart’s
Supply Chain Attacks – The “New” Hotness
Turning all your bad feelings into good feelings Cloud Computing BUILD CODE TEST PLAN PUSH DEPLOY OPERATE MONITOR
Leveraging your cloud to attack your customers Cloud Compromise DISRUPT BACKDOOR CODE MONITOR MODIFY DESTROY INFECT ENCRYPT MONETIZE
Tactical Cloud Compromise
MITRE ATT&CK – Ransomware Tactics Traditional Ransomware: Significant number of required tactics and techniques leads to an abundance of detection potential Recon Resource Dev Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection C2 Exfiltration Impact Color Key: Used Sometimes Used / Skipped Skipped
MITRE ATT&CK – Ransomware Tactics Traditional Ransomware: Cloud Ransomware: Recon Resource Dev Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection C2 Exfiltration Impact Recon Resource Dev Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection C2 Exfiltration Impact Color Key: Used Sometimes Used / Skipped Skipped
MITRE ATT&CK – Ransomware Tactics Traditional Ransomware: Cloud Ransomware: Recon Resource Dev Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection C2 Exfiltration Impact Recon Resource Dev Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection C2 Exfiltration Impact Color Key: Used Sometimes Used / Skipped Skipped Configuration Hardening
Cloud Initial Access – AWS Example Recon Resource Dev Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection C2 Exfiltration Impact Typically exploit a web vulnerability to execute code on the server (RCE), then look for AWS access keys
Cloud Reconnaissance – AWS Example Recon Resource Dev Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection C2 Exfiltration Impact
Cloud Reconnaissance – AWS Detection Potential
Cloud Discovery – AWS Example Recon Resource Dev Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection C2 Exfiltration Impact
Cloud Discovery – AWS Detection Potential
Cloud Exfiltration – AWS Example Both Collection and Exfiltration often go hand-in-hand within the cloud… Recon Resource Dev Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection C2 Exfiltration Impact
Cloud Impact – AWS Ransomware Example 7 awscli commands Under 30-seconds No other recovery PoC courtesy of: Michael Bentley Recon Resource Dev Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection C2 Exfiltration Impact
Focus on Early Detection and Eradication “Left of Bang” “Right of Bang” Prevention, Compliance, Detection Fallout, Incident Response, Recovery Time
Cloud Persistence – AWS Example Recon Resource Dev Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection C2 Exfiltration Impact
Cloud Privilege Escalation – AWS Example Assume Role Method Recon Resource Dev Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection C2 Exfiltration Impact
Cloud Credential Access – AWS Example Recon Resource Dev Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection C2 Exfiltration Impact
Underground Economy
Initial Access Brokers Selling access to compromised corporate assets, via passwords, keys, cookies, logs, shells, etc.
Access Markets Remote Desktop Protocol (RDP) Secure Shell (SSH) Web Shells (Compromised Websites) SMTP Services and Webmail Session Tokens Logs Credentials Keys Access Marketplace Offerings:
Access Resale Compromise Initial Access via Slack Cookies purchased for $10 Internal Social Engineering Obtained priceless source code Significant brand and financial impact…
Most Common Cryptocurrency Attack Vectors • Cryptojacking • Monetization of the target’s CPU/GPU • Reverse Proxy Phishing • Domain Spoofing MITM attack • Sniff traffic to bypass MFA • Clipping • Infecting a target system / hardware wallet • Stealing crypto during transactions • Hot-swapping wallet addresses • Dusting • De-anonymizing target wallets through small transactions in order to monitor • Used offensively and defensively
Cryptojacking It’s rarely just cryptocurrency mining Someone has gained unauthorized access Impact is only limited by creativity Adversaries want diversity in monetization Single compromised host is bad… What about Cloud Root Keys? The tools themselves can expand your organization’s attack surface Jared Stroud – Examining Vulnerabilities within Cryptocurrency Miners: https://www.lacework.com/blog/hidden-bugs-in-the-mines-examining-vulnerabilities-within-cryptocurrency-miners/
Cloud Service Providers – Ideal Targets
Training Rotate Keys Multifactor Authentication Utilization Limits Vulnerability Management Patch Management Compliance Defense in Depth IR Playbooks Awareness Visibility Alerting Proactive Cloud Security
Thank You! Greg.Foss@lacework.net @35Foss Twitter: @LaceworkLabs LinkedIn: Lacework Labs YouTube: Lacework Labs

More Related Content

PDF
Containers at risk a review of 21,000 cloud environments
bydhubbard858
 
PPTX
Optimize your AWS FEST - N2WS session - Addressing the Relentless Threat of R...
byOK2OK
 
PPTX
Lacework AWS Security Week Presentation
byLacework
 
PDF
Advanced Threat Defense Intel Security
byxband
 
PDF
Next Dimension and Veeam | Solutions for PIPEDA Compliance
byNext Dimension Inc.
 
PPTX
Esteban Próspero
byClusterCba
 
PDF
WannaCry Ransomware Attack: What to Do Now
byIBM Security
 
PPTX
Webinar: DRaaS - It’s Not Just For Disasters Anymore
byStorage Switzerland
 
Containers at risk a review of 21,000 cloud environments
bydhubbard858
 
Optimize your AWS FEST - N2WS session - Addressing the Relentless Threat of R...
byOK2OK
 
Lacework AWS Security Week Presentation
byLacework
 
Advanced Threat Defense Intel Security
byxband
 
Next Dimension and Veeam | Solutions for PIPEDA Compliance
byNext Dimension Inc.
 
Esteban Próspero
byClusterCba
 
WannaCry Ransomware Attack: What to Do Now
byIBM Security
 
Webinar: DRaaS - It’s Not Just For Disasters Anymore
byStorage Switzerland
 

What's hot

PDF
Addressing the cyber kill chain
bySymantec Brasil
 
PPTX
Steve Porter : cloud Computing Security
byGurbir Singh
 
PDF
Reality Check: Security in the Cloud
byAlert Logic
 
PDF
Behind the scene of malware operators. Insights and countermeasures. CONFiden...
byMarco Balduzzi
 
PDF
Atelier Technique CISCO ACSS 2018
byAfrican Cyber Security Summit
 
PPTX
Cloud Resilience and Container Workload Automation
byOK2OK
 
PDF
Reducing Your Attack Surface
byAlert Logic
 
PPTX
Hands on Security - Disrupting the Kill Chain Breakout Session
bySplunk
 
PPTX
Industry reactions to wanna cry ransomware attacks
bykevinmass30
 
PDF
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
byAlert Logic
 
PDF
Web Application Security
byMarketingArrowECS_CZ
 
PDF
Infosec 2014: Risk Analytics: Using Your Data to Solve Security Challenges
bySkybox Security
 
PDF
Realities of Security in the Cloud
byAlert Logic
 
PDF
Realities of Security in the Cloud
byAlert Logic
 
PDF
Tenable Solutions for Enterprise Cloud Security
byMarketingArrowECS_CZ
 
PDF
Realities of Security in the Cloud
byAlert Logic
 
PDF
Take the Ransom Out of Ransomware
byUnitrends
 
PDF
Cloud Security Architecture - a different approach
byEC-Council
 
PDF
Issa jason dablow
byISSA LA
 
PDF
Hands on Security, Disrupting the Kill Chain, SplunkLive! Austin
bySplunk
 
Addressing the cyber kill chain
bySymantec Brasil
 
Steve Porter : cloud Computing Security
byGurbir Singh
 
Reality Check: Security in the Cloud
byAlert Logic
 
Behind the scene of malware operators. Insights and countermeasures. CONFiden...
byMarco Balduzzi
 
Atelier Technique CISCO ACSS 2018
byAfrican Cyber Security Summit
 
Cloud Resilience and Container Workload Automation
byOK2OK
 
Reducing Your Attack Surface
byAlert Logic
 
Hands on Security - Disrupting the Kill Chain Breakout Session
bySplunk
 
Industry reactions to wanna cry ransomware attacks
bykevinmass30
 
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
byAlert Logic
 
Web Application Security
byMarketingArrowECS_CZ
 
Infosec 2014: Risk Analytics: Using Your Data to Solve Security Challenges
bySkybox Security
 
Realities of Security in the Cloud
byAlert Logic
 
Realities of Security in the Cloud
byAlert Logic
 
Tenable Solutions for Enterprise Cloud Security
byMarketingArrowECS_CZ
 
Realities of Security in the Cloud
byAlert Logic
 
Take the Ransom Out of Ransomware
byUnitrends
 
Cloud Security Architecture - a different approach
byEC-Council
 
Issa jason dablow
byISSA LA
 
Hands on Security, Disrupting the Kill Chain, SplunkLive! Austin
bySplunk
 

Similar to Cloud Crime Ops

PDF
Top 10 Threats to Cloud Security
bySBWebinars
 
PPT
CyberCrime in the Cloud and How to defend Yourself
byAlert Logic
 
PDF
20130321 Cybercrime threats on e-commerce online shops
byLuc Beirens
 
PPTX
LIFT OFF 2017: Ransomware and IR Overview
byRobert Herjavec
 
PPTX
The-Evolving-Cybersecurity-Landscape.pptx
byVLink Inc
 
PDF
DEF CON 25 - Gerald-Steere-and-Sean-Metcalf-Hacking-the-Cloud.pdf
bywerhkr1
 
PPTX
Lacework | Top 10 Cloud Security Threats
byLacework
 
PDF
Presd1 10
byNiels Groeneveld
 
PPTX
Keynote at the Cyber Security Summit Prague 2015
byClaus Cramon Houmann
 
PPT
Cyber-Security-Presentation-2_2017.pptx.ppt
byNiteshRajput1123
 
PPTX
The Evolution of Cybercrime
byStephen Cobb
 
PPTX
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
byEC-Council
 
PPTX
Your cyber security webinar
byIntergen
 
PDF
GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...
byJames Anderson
 
PPTX
Building Cyber Resilience: No Safe Harbor
byAdvanced Technology Consulting (ATC)
 
PPTX
Best cloud security practices with MITRE ATT&CK
byShriya Rai
 
PPTX
Practical Security for the Cloud
byChirag Joshi, CISA, CISM, CRISC
 
PDF
The Anatomy of a Cloud Security Breach
byCloudLock
 
PPTX
Cybersecurity Training For Sales People.pptx
bysubodh258201
 
PPTX
cloudComputingSec_p3.pptx
bySteven Quach
 
Top 10 Threats to Cloud Security
bySBWebinars
 
CyberCrime in the Cloud and How to defend Yourself
byAlert Logic
 
20130321 Cybercrime threats on e-commerce online shops
byLuc Beirens
 
LIFT OFF 2017: Ransomware and IR Overview
byRobert Herjavec
 
The-Evolving-Cybersecurity-Landscape.pptx
byVLink Inc
 
DEF CON 25 - Gerald-Steere-and-Sean-Metcalf-Hacking-the-Cloud.pdf
bywerhkr1
 
Lacework | Top 10 Cloud Security Threats
byLacework
 
Presd1 10
byNiels Groeneveld
 
Keynote at the Cyber Security Summit Prague 2015
byClaus Cramon Houmann
 
Cyber-Security-Presentation-2_2017.pptx.ppt
byNiteshRajput1123
 
The Evolution of Cybercrime
byStephen Cobb
 
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
byEC-Council
 
Your cyber security webinar
byIntergen
 
GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...
byJames Anderson
 
Building Cyber Resilience: No Safe Harbor
byAdvanced Technology Consulting (ATC)
 
Best cloud security practices with MITRE ATT&CK
byShriya Rai
 
Practical Security for the Cloud
byChirag Joshi, CISA, CISM, CRISC
 
The Anatomy of a Cloud Security Breach
byCloudLock
 
Cybersecurity Training For Sales People.pptx
bysubodh258201
 
cloudComputingSec_p3.pptx
bySteven Quach
 

More from Greg Foss

PPTX
Future of Destructive Malware
byGreg Foss
 
PDF
Crypto Hacks - Quit your Job and Become a Crypto Farmer
byGreg Foss
 
PDF
PIE - BSides Vancouver 2018
byGreg Foss
 
PDF
Phishing Intelligence Engine - BlueHat v17
byGreg Foss
 
PDF
Security Automation and Orchestration
byGreg Foss
 
PDF
Activated Charcoal - Making Sense of Endpoint Data
byGreg Foss
 
PDF
Threat Intelligence Field of Dreams
byGreg Foss
 
PDF
Deception Driven Defense - Infragard 2016
byGreg Foss
 
PDF
SecureSet WarGames - Logging and Packet Capture Training
byGreg Foss
 
PDF
DerbyCon 5 - Tactical Diversion-Driven Defense
byGreg Foss
 
PDF
Advanced Threats and Lateral Movement Detection
byGreg Foss
 
PDF
Honeypots for Active Defense
byGreg Foss
 
PDF
Wi-Fi Hotspot Attacks
byGreg Foss
 
PDF
CMS Hacking Tricks - DerbyCon 4 - 2014
byGreg Foss
 
PDF
Attacking Drupal
byGreg Foss
 
Future of Destructive Malware
byGreg Foss
 
Crypto Hacks - Quit your Job and Become a Crypto Farmer
byGreg Foss
 
PIE - BSides Vancouver 2018
byGreg Foss
 
Phishing Intelligence Engine - BlueHat v17
byGreg Foss
 
Security Automation and Orchestration
byGreg Foss
 
Activated Charcoal - Making Sense of Endpoint Data
byGreg Foss
 
Threat Intelligence Field of Dreams
byGreg Foss
 
Deception Driven Defense - Infragard 2016
byGreg Foss
 
SecureSet WarGames - Logging and Packet Capture Training
byGreg Foss
 
DerbyCon 5 - Tactical Diversion-Driven Defense
byGreg Foss
 
Advanced Threats and Lateral Movement Detection
byGreg Foss
 
Honeypots for Active Defense
byGreg Foss
 
Wi-Fi Hotspot Attacks
byGreg Foss
 
CMS Hacking Tricks - DerbyCon 4 - 2014
byGreg Foss
 
Attacking Drupal
byGreg Foss
 

Recently uploaded

PDF
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
PDF
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
PDF
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
PDF
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
PPTX
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
PDF
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
PPTX
Celonis Optimizing your future with process
bydevjeremyappleyard
 
PDF
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
PDF
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 
PDF
apidays New York 2025 | AI in Application Security
byapidays
 
PPTX
PPTX game guess the logo with a twistppt
byAdrianAnig
 
PDF
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
PDF
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
PPTX
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
PPTX
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
PDF
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
PDF
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
PDF
final.pdf
byomarbishtawi04
 
PDF
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
PDF
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
Celonis Optimizing your future with process
bydevjeremyappleyard
 
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 
apidays New York 2025 | AI in Application Security
byapidays
 
PPTX game guess the logo with a twistppt
byAdrianAnig
 
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
final.pdf
byomarbishtawi04
 
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 

Cloud Crime Ops

  • 1.
    Enterprise-Grade Crime Ops CybercrimeIndustrialization in the Cloud
  • 2.
    whoami Greg Foss OSCP, paCSP,GMON, GPEN, GAWN, GWAPT, GCIH, C|EH, APT Principal Cloud Security Researcher Lacework Labs @35Foss
  • 3.
    Cybercrime - $1.5Trillion in revenue annually Source: Atlastvpn Blog: Cybercrime annual revenue is 3 times bigger than Walmart’s
  • 4.
    Supply Chain Attacks– The “New” Hotness
  • 9.
    Turning all yourbad feelings into good feelings Cloud Computing BUILD CODE TEST PLAN PUSH DEPLOY OPERATE MONITOR
  • 10.
    Leveraging your cloudto attack your customers Cloud Compromise DISRUPT BACKDOOR CODE MONITOR MODIFY DESTROY INFECT ENCRYPT MONETIZE
  • 11.
  • 12.
    MITRE ATT&CK –Ransomware Tactics Traditional Ransomware: Significant number of required tactics and techniques leads to an abundance of detection potential Recon Resource Dev Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection C2 Exfiltration Impact Color Key: Used Sometimes Used / Skipped Skipped
  • 13.
    MITRE ATT&CK –Ransomware Tactics Traditional Ransomware: Cloud Ransomware: Recon Resource Dev Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection C2 Exfiltration Impact Recon Resource Dev Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection C2 Exfiltration Impact Color Key: Used Sometimes Used / Skipped Skipped
  • 14.
    MITRE ATT&CK –Ransomware Tactics Traditional Ransomware: Cloud Ransomware: Recon Resource Dev Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection C2 Exfiltration Impact Recon Resource Dev Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection C2 Exfiltration Impact Color Key: Used Sometimes Used / Skipped Skipped Configuration Hardening
  • 15.
    Cloud Initial Access– AWS Example Recon Resource Dev Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection C2 Exfiltration Impact Typically exploit a web vulnerability to execute code on the server (RCE), then look for AWS access keys
  • 16.
    Cloud Reconnaissance –AWS Example Recon Resource Dev Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection C2 Exfiltration Impact
  • 17.
    Cloud Reconnaissance –AWS Detection Potential
  • 18.
    Cloud Discovery –AWS Example Recon Resource Dev Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection C2 Exfiltration Impact
  • 19.
    Cloud Discovery –AWS Detection Potential
  • 20.
    Cloud Exfiltration –AWS Example Both Collection and Exfiltration often go hand-in-hand within the cloud… Recon Resource Dev Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection C2 Exfiltration Impact
  • 21.
    Cloud Impact –AWS Ransomware Example 7 awscli commands Under 30-seconds No other recovery PoC courtesy of: Michael Bentley Recon Resource Dev Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection C2 Exfiltration Impact
  • 22.
    Focus on EarlyDetection and Eradication “Left of Bang” “Right of Bang” Prevention, Compliance, Detection Fallout, Incident Response, Recovery Time
  • 23.
    Cloud Persistence –AWS Example Recon Resource Dev Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection C2 Exfiltration Impact
  • 24.
    Cloud Privilege Escalation– AWS Example Assume Role Method Recon Resource Dev Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection C2 Exfiltration Impact
  • 25.
    Cloud Credential Access– AWS Example Recon Resource Dev Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection C2 Exfiltration Impact
  • 26.
  • 27.
    Initial Access Brokers Sellingaccess to compromised corporate assets, via passwords, keys, cookies, logs, shells, etc.
  • 28.
    Access Markets Remote DesktopProtocol (RDP) Secure Shell (SSH) Web Shells (Compromised Websites) SMTP Services and Webmail Session Tokens Logs Credentials Keys Access Marketplace Offerings:
  • 29.
    Access Resale Compromise Initial Accessvia Slack Cookies purchased for $10 Internal Social Engineering Obtained priceless source code Significant brand and financial impact…
  • 30.
    Most Common CryptocurrencyAttack Vectors • Cryptojacking • Monetization of the target’s CPU/GPU • Reverse Proxy Phishing • Domain Spoofing MITM attack • Sniff traffic to bypass MFA • Clipping • Infecting a target system / hardware wallet • Stealing crypto during transactions • Hot-swapping wallet addresses • Dusting • De-anonymizing target wallets through small transactions in order to monitor • Used offensively and defensively
  • 31.
    Cryptojacking It’s rarely justcryptocurrency mining Someone has gained unauthorized access Impact is only limited by creativity Adversaries want diversity in monetization Single compromised host is bad… What about Cloud Root Keys? The tools themselves can expand your organization’s attack surface Jared Stroud – Examining Vulnerabilities within Cryptocurrency Miners: https://www.lacework.com/blog/hidden-bugs-in-the-mines-examining-vulnerabilities-within-cryptocurrency-miners/
  • 34.
    Cloud Service Providers– Ideal Targets
  • 35.
    Training Rotate Keys Multifactor Authentication UtilizationLimits Vulnerability Management Patch Management Compliance Defense in Depth IR Playbooks Awareness Visibility Alerting Proactive Cloud Security
  • 36.