At Praetorian, we pride ourselves on our extensive expertise in cloud security and our commitment to staying at the forefront of the ever-evolving landscape. We consequently were excited to attend the highly anticipated fwd:cloudsec 2023 conference held on June 12-13 in Anaheim, CA. This non-profit conference brings together cloud security professionals, researchers, and practitioners from various industries to delve into the intricacies of cloud security. We find that the welcoming environment ensures everyone, from newcomers to seasoned cloud security veterans, has an enriching experience.

Unlike vendor-focused events, fwd:cloudsec provides a unique platform for in-depth discussions on all major cloud platforms, attack and defense research, the limitations of security features, and the pros and cons of different security strategies. This year, we especially enjoyed presentations by Daniel Heinsen and Elad Shamir, Nathan Eades, and Mike Grima.

This year also included a Cloud Incident Response Capture the Flag competition, which one of our engineers, Jimmy Chang, won on a team with a former Praetorian team member, Jason Kao. This challenge was especially well-implemented, and the designers, Rich Mogull and Will Bengston, did an excellent job balancing instruction with empowering competitors to discover their own solutions, such as through AWS services like Athena and CloudTrail. The content and technical challenges make fwd:cloudsec an ideal environment for cloud practitioners and leaders seeking valuable insights and knowledge independent of CSP vendors.

In this article, we delve into the top four themes that emerged from fwd:cloudsec 2023:

  1. Shared experiences and approaches of Cloud Attack Path Discovery and Threat Modeling
  2. Gaps, attacks, and solutions for Security Logging, Analysis, Evasion, and Automation
  3. How IAM Boundaries, Organizational IAM Policies, and Guardrails really work
  4. Practical approaches for Vulnerability Management and Misconfigurations

Cloud Attack Path Discovery and Threat Modeling

Enterprise cloud security increases in complexity as your attack surface expands. Equipping your security teams with the techniques and tools to discover attack paths in your cloud as an attacker would enables your defenders to identify potential vulnerabilities and exploit them before malicious actors can. For example, a comprehensive threat modeling process focuses on the nuances of detecting and defending against cloud-based attacks by enumerating critical assets, attack surface, and potential attack vectors that malicious actors can leverage. Tyson Garrett and Jason Nelson provided a compelling case study that demonstrates these benefits. Alternatively, you can help your security teams gain insight into adversary behaviors and adapt legacy detection techniques to your cloud environment by applying the MITRE ATT&CK framework specifically tailored for the cloud.

Both of these example methodologies enable a proactive approach to threat mitigation, minimizing potential damage and reducing the impact of attacks. Prioritizing Cloud Attack Path Discovery and Threat Modeling delivers the following benefits, as emphasized during fwd:cloudsec 2023:

  • Proactive Security: Security teams that identify and exploit cloud attack paths can proactively address vulnerabilities. Jasmine Henry and Renee Beckloff explained how to stay ahead of the ever-changing cloud technology stack and ensure that organizations mitigate potential weaknesses before they can be exploited.
  • Real-world Insights: As Seth Art discussed in his presentation, the use of intentionally vulnerable cloud environments when pursuing this methodology provides valuable real-world insights into potential attack vectors, enabling security practitioners to understand the techniques and strategies employed by attackers.
  • Improved Defense Strategies: Cloud Attack Path Discovery and Threat Modeling equips organizations with the knowledge and tools to develop effective defense strategies tailored to the cloud environment. We heard from the MITRE gurus themselves, Casey Knerr and Jesse Griggs, that by leveraging the MITRE ATT&CK framework, security teams can detect, respond to, and defend against cloud-based attacks more effectively.
  • Heightened Incident Response: With enhanced detection capabilities, organizations can respond swiftly and effectively to cloud-based security incidents, reducing the overall impact and potential damages.

Security Logging, Analysis, Evasion, and Automation

Security logging and analysis are essential for comprehensive threat hunting, detection, and incident response. Talks at fwd:cloudsec 2023 shed light on strategies for processing security event logs, optimizing for speed and cost, and leveraging real-time event enrichment. By implementing robust security logging practices, organizations can gain valuable insights into potential threats, detect anomalies, and respond swiftly to security incidents. This all contributes to bolstering their overall security posture.

Addressing evasion techniques, such as those aimed at bypassing AWS CloudTrail logging, is crucial to maintain the integrity and effectiveness of security measures. In light of Nick Frichette’s warning about attackers’ methods to bypass CloudTrail detection, we learned from Josh Liburdi about ways to leverage best practices in our logging tools. Countermeasures and vulnerabilities discussed during the conference provide security professionals with the knowledge and tools to detect and mitigate evasion attempts, reducing the risk of undetected malicious activities.

Moreover, the talks explored the advantages of building infrastructure-wide components and automating AWS infrastructure deployment. This not only enhances the management, security, and scalability of cloud environments but also ensures consistent and secure configurations throughout the infrastructure. Leveraging Cloud Security Posture Management (CSPM) solutions, following David White’s success criteria, further streamlines security operations and enables organizations to identify and remediate misconfigurations, monitor compliance, and effectively manage their cloud environment.

Understanding the theme of Security Logging, Analysis, Evasion, and Automation offers the following advantages and benefits for enterprise cloud security:

  • Enhanced Threat Detection and Response: Organizations that implement effective security logging and analysis techniques can proactively detect and respond to potential threats. This reduces the time to identify and mitigate security incidents through thorough analysis of the cloud environment leveraging best practices that Amitai Cohen and Merav Bar identified.
  • Mitigation of Evasion Techniques: By understanding and addressing evasion techniques, organizations can thwart attempts to bypass security measures, ensuring the integrity of their logging and monitoring systems.
  • Improved Operational Efficiency: Automating infrastructure deployment and leveraging CSPM solutions streamline security operations and reduce manual effort, enabling security teams to focus on critical tasks such as threat hunting and incident response.
  • Scalability and Consistency: Building enterprise-wide components and leveraging automation ensure consistent and secure configurations across the cloud environment, supporting scalability while reducing the risk of misconfigurations. Josh Liburdi taught us about the benefits of serverless architecture and its role in scalability, and many speakers this year hit on the methods to do this securely.

IAM Boundaries, Organizational IAM Policies, and Guardrails

The establishment of IAM boundaries and organizational policies is fundamental to protecting against unknown threats, compromised identities, and the potential damage caused by compromised credentials. Talks at fwd:cloudsec 2023 emphasized the importance of these practices and provided insights into the negotiation skills and evaluation matrices that aid in defining effective IAM boundaries.

IAM boundaries allow organizations to set limitations and control access to cloud resources, minimizing the potential for unauthorized access or privilege escalation. By defining boundaries and implementing fine-grained permissions, security professionals can reduce the attack surface and enforce least privilege principles, bolstering overall cloud security.

Organizational IAM policies play a pivotal role in establishing consistent access controls, defining roles and responsibilities, and ensuring compliance with regulatory requirements. These policies provide a framework for managing identities, permissions, and user provisioning, fostering a secure cloud environment.

The implementation of guardrails further enhances cloud security by enforcing policies, monitoring configurations, and providing automated checks and balances. John Burgess taught us how to establish clearer boundaries utilizing guardrails to act as proactive measures to prevent and detect potential security issues, and Jasmine Henry and Renee Beckloff reinforced how to ensure cloud resources and identities adhere to the organization’s security standards and policies.

Understanding the theme of IAM Boundaries, Organizational IAM Policies, and Guardrails offers several advantages and benefits for enterprise cloud security:

  • Minimized Attack Surface: By implementing effective IAM boundaries, organizations can reduce the attack surface. Ultimately, this helps limit access to sensitive resources and reduces the risk of unauthorized access or privilege misuse. Scott Weston also taught us about the benefits of consolidating cloud users under a single organization, minimizing attack surface in the cloud while also streamlining workflows.
  • Compliance and Regulatory Alignment: Well-defined organizational IAM policies ensure compliance with industry regulations and standards. This offers a two-fold benefit of maintaining customer trust and minimizing the risk of non-compliance penalties.
  • Enforced Least Privilege: IAM boundaries and policies enable the enforcement of least privilege principles and can empower developer and engineering teams, as Kushagra Sharma discussed. These ensure that users have only the necessary permissions to perform their designated tasks, thereby reducing the potential impact of compromised credentials and following Josh Snyder’s guidance for optimizing the principle of least privilege.
  • Streamlined Access Management: By establishing clear roles and responsibilities and automating user provisioning, organizations can streamline access management processes, reducing administrative overhead and enhancing operational efficiency. Andre Rall went into great detail to identify some of the lesser-known use cases and strategies to address these concerns.

Vulnerability Management and Misconfigurations

Talks at fwd:cloudsec 2023 highlighted the importance of identifying, exploiting, and mitigating vulnerabilities and misconfigurations, including Asaf Aprozper’s take on lookalike IP ranges and Matthew Keogh’s presentation on vulnerabilities in cloud services like AWS Elastic Disaster Recovery.

Deep dives into these vulnerabilities and misconfigurations provide security professionals with invaluable insights into potential risks and attack vectors. Rojan Rijal taught us about GitHub misconfiguration-based attack vectors related to supply chain issues and OpenID Connect integrations. Leveraging an outside-in perspective like the one Nir Ohfeld and Hillai Ben-Sasson shared in their presentation can help in proactively addressing issues such as publicly exposed cloud resources. Understanding these types of risks and implementing robust practices enables proactive vulnerability management, allowing organizations to identify and address weaknesses before malicious actors can exploit them.

This proactive approach helps minimize the window of opportunity for attackers and reduces overall risk exposure by providing the following benefits:

  • Enhanced Risk Mitigation: By gaining insights into specific vulnerabilities and misconfigurations, security professionals can implement targeted mitigation strategies, reducing the likelihood of successful attacks and minimizing potential damage.
  • Proactive Vulnerability Management: Deep dives into vulnerabilities provide security leaders and engineers with the knowledge to prioritize and remediate vulnerabilities effectively, reducing the attack surface and strengthening the security posture of their cloud infrastructure.
  • Compliance and Regulatory Adherence: By addressing vulnerabilities and misconfigurations, organizations can ensure compliance with industry regulations and data protection standards, protecting sensitive data and maintaining customer trust. Jasmine Henry and George Tang taught us how to iterate on security to stay ahead of compliance and make it seamless.
  • Continuous Improvement: Security professionals who remain updated on emerging vulnerabilities and misconfigurations can continually enhance their understanding of potential risks and adapt their security measures to mitigate new threats effectively. Tyson Garrett and Jason Nelson focused heavily on this theme to promote and encourage policies and procedures that enable developer and engineering teams.

Conclusion

The themes at fwd:cloudsec 2023 highlight the importance of proactive vulnerability management and effective misconfiguration mitigation in securing enterprise cloud infrastructure. By deep-diving into specific vulnerabilities and misconfigurations, security professionals gain valuable insights into potential risks and implement targeted mitigation strategies. Staying informed about these practices is crucial for cloud security leaders and engineers in 2023 and beyond as they strive to protect their organizations’ cloud environments, mitigate risks, and fortify their overall security postures.