© 2020 Expel, Inc.
ATT&CKing the Cloud:
Hopping Between the Matrices
November 12, 2020 | Anthony Randazzo
GetCallerIdentity
~ 1.5 years leading response @ Expel
12+ years of SecOps
iSIGHT/FireEye
Fortune 25 Detection & Response
Disclaimer: not a cloud expert but frequent AWS D&R blog contributor
Kids, LEGO, whiskey
expel.io/blog
Agenda
ATT&CK for Cloud as we see it
Defending the control plane
Real world incident
Other applications of ATT&CK for Cloud
Takeaways
So what exactly is ATT&CK for Cloud?
Infra-as-a-Service Software-as-a-Service
How is this different from Enterprise ATT&CK?
Enterprise Matrices Cloud Matrices
Very different attack surfaces!
Control/Management Plane
And many more...
A shared responsibility...
Source: AWS
We have to protect this control plane, right?
Informs our detection strategy for this cloud attack surface.
What do we detect? Where do we even start?
How many AWS APIs are available in this control plane? Almost 10,000, you say?
How'd we build detections? Using OSTs, of course!
Source: Rhino Security Labs
What did an attack look like?
An unconventional coin miner...
What did the ATT&CK look like?
AWS [IaaS] Cloud
What did the ATT&CK look like?
Enterprise Linux
More examples of hopping between matrices!
AWS CLI access from multiple compromised keys > SSH access into EC2
boto3 SDK access of AWS SSM > sudo linux access (red team)
SSRF exploitation > EC2 instance credential access to control plane
RDS database ransom > used CloudTrail to identify when the weak password change occurred
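The "protect the control plane" slide asks where detection even starts among thousands of AWS APIs, and the hopping examples above show why a CloudTrail record has to be read in the context of who the caller is and where the call came from. The block below is an added example, not code from the deck or from Expel: it annotates constructed CloudTrail records with ATT&CK for Cloud technique IDs and flags two of the hops the deck lists. First, instance-profile credentials used from an address that is not the instance (the SSRF > EC2 instance credential > control plane path); EC2 names the STS session after the instance id, so the `userIdentity.arn` of such a caller ends in `/i-...`. Second, an RDS `ModifyDBInstance` call that carries `masterUserPassword` (CloudTrail masks the value but still records that it changed), which is the event the RDS ransom case was reconstructed from. The eventName-to-technique mapping, the instance IP inventory, the account id and every record are this example's own assumptions.

```python
"""CloudTrail triage sketch: map control-plane API calls to ATT&CK for Cloud and
flag two 'matrix hopping' patterns. Every record below is constructed sample
data, not real CloudTrail output."""
import ipaddress

# This example's own mapping of CloudTrail eventName -> ATT&CK technique. The IDs
# are real ATT&CK IDs; pairing a given eventName with a technique is an assumption.
EVENT_TO_TECHNIQUE = {
    "GetCallerIdentity": ("T1087.004", "Account Discovery: Cloud Account"),
    "DescribeInstances": ("T1580", "Cloud Infrastructure Discovery"),
    "RunInstances": ("T1578.002", "Modify Cloud Compute Infrastructure: Create Cloud Instance"),
    "CreateAccessKey": ("T1098.001", "Account Manipulation: Additional Cloud Credentials"),
    "ModifyDBInstance": ("T1098", "Account Manipulation"),
}

# Constructed inventory: public IPs each EC2 instance is expected to call the API from.
INSTANCE_IPS = {"i-0123456789abcdef0": {"203.0.113.10"}}

# Constructed sample records (RFC 5737 addresses, AWS docs example account id).
RECORDS = [
    # Normal: instance role used from the instance's own public IP.
    {"eventTime": "2020-11-12T14:00:01Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/web-role/i-0123456789abcdef0"}},
    # Suspicious: same instance role session, now used from an address that is not the instance.
    {"eventTime": "2020-11-12T14:03:22Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/web-role/i-0123456789abcdef0"}},
    {"eventTime": "2020-11-12T14:05:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/web-role/i-0123456789abcdef0"},
     "requestParameters": {"instancesSet": {"items": [{"instanceType": "p3.16xlarge", "minCount": 8}]}}},
    # RDS master password reset by an IAM user; CloudTrail masks the password value.
    {"eventTime": "2020-11-12T15:10:00Z", "eventSource": "rds.amazonaws.com",
     "eventName": "ModifyDBInstance", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ops-admin"},
     "requestParameters": {"dBInstanceIdentifier": "prod-db",
                           "masterUserPassword": "HIDDEN_DUE_TO_SECURITY_REASONS"}},
]


def instance_session_id(record):
    """Return the EC2 instance id when the caller is an instance-profile role session.
    EC2 names the STS session after the instance, so the session ARN ends in /i-<id>."""
    ident = record.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    session = ident.get("arn", "").rsplit("/", 1)[-1]
    return session if session.startswith("i-") else None


def is_ip(value):
    """CloudTrail also puts service names (e.g. ec2.amazonaws.com) in sourceIPAddress."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def triage(records, instance_ips=INSTANCE_IPS):
    """Annotate each record with a technique and any alerts; returns a timeline list."""
    timeline = []
    for rec in records:
        alerts = []
        name = rec.get("eventName", "")
        technique = EVENT_TO_TECHNIQUE.get(name, ("-", "unmapped"))
        src = rec.get("sourceIPAddress", "")
        instance = instance_session_id(rec)
        # Hop 1: instance-role credentials used from somewhere other than the instance
        # (SSRF -> metadata service -> control plane). ATT&CK T1552.005.
        if instance and is_ip(src) and src not in instance_ips.get(instance, set()):
            alerts.append(f"T1552.005 instance credentials for {instance} used off-instance from {src}")
        # Hop 2: RDS master password reset; the value is masked but the change is recorded.
        params = rec.get("requestParameters") or {}
        if name == "ModifyDBInstance" and "masterUserPassword" in params:
            alerts.append(f"RDS master password changed on {params.get('dBInstanceIdentifier')}")
        timeline.append({"time": rec.get("eventTime"), "event": name,
                         "principal": rec.get("userIdentity", {}).get("arn"),
                         "technique": technique[0], "alerts": alerts})
    return timeline


if __name__ == "__main__":
    for row in triage(RECORDS):
        print(row["time"], row["event"], row["technique"], row["alerts"] or "")
```

The off-instance check only works if the inventory of instance addresses is current, so in practice it is fed from `DescribeInstances` output or a CMDB rather than a hard-coded dict; calls routed through a VPC endpoint will show the instance's private address instead, which the inventory then has to include. The technique annotation is deliberately per-event: it gives an investigator the tactic timeline the deck's mind map is built around, while the alerts are the handful of conditions worth paging on.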
AWS mind map
for investigations
and incidents
MITRE ATT&CK Tactics
Sign up for an advanced
copy of our cheat sheet and
AWS mind map:
http://expel.io/mindmap
Takeaways
With lots of attack surface in the cloud, understanding both cloud and enterprise ATT&CK will help.
attacks in the cloud than in an enterprise [Windows] environment.
Cloud control planes are a target for automated attacks. This is the trend
Best charity ideas parents give their children’s
 
Managing Planning and Development of Citie- 26-2-24.docx
Managing Planning and  Development of  Citie-  26-2-24.docxManaging Planning and  Development of  Citie-  26-2-24.docx
Managing Planning and Development of Citie- 26-2-24.docx
 
War in Ukraine and problematics of the Ukrainian refugees in USA
War in Ukraine and problematics of the Ukrainian refugees in USAWar in Ukraine and problematics of the Ukrainian refugees in USA
War in Ukraine and problematics of the Ukrainian refugees in USA
 
2024: The FAR, Federal Acquisition Regulations - Part 16
2024: The FAR, Federal Acquisition Regulations - Part 162024: The FAR, Federal Acquisition Regulations - Part 16
2024: The FAR, Federal Acquisition Regulations - Part 16
 
SPONSORED CONTENT - MyGovWatch - RFP Cliches Debunked: What Government Buyers...
SPONSORED CONTENT - MyGovWatch - RFP Cliches Debunked: What Government Buyers...SPONSORED CONTENT - MyGovWatch - RFP Cliches Debunked: What Government Buyers...
SPONSORED CONTENT - MyGovWatch - RFP Cliches Debunked: What Government Buyers...
 
Item # 4 - Appointment of new PW Director
Item # 4 - Appointment of new PW DirectorItem # 4 - Appointment of new PW Director
Item # 4 - Appointment of new PW Director
 
OECD Webinar - ESG to deliver well-being in resource-rich regions: the role o...
OECD Webinar - ESG to deliver well-being in resource-rich regions: the role o...OECD Webinar - ESG to deliver well-being in resource-rich regions: the role o...
OECD Webinar - ESG to deliver well-being in resource-rich regions: the role o...
 
Item # 1a - March 18, 2024 Special CCM Minutes
Item # 1a - March 18, 2024 Special CCM MinutesItem # 1a - March 18, 2024 Special CCM Minutes
Item # 1a - March 18, 2024 Special CCM Minutes
 
Sensitivity Training for 2023 BSKE.pptx
Sensitivity Training for  2023 BSKE.pptxSensitivity Training for  2023 BSKE.pptx
Sensitivity Training for 2023 BSKE.pptx
 
For World Water Day 2024, we promote the vital link between water and peace.
For World Water Day 2024, we promote the vital link between water and peace.For World Water Day 2024, we promote the vital link between water and peace.
For World Water Day 2024, we promote the vital link between water and peace.
 
My Burning Issue: "War in Ukraine" Cycle 54
My Burning Issue: "War in Ukraine" Cycle 54My Burning Issue: "War in Ukraine" Cycle 54
My Burning Issue: "War in Ukraine" Cycle 54
 
Water for Prosperity and peace - United Nations World Water Development Repo...
Water for Prosperity and peace -  United Nations World Water Development Repo...Water for Prosperity and peace -  United Nations World Water Development Repo...
Water for Prosperity and peace - United Nations World Water Development Repo...
 
Water can create peace or spark conflict.
Water can create peace or spark conflict.Water can create peace or spark conflict.
Water can create peace or spark conflict.
 
Hub Design Inspiration Graphics for inspiration
Hub Design Inspiration Graphics for inspirationHub Design Inspiration Graphics for inspiration
Hub Design Inspiration Graphics for inspiration
 
O Conselho Estadual de Cultura e o Incentivo à Cultura no RS: relato de expe...
O Conselho Estadual de Cultura e o Incentivo à Cultura no RS:  relato de expe...O Conselho Estadual de Cultura e o Incentivo à Cultura no RS:  relato de expe...
O Conselho Estadual de Cultura e o Incentivo à Cultura no RS: relato de expe...
 
The Federal Perspective on Coverage of Medications to Treat Obesity: Consider...
The Federal Perspective on Coverage of Medications to Treat Obesity: Consider...The Federal Perspective on Coverage of Medications to Treat Obesity: Consider...
The Federal Perspective on Coverage of Medications to Treat Obesity: Consider...
 
CBO’s Work on Health Care and a Call for New Research
CBO’s Work on Health Care and a Call for New ResearchCBO’s Work on Health Care and a Call for New Research
CBO’s Work on Health Care and a Call for New Research
 
World Happiness Report 2024- Full Report
World Happiness Report 2024- Full ReportWorld Happiness Report 2024- Full Report
World Happiness Report 2024- Full Report
 

ATT&CKing the Cloud: Hopping Between the Matrices

  • 1. © 2020 Expel, Inc. ATT&CKing the Cloud: Hopping Between the Matrices November 12, 2020 | Anthony Randazzo
  • 2. GetCallerIdentity ~ 1.5 years leading response @ Expel 12+ years of SecOps iSIGHT/FireEye Fortune 25 Detection & Response Disclaimer: not a cloud expert but frequent AWS D&R blog contributor Kids, LEGO, whiskey expel.io/blog
  • 3. Agenda ATT&CK for Cloud as we see it Defending the control plane Real world incident Other applications of ATT&CK for Cloud Takeaways
  • 4. So what exactly is ATT&CK for Cloud? Infra-as-a-Service Software-as-a-Service
  • 5. How is this different from Enterprise ATT&CK? Enterprise Matrices Cloud Matrices Very different attack surfaces!
  • 6. Control/Management Plane And many more...
  • 7. A shared responsibility... Source: AWS
  • 8. We have to protect this control plane, right? Informs our detection strategy for this cloud attack surface What do we detect? Where do we even start? How many AWS APIs are available in this control plane? Almost 10,000, you say?
  • 9. How'd we build detections? Using OSTs, of course! Source: Rhino Security Labs
  • 10. What did an attack look like? An unconventional coin miner...
  • 11. What did the ATT&CK look like? AWS [IaaS] Cloud
  • 12. What did the ATT&CK look like? Enterprise Linux
  • 13. More examples of hopping between matrices! AWS CLI access from multiple compromised keys > SSH access into EC2 boto3 SDK access of AWS SSM > sudo linux access (red team) SSRF exploitation > EC2 instance credential access to control plane RDS database ransom > used CloudTrail to identify when weak password change occurred
  • 14. AWS mind map for investigations and incidents MITRE ATT&CK Tactics Sign up for an advanced copy of our cheat sheet and AWS mind map: http://expel.io/mindmap
  • 15. Takeaways With lots of attack surface in the cloud, understanding both cloud and enterprise ATT&CK will help. attacks in the cloud than in an enterprise [Windows] environment. Cloud control planes are a target for automated attacks. This is the trend
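Slides 8, 13 and 14 describe triaging control-plane API calls against both the cloud and the enterprise matrices; the following is an added illustration (example code, not Expel's, MITRE's or AWS's) that tags constructed CloudTrail records with a tactic, marks the points where activity hops from the cloud matrix to the Linux host matrix, and flags an access key used from several source IPs, as in the compromised-keys example on slide 13. The event-to-tactic mapping, the redacted `masterUserPassword` field used as the RDS password-change indicator, and the sample records are all this example's own assumptions.

```python
from collections import defaultdict
# Assumed mapping (this example's own, not MITRE's or Expel's): eventName -> (tactic, matrix).
EVENT_TACTICS = {
    "GetCallerIdentity": ("Discovery", "Cloud IaaS"),
    "RunInstances": ("Impact: resource hijacking", "Cloud IaaS"),
    "SendCommand": ("Execution", "Enterprise Linux"),  # SSM runs a command on the EC2 host
    "ModifyDBInstance": ("Impact: account access removal", "Cloud IaaS"),
}

def tag_event(event):
    """Map one CloudTrail record to a tactic/matrix tag, or None if it is not of interest."""
    name = event.get("eventName")
    if name not in EVENT_TACTICS:
        return None
    # Only an RDS master password change matters; CloudTrail is assumed to record the
    # password field redacted ("****"), so test for the field's presence, not its value.
    if name == "ModifyDBInstance" and "masterUserPassword" not in (event.get("requestParameters") or {}):
        return None
    tactic, matrix = EVENT_TACTICS[name]
    return {"time": event["eventTime"], "event": name, "tactic": tactic, "matrix": matrix,
            "key": event.get("userIdentity", {}).get("accessKeyId", "?"),
            "ip": event.get("sourceIPAddress")}

def build_timeline(records):
    """Order tagged events by time and list each hop from one matrix to the other."""
    tagged = sorted(filter(None, map(tag_event, records)), key=lambda e: e["time"])
    hops = [(a["event"], b["event"]) for a, b in zip(tagged, tagged[1:])
            if a["matrix"] != b["matrix"]]
    return tagged, hops

def keys_from_many_ips(tagged, threshold=2):
    """Access keys used from >= threshold distinct source IPs: a shared or stolen key signal."""
    ips = defaultdict(set)
    for e in tagged:
        ips[e["key"]].add(e["ip"])
    return sorted(k for k, s in ips.items() if len(s) >= threshold)

# Constructed CloudTrail records for the demo (not real data); only the fields used are kept.
SAMPLE = [
    {"eventTime": "2020-11-12T01:00:00Z", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"accessKeyId": "AKIAEXAMPLE1"}},
    {"eventTime": "2020-11-12T01:02:00Z", "eventName": "RunInstances",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"accessKeyId": "AKIAEXAMPLE1"}},
    {"eventTime": "2020-11-12T01:05:00Z", "eventName": "SendCommand",
     "sourceIPAddress": "203.0.113.9", "userIdentity": {"accessKeyId": "AKIAEXAMPLE1"}},
    {"eventTime": "2020-11-12T01:09:00Z", "eventName": "ModifyDBInstance", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE1"}, "requestParameters": {"masterUserPassword": "****"}},
    {"eventTime": "2020-11-12T01:10:00Z", "eventName": "ModifyDBInstance", "sourceIPAddress": "192.0.2.4",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE2"}, "requestParameters": {"applyImmediately": True}},  # routine
]
```

Running `build_timeline(SAMPLE)` yields two hops (cloud to Linux at `SendCommand`, back to cloud at the password change) and `keys_from_many_ips` reports `AKIAEXAMPLE1`, the key seen from two addresses.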