
So, thank you very much. And I'm going to introduce our next speaker. It is Felipe Perez, and Felipe is going to be talking a little bit about misconfiguration-driven cloud attacks and graph-based exploration. It's going to be amazing. I saw the abstract. He's fantastic. Felipe comes to us from where? >> Originally, yeah. Yeah. Originally, yeah. >> From Brazil. >> From Brazil. So, an international speaker here already. That's fantastic. And also just a special fun fact about him: he's got four kids, including twins, and still manages to have enough time to come out and present to us. So thank you very much, Felipe, and I'll let you take it away.
Can you hear me, guys? Yeah. Can you hear me? >> Yeah. >> Okay. Just one day he asked me about where I'm from. So the correct answer is: it depends, like technology, because my family is living right now in Portugal, but I'm based in Dallas, out of Dallas, but I'm Brazilian. It's quite confusing, but that makes sense. But let's say the Amazon package arrived in Portugal. That's the good answer. Okay, that's the point. Okay, so thank you again to the staff for having me here. It's a pleasure to be here, and this morning actually I'm trying to divide this conversation in two parts. The first part is more the [ __ ] part, like
the theoretical part. I don't know if you can say, I can tell you, you know, the [ __ ] part, but anyway, it's the theoretical part. I know that you don't like the theoretical part, but it's important. And the second part is the more sexy part, more the technical things. Okay, and that's it. Okay, a few pieces of information about me. Nowadays I'm head of Identity Threat Labs and global product advocate. This is just an important name for my family, but anyway, I'm responsible for this lab, Identity Threat Labs. Basically the thing we do in this company is to investigate new threats, understanding how they work and how they are using different techniques. I
published one of these articles, one of these investigations about malicious PDFs, three days ago. It was very nice and I published it on my LinkedIn, and after that I can share my contact if you would like to, you know, scan the QR code. Good luck, but anyway, that's our idea. So I'm involved with the community. I'm a director and sponsor of the Red Team Village; probably you heard about this community, it's one of the communities at DEF CON. And I'm founder of the Red Team Community. This community is involved with Brazilian and Latino people. Basically our idea is to spread the message about the red team. I know this is a blue, you know,
track, but I'm involved with the red team as well. And I'm an AWS Builder, part of this program as well. So just a few pieces of information about me, just to clarify. This is the company that I've been working for, Segura. It is a Brazilian company, by the way, but it's a global company; the name is a Portuguese name, basically. And this company is involved with identity security, as you can see, and basically my challenge in this company is to investigate how the attackers are exploring identities, not only in the cloud but on premises and hybrid, whatever, just to understand how they are using misconfigurations, as I will show you this morning,
and how they are exploring this type of thing. Okay. So let's talk about the bushet part, the theoretical part, just to explain a few things about a few concepts. One of these is machine identity, because we talk about the cloud, okay, and when you talk about the cloud, in the past we talked about passwords, right, users and passwords. So nowadays we have different things to integrate with the applications, like for example tokens, secrets, all types of things. When you talk about machine identity, basically it refers to those types of things. Okay. So we talk about the individuals, not exactly persons, but you have a human identity and a non-human identity. So when you
talk about the cloud, you talk about how you can integrate those types of things, like a service account, for example. This is another type of machine identity. What do I need to understand here, Felipe? Because when you talk about offensive security or defensive security, we need to understand how many identities you have and how you can protect these identities. One simple question to you guys: who here works with cloud? Cool. And the second question is, who here works with AWS? Okay, 83%, no. And who works here with Azure? Azure, right, from Microsoft, if they didn't change the name again. And the third one is, who works with Oracle
Cloud, OCI? Last question: Alibaba? No. Sometimes, yeah. This is why I ask you, because the idea of this conversation is how the attacker is using misconfiguration. I will share some examples from the AWS perspective, but you can apply the same concept to different cloud providers. Okay. So basically, just to finish this explanation about machine identities: it's everything related to, you know, when we cannot find anything about users and passwords. Okay, this is basically machine identity, as you can see: cloud, servers, applications, Kubernetes and whatever. So how do we see the management? So this is again the theoretical part, bush things, how this is correlated to this machine identity.
Basically, when you think about the defensive perspective, we need to look in those types of, let's say, balls, whatever. So secret management, privileged accounts, cloud entitlements, many things, and identity threat, many things about identity. Okay, let's talk about how the defensive side should work: discover things, governance, automation and secure, very many things here. It's about one single common type of subject; in the end of the day it's about permissions, and how you're allowed to do something in the cloud and not allowed to do something in the cloud. Okay, nice. Let's talk about another concept: high value target. This is very common from the offensive perspective.
Why? Because, so another question: who here works with red team or pentesting? So we are in a good room. So who works here on the defensive side? Who here works with nothing? Because, okay, there are people defensive, nothing, anyway. But when you talk about high value target, actually it comes from the military. This is the kind of terminology that comes from the military. I don't ask if anybody here works with the military, because this kind of example is good to share in other countries, not in the US, because you guys know everything about how the military works better than me. So basically, when you talk about high value targets, it's based on a person or
resource that the enemy commander requires to achieve the mission. Simple like this, just to summarize; this is not talking about technology, it's about the war or whatever. However, when you think about technology, we have this same kind of concept. Like for example, when you talk about the kill chain, the cyber kill chain, it's the strategy against your, you know, enemy, and when you talk about the cyber kill chain it's about the kind of steps you need to perform and execute when you try to achieve or you need to defend something. When you talk about the cloud again, we need to think that each person in the organization can be the high value target. Think with me: who in
the organization can be the high value target? And usually we think, okay, if this person, this is the person, you know, that exposes those identities or, you know, credentials or something like this, what is the impact? You need to think about that when you talk about the high value target in the cloud. So sometimes we think, okay, from the cloud perspective, or whatever organization that you work or worked at in the past, usually we think that's the C-level, board member, senior executive, all the important guys in the company. Usually we think this way. However, if you look more, we can see people with elevated privilege. What does that mean? So basically, let me explain, let me
clarify more things here. So who here in this room has a problem with the developers? Come on guys. Hey, come on. Sometimes. So that's the key: the problem is not the developer, it's based on, because some guys need to have access to VS Code, right, and the VS Code, you know, the VS Code application, requires elevated privilege. The problem is VS Code, not the guy that is using VS Code. However, how can I manage this on the laptop, on, you know, the device of the user? I need to give the high permission to this guy. The problem is not the... All right. The problem is the [ __ ] VS Code. I
can use [ __ ] or no? >> Yeah. >> It's not polite. I know. But >> like, okay. Anyway, but that's the key. So if you think about cloud, every person that has elevated privilege, that's the concept here, and the challenge when you think about, so in this case, what you are trying to explain to us, Felipe, is that every person that is working with a sensitive or high-stakes project can be a high value target. That's your explanation, and I am telling you, yes, you have a problem right now, because you need to manage this high value target, because in the past, when you talk about offensive security, when you see, for example, in the past, when you
talk about just the on-premises environment, just the Active Directory was the high value target. However, now you have more than just Active Directory: you have a bunch of users, a bunch of developers, and you need to give high privilege to these guys. That's the challenge here. So the second concept, attack vector. It's simple: basically it is the methodology used, or the method used, by the attacker to compromise the system, the organization or something. Not to be confused with the attack surface. When you think about this room here, we have many windows, doors; the attack surface is basically the wall. I know that's not a technical example, but if you're not a technical guy you will understand me: the windows and
different doors here are different ways that you can go inside this room. This is the attack surface, and basically the attack vector is the entry point when you go inside this room. Let's suppose, when you talk about an organization, it's like this. If you work with cloud, probably you have many applications open to the internet. So this is a kind of surface that you have open, and you need to find what is the vector to go inside. It can be like exploring a misconfiguration, but you need to have the secrets and key to go inside, or maybe it's some vulnerability in the application that can go inside the organization. Okay. So these are
different types of things, and usually a very well-known attack vector is malware, malicious software, or even ransomware that encrypts your environment and requests a payment, or phishing. Phishing is a kind of technique, not exactly a vector, but it's a vector sometimes, but you understand me. And the main point in this conversation is human error. Human error, not developer error. Come on guys, it's just human, okay? I know that sometimes it's easier to see the developer, but anyway, it's like a demon that can create this possibility for the attacker. What kind of vector, Felipe? Weak credentials, usually we can see this; poor encryption; misconfigurations, the main topic in this talk. All those types of
things allow the attacker, or even the penetration tester or the red teamer, to go inside and escalate privilege. Okay, another concept: attack path. And this is basically the visualization chain, okay, the graph way that you can see how the attack vectors can exploit the environment. Okay, I know this is not a map here, but this picture is from OWASP. Basically you have the threat agent on the left side, your left side here, okay, and you see the attack vector, you have the security weakness that you can explore, bypass the security controls, have an impact and business impact. Just to summarize those types of things, to understand every type of concept here. Okay, I know that here,
as you can see, it's not the graphic, but just to see how the attacker can go inside the organization. Okay. And the last concept is the choke point. Okay. The choke point basically is the strategic location where multiple attack vectors converge. Okay. That's the word that I would like to put in your head: converge. Why? Because from the attacker's perspective, when they go inside the organization, mainly in the cloud, if you work with multi-cloud environments. So basically when the attacker goes inside, remember the entry point, the vector, when they go inside, the attacker can have multiple attack paths, but there are common paths, called choke points, where attacks converge. Got it? So that's the
other concept here. This is a simple example that I'm using here, Cartography. This is an open source project; I will share more information, but basically here, in the orange color over there, as you can see, five users, and the other in the green, in the green circle over there, you can see this is the group that they are part of. It means that if I disable that policy, that group policy, I will stop the attack here. This is the convergence of different, because we have different users and those users are part of the other policy group. Okay. So because of that, the converge moment of multiple attacks happens over
there. Okay. Okay. This is the [ __ ] part. So now let's talk more. Ah, this is another [ __ ] part. Okay. Go fast here. Challenges in the cloud. Probably you know about 90%, many breaches in the cloud, and this, I don't know if you know that, but this is interesting. In AWS you have more than 18,000 permissions. You know that? Who knew that? Nice, one person. You see, that's important. It's not too [ __ ] but it's important. In Azure you have more than 20,000 permissions. Did you imagine how many possibilities the attacker has to go inside the environment? Yeah, that's, it's good for us,
actually, when we know this; it means that we have work to do. Okay, because of this type of thing. And in GCP you have more than 11,000 possibilities, because when you talk about the actions, it means that for each person you can add these actions, and based on these actions it can bring you some information. Okay, another challenge is a large attack surface, many permissions on identity, lack of, oh, this is a big problem here, lack of visibility. This is because how can you protect your environment if you don't have any visibility? That's it. Increased complexity, and the last one is loss of control. Okay, as I said, many developers, DevOps team,
database team, cloud team, those guys need to have the high permission. Remember when I talked about the high value target? So those guys can be a high value target, who has, or each team has, privileged access. It depends on the application. Okay. But my financial team and my HR team don't have any, they don't need any privilege, but they use like the SP program or SAP program, and this [ __ ] program requires administrator access. Again, that's the problem: it's the program, not the user. C-level, I'm not sure why C-level needs to have access in the cloud, but they need it. Who in this room here works with
marketing? Oh Jesus, I need to stop my talk here. Why does marketing need to have access? Actually I'm kidding, because the marketing team sometimes, you know, organizes a kind of advertisement, you know, program or something like this. They have a guy or lady inside of this team responsible for running the Lambda, you know, code in AWS. They are running this Lambda code, very nice, you know, infrastructure as code, super technology, but for this service they need to create a user, and this user needs to have the permissions, and based on this permission they need to have the keys and secrets, and if the guy doesn't delete that, this is an open door. And that's the challenge: again,
it's not a problem of marketing, it's about the person responsible for applying the permission for this guy. Remote workers, inside threat, this type of challenge. Okay, cool. Let's talk more about this expert part. Thank God for that. But anyway, this is just a part just to explain, to put everybody on the same page about AWS. Okay, if you work with AWS, good, you know that. But for those here that don't know anything about AWS, I'm just explaining what AWS IAM is. It's basically the service responsible for managing everything in AWS, responsible for centralizing the permissions, and it is responsible for who is authenticated and who is
authorized to go inside. Okay, nice. When I need to create some policy in AWS, I need to look at this specific thing. Okay, we can see here how I can create this information. I have a version and I have a statement. Basically, the statement is a bunch of rules that I can put inside of this JSON file. I can do this in the UX, the user interface, or I can do this in a JSON file, or I can use a template like CloudFormation and it can create a policy for me. Okay, basically the important thing that I need to know here is the effect, here, as you can see,
because it allows me or denies me to do something, and the other important thing is the action, that includes a bunch of, a list of permissions or the actions that I can do or I cannot do in the cloud. Okay. And the resource here is what is the ARN, the AWS resource name. Okay. Basically, how can I build this? Again, I can use the web application or I can use the JSON file. And here is one simple, single example of how I can create this specific policy in AWS. As you can see here, this is version one of the IAM read-only access, and if you see here, take a look, I have the effect here; the effect
allows me. If you see here, this is the statement, as I said to you a few seconds ago. So, and I have here the action: iam is the service and I can list everything based on this asterisk. And I have a question to you guys. This specific policy is safe or not safe? >> Not safe. >> Who thinks it's not safe? Who thinks this can be safe? Nice. I like it. One hand. Who thinks nothing? >> Hey, come on. That's true. Exactly. So, I like this answer. I like to answer this question, because this is a real 'it depends'. Why does it depend? It depends who received this policy. Because if you are a guy
responsible for managing the CSPM tools, CSPM meaning Cloud Security Posture Management, this type of tool requires this permission from one single user. So you need to have, this is a more safe permission to integrate this kind of environment. Basically, do you integrate this tool? This tool, you run the discovery in your environment, it brings some recommendations to you, like another one, cloud entitlements, the same way. So it requires these permissions. We cannot do the integration if we don't have this integration. How do you prefer to integrate: using this permission, or do you prefer to integrate using administrator access? This one, definitely this one. However, if you are a guy that works with, let's suppose, the financial team, and you have this
permission, that's bad. Totally bad, because you can list all users, you can list all policies, you can list all groups. It is totally bad. So because of that, it really depends on what is your position in your organization, what kind of, you know, task you need to do and what kind of activity you need to do. Why does it depend? Because inside this specific service here, IAM, there are a bunch of actions. I will explain more one single one, but really the good answer is 'it depends', but it can be totally bad, but sometimes it can be necessary. Okay. So think with me how, from the attacker's perspective, I can go inside the cloud environment. So from the AWS
perspective, there is one way that you can go inside. Basically you can go here, for example, type aws, AWS IAM connect, or configure, I think, if I'm not wrong. Yeah, I'm wrong. AWS IAM configure. No, >> configure, aws configure. >> Yeah, I think you are right. Yeah, because I'm just thinking about IAM. Yeah, what does it mean? Basically, so if you see there, I just need to have the AWS access key ID. Of course, I have one specific thing here. And if I type enter again, I have the secret. This is the second piece of information required to connect with AWS. And if I type enter here, they request the region from me.
Okay, if you see that, the default region is just the east region, the first one, and how can you check the other types of regions if you don't know the name? Because I can type here, for example, 'felipe' is not a region of AWS, of course, but how do I know other regions? I just need to go to the AWS website and it can bring me how many regions there are, and I can just type it in. From the offensive perspective, the red team perspective, that's how they can enumerate things. The second one, just click enter; the default output, I can put none, and that's it. I just need four pieces of information to go inside, and after that I can go aws iam list-users
and I can type enter, right? But if I type enter you see my users, not for you guys, anyway. So if you see there, I just need two pieces of information, right? Secret and key. So based on that I thought, okay, how can I get this? It's simple like this. I just created a simple [ __ ] Python code, as you can see there. There is a specific token here that I can copy and paste here, the GitLab, or GitLab or GitHub. I will do, basically, here a crawler, creating a crawler to execute for discovery, or to find new things. What kind of new things? Basically this simple AWS key and secret, those two
pieces of information that we need, right? And of course I put in here to, you know, get some GCP APIs, OCIs and generic keys, and once I have this, I just, this is the complete code. I will put it in my GitHub, by the way; I need to put it in after the event. I will put it there, if you can use it for educational purposes, okay guys? And we just can put there, you can put in your API there, your GitHub, GitLab, GitHub, and after that you can execute it in your test environment, let's say, and you can try to find more AWS keys, secrets, GCP, and once you have this you can go to AWS, you can
configure, if you find secret and key, copy and paste, and based on that you can start to do something, okay: list users, list group policy, list permissions. Because when you go inside, the first command that you do, basically, usually from the offensive perspective, you type iam list-users, okay, and if you see here, this is the error that happened here: access denied. If you see here, why did this answer come to me? Because I don't have permission to access the list of users in AWS. This specific information doesn't mean that, you know, I was blocked; it just means that I was denied access to something. Okay. The second,
the second command that I did here was list-policies. Why? Because when you talk about AWS you have two possibilities. One is standard policy. The second one is custom policy. So basically when I type this, I'm trying to figure out how many standard policies are applied to these specific keys and secrets, and custom policies. Okay. And the other one is list-groups, basically commands just to figure out what is the impact against these secrets and these keys. Okay, based on that I can find many things. Of course, this is a manual process. Because of this, the company pays for the CSPM tools, cloud entitlement tools and many other security tools, because they would like to have visibility. Remember one of
the problems or challenges that we have in cloud: we don't have any visibility. So that's one problem. Okay. So now let me explain more about impact in the cloud. So basically this is how IAM works, okay, the identity and access management works in the cloud. If you see here, I decided to create one single new policy version. Okay? And I create a new custom policy. So if you see here, this is the way that AWS divided this access level. One is list, the second one is read; one is list, another one is read, right? So maybe you think, okay, list is not too dangerous because it's just listing information, and read, again it depends, but just not too dangerous
because I cannot create new things, I just can read and/or list. And there are others; it means tagging and permission management. So let me give you an example of what is the impact of one single action. So if you see here, inside of the permission management there are a bunch of actions here, like attach group policy, create policy, delete group policy, and the difference here is I am just creating one single policy, okay, using this create policy version, and I've explained the impact of this one single action. If you see here, so when I need to configure something, usually I press this button here, all permission management actions, apply mainly. If you go to AWS, it's going this way, for
example, okay, I need to enable one permission for the user and they will start a new EC2. You know EC2 is an instance responsible for running like a virtual machine, okay, in the cloud. But the services in AWS, you need to attach the hard disk here, they call it another service, and those types of things work together to run the application. Okay. So if you don't know about cybersecurity, what do you do? Usually you go to AWS and when you go to the permissions, they have a specific permission called EC2 boundary permission or whatever permission, whatever name. What do you think is easier to do? Just to enable these EC2 permissions, and that's
it. Why? Because this is a recommendation from AWS; it can be not wrong, because AWS understands that they created this policy for running EC2, right? But the idea of this talk is to share with you the impact of each one of these checkboxes inside of these standard policies. Okay. So once I create this, I put in this, I create this new policy here, as you can see: create policy version. This is my, I don't know why I put in this, because it's just a lab demo. Anyway, yeah, I'm stupid. Okay. And this is the policy that I created. If you see here, there is one single action, create policy version. That's it. No more checkboxes
enabled. Only create policy version. And once I have this, I go to Google or whatever and I ask, okay, how can I create full access in the cloud? And they suggest me this specific JSON file, and because I am a noob, what I did, I just copy and paste the code, this code, and I put it in there, okay, and I create this and I call it hacker exploitation, because it's a nice name, anyway. And after that I go to AWS or Google again and ask how I can create it using a CLI-like command, because I don't know. I just need to put aws iam create-policy-version, because AWS recommends it to me, and
I need to set the policy ARN that I created, that I call PC attack module, and I need to set here the policy document, the file, and if you see here, it is the attacker exploitation.json, and take a look at this flag here: set as default. Yeah, I like this, because I had this one here. Okay. And now I have this one here. So what is the impact here? A lot. I like the last one, a lot. And not only this, but let me explain more one single small [ __ ] thing here. So in AWS you can work on a single account, multiple accounts, or you can work in a second level or higher
level called the organization level, right? So if it's a big company, usually you have an organization level and you have many accounts behind this organization level, right? So what I did here is to escalate from one single account to the organization level. So you see the impact of this specific thing; it's not a zero-day. Okay, as I'm talking about misconfiguration, and it happens every day, because I go to AWS and I enable the EC2 standard policy, or if it requires administrator access, I go to administrator access and I set that. But I need to look at each action and the impact here. That's the problem, that's my main goal here for you
guys. So tomorrow, when you go to your company, if you work with defensive, with cloud, my goal for you is to check, you need to check those types of things. I don't need, after this talk, so this talk is a [ __ ] talk, no, doesn't work for me. It works if you go tomorrow and you can fix your problem in your company. That's my main goal here, okay? You need to check the things, because this is the impact here, real impact, because it not only elevates the privilege at the user level, but it will elevate at the organization level. You know that is a big problem here, okay? It's not a zero-day, guys, it's
just a misconfiguration. And let me do a last question here: who in this room knows about the AWS Well-Architected Framework? AWS Well-Architected, please. Okay, two or three people. So this is basically the guidance from AWS, not from me, from AWS, on how you can implement AWS, you know, in a good way, the architecture, and they have inside of this framework a kind of security levels, they call you to the least privilege concept and so on and so forth. So if you see here, most of this room works with AWS; however, four guys know about that. You know how this is, it's not the developer's problem, it's my problem in the end of the day. It's my problem. So
how can I, I'm trying to be humble. I try to give guidance to some guys in the security lab, in the security field, and they ask me, Felipe, how can I improve my career? So let's go to the basics. I don't like to read manuals. I don't like to read manuals. I don't know if you like, but I don't like. My wife asked me, how many books did you read this year? Oh, don't [ __ ] ask me this question. I don't have any idea. And my daughter comes to me: I read 10 books in the last two months. [ __ ] you. I like to watch TV, talk with my kids, read books, but
man, it's necessary. Of course, I'm kidding here. Actually, I don't read books. No, I'm kidding. I actually have seven books here, packing my table, and my wife told me, I will pick these books and put them behind, all the, you know, in the kitchen, just to help in the whatever, because you don't read these books. And I said to her, I will read, I promise you, I don't know what kind of year, but I will read. But the key is, we need to read, not the book, but we need to look at those bases, you know, like Well-Architected is the basis about AWS. If I need to configure this
environment, I need to read the least privilege. I made a similar talk in Austria last year, and one guy in the middle of the room put his hands up and said, "But you don't see the least privilege in your architecture." No, that's the problem. And the guy looked at me, yeah, but I read that. That's good for you, you are doing a good job, but the main goal here is to share this impact here. That's the key. And okay, so now I have all this information just to share with you. So now I can read the list users, I can list policies, but maybe you are thinking, okay, Felipe, I'm just
creating one policy, it's not too dangerous, because I can list users and I can list some kind of policy; what kind of impact can it be? If you read the AWS ctor, or if you ask Google or whatever about how many AWS standard policies have high privilege, then it brings you the name of the standard policy. You don't need to know about it, you know, deeply; you just need to ask the right questions to the AI, simple like this, because now when I say Google it's Gemini or whatever, okay, or ChatGPT, whatever. Just ask the right questions and it will bring you: okay, this is the standard policy that has high privilege. So after
I know that how many policies has high privilege I just need to type okay let me change for this policy for this one let me explain better okay this is one I will explain better the example that I I was talking this is one tool that you can use for example to bring the visibility ctography if you can took a p if you can take a picture that's very nice here they bring this information to you basically how you can you know see about the for example AWS principle they call like a statement here and uh here they will bring you this is the name of the the the tool okay ctography basically and you can see
how many has how many user has this am create policy okay but you share with us about the create policy version of course there are two different actions here one is create policy and the second one is create policy version but in the end of the the the the command line if you Remember I putting set as a default. When you think about the hierarchic set as a default is better because you set has a default. It depends of the the the the common that you you set when you put this as a default that you putting in first place. Okay. So this is one way that you can see and the second one is
awspx. Let me go to my virtual machine here; it's better for explaining these types of things. So here is awspx, and I'm connected here in my virtual machine. Cross your fingers for the lords of the demo. Let's see what happens here, from somewhere to whatever they have here, the kind of high-value target here, the effective admin. Let me put it in here just to explain to you. Here we can see... do you need glasses, or is it just me? >> Okay. Okay. But we have here a user like me, Felipe. This is one user. This is Bu, I promise you this is Bu. Can you see better? Oh no. Okay. Anyway, you can see Bu, and this is a group, user-default. So think with me. Okay. When I go inside a company, when I start hiring, when you hire someone, you know, the new hire, for example, they go inside the company, like the new developer or the new cloud guy or whatever. Usually when you add this user in AWS, you need to set some kind of permissions. It's easier to put them in, like, "Okay, let me put them in the group with not a bunch of permissions, just a single permission, just to manage a few things." So I created this lab here and I put in a user-default group. Okay. And the second one here is the permission, the policy permissions, iam-demo. Another here is user-support; this is another one here, Anna, the name of my wife, always doing [ __ ] things, and just a single one, for example. And here is another permission group, to-lab, and AdministratorAccess. If you see here, this is a standard from AWS. Okay, AdministratorAccess, this is very standard. And if you see below AdministratorAccess, another default, because I created it based on the default. And if you see here below again, okay, I know I can fix this. Ah, nice. I have a guy here, the CFO, an important guy because they will pay our salary, and administrator, CEO, business manager and Thor. Okay. So if you see here, there are a bunch of users behind this AdministratorAccess. And take a look at this. If I click here and I try to see, for example, the bottom right, I can see the inbound actions. So if I click here I can see how many, oops, how many actions I have. And this user here, Thor, this user is part of the support users, and is part of IAMReadOnlyAccess, remember that I showed you in the beginning, and they are part of iam-demo and the thor one. So if you see here, for each of those permissions there are a bunch of actions here. Here it's just six, here 15 and here 47. The 47 is just thor, which is a custom policy here. Did you get it? Okay. Double click. I like this. And I like this. Wow.
Okay, I'll try to help you read it. Okay. Okay guys, let me see here what we can do. So there are a bunch of actions here. You see the impact for each standard thing here. So basically here, one of these is AttachUserPolicy. So let's suppose that this user just has one single action. If this action is AttachUserPolicy, what does that mean? Permissions? >> You can give yourself more permissions. >> But how do I know what kind of permission it sets? I just go to Gemini and ask how many standard policies AWS has, and it will bring the names, and based on that I can attach a new policy. So you can do this test in your company if you want: just create one user and name it test, or, test is too common, put another name like lab or another common name, whatever name you want, just put in the name and create a new custom policy, and based on that you can try to do this specific attack if you want. You see the impact: if you can escalate privilege, you escalate privilege. "So basically, Felipe, you are telling us that I need to check all the actions in my environment?" Yes. "[ __ ], but I don't have time to do this." I know, I have twins as well. Yeah, I have twins, I have four kids. I'm crazy. Four kids, registered, by the way, in my mind. No, I'm kidding. Anyway, but you see, I know that's a challenge, I know that's difficult, but you need to think in this way: "Okay, it's difficult for me, I can't do the same thing for everything," but you can take ownership of your job, and it will be good for you, for your job, for your career. That's it. Because if you improve your knowledge, you do the best thing in your job. Of course your manager will see that and can give you the promotion. So basically this is the impact. So okay, this guy is part of the to-lab. Let me see another guy here, not too dangerous a guy. Let's see, there's one here, but whatever. CEO, this is another guy here. Oh, come on, a bunch of actions here as well. Why is the CEO part of the superusers? Did you see that? So why is the CEO part of this permission group? You see, this is not only the lab; you see, that's a reflection of real life. Maybe in your companies, maybe your company is safe and not real life, but in my company, let's say my lab, in my company... but anyway. So this is how you can fix it. If you think, "Okay, how can I fix this, Felipe? Because you brought the problem, how can I fix this?" So I give
an example here
of what I did here. Maybe I was hacked. Ah, okay. Sorry. Sometimes I present something about malware, and when I do this kind of [ __ ] thing people think, "You are infected with the malware." Yeah. But anyway, so you can use Cartography here. Basically, the challenge here is you need to know more about the Cypher query language. If you know about the Neo4j database here, you can do this with open source; you can do this yourself. It's a very nice opportunity to increase your knowledge about how you can see the actions. This is one way that you can fix this. Another one is awspx. However, with awspx the challenge here is just that it specifically works with AWS only. If I go back here to Cartography, I can put in here, for example, Cartography. You can see here the page, you can read the documentation, and they work in this way. But the nice thing here with Cartography, basically, is they not only work with AWS, but you can integrate with different other cloud providers. As you can see here, AWS. Not too easy to see, anyway, let me put it... can you read it better here? Okay, you can use it not only for identity and access management, but you can integrate with other connectors, as you can see. Because guys, the cloud solutions, from the security perspective, like Wiz, like you have another bunch here, very nice by the way, are based on connectors. It's the same case when you think about BloodHound: we have a connector that integrates with your Active Directory and then brings this information to you in graph mode. So basically those types of tools that work with attack paths are based on the same idea. Okay. But the interesting thing here is you can integrate with AWS, GCP, Oracle, Okta and so on and so forth. Okay. And again, awspx basically is quite different because we have a limitation in this case, "limitation" in quotes, because they work with AWS only, not with other cloud providers. That's the challenge for awspx. So again, you have a connector that you need to run to perform this discovery and ingest your environment. They will bring this information that I showed you to you. Okay. And my company, and me in this case, I developed this product that can help you, again, that can help you bring this information. I don't have time to do the complete demo, but I just share with you some screenshots just to show this is the way that I can see it. Basically they will bring this information to you, but for me mainly it's the access path view. You don't need to know anything about Neo4j or something like this. You can use your private mail if you want, you can just go to the web page here, it's cloud docura do app here, and again it's the free version of the product. You can integrate your environment. I'm connected; let me just log out here. What you need to do is go to register here below, and you can use it, again, register for free, you don't have any limitations, okay, you can just put your private mail if you want. And once you have connected, you have the access environment; you have, by the way, the sandbox mode, which means that all that data is populated; you don't need to integrate with anything. If you want to use it with your master's degree or college, you can use it as well, it's no problem. And they will bring this information in a graph way: how each user has the access path. They bring the attack path; this is the feature that I developed, basically. So here is the explanation of how, for example, the attack path works. They need to have this specifically; this specific attack is called the attach user attack: how you can figure out in your environment how many users you have in your environment that can suffer this specific attack. Okay. And these are the requirements. This is the impact, basically. And you can see the view about cloud health if you have a multi-cloud environment. Okay. And we have our AI that recommends some code for how you can create your CloudFormation. But this is just for the demo; in this case the AI, okay, is nice to have in the production environment. Okay. We need to have, basically, the community using this tool so that we can convince my CTO that we can open it up for the community, basically. But I think we'll get there. Okay. And that's it, guys. I finish here and I just say thank you for being here with me during these few minutes, and I hope to have something more helpful for you to apply in your
job tomorrow. And here is my list of contacts: the blog that I talked to you about, with the kind of investigations that the threat labs do, and my contacts on social media if you want to post something and tag me. And I don't recommend scanning the QR code because, you know, it's not safe, but if you... I'm kidding. Okay, I finish here. Thank you so much again. >> Thank you. >> Bring me up. Thank you. We do have time for a couple of questions. By the way, if we didn't say it before, lunch is actually free. We're paying for your lunch today. So, yes. Awesome. So, do we have any questions for Felipe before we break for lunch? We got one back over here. Yep. >> Come on, sir. No difficult questions, please. >> Hold on. Hold on. I'll give you the mic. >> Be kind. Be kind. Please. >> Is this like an agentless GraphRunner or Azure cloud SharpHound type? >> Good question. It's just a connector. Basically, it's a SaaS solution. Like, you're asking me about what kind of product: I shared three. So, Cartography: you just need to install Docker if you want, in a virtual machine, on a Docker environment that has the ingestor, because this ingestor is responsible for running the discovery in the cloud; you receive it in your database and you ingest this in the platform. awspx works in the same way, you ingest inside of it. And for the other tool, the one my company developed, it's a SaaS platform; you just need to have the user, the same as you have for Wiz or other tools, with just read-only access. It's supposed to be read-only access, okay, but for us it's just read-only access. If you create a custom policy it doesn't work; you need to use the, like... because we had a kind of problem with some people, you know, creating AdministratorAccess: "Okay, I have this AdministratorAccess because there are a bunch of permissions in the list," but no, we don't want AdministratorAccess, just the read-only, because that's all the information we need. Any other questions, guys?
>> That was a good question, an easy question. Thank you, sir. >> Yeah, quick question: do the tools take into account AWS guardrails, if you have those in place? >> Sorry, I didn't understand the question. >> AWS guardrails. Those can help prevent misconfiguration. So I'm wondering if the tools take that into account. >> Okay, good question. So if I understand correctly, there is not only AWS, but if you see in GCP or OCI and other cloud providers, there are a bunch of tools that can bring you some information about the misconfigurations mainly, and usually they bring this information for, for example, the kind of actions that you can... mainly not the IAM services, but for example an S3 bucket exposed to the internet. They can bring this information to you, like, "Your S3 bucket is exposed to the internet," and based on this exposure they can bring you some recommendations based on a specific framework like NIST, HIPAA, PCI DSS and others. But usually this kind of service is paid; you need to pay for it. And if your company pays for it, good, let's go. If they don't pay for it, you need to manage it another way. Another way is to buy some tools like Wiz or Octa, Octa or whatever. Or you can use the open source ones if you have your hands tied.
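The check the talk keeps coming back to, "look at every action each user ends up with and ask whether one of them lets the user grant itself more," as an added example that is not part of the talk and is not code from Cartography, awspx or the speaker's product: a small Python script that walks each user's directly attached and group-inherited policy documents and flags the IAM actions that permit self-escalation (AttachUserPolicy, CreatePolicyVersion and a few neighbours), honouring IAM's explicit-Deny-wins rule. The users, groups and policy documents are constructed for this example; the names borrow the lab shown on screen (thor, bu, anna, ceo, user-default, support-users) but the documents themselves are made up, and the escalation list is a selection rather than a complete catalogue. Resource and Condition elements are deliberately ignored, so a scoped Allow is still reported for a human to review.

```python
"""Flag IAM users whose effective policies allow privilege-escalation actions.

Added example accompanying the talk above; not code from Cartography, awspx
or the speaker's product. Every user, group and policy document below is
constructed for illustration.
"""
import fnmatch

# A selection of IAM actions that let a principal give itself (or a group or
# role it can use) more permissions. Not exhaustive; extend as needed.
ESCALATION_ACTIONS = {
    "iam:AttachUserPolicy": "attach a managed policy such as AdministratorAccess to a user",
    "iam:AttachGroupPolicy": "attach a managed policy to a group the principal belongs to",
    "iam:AttachRolePolicy": "attach a managed policy to a role the principal can assume",
    "iam:PutUserPolicy": "write an arbitrary inline policy on a user",
    "iam:CreatePolicyVersion": "push a new version of an existing policy (with --set-as-default)",
    "iam:SetDefaultPolicyVersion": "switch an existing policy to a more permissive stored version",
}

# Constructed policy documents (names borrow the talk's lab; contents are made up).
POLICIES = {
    "IAMReadOnlyAccess": {"Statement": [
        {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"}]},
    "AdministratorAccess": {"Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "SupportUsersPolicy": {"Statement": [
        {"Effect": "Allow", "Action": ["iam:Attach*", "iam:ListUsers"], "Resource": "*"}]},
    "ThorCustomPolicy": {"Statement": [
        {"Effect": "Allow",
         "Action": ["s3:*", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion"],
         "Resource": "*"}]},
    "DenyIamWrites": {"Statement": [
        {"Effect": "Deny", "Action": "iam:Attach*", "Resource": "*"}]},
}
GROUPS = {
    "user-default": ["IAMReadOnlyAccess"],
    "support-users": ["SupportUsersPolicy"],
    "administrators": ["AdministratorAccess"],
}
USERS = {
    "bu": {"groups": ["user-default"], "policies": []},
    "thor": {"groups": ["support-users"], "policies": ["ThorCustomPolicy", "IAMReadOnlyAccess"]},
    "anna": {"groups": ["support-users"], "policies": ["DenyIamWrites"]},
    "ceo": {"groups": ["administrators"], "policies": []},
}


def _as_list(value):
    """IAM accepts a string or a list for Statement and Action; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action matching is case-insensitive; '*' and '?' are the wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allowed_actions(policy_docs, candidates=ESCALATION_ACTIONS):
    """Return the candidate actions that the combined documents allow.

    Follows IAM's rule that an explicit Deny beats any Allow. Resource and
    Condition are ignored on purpose: an Allow scoped to the caller's own user
    ARN is still an escalation path, so it is flagged for review rather than
    silently dropped. NotAction statements are not modelled.
    """
    allowed, denied = set(), set()
    for doc in policy_docs:
        for stmt in _as_list(doc.get("Statement")):
            effect = stmt.get("Effect")
            if effect not in ("Allow", "Deny"):
                continue
            bucket = allowed if effect == "Allow" else denied
            for pattern in _as_list(stmt.get("Action")):
                bucket.update(a for a in candidates if _matches(pattern, a))
    return allowed - denied


def find_escalation_paths(users, groups, policies):
    """Map each user to the escalation actions reachable via direct or group policies."""
    findings = {}
    for name, user in users.items():
        names = list(user.get("policies", []))
        for group in user.get("groups", []):
            names.extend(groups[group])
        hits = allowed_actions(policies[p] for p in names)
        if hits:
            findings[name] = sorted(hits)
    return findings


if __name__ == "__main__":
    for user, actions in find_escalation_paths(USERS, GROUPS, POLICIES).items():
        print(f"{user}:")
        for action in actions:
            print(f"  {action}: {ESCALATION_ACTIONS[action]}")
```

Run against the constructed data, `thor` is reported for the five actions he reaches through `iam:Attach*` in the support-users group plus his custom policy, `ceo` for all of them via `AdministratorAccess`, while `bu` (read-only) and `anna` (whose direct Deny cancels the group's Allow) produce nothing. In a real account the same evaluator would take the documents returned by `aws iam get-policy-version` and the user and group listings, which is exactly the read-only access the talk says an ingestor should be given.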