
Cloud Village is an open space to meet folks interested in offensive and defensive aspects of cloud security.


Hosted for DEF CON 29 at: Virtual

Cloud Village CTF

Cloud Village CTF @DEF CON 29: Virtual

CTF start - 11:00 AM Pacific August 6th 2021

CTF close - 12:15 PM Pacific August 8th 2021

Registrations Open - 7:00 AM Pacific August 6th 2021

CTF Site - https://ctf.cloud-village.org

CTF Winners announcement - During the closing keynote at 13:05 PM Pacific August 8th 2021

If you ever wanted to break stuff on the cloud, or if you like rabbit holes that take you places you did not think you would go to, or like following complicated story lines only to find you could have reached the flag without scratching your head so much - then this CTF is for you!

Our CTF is a three-day jeopardy-style contest where we have a bunch of challenges hosted across multiple cloud providers and across multiple categories of difficulty.

You can register as teams or go solo, use hints or stay away from them, in the end it will be all for glory or nothing. Plus the prizes. Did we not mention the prizes? :D

See you on the other side!

Please submit CTF write-ups here at


Cloud village is an open space to meet folks interested in offensive and defensive aspects of cloud security. The village is home to various activities like talks, workshops, CTFs and discussions targeted around cloud services.

If you are a professional who is looking to gain knowledge on securely maintaining the cloud stack and loves to be around like-minded security folks who share the similar zeal towards the community, Cloud Village is the perfect place for you.

Crew Members:

CFP Review Panel (DEFCON 29):

Cloud CTF

Cloud Village CTF @DEF CON 29: http://ctf.cloud-village.org

CTF start time - 11:00 AM Pacific August 6th 2021

CTF close time - 12:15 PM Pacific August 8th 2021

Our CTF is a three-day jeopardy-style contest where we will create a bunch of challenges in multiple categories, all related to cloud services.

Teams and individuals gain points (or lose points on using hints) on solving each challenge. The teams or individuals who gain the most points get the winning rewards.

CTF winners @DEF CON 29

Team Name Members











Work From Cloud





CTF stats @DEF CON 29

Teams registered - 268

Users registered - 397

Challenges - 11

Correct submissions - 321

Wrong submissions - 267

Most solves - "Full of malice, Alice!" with 19 solves.

Least solves - "The German Born American Patriot!" with 2 solves.

Schedule (DEF CON 29)

10:00 - 10:15 PDT

Opening Keynote

10:15 - 11:00 PDT

Rod Soto - Detection Challenges in Cloud Connected Credential Abuse Attacks

11:00 - 11:45 PDT

Alexandre Sieira & Leonardo Viveiros - The Fault in Our Stars - Attack vectors for APIs using AWS API Gateway Lambda Authorizers

11:45 - 12:05 PDT

Cassandra Young - Exploiting the O365 Duo 2FA Misconfiguration

12:05 - 12:50 PDT

Mazin Ahmed - Attacking Modern Environments Series: Attack Vectors on Terraform Environments

12:50 - 13:20 PDT

Madhu Akula - Kubernetes Goat - Kubernetes Security Learning

13:20 - 14:05 PDT

Felipe Pr0teus - Hunting for AWS Exposed Resources

14:05 - 14:35 PDT

Yuval Avrahami - WhoC - Peeking under the hood of CaaS offerings

14:35 - 17:00 PDT

Magno Logan - Kubernetes Security 101: Best Practices to Secure your Cluster

10:00 - 10:45 PDT

Karl Fosaaen - Extracting all the Azure Passwords

10:45 - 11:30 PDT

Daniel Prizmant - Windows Server Containers are Broken - Here's How You Can Break Out

11:30 - 12:15 PDT

Kavisha Sheth - AWS cloud attack vectors and security controls

12:15 - 12:45 PDT

Mohammed Aldoub - Using Barq to perform AWS Post-Exploitation Actions

12:45 - 13:30 PDT

Avinash Jain - Shift Left Using Cloud: Implementing baseline security into your deployment lifecycle

13:30 - 13:50 PDT

Rodrigo Montoro - CSPM2CloudTrail - Extending CSPM Tools with (Near) Real-Time Detection Signatures

13:50 - 14:35 PDT

Batuhan Sancak - Azure Active Directory Hacking Wars

14:35 - 17:00 PDT

Wes Lambert - Onions In the Cloud Make the CISO Proud

10:00 - 10:45 PDT

Michael Raggo - Identifying toxic combinations of permissions in your cloud infrastructure

10:45 - 11:15 PDT

Igal Flegmann - I know who has access to my cloud, do you?

11:15 - 12:00 PDT

Joshua - Understanding common Google Cloud misconfiguration using GCP Goat

12:00 - 12:20 PDT

Kevin Chen - PK-WHY

12:20 - 13:05 PDT

Rami McCarthy - Cloud Security Orienteering

13:05 - 13:20 PDT

Closing Keynote

Talks (DEF CON 29)

Speaker: Rod Soto

Twitter: @rodsoto


With the widespread adoption of cloud technologies, many companies are now managing environments where the line between the perimeter and the internet is blurred. This presentation outlines the challenges defenders face in the light of the implementation of new technologies that enable users to operate seamlessly between the cloud and the perimeter. A “converged” perimeter brings new attacks such as Golden SAML, Pass The SAML, OAuth Token Hijacking which are some of the manifestations of current and future challenges in these types of environments. Presenters will propose a new approach based on current attack research and new defense posture, with specific detections developed to address these new threats.

Over 15 years of experience in information technology and security. He has spoken at ISSA, ISC2, OWASP, DEFCON, RSA Conference, Hackmiami, DerbyCon, Splunk .CONF, Black Hat, BSides, Underground Economy and also been featured in Rolling Stone Magazine, Pentest Magazine, Univision, BBC, Forbes, VICE, Fox News and CNN. Co-founder of Hackmiami, Pacific Hackers Meetups and Conferences. Co-founder of Pacific Hackers Association.

Speaker: Alexandre Sieira

Twitter: @AlexandreSieira

Speaker: Leonardo Viveiros

Twitter: @LeonardoViveiro


"Serverless applications are a really interesting new trend that promises benefits such as increased scalability and reduced cost. Frameworks like Serverless Application Model (SAM) and Serverless Framework are increasingly used to build them. APIs are a natural part of serverless applications, and in AWS that typically is implemented using the AWS API Gateway backed by Lambdas that implement the actual API endpoint logic. Our research focused on API Gateway Lambda Authorizers. This is a feature that allows developers to use a custom authentication and authorization scheme that uses a bearer token authentication strategy (like JWTs, OAuth or SAML), or that uses request parameters to determine the caller's identity and enforce which API endpoints they are allowed to access. We will present (AFAIK novel) techniques to attack the authentication and authorization of APIs that use Lambda Authorizers. We show how IAM policy injection is possible in theory but highly unlikely in practice due to some good decisions by AWS. We also show a class of problems based on incorrect security assumptions baked into AWS' own documentation and Lambda Authorizer open source code templates. Sample source code will be provided to demonstrate all techniques."

Alexandre Sieira is a successful information security entrepreneur with a global footprint since 2003. He began his security career as a Co-Founder and CTO of CIPHER, an international security consulting and MSSP from Brazil acquired in 2018 by Prosegur. In 2015, became Co-Founder and CTO of Niddel, a bootstrapped security analytics SaaS startup running entirely on the cloud, which won a Gartner Cool Vendor award in 2016. After the acquisition of Niddel by Verizon in January 2018, he became the Senior manager and global leader of the Managed Security Services - analytics products management team in the Detect & Respond portfolio tower at Verizon. In late 2019 founded Tenchi Security, a company that focuses on cloud security solutions and services. Experienced speaker featured at Black Hat, DEF CON Cloud Village, BSides San Francisco, FIRST Conference and others.

A Software Engineer at heart, Leonardo has been working in tech in different roles, from interacting with clients to building robust, scalable solutions. Experienced in building Cloud Native solutions as well as Front-end applications. Led the product roadmap of a smart mobility startup from Rio de Janeiro. Current DevSecOps Specialist at Tenchi Security enabling our clients to achieve a safer software development life cycle.

Speaker: Mazin Ahmed

Twitter: @mazen160


Ever come across an environment in an engagement that uses Terraform for IAC (infrastructure-as-code) management? Almost every modern company does now.
In this talk, I will be sharing techniques and attack vectors to exploit and compromise Terraform environments in engagements, as well as patterns that I have seen that achieve successful infrastructure takeover against companies. I will be also covering prevention methods for the discussed attack vectors in my talk. This is part of my work-in-progress research in cloud security and attacking modern environments.

Mazin Ahmed is a security engineer that specializes in AppSec and offensive security. He is passionate about information security and has previously found vulnerabilities in Facebook, Twitter, Linkedin, and Oracle to name a few. Mazin is the developer of several popular open-source security tools that have been integrated into security testing frameworks and distributions. Mazin also built FullHunt.io, the next-generation continuous attack surface security platform. He is also passionate about cloud security where he has been running dozens of experiments in the cloud security world.

Speaker: Felipe Pr0teus

Twitter: @pr0teusbr


"Like all major public cloud providers, AWS allows users to expose managed resources like S3 buckets, SQS queues, RDS databases, and others publicly on the Internet. There are legitimate uses for making resources public, such as publishing non-sensitive data. However, we often find that this functionality is mistakenly used, often due to a lack of cloud security expertise, to erroneously expose sensitive data. News of exposed S3 buckets is sadly very frequent in the specialized media. It is important to note, however, that there are many other relevant kinds of AWS resources that can be equally dangerous when publicly exposed but that don't get nearly as much scrutiny as S3 buckets. In this talk we are going to describe some of the methods that researchers and attackers use to discover and exploit these publicly exposed resources, and how cloud providers and defenders can take action to monitor, prevent and respond to these activities."

Felipe Espósito graduated in Information Technology at UNICAMP and has a master's degree in Systems and Computing Engineering by COPPE-UFRJ, both among the top technology universities in Brazil. He has over ten years of experience in information security and IT, with an emphasis on security monitoring, networking, data visualization, and threat hunting. He is a founder of the HackerMakerSpace in Rio de Janeiro and presented at respected conferences such as Hackers 2 Hackers Conference, BHACK, BSides (Las Vegas and São Paulo), FISL, Latinoware, SecTor and SANS SIEM Summit.

Speaker: Karl Fosaaen

Twitter: @kfosaaen


"Whether it's the migration of legacy systems or creation of brand-new applications, many organizations are turning to Microsoft’s Azure cloud as their platform of choice. This brings new challenges for penetration testers who are less familiar with the platform, and now have more attack surfaces to exploit. In an attempt to automate some of the common Azure escalation tasks, the MicroBurst toolkit was created to contain tools for attacking different layers of an Azure tenant. In this talk, we will be focusing on the password extraction functionality included in MicroBurst. We will review many of the places that passwords can hide in Azure, and the ways to manually extract them. For convenience, we will also show how the Get-AzPasswords function can be used to automate the extraction of credentials from an Azure tenant. Finally, we will review a case study on how this tool was recently used to find a critical issue in the Azure permissions model that resulted in a fix from Microsoft."

As a Practice Director at NetSPI, Karl leads the Cloud Penetration Testing service line and oversees NetSPI’s Portland, OR office. Karl holds a BS in Computer Science from the University of Minnesota and has over a decade of consulting experience in the computer security industry. Karl spends most of his research time focusing on Azure security and contributing to the NetSPI blog. As part of this research, Karl created the MicroBurst toolkit (https://github.com/Netspi/Microburst) to house many of the PowerShell tools that he uses for testing Azure. Over the last year, Karl has co-authored the book “Penetration Testing Azure for Ethical Hackers” with David Okeyode. Over the years, Karl has held the Security+, CISSP, and GXPN certifications.

Speaker: Daniel Prizmant

Twitter: @pushrsp


"A container packages up code and its dependencies, creating a minimal computing environment that can be cloned quickly and reliably across the ever-changing variety of operating system distributions. Originally available for Linux alone, containerized software will always run the same, regardless of the infrastructure. Microsoft teamed up with Docker to offer a container solution for Windows. Support for containers was added in 2016, but little documentation on the internal implementation was released. It was necessary to reverse engineer some of the components of Windows in order to better understand the kernel implementation. How does Windows prevent containers from running system calls that may allow attackers to escape containers? How does Windows prevent containers from accessing sensitive files outside the container, on the host? Why go through all this trouble? A vulnerability in the low level implementation of containers could impact hundreds of thousands of affected instances. Not to mention a full escape from the container to its host machine. How would such an escape vulnerability affect Kubernetes and Azure services? In this presentation I will show you how to fully escape a Windows container and gain full access to the host’s file system. I will discuss why Microsoft originally didn’t consider this a vulnerability, but do now. I will also show the use of this vulnerability in the wild by a malware."

Daniel started out his career developing hacks for video games and soon became a professional in the information security field. He is an expert in anything related to reverse engineering, vulnerability research and the development of fuzzers and other research tools. To this day Daniel is passionate about reverse engineering video games at his leisure. Before joining Palo Alto Networks Daniel was employed at CheckPoint, KayHut and Nyotron. Daniel holds a Bachelor of Computer Science from Ben Gurion University.

Speaker: Kavisha Sheth

Twitter: @sheth_kavisha


"In the last decade, cloud computing has been incorporated in various industries, from Health to Military, which has been meticulously guided by exploring related technologies in the industry and academia alike. The enterprise computing model has shifted from on-site infrastructure to remote data centers which are accessible via the internet and managed by cloud service providers. However, many companies breached on AWS moved sensitive data to AWS without following best practices or implementing cloud security controls correctly. The main objective of the session is to bring awareness about some of the AWS cloud attack vectors as well as security controls that can help. You get to know discovery, identification and exploitation of security weaknesses and misconfigurations that lead to complete compromise of the cloud infrastructure. As cloud attack vectors and security controls are different, as a security professional you need to be aware of attack vectors and controls. So, you will also learn about possible best practices and detective controls to avoid some of the misconfigurations. In this session:

  • Learn about how an attacker can perform reconnaissance, leverage network, AWS Lambda functions, S3 misconfiguration and weaknesses in implementation to steal credentials and data.
  • Learn how misconfigurations and other leading cloud vulnerabilities put you at risk of exploitation, with some real world examples.
  • Learn about security controls, possible best practices and detective controls to avoid these misconfigurations."

"Kavisha is a Security Analyst at Appsecco. She is a cloud security and machine learning enthusiast who dabbles in application and API security and is passionate about helping customers in securing their IT assets. Kavisha is a member of a number of security communities including null community, InfoSecGirls, and WiCys India group. She believes in giving back to the community and frequently finds audiences to talk about Attacking GraphQL, different techniques to bypass authentication and Attacking AWS. When not breaking apps for Appsecco, Kavisha spends time learning and researching on different areas of security. She has also been listed as one of the top security researchers of the nation by NCIIPC RVDP."

Speaker: Avinash Jain

Twitter: @logicbomb_1


"In the agile world, where continuous iteration of development and testing happens throughout the software development lifecycle involving constant collaboration with stakeholders and continuous improvement and iteration at every stage, where engineers release their changes very frequently. All this makes the chances of potential security loopholes become more and more real. A fast-moving lean and agile culture makes it necessary to bring the testing of software support earlier in the development and release process. This brings us to the quote - “Security shouldn’t be treated as an after-thought”, it should be brought as close to engineers and as early in SDLC. When we bring something close to the source, and in this context, if we bring Security closer to the source, we call it Shift Left Security. It not only gives a much better opportunity to see improved security outcomes in products sooner, and include the requirements, suggestions, advice at an earlier stage, but also saves time, effort, and overall cost of product delivery. Shift Left approach takes this a step further, integrating security into CICD. With security requirements represented earlier in the software development process, it also makes enforcement part of the Continuous Delivery pipeline with improved testing, monitoring, and response to support security drift detection. By integrating security in CICD, one can deliver secure and compliant application changes rapidly while running operations consistently with automation. In order to do this well, the most logical place security can be checked are code reviews. But now the series of questions raised - How can it be achieved? How can we make sure every release that goes to production has proper security sign-off? How can we scan and test every piece of code that is changed from not just DAST or SAST point of view but also including wide custom and flexible security test cases? 
Here we will talk about building such a solution and framework to integrate security in CICD and automating the complete process for continuous scanning of different kinds of potential security issues on every code change in AWS Codepipeline. Some of the improvements it brings:

  • Wide Variety of Security checks - Integration of standard and custom checks
  • Early Checks - Now security checks are performed as soon as any PR is raised or code is modified
  • Highly Flexible - The security checks are very modular. We can add more checks as we want and configure them to perform response-based action
  • Completely Automated - Automation is the key/let the machines do the work
  • Alerting - Integration of SNS alert for check success or failure
  • Reporting - Scan reports are shared across different communication channels
  • Framework as code - Any company having their CICD over AWS can use this framework by just running my in-house built cloud formation template
  • Vulnerability Management - All the vulnerabilities and findings are logged in a single place - AWS Security Hub"

I am an information security researcher working as a Lead Security Engineer managing complete end-to-end information security. I love to break application logic and find vulnerabilities in them, and have been acknowledged by various MNCs like Google, Yahoo, NASA, Vmware, MongoDB, and other top companies. I am also an active blogger; some of my articles and interviews have been published in various newspapers like Forbes, BBC, Techcrunch, Economic times, Huffingtonpost, Hindustan times, ZDNet, Hakin9, Hackerone, etc. I am also a cybersecurity speaker and love to share my views on various infosec threads.

Speaker: Joshua

Twitter: @joshva_jebaraj


"As organisations' workflows move into the cloud we see a wider adoption of cloud based platforms like Google Cloud (GCP). While cloud based platforms offer a higher level of scalability, critical aspects of security can fall to the sidelines. With cybersecurity attacks on the rise in the cloud space (Gitlab-blog, Rhino-security-blog) we have to make sure all our applications hosted on cloud infrastructure like GCP are kept safe. The talk starts with the common service misconfiguration like open buckets and moves to advanced and GCP specific services like gcloud container registry. This talk not only covers the offensive side but also covers the defensive side where the audience will see demonstration of how those vulnerabilities can be mitigated. GCP Goat is an intentionally vulnerable project which consists of common misconfiguration in the Google Cloud that is open source for the audience to test their newly learned information after the talk. By the end of the talk the audience will have a better understanding of the common threat surface on GCP and how they can mitigate it. The talk starts with an introduction about the GCP Goat and how we can deploy it (5 mins):

  • Attacking Compute Engine (5 mins)
  • Attacking the App engine (5 mins)
  • Attacking SQL Instance (5 mins)
  • Attacking GCP buckets (5 mins)
  • Attacking GCP GKE clusters (5 mins)
  • Privilege Escalation (5 mins)
  • Conclusion and QA (5 mins)

Joshua Jebaraj is a Security Researcher at we45. He is an active member of many open-source communities like Null, Ansible and Hashicorp. He frequently speaks at null Chennai chapter and OWASP Vit Chennai. He has previously spoken at conferences like Owasp-Seasides, Bsides-Delhi and Open-Security-Summit.

    Speaker: Michael Raggo

    Twitter: @MikeRaggo


    "With more than 24,000 permissions across AWS, Azure, and GCP, how does one determine who gets what permissions? Half of the 10,000 permissions in AWS are admin-like permissions. This is even more complicated when new permissions and services are being added almost daily. Mapping these out and understanding their implications is a difficult task, yet attackers understand them well enough to leverage toxic combinations of these permissions for privilege escalation and exploiting your cloud infrastructure. In this presentation, we'll share our experiences in doing > 150 risk assessments across AWS, Azure, and GCP. We'll review common admin permissions that we commonly find accidentally assigned to developers and users. We'll reveal some extremely powerful permissions that can be mapped to a Cyber Kill Chain specific to cloud infrastructure. This will uncover toxic combinations of permissions that can lead to lateral movement, privilege escalation, exfiltration, and more. We'll provide real world examples of findings from audit logs, activity monitoring, and ML-based anomaly analysis. We'll then outline a strategy to tracking this moving forward actively within your environment and how to mitigate this over-permissioned access to build a permissions management lifecycle."

    Michael Raggo has over 20 years of security research experience. His current research focuses on Cloud security. His research has been highlighted on television’s CNN Tech, and numerous media publications including TIME, Forbes, Bloomberg, Dark Reading, TechCrunch, TechTarget, The Register, and countless others. Michael is the author of “Mobile Data Loss: Threats & Countermeasures” and “Data Hiding” for Syngress Books, and is a contributing author for “Information Security the Complete Reference 2nd Edition”. His Data Hiding book is also included at the NSA’s National Cryptologic Museum at Ft. Meade. A former security trainer, Michael has briefed international defense agencies including the FBI and Pentagon; and is a former participating member of the PCI Council. He is also a frequent presenter at security conferences, including Black Hat, DEF CON, RSA, OWASP, HackCon, and SANS. He was also awarded the Pentagon’s Certificate of Appreciation.

    Speaker: Batuhan Sancak

    Twitter: @nullx3d


    "Abstract: Azure is one of the most popular cloud services today. It has 15.4 million customers worldwide. 95% of Fortune 500 companies use Azure. If you look at it from the hacker point of view, that's perfect. Is Azure completely secure? No! No system is completely secure. It would be good to talk about Azure and talk about attack techniques. Check out the attack vectors. The results obtained by comparing attack vectors and defense vectors will be beneficial for everyone. In this presentation, I would like to talk about Azure Active Directory technology and attack vectors. I wrote the titles for you to review. Outline:

  • Azure Ad Overview Roles, terminology
  • Understand Active directory with azure
  • Azure AD security features
  • Attacking Azure Ad (Techniques)
    - Unauth Recon
    - Password Sniper
    - MsOnline Powershell Module
    - PHS
    - Backdoor Azure
    - SSO
    - Spn scanning
    - DcShadow Attack
    - Group Policy, etc.
  • Defense Azure Ad Suggestions

    "Hello Cloud Village. I'm Batuhan (@nullx3d). He is a cyber security researcher. He lives in Turkey and studies Management Information Systems at university. He is 21 years old. He feels like he belongs in cyberspace. Web Application Security and Linux structure are very attractive to him. He works on virtual machines, live web systems and on new technology (cloud security). Batuhan gave trainings and presentations in many universities in his country. He shares his experiences and works on his personal blog (docs.rka0x.com). If you accept him for DEF CON Cloud Village, he will be very happy. This is his dream. He hopes you like the CFP."

    Speaker: Kevin Chen

    Twitter: @devadvocado


    Certificates and public key infrastructure (PKI) are hard. No shit, right? I know a lot of smart people who’ve avoided this particular rabbit hole. Personally, I avoided it for a long time and felt some shame for not knowing more. The obvious result was a vicious cycle: I was too embarrassed to ask questions so I never learned. Well, now everything needs a certificate so let's be embarrassed together and learn the why.

    Kevin Chen was the first Developer Advocate at the now-unicorn open source company Kong and currently works at smallstep, an early stage open source startup. When not developing tech and demos for the PKI space, he likes to bake, travel, and tend to his motorcycle.

    Speaker: Rami McCarthy

    Twitter: @ramimacisabird


    "Most of us are not lucky enough to have architected the perfect cloud environment, according to this month's best practices, and without any legacy elements or "surprise" assets. Over the course of a career in cloud security, you'll likely find yourself walking into a new environment and needing to rapidly orient yourself to both mitigate the biggest risks and also develop a roadmap towards a sustainable, secure future. As a security consultant, I had the challenge and opportunity to enter blind into a variety of cloud environments. They were across Azure, GCP, and AWS, some well-architected and others organically sprawling, containing a single account/project and hundreds. This gave me a rapid education in how to find the information necessary to familiarize myself with the environment, dig in to identify the risks that matter, and put together remediation plans that address short, medium, and long term goals. This talk will present a cloud and environment agnostic methodology for getting your bearings if tasked with securing a novel cloud environment. We'll learn by applying this to a sample AWS environment in order to cover:

  • An archeological guide for where and how to find organizational context
  • How to quickly find and kill the most common attack vectors at the perimeter (both network and identity)
  • Common architectural and deployment patterns, how to spot them, and their security implications
  • What you need to know, what you need to prioritize, and what "best practices" aren't worth the squeeze when you're in a crunch.

    Rami McCarthy is a Staff Security Engineer at Cedar (a healthtech unicorn), and a recovering Security Consultant. He spent 3 years at NCC Group where he executed dozens of security assessments and sat on the Cloud Security working group. He was a core contributor to ScoutSuite - a multi-cloud auditing tool (and SaaS offering), and released sadcloud - a tool for Terraforming insecure AWS environments. Rami holds the CCSK, the AWS Certified Security – Specialty, and is completing an MS in information security leadership.

    Speaker: Magno Logan

    Twitter: @magnologan


    "This workshop aims to give an overview about how Kubernetes works and provide some best practices to secure your cluster whenever you are deploying a new cluster on your own or via managed services such as GKE, EKS or AKS. We are going to cover everything from the Control Plane or the Master Node, starting with the API server, including etcd, RBAC and network policies. Then, we’ll cover the worker nodes, kubelet, audit logs and pods best practices. We'll talk about the CIS Benchmarks for Kubernetes and the default configurations you need to worry about when deploying a new cluster. We'll show how to use RBAC and assign roles and permissions to your cluster users. We'll demonstrate how to enable audit logs for better visibility and later we'll set up some network policies to avoid communication between pods and prevent any lateral movement from attackers. Are you starting to use Kubernetes for container orchestration? Do you need guidelines on how to start securing Kubernetes in your organization? Do you want to find a way to increase the protection of your Kubernetes clusters without increasing the complexity of the infrastructure? Do you need to use Kubernetes clusters in a safe, efficient and affordable way? Everything in a practical way with a focus on security best practices? Then this is the workshop for you!


    • Kubernetes
      - What is Kubernetes?
      - Why should I use it?
      - What is the CNCF?
      - What are cloud native applications?
    • K8s Architecture
      - Control Plane (API Server, etcd, scheduler, controller-manager)
      - Worker Nodes (kubelet, kube-proxy and CRE)
    • Cluster, Nodes, Pods and Namespaces
    • K8s API Objects
    • kubectl
    • Setting up your first cluster
    • Deploying your web app as a pod
    • Using services and load balancers
    • Hardening K8s
      - API Server
      - Image Scanning
      - Runtime Protection
      - Network Policy
      - Pod Security Policy (PSP) - Deprecated
      - PSP Alternatives
      - Audit Logs

    Participants should prepare by:

    • Creating their own AWS account
    • Setting up and deploying a Cloud9 instance (t2-micro in us-east-1)
    • Creating an IAM Role with Admin privileges and attaching it to the Cloud9 EC2 instance

    Magno Logan works as an Information Security Specialist for Trend Micro. He specializes in Cloud, Container and Application Security Research, Threat Modelling and Red Teaming. He has been tapped as a resource speaker for numerous security conferences around the globe. He is the founder of the JampaSec Security Conference and the OWASP Paraiba Chapter and also an active member of the CNCF TAG-Security team.

    Speaker: Wes Lambert

    Twitter: @therealwlambert


    "It's been said that 94% of enterprises already use a cloud service, and that 30% of all IT budgets are allocated to cloud computing. What does this mean for network defenders? It means that many organizations are invested in the cloud, and unfortunately, many organizations still have little visibility into inter-instance, instance-to-internet, and control plane activity, as well as management functions and bucket access within the cloud. While some of this activity may be logged, it may not be analyzed or aggregated for quick review. In this workshop, we'll cover how Security Onion, a completely free and open platform for intrusion detection, enterprise security monitoring, and log management, can be leveraged to increase visibility in the cloud. By using Security Onion, defenders can facilitate effective threat detection and ease compliance efforts. Attendees should walk away with an understanding of how they can utilize Security Onion to find evil in their cloud environments and make their adversaries cry."

    • (1) Introduction to the Cloud
      (a) Asset/Threats
      (b) Monitoring Challenges
    • (2) Introduction to Security Onion
      (a) Components and Data Collected
    • (3) Security Onion in the Cloud
      (a) Traffic Mirroring
      (b) Cloud Telemetry
      (c) Deployment

    Speaker: Madhu Akula

    Twitter: @madhuakula


    Kubernetes Goat is a "vulnerable by design" Kubernetes Cluster environment to practice and learn about Kubernetes Security. In this session, Madhu Akula will present how to get started with Kubernetes Goat by exploring different vulnerabilities in Kubernetes Cluster and Containerized environments. He also demonstrates the real-world vulnerabilities and maps the Kubernetes Goat scenarios to them. We will see the complete documentation and instructions to practice Kubernetes Security for performing security assessments. As a defender you will see how we can learn these attacks and misconfigurations to understand and improve your cloud native infrastructure security posture.

    Madhu Akula is the creator of Kubernetes Goat, an intentionally vulnerable by design Kubernetes Cluster to learn and practice Kubernetes Security. He is also a published author and Cloud Native security researcher with extensive experience, and an active member of the international security, DevOps, and Cloud Native communities (null, DevSecOps, AllDayDevOps, etc). He holds industry certifications like OSCP (Offensive Security Certified Professional), CKA (Certified Kubernetes Administrator), etc. Madhu frequently speaks and runs training sessions at security events and conferences around the world including DEFCON (24, 26 & 27), BlackHat USA (2018 & 19), USENIX LISA (2018 & 19), O'Reilly Velocity EU 2019, GitHub Satellite 2020, Appsec EU (2018 & 19), All Day DevOps (2016, 17, 18, 19 & 20), DevSecCon (London, Singapore, Boston), DevOpsDays India, c0c0n (2017, 18), Nullcon (2018, 19), SACON 2019, Serverless Summit, null and multiple others. His research has identified vulnerabilities in 200+ companies and organizations, including Google, Microsoft, LinkedIn, eBay, AT&T, WordPress, NTOP and Adobe, etc., and he is credited with multiple CVEs, acknowledgements, and rewards. He is co-author of Security Automation with Ansible 2 (ISBN-13: 978-1788394512), which is listed as a technical resource by Red Hat Ansible. He is also a technical reviewer of the Learn Kubernetes Security book published by Packt, and won 1st prize for building an Infrastructure Security Monitoring solution at the InMobi flagship hackathon among 100+ engineering teams.

    Speaker: Yuval Avrahami

    Twitter: @yuval_avrahami


    "Running your business-critical applications on the public cloud involves trust. You trust your cloud provider to separate your workloads from other customers' workloads. You trust your cloud provider to patch and update their software and hardware stack. For those of us with trust issues, blindly running our applications in the public cloud can be tough. Fortunately, trust can be earned through visibility, and that's where WhoC can help. WhoC provides a bit of visibility into how Container-as-a-Service (CaaS) offerings run our containers. WhoC (Who Contains) is a container image that upon execution extracts the underlying container runtime. It doesn't try to identify the underlying runtime based on the container's cgroup configuration, the existence of a '.dockerenv' file or any other known trick. WhoC exfiltrates the actual container runtime binary from the underlying host. In this talk Yuval will walk you through how WhoC works and show a demo running WhoC in a popular CaaS offering. You'll learn a surprising truth: Linux containers can actually access one host file - the container runtime."

    Yuval Avrahami is a Principal Security Researcher at Palo Alto Networks, dealing with hacking and securing anything related to containers and cloud. Yuval is a veteran of the Israeli Air Force, where he served in the role of a researcher.

    Speaker: Mohammed Aldoub

    Twitter: @Voulnet


    barq is a post-exploitation framework that allows you to easily perform attacks on a running AWS infrastructure. It allows you to attack running EC2 instances without having the original instance SSH keypairs. It also allows you to perform enumeration and extraction of stored Secrets and Parameters in AWS.

    Mohammed Aldoub is an independent security consultant and Blackhat Trainer from Kuwait, who, in his 11 years of experience, worked on creating Kuwait's national infrastructure for PKI, cryptography, smartcards and authentication. Mohammed delivers security trainings, workshops and talks in the Netherlands, USA, Sweden, London, Czech Republic, Singapore, Dubai, Lebanon, Riyadh and Kuwait, in events like Blackhat (USA, EU), Infosec in the City, OPCDE, SEC-T and others. Mohammed is focusing now on APIs, secure devops, modern appsec, cloud-native security, applied cryptography, security architecture and microservices. He is the author of "barq", the AWS post exploitation attack framework, which you can find at https://github.com/Voulnet/barq, and he's also the author of Desharialize, which you can find at https://github.com/Voulnet/desharialize. Mohammed is deeply interested in malware, especially malware used by state actors in the Middle East zone, where he volunteered as OWASP Kuwait's chapter leader. You can find his Twitter account at https://twitter.com/Voulnet and his GitHub account at https://github.com/voulnet

    Speaker: Igal Flegmann

    Twitter: @igal_fs


    "Working in security over the last few years I have learned that it is nearly impossible to stop a breach from happening. While having great security practices such as isolated password-less identities, isolated devices, and conditional access will help you stop 99% of the attacks, we need to ask ourselves the following questions: Are we monitoring our infrastructure for changes that might open an attack vector? Are we ready to detect and remediate our next breach before the attacker can do any damage? Azure Security Center provides us with some great tools to check some of these errors. For example, it will alert on the SSH port being left open but it would not alert on a very large IP address range being added to your networking rules. The solution? CloudWatcher, our open-source tool that monitors your Azure Subscription ACLs and will alert you if they changed based on the baseline you have created."

    "Igal started his career in Microsoft’s Azure Security team creating and managing identity services for Azure’s secure production tenants. During his time at Azure Security, Igal had the opportunity to create and manage PKI services, Identity Management products, tools for migrating running services across Azure tenants, and created products for password-less bootstrap to new domains. After a successful career in Azure Security, Igal transferred teams to work in Azure’s ASCII (Azure Special Capabilities, Infrastructure, and Innovation) team, where he used his identity and security expertise to design and create security services to protect the critical infrastructure devices of the world. To follow his passion for identity and security, Igal decided to leave Microsoft and co-found Keytos, a security company with the mission of eliminating passwords by creating easy to use PKI offerings. Earlier this year they launched their first product “EZSSH”, which takes aim at stopping SSH key theft by making it easy to use short lived SSH Certificates."

    Speaker: Cassandra Young

    Twitter: @muteki_rtw


    A common methodology used by companies to implement Duo 2-factor authentication for O365 can, if not configured properly, result in a loophole that allows mobile clients to authenticate without being prompted. This short talk will provide background on the authentication types involved, show the incomplete configuration, and demonstrate how to exploit using mobile devices.

    Cassandra is a Senior Scientist at Security Risk Advisors, focusing on Cloud Security architecture and engineering. She is concurrently pursuing a Master's degree in Computer Science, with notable work including academic research on serverless/microservices security, cloud-based app development, and privacy & anonymity technologies. She is also one of the directors of Blue Team Village, a not-for-profit organization bringing free Blue Team talks, workshops and more to the broader InfoSec community.

    Speaker: Rodrigo Montoro

    Twitter: @spookerlabs


    "The AWS service APIs provide around 9,400 different actions (and growing!) that, when logged, give a lot of extra info that can be correlated and used to find malicious activities. However, as with most data sources, it is very noisy. Plus, it fails to include in its events critical contextual information that threat hunters need. Working with our Threat Detection Engineering Team to create very actionable use cases that don’t need much additional context and exceptions, we developed an idea to detect the creation time of events discovered by most CSPM checks when evaluating a cloud provider, particularly AWS in this case. Cloud Security Posture Management (CSPM), which works by detecting cloud service misconfigurations, is one of the most common technologies used to improve cloud security and is used heavily worldwide by thousands of companies. Despite this, CSPM tools cannot detect most of the real-time findings, need privileges to be executed, and must be scheduled to run and analyze, preferably daily, to decrease the window of exposure. Cloud misconfigurations typically result in second-stage attacks. Aside from some risks that make information public, attackers likely need some credentials with privileges to perform actions that could impact privilege escalation, resource exposure, crypto mining, infrastructure modification, and access to sensitive data. Starting with some CloudSploit checks, we named this research CSPM2CloudTrail, so we create misconfigured services based on their findings and analyze how these changes are logged to CloudTrail. We made many use cases that we mainly transform into cards (with CloudSploit information) and sigma rules, having information such as severity, recommendations, AWS Documentation, and more importantly, for our SOC, Splunk searches. Besides this great use of trying to detect this almost in real-time (since CloudTrail delays around 15 minutes), these queries could enrich CSPM findings, making incident responses on misconfigurations caught faster. All information and detections created will be shared in our GitHub repository."

    Rodrigo "Sp0oKeR" Montoro has 20 years of experience deploying open source security software (firewalls, IDS, IPS, HIDS, log management) and hardening systems. Currently, he is a Senior Researcher at Tempest Security. Before that, he worked as Cloud Researcher at Tenchi Security, Head of Research and Development at Apura Cyber Intelligence, SOC/Researcher at Clavis, Senior Security Administrator at Sucuri, and Spiderlabs Researcher, where he focused on IDS/IPS Signatures, Modsecurity rules, and new detection research. He is the author of 2 patented technologies involving the discovery of malicious digital documents and analyzing malicious HTTP traffic. He is currently coordinator and Snort evangelist for the Brazilian Snort Community. Rodrigo has spoken at several open-source and security conferences (OWASP AppSec, SANS DFIR & SIEM Summit, Toorcon (USA), H2HC (São Paulo and Mexico), SecTor (Canada), CNASI, SOURCE Boston & Seattle, ZonCon (Amazon Internal Conference), Blackhat Brazil, BSides (Las Vegas and São Paulo)).