Thousands of security professionals descend upon Las Vegas every year to take part in a series of conferences known as Hacker Summer Camp (Black Hat, BSides and Defcon). This year, I attended Defcon, and it seems like the numbers keep growing. So, why is this one of the most relevant and successful security conferences? Because it’s built around people who love to explore, share knowledge, and learn about computing and security in the cloud.
Hacking in the cloud
The Cloud Village was particularly interesting to me. Cloud services are built for increased collaboration and productivity and provide capabilities like auto sync and API level communication. This has led enterprises to exclusively use SaaS, PaaS and IaaS services for storing and sharing critical and confidential data. End-users as well as security products tend to place implicit trust in cloud vendors such as Microsoft, AWS, Google and SaaS app vendors such as Box, Salesforce, DropBox. As a result, cybercriminals have started launching their attacks from these trusted cloud services. The talk focused on how attackers are abusing these trusted cloud services to create Phishing attacks that are highly effective and hard to detect.
READ MORE: APIs and security: What you need to know
One presentation I enjoyed was called “Phishing the cloud era.” They began the presentation by sharing some statistics that illustrate the wide-scale adoption of cloud services by cybercriminals. In particular, they focused in on the usage of cloud services as a launching point of an attack.
They looked at a few specific techniques discovered in the wild:
- Targeted BEC (Business email compromise) Phishing attacks abusing popular services like S3, GCS, Azure Storage, and GCP Google’s App engine.
- PhaaS (Phishing-as-a-Service) Criminals hosting a full-fledged phishing infrastructure over cloud and selling it as a B-to-C model. These on-demand service-based models provide an essence of a criminal version of software-as-a-service which allows purchasing site login accounts along with crafting and hosting phished links.
The key takeaways they found behind the threat actor’s motivation and interest in using the cloud were:
- Reducing the infrastructure overhead.
- Access to more powerful hosting or computing services.
- Significantly cheaper attack methods (No DGA or BPH needed).
- Gives attackers protection by default (encrypted traffic, API driven communication, etc.).
- Slow take-downs, fast recovery.
READ MORE: How can AI help secure your APIs?
Security in the cloud
Overall, this presentation focused on phishing attacks hosted in the cloud, and how organizations should carefully assess the risks and potential threats when moving their enterprise workload towards the cloud.
Most end users are savvy enough now to understand links that include random IP addresses or suspicious sounding domain names should not be clicked on, but don’t have a similar awareness of the risk associated with cloud services. Users tend to click on an email invite from a cloud application or a phishing document hosted in a cloud environment as it is convincing and difficult to recognize as phishing.
The motivation behind this new trend is its simplicity. This is why it draws an ever-growing amount of novice cybercriminals into building their attack surfaces using cloud services.
Over all, it was another successful Defcon. There were so many different people from every walk of life it seemed. Every person I interacted with was super friendly and eager to learn about everything security. Looking forward to Defcon 28!
Cybersecurity threats – Interview with Bernard Harquindeguy, Ping Identity