Penetrating the Cloud: Uncovering Unknown Vulnerabilities
This presentation from Bishop Fox security experts reveals how attackers exploit common cloud misconfigurations to gain unauthorized access to sensitive data, demonstrating why continuous testing is essential for cloud security.
79% of companies have experienced at least one cloud data breach in the last 18 months, often due to unknown vulnerabilities.
For an increasing number of organizations, the explosion in attack surface has reached unmanageable levels amid the widespread adoption of cloud services. One of the key challenges of this unprecedented growth in cloud infrastructure is understanding which vulnerabilities and misconfigurations are the most exploitable and the most impactful. While many organizations spend a lot of time fixing the issues their tools can easily identify, tools have limitations and rarely think the way an attacker does.
An offensive security approach is unique in that it identifies the attack paths a real attacker would actually take, so the organization can prepare against those paths specifically.
Session Summary
In this comprehensive presentation, Bishop Fox penetration testers Seth Art and Nate Rob share their expertise from conducting cloud security assessments across diverse environments. The speakers establish two distinct testing perspectives: the "zero knowledge" approach, simulating external attackers attempting to breach the perimeter, and the "assumed breach" scenario, testing internal controls against attackers who have already gained initial access to cloud environments.
The presentation first explores common external attack vectors, including a detailed case study where the Cosmos team discovered VPN configuration profiles through GitHub "secret gists" that had been shared via URL shorteners. This initial access allowed the team to identify thousands of internal services, many lacking authentication, ultimately leading to a full compromise of the target's infrastructure through access to deployment scripts in private repositories.
The speakers then transition to examining internal attack paths, demonstrating how authenticated users can escalate privileges through various means. These include accessing cloud credentials stored in private repositories, exploiting overly permissive cross-account role trusts, and leveraging container escape techniques to gain administrative access. A particularly detailed example illustrates how administrative access to a Jenkins server in a development environment led to production database access containing credit card data, despite network segmentation controls.
Throughout the presentation, the speakers emphasize that attack complexity does not correlate with impact—simple misconfigurations often lead to the most devastating breaches. They conclude with practical recommendations focused on implementing multi-factor authentication, eliminating long-term access keys, applying account-level segmentation, enforcing least privilege principles (particularly through infrastructure as code), and proactively identifying unknown attack paths through continuous testing.
Key Takeaways
- Attack paths don't need to be complex to be effective - Many cloud breaches result from simple misconfigurations like improper S3 bucket permissions or exposed credentials in private repositories.
- Cloud credentials remain a primary target - Attackers exploit credentials stored in various locations, from public Git repositories to private document storage and collaboration platforms like Slack.
- Cross-account role trusts create unexpected access paths - Organizations often misconfigure trust relationships between accounts, allowing users to gain unintended access across account boundaries.
- Container security requires special attention - Applications running in containers can often reach the underlying instance's metadata service and thereby borrow the instance role's permissions if proper controls (such as blocking metadata access from workloads) aren't implemented.
- Infrastructure as code facilitates least privilege - Organizations using infrastructure as code can more effectively implement and maintain least privilege policies compared to manual configuration.
- Multi-layered defensive controls slow attackers down - Even when initial defenses fail, implementing multiple security layers increases attacker noise and provides more detection opportunities.
- Regular penetration testing from multiple perspectives is essential - Both external ("zero knowledge") and internal ("assumed breach") testing approaches are necessary to identify the full range of potential attack paths.
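As an added illustration of the cross-account trust and MFA takeaways above (this is example code written for this summary, not code from the presentation or from Bishop Fox), the following Python script audits IAM role trust policies for the misconfigurations those takeaways describe: a wildcard principal, an account-wide trust of another account with no Condition, and an IAM user principal allowed to assume the role without MFA. The account IDs and the sample policies are constructed placeholders.

```python
"""Audit IAM role trust policies for overly broad cross-account trusts and missing MFA."""
import json

HOME_ACCOUNT = "111111111111"     # placeholder: the account that owns the role
PARTNER_ACCOUNT = "222222222222"  # placeholder: a partner or CI account we trust


def _as_list(value):
    """IAM policy elements may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _account_of(arn):
    """Return the 12-digit account ID inside an IAM ARN (or a bare account ID), else None."""
    if arn.isdigit() and len(arn) == 12:
        return arn
    parts = arn.split(":")
    return parts[4] if len(parts) >= 6 and parts[4].isdigit() else None


def _has_condition_key(conditions, key):
    """True if any Condition operator block (StringEquals, Bool, ...) references the context key."""
    key = key.lower()
    return any(key in {k.lower() for k in block}
               for block in conditions.values() if isinstance(block, dict))


def audit_trust_policy(policy, home_account):
    """Return (statement_index, severity, message) for each weak Allow sts:AssumeRole statement."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue  # federation actions (AssumeRoleWithWebIdentity etc.) are out of scope here
        conditions = stmt.get("Condition") or {}
        principal = stmt.get("Principal")
        # "Principal": "*" and "Principal": {"AWS": "*"} are equivalent for this check
        aws_principals = ["*"] if principal == "*" else _as_list((principal or {}).get("AWS"))
        for arn in aws_principals:
            if arn == "*":
                findings.append((idx, "CRITICAL",
                                 "Principal '*': any AWS principal may assume this role"))
            elif arn.endswith(":root") or arn.isdigit():
                # ":root" (or a bare account ID) trusts every IAM user and role in that account,
                # delegating the decision of who may assume the role to the other account's admins
                acct = _account_of(arn)
                if acct != home_account and not conditions:
                    findings.append((idx, "HIGH",
                                     f"account-wide trust of {acct} with no Condition: every "
                                     "IAM user and role in that account may assume this role"))
            elif ":user/" in arn and not _has_condition_key(conditions, "aws:MultiFactorAuthPresent"):
                findings.append((idx, "MEDIUM",
                                 f"IAM user {arn} may assume this role without MFA"))
    return findings


# Constructed sample trust policies (not taken from the presentation).
SAMPLE_POLICIES = {
    "wide_open": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]},
    "whole_partner_account": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{PARTNER_ACCOUNT}:root"},
        "Action": "sts:AssumeRole"}]},
    "user_without_mfa": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{HOME_ACCOUNT}:user/alice"},
        "Action": "sts:AssumeRole"}]},
    "scoped_to_one_role": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{PARTNER_ACCOUNT}:role/deploy-ci"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]},
}


def audit_samples():
    """Audit every sample policy and return {name: findings}."""
    return {name: audit_trust_policy(policy, HOME_ACCOUNT)
            for name, policy in SAMPLE_POLICIES.items()}


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(f"{name}: {'OK' if not findings else ''}")
        for idx, severity, message in findings:
            print(f"  [{severity}] statement {idx}: {message}")
    print(json.dumps(SAMPLE_POLICIES["scoped_to_one_role"], indent=2))  # the shape to aim for
```

In a real account the input would be the `AssumeRolePolicyDocument` returned by `iam:GetRole` or `iam:ListRoles`; the interesting cases to add beyond these samples are principals in accounts you do not recognise at all, which is exactly the kind of unintended cross-account path the speakers describe.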