Difficult to detect and pervasive in nature, cloud attack techniques attract the likes of APT groups like Nobellium who have increased their focus on abusing identity federation. Techniques like Golden SAML and AD FS skeleton keys provide threat actors the double-edged sword of combining both lateral movement and privilege escalation into a single technique - with the added benefit of leaving little trace in the cloud logs for defenders.
For a long time, compromise and detection has focused primarily on on-premises techniques, but the ecosystem has shifted, and the cloud is the new frontier. As most organizations utilise cloud services in one way or another - it’s only a matter of time before we see commodity threat groups and other nation states abusing these techniques. This talk aims to break down APT techniques in the cloud like Golden SAML and AD FS skeleton keys to demonstrate the wide range of possibilities of cloud compromise, and to highlight the future of cloud attacks and the untapped research potential yet to be uncovered.
Lina Lau (@inversecos)
Lina is the Founder of XINTRA, a platform providing advanced cybersecurity training focused on APT techniques and detections. She has an extensive background in incident response, where she was formerly the Principal IR Consultant at Secureworks APJ and the AAPAC Incident Response lead for Accenture ANZ. She has worked in Incident Response for multiple years leading complex international cases covering sectors such as national defence, banking, energy, and manufacturing.
Lina is also a Black Hat trainer, SANS advisory board member and has presented at several international conferences and authored a book on cybersecurity. She currently holds the following certifications: GXPN, GASF, GREM, GCFA and OSCP.