
Blackhat and Defcon summary

Last week I had the pleasure of attending Blackhat and Defcon in Las Vegas. Here are a few key takeaways from the conference. For those that are not familiar, these are easily the biggest offensive security conferences in the world. It is a massive congregation of hackers, vendors, general security practitioners, and nowadays even professionals from completely unrelated fields. I even spoke with several economists and electricians, which just shows how integral cyber security is getting into the professional lives of those outside our field.

Aug 19, 2023

Overall, attendees got a chance to discuss modern challenges and learn from others in the security industry, talk to vendors about the latest and greatest of their products as well as upcoming features, and of course attend cutting edge presentations in their favorite sub-field of cyber security.

Key talks – application security and cloud security

If you know me, you know that I primarily focus on Azure security and application security. Given this bias, the following talks are in my mind mandatory for any Azure or application security professional who wants to stay current in the field. Watch for these when they are released to the public.

#1 James Kettle – Blackhat – “Smashing the state machine: the true potential of web race conditions”

Every time James Kettle presents, the internet breaks. He seems to specialize in identifying and popularizing novel full stack attacks against web applications, which always fundamentally change the way I look at the security of web apps. This one is no exception.

The fun thing about this research is that it is difficult to automate the detection of the race condition vulnerabilities he describes, and on top of that, it must be fixed at an application level. This is in contrast to his request smuggling research, which could be mostly fixed by reverse proxy vendors and pushed in updates to their products. In contrast, the race conditions described in his talk cannot easily be fixed by any vendors, which means that this is a new tool in any web app pentester’s arsenal that I suspect will be yielding bug bounties and critical vulnerabilities for years to come.
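To make the "must be fixed at the application level" point concrete, here is an added example (not from the talk or the original post) of a single-use coupon handler with a check-then-act window, beside a version that makes the check and the act one atomic step, plus a regression test that fires the requests in the same instant. The in-memory `CouponStore` and the simulated I/O delay are constructed stand-ins for a database row and a network round trip.

```python
import threading
import time

IO_DELAY = 0.1  # simulated DB/HTTP round trip between the check and the act


class CouponStore:
    """Constructed stand-in for a database row that holds a single-use coupon."""

    def __init__(self):
        self.used = False
        self.redemptions = 0
        self._lock = threading.Lock()

    def redeem_racy(self):
        # Check and act are two separate operations. Every request that reads the
        # flag before any of them writes it passes the check, so the limit is overrun.
        if not self.used:
            time.sleep(IO_DELAY)
            self.used = True
            self.redemptions += 1
            return True
        return False

    def redeem_atomic(self):
        # The fix lives in the application code: the check and the state change are
        # one indivisible step. A real service does the same with a conditional
        # "UPDATE ... WHERE used = 0" and a rowcount check, or a row-level lock.
        with self._lock:
            if self.used:
                return False
            self.used = True
            time.sleep(IO_DELAY)
            self.redemptions += 1
            return True


def fire_concurrent(redeem, n_requests=8):
    """Release n_requests redemptions at once (a regression test for the race);
    returns the number of requests the handler accepted."""
    barrier = threading.Barrier(n_requests)
    results = []

    def worker():
        barrier.wait()  # all threads pass this line in the same instant
        results.append(redeem())

    threads = [threading.Thread(target=worker) for _ in range(n_requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)
```

A proxy or WAF in front of this handler sees eight well-formed requests and has nothing to block; only the handler's own logic can close the window.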

#2 Karl Fosaaen – Defcon Cloud Security Village – “What the Function: A Deep Dive into Azure Function App Security”

Karl is another of those researchers that you should really follow if you want to be up to date on modern attacks against Azure environments. Often times, he presents techniques that abuse expected functionality in Azure, so the attack paths don’t get patched by Microsoft. This makes them mandatory for any Azure pentester to be familiar with. A good example and a favorite of mine is his post on cloud shell takeovers, which provide a surefire way to escalate privileges.

This talk presents a new, or at least new to me, attack path against Azure Functions. The impact of this one is understated – there are plenty of ways to use his techniques to abuse a function and pivot laterally or escalate privileges in an Azure environment. I am sure future research will come out about more abuse techniques in this area.

#3 Aled Mehta and Christian Philipov – Defcon Cloud Village – “Tag, You're Exposed: Exploring Azure Service Tags and their Impact on your Security Boundary”

To me, this one was the dark horse in the cloud village at Defcon. The research explores how to abuse those little buttons in Azure that say “allow network bypass by trusted azure services” or similar. In the past, these buttons have always given me a bad feeling and I have always advised not to use them, but I have not had any concrete research backing this feeling. Aled and Christian deliver on this front – finally a good presentation on why this is a bad idea and how it can be abused.

Another mandatory watch for any Azure security professional.

Other takeaways – CNAPP vendors

One of the great things about Blackhat is that all of the biggest vendors are present, AND they often bring members of their product team. This makes it a great place to grill the product teams about what they are doing, why, how, and where they are going with their products. This time around, I spent some hours exploring the current state of the CNAPP and CIEM vendors.

My main takeaway is that most CNAPP vendors are really doing the same thing, and their products look almost identical. On the technical side, unless you have quite an advanced team that architects their product around a specific CNAPP product or is able to resolve all of the output from some of the products, there isn’t that much benefit you will get from one over another. You will likely be in a constant state of following up on the critical issues identified by the CNAPP, and/or parsing through data to prioritize the endless list of issues you are faced with reviewing.

One notable exception is the shift-left emphasis of some of these vendors – secret scanning and pipeline security are extremely important for understanding the security of a workload in cloud, and I noticed that not all vendors had these capabilities. Other than this, for me, choice of vendor would come down to price, integrations and practicality of implementation.

Moving forward, CIEM was a buzzword that most of the vendors seemed to enjoy talking about. Most vendors seem to be releasing these components for their product by the end of the year. I do think that the CIEM functionality is key, but it is also in an infant stage. Vendors are beginning to map out the access that users and other identities have in your cloud environment, but this won't cover all or even most of the attack paths available to an attacker if one of those identities is compromised.

Long term, I hope there will be some convergence of CNAPPs with tools such as BloodHound, which do this attack path mapping and management. Once we get to this stage, I think the products will become far more useful to contextualize specific security issues in a cloud-based environment.