Def Con 31
We're heading to Def Con 31! Our Research Team will be presenting in the Def Con Demo Labs and another two sessions in the Cloud Village.
Sticking around after Black Hat this year? We'll be in Vegas for Def Con 31 and look forward to meeting you there.
CNAPPGoat - A Multicloud Vulnerable-by-Design Infrastructure Deployment Tool
Demo Labs: Friday August 11 from 12:00pm-1:55pm - Accord Boardroom, Forum
Cloud Village: Sunday, August 13 from 12:40pm-1:10pm
Presented by: Noam Dahan and Igal Gofman
CNAPPGoat is a CLI tool designed to deploy intentionally vulnerable-by-design cloud infrastructure. It provides a useful playground for defenders to test their protective strategies, tools, and procedures and for offensive professionals to refine their skills and tooling. This tool deploys diverse infrastructures, including those with misconfigurations, IAM issues, network exposure, and those conducive to lateral movement attacks. While other (excellent) tools are designed to deploy tailored capture-the-flag scenarios, CNAPPGoat takes a broader approach by deploying a wide array of environments with diverse misconfigurations, providing a comprehensive perspective.
CNAPPGoat supports modular deployment of various vulnerable environments and is a multi-cloud tool. CNAPPGoat is built on Pulumi and supports multiple programming languages. It operates as a CLI tool, requiring no specific IaC expertise, enabling a wide range of professionals to deploy and monitor environments.
The tool enables defenders to test detection, prevention, and control mechanisms against vulnerabilities and misconfigurations, while aiding offensive professionals by providing practice environments. Demonstrations will include a showcase of the tool, deployment and remediation of a scenario, practical exploitation for learning, and guidance on building modules to customize CNAPPGoat.
The Rocky Balboa Guide to Cloud Security Research: Getting Back Up When You Get Knocked Down
Cloud Village: Saturday, August 12 from 12:20pm-1:00pm
Presented by: Liv Matan
Vulnerability research is sometimes perceived as a glamorous pursuit, where researchers constantly uncover security flaws and find critical exploits that can lead to catastrophic results. In this talk, we show you what it’s really like behind the scenes of cloud vulnerability research.
The session draws on real-world examples, including a major vulnerability we uncovered that affected multiple Azure web services, exploitation of internal communication channels across various CSPs, and our go-to approach when exploring new unfamiliar cloud services. We close the session by discussing each vendor's unique approach to fixing reported security issues.
Join us for this thought-provoking talk and discover the hidden side of vulnerability research. You'll come away with a new appreciation for the challenges and rewards of this fascinating field and a deeper understanding of its role in keeping us all safe and secure.