AWS Community Day Indonesia 2025 - Attack the Cloud Before Attackers Do: Building Adversary Simulation Playbooks
myugan
Oct 26, 2025
About This Presentation
Many cloud breaches come from simple mistakes like misconfigurations, overly broad permissions, or skipping breach simulations. Attackers use gaps like these to their advantage, abusing Cloud Service Provider (CSP) features to steal data, move between accounts, or stay hidden. In this session, we will walk through real scenarios that often get overlooked and show how AWS features can be turned against you for data exfiltration, lateral movement, and other risks. We will also run a live demo with Stratus Red Team to show how these attacks look in practice. Along the way, we’ll build playbooks that let you repeat the simulations, test your defenses, and spot weak points. By the end, you will have a clear idea of how to run adversary simulations in your own cloud setup and reduce the attack surface before real attackers do!
Size: 17.78 MB
Language: en
Slides: 43 pages
Slide Content
Attack the Cloud Before Attackers Do:
Building Adversary Simulation Playbooks
Muhammad Yuga Nugraha, Satria Ady Pradana
Who We Are
M. Yuga Nugraha
• DevSecOps Engineer at Practical DevSecOps.
• Not locked into any cloud vendor, I love working with any cloud.
• Speaker at PyCon APAC 2024, PyCon SG 25, AWS Community Day Indonesia 2024, KCD Indonesia 2024, OpenInfraDays ID 2025, Cloud Village @ DEFCON 33.
Who We Are
Satria Ady Pradana
• Adversarial Engineer at Grab.
• Community Leader of Reversing.ID.
• Malware analyst and developer in free time.
Cloud Incidents - Uber Breach
Cloud Incidents - Capital One Breach
What is Red Team?
Simulating the Tactics, Techniques, and Procedures (TTPs) used by adversaries or threat actors within a controlled environment to evaluate the security posture of the organization.
Phases of Engagement
• Emulated attacks must be performed in a repeatable, consumable, and actionable way.
• Predictable outcome and side effects.
• Each action should improve detection.
Do it X times!
MITRE ATT&CK Cloud Matrix
DataDog - Cloud Security Atlas
Getting Started
So, where do we begin?
• Define scope and objectives
• Rules of engagement
• Prepare an isolated test environment (not production)
• Monitor, document, and remediate
What about the tooling?
State Machine
• WARM: Spin up infrastructure
• DETONATE: Execute the attack
• REVERT: Revert to a detonatable state
• CLEANUP: Remove all infrastructure
Attack Techniques
Organised by platform and tactic using the following pattern:
PLATFORM.TACTIC.TECHNIQUE
Example: aws.credential-access.ec2-get-password-data
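The state machine, the "do it X times" rule from the Phases of Engagement slide, and the PLATFORM.TACTIC.TECHNIQUE naming scheme, driven as one repeatable playbook. This is an added example written for this page, not code from the slides or from the Stratus Red Team project. It shells out to the `stratus` CLI (assumed to be installed and on PATH; `dry_run=True` only records the commands), and the platform and tactic lists it validates IDs against are the author's assumptions, not something the slides state.

```python
"""Playbook runner around the Stratus Red Team CLI.

Added example, not code from the slides or from Stratus Red Team. It encodes
the WARM -> DETONATE -> REVERT -> CLEANUP state machine, checks technique IDs
against the platform.tactic.technique pattern, and replays detonate/revert the
requested number of times so one TTP can be fired repeatedly at your detections.
"""
import re
import subprocess

# Platforms Stratus ships techniques for at the time of writing (assumption;
# extend it if `stratus list` in your version shows more).
PLATFORMS = {"aws", "azure", "gcp", "kubernetes", "entra-id", "eks"}
# MITRE ATT&CK tactics as spelled in Stratus technique IDs (assumption).
TACTICS = {
    "initial-access", "execution", "persistence", "privilege-escalation",
    "defense-evasion", "credential-access", "discovery", "lateral-movement",
    "exfiltration",
}
TECHNIQUE_ID = re.compile(r"^([a-z-]+)\.([a-z-]+)\.([a-z0-9-]+)$")


def parse_technique_id(technique_id):
    """Split 'platform.tactic.technique' and reject unknown platform/tactic."""
    match = TECHNIQUE_ID.match(technique_id)
    if not match:
        raise ValueError(f"not a platform.tactic.technique id: {technique_id!r}")
    platform, tactic, technique = match.groups()
    if platform not in PLATFORMS:
        raise ValueError(f"unknown platform {platform!r}")
    if tactic not in TACTICS:
        raise ValueError(f"unknown tactic {tactic!r}")
    return platform, tactic, technique


COLD, WARM, DETONATED = "COLD", "WARM", "DETONATED"
# Allowed transitions for this playbook: {action: {state_before: state_after}}.
# The CLI can warm up on its own when you detonate; the playbook keeps the
# warmup step explicit so every run has the same shape and the same side effects.
TRANSITIONS = {
    "warmup": {COLD: WARM},
    "detonate": {WARM: DETONATED},
    "revert": {DETONATED: WARM},
    "cleanup": {WARM: COLD, DETONATED: COLD},
}


class Playbook:
    def __init__(self, technique_id, dry_run=False):
        parse_technique_id(technique_id)  # fail early on a malformed ID
        self.technique_id = technique_id
        self.dry_run = dry_run
        self.state = COLD
        self.commands = []  # every stratus invocation, in order

    def step(self, action):
        """Run one stratus action if it is valid from the current state."""
        allowed = TRANSITIONS[action]
        if self.state not in allowed:
            raise RuntimeError(f"cannot {action} from state {self.state}")
        cmd = ["stratus", action, self.technique_id]
        self.commands.append(cmd)
        if not self.dry_run:
            subprocess.run(cmd, check=True)
        self.state = allowed[self.state]
        return self.state

    def run(self, repeat=1):
        """Warm up once, detonate/revert `repeat` times, clean up once."""
        self.step("warmup")
        for _ in range(repeat):
            self.step("detonate")
            self.step("revert")
        return self.step("cleanup")


if __name__ == "__main__":
    pb = Playbook("aws.credential-access.ec2-get-password-data", dry_run=True)
    pb.run(repeat=3)
    for cmd in pb.commands:
        print(" ".join(cmd))
```

Because the playbook refuses `revert` before `detonate` and `detonate` before `warmup`, a half-finished run cannot leave infrastructure in an unknown state; `cleanup` is reachable from both WARM and DETONATED, so it is the one step you can always take to get back to COLD.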
aws.exfiltration.s3-bedrock - Warmup
• Create an S3 bucket with a sample customer data file (customer.csv).
• Create an IAM role with S3 read permissions for the Bedrock AgentCore service.
• Create a Bedrock Code Interpreter with the execution role.
aws.exfiltration.s3-bedrock - Detonation
• Start a Bedrock Code Interpreter session.
• Execute a command to query the EC2 instance metadata service (IMDS).
• Retrieve temporary security credentials from the Bedrock Code Interpreter.
• These credentials can be used to access the S3 bucket and exfiltrate data (GetObject, PutObject).
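A detection-side check for the detonation above, as an added example that is not from the slides or from Stratus Red Team. The CloudTrail-style records it scans are constructed inline; the account ID, the role name BedrockCodeInterpreterRole and the service principal string in the "legitimate" record are assumptions. The two signals are the ones a practitioner would wire into a rule for this scenario: the execution role's temporary credentials being used directly (an IP literal in `sourceIPAddress`, where a service acting on the role's behalf is recorded by its DNS name), and one `accessKeyId` showing up from more than one source.

```python
"""Detection for stolen service-role credentials used against S3.

Added example, not code from the slides or from Stratus Red Team. Field names
follow the CloudTrail record format (eventSource, eventName, sourceIPAddress,
userIdentity.accessKeyId, userIdentity.sessionContext.sessionIssuer.arn).
Sample events below are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Assumption: the Code Interpreter execution role created in the warmup step.
WATCHED_ROLE_ARNS = {"arn:aws:iam::123456789012:role/BedrockCodeInterpreterRole"}
S3_DATA_EVENTS = {"GetObject", "PutObject", "ListObjects", "ListObjectsV2"}
# Networks from which direct (non-service) use of the role is expected.
# Assumption: none; populate after baselining your own CloudTrail.
ALLOWED_NETWORKS = []


def issuer_role_arn(event):
    """ARN of the IAM role that issued the session, or None."""
    session = event.get("userIdentity", {}).get("sessionContext", {})
    return session.get("sessionIssuer", {}).get("arn")


def direct_use_from_ip(source):
    """True when sourceIPAddress is an IP literal outside ALLOWED_NETWORKS.
    A service DNS name such as 's3.amazonaws.com' is not an IP and yields False."""
    try:
        ip = ipaddress.ip_address(source)
    except ValueError:
        return False
    return not any(ip in net for net in ALLOWED_NETWORKS)


def flag_events(events):
    """Return {eventID: [reasons]} for S3 data events that look like the
    watched role's credentials being used outside the service."""
    findings = defaultdict(list)
    sources_by_key = defaultdict(set)
    for e in events:  # first pass: where has each access key been seen from?
        key = e.get("userIdentity", {}).get("accessKeyId")
        if key:
            sources_by_key[key].add(e.get("sourceIPAddress", ""))
    for e in events:
        if e.get("eventSource") != "s3.amazonaws.com":
            continue
        if e.get("eventName") not in S3_DATA_EVENTS:
            continue
        if issuer_role_arn(e) not in WATCHED_ROLE_ARNS:
            continue
        src = e.get("sourceIPAddress", "")
        if direct_use_from_ip(src):
            findings[e["eventID"]].append("service-role-used-directly-from:" + src)
        key = e.get("userIdentity", {}).get("accessKeyId")
        if key and len(sources_by_key[key]) > 1:
            findings[e["eventID"]].append("access-key-seen-from-multiple-sources")
    return dict(findings)


def _event(event_id, name, source_ip, key, role_arn):
    """Build a minimal constructed CloudTrail-like S3 record."""
    return {
        "eventID": event_id,
        "eventSource": "s3.amazonaws.com",
        "eventName": name,
        "sourceIPAddress": source_ip,
        "userIdentity": {
            "type": "AssumedRole",
            "accessKeyId": key,
            "sessionContext": {"sessionIssuer": {"arn": role_arn}},
        },
    }


ROLE = "arn:aws:iam::123456789012:role/BedrockCodeInterpreterRole"
OTHER_ROLE = "arn:aws:iam::123456789012:role/DataAnalystRole"
SAMPLE_EVENTS = [  # constructed sample, not real telemetry
    # service reads customer.csv on behalf of the session (service name as source)
    _event("evt-1", "GetObject", "bedrock-agentcore.amazonaws.com", "ASIAEXAMPLE1", ROLE),
    # same temporary key reused from an attacker-controlled host
    _event("evt-2", "PutObject", "203.0.113.7", "ASIAEXAMPLE1", ROLE),
    # unrelated role, not watched
    _event("evt-3", "GetObject", "198.51.100.4", "ASIAEXAMPLE2", OTHER_ROLE),
]

if __name__ == "__main__":
    for event_id, reasons in flag_events(SAMPLE_EVENTS).items():
        print(event_id, reasons)
```

The access-key reuse check also fires on the legitimate record that shares the key, which is intentional: it gives the responder the session the key was minted for next to the call that abused it. Baseline `ALLOWED_NETWORKS` before enabling the direct-use rule; any legitimate path in which the sandbox calls S3 itself rather than through the service will otherwise show up as a finding.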