
Black Hat USA 2024

August 7, 2024 to August 8, 2024

Visit us in Booth #1732

Black Hat USA is the world's leading information security event, providing attendees with the very latest in research, development and trends. Black Hat USA 2024 opens with four days of technical Trainings followed by the two-day main conference featuring Briefings, Arsenal, Business Hall, and more.

Tenable Speaking Sessions:

Speaker: Sean Jennings
Session Date: Wednesday, August 7th
Session Time: 11:30 AM - 12:20 PM
Session Location: Business Hall Theater C
Session Title: Context Matters: Advancing Toward a Threat-Centric Program
Abstract: The field of vulnerability management has advanced beyond basic CVSS scores to adopt a threat-centric model. Yet, the sheer volume of vulnerabilities and attack surfaces necessitates a deeper contextual understanding through vulnerability intelligence. Join Sean Jennings, Principal Enterprise Security Engineer at Tenable, as he discusses how integrating vulnerability intelligence with external data can help identify and eliminate the next moves of threat actors, enhancing your security posture through strategic exposure response.

Speaker: Liv Matan
Session Date: TBC
Session Time: TBC
Session Location: TBC
Session Title: The GCP Jenga Tower: New Google Cloud 0-days Exploiting Supply Chain Dependencies
Abstract: Cloud security is so complex that even cloud providers get it wrong sometimes - one simple faulty command argument by Google Cloud Platform (GCP) was enough to enable us to find a critical RCE vulnerability (dubbed 'CloudImposer') in GCP customers' workloads and potentially internal production servers, affecting thousands of cloud servers. To further emphasize the point of complexity, I will also reveal a privilege escalation vulnerability we discovered in GCP that stemmed from the deployment of services with dangerous defaults by GCP themselves.

I will start the talk by sharing the thrilling process of discovering the CloudImposer vulnerability, including getting hundreds of DNS requests from internal Google servers, until a PyPI guardrail stopped us.

However, this talk is about more than just a vulnerability. This investigation led to some unique research insights about cloud services:
1. Supply chain vulnerabilities in the cloud are on steroids. Instead of one malicious package affecting one server, one malicious package affects a service that is deployed to millions.
2. Cloud providers build their services like Jenga towers. They use their core services as the foundation of more popular customer-facing offerings. For example, one click to create a Cloud Function service creates resources in six different services. This exposes customers to a larger attack surface and risks.

The next part of the talk will dive deep into the vulnerable GCP Cloud Functions deployment flow. I will showcase the vulnerability I found in this flow and present a simple tool we built, newly available to the community, to find the hidden APIs that are called by the cloud provider when performing an action.

By the end of this talk, the audience will learn the dangers of treating cloud services like a black box - and get the right tools and ideas for looking inside it.

Location: Mandalay Bay Convention Center

