Thunder CTF�Learning Cloud Security on a Dime
Race to the cloud...
… going faster due to COVID
What are the biggest challenges for organizations engaged with public cloud?
Source: Forbes
Justified?
Misconfigured storage buckets
Misconfigured snapshots
Misconfigured databases
Over-provisioned privileges
Exposed login credentials
Exposed API, account, OAuth, ssh keys
Exposed metadata
All of the above?
Criminals and nation-states racing to take advantage
Are we prepared?
CS 495: Web and Cloud Security https://codelabs.cs.pdx.edu/cs495
Cloud security labs available
(AWS)
(AWS)
(AWS)
Thunder CTF
Design
Scenario-based
TTPs
12 Tactics
|
Scaffolded
Extensible
Deployable
Results
Question | Average rating |
Rate the CTF exercises for understanding security issues in the cloud. | 3.94 |
Rate the CTF exercises for developing skills in navigating the cloud. | 3.94 |
Rate the hint system as a mechanism for providing help as needed in solving CTF exercises. | 4.56 |
(spoiler alert)
thunder/a2finance
3. Storage access
4. Git exfiltration
5. Exposed ssh key in repo history
2. Service discovery (compute/storage)
1. Initial permissions
6. Compute account discovery
7. Elevated access to logging
8. Unsanitized error log exfiltrated
Future work
Questions?
Code walkthrough?