Credential compromise in the cloud is not a threat that one company faces, rather it is a widespread concern as more and more companies operate in the cloud. Credential compromise can lead to many different outcomes depending on the motive of the attacker who compromised the credentials. In some cases in the past, it has led to erroneous AWS service usage for bitcoin mining or other non-destructive yet costly abuse, and in others it has led to companies shutting down due to the loss of data and infrastructure.
This paper describes an approach for detection of compromised credentials in AWS without needing to know all IPs in your infrastructure beforehand.
Will Bengtson is senior security engineer at Netflix focused on security operations and tooling. Prior to Netflix, Bengtson led security at a healthcare data analytics startup, consulted across various industries in the private sector, and spent many years in the Department of Defense. Bengtson is on the BSidesSF and Bay Area OWASP leadership team. Bengtson contributes to numerous open source projects and has spoken on topics of security across the world.