When not typing "terraform destroy" and building security tooling that intersects with machine learning, Aimee is pursuing a BS in Cybersecurity. She lives to lift diversity as a former OWASP DevSlop co-host and Women in Cybersecurity and Society of Hispanic Professional Engineers student chapter president.
Tired of using GUIs to provision infrastructure for Game Days and CTFs? This briefing introduces participants to threat emulation at scale, using infrastructure as code (IaC). IaC is a natural partner in offensive attack simulations; with it, organizations can quickly provision and configure sandbox environments to test their code and platform security posture, before someone else does. Learn how to deploy AWS cloud resources using intentionally vulnerable Terraform templates, leveraging code to replicate insecure architectural patterns. Presenters will demonstrate findings from exploiting the latter to launch an Ethereum cryptominer with CloudFormation. From credential access to impact, this offensive attack simulation will take participants through the MITRE ATT&CK Enterprise Cloud Matrix. Finally, discover open-source tooling to audit and threat model codified deployments and implement secure infrastructure development best practices to mitigate risk with policy-as-code.