Technical Team Lead
Jordan is an ethical hacker in the making, existing at the intersection of software engineering and security. She currently builds CTFs with the Bay Area Cyber League.
Tired of using GUIs to provision infrastructure for Game Days and CTFs? This briefing introduces participants to threat emulation at scale, using infrastructure as code (IaC). IaC is a natural partner in offensive attack simulations; with it, organizations can quickly provision and configure sandbox environments to test their code and platform security posture, before someone else does. Learn how to deploy AWS cloud resources using intentionally vulnerable Terraform templates, leveraging code to replicate insecure architectural patterns. Presenters will demonstrate findings from exploiting the latter to launch an Ethereum cryptominer with CloudFormation. From credential access to impact, this offensive attack simulation will take participants through the MITRE ATT&CK Enterprise Cloud Matrix. Finally, discover open source tooling to audit and threat model codified deployments and implement secure infrastructure development best practices to mitigate risk with policy-as-code.
Crypto CTF
Let's be real. Cryptography is not an approachable field. “Cryptographic Failures” takes the #2 spot on OWASP Top 10:2021, and for good reason. Factoring large primes and calculating modular inverses is dizzying. What is base64, anyway? This session gently introduces participants to foundations of classic and modern cryptography through a CTF-style adventure. This session assumes no prior knowledge of cryptography.