Hackfest 2023 - Back to the Future

Amir Gharib

Amir Gharib is a senior security researcher at Microsoft. His main responsibility is to improve Microsoft's detection capabilities across different workloads by researching novel attacks and detection mechanisms. As part of his role, he leverages events and signals from a variety of workloads and products to develop high-fidelity detections that can be used to disrupt attacks automatically. In the past, he was a technical manager at PwC performing incident response, threat hunting, and detection engineering. Before that, he worked on IBM QRadar, developing UEBA (user and entity behaviour analytics) solutions. He currently holds the GCFA certification and a Master of Computer Science (MCS) degree specialized in cybersecurity. He has published and presented at several international conferences and journals, and his publications have received more than 600 citations in recent years. Outside of work, he enjoys spending time with his family (plus his dog) and friends. He is currently training toward his private pilot licence (PPL).


Which country are you from? – Canada

Talks

Cryptojacking: Defending against cloud compute resource abuse

As cloud computing evolves, adversaries take advantage of new attack surfaces and services. Threat actors are running sophisticated campaigns that consume millions of dollars of cloud compute in compromised tenants and subscriptions while avoiding detection. Microsoft's research shows that targeted organizations have faced more than $300,000 in compute fees from cryptojacking attacks.

In this talk, we will explore the attacker behaviours we observed in numerous incidents across many organizations. We will dissect the inner workings of cloud attacks such as cryptojacking and resource abuse, walking through the key TTPs (Tactics, Techniques, and Procedures) from the Initial Access stage to the Impact stage. We will also cover several ways threat actors abuse and hijack subscriptions that are forensically disruptive, i.e. that hinder later investigation. By analyzing the footprints and logs these actions leave behind, we will provide insights that blue teamers can use to detect and counter these attacks at an early stage.