CypherCon 2023

How The Sausage is REALLY Made: CloudOps for Red Teamers

John Ventura


This introductory talk will include discussions of real world CloudOps tools and techniques that are commonly applied across industries as well as the security implications brought about by widespread patterns of use and mis-use. If you are going to target other people’s environments professionally (or for any reason), it really helps to know how they are built. Learning current CloudOps and/or DevOps methodologies and design patterns lets you get inside the heads of people who build these systems, find the common mistakes, and understand how to exploit them.  Attendees will get an introduction to generalized design patterns that they can use to target other people’s infrastructures or even build their own. This talk will focus on cloud based infrastructure and how people in the real world build complicated systems that are not only resilient but scale to meet the needs of even the largest businesses. Members of red teams can not only use this insight to focus their attacks, they can also develop a better intuition for the common and very exploitable mistakes that developers make all the time. Professional red teams can also apply these practices to automate their own methodologies. In addition to exploitation, security professionals can learn to build portable and highly disposable environments to serve as the back-end for a phishing campaign, test out new attack techniques, and much more.

Importance: This talk is intended to plug some widespread knowledge gaps in our industry.  More specifically, several people talk about “shifting left”, but this talk shows the attendees how to actually do it in a tangible way. We created example environments in two different clouds (AWS and GCP), and we show the audience how we did it, why we made needed design choices, and how they can do it too. Many (maybe most) penetration testers do not really have a clear idea about how infrastructure is or even should be created and maintained. This talk introduces them to best practices and shows them how to exploit common CloudOps mistakes. Providing that insight would not only make them better at understanding and therefore compromising cloud based environments, it would also help them support their own practices with their own infrastructure (pen test labs, experimental environments, hosted CTFs, etc).

John Ventura


John Ventura is a security researcher and penetration tester working for ServiceNow, where he strives to improve the organization’s security posture through active testing and exploration of new security methodologies. Throughout his career, he has worked across multiple computer security fields, including forensics, network penetration testing, and web application security for a diverse set of organizations. He has had the privilege of speaking at various security conferences, including Black Hat, and SecTor, and GrrCon.