Dirk-jan Mollema Security Researcher, Outsider Security
Dirk-jan Mollema is a security researcher focusing on Active Directory and Microsoft Entra (Azure AD) security. In 2022 he started his own company, Outsider Security, where he performs penetration tests and reviews of enterprise networks and cloud environments. He blogs at dirkjanm.io, where he publishes his research and shares updates on the many open source security tools he has written over the years. He has previously presented at TROOPERS, DEF CON, Black Hat and BlueHat, is a current Microsoft MVP, and has been named one of Microsoft’s Most Valuable Researchers multiple times.
Talk: Researchers vs. Threat Actors in Cloud Attacks
Talks will be streamed on YouTube and Twitch for free.
Security researchers push the boundaries of what’s possible. (Nation-state) threat actors push the boundaries of what’s exploitable. In many cases, threat actors adopt public research for their operations, but there are also many examples where threat actors use novel techniques to compromise cloud environments before researchers publish their findings.
In this talk, a cloud security researcher and a threat intelligence analyst team up to explore how cutting-edge cloud attack research is rapidly weaponized by espionage threat groups. We’ll walk through real-world examples where newly published techniques – intended to educate defenders – were adopted and operationalized by nation-state actors targeting cloud environments. The focus of the talk will be on Entra ID and Microsoft 365 attacks, exploring the technical mechanics behind the tools and techniques, why threat actors are interested in using them, and real-world examples of research adoption. Techniques covered include device code phishing, authorization code phishing (ConsentFix) and the adoption of open source security tools.
This session highlights how attack paths that may seem highly theoretical at first glance can pose a significant and immediate threat to organizations operating in the cloud. What starts as a proof-of-concept in a blog post can quickly become part of a threat actor’s playbook.