Amazon Web Services (AWS) offers many architecture features which improve application performance and make it easier to deploy applications. This talk will look at two AWS architecture features which can be abused to hide C2 traffic and compromise application code and infrastructure. We will also discuss these features from a “prevent, detect, respond” perspective with a special emphasis on detection and response actions for SOC/IR teams.

Ryan is an analyst on the security incident response team of a Fortune 100 global company. His focus areas include cloud threat detection/response and network intrusion detection. Ryan has a decade of experience in IT, with nearly five years as a CSIRT analyst, and holds several GIAC certifications including: Incident Handling (GCIH), Web Application Penetration Testing (GWAPT), Intrusion Analyst (GCIA), and Continuous/Network Security Monitoring (GMON).