

Nader Zaveri
Senior Manager - Incident Response & Remediation for Mandiant/Google
Houston, Texas, United States
Nader Zaveri has over 15 years of experience in IT security, infrastructure, and risk management. Nader holds over a dozen industry-related certifications, has authored several blogs/books, and has presented at dozens of conferences, panel talks, webinars, and other industry-specific events.
Nader has led hundreds of incident response and remediation investigations related to on-prem or cloud-based incidents. He has helped investigate and understand the storyline of the attack for the most elusive threat actors such as nation-states.
He leads the remediation efforts by providing strategic short-, medium-, and long-term recommendations to directors and C-level executives, as well as offering tactical recommendations to specialists to enhance the security posture of the organization. Nader also has experience with leading transformational projects over infrastructure and processes with technical and organizational change components in response to rapidly evolving business needs and regulatory requirements.
Prior to joining Mandiant, Nader Zaveri spent several years in leadership positions at major cyber security consulting firms. Before joining consulting, Nader worked as a lead practitioner for multi-national organizations.
When Nader is not working, he is helping and mentoring young professionals with their entry into the workforce and Cyber Security. Nader juggles about 5-10 mentees at a time to help them navigate their studies and career paths.
Nader has also served on the boards of several startups, gaining valuable experience in strategic decision-making and governance. Notably, Nader has held an Advisory Board position with a firm that was eventually acquired, demonstrating his ability to contribute to their growth and success during his tenure.
Old Services, New Tricks: Cloud Metadata Abuse by Threat Actors
Mandiant identified exploitation of public-facing web applications by threat actors (UNC2903) to harvest and abuse credentials using Amazon’s Instance Metadata Service (IMDS). Although the threat actor specifically targeted Amazon Web Services (AWS) environments, many other cloud platforms offer similar metadata services that could be at risk of similar attacks. Related threat actor motives and operations are gaining prominence as enterprises continue their migration to cloud hosting services. Mandiant has tracked attempts by the threat actors to access S3 buckets and additional cloud resources using the stolen credentials.
This presentation covers how threat actors performed the exploitation and IMDS abuse, as well as related security hardening guidance on how to detect, remediate, and prevent this type of instance metadata abuse in an organization’s environment. As part of this presentation, we will walk through a demo of the web application that was abused and show how easy it is to obtain credentials if the organization is using the legacy version of IMDS. We will then show how, by performing the remediation techniques mentioned in the presentation, the organization will be able to block such credential harvesting methods via the instance metadata service.
I. Introduction
II. Overview of Instance Metadata Service (AWS, Azure, and Google Cloud)
III. Threat Landscape for Cloud Metadata
IV. Timeline of the Attack
V. Mandiant Intelligence Findings (Attribution, Scanning Activity, and User Agent Strings)
VI. Demo of Technique Utilized by the Threat Actor
VII. Detecting, Remediating, and Preventing Instance Metadata Abuse
