From Admin by Design to Breach by Default: An Offensive Kill Chain for Cloud & AI Machine Identities
From an attacker's perspective, non-human identities (NHIs) are ideal targets: long-lived credentials, excessive permissions, minimal monitoring, and behavior that blends perfectly into normal operations. Once compromised, they provide silent, scalable access with no malware, no exploits, and no social engineering.
This talk approaches NHIs from the offensive side first, modeling machine identity abuse as a cloud-native intrusion kill chain mapped to MITRE ATT&CK for Cloud and Containers. We walk through how attackers discover machine identities, steal credentials via metadata services, CI/CD pipelines, Kubernetes workloads, and AI agents, then escalate privileges by abusing trust relationships and automation rather than vulnerabilities.
Using live demonstrations built with open-source tooling (Wazuh, cloud APIs, Python automation), the session shows how compromised service accounts and AI agents are weaponized for persistence, data exfiltration, and cross-cloud movement... often without triggering traditional IAM or SOC alerts. Defensive controls are introduced only after the attack paths are fully demonstrated, positioning Identity Security Fabric (ISF) as a systemic response rather than a policy exercise.