SEC-T - 0x10sion

10-13th of September 2024

Securing public cloud infrastructure

This training focuses on elevating your threat detection, investigations, and response knowledge into the cloud. This hands-on training with CTF-style exercises simulates real-life attack scenarios on cloud infrastructure & applications. It then teaches you to build defensive guard rails against such attacks by using cloud native services on AWS. This makes it an ideal class for red & blue teams.


By the end of this training, we will be able to:

* Use cloud technologies to detect IAM attacks.

* Understand and mitigate cloud native pivoting and privilege escalation and defense techniques.

* Use serverless functions to perform on-demand threat scans.

* containers to deploy threat detection services at scale.

* build notification services to create alerts

* analyze malware-infected virtual machines to perform automated forensic investigations and artifacts collection.

* Use Elasticsearch and Athena for building SIEM and security data-lake for real-time threat intelligence and monitoring.


**Day 1:**




– Introduction to cloud services

– Basic terminologies: IAM, VPC, AMI, serverless, ARNs etc.

– Understanding cloud deployment architecture.

– Introduction to Logging services in cloud.

– Introduction to shared responsibility model.  

– Setting up your free tier account.

– Setting up AWS command-line interface.

– Understanding Cloud attack surfaces.


 *Detecting and monitoring against IAM attacks.*


   – Identity & Access management crash course.

   – Policy enumeration from an attacker’s & defender’s perspective.

    – Detecting and responding to user account brute force attempts.

    – Building anomaly detection using CloudWatch events.

– Building controls against privilege escalation and access permission flaws.

– Attacking and defending against user role enumeration.

– Brute force attack detection using cloudTrail.

– Automated notification for alarms and alerts.

– Exercise on detecting IAM attacks in a simulated environment containing web application compromise and lateral movement.  


  *Malware detection and investigation on/for cloud infrastructure*


– Quick Introduction to cloud infrastructure security.

– Building clamAV based static scanner for S3 buckets using AWS lambda.

– Integrating serverless scanning of S3 buckets with yara engine.

– Building signature update pipelines using static storage buckets to detect recent threats.

– Malware alert notification through SNS and slack channel.

– Adding advanced context to slack notification for quick remediation.  

– Exercise on simulating a malware infection in AWS and building an automated detection & alerting system.



**Day 2:**


*Threat Response & Intelligence analysis techniques on/for Cloud infrastructure*


– Integrating playbooks for threat feed ingestion and Virustotal lookups.

– Building a SIEM-like service for advance alerting and threat intelligence gathering using Elasticsearch.

– Creating a Security datalake for advance analytics and intelligence search.

– Building dashboards and queries for real-time monitoring and analytics.

– CTF exercise to correlate multiple logs to determine the source of infection.


*Network Security & monitoring for Cloud Infrastructure*


    – Understanding Network flow in cloud environment.

    – Quick introduction to VPC, subnets and security groups.

    – Using VPC flow logs to discover network threats.

    – VPC traffic mirroring to detect malware command & Control.


*Forensic Acquisition, analysis and intelligence gathering of cloud AMI’s.*


– Analysis of an infected VM instance.

– Building an IR ‘flight simulator’ in the cloud.

– Creating a step function rulebook for instance isolation and volume snapshots.

– lambda functions to perform instance isolation and status alerts.

– Building forensic analysis playbook to extract key artifacts, run volatility and build case tracking.

– Automated timeline generation and memory dump.

– Storing the artifacts to S3 bucket.

– On-demand execution of Sleuthkit instance for detailed forensic analysis.

– Enforcing security measures and policies to avoid instance compromise.