May 7th, 2022
This training focuses on elevating your threat detection, investigations, and response knowledge into the cloud. This hands-on training with CTF-style exercises simulates real-life attack scenarios on cloud infrastructure & applications. It then teaches you to build defensive guard rails against such attacks by using cloud native services on AWS. This makes it an ideal class for red & blue teams.
By the end of this training, we will be able to:
* Use cloud technologies to detect IAM attacks.
* Understand and mitigate cloud native pivoting and privilege escalation and defense techniques.
* Use serverless functions to perform on-demand threat scans.
* containers to deploy threat detection services at scale.
* build notification services to create alerts
* analyze malware-infected virtual machines to perform automated forensic investigations and artifacts collection.
* Use Elasticsearch and Athena for building SIEM and security data-lake for real-time threat intelligence and monitoring.
**Day 1:**
*Introduction*
– Introduction to cloud services
– Basic terminologies: IAM, VPC, AMI, serverless, ARNs etc.
– Understanding cloud deployment architecture.
– Introduction to Logging services in cloud.
– Introduction to shared responsibility model.
– Setting up your free tier account.
– Setting up AWS command-line interface.
– Understanding Cloud attack surfaces.
*Detecting and monitoring against IAM attacks.*
– Identity & Access management crash course.
– Policy enumeration from an attacker’s & defender’s perspective.
– Detecting and responding to user account brute force attempts.
– Building anomaly detection using CloudWatch events.
– Building controls against privilege escalation and access permission flaws.
– Attacking and defending against user role enumeration.
– Brute force attack detection using cloudTrail.
– Automated notification for alarms and alerts.
– Exercise on detecting IAM attacks in a simulated environment containing web application compromise and lateral movement.
*Malware detection and investigation on/for cloud infrastructure*
– Quick Introduction to cloud infrastructure security.
– Building clamAV based static scanner for S3 buckets using AWS lambda.
– Integrating serverless scanning of S3 buckets with yara engine.
– Building signature update pipelines using static storage buckets to detect recent threats.
– Malware alert notification through SNS and slack channel.
– Adding advanced context to slack notification for quick remediation.
– Exercise on simulating a malware infection in AWS and building an automated detection & alerting system.
**Day 2:**
*Threat Response & Intelligence analysis techniques on/for Cloud infrastructure*
– Integrating playbooks for threat feed ingestion and Virustotal lookups.
– Building a SIEM-like service for advance alerting and threat intelligence gathering using Elasticsearch.
– Creating a Security datalake for advance analytics and intelligence search.
– Building dashboards and queries for real-time monitoring and analytics.
– CTF exercise to correlate multiple logs to determine the source of infection.
*Network Security & monitoring for Cloud Infrastructure*
– Understanding Network flow in cloud environment.
– Quick introduction to VPC, subnets and security groups.
– Using VPC flow logs to discover network threats.
– VPC traffic mirroring to detect malware command & Control.
*Forensic Acquisition, analysis and intelligence gathering of cloud AMI’s.*
– Analysis of an infected VM instance.
– Building an IR ‘flight simulator’ in the cloud.
– Creating a step function rulebook for instance isolation and volume snapshots.
– lambda functions to perform instance isolation and status alerts.
– Building forensic analysis playbook to extract key artifacts, run volatility and build case tracking.
– Automated timeline generation and memory dump.
– Storing the artifacts to S3 bucket.
– On-demand execution of Sleuthkit instance for detailed forensic analysis.
– Enforcing security measures and policies to avoid instance compromise.
