Class mode: VIRTUAL LIVE STREAM
DATE: 26-28 October 2020
TIME: 9:00 to 18:00 EST
Malware analysis, threat intelligence, and forensic investigation play a critical role in large-scale incident response teams. Traditional analysis tools and deployment methods are not built to support multiple security teams separated geographically. In addition, cloud-based workloads require extra monitoring, which poses another challenge. This workshop addresses both problems by building scalable and automated services that perform investigation, reporting and alerting directly on native cloud services.
The workshop will begin by covering public cloud infrastructure such as AWS, Azure, and GCP. In this introductory phase we build a technical and architectural understanding of the cloud and its services. We then dive into identity and access management (IAM) based attack and defense scenarios, alongside running security assessments and automated tests against the entire infrastructure.
The second phase of the workshop covers hands-on tool building for static file scanning with the ClamAV and YARA engines running in Lambda functions. Exercises cover integrating further features into the service, such as hash lookup, file-type determination and automated signature updates through S3 buckets.
The third phase of the workshop deals with deploying container services to run malware feature extraction and heuristic detection at scale. Using real-life scenarios, we build an alerting and notification service with SNS and Slack. This service integrates with Lambda functions and WebSockets to notify users when an infection is found. The next exercise of this phase focuses on building automated response and investigation using object tags and CloudWatch events.
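The two phases above describe one pipeline: an S3 upload triggers a Lambda function that hashes the object, looks the hash up, identifies the file type, runs the scan engines, tags the object for automated remediation and raises an SNS/Slack alert. The following is an added illustration of that control flow and is not the workshop's own code. The scan engine (`marker_engine`), the hash blocklist, the sample files and the bucket contents are all constructed for the example; in the real service the engine call is where ClamAV or YARA would run, and `fetch_object`, `publish_alert` and `tag_object` would wrap the S3 and SNS clients. Everything here runs offline.

```python
import hashlib
import json
import urllib.parse
from typing import Callable, Dict, List, Tuple

# --- constructed sample data (not real malware, built for this example) ----
SAMPLE_BAD = b"MZ\x90\x00" + b"DEMO-MALWARE-MARKER" + b"\x00" * 32
SAMPLE_CLEAN = b"%PDF-1.4\n% harmless constructed document\n"
SAMPLE_BLOCKLISTED = b"\x7fELF\x02\x01\x01" + b"\x00" * 40

# Constructed hash blocklist, standing in for a threat feed or VirusTotal lookup.
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE_BLOCKLISTED).hexdigest()}

# Magic-byte table used for cheap file-type determination before scanning.
MAGIC = [(b"MZ", "pe"), (b"\x7fELF", "elf"), (b"%PDF", "pdf"),
         (b"PK\x03\x04", "zip"), (b"#!", "script")]

Engine = Callable[[bytes], List[str]]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def identify_file_type(data: bytes) -> str:
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    return "unknown"


def marker_engine(data: bytes) -> List[str]:
    """Constructed stand-in for a ClamAV/YARA call; returns hypothetical detection names."""
    return ["Demo.Marker"] if b"DEMO-MALWARE-MARKER" in data else []


def scan_object(key: str, data: bytes, engines=(marker_engine,),
                blocklist=KNOWN_BAD_SHA256) -> Dict:
    digest = sha256_hex(data)
    result = {"key": key, "size": len(data), "sha256": digest,
              "file_type": identify_file_type(data),
              "hash_match": digest in blocklist, "detections": [], "engines_run": False}
    if result["hash_match"]:
        result["detections"].append("hash-blocklist")
    else:
        # Only pay for the expensive engine scan when the cheap hash lookup misses.
        result["engines_run"] = True
        for engine in engines:
            result["detections"].extend(engine(data))
    result["verdict"] = "malicious" if result["detections"] else "clean"
    return result


def parse_s3_event(event: Dict) -> List[Tuple[str, str]]:
    pairs = []
    for rec in event.get("Records", []):
        s3 = rec["s3"]
        # S3 delivers object keys URL-encoded: "up date.exe" arrives as "up+date.exe".
        key = urllib.parse.unquote_plus(s3["object"]["key"])
        pairs.append((s3["bucket"]["name"], key))
    return pairs


def remediation_tags(verdict: Dict) -> List[Dict[str, str]]:
    """Tag set in put_object_tagging shape; a tag-driven event rule can quarantine on it."""
    return [{"Key": "scan-status", "Value": verdict["verdict"]},
            {"Key": "scan-sha256", "Value": verdict["sha256"]}]


def build_alert(bucket: str, verdict: Dict) -> Dict[str, str]:
    """Subject/message pair for SNS; the message doubles as the Slack text."""
    lines = [f"*Malware detected in s3://{bucket}/{verdict['key']}*",
             f"type: {verdict['file_type']}  size: {verdict['size']} bytes",
             f"sha256: {verdict['sha256']}",
             "detections: " + ", ".join(verdict["detections"]),
             "action: object tagged scan-status=malicious for automated quarantine"]
    return {"subject": f"[scanner] {verdict['key']}", "message": "\n".join(lines)}


def lambda_handler(event, context, fetch_object, publish_alert, tag_object) -> List[Dict]:
    """Handler body; the three callables are hypothetical wrappers around S3/SNS clients."""
    results = []
    for bucket, key in parse_s3_event(event):
        verdict = scan_object(key, fetch_object(bucket, key))
        tag_object(bucket, key, remediation_tags(verdict))
        if verdict["verdict"] == "malicious":
            publish_alert(build_alert(bucket, verdict))
        results.append(verdict)
    return results


def demo() -> List[Dict]:
    """Run the handler against a constructed in-memory bucket; no AWS access needed."""
    bucket = {"invoice.pdf": SAMPLE_CLEAN, "tools/up date.exe": SAMPLE_BAD,
              "bin/agent": SAMPLE_BLOCKLISTED}
    alerts, tags = [], {}
    event = {"Records": [{"s3": {"bucket": {"name": "uploads"},
                                 "object": {"key": urllib.parse.quote_plus(k)}}}
                         for k in bucket]}
    return lambda_handler(event, None, lambda b, k: bucket[k], alerts.append,
                          lambda b, k, t: tags.__setitem__(k, t))


if __name__ == "__main__":
    for r in demo():
        print(json.dumps(r, indent=2))
```

Two details matter in practice: object keys in S3 event records are URL-encoded, so a handler that skips `unquote_plus` will fail to fetch any key containing spaces or special characters, and the hash lookup runs before the engines so that objects already known from a feed never consume engine time.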
In the fourth phase of the workshop, we learn to build real-time dashboards using Amazon Athena and the ELK stack, and to write queries that derive rich intelligence from the collected data.
The final phase of the workshop focuses on forensic investigations. It begins with automated forensic artifact collection in Lambda functions, then integrates it with automated analysis such as timeline building and process memory dumping. We learn to build an investigation playbook with Step Functions that automates most of the investigation and reporting process.
Why should you take this course?
This is a unique course that runs on the cloud and is for the cloud. It not only trains individuals in cloud terminology but also enables them to build a scalable defense for their services running in the public cloud. The workshop focuses explicitly on incident response, malware investigation and forensic analysis of cloud applications, which is still a little-known domain in the market. This class is recommended for:
- Incident responders and analysts
- Malware investigators and analysts
- Threat intelligence analysts and responders
- Red team members
- Blue team and purple team members
- Cloud security teams
Key Learning Objectives
- Using serverless functions, containers and event notifiers to build your own incident response pipeline
- Building real-time dashboards for threat tracking and intelligence gathering
- Building advanced automated pipelines for forensic investigations, artifact storage, and malware feature extractors
- Integrating and utilizing open source services and tools such as AWS_IR, Scout, Cloud Custodian, VirusTotal lookups, Volatility and YARA, among others
Prerequisites
- Basic understanding of cloud services
- System administration and the Linux command line
- Ability to write basic programs in Python
What Students Will Be Provided With
- PDF version of the slides
- Complete course guide in PDF, containing step-by-step guidelines for all exercises and labs and detailed explanations of the concepts discussed during the training
- Access to a GitHub account for the custom-built source code and tools
- Automation scripts
- Collection of malware samples, forensic images, YARA rules and CloudWatch rules
Hardware / Software Requirements
A free-tier AWS account
DAY 1: Introduction
– Introduction to cloud services
– Basic terminology: IAM, VPC, AMI, serverless, ARNs, etc.
– Understanding cloud deployment architecture.
– Introduction to logging services in the cloud.
– Introduction to the shared responsibility model.
– Setting up your free-tier account.
– Setting up the AWS command-line interface.
– Understanding cloud attack surfaces.
Detecting and monitoring IAM attacks
– Identity and access management crash course.
– Policy enumeration from an attacker's and a defender's perspective.
– Detecting and responding to user account brute-force attempts.
– Building anomaly detection using CloudWatch events.
– Detecting privilege escalation and access permission flaws using aws_escalate.
– Attacking and defending against user role enumeration.
– Brute-force attack detection using CloudTrail.
– PagerDuty notifications for alarms and alerts.
Malware detection and investigation on/for cloud infrastructure
– Quick introduction to static and dynamic malware analysis.
– Building a ClamAV-based static scanner for S3 buckets using AWS Lambda.
– Integrating serverless scanning of S3 buckets with the YARA engine.
– Building signature update pipelines from static storage buckets to detect recent threats.
– Malware alert notification through SNS and a Slack channel.
– Adding advanced context to Slack notifications for quick remediation.
DAY 2: Threat Response & Intelligence Analysis Techniques on/for Cloud Infrastructure
– Auto-remediation of malware files through event notifiers and object tags.
– Building a highly scalable heuristic feature extractor using Docker containers.
– Optimizing the workload with malware file-type identification and hash calculation.
– Integrating playbooks for threat feed ingestion and VirusTotal lookups.
– Advanced alerting and threat intelligence gathering using AWS Elasticsearch and Athena.
– Building dashboards and queries for real-time monitoring and analytics.
– Advanced dynamic analysis using Cuckoo Sandbox on an AWS EC2 instance, with DynamoDB.
Network Security & monitoring for Cloud Infrastructure
– Understanding network flow in a cloud environment.
– Quick introduction to VPCs, subnets and security groups.
– Using VPC flow logs to discover network threats.
– VPC traffic mirroring to detect malware command and control.
– Integrating Snort and Zeek for real-time threat detection.
– Building GuardDuty notifiers for real-time alerting.
DAY 3: Forensic Acquisition, Analysis and Intelligence Gathering of Cloud AMIs
– Analysis of an infected EC2 instance.
– Building an IR 'flight simulator' in the cloud.
– Creating a Step Functions rulebook for instance isolation and volume snapshots.
– Lambda functions to perform instance isolation and status alerts.
– Building a forensic analysis playbook to extract key artifacts, run Volatility and build case tracking.
– Automated timeline generation and memory dumps.
– Storing the artifacts in an S3 bucket.
– On-demand execution of a Sleuth Kit instance for detailed forensic analysis.
– Enforcing security measures and policies to avoid instance compromise.
Security Assessment Automation for Cloud Infrastructure
– Introduction to cloud infrastructure security assessment.
– Using Scout for automated security assessment.
– Analyzing the report and plugging the holes.