This hands-on CTF-style training focuses on elevating your security knowledge into the cloud. Learn to defend your public cloud infrastructure by building automated detection, alerting and response pipelines for your public cloud workloads by using native cloud services. This training focuses on building security knowledge on the cloud and for the cloud.
|09:00-17:00 SGT/GMT +8
|09:00-17:00 SGT/GMT +8
Breach investigations, Malware analysis, threat intelligence, and forensic investigation plays a critical role in large scale incident response teams. Traditional analysis tools and deployment methods are not built to support multiple security teams separated geographically. Also, cloud-based workloads require additional monitoring which poses another challenge. This training tries to solve the two problems by building scalable and automated services to perform investigations, reporting and alerting for cloud workloads by directly using native cloud services.
The training will begin by covering technical and architectural understanding of the cloud and its services in the introductory phase. We will then dive into the Identity and access management based attack and defense scenarios. The lesson will follow through by deploying attack templates to replicate real-life IAM attack scenarios and countermeasures required to implement Principle of Least privilege.
The second phase of the training will cover cloud infrastructure security. Beginning from building alerting services for common attack scenarios like brute force and account takeover. Then we focus on persistence techniques used by attackers to pivot into the cloud environment and how to defend against such attacks. By using attack templates, we will simulate use-cases like token hijacking and trail deletion, with emphasis on building defensive measures by using cloud native technologies at scale.
The next part of cloud infrastructure security will involve hands-on tool building for automated malware detection by utilizing lambda functions. We will cover CTF exercises on detecting malware at scale across the cloud infrastructure along with integrating additional features like file-type determination and automated signature update through object stores.
In the third phase, we will dive deeper into security monitoring. We will focus on building a SIEM-like detection and alerting capability by deploying Elasticsearch stack and through Slack web-hooks. We will also enhance the capability by building a Security data lake. This would enable large scale security teams to perform threat intelligence and correlation on historic security data.
The fourth phase of the training will focus on forensic investigations. We will learn to build investigation playbooks using step functions to automate the investigation and reporting process. Examples include automated forensic artifact collection by utilizing lambda functions, automated analysis, building timeline, dumping process memory & alerting through Slack or SNS.
In summary, this training focuses on elevating your threat detection, investigations, and response knowledge into the cloud. This hands-on training with CTF-style exercises simulates real-life attack scenarios on cloud infrastructure & applications. It then teaches you to build defensive guard rails against such attacks by using cloud native services on AWS. This makes it an ideal class for red & blue teams.
By the end of this training, we will be able to:
- Introduction to cloud services - Basic terminologies: IAM, VPC, AMI, serverless, ARNs etc. - Understanding cloud deployment architecture. - Introduction to Logging services in cloud. - Introduction to shared responsibility model. - Setting up your free tier account. - Setting up AWS command-line interface. - Understanding Cloud attack surfaces.
- Identity & Access management crash course. - Policy enumeration from an attacker's & defender's perspective. - Detecting and responding to user account brute force attempts. - Building anomaly detection using CloudWatch events. - Building controls against privilege escalation and access permission flaws. - Attacking and defending against user role enumeration. - Brute force attack detection using cloudTrail. - Automated notification for alarms and alerts. - Exercise on detecting IAM attacks in a simulated environment containing web application compromise and lateral movement.
- Quick Introduction to cloud infrastructure security. - Building clamAV based static scanner for S3 buckets using AWS lambda. - Integrating serverless scanning of S3 buckets with yara engine. - Building signature update pipelines using static storage buckets to detect recent threats. - Malware alert notification through SNS and slack channel. - Adding advanced context to slack notification for quick remediation. - Exercise on simulating a malware infection in AWS and building an automated detection & alerting system.
- Integrating playbooks for threat feed ingestion and Virustotal lookups. - Building a SIEM-like service for advance alerting and threat intelligence gathering using Elasticsearch. - Creating a Security datalake for advance analytics and intelligence search. - Building dashboards and queries for real-time monitoring and analytics. - CTF exercise to correlate multiple logs to determine the source of infection.
- Understanding Network flow in cloud environment. - Quick introduction to VPC, subnets and security groups. - Using VPC flow logs to discover network threats. - VPC traffic mirroring to detect malware command & Control.
- Analysis of an infected VM instance. - Building an IR 'flight simulator' in the cloud. - Creating a step function rulebook for instance isolation and volume snapshots. - lambda functions to perform instance isolation and status alerts. - Building forensic analysis playbook to extract key artifacts, run volatility and build case tracking. - Automated timeline generation and memory dump. - Storing the artifacts to S3 bucket. - On-demand execution of Sleuthkit instance for detailed forensic analysis. - Enforcing security measures and policies to avoid instance compromise.