This hands-on training focuses on extending your incident response, malware analysis and forensic investigation skills to the cloud. Learn to defend your public cloud infrastructure by building automated detection and response pipelines from serverless functions, playbooks and containers.
The workshop will begin by covering public cloud infrastructure such as AWS, Azure and GCP. In this introductory phase we will build a technical and architectural understanding of the cloud and its services. We will then dive into Identity and Access Management (IAM) attack and defense scenarios, and run security assessments and automated tests against the entire infrastructure.
The second phase of the workshop covers hands-on tool building for static file scanning with the ClamAV and YARA engines running in Lambda functions. We will work through exercises that add features to the service: hash lookup, file-type determination and automated signature updates delivered through S3 buckets.
The third phase of the workshop deals with deploying container services to run malware feature extraction and heuristic detection at scale. Using real-life scenarios, we will build an alerting and notification service with SNS and Slack. This service integrates with Lambda functions and WebSockets to notify users when an infection is found. The next exercise of this phase focuses on building automated response and investigation using object tags and CloudWatch Events.
In the fourth phase of the workshop, we will learn to build real-time dashboards using Amazon Athena and the ELK stack, and to write queries that derive rich intelligence from the collected data.
The final phase of the workshop focuses on forensic investigations. It begins with automated forensic artifact collection using Lambda functions, then adds automated analysis such as timeline building and process memory dumps. We will learn to build an investigation playbook using Step Functions to automate most of the investigation and reporting process.
- Introduction to cloud services
- Basic terminology: IAM, VPC, AMI, serverless, ARNs, etc.
- Understanding cloud deployment architecture
- Introduction to logging services in the cloud
- Introduction to the shared responsibility model
- Setting up your free-tier account
- Setting up the AWS command-line interface
- Understanding cloud attack surfaces
- Identity & Access Management crash course
- Policy enumeration from an attacker's and a defender's perspective
- Detecting and responding to user-account brute-force attempts
- Building anomaly detection using CloudWatch Events
- Detecting privilege escalation and access-permission flaws using aws_escalate
- Attacking and defending against user-role enumeration
- Brute-force attack detection using CloudTrail
- PagerDuty notification for alarms and alerts
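The brute-force detection item above can be reduced to a sliding window over CloudTrail `ConsoleLogin` records. The block below is an added example, not course material or code from any AWS tool: the CloudTrail field names (`eventName`, `sourceIPAddress`, `responseElements.ConsoleLogin`, `userIdentity.userName`) are the real ones, while the events, thresholds, IPs and user names are constructed for the demo. It also flags the password-spray tell that a plain failure count misses: a success from an IP that has just produced a run of failures.

```python
"""Console-login brute-force detection over CloudTrail records.

Added example, not part of the course material. The CloudTrail field names are
the real ones; the events below are constructed sample data, not real logs.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 5          # failures from one source IP inside WINDOW -> alert
SUCCESS_AFTER_FAILURES = 3     # a success preceded by this many failures -> alert
WINDOW = timedelta(minutes=10)


def _login(ts, ip, user, outcome):
    """Build a minimal ConsoleLogin record (constructed sample data)."""
    return {"eventTime": ts, "eventName": "ConsoleLogin", "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "userName": user},
            "responseElements": {"ConsoleLogin": outcome}}


SAMPLE_EVENTS = [
    _login("2024-01-10T09:00:00Z", "203.0.113.7", "alice", "Failure"),
    _login("2024-01-10T09:00:30Z", "203.0.113.7", "bob", "Failure"),
    _login("2024-01-10T09:01:00Z", "198.51.100.2", "dave", "Failure"),    # one typo, benign
    _login("2024-01-10T09:01:15Z", "203.0.113.7", "carol", "Failure"),
    {"eventTime": "2024-01-10T09:01:30Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "10.0.0.5", "userIdentity": {"userName": "ci"}},  # not a login, ignored
    _login("2024-01-10T09:02:00Z", "203.0.113.7", "alice", "Failure"),
    _login("2024-01-10T09:02:40Z", "203.0.113.7", "bob", "Failure"),      # 5th failure -> alert
    _login("2024-01-10T09:03:10Z", "203.0.113.7", "carol", "Failure"),
    _login("2024-01-10T09:04:00Z", "203.0.113.7", "carol", "Success"),    # spray hit -> alert
    _login("2024-01-10T09:30:00Z", "198.51.100.2", "dave", "Success"),    # old failure expired
]


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_console_bruteforce(events, threshold=FAILURE_THRESHOLD,
                              window=WINDOW, success_after=SUCCESS_AFTER_FAILURES):
    """Sliding-window count of failed ConsoleLogin events per source IP.

    Emits one 'bruteforce' alert per IP that crosses the threshold, and a
    'success_after_failures' alert when a success follows recent failures
    from the same IP.
    """
    failures = defaultdict(deque)   # ip -> deque of (timestamp, user) inside the window
    already_alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: parse_time(e["eventTime"])):
        if ev.get("eventName") != "ConsoleLogin":
            continue
        ts = parse_time(ev["eventTime"])
        ip = ev["sourceIPAddress"]
        user = ev.get("userIdentity", {}).get("userName", "<unknown>")
        outcome = ev.get("responseElements", {}).get("ConsoleLogin")
        recent = failures[ip]
        while recent and ts - recent[0][0] > window:   # expire failures outside the window
            recent.popleft()
        if outcome == "Failure":
            recent.append((ts, user))
            if len(recent) >= threshold and ip not in already_alerted:
                already_alerted.add(ip)
                alerts.append({"type": "bruteforce", "source_ip": ip,
                               "failures": len(recent),
                               "users": sorted({u for _, u in recent}),
                               "last_seen": ev["eventTime"]})
        elif outcome == "Success" and len(recent) >= success_after:
            alerts.append({"type": "success_after_failures", "source_ip": ip,
                           "user": user, "prior_failures": len(recent),
                           "time": ev["eventTime"]})
    return alerts


def lambda_handler(event, context):
    """Entry point for one CloudTrail log file ({"Records": [...]}) that the
    caller has already fetched from S3 and gunzipped."""
    return detect_console_bruteforce(event.get("Records", []))


if __name__ == "__main__":
    for alert in detect_console_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

Keying on the source IP rather than the user name is what catches a spray across many accounts; a per-user threshold would never fire on the sample above because no account sees more than two failures. The `success_after_failures` alert is the one worth paging on, since it means a password was found.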
- Quick introduction to static and dynamic malware analysis
- Building a ClamAV-based static scanner for S3 buckets using AWS Lambda
- Integrating serverless scanning of S3 buckets with the YARA engine
- Building signature-update pipelines using static storage buckets to detect recent threats
- Malware alert notification through SNS and a Slack channel
- Adding advanced context to Slack notifications for quick remediation
- Auto-remediation of malware files through event notifiers and object tags
- Building a highly scalable heuristic feature extractor using Docker containers
- Optimizing the workload with malware file-type identification and hash calculation
- Integrating playbooks for threat-feed ingestion and VirusTotal lookups
- Advanced alerting and threat-intelligence gathering using AWS Elasticsearch and Athena
- Building dashboards and queries for real-time monitoring and analytics
- Advanced dynamic analysis using Cuckoo Sandbox on an AWS EC2 instance and DynamoDB
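The serverless S3 scanner from the previous list and the tag-based auto-remediation, file-type triage and hash lookup items above fit in one Lambda handler. The block below is an added example and not the course's own code: the boto3 S3 calls (`get_object`, `put_object_tagging`, `copy_object`, `delete_object`) are real, but the hash blocklist and byte signatures are constructed stand-ins for ClamAV/YARA verdicts, `FakeS3` is an in-memory client so the block runs without AWS credentials, and the bucket names, keys and tag names are assumptions.

```python
"""S3 upload scanner: hash lookup, file-type identification, tagging, quarantine.

Added example, not the course's own code. Blocklist, signatures, FakeS3 and the
sample event are constructed; only the boto3 call names are real.
"""
import hashlib
import io
from urllib.parse import unquote_plus

# Constructed blocklist: the SHA-256 of the EICAR test file (harmless by design).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
KNOWN_BAD_SHA256 = {hashlib.sha256(EICAR).hexdigest()}
# Stand-in for YARA/ClamAV byte signatures (constructed).
BYTE_SIGNATURES = {"eicar_test_file": b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"}
# Magic-byte table used to decide how much work each object needs.
MAGIC = [(b"MZ", "pe"), (b"\x7fELF", "elf"), (b"%PDF", "pdf"), (b"PK\x03\x04", "zip"),
         (b"\x1f\x8b", "gzip"), (b"\x89PNG", "png"), (b"\xff\xd8\xff", "jpeg")]
SKIP_SIGNATURE_SCAN = {"png", "jpeg"}   # still hashed and tagged, but not pattern-scanned


def file_type(data):
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def scan_bytes(data):
    """Cheapest check first (hash lookup), then type-based triage, then pattern scan."""
    digest = hashlib.sha256(data).hexdigest()
    verdict = {"sha256": digest, "file_type": file_type(data), "status": "clean", "detection": ""}
    if digest in KNOWN_BAD_SHA256:
        verdict.update(status="infected", detection="hash:" + digest[:12])
    elif verdict["file_type"] in SKIP_SIGNATURE_SCAN:
        verdict["status"] = "skipped"
    else:
        for name, pattern in BYTE_SIGNATURES.items():
            if pattern in data:
                verdict.update(status="infected", detection="sig:" + name)
                break
    return verdict


def handle_record(s3, record, quarantine_bucket):
    """Scan one object named in an S3 event record, tag it, quarantine it if infected."""
    bucket = record["s3"]["bucket"]["name"]
    key = unquote_plus(record["s3"]["object"]["key"])   # keys in S3 events are URL-encoded
    data = s3.get_object(Bucket=bucket, Key=key)["Body"].read()
    verdict = scan_bytes(data)
    tags = [{"Key": "scan-status", "Value": verdict["status"]},
            {"Key": "scan-sha256", "Value": verdict["sha256"]},
            {"Key": "scan-filetype", "Value": verdict["file_type"]}]
    if verdict["status"] == "infected":
        tags.append({"Key": "scan-detection", "Value": verdict["detection"]})
        qkey = f"{bucket}/{key}"   # keep the origin in the quarantine key for the investigation
        s3.copy_object(Bucket=quarantine_bucket, Key=qkey, CopySource={"Bucket": bucket, "Key": key})
        s3.put_object_tagging(Bucket=quarantine_bucket, Key=qkey, Tagging={"TagSet": tags})
        s3.delete_object(Bucket=bucket, Key=key)   # remove it from the bucket users can read
    else:
        s3.put_object_tagging(Bucket=bucket, Key=key, Tagging={"TagSet": tags})
    return verdict


def lambda_handler(event, context, s3=None, quarantine_bucket="quarantine-bucket"):
    if s3 is None:                       # real Lambda runtime
        import boto3
        s3 = boto3.client("s3")
    return [handle_record(s3, r, quarantine_bucket) for r in event["Records"]]


class FakeS3:
    """In-memory stand-in for the boto3 S3 client (constructed; only the calls used here)."""
    def __init__(self, objects):
        self.objects, self.tags = dict(objects), {}
    def get_object(self, Bucket, Key):
        return {"Body": io.BytesIO(self.objects[(Bucket, Key)])}
    def put_object_tagging(self, Bucket, Key, Tagging):
        self.tags[(Bucket, Key)] = {t["Key"]: t["Value"] for t in Tagging["TagSet"]}
    def copy_object(self, Bucket, Key, CopySource):
        self.objects[(Bucket, Key)] = self.objects[(CopySource["Bucket"], CopySource["Key"])]
    def delete_object(self, Bucket, Key):
        self.objects.pop((Bucket, Key), None)


# Constructed S3 event with two uploads; "+" in the key is how S3 encodes a space.
SAMPLE_EVENT = {"Records": [
    {"s3": {"bucket": {"name": "uploads-bucket"}, "object": {"key": "reports/q1.pdf", "size": 14}}},
    {"s3": {"bucket": {"name": "uploads-bucket"}, "object": {"key": "inbox/eicar+test.com", "size": 68}}},
]}
SAMPLE_OBJECTS = {("uploads-bucket", "reports/q1.pdf"): b"%PDF-1.4 clean",
                  ("uploads-bucket", "inbox/eicar test.com"): EICAR}

if __name__ == "__main__":
    client = FakeS3(SAMPLE_OBJECTS)
    for v in lambda_handler(SAMPLE_EVENT, None, s3=client, quarantine_bucket="quarantine"):
        print(v)
```

Two practitioner notes. The Lambda role needs `s3:GetObject`, `s3:PutObjectTagging` and `s3:DeleteObject` on the source bucket and `s3:PutObject` on the quarantine bucket, and the quarantine bucket must not itself trigger the scanner or the copy will loop. Skipping the pattern scan for image types is a throughput optimisation with a cost: a signature hidden inside a PNG is not found by this path, so keep the hash check ahead of the type check, as above, and decide deliberately which types may bypass the engine.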
- Understanding network flow in a cloud environment
- Quick introduction to VPCs, subnets and security groups
- Using VPC Flow Logs to discover network threats
- VPC Traffic Mirroring to detect malware command & control
- Integrating Snort and Zeek for real-time threat detection
- Building GuardDuty notifiers for real-time alerting
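Flow logs carry no payload, so "using VPC Flow Logs to discover network threats" means working from timing and volume. The block below, an added example rather than course code, parses the default 14-field flow-log format (the real layout) and runs two detections over constructed sample records: a beacon detector that flags outbound connections to one host:port with evenly spaced start times, and a port-scan detector over `REJECT` entries. The VPC CIDR, thresholds and hosts are assumptions for the demo.

```python
"""Beaconing and port-scan detection over VPC Flow Logs (default v2 format).

Added example, not the course's own code. The 14-field layout is the real
default flow-log format; the log lines are constructed sample data.
"""
import ipaddress
import statistics
from collections import defaultdict

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

T0 = 1700000000   # constructed epoch base for the sample records
SAMPLE_LOG = "\n".join(
    # NODATA row: no traffic in the window, fields are '-' and must not be parsed as ints
    ["2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA",
     # ordinary browsing from 10.0.1.23, irregular timing
     f"2 123456789012 eni-0a1b2c3d 10.0.1.23 93.184.216.34 51000 443 6 20 4100 {T0 + 7} {T0 + 19} ACCEPT OK",
     f"2 123456789012 eni-0a1b2c3d 10.0.1.23 93.184.216.34 51001 443 6 31 9800 {T0 + 211} {T0 + 230} ACCEPT OK",
     f"2 123456789012 eni-0a1b2c3d 10.0.1.23 93.184.216.34 51002 443 6 12 2200 {T0 + 602} {T0 + 610} ACCEPT OK",
     # internal admin traffic, ignored by the beacon detector (both ends inside the VPC)
     f"2 123456789012 eni-0a1b2c3d 10.0.1.23 10.0.1.50 52000 22 6 40 6000 {T0 + 300} {T0 + 900} ACCEPT OK"]
    # C2 check-in: same external host:port every 60 seconds
    + [f"2 123456789012 eni-0a1b2c3d 10.0.1.23 198.51.100.50 {40000 + i} 443 6 5 520 "
       f"{T0 + 60 * i} {T0 + 60 * i + 3} ACCEPT OK" for i in range(8)]
    # external host probing 15 ports on 10.0.1.23, all rejected by the security group
    + [f"2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.23 44001 {port} 6 1 44 {T0 + 5} {T0 + 6} REJECT OK"
       for port in range(21, 36)]
)


def parse_flow_line(line):
    """Return a dict for a usable record, or None for malformed/NODATA/SKIPDATA rows."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for f in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[f] = int(rec[f])
    return rec


def detect_beacons(records, vpc_cidr, min_flows=6, max_cv=0.2):
    """Flag outbound flows (src inside the VPC, dst outside) to one host:port whose
    start times are evenly spaced, i.e. a low coefficient of variation of the gaps."""
    vpc = ipaddress.ip_network(vpc_cidr)
    starts = defaultdict(list)
    for r in records:
        if r["action"] != "ACCEPT":
            continue
        if ipaddress.ip_address(r["srcaddr"]) in vpc and ipaddress.ip_address(r["dstaddr"]) not in vpc:
            starts[(r["srcaddr"], r["dstaddr"], r["dstport"])].append(r["start"])
    findings = []
    for (src, dst, port), times in starts.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "dstport": port, "flows": len(times),
                             "period_s": round(mean), "cv": round(cv, 3)})
    return findings


def detect_port_scans(records, min_ports=10):
    """One source hitting many distinct ports on one destination and getting REJECTs."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[(r["srcaddr"], r["dstaddr"])].add(r["dstport"])
    return [{"src": s, "dst": d, "rejected_ports": len(p)}
            for (s, d), p in ports.items() if len(p) >= min_ports]


def analyse(log_text, vpc_cidr="10.0.0.0/16"):
    records = [r for r in map(parse_flow_line, log_text.splitlines()) if r]
    return {"beacons": detect_beacons(records, vpc_cidr), "scans": detect_port_scans(records)}


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Regular outbound timing is also what NTP, package mirrors and monitoring agents look like, so in production the beacon detector needs an allowlist of known destinations and should feed a Slack or SNS alert for analyst review rather than an automatic block. Flow-log aggregation intervals (the default is 10 minutes) also bound the shortest beacon period you can resolve; use the 1-minute interval, or Traffic Mirroring into Zeek, when you need finer timing.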
- Analysis of an infected EC2 instance
- Building an IR 'flight simulator' in the cloud
- Creating a Step Functions rulebook for instance isolation and volume snapshots
- Lambda functions to perform instance isolation and status alerts
- Building a forensic-analysis playbook to extract key artifacts, run Volatility and build case tracking
- Automated timeline generation and memory dumps
- Storing the artifacts in an S3 bucket
- On-demand execution of a Sleuth Kit instance for detailed forensic analysis
- Enforcing security measures and policies to avoid instance compromise
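The "instance isolation and volume snapshots" step of the playbook above is the one that most often goes wrong in practice (stopping the instance and losing memory, or forgetting the default egress rule on the quarantine group). The block below is an added example, not the course's code: the boto3 EC2 calls it uses (`describe_instances`, `create_security_group`, `revoke_security_group_egress`, `modify_instance_attribute`, `create_snapshot`, `create_tags`) and the GuardDuty finding path `detail.resource.instanceDetails.instanceId` are real, while `FakeEC2`, the sample finding, the tag names and the instance/volume IDs are constructed so it runs without AWS access.

```python
"""Isolate a compromised EC2 instance and snapshot its volumes (one playbook step).

Added example, not the course's own code. FakeEC2 and the sample finding are
constructed; the boto3 call names and the GuardDuty event layout are real.
"""

# Constructed, minimal GuardDuty finding as delivered through an EventBridge rule.
SAMPLE_GUARDDUTY_EVENT = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"type": "Backdoor:EC2/C&CActivity.B!DNS", "severity": 8,
               "resource": {"resourceType": "Instance",
                            "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}},
}


def instance_id_from_guardduty(event):
    return event["detail"]["resource"]["instanceDetails"]["instanceId"]


def isolate_and_snapshot(ec2, instance_id, case_id):
    reservations = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"]
    if not reservations:
        raise ValueError(f"instance {instance_id} not found")
    inst = reservations[0]["Instances"][0]
    original_sgs = [g["GroupId"] for g in inst["SecurityGroups"]]

    # 1. Protect the evidence: block API termination. Do NOT stop the instance here;
    #    a stop discards the memory a later playbook step still wants to dump.
    ec2.modify_instance_attribute(InstanceId=instance_id, DisableApiTermination={"Value": True})

    # 2. Swap in a quarantine security group. A new group has no inbound rules but does
    #    get a default allow-all IPv4 egress rule, so revoke it (add ::/0 for IPv6 VPCs).
    sg_id = ec2.create_security_group(GroupName=f"ir-quarantine-{case_id}",
                                      Description=f"IR quarantine for {instance_id}",
                                      VpcId=inst["VpcId"])["GroupId"]
    ec2.revoke_security_group_egress(GroupId=sg_id, IpPermissions=[
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}])
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[sg_id])

    # 3. Snapshot every attached EBS volume for offline analysis (Sleuth Kit, timeline).
    snapshots = []
    for mapping in inst.get("BlockDeviceMappings", []):
        volume_id = mapping.get("Ebs", {}).get("VolumeId")
        if not volume_id:
            continue
        snap_id = ec2.create_snapshot(
            VolumeId=volume_id,
            Description=f"IR case {case_id}: {instance_id} {mapping['DeviceName']}",
            TagSpecifications=[{"ResourceType": "snapshot", "Tags": [
                {"Key": "ir-case", "Value": case_id},
                {"Key": "ir-source-instance", "Value": instance_id}]}])["SnapshotId"]
        snapshots.append({"device": mapping["DeviceName"], "volume": volume_id, "snapshot": snap_id})

    # 4. Record state on the instance so later steps (and an eventual restore) can find it.
    ec2.create_tags(Resources=[instance_id], Tags=[
        {"Key": "ir-status", "Value": "isolated"},
        {"Key": "ir-case", "Value": case_id},
        {"Key": "ir-original-sgs", "Value": ",".join(original_sgs)}])
    return {"instance_id": instance_id, "case_id": case_id, "quarantine_sg": sg_id,
            "original_security_groups": original_sgs, "snapshots": snapshots}


def lambda_handler(event, context, ec2=None):
    """EventBridge -> Lambda entry point for a GuardDuty finding."""
    if ec2 is None:                     # real Lambda runtime
        import boto3
        ec2 = boto3.client("ec2")
    case_id = event["detail"].get("id", "manual")   # GuardDuty finding id when present
    return isolate_and_snapshot(ec2, instance_id_from_guardduty(event), case_id)


class FakeEC2:
    """In-memory stand-in for the boto3 EC2 client (constructed; only the calls used here)."""
    def __init__(self):
        self.instance = {"InstanceId": "i-0123456789abcdef0", "VpcId": "vpc-0abc",
                         "SecurityGroups": [{"GroupId": "sg-web"}, {"GroupId": "sg-ssh"}],
                         "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-root"}},
                                                 {"DeviceName": "/dev/xvdf", "Ebs": {"VolumeId": "vol-data"}}]}
        self.attributes, self.tags, self.snapshots, self.egress_revoked = {}, {}, [], []
    def describe_instances(self, InstanceIds):
        found = [self.instance] if InstanceIds == [self.instance["InstanceId"]] else []
        return {"Reservations": [{"Instances": found}] if found else []}
    def create_security_group(self, GroupName, Description, VpcId):
        return {"GroupId": "sg-quarantine"}
    def revoke_security_group_egress(self, GroupId, IpPermissions):
        self.egress_revoked.append(GroupId)
    def modify_instance_attribute(self, InstanceId, **attrs):
        self.attributes.setdefault(InstanceId, {}).update(attrs)
    def create_snapshot(self, VolumeId, Description, TagSpecifications):
        snap_id = f"snap-{len(self.snapshots) + 1:04d}"
        self.snapshots.append((snap_id, VolumeId))
        return {"SnapshotId": snap_id}
    def create_tags(self, Resources, Tags):
        for r in Resources:
            self.tags.setdefault(r, {}).update({t["Key"]: t["Value"] for t in Tags})


if __name__ == "__main__":
    print(lambda_handler(SAMPLE_GUARDDUTY_EVENT, None, ec2=FakeEC2()))
```

The order matters: isolation before snapshots, so the attacker cannot alter the disk while the snapshot is taken, and no stop or reboot until the memory dump step has run. In a Step Functions rulebook each numbered step above becomes its own task state so a failed snapshot can be retried without re-running the isolation, and the returned dict is the state object handed to the next step (status alert, artifact collection).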
- Introduction to cloud infrastructure security assessment
- Using Scout for automated security assessment
- Analyzing the report and plugging the holes