SEC-T - 0x10sion

CLOUD SECURITY MASTERCLASS: Securing Public Cloud Infrastructure

Where

This is not the same address as the conference! Same building but different entrance.
Söder Mälarstrand 57
118 25 Stockholm

Day 1 (2022-09-13)

8.30 – 09.00	Registration & breakfast
9.00 – 12.00	Training
12.00 – 13.00	Lunch
13.00 – 15.00	Training
15.00 – 15.30	Coffee break
15.30 – 17.00	Training

Day 2 (2022-09-14)

8.30 – 09.00	Registration & breakfast
9.00 – 12.00	Training
12.00 – 13.00	Lunch
13.00 – 15.00	Training
15.00 – 15.30	Coffee break
15.30 – 17.00	Training

---

This training focuses on elevating your threat detection, investigations, and response knowledge into the cloud. This hands-on training with CTF-style exercises simulates real-life attack scenarios on cloud infrastructure & applications. It then teaches you to build defensive guard rails against such attacks by using cloud native services on AWS. This makes it an ideal class for red & blue teams.

By the end of this training, we will be able to:

• Use cloud technologies to detect IAM attacks.
• Understand and mitigate cloud native pivoting and privilege escalation and defense techniques.
• Use serverless functions to perform on-demand threat scans.
• Containers to deploy threat detection services at scale.
• Build notification services to create alerts
• Analyze malware-infected virtual machines to perform automated forensic investigations and artifacts collection.
• Use Elasticsearch and Athena for building SIEM and security data-lake for real-time threat intelligence and monitoring.

Course outline

Course Syllabus/Outline includes:

Day 1

• Introduction
  • Introduction to cloud services
  • Basic terminologies: IAM, VPC, AMI, serverless, ARNs etc.
  • Understanding cloud deployment architecture.
  • Introduction to Logging services in cloud.
  • Introduction to shared responsibility model.
  • Setting up your free tier account.
  • Setting up AWS command-line interface.
  • Understanding Cloud attack surfaces.

• Detecting and monitoring against IAM attacks

  • Identity & Access management crash course.
  • Policy enumeration from an attacker’s & defender’s perspective.
  • Detecting and responding to user account brute force attempts.
  • Building anomaly detection using CloudWatch events.
  • Building controls against privilege escalation and access permission flaws.
  • Attacking and defending against user role enumeration.
  • Brute force attack detection using cloudTrail.
  • Automated notification for alarms and alerts.
  • Exercise on detecting IAM attacks in a simulated environment containing web application compromise and lateral movement.
• Malware detection and investigation on/for cloud infrastructure
  • Quick Introduction to cloud infrastructure security.
  • Building clamAV based static scanner for S3 buckets using AWS lambda.
  • Integrating serverless scanning of S3 buckets with yara engine.
  • Building signature update pipelines using static storage buckets to detect recent threats.
  • Malware alert notification through SNS and slack channel.
  • Adding advanced context to slack notification for quick remediation.
  • Exercise on simulating a malware infection in AWS and building an automated detection & alerting system.

Day 2

• Threat Response & Intelligence analysis techniques on/for Cloud infrastructure
  • Integrating playbooks for threat feed ingestion and Virustotal lookups.
  • Building a SIEM-like service for advance alerting and threat intelligence gathering using Elasticsearch.
  • Creating a Security datalake for advance analytics and intelligence search.
  • Building dashboards and queries for real-time monitoring and analytics.
  • CTF exercise to correlate multiple logs to determine the source of infection.
• Network Security & monitoring for Cloud Infrastructure
  • Understanding Network flow in cloud environment.
  • Quick introduction to VPC, subnets and security groups.
  • Using VPC flow logs to discover network threats.
  • VPC traffic mirroring to detect malware command & Control.
• Forensic Acquisition, analysis and intelligence gathering of cloud AMI’s.
  • Analysis of an infected VM instance.
  • Building an IR ‘flight simulator’ in the cloud.
  • Creating a step function rulebook for instance isolation and volume snapshots.
  • lambda functions to perform instance isolation and status alerts.
  • Building forensic analysis playbook to extract key artifacts, run volatility and build case tracking.
  • Automated timeline generation and memory dump.
  • Storing the artifacts to S3 bucket.
  • On-demand execution of Sleuthkit instance for detailed forensic analysis.
  • Enforcing security measures and policies to avoid instance compromise.

Who Should Take This Course?

• Red Team members
• Blue team and Purple team members
• Cloud Security Teams
• Incident responders, Analysts
• Malware investigators and Analysts
• Threat intelligence analysts and Responders

Student Requirements

• Basic understanding of cloud services
• System administration and linux cli
• Able to write basic programs in python

Is this course for beginners, intermediate or advanced students?

Beginners and Intermediate.

Student Requirements

• Basic understanding of cloud services
• System administration and linux cli
• Able to write basic programs in python

What Students Should Bring

• Laptop with internet access
• Free tier account for AWS

What Students Will Be Provided With

• PDF versions of slides that will be used during the training.
• Complete course guide in containing 200+ pages in PDF format. It will contain step-by-step guidelines for all the exercises, labs and detailed explanation of concepts discussed during the training.
• Slack channel to continue the discussion and access even after the training ends.
• Infrastructure-as-code templates to deploy the test environments & simulations for continued practice after the class ends.
• Access to Github account for accessing custom-built source codes and tools.
• Collection of test malware samples, forensic images, detection rules and queries.

The instructor

Abhinav Singh is a cybersecurity researcher with close to a decade long experience working for global leaders in security technology, financial institutions and as an independent trainer/consultant. He is the author of Metasploit Penetration Testing Cookbook (first, second & third editions) and Instant Wireshark Starter, by Packt. He is an active contributor to the security community in the form of patents, open-source tools, paper publications, articles, and blogs. His work has been quoted in several security and privacy magazines, and digital portals. He is a frequent speaker at eminent international conferences like Black Hat, RSA & Defcon. His areas of expertise include malware research, reverse engineering, enterprise security, forensics, and cloud security.