Cloud Security Masterclass: Defender's guide to Securing Public Cloud Infrastructure

Online Training date: October 25-26, 2021.

Abstract

This hands-on CTF-style training focuses on elevating your security knowledge into the cloud. Learn to defend your public cloud infrastructure by building automated detection, alerting and response pipelines for your public cloud workloads by using native cloud services. This training focuses on building security knowledge on the cloud and for the cloud.

Description

This training focuses on elevating your threat detection, investigations, and response knowledge into the cloud. This hands-on training with CTF-style exercises simulates real-life attack scenarios on cloud infrastructure & applications. It then teaches you to build defensive guard rails against such attacks by using cloud native services on AWS. This makes it an ideal class for red & blue teams.

By the end of this training, we will be able to:

  • Use cloud technologies to detect IAM attacks.
  • Understand and mitigate cloud native pivoting and privilege escalation and defense techniques.
  • Use serverless functions to perform on-demand threat scans.
  • containers to deploy threat detection services at scale.
  • build notification services to create alerts
  • analyze malware-infected virtual machines to perform automated forensic investigations and artifacts collection.
  • Use Elasticsearch and Athena for building SIEM and security data-lake for real-time threat intelligence and monitoring.

FULL Course Abstract

Breach investigations, Malware analysis, threat intelligence, and forensic investigation plays a critical role in large scale incident response teams. Traditional analysis tools and deployment methods are not built to support multiple security teams separated geographically. Also, cloud-based workloads require additional monitoring which poses another challenge. This training tries to solve the two problems by building scalable and automated services to perform investigations, reporting and alerting for cloud workloads by directly using native cloud services.

The training will begin by covering technical and architectural understanding of the cloud and its services in the introductory phase. We will then dive into the Identity and access management based attack and defense scenarios. The lesson will follow through by deploying attack templates to replicate real-life IAM attack scenarios and countermeasures required to implement Principle of Least privilege.

The second phase of the training will cover cloud infrastructure security. Beginning from building alerting services for common attack scenarios like brute force and account takeover. Then we focus on persistence techniques used by attackers to pivot into the cloud environment and how to defend against such attacks. By using attack templates, we will simulate use-cases like token hijacking and trail deletion, with emphasis on building defensive measures by using cloud native technologies at scale.

The next part of cloud infrastructure security will involve hands-on tool building for automated malware detection by utilizing lambda functions. We will cover CTF exercises on detecting malware at scale across the cloud infrastructure along with integrating additional features like file-type determination and automated signature update through object stores.

In the third phase, we will dive deeper into security monitoring. We will focus on building a SIEM-like detection and alerting capability by deploying Elasticsearch stack and through Slack web-hooks. We will also enhance the capability by building a Security data lake. This would enable large scale security teams to perform threat intelligence and correlation on historic security data.

The fourth phase of the training will focus on forensic investigations. We will learn to build investigation playbooks using step functions to automate the investigation and reporting process. Examples include automated forensic artifact collection by utilizing lambda functions, automated analysis, building timeline, dumping process memory & alerting through Slack or SNS.

Course Syllabus/Outline

Day 1:

Introduction

- Introduction to cloud services
- Basic terminologies: IAM, VPC, AMI, serverless, ARNs etc.
- Understanding cloud deployment architecture.
- Introduction to Logging services in cloud.
- Introduction to shared responsibility model.  
- Setting up your free tier account. 
- Setting up AWS command-line interface.
- Understanding Cloud attack surfaces.

Detecting and monitoring against IAM attacks.

- Identity & Access management crash course. - Policy enumeration from an attacker’s & defender’s perspective.
    - Detecting and responding to user account brute force attempts.
    - Building anomaly detection using CloudWatch events. 
- Building controls against privilege escalation and access permission flaws.
- Attacking and defending against user role enumeration.
- Brute force attack detection using cloudTrail.
- Automated notification for alarms and alerts.
- Exercise on detecting IAM attacks in a simulated environment containing web application compromise and lateral movement.  

Malware detection and investigation on/for cloud infrastructure

- Quick Introduction to cloud infrastructure security. 
- Building clamAV based static scanner for S3 buckets using AWS lambda.
- Integrating serverless scanning of S3 buckets with yara engine.
- Building signature update pipelines using static storage buckets to detect recent threats.
- Malware alert notification through SNS and slack channel.
- Adding advanced context to slack notification for quick remediation.  
- Exercise on simulating a malware infection in AWS and building an automated detection & alerting system.

Day 2:

Threat Response & Intelligence analysis techniques on/for Cloud infrastructure

- Integrating playbooks for threat feed ingestion and Virustotal lookups.
- Building a SIEM-like service for advance alerting and threat intelligence gathering using Elasticsearch.
- Creating a Security datalake for advance analytics and intelligence search. 
- Building dashboards and queries for real-time monitoring and analytics.
- CTF exercise to correlate multiple logs to determine the source of infection. 

Network Security & monitoring for Cloud Infrastructure

- Understanding Network flow in cloud environment.
- Quick introduction to VPC, subnets and security groups.
- Using VPC flow logs to discover network threats.
- VPC traffic mirroring to detect malware command & Control.

Forensic Acquisition, analysis and intelligence gathering of cloud AMI’s.

- Analysis of an infected VM instance.
- Building an IR 'flight simulator' in the cloud.
- Creating a step function rulebook for instance isolation and volume snapshots.
- lambda functions to perform instance isolation and status alerts.
- Building forensic analysis playbook to extract key artifacts, run volatility and build case tracking.
- Automated timeline generation and memory dump.
- Storing the artifacts to S3 bucket.
- On-demand execution of Sleuthkit instance for detailed forensic analysis.
- Enforcing security measures and policies to avoid instance compromise.

Why should people attend your course?

This is a unique course which is on the cloud and for the cloud. It not only helps train the individuals on cloud terminologies but also enables them to build scalable defense mechanisms for their services running in the public cloud. The training explicitly focuses on threat detection, Incident response, malware investigations and forensic analysis of cloud infrastructure which is still a very less known domain in the market.

Please list the top 3 takeaways your students will learn

  • Using cloud native technologies to build your own security services for your applications and services running in the cloud.

  • Building real-time detection, monitoring and response capabilities for threat tracking and intelligence gathering.

  • Building Advanced automated pipelines through Detection-as-code features to defend public cloud infrastructures.

Does your course focus on any proprietary product or platform?

No. ### Approximately what percentage of your course is lecture vs hands-on?

Hands-on: 65-70%. Lecture: 30-35%.

How many hands-on labs (approx) are you planning to have? How long will they take?

Day 1: 6 hands-on labs: Approximately 6 hours

Day 2: 5 hands-on labs: Approximately 6 hours.

Do you assign homework or after class exercises?

Yes. Students will be provided with Cloudformation templates for next day’s lessons.

What are the keywords you would use to describe the topic areas covered by your course?

Cloud Security, DevSecOps, Red-team, Blue team, Infrastructure security

Who Should Take This Course:

  • Red Team members
  • Blue team and Purple team members
  • Cloud Security Teams
  • Incident responders, Analysts
  • Malware investigators and Analysts
  • Threat intelligence analysts and Responders

Student Requirements

  • Basic understanding of cloud services

  • System administration and linux cli

  • Able to write basic programs in python

Is this course for beginners, intermediate or advanced students?

Beginners and Intermediate.

What Students Should Bring

  • Laptop with internet access

  • Free tier account for AWS

What Students Will Be Provided With

  • PDF versions of slides that will be used during the training.
  • Complete course guide in containing 200+ pages in PDF format. It will contain step-by-step guidelines for all the exercises, labs and detailed explanation of concepts discussed during the training.
  • Slack channel to continue the discussion and access even after the training ends.
  • Infrastructure-as-code templates to deploy the test environments & simulations for continued practice after the class ends.
  • Access to Github account for accessing custom-built source codes and tools.
  • Collection of test malware samples, forensic images, detection rules and queries.

About the Speaker