Purple-Team AWS - 2022 Edition (Online Training)

With companies moving and operating extensively on the AWS Cloud, security remains a key challenge for professionals and organizations everywhere.

This training is an extensive deep-dive into Attack, Detect and Defense implementations within AWS. The training is dedicated to cookbook-style “Attack, Detect and Defence” cyber-ranges.

The aim of this training is to take the participant through a journey of highly practical, scalable and granular knowledge of AWS offense, defense and security automation. Our fundamental objective is that, after walking out of this class, the participant should be able to immediately apply this knowledge to AWS environments in their workplace.

This class is an intense, deep-dive experience into Security on AWS. We’d like participants to explore practical implementations of full-fledged environments, rather than have a surface-level understanding of attack and defense in AWS.

AWS is the dominant cloud provider in the marketplace. With over 100 cloud services and counting and a leading market share, organizations from banks to brokerages have bought into their public cloud journey on AWS. AWS’s plethora of compute, database and analytics offerings ensures that organizations can run traditional, massive-scale server infrastructure or deploy auto-scaled microservices with Lambda, Fargate and so on.

Security is one of the key concerns on everyone’s mind when they are on the cloud. While there are powerful and comprehensive security controls available to users on AWS, it is often hard to understand the depths of these security configurations. In addition, it’s important to understand how one can run a defense-in-depth implementation of multiple security controls in a synchronized, automated and scalable manner.

The aim of this training is to take the participant through a journey of highly practical, scalable and granular knowledge of AWS offense, defense and security automation. Our fundamental objective is that, after walking out of this class, the participant should be able to immediately apply this knowledge to AWS environments in their workplace. They should be able to identify deep-seated flaws in their company’s AWS infrastructure, secure them from the perspective of defense-in-depth, without resorting to ineffective “perimeter-style” security controls and finally be able to automate both offense and defense, to save precious hours and days that it would otherwise take.

This training is an extensive deep-dive into Attack, Detect and Defense implementations within AWS. The training is dedicated to cookbook-style “Attack, Detect and Defence” cyber-ranges. We call this segment “Stories”, as we’ll be deploying and walking through real-world applications and deployments as stories. Participants will deploy 4-5 fully-formed stories on AWS. These stories consist of stacks that will be vulnerable in specific ways. These infrastructure stacks consist of:

  • Traditional VM deployments with multiple EC2 servers with a real-world enterprise application deployment.
  • Serverless deployments that consist of services that are deployed using AWS Lambda. These stacks leverage additional services like DynamoDB, Cognito, etc.
  • AWS Elastic Beanstalk with a real-world application deployment.

The first thing that the participants will do is a CTF-style session, where they will spend time identifying and attacking these infrastructures with multi-step attacks, performing extensive examples of lateral movement using techniques highlighted in the MITRE ATT&CK Framework, popular bug bounties and our own experiences with attacking and auditing AWS infrastructure.

Each attack will be meticulously detailed and demoed by the instructor, with the participants following along on dedicated hands-on labs that they deploy and attack. The Offensive Labs will be entirely deployed with automated Infrastructure-as-Code scripts using Terraform or CDK.

Once the attack section of each story is complete, we will tear down the vulnerable implementation and deploy a secure version of each story. The security controls will encompass preventive and detective controls from the native AWS Security landscape that can be leveraged to add defense-in-depth security implementations on AWS. Each control that we add will be detailed with a set of mini-labs, where the participant first understands the control in isolation. Once all the controls are explored, a detect version of the story will be deployed into AWS, where we detect malicious activities and alert on them. After that, a secure version of the story will be deployed to AWS, where we bring all these controls together in an automated deployment that comes full circle for each story.

The security implementations we’ll be exploring across the stories include, but are not limited to:

  • AWS Network Security Controls => VPC, Advanced VPC Controls (Traffic Mirroring, Flow Logs, etc.), Security Groups, etc.
  • AWS IAM and Advanced IAM deployment, policies and Policy Management
  • AWS Security Services => Security Hub, GuardDuty, etc.
  • AWS Host Security Services => IMDSv2, host-level security monitoring using osquery, etc.
  • Proactive Detection and Alerting => CloudWatch, CloudTrail, Alerts, leveraging Lambda for security event triggers, etc.
  • Security Analytics with CloudWatch, Athena, etc.
  • Federated Access Control and Management with Cognito and Cognito implementation deep-dives
  • Container-native security protections => ECR and Fargate
  • Encryption and Key Management Practices with KMS and Secrets Manager

In addition to the stories explored in the class, one of the sessions will be dedicated to Security Automation and Assessment techniques for AWS. This segment will focus on DevSecOps practices that can be used in AWS environments, including, but not limited to:

  • CI/CD practices with AWS CodePipeline and GitHub Actions
  • Security assessments against AWS with OSS tools to identify vulnerabilities and security misconfigurations in these environments at scale and with automation
  • Leveraging existing AWS tooling like Step Functions, Lambda and Fargate to perform completely automated security pipelines and security assessments against AWS, with reporting linked to tools like Slack, etc.

Additionally, in the introductory segment on Day 1, we’ll be doing a quick primer on CloudFormation, Terraform and CDK to ensure that everyone has a baseline understanding of automation frameworks in AWS.

About the Speakers