Dive deep into cloud security, tailored for AWS & Azure and learn to fortify cloud infrastructure and applications by establishing automated detection, alerting, and response systems. Engage in interactive labs, real-world attack simulations, and CTF challenges—with metal coins to win—for a hands-on learning journey.
This training focuses on enterprise level cloud security challenges and includes both investigator and builder approach towards security.
Learn to defend your AWS & Azure cloud infrastructure by building highly scalable threat detection, Incident response and auto-remediation pipelines by using native cloud services like serverless, containers, object stores, IAM/AD, logic apps, SQL/KQL queries and much more. The training extends the knowledge into more advanced enterprise use-cases like cross-account logging & monitoring, multi-cloud compliance and data security. This training focuses on building security knowledge on the cloud and for the cloud.
By the end of this training, we will be able to(applies to both AWS & Azure):
* Use cloud technologies to detect & build automated responses against IAM & AD attacks.
* Understand and mitigate advanced identity based attacks like pivoting and privilege escalation and build defense techniques against them.
* Use serverless functions and containers to build highly scalable, on-demand threat scanning service.
* Build notification services to create detection alerts on real-time SIEM using Slack.
* Analyze malware-infected virtual machines to learn cloud pivot techniques.
* Build cross-account Incident Response service using API gateway and perform auto-remediation and analysis.
* Define step functions & logic apps to implement automated forensic artifacts collection for cloud resources.
* Build cloud security response playbooks for defense evasion, persistence and lateral movements.
* Enforce multi-cloud security strategy through assessments, compliance checks and benchmarking automation.
Course Syllabus/Outline includes:
**Day 1:**
*Introduction*
– Quick Introduction to AWS & Azure cloud services.
– Basic terminologies: IAM, VPC, AMI, serverless, ARNs etc.
– Introduction to Logging services in the cloud.
– Setting up your free tier account.
– Setting up AWS & Azure command-line interface.
*Cloud Attack Surface*
– Cloud service enumeration for attack surface identification.
– Exploiting serverless functions and harvesting cloud credentials.
– Cross-account lateral movement through Organizations & Subscriptions.
*Detecting and monitoring against AWS IAM attacks.*
– Identity & Access management crash course.
– Policy enumeration from an attacker’s & defender’s perspective.
– Detecting and responding to user account brute force attempts.
– Building controls against privilege escalation and access permission flaws.
– Attacking and defending against user role enumeration.
– Brute force attack detection using cloudTrail & Athena SQL queries.
– Automated notification for alarms and alerts.
– Architectural implementation of cross account logging for security analytics.
– Exercise on detecting IAM attacks in a simulated environment containing web application compromise and lateral movement.
*Building Malware detection and investigation on/for cloud infrastructure*
– Building clamAV & Yara based static scanner for S3 buckets using AWS lambda.
– Building signature update pipelines using static storage buckets to detect recent threats.
– Malware alert notification through SNS and slack channel.
– Adding advanced context to slack notification for quick remediation.
– Exercise on simulating a malware infection in AWS and building an automated detection & alerting system.
**Day 2:**
*Threat Response & Intelligence analysis techniques on/for Cloud infrastructure*
– Integrating playbooks for threat feed ingestion and Virustotal lookups.
– Building a SIEM-like service for advanced alerting and threat intelligence gathering using Elasticsearch.
– Creating a Security datalake for advanced analytics and intelligence search.
– Building dashboards and queries for real-time monitoring and analytics.
– CTF exercise to correlate multiple logs to determine the source of infection.
*Azure AD Attacks & Defenses*
– Azure AD enumeration & permission gathering.
– Privilege escalation & lateral movement through RBAC, service principals etc.
– Auditing & logging in Azure.
– Detecting attacks through KQL queries.
*Forensic Acquisition, analysis & Incident Response In the Cloud.*
– Building an Incident response ‘flight simulator’ in the cloud(AWS).
– Creating an API service for automated instance isolation and volume snapshots(AWS).
– lambda functions to perform instance isolation and status alerts(AWS).
– Automating alert using Sentinel(Azure) for threat analysis.
– Automating threat response through Azure logic apps.
– Implementing rulebook for cloud IR in an enterprise.
– Enforcing security measures and policies to avoid instance compromise.
*Multi-cloud Compliance*
– Building a multi-cloud security assessment & monitoring strategy.
– Automatic inventory and change detection in a multi-cloud environment.
– Implementing compliance standards and benchmark standards(CIS) to the cloud environment.
Why should people attend your course?
This is a unique course that is on the cloud and for the cloud. It helps train individuals on cloud terminologies and enables them to build scalable defense mechanisms for their services running in the public cloud. The training explicitly focuses on threat detection, Incident response, malware investigations, and forensic analysis of cloud infrastructure which is still a very less known domain in the market. The training is not going to use cloud-native security tools, but going to focus more on building analysis pipelines that are generic and can be implemented in any cloud environment. It emphasises on real-world Enterprise security challenges and focuses on solving problems at an organization level.
top 3 takeaways your students will learn
– Using cloud native technologies to build your own security services for your applications and services running in the cloud.
– Building real-time detection, monitoring and incident response capabilities for enterprise-level cloud security teams.
– Building Advanced automated pipelines through Detection-as-code features to defend public cloud infrastructures.
## Does your course focus on any proprietary product or platform?
No.
## Approximately what percentage of your course is lecture vs hands-on?
Hands-on: 65-70%. Lecture: 30-35%.
## How many hands-on labs (approx) are you planning to have? How long will they take?
Day 1: 6 hands-on labs: Approximately 6 hours
Day 2: 5 hands-on labs: Approximately 6 hours.
## Do you assign homework or after class exercises?
Yes. Students will be provided with Cloudformation templates for next day’s lessons.
## What are the keywords you would use to describe the topic areas covered by your course?
Cloud Security, DevSecOps, Red-team, Blue team, Infrastructure security.
## Who Should Take This Course:
– Cloud Security Analyst.
– Devsecops Engineer.
– Infrastructure Security Engineer.
– Cloud Security Architect.
– Cloud Solutions Architect.
– Cloud Pentesting Engineer.
– Red Team members.
– Blue team and Purple team members.
## Student Requirements
– Basic understanding of cloud services.
– Free tier AWS and Azure accounts registered before the class.
– System administration and linux cli.
– Able to write basic programs in python.
– Familiarity with SQL and KQL queries will be a plus.
## Is this course for beginners, intermediate or advanced students?
Intermediate & Advance.
## What Students Should Bring
– Laptop with internet access.
– Free tier account for AWS with commandline tools installed.
– Free Tier account for Azure with commandline tools installed.
– Read and complete the pre-training briefing document that will be sent a week before the training date.
– Solve the beginner CTF exercises before the training date. Details will be provided in the pre-training document.
## What Students Will Be Provided With
– “Cloud Defender” metal coin for all attendees of the training.
– PDF versions of slides that will be used during the training.
– Complete course guide containing 200+ pages in PDF format. It will contain step-by-step guidelines for all the exercises, labs, and a detailed explanation of concepts discussed during the training.
– 20+ pages of cloud security rulebook to implement cloud security controls in an enterprise.
– 15 day access to Slack channel & CTF platform.
– Infrastructure-as-code templates to deploy the test environments & simulations for continued practice after the class ends.
– Access to Github account for accessing custom-built source codes and tools.
– Collection of test malware samples, forensic images, detection rules and queries.
## Trainer bio
Abhinav Singh is a cybersecurity researcher with a decade long experience working for global leaders in security technology, financial institutions and as an independent trainer/consultant. He is the author of Metasploit Penetration Testing Cookbook (first, second & third editions) and Instant Wireshark Starter, by Packt. He is an active contributor to the security community in the form of patents, open-source tools, paper publications, articles, and blogs. His work has been quoted in several security and privacy magazines, and digital portals. He is a frequent speaker and trainer at eminent international conferences like Black Hat, RSA, DEF CON, BruCon, HITB, Hack In Paris, OWASP Appsec etc. His areas of expertise include malware research, reverse engineering, enterprise security, forensics, and cloud security.
## Previous Training:
#### 2023:
Insomni’hack, Geneva: https://insomnihack.ch/
OWASP AppSec Days, New Zealand, 2023: https://appsec.org.nz/
DEF CON Las Vegas: https://training.defcon.org/
Infosecworld: https://www.infosecworldusa.
BruCon(virtual): https://www.brucon.org/2023/
BruCon 2023: https://www.brucon.org/2023/
OWASP Lascon: https://lascon.org/pre-conf-
Blackhat MEA: https://blackhatmea.com/
#### 2022
– Defcon Las Vegas, Aug 2022: https://training.defcon.org/
– Hack in Paris June 2022: https://hackinparis.com/
– Insomnihack, Geneva, March 2022
– Blackhat EU 2022: https://www.blackhat.com/eu-
– Lascon 2022, SaintCon 2022.
#### 2020-2021
– Blackhat EU 2021: https://www.blackhat.com/eu-
– Troopers 2021, 2020: https://troopers.de/
– HITB 2020, 2021.