Live Online Training
Presented By: Abhinav Singh
This training focuses on elevating your threat detection, investigations, and response knowledge into the cloud.
This hands-on training with CTF-style exercises simulates real-life attack scenarios on cloud infrastructure and applications. It then teaches you to build defensive guardrails against such attacks using cloud-native services on AWS, which makes it an ideal class for both red and blue teams.
By the end of this training, participants will be able to:
- Use cloud technologies to detect IAM attacks.
- Understand cloud-native pivoting and privilege escalation techniques and how to defend against them.
- Use serverless functions to perform on-demand threat scans.
- Use containers to deploy threat detection services at scale.
- Build notification services to create alerts.
- Analyse malware-infected virtual machines to perform automated forensic investigation and artefact collection.
- Use Elasticsearch and Athena to build a SIEM and a security data lake for real-time threat intelligence and monitoring.
The two-day course will take place online on the 16th and 17th June 2021.
The price is £1,200 (inc VAT / £1,000 ex VAT).
Breach investigation, malware analysis, threat intelligence, and forensic investigation play a critical role in large-scale incident response teams. Traditional analysis tools and deployment methods are not built to support multiple security teams separated geographically. In addition, cloud-based workloads require their own monitoring, which poses a further challenge. This training addresses both problems by building scalable, automated services that perform investigation, reporting and alerting for cloud workloads directly on top of native cloud services.
The training begins with an introductory phase covering the technical and architectural fundamentals of the cloud and its services. We then dive into Identity and Access Management (IAM) based attack and defence scenarios, deploying attack templates to replicate real-life IAM attacks and implementing the countermeasures needed to enforce the principle of least privilege.
The second phase of the training covers cloud infrastructure security. It begins with building alerting services for common attack scenarios such as brute force and account takeover. We then focus on the persistence techniques attackers use to pivot into a cloud environment and how to defend against them. Using attack templates, we simulate use cases such as token hijacking and trail deletion, with an emphasis on building defensive measures at scale using cloud-native technologies.
The next part of cloud infrastructure security involves hands-on tool building for automated malware detection using Lambda functions. We cover CTF exercises on detecting malware at scale across the cloud infrastructure, and integrate additional features such as file-type determination and automated signature updates through object stores.
In the third phase, we dive deeper into security monitoring. We focus on building SIEM-like detection and alerting capability by deploying an Elasticsearch stack and Slack webhooks. We then extend this capability by building a security data lake, which enables large security teams to perform threat intelligence and correlation on historical security data.
The fourth phase of the training focuses on forensic investigation. We learn to build investigation playbooks using Step Functions to automate the investigation and reporting process. Examples include automated forensic artefact collection using Lambda functions, automated analysis, timeline building, process memory dumping, and alerting through Slack or SNS.
- Introduction to cloud services.
- Basic terminologies: IAM, VPC, AMI, serverless, ARNs etc.
- Understanding cloud deployment architecture.
- Introduction to Logging services in cloud.
- Introduction to shared responsibility model.
- Setting up your free tier account.
- Setting up AWS command-line interface.
- Understanding Cloud attack surfaces.
Detecting and monitoring against IAM attacks
- Identity & Access management crash course.
- Policy enumeration from an attacker’s & defender’s perspective.
- Detecting and responding to user account brute force attempts.
- Building anomaly detection using CloudWatch Events.
- Building controls against privilege escalation and access permission flaws.
- Attacking and defending against user role enumeration.
- Brute force attack detection using CloudTrail.
- Automated notification for alarms and alerts.
- Exercise on detecting IAM attacks in a simulated environment containing web application compromise and lateral movement.
Malware detection and investigation on/for cloud infrastructure
- Quick Introduction to cloud infrastructure security.
- Building a ClamAV-based static scanner for S3 buckets using AWS Lambda.
- Integrating serverless scanning of S3 buckets with the YARA engine.
- Building signature update pipelines using static storage buckets to detect recent threats.
- Malware alert notification through SNS and Slack channels.
- Adding advanced context to Slack notifications for quick remediation.
- Exercise on simulating a malware infection in AWS and building an automated detection & alerting system.
Threat Response & Intelligence analysis techniques on/for Cloud infrastructure
- Integrating playbooks for threat feed ingestion and VirusTotal lookups.
- Building a SIEM-like service for advanced alerting and threat intelligence gathering using Elasticsearch.
- Creating a security data lake for advanced analytics and intelligence search.
- Building dashboards and queries for real-time monitoring and analytics.
- CTF exercise to correlate multiple logs to determine the source of infection.
Network Security & monitoring for Cloud Infrastructure
- Understanding Network flow in cloud environment.
- Quick introduction to VPC, subnets and security groups.
- Using VPC flow logs to discover network threats.
- VPC traffic mirroring to detect malware command and control.
Forensic acquisition, analysis and intelligence gathering of cloud AMIs
- Analysis of an infected VM instance.
- Building an IR ‘flight simulator’ in the cloud.
- Creating a Step Functions rulebook for instance isolation and volume snapshots.
- Lambda functions to perform instance isolation and status alerts.
- Building a forensic analysis playbook to extract key artefacts, run Volatility and build case tracking.
- Automated timeline generation and memory dump.
- Storing the artefacts to S3 bucket.
- On-demand execution of a Sleuth Kit instance for detailed forensic analysis.
- Enforcing security measures and policies to avoid instance compromise.
Why should people attend this course?
This is a unique course which is on the cloud and for the cloud. It not only trains individuals in cloud terminology but also enables them to build scalable defence mechanisms for their services running in the public cloud. The training explicitly focuses on threat detection, incident response, malware investigation and forensic analysis of cloud infrastructure, which remains a relatively little-known domain in the market.
Top 3 takeaways students will learn
- Using cloud native technologies to build your own security services for your applications and services running in the cloud.
- Building real-time detection, monitoring and response capabilities for threat tracking and intelligence gathering.
- Building advanced automated pipelines through detection-as-code to defend public cloud infrastructure.
Who Should Take This Course:
- Red Team members
- Blue team and Purple team members
- Cloud Security Teams
- Incident responders and analysts
- Malware investigators and Analysts
- Threat intelligence analysts and Responders
Prerequisites:
- Basic understanding of cloud services
- System administration and the Linux CLI
- Able to write basic programs in Python
Is this course for beginners, intermediate or advanced students?
- Beginners and Intermediate
What Students Should Bring
- Laptop with internet access
- Free tier account for AWS
What Students Will Be Provided With
- PDF versions of slides that will be used during the training.
- A complete course guide of 200+ pages in PDF format, containing step-by-step guidelines for all the exercises and labs and a detailed explanation of the concepts discussed during the training.
- Slack channel to continue the discussion and access even after the training ends.
- Infrastructure-as-code templates to deploy the test environments & simulations for continued practice after the class ends.
- Access to a GitHub account for the custom-built source code and tools.
- Collection of test malware samples, forensic images, detection rules and queries.
About the Trainer
Abhinav Singh is a cybersecurity researcher with close to a decade of experience working for global leaders in security technology, financial institutions and as an independent trainer/consultant. He is the author of Metasploit Penetration Testing Cookbook (first, second and third editions) and Instant Wireshark Starter, published by Packt. He is an active contributor to the security community in the form of patents, open-source tools, paper publications, articles, and blogs. His work has been quoted in several security and privacy magazines and digital portals. He is a frequent speaker at eminent international conferences such as Black Hat, RSA and DEF CON. His areas of expertise include malware research, reverse engineering, enterprise security, forensics, and cloud security.