Abhinav Singh - Cloud Attacks & Defense: A Practitioner's guide to Securing AWS & Azure Infrastructure for Enterprises EARLY €3,000 $3,900
Cloud Attacks & Defense: A Practitioner's guide to Securing AWS & Azure Infrastructure for Enterprises
Track : Cloud
Secondary: Defense
Format: 4-Day Training
Learn to defend your AWS & Azure cloud infrastructure by building highly scalable threat detection, Incident response and auto-remediation pipelines by using native cloud services like serverless, containers, object stores, IAM/Entra-ID, logic apps, SQL/KQL queries and much more. The training extends the knowledge into more advance enterprise use-cases like cross-account logging & monitoring, multi-cloud compliance and data security. This training focuses on building security knowledge on the cloud and for the cloud.
By the end of this training, we will be able to(Both AWS & Azure):
- Use cloud technologies to detect & build automated responses against IAM & EntraID attacks.
- Understand and mitigate advanced identity based attacks like pivoting and privilege escalation and build defense techniques against them.
- Use serverless functions and containers to build highly scalable, on-demand threat scanning service.
-
- Build notification services to create detection alerts on real-time SIEM using Slack.
- Analyze malware-infected virtual machines to learn cloud pivot techniques.
- Build cross-account Incident Response service using API gateway and perform auto-remediation and analysis.
- Define step functions & logic apps to implement automated forensic artifacts collection for cloud resources.
- Build cloud security response playbooks for defense evasion, persistence and lateral movements.
- Enforce multi-cloud security strategy through assessments, compliance checks and benchmarking automation.
- Understand how APTs operate in cloud infrastructures through attack simulations.
Course Syllabus/Outline
Day 1:
Introduction
- Introduction to cloud services
- Basic terminologies: IAM, VPC, AMI, serverless, ARNs etc.
- Understanding cloud deployment architecture.
- Introduction to Logging services in cloud.
- Introduction to shared responsibility model.
- Setting up your free tier account.
- Setting up AWS command-line interface.
- Understanding Cloud attack surfaces.
Detecting and monitoring against AWS IAM attacks.
- Identity & Access management crash course.
- Policy enumeration from an attacker's & defender's perspective.
- Detecting and responding to user account brute force attempts.
- Building anomaly detection using CloudWatch events.
- Building controls against privilege escalation and access permission flaws.
- Attacking and defending against user role enumeration.
- Brute force attack detection using cloudTrail.
- Automated notification for alarms and alerts.
- Exercise on detecting IAM attacks in a simulated environment containing web application compromise and lateral movement.
- Using credentials reports for finding gaps in AWS IAM.
Malware detection and investigation on/for cloud infrastructure(AWS)
- Quick Introduction to cloud infrastructure security.
- Building clamAV based static scanner for S3 buckets using AWS lambda.
- Integrating serverless scanning of S3 buckets with yara engine.
- Building signature update pipelines using static storage buckets to detect recent threats.
- Malware alert notification through SNS and slack channel.
- Adding advanced context to slack notification for quick remediation.
- Exercise on simulating a malware infection in AWS and building an automated detection & alerting system.
Day 2:
Threat Response & Intelligence analysis techniques on/for Cloud infrastructure (AWS)
- Integrating playbooks for threat feed ingestion and Virustotal lookups.
- Building a SIEM-like service for advance alerting and threat intelligence gathering using Elasticsearch.
- Creating a Security datalake for advance analytics and intelligence search.
- Building dashboards and queries for real-time monitoring and analytics.
- CTF exercise to correlate multiple logs to determine the source of infection.
Forensic Acquisition, analysis and intelligence gathering of cloud AMI's in AWS.
- Analysis of an infected VM instance.
- Building an IR 'flight simulator' in the cloud.
- Creating a step function rulebook for instance isolation and volume snapshots.
- lambda functions to perform instance isolation and status alerts.
- Building forensic analysis playbook to extract key artifacts, run volatility and build case tracking.
- Automated timeline generation and memory dump.
- Storing the artifacts to S3 bucket.
- Enforcing security measures and policies to avoid instance compromise.
Day 3:
Azure EntraID(AD) Enumeration and Attacks
- Introduction to Azure AD and Azure Cloud.
- Azure AD enumeration & permission gathering.
- Understanding Azure principals.
- Enumerating compromised user for permission access.
- Enumerating key services like key vault, blob storage etc.
Azure Lateral movement and Privilege escalation
- Abusing Managed identities for lateral movement in Azure cloud.
- Privilege escalation through RBAC, service principals etc.
- Building persistence through Automation accounts.
- Auditing & logging in Azure.
- Detecting attacks through KQL queries.
Azure Forensics
- Auditing First-party Service principals with added credentials.
- Detecting High privileged applications and tracing risk paths.
- Building Azure workbooks for AD events investigation.
- KQL queries for detection and monitoring of
Day 4:
Azure Resource Forensics
- Automating alerts using Sentinel(Azure) for threat analysis.
- Automating threat response through Azure logic apps.
- Implementing rulebook for cloud IR in an enterprise.
- Enforcing security measures and policies to avoid instance compromise.
- Sub-domain takeover detection & mitigation in Azure DNS.
Multi-cloud Compliance
- Building a multi-cloud security assessment & monitoring strategy.
- Automatic inventory and change detection in a multi-cloud environment.
- Implementing compliance standards and benchmark standards(CIS) to the cloud environment.
CTF
- CTF focusing on lessons covered during the training.
- Solution discussion and additional resources.
Why should people attend your course?
This is a unique course that is on the cloud and for the cloud. It helps train the individuals on cloud terminologies and enables them to build scalable defense mechanisms for their services running in the public cloud. The training explicitly focuses on threat detection, Incident response, malware investigations, and forensic analysis of cloud infrastructure which is still a very less known domain in the market.
Please list the top 3 takeaways your students will learn
- Using cloud native technologies to build your own security services for your applications and services running in the cloud.
- Building real-time detection, monitoring and response capabilities for threat tracking and intelligence gathering
- Building Advanced automated pipelines through Detection-as-code features to defend public cloud infrastructures.
Does your course focus on any proprietary product or platform?
No.
Approximately what percentage of your course is lecture vs hands-on?
Hands-on: 65-70%. Lecture: 30-35%.
How many hands-on labs (approx) are you planning to have? How long will they take?
Day 1: 6 hands-on labs: Approximately 6 hours
Day 2: 5 hands-on labs: Approximately 6 hours.
Day 3: 4 hands-on labs: Approximately 4.5 hours.
Day 4: 3 hands-on labs and CTF: Approximately 5 hours.
Do you assign homework or after class exercises?
Yes. Students will be provided with Cloudformation templates for next day's lessons.
What are the keywords you would use to describe the topic areas covered by your course?
Cloud Security, DevSecOps, Red-team, Blue team, Infrastructure security
Who Should Take This Course:
- Cloud Security Analyst.
- Devsecops Engineer.
- Infrastructure Security Engineer.
- Cloud Security Architect.
- Cloud Solutions Architect.
- Cloud Pentesting Engineer.
- Red Team members.
- Blue team and Purple team members.
Student Requirements
- Basic understanding of cloud services.
- Free tier AWS and Azure accounts registered before the class.
- System administration and linux cli.
- Able to write basic programs in python.
- Familiarity with SQL and KQL queries will be a plus.
- Complete the pre-training setup before the class starts.
Is this course for beginners, intermediate or advanced students?
Beginners and Intermediate.
What Students Should Bring
- Laptop with internet access.
- Free tier account for AWS with commandline tools installed.
- Free Tier account for Azure with commandline tools installed.
- Read and complete the pre-training briefing document that will be sent a week before the training date.
- Solve the beginner CTF exercises before the training date. Details will be provided in the pre-training document.
What Students Will Be Provided With
- "Cloud Attack & Defense" metal coin for all attendees of the training.
- PDF versions of slides that will be used during the training.
- Complete course guide containing 200+ pages in PDF format. It will contain step-by-step guidelines for all the exercises, labs, and a detailed explanation of concepts discussed during the training.
- 20+ pages of cloud security rulebook to implement cloud security controls in an enterprise.
- 15 day access to Slack channel & CTF platform.
- Infrastructure-as-code templates to deploy the test environments & simulations for continued practice after the class ends.
- Access to Github account for accessing custom-built source codes and tools.
- Collection of test malware samples, forensic images, detection rules and queries.
Trainer bio
Abhinav Singh is a cybersecurity researcher with a decade long experience working for global leaders in security technology, financial institutions and as an independent trainer/consultant. He is the author of Metasploit Penetration Testing Cookbook (first, second & third editions) and Instant Wireshark Starter, by Packt. He is an active contributor to the security community in the form of patents, open-source tools, paper publications, articles, and blogs. His work has been quoted in several security and privacy magazines, and digital portals. He is a frequent speaker and trainer at eminent international conferences like Black Hat, RSA & Defcon. His areas of expertise include malware research, reverse engineering, enterprise security, forensics, and cloud security.
Previous Training:
2023:
- Blackhat
- DEFCON Las Vegas
- OWASP AppSec Days, New Zealand
- RSA Conference
- Insomni'hack, Geneva
- Infosecworld
- BruCon(virtual)
- BruCon 2023
- OWASP Lascon
2022
- Defcon Las Vegas, Aug 2022
- Hack in Paris June 2022
- Insomnihack, Geneva, March 2022
- Blackhat 2022
- Lascon 2022, SaintCon 2022.
2019-2021
- Blackhat EU 2021
- Troopers 2021, 2020
- HITB 2020, 2021.
- OWASP Appsec Days 2021.
- Insomnihack 2019, HITB 2019.
DATE: November 11th-14th, 2024
TIME: 8am to 5pm
VENUE: Holiday Inn Express, Canal De La Villette, Paris
TRAINER: Abhinav Singh
- 32 hours of training with a certificate of completion.
- 2 coffee breaks are provided per day
- Note: Food is not included
-VAT included in the price.
Payment via wire is accepted.
Wire Instructions:
SWIFT/BIC code: WFBIUS6S
Bank Name: Wells Fargo Bank
Bank Address: 420 Montgomery San Francisco, CA 94104
Account Name: Def Con Communications Inc
Routing number: 121000248
Account number: 2019560081
You'll receive confirmation within 1 business day.
Registration terms and conditions:
Trainings are refundable before September 15th, the processing fee is €250.
Trainings are non-refundable after October 1st, 2024.
Training tickets may be transferred. Please email us for specifics.
Failure to attend the Training without prior written notification, will be considered a No-Show. No refund will be given.
By purchasing this ticket you agree to abide by the DCT Code of Conduct and the registration terms and conditions listed above.