SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense, Artificial Intelligence
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
BETA
SEC559: Cloud and Hybrid Identity Security
SEC559Cloud Security
- 5 Days (Instructor-Led)
- 30 Hours
Course authored by:
Maxim Deweerdt
Course authored by:Maxim Deweerdt
- 30 CPEs
Apply your credits to renew your certifications
- In-Person or Virtual
Attend a live, instructor-led class from a location near you or virtually from anywhere
- Advanced Skill Level
Course material is geared for cyber security professionals with hands-on experience
- 20 Hands-On Lab(s)
Apply what you learn with hands-on exercises and labs
Attackers don't break in—they log in. Build the skills to detect, govern, and respond to identity-based attacks across the full identity lifecycle.
Course Overview
Today, identity is the main way to control access in organizations and is also the top target for attackers. Instead of using old methods, attackers now take advantage of tokens, applications, hybrid trust setups, and non-human identities to get ongoing and often hidden access. SEC559 gives defenders the knowledge and hands-on experience they need to secure, monitor, and respond to identity-based attacks in Microsoft Entra ID and hybrid Active Directory environments. The course covers topics like OAuth and token abuse, synchronization attacks, and cross-tenant trust risks. With real-world examples and practical labs, students learn how to spot, stop, and respond to modern identity threats throughout the entire identity lifecycle.
What You'll Learn
- Detect OAuth consent abuse, token replay, and Graph API misuse across user, workload, and agent identities
- Analyze OAuth, OIDC, and SAML authentication flows to identify anomalies in tokens, claims, and session behavior
- Identify and remediate compromised applications, service principals, and managed identities, including credential abuse and persistence
- Map and investigate identity attack paths across cloud and hybrid environments, including Active Directory to Microsoft Entra ID escalation scenarios
- Detect and respond to hybrid identity attacks such as synchronization abuse, federation trust manipulation, and Kerberos-based escalation
- Uncover governance and lifecycle weaknesses that enable long-term persistence, including overprivileged access and external identity abuse
- Execute safe, effective remediation by revoking sessions, rotating credentials, securing identity infrastructure, and restoring trust without disrupting operations
Business Takeaways
- Reduce risk from identity-based attacks that bypass traditional defenses by targeting the identity control plane
- Detect attackers operating with legitimate credentials, tokens, and application identities before they escalate access
- Prevent tenant-wide and domain-wide compromise by breaking identity attack paths early across cloud and hybrid environments
- Improve visibility across Microsoft Entra ID and Active Directory to enable faster, more accurate detection and response
- Strengthen Zero Trust by enforcing strong authentication, conditional access, and continuous session evaluation
- Mature identity governance programs by addressing privilege sprawl, ownership gaps, and lifecycle weaknesses
- Enhance incident response capabilities with repeatable processes to contain, remediate, and validate identity compromises across the full identity lifecycle
Meet Your Author
Maxim Deweerdt
Principal InstructorWith over 10 years of experience in cyber defense, Max has garnered insights spanning risk and compliance, threat hunting, incident response, and SOC operations. As a trusted advisor, he has served governments, large corporations, and businesses.
Read more about Maxim DeweerdtCourse Syllabus
Explore the course syllabus below to view the full range of topics covered in SEC559: Cloud and Hybrid Identity Security.
Section 1Identity as the Control Plane
Day 1 introduces identity as the core security control plane. Students explore identity types, applications, permissions, and relationships in Microsoft Entra ID, learning how misconfigurations, privilege paths, and ownership gaps create attack surfaces attackers’ exploit.
Topics covered
- Identity-first security model and control plane concepts
- Identity types: users, devices, workloads, and agents
- Applications, service principals, and managed identities
- Authorization model: roles, permissions, and Microsoft Graph
- Identity relationships, privilege paths, and attack surface
Labs
- Explore identity types and relationships in Entra Portal
- Manage applications and service principals
- Using managed identities
- Explore Graph API permissions and access paths
Section 2Authentication, Tokens and Session Security
Day 2 focuses on how authentication and token issuance define access in modern environments. Students analyze how tokens, sessions, and authentication methods work in Microsoft Entra ID, and how attackers abuse them to gain persistent, often invisible access.
Topics covered
- Authentication flows and identity providers vs relying parties
- Authentication strength: passwordless, FIDO2, and device binding
- Token model: access, refresh, PRT, and token chaining
- Token abuse: replay, persistence, device code, and session hijacking
- Conditional Access, session control, and token protection
Labs
- Implement phishing-resistant authentication
- Investigate OAuth tokens and relationships
- Simulate OAuth and token abuse scenarios
- Protect access with Conditional Access policies
Section 3Hybrid Identity and Active Directory Security
Day 3 expands identity security into hybrid environments, where Active Directory and Microsoft Entra ID form a combined control plane. Students analyze how synchronization, trust, and Kerberos enable cross-plane attacks and privilege escalation.
Topics covered
- Hybrid identity architecture and trust boundaries
- Identity synchronization models and object matching
- Sync infrastructure and connector identity risks
- Hybrid privilege escalation and cross-plane attack paths
- Kerberos, federation, and modern hybrid authentication models
Labs
- Investigate hybrid domain configurations in Entra
- Analyze Active Directory - Entra sync configuration
- Simulate hybrid privilege escalation
- Hybrid attack path analysis with AzureHound and BloodHound
Section 4Identity Governance, External Trust and Lifecycle Security
Day 4 focuses on identity governance and lifecycle security as critical controls for limiting attack persistence. Students analyze how weak ownership, excessive privileges, and external trust in Microsoft Entra ID enable long-term access.
Topics covered
- Identity lifecycle risks: joiner, mover, leaver and ownership gaps
- Privileged access governance: PIM, JIT, and break-glass accounts
- Access governance: reviews, entitlement management, and policies
- External identities, cross-tenant access, and delegated administration
- Governance failures enabling persistence and long-lived access
Labs
- Identify risky roles and PIM misconfigurations
- Analyze lifecycle and governance gaps
- Explore cross-tenant access and risks
- Identify persistence via external identities
Section 5Hybrid Identity Threat Detection, Prevention and Response
Day 5 focuses on detecting and responding to identity-based attacks across hybrid environments. Students use telemetry from Microsoft Entra ID and Active Directory to investigate attacks, contain compromised identities, and restore trust.
Topics covered
- Identity telemetry: sign-in, audit, and Graph activity logs
- Identity attack patterns across the kill chain
- Detecting token abuse, OAuth attacks, and session hijacking
- Hybrid attack detection: sync, federation, and trust abuse
- Incident response: containment, remediation, and validation
Labs
- Model identity attack paths
- Investigate sign-in and audit logs
- Investigate a hybrid attack chain
- Contain and remediate compromised identities
Things You Need To Know
Relevant Job Roles
Cloud Security Analyst Training, Salary, and Career Path
Cloud SecurityA Cloud Security Analyst monitors and analyzes activity across cloud environments, proactively detects and assesses threats, and implements preventive controls and targeted defenses to protect critical business systems and data.
Explore learning pathCloud Threat Detection and Response
Cloud SecurityMonitor, test, detect, and investigate threats to cloud environments.
Explore learning pathCourse Schedule and Pricing
Looking for Group Purchasing Options?Contact Us
Location & instructorDate & TimeCourse priceRegistration Options
- Date & TimeFetching schedule..Course price€7,715 EUR*Prices exclude applicable local taxes
Showing 1 of 1
Benefits of Learning with SANS
Get feedback from the world’s best cybersecurity experts and instructors
Choose how you want to learn - online, on demand, or at our live in-person training events
Get access to our range of industry-leading courses and resources