SEC588: Cloud Penetration Testing

GIAC Cloud Penetration Tester (GCPN)
GIAC Cloud Penetration Tester (GCPN)
  • In Person (6 days)
  • Online
36 CPEs
SEC588 will equip you with the latest cloud-focused penetration testing techniques and teach you how to assess cloud environments. The course dives into topics like cloud-based microservices, in-memory data stores, serverless functions, Kubernetes meshes, and containers. It also looks at how to identify and test cloud-first and cloud-native applications. You will also learn specific tactics for penetration testing in Azure and Amazon Web Services, particularly important given that AWS and Microsoft account for more than half the market. It is one thing to assess and secure a data center, but it takes a specialized skill set to evaluate and report on the risks to an organization if its cloud services are left insecure. 27 Hands-on Labs

What You Will Learn

You have been asked to perform a penetration test, security assessment, maybe an Attacker Simulation or a red team exercise. The environment in question is mainly cloud-focused. It could be entirely cloud-native for the service provider or Kubernetes-based. Perhaps the environment in question is even multi-cloud, having assets in both Amazon and Azure. What if you have to assess Azure Active Directory, Amazon Web Services (AWS) workloads, serverless functions, or Kubernetes? SEC588: Cloud Penetration Testing will teach you the latest penetration testing techniques focused on the cloud and how to assess cloud environments.

Computing workloads have been moving to the cloud for years. Analysts predict that most, if not all, companies will have soon have workloads in public and other cloud environments. While organizations that start in a cloud-first environment may eventually move to a hybrid cloud and local data center solution, cloud usage will not decrease significantly. So when assessing risks to an organization going forward, we need to be prepared to evaluate the security of cloud-delivered services.

The most commonly asked questions regarding cloud security when it comes to penetration testing are: Do I need to train specifically for engagements that are cloud-specific? and Can I accomplish my objectives with other pen test training and apply it to the cloud? In cloud-service-provider environments, penetration testers will not encounter a traditional data center design, there will be new attack surface areas in the service (control) planes of these environments. Learning how such an environment is designed and how you as a tester can assess what is in it is a niche skill set that must be honed. What we rely on to be true in a classical data center environment such as who owns the Operating System and the infrastructure and how the applications are running will likely be very different. Applications, services, and data will be hosted on a shared hosting environment unique to each cloud provider.

SEC588: Cloud Penetration Testing draws from many skill sets required to assess a cloud environment properly. If you are a penetration tester, the course will provide a pathway to understanding how to take your skills into cloud environments. If you are a cloud-security-focused defender or architect, the course will show you how the attackers are abusing cloud infrastructure to gain a foothold in your environments.

The course dives into topics of classic cloud Virtual Machines, buckets, and other new issues that appear in cloud-like microservices, in-memory data stores, files in the cloud, serverless functions, Kubernetes meshes, and containers. It also covers Azure and AWS penetration testing, which is particularly important given that AWS and Microsoft account for more than half of the market. The goal is not to demonstrate these technologies but to teach you how to assess and report on the actual risk your organization could face if these services are left insecure.

You Will Be Able To

  • Conduct cloud-based penetration tests
  • Assess cloud environments and bring value back to the business by locating vulnerabilities
  • Understand first-hand how cloud environments are constructed and how to scale factors into the gathering of evidence
  • Assess security risks in Amazon and Microsoft Azure environments, the two largest cloud platforms in the market today
  • Immediately apply what you have learned to your work

Business Takeaways

  • Learn how to assess and test cloud environments through real-world cloud-based labs
  • Understand the differences between cloud-native, multi-cloud, and cloud hybrid infrastructures
  • Penetration testing on real world microservices
  • Learn how containers and CI/CD Pipelines are abused
  • Attack Kubernetes, Serverless Functions, and Windows Containers
  • Understand how identity systems work in the cloud and how to attack them

You Will Receive With This Course

  • Access to the in-class Virtual Training Lab for 27 in-depth labs
  • Access to recorded course audio to help hammer home important penetration testing lessons

Syllabus (36 CPEs)

Download PDF
  • Overview

    In this initial course section students will conduct the first phases of a cloud-focused penetration testing assessment. We will get familiar with how the terms of service, demarcation points, and limits imposed by cloud service providers function. The section features labs on how to perform scans and discovery jobs on an Internet scale that can be used in near real time and through historical searches to uncover target infrastructure and vulnerabilities. We will also describe how web scale affects reconnaissance and how to best address it. The section helps you manually build an asset discovery pipeline that you can use for your external and internal reconnaissance. This crucial part of the class helps you discover the vulnerabilities you will leverage for the rest of the course.

    Exercises
    • Domain Discovery Lab
    • Portscans at Internet Scale
    • Identifying and Scanning Systems for Vulnerabilities Using Tools like Nuclei
    • Scaling Discovery with Frameworks like rEngine
    Topics
    • Testing Process
    • Testing and Limitations
    • Recon at Cloud Scale
    • Domain Discovery Tools and Wordlists
    • IP Addresses and Hosts
    • Mapping URLs and Wordlists
    • External Vulnerability Scanning
    • Visualizations during Recon
    • Asset Discovery Frameworks

  • Overview

    Identity systems are crucial to cloud infrastructure. They are often used to access cloud providers, software services, and other cloud-related technologies. Identity systems can even provide data plane access, such as a VPN. In this section, we will examine the various identity systems, looking at authentication, authorization, and unauthenticated access. Walking through protocols such as OAuth and OpenIDConnect will give the tester a better understanding of the breaking point of these systems. We finish the section by leveraging an app consent phishing exercise using Microsoft Graph to backdoor access into Microsoft Products.

    Exercises
    • Hunting for Key Material
    • Finding Valid Users in IdPs
    • Password Attacks
    • Hunting for Open File Shares
    • App Consent Phishing and Microsoft Graph

    Topics
    • Introduction to Authentication
    • Username Harvesting in the Cloud
    • Username Harvesting Tools
    • Passwords
    • Open File Shares
    • Introduction to Microsoft Cloud Services
    • Azure AD
    • Authentication Standards
    • App Consent Phishing and Microsoft Graph
  • Overview

    Cloud infrastructure lends itself to potential privilege escalation through mechanisms afforded to systems administrators and developers. We can abuse these features to move laterally, escalate privileges, or change our permission sets. This course section walks students through several Compute automation structures where we can perform attacks on cloud targets to show each use case. The section is hefty on labs to enforce the concepts of how these attacks operate with or without attacker tools.

    Throughout the section, students will apply what they have learned from the previous two sections to abuse Compute, Identity, and Permissions in AWS and Azure. From looking for misconfigured AssumeRole issues in an account to leveraging an overly permissive account, we will show how you can go from the control plane to the data plane in an environment. The concepts learned apply to other clouds covered in the course, such as GCP, OCI and others.

    Exercises
    • CLI Tools
    • EC2 Attack Setup
    • Pacu Lab
    • AssumeRole Lab
    • Azure VMs
    • Running Commands on Azure VMs

    Topics
    • AWS CLI
    • Filtering and Output
    • AWS IAM
    • AWS KMS
    • AWS IAM and Privilege Escalation
    • AWS Compute
    • Compute Attack Scenarios
    • PACU
    • Socat and Shells
    • Confused Deputy
    • Azure VMs
    • Code Execution on Azure

  • Overview

    This course section focuses on what are referred to as cloud-native applications. While we look at web applications themselves, the section is designed to show how cloud-native applications operate and how we can assess them. Applications in the wild are increasingly container-packaged and microservice-oriented. They are also primarily stateless applications that require different patterns to use. These applications will have their unique nuances. They will typically be deployed in a service mesh that could indicate a system like Kubernetes is being used. Some of the questions we will explore in this section include:

    • Which application vulnerabilities are critical in my environment?
    • How do Serverless and Lambda change my approach?
    • What is the continuous integration/continuous delivery (CI/CD) pipeline, and how can it be abused?
    • How do microservice applications operate?

    The section will cover technologies such as AWS Lambda, Azure Functions, CI/CD pipelines, Terraform and Infrastructure as Code, Command Line injections and limitations between languages, and working with new and traditional databases.

    Exercises
    • Terraform State Files
    • Backdooring CI/CD Pipelines
    • SSRF Impacts on Cloud Environments
    • Command Line Injections
    • SQL Injections
    • Attacks on Serverless Functions
    • Databases, NoSQL, and Exposed Ports

    Topics
    • Introduction to Cloud Native Attacks
    • Mapping Applications
    • Infrastructure as Code
    • Deployment Pipelines and Attacks
    • Web Application Injections
    • Server-Side Request Forgeries and Their Impacts
    • Command Line Injections
    • Serverless Functions Attacks
    • Exposed Databases and Ports
    • SQL Injections in Cloud Applications

  • Overview

    This course section explores the world of Kubernetes and infrastructures, then dives into exploitation and red teaming in the cloud. Container technologies like Docker are explored in-depth. Since students will have a base understanding of our target environments by this point in the course, we will explore how to exploit what we have found, advance further into the environments, and finally move around laterally. The section will focus on breaking out containers, understanding service meshes, and exfiltrating data in various ways to show the real business impact of these attacks. We will wrap up the section by discussing strategies you can use to build attack infrastructure leveraging the cloud, including exploring strategies you can use with cloud providers to conduct operations on the target infrastructure.

    Exercises
    • Docker Labs
    • Kubernetes and Peirates Lab
    • Backdooring Containers
    • Web Shells
    • Domain Fronting

    Topics
    • Docker
    • Kubernetes
    • Backdooring Containers
    • Red Team and Exploitation
    • Payloads and Payload Selection
    • Red Team Ops in the Cloud
    • Obfuscating in the Cloud

  • Overview

    In the final course section, be prepared to work as a team and complete an end-to-end assessment in a new cloud environment. The applications and settings are all newly designed to imitate real-world environments. This capstone event allows students to put together the all the knowledge acquired during the week, reinforce theory and practice, and simulate an end-to-end test. Students will be asked to write a report using a method that is easy to read for both developers and administrative staff. We will provide students with a few rubrics and ways to work through the scenarios. There are always new and novel solutions, and we like students to share what they have learned and how they did what they did with one another.

GIAC Cloud Penetration Tester

The GIAC Cloud Penetration Tester (GCPN) certification validates a practitioner's ability to conduct cloud-focused penetration testing and assess the security of systems, networks, architecture, and cloud technologies.

  • Cloud Penetration Testing Fundamentals, Environment Mapping, and Service Discovery
  • AWS and Azure Cloud Services and Attacks
  • Cloud Native Applications with Containers and CI/CD Pipelines
More Certification Details

Prerequisites

Courses that can lead up to SEC588 include:

This course has many labs that are run from the command line, so students must come prepared with the following base level of knowledge:

  • Familiarity with Linux bash; not expert level, but a base understanding.
  • Basic familiarity with Azure and AWS CLI tools. Watching a simple introductory video will suffice.
  • Base understanding of networking and TCP/IP.
  • A sense of how Port Pivots work using Netcat and SSH

Students who have taken SEC560 will have the knowledge needed on some of the topics above, but they may want to also look at the following:

Students coming from SEC540 or a different cloud course will want to look over the following materials:

Laptop Requirements

Important! Bring your own system configured according to these instructions.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will not be able to fully participate in hands-on exercises in your course. Therefore, please arrive with a system meeting all of the specified requirements.

Back up your system before class. Better yet, use a system without any sensitive/critical data. SANS is not responsible for your system or data.

MANDATORY SEC588 SYSTEM HARDWARE REQUIREMENTS
  • CPU: 64-bit Intel i5/i7 (8th generation or newer), or AMD equivalent. A x64 bit, 2.0+ GHz or newer processor is mandatory for this class.
  • CRITICAL: Apple Silicon devices cannot perform the necessary virtualization and therefore cannot in any way be used for this course.
  • BIOS settings must be set to enable virtualization technology, such as "Intel-VTx" or "AMD-V" extensions. Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary.
  • 8GB of RAM or more is required.
  • 60GB of free storage space or more is required.
  • At least one available USB 3.0 Type-A port. A Type-C to Type-A adapter may be necessary for newer laptops. Some endpoint protection software prevents the use of USB devices, so test your system with a USB drive before class.
  • Wireless networking (802.11 standard) is required. There is no wired Internet access in the classroom.
MANDATORY SEC588 HOST CONFIGURATION AND SOFTWARE REQUIREMENTS
  • Your host operating system must be the latest version of Windows 10, Windows 11, or macOS 10.15.x or newer.
  • Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
  • Linux hosts are not supported in the classroom due to their numerous variations. If you choose to use Linux as your host, you are solely responsible for configuring it to work with the course materials and/or VMs.
  • Local Administrator Access is required. (Yes, this is absolutely required. Don't let your IT team tell you otherwise.) If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
  • You should ensure that antivirus or endpoint protection software is disabled, fully removed, or that you have the administrative privileges to do so. Many of our courses require full administrative access to the operating system and these products can prevent you from accomplishing the labs.
  • Any filtering of egress traffic may prevent accomplishing the labs in your course. Firewalls should be disabled or you must have the administrative privileges to disable it.
  • Download and install VMware Workstation Pro 16.2.X+ or VMware Player 16.2.X+ (for Windows 10 hosts), VMware Workstation Pro 17.0.0+ or VMware Player 17.0.0+ (for Windows 11 hosts), or VMWare Fusion Pro 12.2+ or VMware Fusion Player 11.5+ (for macOS hosts) prior to class beginning. If you do not own a licensed copy of VMware Workstation Pro or VMware Fusion Pro, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website. Also note that VMware Workstation Player offers fewer features than VMware Workstation Pro. For those with Windows host systems, Workstation Pro is recommended for a more seamless student experience.
  • On Windows hosts, VMware products might not coexist with the Hyper-V hypervisor. For the best experience, ensure VMware can boot a virtual machine. This may require disabling Hyper-V. Instructions for disabling Hyper-V, Device Guard, and Credential Guard are contained in the setup documentation that accompanies your course materials.
  • Download and install 7-Zip (for Windows Hosts) or Keka (for macOS hosts). These tools are also included in your downloaded course materials.

Your course media is delivered via download. The media files for class can be large. Many are in the 40-50GB range, with some over 100GB. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Do not wait until the night before class to start downloading these files.

Your course materials include a "Setup Instructions" document that details important steps you must take before you travel to a live class event or start an online class. It may take 30 minutes or more to complete these instructions.

Your class uses an electronic workbook for its lab instructions. In this new environment, a second monitor and/or a tablet device can be useful for keeping class materials visible while you are working on your course's labs.

If you have additional questions about the laptop specifications, please contact support.

Author Statement

When I was first asked about putting together a cloud penetration testing class, there were many questions. Could there be room for a class as niche as this? We felt the need to have a class with all new material and topics we had not covered in our other penetration testing classes. I believe we have met that need with SEC588 in ways most could not have imagined. This course breaks the rules and allows us to help you test, assess, and secure cloud environments.

- Moses Frost

Reviews

Meticulously designed, SEC588 balances in-depth theory with practical labs, addressing today's pivotal cloud security challenges. This course is indispensable for security professionals seeking cutting-edge knowledge.
Armin Iraqi
Fortum
SANS course SEC588 taught me more than I expected. With the rapid development of new technologies offered by cloud providers, SEC588 has given me an important framework for cloud pen testing.
Jonus Gerrits
Phillips66
SEC588 taught me crucial information needed before putting data in a cloud.
Maria Lopez
NVCC
This emerging course perfectly complements the change in the direction of red team engagement scopes.
Kyle Spaziani
Sanofi

    Register for SEC588

    Learn about Group Pricing

    Prices below exclude applicable taxes and shipping costs. If applicable, these will be shown on the last page of checkout.

    Loading...