
SEC588: Cloud Penetration Testing

GIAC Cloud Penetration Tester (GCPN)
  • In Person (6 days)
  • Online
36 CPEs

SEC588 will equip you with the latest cloud-focused penetration testing techniques and teach you how to assess cloud environments. The course dives into topics like cloud-based microservices, in-memory data stores, serverless functions, Kubernetes meshes, and containers. It also looks at how to identify and test cloud-first and cloud-native applications. You will also learn specific tactics for penetration testing in Azure and Amazon Web Services, particularly important given that AWS and Microsoft account for more than half the market. It is one thing to assess and secure a data center, but it takes a specialized skill set to evaluate and report on the risks to an organization if its cloud services are left insecure.

27 Hands-on Labs

What You Will Learn

You have been asked to perform a penetration test, security assessment, maybe an Attacker Simulation or a red team exercise. The environment in question is mainly cloud-focused. It could be entirely cloud-native for the service provider or Kubernetes-based. Perhaps the environment in question is even multi-cloud, having assets in both Amazon and Azure. What if you have to assess Azure Active Directory, Amazon Web Services (AWS) workloads, serverless functions, or Kubernetes? SEC588: Cloud Penetration Testing will teach you the latest penetration testing techniques focused on the cloud and how to assess cloud environments.

Computing workloads have been moving to the cloud for years. Analysts predict that most, if not all, companies will soon have workloads in public and other cloud environments. While organizations that start in a cloud-first environment may eventually move to a hybrid cloud and local data center solution, cloud usage will not decrease significantly. So when assessing risks to an organization going forward, we need to be prepared to evaluate the security of cloud-delivered services.

The most commonly asked questions regarding cloud security when it comes to penetration testing are: "Do I need to train specifically for engagements that are cloud-specific?" and "Can I accomplish my objectives with other pen test training and apply it to the cloud?" In cloud-service-provider environments, penetration testers will not encounter a traditional data center design; instead, there will be new attack surface areas in the service (control) planes of these environments. Learning how such an environment is designed, and how you as a tester can assess what is in it, is a niche skill set that must be honed. What we rely on to be true in a classical data center environment, such as who owns the operating system and the infrastructure and how the applications are running, will likely be very different. Applications, services, and data will be hosted on a shared hosting environment unique to each cloud provider.

SEC588: Cloud Penetration Testing draws from many skill sets required to assess a cloud environment properly. If you are a penetration tester, the course will provide a pathway to understanding how to take your skills into cloud environments. If you are a cloud-security-focused defender or architect, the course will show you how the attackers are abusing cloud infrastructure to gain a foothold in your environments.

The course dives into topics of classic cloud Virtual Machines, buckets, and other new issues that appear in cloud-like microservices, in-memory data stores, files in the cloud, serverless functions, Kubernetes meshes, and containers. It also covers Azure and AWS penetration testing, which is particularly important given that AWS and Microsoft account for more than half of the market. The goal is not to demonstrate these technologies but to teach you how to assess and report on the actual risk your organization could face if these services are left insecure.

You Will Be Able To

  • Conduct cloud-based penetration tests
  • Assess cloud environments and bring value back to the business by locating vulnerabilities
  • Understand first-hand how cloud environments are constructed and how scale factors into the gathering of evidence
  • Assess security risks in Amazon and Microsoft Azure environments, the two largest cloud platforms in the market today
  • Immediately apply what you have learned to your work

Business Takeaways

  • Learn how to assess and test cloud environments through real-world cloud-based labs
  • Understand the differences between cloud-native, multi-cloud, and cloud hybrid infrastructures
  • Penetration testing on real world microservices
  • Learn how containers and CI/CD Pipelines are abused
  • Attack Kubernetes, Serverless Functions, and Windows Containers
  • Understand how identity systems work in the cloud and how to attack them

You Will Receive With This Course

  • Access to the in-class Virtual Training Lab for 27 in-depth labs
  • Access to recorded course audio to help hammer home important penetration testing lessons

Syllabus (36 CPEs)

  • Overview

    In this initial course section students will conduct the first phases of a cloud-focused penetration testing assessment. We will get familiar with how the terms of service, demarcation points, and limits imposed by cloud service providers function. The section features labs on how to perform scans and discovery jobs on an Internet scale that can be used in near real time and through historical searches to uncover target infrastructure and vulnerabilities. We will also describe how web scale affects reconnaissance and how to best address it. The section helps you manually build an asset discovery pipeline that you can use for your external and internal reconnaissance. This crucial part of the class helps you discover the vulnerabilities you will leverage for the rest of the course.

    Exercises
    • Domain Discovery Lab
    • Portscans at Internet Scale
    • Identifying and Scanning Systems for Vulnerabilities Using Tools like Nuclei
    • Scaling Discovery with Frameworks like rEngine
    Topics
    • Testing Process
    • Testing and Limitations
    • Recon at Cloud Scale
    • Domain Discovery Tools and Wordlists
    • IP Addresses and Hosts
    • Mapping URLs and Wordlists
    • External Vulnerability Scanning
    • Visualizations during Recon
    • Asset Discovery Frameworks

  • Overview

    Identity systems are crucial to cloud infrastructure. They are often used to access cloud providers, software services, and other cloud-related technologies. Identity systems can even provide data plane access, such as a VPN. In this section, we will examine the various identity systems, looking at authentication, authorization, and unauthenticated access. Walking through protocols such as OAuth and OpenID Connect will give the tester a better understanding of the breaking points of these systems. We finish the section by leveraging an app consent phishing exercise using Microsoft Graph to backdoor access into Microsoft products.

    Exercises
    • Hunting for Key Material
    • Finding Valid Users in IdPs
    • Password Attacks
    • Hunting for Open File Shares
    • App Consent Phishing and Microsoft Graph

    Topics
    • Introduction to Authentication
    • Username Harvesting in the Cloud
    • Username Harvesting Tools
    • Passwords
    • Open File Shares
    • Introduction to Microsoft Cloud Services
    • Azure AD
    • Authentication Standards
    • App Consent Phishing and Microsoft Graph
  • Overview

    Cloud infrastructure lends itself to potential privilege escalation through mechanisms afforded to systems administrators and developers. We can abuse these features to move laterally, escalate privileges, or change our permission sets. This course section walks students through several Compute automation structures where we can perform attacks on cloud targets to show each use case. The section is hefty on labs to enforce the concepts of how these attacks operate with or without attacker tools.

    Throughout the section, students will apply what they have learned from the previous two sections to abuse Compute, Identity, and Permissions in AWS and Azure. From looking for misconfigured AssumeRole issues in an account to leveraging an overly permissive account, we will show how you can go from the control plane to the data plane in an environment. The concepts learned apply to other clouds covered in the course, such as GCP, OCI and others.

    Exercises
    • CLI Tools
    • EC2 Attack Setup
    • Pacu Lab
    • AssumeRole Lab
    • Azure VMs
    • Running Commands on Azure VMs

    Topics
    • AWS CLI
    • Filtering and Output
    • AWS IAM
    • AWS KMS
    • AWS IAM and Privilege Escalation
    • AWS Compute
    • Compute Attack Scenarios
    • PACU
    • Socat and Shells
    • Confused Deputy
    • Azure VMs
    • Code Execution on Azure

  • Overview

    This course section focuses on what are referred to as cloud-native applications. While we look at web applications themselves, the section is designed to show how cloud-native applications operate and how we can assess them. Applications in the wild are increasingly container-packaged and microservice-oriented. They are also primarily stateless applications that require different patterns to use. These applications will have their unique nuances. They will typically be deployed in a service mesh that could indicate a system like Kubernetes is being used. Some of the questions we will explore in this section include:

    • Which application vulnerabilities are critical in my environment?
    • How do Serverless and Lambda change my approach?
    • What is the continuous integration/continuous delivery (CI/CD) pipeline, and how can it be abused?
    • How do microservice applications operate?

    The section will cover technologies such as AWS Lambda, Azure Functions, CI/CD pipelines, Terraform and Infrastructure as Code, Command Line injections and limitations between languages, and working with new and traditional databases.

    Exercises
    • Terraform State Files
    • Backdooring CI/CD Pipelines
    • SSRF Impacts on Cloud Environments
    • Command Line Injections
    • SQL Injections
    • Attacks on Serverless Functions
    • Databases, NoSQL, and Exposed Ports

    Topics
    • Introduction to Cloud Native Attacks
    • Mapping Applications
    • Infrastructure as Code
    • Deployment Pipelines and Attacks
    • Web Application Injections
    • Server-Side Request Forgeries and Their Impacts
    • Command Line Injections
    • Serverless Functions Attacks
    • Exposed Databases and Ports
    • SQL Injections in Cloud Applications

  • Overview

    This course section explores the world of Kubernetes and infrastructures, then dives into exploitation and red teaming in the cloud. Container technologies like Docker are explored in-depth. Since students will have a base understanding of our target environments by this point in the course, we will explore how to exploit what we have found, advance further into the environments, and finally move around laterally. The section will focus on breaking out containers, understanding service meshes, and exfiltrating data in various ways to show the real business impact of these attacks. We will wrap up the section by discussing strategies you can use to build attack infrastructure leveraging the cloud, including exploring strategies you can use with cloud providers to conduct operations on the target infrastructure.

    Exercises
    • Docker Labs
    • Kubernetes and Peirates Lab
    • Backdooring Containers
    • Web Shells
    • Domain Fronting

    Topics
    • Docker
    • Kubernetes
    • Backdooring Containers
    • Red Team and Exploitation
    • Payloads and Payload Selection
    • Red Team Ops in the Cloud
    • Obfuscating in the Cloud

  • Overview

    In the final course section, be prepared to work as a team and complete an end-to-end assessment in a new cloud environment. The applications and settings are all newly designed to imitate real-world environments. This capstone event allows students to put together all the knowledge acquired during the week, reinforce theory and practice, and simulate an end-to-end test. Students will be asked to write a report using a method that is easy to read for both developers and administrative staff. We will provide students with a few rubrics and ways to work through the scenarios. There are always new and novel solutions, and we like students to share what they have learned and how they did what they did with one another.

GIAC Cloud Penetration Tester

The GCPN certification validates a practitioner's ability to conduct cloud-focused penetration testing and assess the security of systems, networks, architecture, and cloud technologies.

  • Cloud Penetration Testing Fundamentals, Environment Mapping, and Service Discovery
  • AWS and Azure Cloud Services and Attacks
  • Cloud Native Applications with Containers and CI/CD Pipelines

Prerequisites

Courses that can lead up to SEC588 include:

SANS SEC488: Cloud Security Essentials

SANS SEC542: Web Application Penetration Testing and Ethical Hacking

SANS SEC540: Cloud Security and DevOps Automation

SANS SEC560: Network Penetration Testing and Ethical Hacking

This course has many labs that are run from the command line, so students must come prepared with the following base level of knowledge:

  • Familiarity with Linux bash; not expert level, but a base understanding.
  • Basic familiarity with Azure and AWS CLI tools. Watching a simple introductory video will suffice.
  • Base understanding of networking and TCP/IP.
  • A sense of how Port Pivots work using Netcat and SSH

Students who have taken SEC560 will have the knowledge needed on some of the topics above, but they may want to also look at the following:

Students coming from SEC540 or a different cloud course will want to look over the following materials:

Laptop Requirements

Important! Bring your own system configured according to these instructions!

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

It is critical that you back up your system before class. It is also strongly advised that you do not bring a system storing any sensitive data.

System Hardware Requirements

CPU

  • 64-bit Intel i5/i7 2.0+ GHz processor
  • Your system's processor must be a 64-bit Intel i5 or i7 2.0 GHz processor or higher. Your CPU and OS must support a 64-bit guest virtual machine.
    • VMware provides a free tool for Windows that will detect whether your host supports 64-bit guest virtual machines.
    • Windows users can use this article to learn more about their CPU and OS capabilities.
    • Apple users can use this support page to learn more information about Mac 64-bit capability.

BIOS

  • Enabled Intel-VT
  • Intel's VT (VT-x) hardware virtualization technology should be enabled in your BIOS or UEFI settings. You must be able to access the BIOS in your system throughout the class. If your BIOS is password-protected, you must have the password.

USB

  • At least one available USB 3.0 type-A port is required for copying large data files from the USB 3.0 thumb drives we provide in class. The USB port must not be locked in hardware or software. Some newer laptops may have only the smaller type-C ports. In this case, you will need to bring a USB type-C to type-A adapter.

RAM

  • 8 GB RAM (4 GB minimum) is required for the best experience. To verify on Windows 10, press Windows key + I to open Settings, then click System then About. Your RAM information will be toward the bottom of the page. To verify on a Mac, click the Apple logo at the top left-hand corner of your display and then click About this Mac.

Hard Drive Free Space

  • 60 GB of FREE space on the hard drive is critical to host the virtual machines and additional files we distribute. SSD drives are also highly recommended, as they allow virtual machines to run much faster than mechanical hard drives.

Operating System

  • The latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run the VMware virtualization products described below is required. It is necessary to fully update your host operating system prior to the class to ensure that you have the right drivers and patches installed to utilize the latest USB 3.0 devices. Those who use a Linux host must also be able to access exFAT partitions using the appropriate kernel or FUSE modules.
  • Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course.

Additional Hardware Requirements

The requirements below are in addition to the baseline requirements provided above. Before starting class, you must install virtualization software and meet additional hardware and software requirements as described below. If you do not carefully read and follow these instructions, you will leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course.

  • Network, Wireless Connection
  • A wireless 802.11 B, G, N, or AC network adapter is required. This can be the internal wireless adapter in your system or an external USB wireless adapter. A wireless adapter allows you to connect to the network without any cables. If you can surf the Internet on your system without plugging in a network cable, you have wireless.

Software Requirements

  • Download and install either VMware Workstation Pro 15.5.x, VMware Player 15.5.x or Fusion 11.5.x or higher versions before class. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website.
  • Other virtualization software, such as VirtualBox and Hyper-V, are not appropriate because of compatibility and troubleshooting problems you might encounter during class.
  • VMware Workstation Pro and VMware Player on Windows 10 are not compatible with Windows 10 Credential Guard and Device Guard technologies. Please disable these capabilities for the duration of the class, if they're enabled on your system, by following instructions in this document.

System Configuration Settings

  • Local Admin - Have an account with local admin privileges.
  • Some of the tools used in the course will require local admin access. This is absolutely required. If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different system.
  • Disable VPN - The ability to disable your enterprise VPN client temporarily for some exercises.
  • Enterprise VPN clients may interfere with the network configuration required to participate in the class. To avoid any frustration in class, uninstall or disable your enterprise VPN client for the duration of the class. If you keep it installed, make sure that you have the access to disable or uninstall it at class.
  • Disable Anti-Virus - The ability to disable your anti-virus tools temporarily for some exercises.
  • You will be required to disable your anti-virus tools temporarily for some exercises, so make sure you have the anti-virus administrator permissions to do so. DO NOT plan on just killing your anti-virus service or processes, because most anti-virus tools still function even when their associated services and processes have been terminated. For many enterprise-managed clients, disabling your anti-virus tool may require a different password than the Administrator account password. Please bring that administrator password for your anti-virus tool.

Author Statement

When I was first asked about putting together a cloud penetration testing class, there were many questions. Could there be room for a class as niche as this? We felt the need to have a class with all new material and topics we had not covered in our other penetration testing classes. I believe we have met that need with SEC588 in ways most could not have imagined. This course breaks the rules and allows us to help you test, assess, and secure cloud environments.

- Moses Frost

Reviews

This emerging course perfectly complements the change in the direction of red team engagement scopes.
Kyle Spaziani
Sanofi
SEC588 taught me crucial information needed before putting data in a cloud.
Maria Lopez
NVCC
SANS course SEC588 taught me more than I expected. With the rapid development of new technologies offered by cloud providers, SEC588 has given me an important framework for cloud pen testing.
Jonus Gerrits
Phillips66
