Attackers Can Run But Not Hide. Our Radar Sees All Threats.
Cloud infrastructure provides organizations with new and exciting services to better meet the demands of their customers. However, these services bring with them new challenges, particularly for organizations struggling to make sense of the cloud native logs, keeping ahead of fast-moving development teams, and trying to learn about how threats are adapting to cloud services. Securely operating cloud infrastructure requires new tools and approaches.
SEC541 starts by walking through a real-world attack campaign against a cloud infrastructure. We will break down how it happened, what made it successful, and what could have been done to catch the attackers in the act. We spend the first section of the course dissecting the attacks, learning how to leverage cloud native and cloud integrated capabilities to detect, hunt, or investigate similar attacks in a real environment, and building our arsenal of analytics, detections, and best practices for you to bring back to work as soon as the course is over.
SEC541: Cloud Monitoring and Threat Detection Will Prepare You To:
- Research attacks and threats to cloud infrastructure and how they could affect you
- Break down a threat into detectable components
- Effectively use AWS and Azure core logging services to detect suspicious behaviors
- Make use of cloud native API logging as the newest defense mechanism in cloud services
- Move beyond the cloud-provided Graphic User Interfaces to perform complex analysis
- Perform network analysis with cloud-provided network logging
- Understand how application logs can be collected and analyzed inside the cloud environment
- Learn about the AWS and Azure security-specific services such as AWS Security Hub, Azure Security Center, and AWS GuardDuty
- Integrate container, operating system, and deployed application logging into cloud logging services for more cohesive analysis
- Centralize log data from across your enterprise for better analysis
- Perform inventory of cloud resources and sensitive data using scripts and cloud native tooling
NOTICE TO STUDENTS
This course formerly had only one course section. Two additional course sections have been added that focus on AWS and Azure, with additional labs added as well. All labs will be conducted in the students' AWS accounts.
The labs in this course are hands-on explorations into AWS logging and monitoring services. Each lab will start by researching a particular threat and the data needed to detect it. Then students will conduct the attack against their accounts, generating the logs and data needed to perform analysis. Then the student will use native AWS services and open-source products to extract, transform, and analyze the data produced by the threat. The course lecture coupled with the labs will give students a full picture of how those services within AWS work, the data they produce, and common ways to analyze the data.
WHAT YOU WILL RECEIVE
- Printed and Electronic courseware
- Online Resources
- MP3 of the course
WHAT TO TAKE NEXT
Depending on your current job role or future plans, any of the following SANS courses could be an excellent follow-on to SEC541:
SEC541 students will run the exercises from a virtual machine in an AWS account that is configured with all the tools and documentation needed. All exercises will use Amazon Web Services (AWS).
IMPORTANT: You can use any 64-bit version of Windows, Mac OS X, or Linux as your core operating system that can also install and run VMware virtualization products. You also must have a minimum of 8 GB of RAM for the virtual machines to function properly in the class. Verify that under BIOS, Virtual Support is ENABLED.
Mandatory System Requirements
- System running Windows, Linux, or Mac OS X 64-bit version
- At least 8 GB of RAM
- 40 GB of available disk space (more space is recommended)
- An available USB port
- Wireless NIC for network connectivity
- Machines should NOT contain any personal or company data
- Verify that under BIOS, Virtual Support is ENABLED
- Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course.
Mandatory Downloads BEFORE Coming to Class
- A 64-bit host operating system is installed (Windows is recommended)
- A modern web browser
- Adobe Acrobat or other PDF reader application
Mandatory AWS Account BEFORE Coming to Class:
- An AWS account is required to do the hands-on exercises during this course. The AWS account must be created before the start of class. Your ability to execute the exercises will be delayed if you wait to set up the AWS account in class.
- Estimated additional costs for the AWS account should be less than $20
- You will receive detailed instructions for setting up your AWS account before the start of class in what will be called Lab 0.
"Cloud service providers are giving us new tools faster than we can learn how to use them. As with any new and complex tool, we need to get past the surface-level 'how-to' in order to radically reshape our infrastructure. This course is an overview of the elements of AWS and Azure that we may have used before but are ready to truly explore. By the end of the class, you'll be confident knowing that you have the skills to start looking for the threats and building a true threat detection program in AWS and Azure." - Shaun McCullough and Ryan Nicholson
"I really enjoyed learning more about the AWS data sources and then performing relevant attacks against them to generate events that we could hunt for." - Gavin Knapp, Bridewell Consulting