Kaiser Permanente SEC541 | September 2021

Online, Virtual Event Tue, Aug 31 - Thu, Sep 2, 2021

Welcome to SEC541: Cloud Security Monitoring and Threat Detection

Instructor: Ryan Nicholson | 18 CPEs

SEC541 is a cloud security course that examines how attackers target Amazon Web Services (AWS) and Microsoft Azure environments, the characteristics of those attackers, and how to detect them and investigate suspicious activity in your cloud infrastructure.

What You Will Learn

Attackers Can Run But Not Hide. Our Radar Sees All Threats.

Cloud infrastructure provides organizations with new and exciting services to better meet the demands of their customers. However, these services bring with them new challenges, particularly for organizations struggling to make sense of the cloud native logs, keeping ahead of fast-moving development teams, and trying to learn about how threats are adapting to cloud services. Securely operating cloud infrastructure requires new tools and approaches.

SEC541 starts by walking through a real-world attack campaign against a cloud infrastructure. We will break down how it happened, what made it successful, and what could have been done to catch the attackers in the act. We spend the first section of the course dissecting the attacks, learning how to leverage cloud-native and cloud-integrated capabilities to detect, hunt, or investigate similar attacks in a real environment, and building an arsenal of analytics, detections, and best practices for you to bring back to work as soon as the course is over.

SEC541: Cloud Monitoring and Threat Detection Will Prepare You To:

  • Research attacks and threats to cloud infrastructure and how they could affect you
  • Break down a threat into detectable components
  • Effectively use AWS and Azure core logging services to detect suspicious behaviors
  • Make use of cloud native API logging as the newest defense mechanism in cloud services
  • Move beyond the cloud-provided graphical user interfaces to perform complex analysis
  • Perform network analysis with cloud-provided network logging
  • Understand how application logs can be collected and analyzed inside the cloud environment
  • Learn about the AWS and Azure security-specific services such as AWS Security Hub, Azure Security Center, and AWS GuardDuty
  • Integrate container, operating system, and deployed application logging into cloud logging services for more cohesive analysis
  • Centralize log data from across your enterprise for better analysis
  • Perform an inventory of cloud resources and sensitive data using scripts and cloud-native tooling


This course formerly had only one course section. Two additional course sections have been added that focus on AWS and Azure, with additional labs added as well. All labs will be conducted in the students' AWS accounts.


The labs in this course are hands-on explorations of AWS logging and monitoring services. Each lab starts by researching a particular threat and the data needed to detect it. Students then conduct the attack against their own accounts, generating the logs and data needed for analysis, and use native AWS services and open-source products to extract, transform, and analyze that data to find the threat. The course lecture, coupled with the labs, gives students a full picture of how those services within AWS work, the data they produce, and common ways to analyze the data.


  • Printed and Electronic courseware
  • Online Resources
  • MP3 of the course



Depending on your current job role or future plans, any of the following SANS courses could be an excellent follow-on to SEC541:

    Course Syllabus

    SEC541.1: Management Plane and Network Logging


    SEC541 starts with an investigation into the attack on the developer services company Code Spaces. The class will break down the attack and map each action to the MITRE ATT&CK framework.

    This leads to an investigation of the detection and logging capability most unique to cloud services, the cloud API service. The cloud API is at the heart of most activity in the cloud and is the best first place to start for analysis and detection.

    The class then investigates network analysis options in the AWS and Azure cloud services, understanding what data is available, what is missing, and some of the ways that network analysis could have been used to detect the Code Spaces attack and similar attacks.

    • SEC541 Environment Deployment
    • Analyzing Cloud API logs with CloudTrail
    • Parsing JSON-Formatted Logs with JQ
    • Network Analysis

    Debrief: Code Spaces

    • Walkthrough of the attack on the developer services company Code Spaces
    • Understanding threat-focused detection and analysis

    Cloud API Logging

    • Cloud API logging overview
    • AWS CloudTrail service
    • Azure Activity Log
    • Log parsing with JQ

    Cloud-Native Logging Services

    • AWS CloudWatch logging
    • CloudWatch Insights for analytics
    • Azure Log Analytics

    Network Flow Logging

    • AWS VPC Flow Logs
    • AWS Athena
    • Azure Flow Logs
    • Capturing Packets with AWS VPC Mirroring and Azure Virtual Tap

    SEC541.2: Compute and Cloud Services Logging


    Section 2 starts with a dive into the attack against Tesla's Kubernetes management services. As with Section 1, the class will investigate the specific tactics used in the attack and how they map to MITRE's new Container ATT&CK Framework.

    Containers are becoming ever more common in cloud services, especially where they simplify application development in multi-cloud or hybrid architectures. Section 2 then looks at how application logs can be gathered in AWS and Azure, at what level, and the types of data typically gathered. The class then looks at Kubernetes, Docker, and the AWS and Azure container orchestration services: what data is logged and how to investigate that log data to detect activity or support investigations.

    The section rounds out by looking at proxies that operate in the cloud environment. Proxies promise to improve operations and perhaps even security, but cloud-managed proxies lose some visibility. The class will examine what services are available and how to make the most of their logging.

    • Section 2 environment setup
    • Application/OS log lab with OpenCanary
    • CloudWatch agent and customization
    • Strange ECS Behavior
    • Finding data exfiltration

    Debrief Tesla Attack

    • Story Overview
    • Introduce MITRE Container Matrix
    • Discuss Threats to Container-based Deployments

    Making use of Operating System Logs

    • Windows operating system logs
    • PowerShell logs
    • Linux logging

    Gathering Application Generated Logs

    • Web server logs
    • Database logs
    • Honeypots

    Log Agents

    • AWS CloudWatch Agent
    • Azure Log Analytics Agent

    Container Logs

    • Docker logging
    • Kubernetes logging
    • AWS ECS (EC2 and Fargate)
    • AWS EKS (EC2 and Fargate)
    • Azure Container Instances
    • Azure AKS

    SEC541.3: Cloud Service and Data Discovery


    Section 3 starts with an investigation into the Capital One attack. After pulling apart the techniques used by the attacker, the class will look at how the AWS instance metadata service can be abused to gain unauthorized access to cloud infrastructure through application vulnerabilities, and how Azure's implementation differs.

    After a discussion of AWS services that help with security monitoring, the section will discuss tools and cloud-managed services that are used to perform an inventory of resources and perform data discovery. Cloud environments are constantly changing, and the investigator needs these discovery tools to pinpoint problems quickly.

    AWS and Azure provide services that help find application, host, and configuration vulnerabilities that may point to potential intrusions and attacker activity. The class will look at some of the cloud-provider services built to help find and remediate these vulnerabilities.

    Lastly, this section will discuss the benefits of centralizing the data collected from cloud, host, and application logs. The class will look at the AWS and Azure services that help manage data centralization, which to use when, and their benefits.

    • Metadata services and GuardDuty
    • Cloud Inventory
    • Discovering sensitive data in unapproved locations with Macie
    • Vulnerability assessment with Inspector
    • Data Centralization with Graylog

    Debrief: Capital One

    • Story Overview
    • AWS and Azure metadata services
    • AWS GuardDuty Overview

    AWS Cloud Inventory Techniques and Services

    • Command Line Discovery
    • AWS Configuration
    • Inventory with Azure

    Using Data Discovery Tools

    • Hunting data in cloud services
    • AWS Systems Manager
    • AWS Macie
    • Azure Cognitive Search

    Vulnerability Analysis Services

    • AWS Inspector
    • AWS Security Hub
    • Azure Security Center
    • AWS ECR

    Data Centralization

    • AWS Event Bus
    • AWS Kinesis Data Firehose
    • AWS Elasticsearch


    This course is intended for students who are familiar with AWS or Azure and have worked with them hands-on, especially security professionals in the cloud security field who understand basic threats and attack vectors.

    The course assumes that students can understand or do the following without help:

    • Understand basic cloud resources such as virtual machines, storage services, and Identity Access Management
    • Work in the command line, as most of the labs use a Linux command-line console
    • Understand how identity access roles/policies work in cloud environments
    • Understand basic cloud networking capabilities

    The natural prerequisite SANS courses for SEC541 are either:

    Other SANS Courses SEC541 Students Have Taken

    Laptop Requirements

    SEC541 students will run the exercises from a virtual machine, in an AWS account, that is configured with all the tools and documentation needed. All exercises will use Amazon Web Services (AWS).

    IMPORTANT: You can use any 64-bit version of Windows, Mac OS X, or Linux as your core operating system, provided it can also install and run VMware virtualization products. You must also have a minimum of 8 GB of RAM for the virtual machines to function properly in the class. Verify that virtualization support is ENABLED in the BIOS.

    Mandatory System Requirements

    • System running Windows, Linux, or Mac OS X 64-bit version
    • At least 8 GB of RAM
    • 40 GB of available disk space (more space is recommended)
    • An available USB port
    • Wireless NIC for network connectivity
    • Machines should NOT contain any personal or company data
    • Verify that virtualization support is ENABLED in the BIOS
    • Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course.

    Mandatory Downloads BEFORE Coming to Class

    • A 64-bit host operating system is installed (Windows is recommended)
    • A modern web browser
    • Adobe Acrobat or other PDF reader application

    Mandatory AWS Account BEFORE Coming to Class:

    • An AWS account is required to do the hands-on exercises during this course. The AWS account must be created before the start of class. Your ability to execute the exercises will be delayed if you wait to set up the AWS account in class.
    • Estimated additional costs for the AWS account should be less than $20
    • You will receive detailed instructions for setting up your AWS account before the start of class in what will be called Lab 0.