Stay Sharp: Blue Team & Cloud - Live Online

Virtual, US Eastern | Mon, Dec 7 - Wed, Dec 9, 2020
This course is sold out. Join the waitlist below or view other class locations and virtual options.

SEC541: Cloud Security Monitoring and Threat Hunting Waitlist

Mon, December 7, 2020

Course Syllabus  ·  6 CPEs  ·   Lab Requirements
Instructor: Shaun McCullough  ·  Price: 700 USD

Because this course is offered as a beta including discounted pricing, seating is limited to a maximum of two seats per organization. No additional discounts apply.

Due to high demand, SEC541: Cloud Security Monitoring and Threat Hunting is sold out at this event. It is running again on February 1-2, 2021. Please register for that event here.

Attackers Can Run But Not Hide. Our Radar Sees All Threats.

SEC541: Cloud Monitoring and Threat Hunting Will Prepare You To:

  • Understand the threats against AWS cloud infrastructure
  • Deep dive into AWS core logging services
  • Research, detect, and investigate threats
  • Incorporate scripting and automation to make threat hunters more efficient
  • Understand how good architecture improves threat hunting

COURSE OVERVIEW

Cloud infrastructure provides organizations with new and exciting services to better meet the demands of their customers. However, these services bring with them new challenges, particularly the need to effectively hunt down and identify threats attacking your infrastructure. Securely operating cloud infrastructure requires new tools and approaches.

This course is a deep dive into the native services available within Amazon Web Services (AWS) to gather, analyze, and detect threats. You will learn about common attack techniques used against cloud infrastructure, and then investigate how to detect those threats in AWS. SEC541 is all about gaining the hands-on experience that gives you the skills and confidence to seek out threats in your own environment. We'll also discuss architectural design patterns that can make detection easier and attacks harder, as well as ways to automate tasks wherever possible.

LAB INFORMATION

The labs in this course are hands-on deep dives into AWS services. Each lab starts by researching a particular threat and the data needed to detect it. The student then uses native AWS services to extract, transform, and analyze that data for the threat. The course lecture, coupled with the labs, gives students a full picture of how those AWS services work, the data they produce, and common ways to analyze that data.

Do not expect to spend the labs clicking on screens. The labs are focused almost entirely on using the AWS command line interface (CLI), which is the best way to really understand the native services within AWS. The use of the CLI will also facilitate scripting and automation.

WHAT YOU WILL RECEIVE

  • Electronic courseware
  • Virtual machine with all lab resources
  • MP3 of the course

WHAT TO TAKE NEXT

SEC588: Cloud Penetration Testing Course

Course Syllabus


Shaun McCullough
Mon Dec 7th, 2020
9:00 AM - 12:15 PM ET
1:30 PM - 5:00 PM ET

Exercises
  • Identify Cloud Service Discovery Attacks with CloudTrail
  • Identify Brute Force Attacks with VPC Flow Logs
  • Identify Web App Attacks through CloudWatch Logs
  • Leverage GuardDuty as a Threat Detection Service

CPE/CMU Credits: 6

Topics

Analyzing the AWS management plane with CloudTrail

  • How AWS's API works
  • Understanding the CloudTrail service
  • Athena for analysis

Collecting network traffic

  • The VPC flow log
  • Athena for log analysis

Analyzing custom logging through CloudWatch

  • Using CloudWatch for analysis
  • Automating response actions in AWS
  • CloudWatch Insights for log analysis

Leveraging GuardDuty

  • Basics of GuardDuty
  • Tuning in GuardDuty

Investigate Security Hub

  • How to use Security Hub as part of your security program
  • Tools that Security Hub leverages

Additional Information

SEC541 students will run the exercises from a virtual machine that is configured with all the tools and documentation needed. All exercises will use Amazon Web Services (AWS).

IMPORTANT: You can use any 64-bit version of Windows, Mac OS X, or Linux as your core operating system, provided it can install and run VMware virtualization products. You must also have a minimum of 8 GB of RAM for the VMs to function properly in class. A VMware product must be installed prior to coming to class. Verify that virtualization support is ENABLED in the BIOS.

Mandatory System Requirements:

  • System running Windows, Linux, or Mac OS X 64-bit version
  • At least 8 GB of RAM
  • 40 GB of available disk space (more space is recommended)
  • Administrator access to the operating system
  • Anti-virus software will need to be disabled in order to install some of the tools
  • An available USB port
  • Wireless NIC for network connectivity
  • Machines should NOT contain any personal or company data
  • Verify that virtualization support is ENABLED in the BIOS

Mandatory Downloads Prior to Coming to Class:

Mandatory Amazon Web Services (AWS) Account Prior to Coming to Class:

  • An AWS account is required to do hands-on exercises during this course. The AWS account must be created prior to the start of class. Your ability to execute the hands-on exercises will be delayed if you wait to set up the AWS account in class.
  • Estimated additional costs for the week of AWS account usage are $15 to $25.

It is critical that your CPU and operating system support 64-bit guests so that our 64-bit virtual machine will run on your laptop. VMware provides a free tool for Windows and Linux that detects whether or not your host supports 64-bit guest virtual machines.

Please download and install VMware Workstation Pro 15.5 or higher, VMware Fusion 11.5 or higher, or VMware Workstation Player 15.5 or higher on your system prior to the start of the class. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

  • Security Analysts
  • Security Architects
  • Technical Security Managers
  • Security Monitoring Analysts
  • Cloud Security Architects
  • System Administrators
  • Cloud Administrators

The target students for this course are people who are already familiar with AWS and have worked with it hands-on, especially security professionals working in the cloud security field who understand basic threats and attack vectors.

The course will assume that students are able to understand or do the following without help:

  • Build an EC2 instance
  • Understand how IAM roles and policies work
  • Create access keys and configure the AWS command line interface
  • Create key pairs for SSH log-in
  • Create S3 buckets securely, understanding the basic security options
  • Understand VPCs, security groups, subnets, and routing
  • Navigate the AWS console

Author Statement

"Cloud service providers are giving us new tools faster than we can learn how to use them. As with any new and complex tool, we need to get past the surface-level 'how-to' in order to radically reshape our infrastructure. This course is a deep dive into elements of AWS that we may have used before and are ready to truly explore. At the end of the class, you can be confident in knowing you will be able to start looking for the threats, and can start building a true Threat Hunting program in AWS."

- Shaun McCullough

Pricing
Price Options
700 USD