SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals

As demonstrated in the last workshop in the Aviata Cloud series, public cloud resources pose a major risk. One mitigation, Private Endpoints, allows users and workloads to connect to cloud services without internet access. This allows cloud administrators to isolate workloads from the world while enabling them to continue using the cloud services they need. Private endpoints can also be used to prevent access to sensitive data in cloud services when the request did not originate from the private network. Without internet access, it should not be possible to exfiltrate private data or perform Remote Code Execution (RCE). Unfortunately, attackers can leverage improperly configured private endpoints to do both. By creating their own publicly accessible cloud resources, attackers can trick workloads into downloading malicious code and exfiltrate data without a single packet leaving the cloud network.
In this workshop, we will analyze a real cloud application powered by AWS Lambda, exfiltrate data with an RCE executed through a supply-chain attack, and escalate privileges using AWS IAM credentials. We will then lock down the Lambda to a private network with private endpoints and prevent these IAM credentials from being used externally. Next, we will demonstrate that this configuration is still vulnerable to the attack. Finally, we will lock down the private endpoint policy to block the attack altogether.
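The endpoint-policy weakness described above, and the lockdown that closes it, can be made concrete with two policy documents. The following is an added example and is not part of the workshop materials or any SANS code: it places the full-access policy a new endpoint receives by default beside a version scoped with the real IAM condition keys aws:PrincipalAccount and aws:ResourceAccount, then runs a deliberately simplified evaluator over both to show that the scoped policy refuses a write to a bucket in another account while still permitting the workload's own traffic. The account IDs are placeholders, and the evaluator models only the operators these two samples use, not AWS's full policy evaluation logic.

```python
"""Compare a default VPC endpoint policy with one scoped to the workload's account.

Added example for the Aviata Cloud workshop page; constructed samples and a
simplified evaluator, not SANS or AWS code. Account IDs are placeholders.
"""

# Constructed sample: the full-access policy a new endpoint gets by default.
DEFAULT_ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}
    ],
}

# Placeholder account IDs (not real accounts).
WORKLOAD_ACCOUNT = "111111111111"
FOREIGN_ACCOUNT = "999999999999"

# Constructed sample: same endpoint, but both the caller and the target
# resource must belong to the workload's own account. A request to a bucket
# owned by any other account fails the aws:ResourceAccount condition.
HARDENED_ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalAccount": WORKLOAD_ACCOUNT,
                    "aws:ResourceAccount": WORKLOAD_ACCOUNT,
                }
            },
        }
    ],
}

# Real IAM global condition keys that pin a statement to an account or org.
SCOPING_KEYS = {
    "aws:principalaccount", "aws:principalorgid",
    "aws:resourceaccount", "aws:resourceorgid",
}


def _as_list(value):
    """IAM allows scalars or lists for Statement, Action and similar fields."""
    return value if isinstance(value, list) else [value]


def unscoped_allow_statements(policy):
    """Return indexes of Allow statements that carry no account/org scoping.

    This is the audit check: any hit means the endpoint will happily carry
    traffic to resources owned by accounts you do not control.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        cond_keys = {
            key.lower()
            for operator in stmt.get("Condition", {}).values()
            for key in operator
        }
        if not cond_keys & SCOPING_KEYS:
            findings.append(idx)
    return findings


def _action_matches(pattern, action):
    """Match an Action entry such as '*', 's3:*' or 's3:GetObject'."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return action.lower().startswith(pattern[:-1].lower())
    return pattern.lower() == action.lower()


def request_allowed(policy, action, principal_account, resource_account):
    """Simplified evaluation of a request through the endpoint.

    Only Action matching and StringEquals on the two account keys are
    modelled; an explicit Deny wins, otherwise any matching Allow permits.
    """
    context = {
        "aws:principalaccount": principal_account,
        "aws:resourceaccount": resource_account,
    }
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        if not any(_action_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            continue
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if any(context.get(k.lower()) != v for k, v in equals.items()):
            continue  # a condition did not hold, statement does not apply
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    for name, policy in (("default", DEFAULT_ENDPOINT_POLICY),
                         ("hardened", HARDENED_ENDPOINT_POLICY)):
        print(f"{name}: unscoped Allow statements -> {unscoped_allow_statements(policy)}")
        leak = request_allowed(policy, "s3:PutObject", WORKLOAD_ACCOUNT, FOREIGN_ACCOUNT)
        print(f"{name}: PutObject to a foreign-account bucket allowed -> {leak}")
```

The audit function is the part worth reusing: the same check run over every endpoint policy in an account (for example from the output of describe-vpc-endpoints) surfaces endpoints that still carry the default full-access document.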
This workshop was inspired by the CloudSecNext Summit 2021 talk: "Exfiltration Paths in Isolated Environments using VPC Endpoints" by Jonathan Adler. You can watch it here in preparation for the workshop: https://www.youtube.com/watch?v=mFK-GksgopI
Each monthly workshop in the series is independent of the others. There are no technical or educational dependencies from one to the others.
Who Should Attend
This workshop is ideal for cloud security professionals, network engineers, and system administrators who are tasked with implementing and managing cloud security controls.
Learning Objectives
Set up two sandbox AWS accounts
See firsthand how private endpoints can be used to prevent cloud credential theft
Prove that a misconfigured endpoint policy can enable data exfiltration
Implement a proper endpoint policy to block exfiltration via AWS services
Exploit a supply-chain attack to perform Remote Code Execution without internet access
Analyze how a supply-chain attack can enable bad actors to exfiltrate data from compute instances, including AWS Lambda functions
Use exfiltrated cloud credentials to escalate privileges for other AWS services
Isolate the Lambda in a private VPC and use private endpoints to enable legitimate access to AWS services
Block access to data in AWS services from outside of the private VPC
Prove that a misconfigured endpoint policy can enable data exfiltration from an isolated environment using AWS services
Implement a proper endpoint policy to block exfiltration using AWS services
Please scroll down for prerequisites and laptop requirements.
Brandon is an independent security consultant and SANS Senior Instructor. He is the lead author of SEC510: Cloud Security Controls and Mitigations, GPCS holder #1, a multi-year RSA Conference presenter, and a cloud Bug Bounty collector.
Read more about Brandon Evans