Astute Hunting in the Cloud - Bring the Thunder!

Event Information

Date and Time

Location

Hyatt Place Salt Lake City/Lehi

3700 North Outlet Parkway

Lehi, UT 84043

Refund Policy

Refunds up to 7 days before event

Event description

Astute Hunting in the Cloud - Bring the Thunder!

Hands-on Training Course - Course Overview

AWS & Azure provide a vast number of services that hackers seek to ravage for their own ends. Join us in this fast-paced course, which invites you to get your hands dirty and find the hackers hiding within these cloud providers! With a focus on AWS and Azure, you will discover the Tactics, Techniques, and Procedures (TTPs) needed to hunt threats in your cloud environment. Get inside the mind of a cloud hacker, see the vulnerabilities, and understand what clues attackers often leave behind for you to hunt them with!


In this course you will:

  • Dive into the AWS & Azure services that enable hunting (CloudTrail, Log Analytics, etc...)

  • Hunt through various data sources to discover a wide variety of real-world threats

  • Track hackers in AWS & Azure from the initial vulnerability to a full account compromise

  • Discover which techniques are applicable to cloud environments (e.g. MITRE ATT&CK)


Course Syllabus

The Course Syllabus includes...

Day 1 - Hunting in AWS:

    • Introduction to AWS Services that Enable Hunting (e.g. CloudTrail, GuardDuty, etc…)

    • Review of Applicable Cloud Centric Adversary TTPs (e.g. MITRE ATT&CK)

    • Assessment of AWS Data Sources for Quality & Usefulness

    • Creating effective Hunt Plans for various AWS services (e.g. EC2, RDS, Lambda)

    • Baselining AWS accounts with AWS Services (e.g. Inspector) and other 3rd party tools

    • Leveraging AWS Services to hunt for the unknown (e.g. Macie, etc...)

    • Hunting within AWS native services (e.g. Elasticsearch Service, Athena, etc...)

    • Providing a more comprehensive security view (e.g. Security Hub, etc...)


    Day 2 - Hunting in Azure:

    • Introduction to Azure Services that Enable Hunting (e.g. Log Analytics, etc…)

    • Review of Applicable Cloud Centric Adversary TTPs (e.g. MITRE ATT&CK)

    • Assessment of Azure Data Sources for Quality & Usefulness

    • Creating effective Hunt Plans for various Azure services (e.g. VMs, Blobs, Functions)

    • Baselining Azure accounts with native services (e.g. Secure Score) and 3rd party tools

    • Leveraging Azure Services to hunt for the unknown (e.g. Common Queries, etc...)

    • Hunting within Azure native services (e.g. Log Analytics, etc...)

    • Providing a more comprehensive security view (e.g. Security Center, etc...)


    Course includes a hands-on Capture The Flag (CTF) competition where participants hunt to win! Hunting occurs within typical AWS & Azure accounts, each of which has an active intrusion performing remote operations within the environment throughout the course!


    KEY TAKEAWAYS

    • How to more effectively leverage AWS & Azure services to Hunt for hackers within these cloud environments, mapping hunts back to known techniques (MITRE ATT&CK) which are applicable to these cloud providers.

    • Enabling blue teams to better understand which red team techniques create logs, where and how, so they can more effectively monitor for malicious activity within their AWS & Azure environments.

    • How to design/architect more secure systems within AWS & Azure environments.


    WHO SHOULD TAKE THIS COURSE

    This course assumes the student already has some basic computer network defense (CND) knowledge and would like to learn more about how to apply hunting techniques to cloud centric environments.

    This includes:

    • Blue Teamers (Hunters, Analysts, & Engineers) & other Security Professionals who are working in an Incident Response (IR) and/or a Forensics role

    • Red Teamers & Penetration Testers, who wish to see how defensive teams are detecting them

    • Site Reliability Engineers (SREs) & System Administrators, who work with cloud technologies


    STUDENT REQUIREMENTS

    Students will need to bring to the class:

    • A laptop with admin access to install software and with wireless network support to access AWS & Azure services.


    Students should be comfortable:

    • Using Linux and SSH.

    • With basic networking concepts and services (e.g. TCP/IP, DNS, DHCP, etc…)

    • Some experience interacting with AWS and Azure platforms.

    • Some Python scripting knowledge is recommended, but not required.


    STUDENT REQUIREMENTS

    Intermediate


    WHAT STUDENTS SHOULD BRING

    Students must:

    • Bring their own laptop, with admin rights to install software (e.g. PuTTY, Chrome, etc...).

    • The Laptop needs to be able to join a wireless network and access AWS & Azure services.



    WHAT STUDENTS WILL BE PROVIDED WITH

    • 2 days of hands-on training

    • A detailed lab guide

    • A copy of all course slides

    • Lunch each day

    • Thursday Night Movie at the Megaplex Theatres at Thanksgiving Point


    TRAINERS

    Bryce Kunz (@TweekFawkes) is an Information Security Researcher located in Salt Lake City, Utah, who specializes in exploiting cloud environments through R&D access vectors for key systems (e.g. containers, orchestration systems, web applications, etc…). As a security professional, Bryce has spent time at various agencies (i.e. NSA, DoD, DHS, CBP) and tech companies (i.e. Adobe) focusing on vulnerability research, penetration testing, and incident response. Previously, Bryce received an MBA from an NSA-designated "Center of Excellence" Idaho State University (ISU) program with an emphasis in Information Assurance (IA) on a full academic scholarship from the National Science Foundation (NSF). Bryce holds numerous certifications (e.g. OSCP, CISSP, ...) and has spoken at various security conferences (i.e. BlackHat, DerbyCon, BSidesLV, etc...).

    Joe Cruz is a Senior Cloud Security Architect located in San Antonio, Texas, who specializes in troubleshooting, architecting secure and compliant cloud environments (with a background in Network Security). As a Cloud Security Architect, Joe has spent time at various tech companies (i.e. Rackspace), primarily focusing on securing and building out cloud architectures. Joe holds numerous cloud certifications (e.g. CCSKv4, AWS Specialties (Security, Big Data, Advanced Networking) and AWS Associates (SysOps, Solutions Architect, Developer)) and has architected HIPAA, SOC-1, and FIPS 140-2 Level 3 compliant solutions for companies listed among the Big Four and Fortune 500.

    Heath Upton (GCIA, OSCP, etc...) is an Information Security Researcher located in Augusta, Georgia.


    Questions?

    Please email info@stage2sec.com with any questions!



