THIS CLASS IS NOW BEING HELD ONLINE FOLLOWING SINGAPORE TIMEZONE (CET +6)
DURATION: 2 DAYS
CAPACITY: 15 pax
SEATS AVAILABLE: CLASS CANCELLED
USD1899
Overview
This training focuses on elevating your malware analysis, forensic investigations, and incident response knowledge into the cloud. The hands-on training focuses on building a fully automated malware analysis, threat intelligence, and forensics investigation pipeline by utilizing cloud services like AWS, Azure, and GCP. We will cover scenarios, exercises and demos about building fully automated and scalable services that can perform both static as well as dynamic malware analysis, forensic artifact collection at scale, performing automated investigations against IAM attacks, gathering threat intelligence as well as creating alerts and reports.
By the end of this training, we will be able to use cloud technologies like Cloudtrail and Cloudwatch to detect IAM attacks, serverless functions to perform on-demand scans, docker containers to deploy our threat scanning services at scale, notification services to create detection alerts, malware-infected virtual machines to perform automated forensic investigations and artifacts collection, DynamoDB and Athena for building real-time threat intelligence and monitoring dashboards.
We will learn to use in-built cloud services along with open source and custom-built tools to connect our file scanning services. In all, we will be building a fully automated incident response as well as threat intelligence pipeline that can be used by large scale security teams and researchers.
Key Learning Objectives
- Using serverless functions, containers and event notifiers to build your own incident response pipeline.
- Building real-time dashboards for threat tracking and intelligence gathering.
- Building Advanced automated pipelines for forensic investigations, artifact storage, and malware feature extractors.
- Integrating and utilizing open source services and tools like AWS_IR, Scout, Cloud custodian, Virustotal lookups, Volatility, Yara and many more.
Who Should Attend
- Incident responders, Analysts
- Malware investigators and Analysts
- Threat intelligence analysts and Responders
- Blue team and Purple team members
- Cloud Security Teams
Prerequisite Knowledge
- Basic understanding of cloud services
- System administration and linux cli
- Able to write basic programs in python
Hardware / Software Requirements
- Laptop with internet access
- Free tier account for AWS
Agenda – Day 1:
1. Introduction
- Introduction to cloud services
- Basic terminologies: IAM, VPC, AMI, serverless, containers etc.
- Introduction to Logging services in cloud.
- Introduction to shared responsibility model.
- Setting up your free tier account.
- Setting up AWS command-line interface.
2. Detecting and monitoring against IAM attacks.
- Detecting and responding to user account brute force attempts.
- Detecting compromised credentials of IAM user.
- Detecting privilege escalation and access permission flaw using aws_escalate.
- Attacking and defending against user role enumeration.
- Brute force attack detection using cloudTrail.
- PagerDuty notification for alarms and notifications.
3. Malware detection and investigation on/for cloud infrastructure
- Quick introduction to static and dynamic malware analysis
- Building clamAV based static scanner for S3 buckets using AWS lambda.
- Integrating serverless scanning of S3 buckets with yara engine.
- Building signature update pipelines using static storage buckets to detect recent threats.
- Malware alert notification through SNS and slack channel.
- Adding advanced context to slack notification for quick remediation.
- Detecting malware command and control through VPC traffic mirroring and GuardDuty.
Agenda – Day 2:
4. Threat Response & Intelligence analysis techniques on/for Cloud
infrastructure
- Auto remediation of malware files through event notifiers and object tags.
- Building highly scalable heuristic feature extractor using docker containers.
- Optimizing the workload with malware file-type identification and hash calculations.
- Integrating playbooks for threat feed ingestion and Virustotal lookups.
- Advance alerting and threat intelligence gathering using AWS Elasticsearch and Athena.
- Building dashboards and queries for real-time monitoring and analytics.
- Advance Dynamic analysis using cuckoo sandbox on AWS EC2 instance and using DynamoDB.
5. Forensic Acquisition, analysis and intelligence gathering of cloud AMI’s.
- Analysis of an infected EC2 instance.
- Building an IR ‘flight simulator’ in the cloud.
- Creating a step function rulebook for instance isolation and volume snapshots.
- lambda functions to perform instance isolation and status alerts.
- Building forensic analysis playbook to extract key artifacts, run volatility and build case tracking.
- Automated timeline generation and memory dump.
- Storing the artifacts to S3 bucket.
- On-demand execution of Sleuthkit instance for detailed forensic analysis.
- Enforcing security measures and policies to avoid instance compromise.
6. Security Assessment Automation for cloud infrastructure
- Introduction to cloud infrastructure security assessment.
- Using scout for automated security assessment.
- Analyzing report and plugging the holes
