Training Details

Training Duration: 3 Days

This hands-on CTF-style training focuses on elevating your security knowledge into the cloud. Learn to defend your public cloud infrastructure by building automated detection, alerting and response pipelines for your public cloud workloads using native cloud services. This training focuses on building security knowledge on the cloud and for the cloud. By the end of this training, you will be able to:

  • Use cloud technologies to detect IAM attacks.
  • Understand cloud-native pivoting and privilege escalation, and the techniques to mitigate and defend against them.
  • Use serverless functions to perform on-demand threat scans.
  • Use containers to deploy threat detection services at scale.
  • Build notification services to create alerts.
  • Analyze malware-infected virtual machines to perform automated forensic investigations and artifact collection.
  • Use Elasticsearch and Athena to build a SIEM and a security data lake for real-time threat intelligence and monitoring.

Agenda:

Day 1:

  • Introduction
    • Introduction to cloud services
    • Basic terminology: IAM, VPC, AMI, serverless, ARNs, etc.
    • Understanding cloud deployment architecture.
    • Introduction to logging services in the cloud.
    • Introduction to shared responsibility model.
    • Setting up your free tier account.
    • Setting up AWS command-line interface.
    • Understanding cloud attack surfaces.
  • Detecting and monitoring against IAM attacks.
    • Identity & Access management crash course.
    • Policy enumeration from an attacker’s & defender’s perspective.
    • Detecting and responding to user account brute force attempts.
    • Building anomaly detection using CloudWatch Events.
    • Building controls against privilege escalation and access permission flaws.
    • Attacking and defending against user role enumeration.
    • Brute force attack detection using CloudTrail.
    • Automated notification for alarms and alerts.
    • Exercise on detecting IAM attacks in a simulated environment containing web application compromise and lateral movement.
  • Malware detection and investigation on/for cloud infrastructure
    • Quick Introduction to cloud infrastructure security.
    • Building a ClamAV-based static scanner for S3 buckets using AWS Lambda.
    • Integrating serverless scanning of S3 buckets with the YARA engine.
    • Building signature update pipelines using static storage buckets to detect recent threats.
    • Malware alert notification through SNS and a Slack channel.
    • Adding advanced context to Slack notifications for quick remediation.
    • Exercise on simulating a malware infection in AWS and building an automated detection & alerting system.


Day 2:

  • Threat Response & Intelligence analysis techniques on/for Cloud infrastructure
    • Integrating playbooks for threat feed ingestion and VirusTotal lookups.
    • Building a SIEM-like service for advanced alerting and threat intelligence gathering using Elasticsearch.
    • Creating a security data lake for advanced analytics and intelligence search.
    • Building dashboards and queries for real-time monitoring and analytics.
    • CTF exercise to correlate multiple logs to determine the source of infection.
  • Network Security & monitoring for Cloud infrastructure
    • Understanding Network flow in cloud environment.
    • Quick introduction to VPC, subnets and security groups.
    • Using VPC flow logs to discover network threats.
    • VPC traffic mirroring to detect malware command & control.


Day 3:

  • Forensic acquisition, analysis and intelligence gathering of cloud AMIs
    • Analysis of an infected VM instance.
    • Building an IR ‘flight simulator’ in the cloud.
    • Creating a Step Functions rulebook for instance isolation and volume snapshots.
    • Lambda functions to perform instance isolation and status alerts.
    • Building a forensic analysis playbook to extract key artifacts, run Volatility and build case tracking.
    • Automated timeline generation and memory dump.
    • Storing the artifacts to S3 bucket.
    • On-demand execution of a Sleuthkit instance for detailed forensic analysis.
    • Enforcing security measures and policies to avoid instance compromise.
  • Security Assessment & Security CI/CD pipelines for cloud infrastructure
    • Introduction to cloud infrastructure security assessment.
    • Executing automated security assessments and analyzing reports to plug the holes.
    • Securing Infrastructure as Code by creating custom linting rules.
    • Enforcing source code security through automated scans integrated into CI/CD pipelines.


Who should attend this course?

  • Red, Blue & Purple team members
  • Cloud Security team members
  • Incident Responders & Analysts
  • Malware Investigators & Analysts
  • Threat Intelligence Responders & Analysts


Requirements:

  • Laptop with Internet Access
  • Free tier AWS Account
  • Basic Understanding of cloud services
  • System administration and Linux CLI experience
  • Able to write basic programs in Python