Offensive Cloud Security Training

Delegates must have the following to make the most of the course:

• Basic to intermediate knowledge of cybersecurity (1.5+ years’ experience)
• Experience with common command line syntax

Who it’s for:

• Cloud administrators and architects
• Penetration testers and red teamers
• Blue teams, CSIRT / SOC analysts, and responders
• Cloud developers & engineers
• Security & IT managers and team leads

This course is suitable for anyone with a stake or interest in cloud security, from technical practitioners to decision makers. The syllabus has been designed to cover the latest vulnerabilities and advances in hacking, as well as the skills to penetration test cloud systems and environments and remediate vulnerabilities.

This course uses a Defense by Offense methodology based on real world offensive research (not theory). That means everything we teach has been tried and tested on live environments and in our labs and can be applied once the course is over. By the end, you’ll know how to:

• Think and behave like an advanced, real world threat actor
• Identify and exploit complex vulnerabilities and security misconfigurations in AWS, Microsoft Azure, and Google Cloud Platform (GCP)
• Design your penetration tests around real-world attacker behaviours and tooling, making it relevant to the threats facing your organisation
• Identify the attack surface exposure created by cloud-based services such as virtual machines (VMs), buckets, container as a service (CaaS) platforms, and serverless functions
• Support cloud defense strategies that include patching, asset inventory management, and other security controls

Top 3 takeaways

• Exploitation techniques to gain cloud entry via exposed services
• Post-exploitation techniques to enumerate systems and achieve exfiltration
• Methods for defending different cloud environments

What you’ll be doing

You’ll be learning hands on:

• Spending most of the session (~60%) on lab-based exercises
• Using lab-based flows to explore and hack lifelike cloud environments
• Exploiting, defending, and auditing different cloud environments
• Competing In a Capture the Flag (CTF) challenge to test your new skills
• Discussing case studies with your course leader to understand the real-world impact of the hacks covered

Why it’s relevant

The cybersecurity skills shortage is felt perhaps nowhere as deeply as in the cloud. With new rulebooks and standards, practitioners often find themselves playing catch up with the latest developments in technology and in the threat landscape. This course is designed to be a highly informative bootcamp to help you advance your skills in the most important and relevant areas of cloudsec. Across four days, you’ll learn about the high-impact vulnerabilities and flaws that could be open in your organisation right now and how to fix them.

Our syllabuses are revised regularly to reflect the latest in-the-wild hacks, the newest system releases, and whatever proof of concepts we’ve been developing in our own research. Because they remain so up to date with the threat landscape and security industry standard, many delegates return every 1-2 years to update their skills and get a refresh.

Module 1: Introduction To Cloud Computing

This module introduces the core concepts of cloud computing, emphasising the importance of security. It explores the shared responsibility model, comparing cloud security with traditional models. Additionally, it sheds light on the significance of cloud metadata APIs from an attacker's perspective. This module lays the groundwork for a deeper understanding of cloud security and its unique challenges.

• Introduction to the Cloud
• Importance of Cloud Security
• Shared Responsibility Model in the Cloud
• Comparison with Conventional Security Model
• Importance of Cloud Metadata API from an Attacker's Perspective

Module 2: Cloud Asset Enumeration

This module will explore DNS-based Enumeration techniques, gaining insights into identifying cloud assets through DNS records.

The module then delves into 'OSINT Techniques for Cloud Asset Enumeration,' equipping participants with open-source intelligence methods to uncover valuable information. Additionally, it covers 'Username Enumeration using Cloud Provider APIs,' empowering attendees to utilise cloud provider APIs to enumerate usernames effectively.

• Importance of DNS in the Cloud
• DNS-based Enumeration
• OSINT Techniques for Cloud Asset Enumeration
• Username Enumeration using Cloud Provider APIs

Module 3: Attack Surface of Cloud Services

This module delves into the attack surfaces of key cloud service models: Infrastructure as a Service (IaaS), Function as a Service (FaaS), Platform as a Service (PaaS), and Container as a Service (CaaS). It provides an in-depth understanding of the vulnerabilities and security challenges associated with each model. The module kicks off with an examination of the 'IaaS Attack Surface,' followed by the 'FaaS Attack Surface,' 'PaaS Attack Surface,' and 'CaaS Attack Surface.'

• Understanding Infrastructure as a Service (IaaS) Attack Surface
• Understanding Function as a Service (FaaS) Attack Surface
• Understanding Platform as a Service (PaaS) Attack Surface
• Understanding Container as a Service (CaaS) Attack Surface

Module 4: Cloud Storages

This module covers cloud storage security in AWS, GCP, and Azure. It starts with an introduction to AWS S3, followed by addressing AWS S3 misconfigurations. The module then explores GCP and Azure storage solutions. It culminates with a focus on securing Azure's Shared Access Signature (SAS) URLs. Attendees will gain the knowledge and skills to secure their cloud storage effectively, avoiding common pitfalls and optimising data protection in these cloud environments.

• Introduction to AWS S3
• AWS S3 Misconfigurations
• Introduction to GCP Storage
• Introduction to Azure Storage
• Azure: Shared Access Signature (SAS) URL Misconfiguration

Module 5: Introduction to Azure and Attacking Microsoft Azure AD

This Module commences with an 'Introduction to Azure and Microsoft Entra ID,' setting the foundation for understanding Azure security.

The module extensively covers 'Azure Application Attacks' across critical components such as App Service, Function App, and Storages. Participants will also delve into the intricacies of securing Azure Databases and the significance of the Automation Account, Azure Key Vault, a pivotal component in safeguarding sensitive data, is thoroughly explored.

Additionally, this module introduces 'Microsoft Entra ID' and elaborates on its authentication methods and associated risks. Participants will gain insights into potential attacks on Microsoft Entra ID, particularly concerning Managed User Identities. The training provides advanced techniques for bypassing Multi-Factor Authentication (MFA) security and navigating Conditional Access Policies effectively.

Participants will also learn how to exploit Dynamic Membership Policies and harness Azure Identity Protection to monitor user behaviour, enhancing the overall security posture.

• Introduction to Azure and Microsoft Entra ID
• Azure Application Attacks on App Service, Function App, and Storages
• Azure Database
• Automation Account
• Azure Key Vault
• Introduction to Microsoft Entra ID Authentication Methods and Risks
• Microsoft Entra ID Attacks (Managed User Identities)
• Bypassing MFA Security and Conditional Access Policy
• Abusing Dynamic Membership Policy
• Azure Identity Protection to Monitor User Behaviour

Module 6: Introduction to AWS

This module offers an in-depth exploration of advanced Amazon Web Services (AWS) security topics. Beginning with an Introduction to AWS Identity and Access Management (IAM) and Policies, the module explores policy evaluation and AWS Cognito Service, with a focus on potential IAM misconfigurations.

The training delves into various aspects of AWS security, including Elastic Beanstalk, AWS Cross-Account misconfigurations, and the enumeration of roles using Pacu. Participants will gain insights into gaining access to EC2 instances by exploiting instance attributes and addressing resource-based policy misconfigurations.

Additionally, the module covers Lambda and API Gateway exploitation, AWS Elastic Container Registry (ECR), and Elastic Container Service (ECS). It educates participants on protecting sensitive data within Docker images and introduces AWS Organisations and IAM Access Analyzer.

Upon completion of this Module, attendees will emerge with a deep understanding of advanced AWS security practices and the practical skills required to secure cloud environments effectively. This module is designed to empower individuals to proactively address security challenges within AWS infrastructures.

• Introduction to AWS IAM and Policies
• Understanding AWS Policy Evaluation
• AWS Cognito Service
• IAM: Misconfigurations
• Elastic Beanstalk
• AWS Cross-Account Misconfigurations
• Enumerate Roles using Pacu
• Gaining Access to EC2 Instance by Abusing Instance Attribute
• Resource Based Policy Misconfiguration
• Lambda and API Gateway Exploitation
• AWS ECR and ECS Service
• Stealing sensitive information from the Docker images
• Introduction of AWS Organisation
• IAM Access Analyzer

Module 7: Introduction to GCP

Participants will delve into essential GCP security aspects, including IAM Role and Service Account, Authentication methods using Service Account files and Access tokens. The module introduces Compute Engine, Cloud Storage, App Engine, and Identity-Aware Proxy (IAP). Furthermore, this module covers the GCP services like Cloud Function, Cloud Storage, Pub/Sub, Cloud Run and databases.

Security-related topics include IAM Impersonation and Secret Manager, bolstering access control. The module concludes by introducing Container Registry, a vital component of GCP container management.

• Introduction to GCP
• Introduction to IAM Role, Service account
• Understanding the Authentication in GCP:
  • Service Account file
  • Access token
• Introduction to Compute Engine and Cloud Storage
• Understanding App Engine, IAP
• Database: Firestore/Firebase
• Cloud Function and Cloud Storage
• Pub/Sub and Cloud Run
• IAM Impersonation and Secret Manager
• Container Registry

Module 7: Revisiting AWS, Azure and GCP Misconfigurations in Hardened Environment

This section revisits the key cloud misconfigurations discussed in the Azure, AWS, and GCP sections, focusing on comprehensive fixes in a hardened environment. The module provides insights into the practical implementation of robust security measures, ensuring that cloud environments are fortified against vulnerabilities and risks. By actively validating these fixes, participants will be better prepared to enhance cloud security and maintain a robust posture across Azure, AWS, and GCP platforms.

• Validate Fixes for the Following Topics:
  • Microsoft Entra ID
  • Azure MFA Bypass
  • Azure Key Vault
  • Elastic Beanstalk
  • AWS IAM Misconfigurations
  • ECS and ECR
  • AWS Cognito
  • GCP IAM
  • GCP IAP

Module 9: Backdooring and Maintaining Access

Module 10: Difference Between AWS, Azure, & GCP IAM and Pitfalls

This module offers a concise comparison of Identity and Access Management (IAM) in AWS, Azure, and GCP. It illuminates the key differences and potential pitfalls associated with IAM in these cloud platforms. Participants will gain insights into the nuanced IAM features and challenges specific to each provider, equipping them with a solid understanding to navigate and secure access control effectively.

Module 11: Cloud Defense Using Open-Source and Cloud-Native Tools

This module focuses on an all-encompassing approach to cloud defense, encompassing four fundamental pillars: identification, protection, detection, and response. Participants will gain insights into how to proactively identify vulnerabilities and potential threats within their cloud infrastructure. They will also explore strategies for safeguarding cloud assets and data. The module delves into the critical aspect of real-time threat detection, equipping individuals with the skills to recognise and respond to security incidents effectively. By the end of this module, participants will be well-prepared to establish robust cloud defense mechanisms, ensuring the security and resilience of their cloud environments.

• Identification of Cloud Assets
• Hybrid Account Asset Inventory
• AWS Multi-Account Asset Inventory using Open Source Tools
• Protection of Cloud Assets
• Principle of Least Privilege (with examples like EC2, IAM, RDS, etc.)
• Financial Protections by Enabling Budgets
• Metadata API Protection
• Demo of Metadata API Protection using Linux Firewall Rules
• Monitoring Cloud Activities using Cloud Native Tools
• Hybrid Cloud Account Monitoring Strategy
• Automated Response in Cloud Against Malicious Activities
• Response to Attacks Using AWS Config and AWS Step

Module 12: Auditing and Benchmarking of Cloud

This module delves into the comprehensive CIS benchmark, and essential cloud security best practices designed to establish a baseline security posture within cloud infrastructures. Participants will gain profound insights into industry standards and proven methodologies for enhancing cloud security, ultimately fortifying their cloud environments against vulnerabilities and threats.

• Preparing for the Audit
• Automated Auditing via Tools
  • Exercise
• Golden Image / Docker Image Audits
  • Exercise
• Relevant Benchmarks for Cloud