Incident Response in AWS
In this two-day course, you’ll experience a cloud incident and subsequent data breach in real time, simulated in a vulnerable-by-design application. Students will act as our fictional company’s incident response team and work through the various phases of the IR lifecycle. As an adversary compromises our simulated application, we’ll cover detection, conduct a forensic investigation of the CloudTrail logs to determine what the attacker did, execute containment activities, and then perform an analysis to determine whether a data breach occurred.
Target Audience & Prerequisites
The class targets SOC analysts and security engineers who are new to AWS and need a crash course in CloudTrail, S3, IAM, Serverless, and the many ways the public cloud changes the incident response process. This class doesn’t teach you to be an incident responder; it teaches an incident responder how to respond in AWS. Students need only a basic understanding of AWS and a laptop, as the entire cloud environment will be pre-built for our incident.
This class is offered on-site in either a two- or three-day format.
The two-day format is 7 hours each day (with an hour for lunch), while the three-day format is 4 hours each day. Both formats allow busy students time to deal with daily tasks, so they’re not forced to answer emails or put out fires during class.
- Intro to the class
- Introduction to AWS & Cloud Security
- Lab 1 - Introduction to Fooli
- Investigations in CloudTrail
- Lab 2 - Investigating a CryptoMining Incident
- Running the Fooli Investigation
- Containment Strategies
- Lab 3 - Containing the Fooli Breach
- Recap of Day 1
- Day Two of the Investigation (Ransom note)
- Forensics on EC2
- Lab 4 - EC2 Forensics
- Logging & Other Forensics
- Determining a Data Breach
- Lab 5 - CloudTrail & Athena
- Incident Review & Lessons Learned
- Review the Incident from the Attacker’s perspective
- Wrap up & Take Away
Day 3 (optional)
The optional third day focuses on remediation, covering the eradication and recovery phases for the meme factory.
- Review of the Fooli CSPM Findings
- Fooli IAM Failures
- Fooli Network Failures
- Fooli Application Failures
Each section will include a lecture on how to fix the issues and the general trade-offs and impacts. Students will then be able to leverage CI/CD to remediate the issues in their meme factories.
On-site classes in the US & Canada are $15,000 for the two-day or $20,000 for the three-day class. Classes can support up to 20 students. PrimeHarbor will provide each student with their own Fooli lab environment. The hosting company only needs to provide a projector, wireless connectivity, and HTTP/HTTPS and SSH access to the internet.
This class uses Splunk Enterprise as the Fooli SIEM. All PrimeHarbor classes can be customized to reflect your company’s tools and processes. Contact us for more information!