Workshops 2023

Cloud Security Masterclass

Defender's guide to Securing AWS & Azure Infrastructure

2 days training, by Abhinav Singh
Dates: March 21st & 22nd, 2023

This training will be given in ENGLISH

Normal price: CHF 1500.-
Student price: CHF 1125.- (limited availability)


This hands-on CTF-style training focuses on elevating your security knowledge into the cloud. Learn to defend your AWS & Azure cloud infrastructure by building automated detection, alerting and response pipelines for your workloads by using native cloud services. This training focuses on building security knowledge on the cloud and for the cloud.

This training takes both an investigator's and a builder's approach to security. It teaches you the fundamentals of cloud infrastructure security and focuses on building highly scalable threat detection, monitoring, and response tools by using cloud-native services like serverless, containers, object stores, IAM/AD, logic apps, SQL/KQL queries and much more.

By the end of this training, we will be able to (applies to both AWS & Azure):

  • Use cloud technologies to detect & build automated responses against IAM & AD attacks.
  • Understand and mitigate advanced identity-based attacks like pivoting and privilege escalation and build defense techniques against them.
  • Use serverless functions to perform on-demand threat scans.
  • Deploy containers to build threat detection services at scale.
  • Build notification services to create detection alerts.
  • Analyze malware-infected virtual machines to perform automated forensic investigations.
  • Define step functions & logic apps to implement automated forensic artifacts collection for cloud resources.
  • Build cloud security response playbooks for defense evasion, persistence and lateral movements.
  • Perform advanced security investigations through architecting and deploying a security data lake for real-time threat intelligence and monitoring.
  • Enforce multi-cloud security strategy through assessments, compliance checks and benchmarking automation.

Abhinav Singh is a cybersecurity researcher with decade-long experience working for global leaders in security technology, financial institutions and as an independent trainer/consultant. He is the author of Metasploit Penetration Testing Cookbook (first, second & third editions) and Instant Wireshark Starter, by Packt. He is an active contributor to the security community in the form of patents, open-source tools, paper publications, articles, and blogs. His work has been quoted in several security and privacy magazines, and digital portals. He is a frequent speaker and trainer at eminent international conferences like Black Hat, RSA & Defcon. His areas of expertise include malware research, reverse engineering, enterprise security, forensics, and cloud security.


**Day 1:**


- Quick Introduction to AWS & Azure cloud services.
- Basic terminologies: IAM, VPC, AMI, serverless, ARNs etc.
- Introduction to Logging services in cloud.
- Setting up your free tier account.
- Setting up AWS & Azure command-line interface.

*Cloud Attack Surface*

- Cloud service enumeration for attack surface identification.
- Exploiting serverless functions and harvesting cloud credentials.

*Detecting and monitoring against AWS IAM attacks.*

- Identity & Access management crash course.
- Policy enumeration from an attacker's & defender's perspective.
- Detecting and responding to user account brute force attempts.
- Building controls against privilege escalation and access permission flaws.
- Attacking and defending against user role enumeration.
- Brute force attack detection using CloudTrail & Athena SQL queries.
- Automated notification for alarms and alerts.
- Exercise on detecting IAM attacks in a simulated environment containing web application compromise and lateral movement.

*Malware detection and investigation on/for cloud infrastructure*

- Quick Introduction to cloud infrastructure security.
- Building a ClamAV & YARA based static scanner for S3 buckets using AWS Lambda.
- Building signature update pipelines using static storage buckets to detect recent threats.
- Malware alert notification through SNS and a Slack channel.
- Adding advanced context to Slack notifications for quick remediation.
- Exercise on simulating a malware infection in AWS and building an automated detection & alerting system.

**Day 2:**

*Threat Response & Intelligence analysis techniques on/for Cloud infrastructure*

- Integrating playbooks for threat feed ingestion and VirusTotal lookups.
- Building a SIEM-like service for advanced alerting and threat intelligence gathering using Elasticsearch.
- Creating a security data lake for advanced analytics and intelligence search.
- Building dashboards and queries for real-time monitoring and analytics.
- CTF exercise to correlate multiple logs to determine the source of infection.

*Azure AD Attacks & Defenses*

- Azure AD enumeration & permission gathering.
- Privilege escalation & lateral movement through RBAC, service principals etc.
- Auditing & logging in Azure.
- Detecting attacks through KQL queries.

*Forensic Acquisition & analysis in the Cloud.*

- Building an IR 'flight simulator' in the cloud (AWS).
- Creating an API service for automated instance isolation and volume snapshots (AWS).
- Lambda functions to perform instance isolation and status alerts (AWS).
- Automating alerts using Sentinel (Azure) for threat analysis.
- Automating threat response through Azure logic apps.
- Implementing rulebook for cloud IR in an enterprise.
- Enforcing security measures and policies to avoid instance compromise.

*Multi-cloud Compliance*

- Building a multi-cloud security assessment & monitoring strategy.
- Automatic inventory and change detection in a multi-cloud environment.
- Implementing compliance standards and benchmark standards (CIS) to the cloud environment.


  • Basic understanding of cloud services.
  • System administration and Linux CLI.
  • Able to write basic programs in Python.
  • Familiarity with SQL and KQL queries will be a plus.
  • Laptop with internet access.
  • Free tier account for AWS with command-line tools installed.
  • Free tier account for Azure with command-line tools installed.
  • Read and complete the pre-training briefing document that will be sent a week before the training date.

Whiteboard Hacking aka Hands-on Threat Modeling

Due to an insufficient number of registered participants, this workshop has been CANCELLED

2 days training, by Sebastien Deleersnyder & Steven Wierckx (Toreon)
Dates: March 21st & 22nd, 2023

This training will be given in ENGLISH

Normal price: CHF 1500.-
Student price: CHF 1125.- (limited availability)


Threat modeling is the primary security analysis task performed during the software design stage. Threat modeling is a structured activity for identifying and evaluating application threats and vulnerabilities. The security objectives, threats, and attacks modeling activities during the threat modeling are designed to help you find vulnerabilities in your application and the supporting architecture. You can use the identified vulnerabilities to help shape your design and direct and scope your security testing.
Threat modeling allows you to consider, document, and discuss the security implications of designs in the context of their planned operational environment and in a structured fashion. It also allows consideration of security issues at the component or application level. The threat modeling course will teach you to perform threat modeling through a series of workshops, where our trainer will guide you through the different stages of a practical threat model.
This course is aimed at software developers, architects, system managers or security professionals. Before attending this course, students should have basic knowledge of web and mobile applications, databases & single sign-on (SSO) principles. The students should bring their own laptop to the course.

This threat modeling training includes a capture the flag-style war game with red and blue threat modeling teams, where you'll battle for control over an offshore wind turbine park using skills and knowledge from our experience in securing real-world OT infrastructure. This edition also includes enhanced sections on privacy by design and compliance, as well as a new section on medical devices.

You'll receive a Threat Modeling Playbook and one-year access to our online learning platform. During the training, you'll create your own threat model and receive individual feedback on it. After the training, we'll hold an online review session with all participants.

As experienced professionals, we understand the gap between theoretical knowledge of threat modeling and practical application. To bridge that gap, we've developed hands-on workshops using real-life use cases based on actual projects. Each use case includes a description of the environment and questions and templates to build a threat model. Our methodology provides a challenging and practical training experience, as well as the tools to implement threat modeling best practices in daily work. During the training, students will work in groups of 3 to 4 to complete the various stages of threat modeling on the following:
- Diagramming web and mobile applications, sharing the same REST backend
- Threat modeling an IoT gateway with a cloud-based update service
- Get into the defender's head - modeling points of attack against a nuclear facility
- Threat mitigation of microservices and S3 buckets
- Privacy analysis of a new face recognition system in an airport
- Battle for control over "Zwarte Wind", an offshore wind turbine park
After each hands-on workshop, the results are discussed, and students receive a documented solution.


Sebastien Deleersnyder led engagements in the domain of ICT-security, Web and Mobile Security with several customers in the private and public sector. Sebastien is the Belgian OWASP Chapter Leader, served as vice-chair of the global OWASP Foundation Board and performed several public presentations on Web Application, Mobile and Web Services Security. Furthermore, Sebastien co-founded the yearly BruCON conference.

Steven Wierckx is a software and security tester with 15 years of experience in programming, security testing, source code review, test automation, functional and technical analysis, development, and database design. Steven shares his passion for web application security through writing and training on testing software for security problems, secure coding, security awareness, security testing, and threat modeling. He is the project leader for the OWASP Threat Modeling Project and organizes the BruCON student CTF. Last year, he spoke at Hack in the Box Amsterdam, hosted a workshop at BruCON and delivered threat modeling trainings at OWASP AppSec USA and O’Reilly Security New York.


Threat modeling introduction
- Threat modeling in a secure development lifecycle
- What is threat modeling?
- Why perform threat modeling?
- Threat modeling stages
- Different threat modeling methodologies
- Document a threat model

Diagrams – what are you building?
- Understanding context
- Doomsday scenarios
- Data flow diagrams
- Trust boundaries
- Sequence and state diagrams
- Advanced diagrams
- Hands-on: diagramming web and mobile applications, sharing the same REST backend

Identifying threats – what can go wrong?
- STRIDE introduction
- Spoofing threats
- Tampering threats
- Repudiation threats
- Information disclosure threats
- Denial of service threats
- Elevation of privilege threats
- Attack trees
- Attack libraries
- Hands-on: STRIDE analysis of an Internet of Things (IoT) gateway and cloud update service

Addressing each threat
- Mitigation patterns
- Authentication: mitigating spoofing
- Integrity: mitigating tampering
- Non-repudiation: mitigating repudiation
- Confidentiality: mitigating information disclosure
- Availability: mitigating denial of service
- Authorization: mitigating elevation of privilege
- Specialist mitigations
- Hands-on: threat mitigations OAuth scenarios for web and mobile applications

Threat modeling and compliance
- How to marry threat modeling with compliance
- GDPR and Privacy by design
- Privacy threats
- LINDDUN and mitigating privacy threats
- Threat modeling medical devices (FDA)
- Threat modeling Industrial Control Systems (IEC 62443)
- Threat Assessment and Remediation Analysis for automotive (TARA, SAE 21434)
- Mapping threat modeling on compliance frameworks
- Hands-on: privacy threat modeling of a face recognition system in an airport

Penetration testing based on offensive threat models
- Create pentest cases for threat mitigation features
- Pentest planning to exploit security design flaws
- Vulnerabilities as input to plan and scope security testing
- Prioritization of pentesting based on risk rating
- Hands-on: get into the defender's head – modeling points of attack of a nuclear facility.

Advanced threat modeling
- Typical steps and variations
- Validating threat models
- Effective threat model workshops
- Communicating threat models
- Agile and DevOps threat modeling
- Scaling up threat modeling
- Improving your practice with the Threat Modeling Playbook
- Threat models examples: medical devices, automotive, industrial control systems, IoT and Cloud

Threat modeling resources
- Open-Source tools
- Commercial tools
- General tools
- Threat modeling tools compared

- Hands-on examination
- Grading and certification

Review session (online session after 1 month)
- Hand-in of your own threat model
- Individual feedback on your threat model
- Review session


The students should bring their own laptop or tablet to read and use the training handouts and exercise descriptions.

Windows Attack & Defense

2 days training, by Clément Labro and Julien Oberson
Dates: March 21st & 22nd, 2023

This training will be given in ENGLISH

Normal price: CHF 1500.-
Student price: CHF 1125.- (limited availability)


This training will familiarize system administrators and security professionals with modern Windows attacks and best security practices, such as Windows security components, network interception, Active Directory mapping, privilege escalation, lateral movements, credentials theft and common persistence techniques. After covering a large attack overview, the course introduces associated counter-measures such as credentials protection and much more. After the workshop, members will understand how to protect their infrastructure against modern attacks. Hands-on: this class is practice-oriented; lectures present real-world attacks that participants put into practice in various labs.


The course gives an idea of how pentesters and hackers think, and the best way to defend against them. To do so, this training is given by a duo of pentesting engineers. Both trainers have in combination more than 15 years of experience in offensive and defensive security.

Clément is an IT security professional with 8 years of experience. He started as a network engineer and then switched to a security engineer career. After working 5 years in the field, he eventually joined SCRT in 2020, thus totaling 6 years of experience in IT security. Aside from the regular audit activities, he also has a strong interest in vulnerability research and exploit development, especially in Windows environments. In this regard, he also publishes his findings and tools on his personal blog and on GitHub. Most notably, he is the maintainer of a Windows privilege escalation enumeration tool called PrivescCheck that helps penetration testers and system administrators identify vulnerabilities and weaknesses on Windows machines.

Julien is an IT security professional with 8 years of experience. He started his career in 2013 as a scientific collaborator at the Fribourg Engineering College where he worked on various projects related to critical infrastructure security. He joined the SCRT Pentesting team in 2015 and he is now Deputy Head of the Audit Division. Over the years, he performed missions on a wide range of technologies including Windows, Linux, mobile/web applications, and social engineering. He specialized in Windows environments and organized many Red Team audits. Besides the pentesting activity, he is also a trainer for multiple courses given by SCRT and a forensic analyst.


Network access to initial account

  • Windows network protocols poisoning (LLMNR, NetBIOS, DHCPv6)
  • Initial network discovery (nmap port scan)

Active Directory mapping

  • Active Directory enumeration (BloodHound, PingCastle)
  • Kerberos authentication
  • Common domain password extraction techniques (GPP passwords, Kerberoast, ASREPRoast)

Lateral movement

  • Kerberos delegation (unconstrained, constrained, resource-based)
  • NTLM authentication and cross-protocol relay attacks
  • Ways to coerce a machine account NTLM authentication and abuse it (Printer Bug, PetitPotam, ntlmrelayx)

Windows credentials dumping

  • Windows credentials storage (SAM, LSA secrets, LSASS, etc.)

Getting access to a key asset

  • From RDP access to administrator
  • Abusing impersonation privileges in Windows services

Domain compromise and persistence

  • Domain credentials storage
  • Kerberos Silver/Golden tickets


  • Physical device security (BitLocker and known attacks)
  • LSA protection (how it works and how it can be bypassed)
  • Credential Guard (how it works and how it can be bypassed)

A laptop with an SSH, RDP and VNC client.

Web Application Security

2 days training, by Alain Mowat
Dates: March 21st & 22nd, 2023

This training will be given in ENGLISH

Normal price: CHF 1500.-
Student price: CHF 1125.- (limited availability)


This is a hands-on training which covers a broad scope of vulnerabilities that can be found in Web applications. The objective is to provide participants with the methodology and tools required in order to assess a Web application. It is tailored for developers or junior security engineers who want to start their journey in attacking and compromising Web applications. It does not dive in-depth into specific vulnerabilities, but rather covers a broad spectrum of issues to provide the participants with a basic understanding of all the relevant topics.


Alain Mowat joined SCRT in 2008 as a penetration tester and is now leading the pentesting team in the same company. While still performing various engagements throughout the year, Alain is also dedicated to exploring new approaches to be used by the offensive security industry to better secure client infrastructures.
Aside from these activities, Alain was an active member in the 0daysober CTF team that finished 3rd at DEFCON CTF in 2015 and has responsibly disclosed vulnerabilities in multiple products such as Citrix NetScaler, SonicWall SRA & SMA, Barracuda, Twitter and McAfee’s ePolicy Orchestrator.
Alain is also responsible for giving Web and general security awareness trainings at SCRT and has presented at several Swiss conferences, such as Insomni’hack, Secure IT VS and CyberSecurity Alliance.


# Introduction
 * Overview of technologies in use
 * Encodings
 * Introduction to BurpSuite

# Information gathering
 * Generic information gathering
 * Specific information gathering

# Entry point analysis
 * Identifying entry points
 * Analysing entry points
 * Fuzzing entry points

# Authentication & Authorisations
 * Session issues
 * Authentication issues
 * Delegating authentication
   - OAuth2/OIDC
   - JWT
 * Access control
   - Function
   - Resource-based
# Server-side attacks
 * Injections
 * XML
 * Path traversal
 * Server-Side Request Forgery
 * Deserialization
 * Race conditions

# Client-side attacks
 * Same Origin Policy
 * Cross-Origin Resource Sharing
 * PostMessage API
 * Cross-Site Scripting
 * Cross-Site Request Forgery
 * Websockets

# Infrastructure attacks
 * Attacking encryption mechanisms
 * Request smuggling
 * Cache poisoning


Basic knowledge of Web technologies