Breaking and Owning Cloud Servers and Applications in AWS

Trainer Name:Akash Mahajan & Riyaz Walikar
Title: Breaking and Owning Cloud Servers and Applications in AWS
Duration: 3 Days
Dates: 27^th Feb - 1^st March 2018

Background for the training

Amazon Web Services (AWS) runs the most popular and used cloud infrastructure and boutique of services. There is a need for security testers, Cloud/IT admins and people tasked with the role of DevSecOps to learn on how to effectively attack and test their cloud infrastructure. In this tools and techniques based training we will cover attack approaches, creating your attack arsenal in the cloud, distilled deep dive into AWS services and concepts that should be used for security.

The training is meant to be a hands-on training with guided walkthroughs, scenario based attacks, coverage of tool that can be used for attacking and auditing. Due to the attack, focused nature of the training, we will not be spending a lot of time on security architecture, defence in depth etc. While mitigations will be covered, we will point out to the relevant security documentation provided by AWS for further self-study.

We expect the trainees to bring their own AWS account for the training. We will be providing detailed instructions on how to ensure that you are ready to tackle the class before you arrive for it.

Target audience (Who should attend)

• Pentesters and Security Testers
• Security Professionals
• Cloud / IT Professionals
• DevSecOps Professionals

Training delivery approach (What to expect)

• Completely hands-on
• Automation scripts will be provided to bring up your AWS cloud infrastructure
• Fast paced training
• Using cloud control panel, CLI, AWS services and chosen security and management tools which will be provided
• Internet connectivity will be provided
• While we will be using free-tier AWS services as much as possible, you can expect some minimal account charges

Hardware and Software requirements

• Laptop with a modern OS like Windows 10 / OSX / Linux
• Ability to connect to the conference wireless network
• Own AWS account which has been activated for payments
• VirtualBox 5.2.6 or above installed

Pre-requisites (What you should know)

• Familiarity with AWS console
• Familiarity with Security Testing basics and tools like nmap, Burp Suite / OWASP ZAP
• Comfortable using command line tools to login to servers, install packages, executing scripts and applications
• Basics of HTTP, JavaScript
• Basics of Networking concepts enough to understand Cloud Architecture
• Ideally you should have started VMs in AWS, configured S3 buckets and have an idea of IAM

What not to expect

• DevOps concepts
• How to build out cloud infrastructure
• A lot of theory

Giveaways

• Complete training hands-on guide
  • This will be in an e-book formats such as ePub, Mobi, PDF and HTML
  • You can use it with e-book readers such as Kindle etc.
• Access to our online AWS Workbench for a month
  • Use this to practice some key concepts and skills from beginner to intermediate
• References and links for further studying
• One month access to exclusive training slack channel
  • This is to ensure that if you are practicing after the class, you have us available to guide and answer questions
  • This also provides a platform for class to continue the discussions online

Hashtags

• #awscloudsec

Courseware

Cloud compute

We look at the compute services of AWS such as EC2 (Virtual machines), Lambda (Serverless) and ELB (Load Balancers) from a point of view of attacking and auditing them. Additionally, we will start with creating our attackers machine in the cloud as well. This allows for rapid provisioning, creation of VMs etc.

• Setting up Attack Tools and VMs using automation
• Attacking EC2 and ELBs
• Application Misconfigurations
• EC2 meta data abuse
• Stealing credentials
• Attacks against virtualization
• Using AWS Inspector for audits and attacks
• Attacking Serverless endpoints (AWS Lambda)

Cloud storage

Most of the applications require storage. Either this is block storage that we are used to like HDDs or object storage the kind AWS S3 provides. We will learn how to attack, abuse, steal and pillage stored data due to misconfigurations or by the virtue of doing forensics on existing snapshots etc.

• Abusing AWS S3 misconfigurations
• Disovering and pillaging EBS
• Cloud forensics for discovery and attacks

Cloud databases

Apart from the standard storage most data are stored in databases. We will attack AWS RDS for finding out misconfigurations which will allow us to steal data and increase our foothold.

• AWS RDS misconfigurations
• Data pilferage

OSINT against cloud targets

Cloud infrastructures are relatively new compared to the traditional on premise enterprise IT. This means that a lot of resources are not secured properly or people haven't realised what all to secure. By applying OSINT techniques, we will learn more about our targets and use that information to super charge our attacks.

• Techniques for OSINT
• Tools for finding public buckets
• Tools for discovering, stealing keys and endpoints

Cloud security and compliance

Security is not always about attack and defence. A vibrant running ecosystem involves governance and compliance activities. Here we will look at how we can use AWS Trusted Advisor (free version) for this and then Botmetric. Botmetric is leading tool for managing security and compliance for AWS clouds. While this is a paid tool, we have managed to get each of the attendees a one month trial which will be more than enough for the class and any additional practice you may want to do afterwards

• Using Trusted Advisor
• Using Botmetric

AWS services and concepts for security

While most of the class is hands-on and scenario based, we will cover the following topics at relevant places during the training. These will be some beginners to intermediate tasks done in a sequence to build our capacity.

• AWS IAM
• AWS Security Groups
• AWS VPCs
• AWS CloudWatch
• AWS CloudTrail
• AWS Flowlogs
• AWS Cloud DNS Route53
• AWS Config
• Requirements for Pentesting AWS Cloud Infra

Capture the flag

We will end the training with a hands-on CTF for all the attendees. The challenges are meant to evaluate key concepts and skills that you would have gained over the course of 3 days of the training. By repeating them in a challenge format you will be able to self-evaluate how much of the knowledge has been retained and what are the concepts that you need to practice more.

• Hands on challenges for the attendees
• Walkthrough of all challenges

About the trainer

Riyaz Walikar

Riyaz Walikar is the Chief Offensive Security Officer at Appsecco, a company that specializes in Web Application Security. His primary interests lie with application security, penetration testing and security evangelism. He is a security evangelist, offensive security expert and researcher with over 9 years of experience in the Internet and web application security industry. He has many years of experience providing web application security assessments, has lead penetration testing engagements in many countries and performed numerous onsite reviews on infrastructure and system security.

He also leads the Bangalore chapters of OWASP and the null community, actively encouraging participation and mentoring new comers in the industry.

Riyaz is also a frequent speaker at security events and conferences around the world including BlackHat, nullcon, c0c0n, xorconf and OWASP AppsecUSA.

He also dabbles in vulnerability research and has found bugs with several popular online services of major companies including Facebook, Twitter, Google, Cisco, Symantec, Mozilla, PayPal, and EBay. When he is not writing/breaking code, you can find him sleeping, playing football, reading or fishing.

Akash

Akash is a Director at Appsecco, a company that specializes in Web Application Security. He is an accomplished security professional with over a decade’s experience of providing specialist application and infrastructure consulting services at the highest levels to companies, governments and organisations around the world.

He has a deep experience of working with clients to provide cutting edge security insight that truly reflects the commercial and operational needs of the organisation from strategic advice to testing and analysis to incident response and recovery.

Akash has also authored a book titled “BurpSuite Essentials” that comes recommended by the creator of BurpSuite itself and is an active participant in the international security community and conference speaker both individually, as chapter lead of the Bangalore chapter of OWASP the global organisation responsible for defining the standards for web application security and as a co-founder of NULL India’s largest open security community.