Incident Response & Threat Intelligence

T4-2H. Deconstructing AWS Intrusions: Attack, Detect, Defend Lab

Tuesday, June 11, 2024 1:00 PM - 4:00 PM

Room 2H

Description

NOTE: ATTENDEES MUST BRING THEIR OWN LAPTOPS TO PARTICIPATE IN THIS WORKSHOP.

Cloud is not necessarily a new technology but unless they you are working within a cloud environment professional it is likely a bit of a black box. The goal of this workshop is to demystify how the cloud can be leveraged by attackers and more importantly how defenders can detect and defend against them. This session will allow the participants to walk through a few steps of a basic AWS attack, similar to the Capital One attack. Attendees will then build queries to find the activity, and fix misconfigurations that allowed it to take place to begin with. If you want to learn more about how attackers gain access to and leverage the cloud this is the workshop for you! The ideal attendee with have the following: - Some experience with Command Line/Terminal - Basic understanding of cloud - Basic understanding of web attacks Proposed Schedule: Hour 1 - Intro - Setup lab - Assist students in gaining access to AWS instance - Install Burp Suite on students laptops - Attack - Perform SSRF against vulnerable server - Gain AWS Creds Hour 2 - Attack - Discovery - Privilege Escalation to another user - Enumerate privileges - Download S3 Object - Investigate Activity Hour 3 - Build Detections - Remediation/Defensive Configurations - Summary

NOTE: ATTENDEES MUST BRING THEIR OWN LAPTOPS TO PARTICIPATE IN THIS WORKSHOP.

Learner Objectives

After this session, learner will... - Leverage SSRF to gain access to AWS Creds - Enumerate permissions and elevate privileges - Exfiltrate data from S3 Buckets - Investigate logs from the attack - Walk through mitigations and preventative controls