The same great content plus much, much more.
Eric Johnson and I (Brandon Evans) have been delighted to be the authors of SEC510: Cloud Security Controls and Mitigations for nearly five years. The course teaches the nuances that distinguish the Big 3 cloud providers and how to securely configure each platform to prevent incidents from becoming breaches. We are always happy to see the value our students have gained from taking the course, such as when Sean Ayres of UPS stated, “If you Cloud, you need this course - period.”
We are proud to have iterated on the course every year, adding novel mitigation techniques, case studies, and lab exercises. We have also worked hard to continuously improve the student experience, including eliminating the need to run a heavyweight virtual machine in favor of a completely web browser-based lab environment.
This year, we took this to the next level! We streamlined our existing content to make room for some amazing new additions. This includes 50% new or overhauled labs. Most of the “cut” content has been moved to bonus challenges. Here is just a sample from our many new labs:
Recover from Ransomware
Cloud customers believe that the cloud takes extra steps to protect their data from ransomware. This is not true for cloud storage services, at least with the default configuration. This means that, with the right identity and access management (IAM) permissions, an attacker can obliterate all your cloud storage buckets within a matter of minutes.
We demonstrate this in a lab by exploiting an all-too-common vulnerability: developers who install programs created by strangers on the internet. The student plays the role of the developer by unwittingly running an installation script like the one in the slide below from the updated course:
In this case, the script uses the developer’s excessive IAM privileges to encrypt every file in their cloud storage buckets. By default, the organization would not be able to recover. Thankfully, we implemented the compensating controls covered in the lecture. The student will learn how to use these controls to restore their data to its original form.
IAM Broken Access Control and Policy Analysis (Now with GenAI!)
We made massive expansions to our IAM content in Section 1, including how to thwart even more dangerous IAM permissions and privilege escalation techniques than before.
One of the new labs in this section covers various IAM policy analyzer tools, such as the AWS IAM Access Advisor and the Google Cloud Policy Analyzer. While we cover Azure’s solution, Microsoft Entra ID Permissions Management, it can be too expensive for many organizations to use.
So, we will supplement these analyzers with Generative Artificial Intelligence (GenAI), specifically Large Language Models (LLMs) through ChatGPT. GenAI is all the rage, and security organizations are scrambling to figure out how to use it effectively. However, as Ahmed AbuGharbia and I stated in a chapter of a recent eBook, security should be skeptical of its effectiveness. GenAI is just a tool: in some cases, it can be useful, and in others, it can be useless or even counterproductive.
This lab makes the case that LLMs, when used properly, can greatly assist with IAM policy analysis and generation. Students will experiment with various IAM-related prompts to see which yield the best results. Unsurprisingly, generic prompts like “Provide a set of Azure role assignments that will prevent me from getting hacked” will fall flat. Still, well-crafted prompts informed by the organization’s context can help security engineers translate authorization logic in plain English to the brackets and braces the cloud providers require to get the job done.
Remote Code Execution via Private Endpoint Abuse
Building off our recent workshop, we will push network isolation to its limits. In the previous labs, students learned how to run cloud compute instances in a network that does not allow any egress traffic. For an application running on one of these instances to keep working, students must create a private endpoint. This allows the workload to communicate with cloud services, like Amazon Simple Storage Service (S3), without any internet connectivity.
However, these private endpoints can be exploited. To demonstrate this, students will be provided with two different AWS accounts: one for the attacker and one for the target. They will then use a software package supply chain attack to download a malicious payload from the attacker’s S3 bucket, execute it, and exfiltrate data through the private endpoint, all without internet access!
This is a complex attack, but it has a fairly simple solution. The lab will conclude with the student applying the appropriate policy on the target’s private endpoint. They will then witness firsthand how this policy prevents this attack altogether.
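The policy the lab applies to the private endpoint is the control that closes this path. As an added example (not the course's lab code), the block below contrasts the permissive policy a new S3 gateway endpoint ships with against one that only lets requests reach buckets owned by the target account, using the AWS global condition key aws:ResourceAccount, and evaluates both with a deliberately minimal model of IAM policy evaluation. The account IDs are constructed placeholders.

```python
import fnmatch

# Constructed account IDs (placeholders, not real AWS accounts).
TARGET_ACCOUNT = "111111111111"
ATTACKER_ACCOUNT = "222222222222"

# What a new S3 gateway endpoint ships with: any principal, any action, any bucket,
# including buckets owned by other accounts such as the attacker's.
DEFAULT_ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}],
}

# Hardened endpoint policy: S3 requests through this endpoint may only reach
# buckets owned by the target account. aws:ResourceAccount is a global condition key.
HARDENED_ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": "*",
        "Condition": {"StringEquals": {"aws:ResourceAccount": TARGET_ACCOUNT}},
    }],
}


def endpoint_allows(policy: dict, action: str, context: dict) -> bool:
    """Illustrative evaluation of an endpoint policy: an explicit Deny wins, otherwise
    the request needs a matching Allow whose StringEquals conditions all hold.
    Resource matching is skipped because both policies above use "*"."""
    allowed = False
    for stmt in policy["Statement"]:
        patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            continue
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if not all(context.get(key) == value for key, value in equals.items()):
            continue  # condition not satisfied: this statement does not apply
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def exfil_via_endpoint_possible(policy: dict) -> bool:
    """True if a workload behind this endpoint could both fetch a payload from and
    write data to a bucket in the attacker's account."""
    attacker_ctx = {"aws:ResourceAccount": ATTACKER_ACCOUNT}
    return (endpoint_allows(policy, "s3:GetObject", attacker_ctx)
            and endpoint_allows(policy, "s3:PutObject", attacker_ctx))
```

The endpoint policy only governs traffic that traverses the endpoint; the IAM policies on the instance role still apply on top of it, and the two should be tightened together.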
Protecting Public Virtual Machines with Web Application Firewalls
Application Load Balancers (ALBs) and Web Application Firewalls (WAFs) are brand-new topics for SEC510. One of the course’s core themes is that application security affects cloud security. Once an attacker has a foothold in a cloud environment, the cloud offers many different pivot points. At the same time, few security professionals are well-equipped to resolve application security vulnerabilities. This is why it is so critical to use common-sense controls and mitigations to minimize the impact of the inevitable application security flaws.
WAFs provide organizations with another layer of defense-in-depth. They are designed to prevent malicious payloads from getting to the application in the first place. While far from perfect, they can keep less sophisticated attackers out.
The related lab tests the effectiveness of the built-in WAFs for the Big 3 cloud providers. After demonstrating how the application has a command injection vulnerability, we will deploy an ALB with WAF integration to each cloud. Which payloads will it block? Which will it allow in? Tune in to find out!
Prevent Cross-Cloud Confused Deputy
Eric and I have been doing a lot of research on cloud vendor integrations. If done improperly, a vulnerability in the vendor can compromise the customer’s entire cloud environment. Organizations should work to minimize the level of trust they put into the vendors to which they expose their cloud data.
Our research has culminated in us finding a Confused Deputy Vulnerability in Microsoft Defender for Cloud. The Microsoft Security Response Center (MSRC) rated this flaw to be “Critical,” and we were awarded a bounty. While we really enjoyed this process, we found it fascinating how similar issues are likely affecting many other vendors.
To demonstrate this, we created a fictional application with a vulnerability similar to the one we discovered in Microsoft Defender for Cloud. Students will integrate this tool with the cloud environments in their lab. They will then see how one of the vendor’s customers, if malicious, could trick the vendor into handing over data from another customer’s account. While the vendor itself should resolve this, the lab will explore partial mitigations customers can perform on their end to minimize unintentional cross-customer and cross-cloud data sharing.
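The cross-customer confused deputy described above, reduced to a simulation (an added example, not the course's lab application or the Defender for Cloud finding): the vendor assumes whichever role ARN a tenant registers, and the customer-side mitigation is a role trust policy that requires the sts:ExternalId the vendor assigned to that specific customer. CustomerRole, Vendor, the tenant names and the account IDs are constructed stand-ins.

```python
# Constructed scenario: a multi-tenant vendor assumes a role in each customer's
# cloud account. Account IDs and ARNs below are placeholders, not real ones.
VENDOR_ACCOUNT = "999999999999"

class CustomerRole:
    """Stand-in for an IAM role and the STS AssumeRole check against its trust
    policy: a trusted principal account plus an optional sts:ExternalId condition."""
    def __init__(self, arn, trusted_account, required_external_id=None):
        self.arn = arn
        self.trusted_account = trusted_account
        self.required_external_id = required_external_id
    def assume(self, caller_account, external_id=None):
        if caller_account != self.trusted_account:
            raise PermissionError("principal not trusted by this role")
        if self.required_external_id is not None and external_id != self.required_external_id:
            raise PermissionError("sts:ExternalId condition not satisfied")
        return f"temp-credentials-for:{self.arn}"

class Vendor:
    """The deputy: each tenant registers the role ARN the vendor should assume,
    and the vendor assigns each tenant its own external ID at onboarding."""
    def __init__(self, sts_roles):
        self.sts_roles = sts_roles  # arn -> CustomerRole, standing in for STS
        self.tenants = {}
    def onboard(self, tenant, role_arn):
        # Deterministic here for the test; a real service would use a random value.
        self.tenants[tenant] = {"role_arn": role_arn, "external_id": f"ext-{tenant}"}
    def fetch_customer_data(self, tenant):
        cfg = self.tenants[tenant]
        role = self.sts_roles[cfg["role_arn"]]  # assumes whatever ARN the tenant gave
        return role.assume(VENDOR_ACCOUNT, cfg["external_id"])

def run_scenario(alice_requires_external_id: bool) -> dict:
    """Mallory onboards with Alice's role ARN. Returns, per tenant, whether the
    vendor handed that tenant credentials for Alice's account."""
    alice_arn = "arn:aws:iam::111111111111:role/VendorIntegration"
    alice_role = CustomerRole(alice_arn, VENDOR_ACCOUNT,
                              "ext-alice" if alice_requires_external_id else None)
    vendor = Vendor({alice_arn: alice_role})
    vendor.onboard("alice", alice_arn)
    vendor.onboard("mallory", alice_arn)  # points her tenant at Alice's role
    results = {}
    for tenant in ("alice", "mallory"):
        try:
            results[tenant] = vendor.fetch_customer_data(tenant).endswith(alice_arn)
        except PermissionError:
            results[tenant] = False
    return results
```

The mitigation is partial for exactly the reason the text gives: it only works when the vendor sends a per-tenant external ID that tenants cannot choose themselves, so the vendor-side fix remains necessary.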
Bonus: Get Up and Running Faster with a Better, Completely Free Lab Environment
Our labs are performed in real cloud environments. Nothing is simulated. While this is great for reinforcing the concepts that we cover in our lectures, it also poses challenges. Real clouds have real turbulence, after all. As such, getting started with our labs can take some time. Your time is precious, and we want you to use it to learn critical skills.
This is why I am overjoyed to announce that, for the first time ever, students will be provided with accounts for all three cloud providers at the start of class. Deploying to these environments will now be much, much quicker for students. Additionally, because these accounts are managed by SANS, you will not need to spend a single penny on the cloud resources you create. Leave your credit card at home!
We hope that you will enjoy our newest revision of SEC510: Cloud Security Controls and Mitigations. It is up to you to prevent incidents in your organization from becoming breaches!