The cloud is an ever-evolving landscape, which can be a major challenge for digital forensic investigators. As such, the authors of FOR509: Enterprise Cloud Forensics & Incident Response course make a concerted effort to also constantly evolve our course to address changes. With our summer 2023 course update, we aim to do just that.
In order to address the latest updates to Microsoft 365, Azure, AWS, Kubernetes, Google Workspace and Google Cloud Forensics, this course update contains more than 50% new content.
As always, a new release comes with updates to screenshots, product names, and other relevant changes made by the cloud providers since our last release. A primary focus of this update was to include new content related to the most common tactics, techniques, and procedures (TTPs) currently being observed in real-world incidents.
One topic that has been expanded on for this reason is the use of cloud technologies for lateral movement. In order to discuss how threat actors are using cloud-native tools to move laterally, content further detailing Azure Run Commands and AWS SSM has been added. Privilege escalation also is covered in more depth now based on recent observations of novel techniques in the wild.
Given that identity and access management (IAM) is the cornerstone of cloud investigations, we’ve updated the Google Cloud section to delve further into the complexities of Google Cloud IAM. We’ve included coverage of Google Policy Analyzer to provide a way to investigate Google Cloud permissions as well as improved on the existing content to provide easier ways of understanding who and what was accessed in Google Cloud IAM. From an endpoint perspective, there is also more coverage on Google Cloud VMs and how to hunt in such environments.
When we expanded the course to 6 days, we added a section on Kubernetes. We’ve improved upon this section to add coverage of common types of attacks. Additionally, SOF-ELK now includes a parser for Kubernetes to allow for more efficient log analysis.
As big supporters of open-source projects, we are continuously on the lookout for projects like these being shared by practitioners that will prove valuable to our students. In this update, we’ve added sections covering two recently-released community tools, Microsoft Extractor Suite and Automated Audit Log Forensic Analysis for Google Workspace (ALFA).
New labs based on recent real-world scenarios were added throughout the course.
Section 1 of the course includes a new lab covering a real-world extortion scenario resulting from a Microsoft 365 breach. In this lab, students get the opportunity to implement the knowledge from new content surrounding file operations in Microsoft 365 to track data that has been accessed, deleted, and exfiltrated. Section 3 of the course, which covers AWS, has five completely redesigned labs, all connected by a single scenario built on realistic datasets covering the most common TTPs.
In addition to a wealth of new Kubernetes content comes a new Kubernetes lab. This lab provides hands-on experience analyzing Kubernetes logging to identify and interpret malicious activity. Section 5, focused on Google Cloud, also contains an all new set of inter-connected labs. Each lab provides a look into new parts of Google Cloud while allowing the student to follow a single incident.
Just like the cloud, SANS FOR509 is continuously evolving and this is just one of many releases to come to ensure that our students are up-to-date on the cloud threat landscape.
With the significant amount of new content and labs in this release, it’s by far our most major update since the release of the 6-day version of the course last year. We will continue to have regular updates to the course to ensure our students can leave the class feeling prepared to implement the knowledge and skills learned in the real-world. You can find a flyer covering many of the latest updates here.
Listen to course co-author David Cowen explain the new update
