Training Program Agenda

The agenda is subject to change. The agenda times are reflected in local time of the host city.

About TLP Designations

If you are unfamiliar with the Traffic Light Protocol ("TLP"), please visit https://www.first.org/tlp/ for details. In the use case for FIRST events, TLP levels specifically indicate whether press, social media, and photography/videography may occur. You do not need to be "invited" to attend a TLP:RED session as a confirmed, registered delegate. Please see the Registration Terms & Conditions: Photography or Recording Usage by Attendees.

Sunday, June 14th

Tracks: Track 1 | Track 2 | Track 3 | Track 4

08:30 – 10:00
  Track 1 (LV): Let's automate RTIR, Armins Palms (CERT.LV, LV), TLP:GREEN
  Track 2 (US): Communication Skills for Incident Response, Don Stikvoort (Open CSIRT Foundation); Jeffrey J. Carpenter (US), TLP:CLEAR
  Track 3 (CA): From Visibility to Action: Building Effective Monitoring and Response Programs for OT Systems, Peter Morin (PwC, CA), TLP:CLEAR
  Track 4 (US): Network Infrastructure Security for Incident Responders, John Kristoff (US), TLP:CLEAR

10:10 – 10:15
  Coffee Break

10:15 – 12:30
  Track 1 (LV): Let's automate RTIR, Armins Palms (CERT.LV, LV), TLP:GREEN
  Track 2 (US): Communication Skills for Incident Response, Don Stikvoort (Open CSIRT Foundation); Jeffrey J. Carpenter (US), TLP:CLEAR
  Track 3 (CA): From Visibility to Action: Building Effective Monitoring and Response Programs for OT Systems, Peter Morin (PwC, CA), TLP:CLEAR
  Track 4 (US): Network Infrastructure Security for Incident Responders, John Kristoff (US), TLP:CLEAR

12:30 – 13:30
  Lunch Break

13:30 – 15:30
  Track 1 (AR): AWS Security - The Purple Team Way, Santiago Abastante (Solidarity Labs, AR), TLP:GREEN
  Track 2 (US): Communication Skills for Incident Response, Don Stikvoort (Open CSIRT Foundation); Jeffrey J. Carpenter (US), TLP:CLEAR
  Track 3 (CA): From Visibility to Action: Building Effective Monitoring and Response Programs for OT Systems, Peter Morin (PwC, CA), TLP:CLEAR
  Track 4 (US): Network Infrastructure Security for Incident Responders, John Kristoff (US), TLP:CLEAR

15:30 – 15:45
  Coffee Break

15:45 – 17:30
  Track 1 (AR): AWS Security - The Purple Team Way, Santiago Abastante (Solidarity Labs, AR), TLP:GREEN
  Track 2 (US): Communication Skills for Incident Response, Don Stikvoort (Open CSIRT Foundation); Jeffrey J. Carpenter (US), TLP:CLEAR
  Track 3 (CA): From Visibility to Action: Building Effective Monitoring and Response Programs for OT Systems, Peter Morin (PwC, CA), TLP:CLEAR
  Track 4 (US): Network Infrastructure Security for Incident Responders, John Kristoff (US), TLP:CLEAR
  •  AR, TLP:GREEN

    AWS Security - The Purple Team Way

    Former Police Officer from Argentina, now a Cloud Incident Responder and Security Engineer with over 10 years of IT experience. A Digital Nomad and international speaker, I've presented on Cloud Security and Incident Response at Ekoparty, FIRST, Virus Bulletin (three times), Hack.Lu, and various BSides events worldwide. I hold a Bachelor's degree in Information Security and an MBA (Master in Business Administration).

    Cloud platforms like Amazon Web Services (AWS) are foundational to many critical infrastructures and enterprise applications, making them prime targets for attackers. In this session, we will not only explore the most relevant attack vectors cybercriminals use to compromise AWS infrastructures but will also simulate these attacks using known threat actor techniques in an adversary emulation context. From initial access to hardcore persistence, this talk will provide a comprehensive look at how attackers operate in AWS environments.

    We will take a technical journey through the tactics, techniques, and procedures (TTPs) employed by attackers at every stage of the threat lifecycle, aligned with the MITRE ATT&CK framework. We’ll start by reviewing common methods of initial access, such as exploiting exposed credentials or vulnerabilities in services like IAM, Lambda, and EC2. From there, we’ll detail how attackers escalate privileges, move laterally, and evade detection from tools like CloudTrail.

    The session will conclude with an in-depth look at advanced persistence techniques in AWS, including the manipulation of IAM policies, backdooring Lambda functions or Docker containers, and tampering with logs. Along the way, we’ll demonstrate how security teams can implement defensive and detection strategies to mitigate these risks. By leveraging AWS-native services and third-party tools, attendees will learn how to enhance their incident response capabilities.

    This hands-on workshop will give attendees practical, technical insights into AWS security, adversary behavior, and how to better defend against sophisticated, persistent attacks. With only two slides and full hands-on experience, this talk ensures deep technical immersion.

    Requirements:

    Participants should have the following ready before the training:

    • AWS CLI installed
    • Terraform installed
    • GitHub account for cloning lab repos
    • Knowledge of AWS Security Fundamentals

    An email with detailed setup instructions will be sent beforehand.

    Provided Material:

    • Github Repository with the solution to the workshops

    Final Notes:

    This training is designed for security engineers, SOC analysts, incident responders, and anyone who wants to truly understand AWS security through hands-on work. By the end of the session, you’ll have a deep understanding of how real attack and defense techniques work in AWS, and be able to understand the hardening requirements, replicate attacks, generate detection use cases, and execute forensic techniques.

    Full Agenda:

    • Phase 1: Attacking The Cloud

      • Title 1: From Initial Access to Privilege Escalation (30 mins + 30 mins hands-on)

        • Understanding AWS IAM in full

        • Lateral Movement with IAM

        • Malware Analysis of TeamTNT Infostealer

        • Getting Credentials from Misconfigurations

        • Privilege Escalation via IAM Policies

        • Privilege Escalation via IAM Roles

        • Privilege Escalation via Exec to Instances and Containers

      • Title 2: From Defense Evasion to Persistence (30 mins + 30 mins hands-on)

        • Getting Blindspots in the Shared Responsibility Model

        • Bypassing GuardDuty

        • Understanding how CloudTrail logs work

        • Tampering CloudTrail without getting caught

        • Living off the Land Techniques

        • Persistence in AWS via SSH implant

        • Persistence in AWS via LotL

    • Phase 2: The Blue Team Way

      • Title 1: Security Detection in AWS (30 mins + 30 mins hands-on)

        • CloudTrail for API Call Logging

        • Understanding the complete supply chain

        • SIEM Integration and Detection Use Case Creation

        • Understanding the Delays in SIEM integration

        • Understanding EventBridge for Automated Response

        • Hardening Best Practices

      • Title 2: Incident Response in AWS (30 mins + 30 mins hands-on)

        • Using the CloudTrail Digest to detect tampering

        • Creating an Athena table for CloudTrail Analysis when the SIEM Fails

        • Using Event History as a last resort

        • Forensic Images of EC2 instances

        • Network Isolation of AWS instances

        • AWS Threat Hunting 101

        • How to detect persistence in AWS

    June 14, 2026 13:30-15:30, June 14, 2026 15:45-17:30

  •  US, TLP:CLEAR

    Communication Skills for Incident Response

    Jeffrey Carpenter has dedicated more than 35 years to improving the state of information security in roles such as analyst, product security officer, information security officer and leader. He currently works with companies to help them improve and exercise their cyber.

    In 1995, Jeffrey joined the CERT® Coordination Center, located at Carnegie Mellon University’s Software Engineering Institute. He became the incident response team leader in 1998 and technical manager in 2000, managing a team of more than 50 technical staff members. Jeffrey led the incident response and threat intelligence services for Dell Secureworks for almost a decade and is now the Deputy CISO of Accuray, a medical device manufacturer.

    Jeffrey’s active involvement in the incident response community over the years has included presenting in various forums and serving on Forum of Incident Response and Security Teams (FIRST) committees and working groups.

    In 2021, Jeffrey was inducted into the Incident Response Hall of Fame by the Forum of Incident Response and Security Teams (FIRST).

    Don Stikvoort was born in 1961, and in 1987 finished his MSc in physics with the highest honours. From 1988 onwards he was one of Europe's Internet and cyber security pioneers. He led the 2nd European CSIRT until 1998, started the cooperation of European CSIRTs in 1993, and was a founding father of NCSC-NL, the Dutch national team. He is co-author of the CSIRT Handbook and creator of the SIM3 CSIRT maturity model, a FIRST hall-of-fame member and an experienced keynote speaker, and co-founder and current chair of the Open CSIRT Foundation. Apart from these 30+ years in cyber security, Don is also an NLP master trainer & practitioner, and has been giving train-the-trainer trainings worldwide, especially in the cyber security community. Additionally, Don performs executive life/work coaching and therapy for a very limited number of clients.

    This workshop is designed to enhance the communication skills of incident response and security analysts, so they can confidently and competently relay key messages to business stakeholders during a cyber crisis. No prior experience or qualifications are needed, as it will provide attendees with advice and recommended best practice, as well as the opportunity to practice communications in a safe environment. Ultimately, the session will immediately enable and equip incident responders with the tools to proactively and consciously develop their own effective communication capability.

    High Level Goals:

    • Raise awareness of the value and direct benefit associated with effective communication
    • Understand key requirements for meaningful communication
    • Learn how to organise and tailor information based on the intended audience
    • Develop a clear message to convey, supporting that message with facts and ensuring expectations are managed
    • Determine the best method for communicating and making the most of existing tools
    • Learn to use AI effectively to help formulate the message and enhance presentation materials

    This workshop is a combination of lecture, hands-on construction of a briefing using data from a sample incident and practiced delivery.

    This workshop was presented at FIRST in Montreal in 2023 and the OCSC conference in 2024 with very positive feedback.

    June 14, 2026 08:30-10:00, June 14, 2026 10:15-12:30, June 14, 2026 13:30-15:30, June 14, 2026 15:45-17:30

  •  CA, TLP:CLEAR

    From Visibility to Action: Building Effective Monitoring and Response Programs for OT Systems

    Peter leverages over 25 years of experience to help clients develop robust Cybersecurity program strategies. This includes advising organizations in areas ranging from industrial and control system (ICS) security, network security architecture, threat hunting and red-teaming to cloud security, incident response, computer forensics, and beyond. Throughout Peter’s career, he has held senior positions with numerous organizations, including major consulting businesses, a global Cybersecurity consulting firm, a national telecommunications and media company, a Fortune 500 cloud-computing company, a recognized Cybersecurity software company and a major US defense contractor. As a public speaker, Peter has presented at numerous events held by the FBI, US Department of Homeland Security, FIRST, BSides, SecTor, SANS, Blackhat, Public Safety Canada and ISACA. Peter is also the co-host of the CTRL-ALT-DEFEND Podcast.

    This immersive workshop is designed to bridge the gap between cybersecurity operations and industrial control system (ICS) realities. Participants will learn how to monitor, detect, and respond to cyber threats in OT environments using real-world tools, processes, and equipment. Through a combination of lectures and live demonstrations, attendees will explore how to operationalize OT monitoring programs, integrate detection with IT SOC processes, and build effective incident response playbooks that protect both safety and production uptime.

    June 14, 2026 08:30-10:00, June 14, 2026 10:15-12:30, June 14, 2026 13:30-15:30, June 14, 2026 15:45-17:30

  •  LV, TLP:GREEN

    Let's automate RTIR

    Armins Palms is the Incident Response Team Manager at CERT.LV, Latvia’s national and governmental CSIRT. He leads the national incident response efforts and is the author of several key cybersecurity projects, including the National DNS Firewall — a service actively used across Latvia — and an intelligence platform for monitoring activity on Telegram, among others.

    Armins is also a developer and instructor for multiple hands-on technical workshops, such as “DNS Openshield”, where participants gain practical skills to build their own DNS Firewall services using open-source tools. He is the author of the “LearnDocker” tutorial, designed to teach the fundamental concepts of Docker and containerization.

    His latest course, “Let’s Automate RTIR”, is developed for the cybersecurity community and professionals working with RTIR. The workshop helps participants extend RTIR’s capabilities through automation and integration, making daily inc

    There are many ticketing systems available to help manage and oversee the daily work of an Incident Response (IR) team. Among them, RTIR (Request Tracker for Incident Response) is one of the most widely used systems by CERT and CSIRT teams. It offers extensive functionality, including support for manual scripting. However, to truly extend RTIR’s capabilities, it’s often necessary to go beyond the standard interface and leverage its API.

    In this workshop, you will learn how to enhance RTIR through automation and integration. Using the RTIR API, you will explore how to:

    • Prepare RTIR for automation
    • Parse and process incoming events
    • Automate routine tasks within RTIR
    • Enrich tickets with data from external sources
    • Integrate RTIR with external tools such as Mattermost

    This hands-on course is designed for beginners and provides the foundational knowledge needed to automate and extend RTIR. By the end of the workshop, participants will be equipped with the skills to customize and automate their organization’s RTIR environment to better suit their needs.

    June 14, 2026 08:30-10:00, June 14, 2026 10:15-12:30

  •  US, TLP:CLEAR

    Network Infrastructure Security for Incident Responders

    John Kristoff is currently a PhD candidate in Computer Science at the University of Illinois Chicago, a principal analyst at NETSCOUT on the ATLAS Security Engineering and Response Team (ASERT), and operates Dataplane.org. John’s primary career interests, experience, and expertise are in Internet infrastructure. He is particularly focused on better understanding and improving the routing system (BGP), the naming system (DNS), and internetwork security. John is or has been associated with a number of other organizations and projects involving Internet operations and research, some of which include: DNS-OARC, DePaul University, Dragon Research Group (DRG), FIRST, ICANN, IETF, Internet2, NANOG, Neustar - formerly UltraDNS, Northwestern University, nsp-security, ops-trust, REN-ISAC, and Team Cymru.

    This training is designed to align with the objectives of the FIRST NETSEC SIG, focusing on the advancement of network security education. It aims to provide an introduction to essential network security concepts and practices, thus supporting efforts to enhance incident response coordination across the network.

    Topics:

    • Introduction to foundational network security concepts
    • Infrastructure device security
    • BGP overview
    • Resource Public Key Infrastructure (RPKI) introduction
    • Distributed Denial of Service (DDoS) concepts
    • Remote Triggered Blackhole (RTBH) and flow-specification technology overview
    • Network flow analysis tools
    • DNS security concepts
    • Passive DNS overview
    • DNSSEC overview
    • Network security communities

    June 14, 2026 08:30-10:00, June 14, 2026 10:15-12:30, June 14, 2026 13:30-15:30, June 14, 2026 15:45-17:30