SEC588: Cloud Penetration Testing

Cert: GCPN GIAC Cloud Penetration Tester

SEC588 will equip you with the latest in cloud focused penetration testing techniques and teach you how to assess cloud environments. In this course we dive into topics like cloud based microservices, in-memory data stores, serverless functions, Kubernetes meshes, and containers, as well as identifying and testing in cloud-first and cloud-native applications. You will also learn specific tactics for penetration testing in Azure and AWS, particularly important given that Amazon Web Services and Microsoft account for more than half of the market. It's one thing to asses and secure a datacentre, but it takes a specialized skillset to truly assess and report on the risk that an organization faces if their cloud services are left insecure.

What You Will Learn
Aim Your Arrows To The Sky And Penetrate The Cloud

Computing workloads have been moving to the cloud for years. Analysts predict that most if not all companies will have workloads in public and other cloud environments in the very near future. While organizations that start in a cloud-first environment may eventually move to a hybrid cloud and local data center solution, cloud usage will not decrease significantly. So when it comes to assessing risk to organizations, we need to be prepared to assess the security of cloud-delivered services. In this course you will learn the latest in penetration testing techniques focused on the cloud and how to assess cloud environments.

The most commonly asked questions regarding cloud security are "Do I need training for cloud-specific penetration testing" and "Can I accomplish my objectives with other pen test training and apply it to the cloud?" The answer to both questions is yes, but to understand why, we need to address the explicit importance of having cloud-focused penetration testing. In cloud-service-provider environments, penetration testers will not encounter a traditional data center design. Specifically, what we rely on to be true in a traditional setting - such as who owns the Operating System, who owns the infrastructure, and how the applications are running - will likely be very different. Applications, services, and data will be hosted on a shared hosting environment that is potentially unique to each cloud provider.

What makes cloud native different? The Cloud Native Computing Foundation, which was chartered to provide guidance on what is a cloud-first and cloud-native application, states that the application and environment will be composed of containers, service meshes, microservices, immutable infrastructure, and declarative APIs.

While some of these items are available in a non-cloud environment, in the cloud these features are further decomposed into services that are made available by cloud providers. In this environment, an example of complexity is a microservices architecture in which there may be a virtual machine, a container, or even what is considered a "serverless" hosting area. We must therefore deal with additional complexity in order to appropriately assess this environment, stay within the legal bounds, and learn new and different ways to perform what we would consider legacy attacks.

SEC588 dives into these topics as well as other new topics that appear in the cloud like microservices, in-memory data stores, files in the cloud, serverless functions, Kubernetes meshes, and containers. The course also specifically covers Azure and AWS penetration testing, which is particularly important given that Amazon Web Services and Microsoft account for more than half of the market. The goal is not to demonstrate these technologies, but rather to teach you how to assess and report on the true risk that the organization could face if these services are left insecure.

Syllabus (36 CPEs)

SEC588.1: Discovery, Recon, and Architecture at Scale

SEC588.2: Mapping, Authentication, and Cloud Services

SEC588.3: Azure and Windows Services in the Cloud

SEC588.4: Vulnerabilities in Cloud Native Applications

SEC588.5: Exploitation and Red Team in the Cloud

SEC588.6: Capstone

GIAC Cloud Penetration Tester
"The GIAC Cloud Penetration Testing (GCPN) certification provides our industry with a first focused exam on both cloud technologies and penetration testing disciplines. This certification will require a mastery in assessing the security of systems, networks, web applications, web architecture, cloud technologies, and cloud design. Those that hold the GCPN have been able to cross these distinct discipline areas and simulate the ways that attackers are breaching modern enterprises." - Moses Frost, Course Author SEC588: Cloud Penetration Testing

Cloud Penetration Testing Fundamentals, Environment Mapping, and Service Discovery

AWS and Azure Cloud Services and Attacks

Cloud Native Applications with Containers and CI/CD Pipelines

Laptop Requirements
Important! Bring your own system configured according to these instructions!

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

It is critical that you back up your system before class. It is also strongly advised that you do not bring a system storing any sensitive data.

System Hardware Requirements

CPU

64-bit Intel i5/i7 2.0+ GHz processor
Your system's processor must be a 64-bit Intel i5 or i7 2.0 GHz processor or higher. Your CPU and OS must support a 64-bit guest virtual machine.
VMware provides a free tool for Windows that will detect whether or not your host supports 64-bit guest virtual machines.
Windows users can use this article to learn more about their CPU and OS capabilities.
Apple users can use this support page to learn more information about Mac 64-bit capability.
BIOS

Enabled "Intel-VT"
Intel's VT (VT-x) hardware virtualization technology should be enabled in your system's BIOS or UEFI settings. You must be able to access your system's BIOS throughout the class. If your BIOS is password-protected, you must have the password.
USB

USB 3.0 Type-A port
At least one available USB 3.0 Type-A port is required for copying large data files from the USB 3.0 thumb drives we provide in class. The USB port must not be locked in hardware or software. Some newer laptops may have only the smaller Type-C ports. In this case, you will need to bring a USB Type-C to Type-A adapter.
RAM

8 GB RAM (4 GB minimum) is required for the best experience. To verify on Windows 10, press Windows key to open Settings, then click "System," then "About." Your RAM information will be toward the bottom of the page. To verify on a Mac, click the Apple logo at the top left-hand corner of your display and then click "About this Mac."
Hard Drive Free Space

60 GB FREE of FREE space on the hard drive is critical to host the virtual machines and additional files we distribute. SSD drives are also highly recommended, as they allow virtual machines to run much faster than mechanical hard drives.
Operating System

Latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below. It is necessary to fully update your host operating system prior to the class to ensure you have the right drivers and patches installed to utilize the latest USB 3.0 devices. Those who use a Linux host must also be able to access exFAT partitions using the appropriate kernel or FUSE modules.
Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course.

Who Should Attend SEC588?
Both attack-focused and defense-focused security practitioners will benefit greatly from this course by gaining a deep understanding of vulnerabilities, insecure configurations, and associated business risk to their organizations.

This course benefits penetration testers, vulnerability analysts, risk assessment officers, DevOps engineers,