Hands-On Workshop: Building Better Detections - Azure Edition
Author: SANS Cloud Security
Uploaded: 2023-08-14
Views: 1590
This is a 2 hour hands-on workshop.
As with any enterprise environment, we can (and should) focus on hardening our defenses to keep adversaries out, but these defenses may someday be evaded through a variety of methods. Cloud is no different. In this workshop, which is a follow-on to the talk “Building Better Cloud Detections... By Hacking? (Azure Edition)”, we will work through the process of creating a detection that we, as defenders, can use to spot an adversary performing attack techniques against our Azure environments.
The overall process and takeaways will be:
Establish proper logging to detect the adversarial activity
Perform the attack to generate the appropriate artifacts
Review the log event data
Create an automated process to quickly discover this activity
Test that the automated process is working effectively by “re-attacking” the Azure account
Prerequisites: An Azure account with administrator access
System Requirements: A modern web browser
About the Creators / Speakers
Alexander Braulik
Alexander Braulik is a Cyber Security Expert in the CSIRT and Detection Engineering Team of NVISO Security. His background ranges from forensic investigations across Windows, macOS, and Linux hosts to leading, planning, and executing red team and purple team exercises. In his current role he applies his expertise in both offense and defense to the development of SIEM use cases and SOC automation, as well as to leading Digital Forensic & Incident Response engagements. Alex can be found teaching SEC541: Cloud Security Attacker Techniques, Monitoring, and Threat Detection. Learn more about Alex at https://www.sans.org/profiles/alexand...
Ryan Nicholson
Ryan's passion for information technology started in 2001 when he found himself constantly trying to make his high school's computers and even calculators do things that they weren't exactly intended to do. They lacked games, so he learned how to create some. Yes, some may call this hacking. Ryan called it "fun", which led to attending college with the intention of becoming a software engineer. During school, Ryan obtained an internship with a very cybersecurity-minded organization, the Defense Information Systems Agency (DISA). Ever since then, he's been hooked on cybersecurity. Ryan is the author of SEC488: Cloud Security Essentials and co-author of SEC541: Cloud Security Attacker Techniques, Monitoring, and Threat Detection. Learn more about Ryan at https://www.sans.org/profiles/ryan-ni...
SEC541: Cloud Security Attacker Techniques, Monitoring, and Threat Detection https://www.sans.org/cyber-security-c...
SANS Cloud Security focuses the deep resources of SANS on the growing threats to The Cloud by providing training, GIAC certification, research, and community initiatives to help security professionals build, deploy and manage secure cloud infrastructure, platforms, and applications.
SANS Cloud Security Curriculum: www.sans.org/cloud-security
Twitter: @SANSCloudSec
LinkedIn: sanscloudsec