Security Automation for Offense, Defense, and Cloud


by fatima
Price:  260,000
2 Months
Security Automation for Offense, Defense, and Cloud will equip you with the expertise to apply automated solutions to prevent, detect, and respond to security incidents. Students first train to understand the concept of automation, then learn how existing technologies can be best leveraged to build automation stories that translate repeatable problems to automated scripts.


Course Key Learnings: 

  • Prevention, detection, and response for specific attack techniques used by real-world adversaries and penetration testers
  • Offensive and defensive perspectives of these attack techniques through hands-on exercises
  • How to translate repeatable activities into automated tasks
  • How to improve the efficiency and effectiveness of a security operations team
  • Cloud security automation in AWS and Azure
  • Where to apply security automation and how to properly engineer your environment for automation
  • The power of leveraging automation in purple team exercises

Skills Gained: 

  • Understand the security issues that most organizations are facing today.
  • Translate security issues into smaller problems, define automated solutions for those specific problems, and then fully chain features that can be used to tackle multiple issues in an automated manner.
  • Use tools like Terraform, Ansible, Chef, Puppet, and many more to locally automate secure configurations, set a desired-state configuration, deploy infrastructure as code in different environments, and detect and respond to security incidents in an automated manner.
  • Evaluate real-world scenarios within a combination of on-premise and cloud environments using a reference framework that can be immediately used and implemented in your organization.

Course content:

Module 1: SEC598.1: Security Automation Concepts

Overview

Section one lays the foundation for the remainder of the course by explaining overall security automation concepts and how they can be used within different environments and technology stacks. Concepts to be discussed include automation triggers, desired state configuration and security automation, and SOAR.

Exercises

  • Lab 1.1: Red Team Exercise
  • Lab 1.2: Desired State Configuration
  • Lab 1.3: Linking Triggers to Automation Scripting
  • Lab 1.4: Defining Your First Automation Playbook

Topics

Course Outline and Lab Setup

  • Course Objective and Lab Environment
  • Why Security Automation Matters
  • Introducing GLOBEX Automation

Security Architecture and Configuration

  • Current State of Enterprise Architecture
  • Infrastructure as Code
  • Desired State Configuration

Security Automation Fundamentals

  • Triggers for Automation
  • Automation Playbooks
  • Automated Incident Response
  • How to Apply SOAR and SOEL

Module 2: Security Automation Engineering

Overview

Section two focuses on security task automation in your infrastructure and explains how security automation can be engineered with built-in scripting and configuration management tooling. We will analyze how PowerShell can be used for desired state configuration to detect and respond to system misconfigurations. We will also look at what you can achieve with infrastructure as code tooling and a variety of SOAR tools. Finally, we will discuss playbook design and development for automated incident handling and mitigation techniques.

Exercises

  • Lab 2.1: PowerShell OS Hardening
  • Lab 2.2: Hardening with Ansible
  • Lab 2.3: Creating a Cortex Analyzers Responder
  • Lab 2.4: XSOAR Playbook Development

Topics
  • Automating Security Hardening
  • PowerShell Basics
  • Configuration Management Tooling
  • Security Orchestration and Automation
  • Security Automation with Python
  • Security Orchestration Tools
  • SOAR Playbooks
  • Automated Security Controls
  • Automating Security Compliance
  • Automating Security Hardening
  • Introduction to Cloud Environments
  • Cloud 101A

Module 3: Security Automation in the Cloud

Overview

Sections one and two covered security automation based largely on on-premise technology stacks, so in section three we will move towards cloud native automation tooling. Attendees will gain an in-depth understanding of cloud native technologies used for security automation. We will zoom into blueprinting, compliance validation, and automated remediation by using real-world examples of cloud misconfigurations.

Exercises

  • Lab 3.1: Detecting an Exposed Server with Azure Policy
  • Lab 3.2: Creating Automated Actions in Azure
  • Lab 3.3: Locking Down an Azure Storage Account
  • Lab 3.4: Using the Amazon Web Services (AWS) Configuration Rule
  • Lab 3.5: Integrating AWS/Azure with Third-Party API
  • Lab 3.6: Deploying Reference Architecture with ARM Templates and the AWS CloudFormation Template

Topics

Introduction to the Cloud

  • Azure Basics
  • AWS Basics

Microsoft Azure Automation

  • Azure Policy and Blueprinting
  • Security Monitoring and Automation Triggers
  • How to Automate within Microsoft Cloud Environments
  • Logic App and Azure Functions

AWS Automation

  • AWS Configuration
  • Security Monitoring via CloudWatch and CloudTrail
  • How to Automate within AWS

Bringing It All Together

  • Reference Architectures and Blueprints

Module 4: Offensive Security Automation

Overview

In section four, we will use the automation techniques we learned in previous sections for offensive security automation activities. This section presents examples of how to automate offensive techniques used by real-world adversaries and goes on to explain how chaining attack techniques can be used to emulate these adversaries.

Exercises

  • Lab 4.1: Configuring the Atomic Red Team
  • Lab 4.2: Fully Automating Adversary Techniques
  • Lab 4.3: Using Caldera to Run a Breach Exercise

Topics

Introduction

  • History of Offensive Security
  • Introduction to Purple Teaming
  • The MITRE ATT&CK Framework

Automating Offensive Security Testing

  • Focus of Automation within Offensive Security
  • Automated ATT&CK Testing with SOAR and the Atomic Red Team

Emulating Real-World Cyber Attacks

  • Adversary Emulation
  • Autonomous Breach-and-Simulation Exercise

Chaining Techniques and Automating Adversaries

Organizing Chaos

  • Creating Your Automated Chaos (Netflix Use Case)

Offensive Security in the Cloud

  • Automated Testing for Cloud

 


Module 5: Defensive Security Automation

Overview

Section five focuses on defensive security controls and how we use automation to prevent, detect, and respond to security incidents. Students will gain an in-depth understanding of how attacks can be detected and how to enrich incidents to minimize false positives and automatically trigger responses.

Exercises

  • Lab 5.1: Creating an Incident Response Playbook in PowerShell
  • Lab 5.2: Creating an Incident Response Playbook using XSOAR
  • Lab 5.3: Terraform in Action: Secured Infrastructure
  • Lab 5.4: Detecting a Specific APT with Known Techniques and Automating Security Controls to Detect and Respond to This Attack

Module 6: Security Automation Capstone

Overview

The final course section is a capstone event where students can apply and reinforce all the skills they’ve learned in a friendly, competitive environment. The capstone is a full day of challenging hands-on work applying the principles taught throughout the course. Your team will progress through multiple levels and missions designed to ensure the presence of detection and defensive capabilities.

Topics

  • Applying Previously Covered Security Controls In-Depth
  • Applying and Fine-Tuning Detection Capabilities and Using Automation to Reduce the False Positive Ratio
  • Configuration Management Tools
  • Infrastructure as Code Templates
  • XSOAR Playbook Development
  • AWS Configuration Rules and ARM Templates

International Student Fee: 850 US$


Flexible Class Options

  • Weekend Classes for Professionals: SAT | SUN
  • Corporate Group Trainings Available
  • Online Classes – Live Virtual Class (L.V.C), Online Training
