Prior pen test / security experience is not a strict requirement; however, some
knowledge of cloud services and familiarity with common Unix command-line syntax
will be beneficial. The syllabus for the class is as follows:
• Introduction to Cloud Computing
• Why cloud matters
• How cloud security differs from conventional security
• Types of cloud services
• Legalities around attacking / pen testing cloud services
• Understanding the attack surfaces of various cloud offerings, such as IaaS, PaaS, SaaS and FaaS
• Exploiting serverless applications
• Owning cloud machines
• Attacking cloud services such as storage or database services
• Examples and case studies of various cloud hacks
• Privilege escalation (horizontal and vertical) and pivoting techniques in the cloud
• Obtaining persistence in the cloud
• Exploiting dormant assets: IDs, services, resource groups, security groups and more
• Cloud Infrastructure Defence
• Monitoring and logging
• Benchmarks
• Auditing Cloud Infrastructure (Manual and automated approach)
• Base Images / Golden Image auditing for Virtual Machine / Container Infrastructure
• Preventive measures against cloud attacks
• Host-based Defence
• Using Cloud services to perform defence
• Closing CTF to reinforce the learning