Course Outline
Most incident responders have strong muscle memory for on-prem ransomware: endpoint alerts, DCs, file servers, and network shares. But when the same adversaries pivot into AWS, many SOCs are still asking basic questions:
Where are the logs? What does lateral movement look like in IAM? How do we scope and contain S3 data theft under pressure?
In this one-day intensive, you'll be dropped into the middle of an active cloud incident involving compromised AWS access keys, suspicious role assumptions, mass S3 access, and the risk of ransomware in the cloud. Using realistic log data and a guided playbook, you'll reconstruct the kill chain, scope impact, and make containment and recovery decisions under realistic constraints.
Overview
This course is not a generic intro to AWS. Instead, it focuses on the incident response skills defenders need when things go wrong in the cloud. Students will work through a realistic enterprise-style AWS environment and respond to:
• A compromised access key
• Abnormal IAM role activity
• Suspicious S3 operations suggestive of data theft and encryption activity
• Adversaries abusing cloud-native features instead of malware on endpoints
Using a combination of CloudTrail, S3 access logs, GuardDuty findings, and supporting artifacts, you'll reconstruct attacker actions, assess blast radius, and prioritize containment for executives who want answers now.
Rather than try to teach every AWS service, this training zeroes in on IR workflows: triage, log pivoting, scoping, containment decisions, communications, and post-incident hardening.
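As an added illustration of the log pivoting the overview describes (example code written for this page, not course material and not anything published by AWS), the script below takes CloudTrail-shaped records, follows the AssumeRole responseElements to chain a temporary session key back to the leaked long-term key, tags each API call with an attack phase, and summarizes blast radius. Every record, account ID, key ID, ARN and bucket name is a constructed placeholder, and the phase mapping is a starting heuristic rather than an authoritative taxonomy.

```python
"""Rebuild an attacker timeline from CloudTrail-shaped records.
Added example for this course page, not course material or AWS code. Every record, ID,
ARN, bucket and key below is a constructed placeholder, not real telemetry.
"""
import json
from collections import Counter

ACCOUNT = "123456789012"             # placeholder account
LEAKED = "AKIAEXAMPLELEAKED001"      # placeholder long-term key used for initial access
SESSION = "ASIAEXAMPLESESSION001"    # placeholder temporary key minted by AssumeRole
USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/ci-deploy"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/DataOps"
SESSION_ARN = f"arn:aws:sts::{ACCOUNT}:assumed-role/DataOps/bk"

def ev(time, source, name, key, arn, ident="IAMUser", params=None, resp=None):
    """One CloudTrail-shaped record (constructed sample, not real telemetry)."""
    return {"eventTime": time, "eventSource": f"{source}.amazonaws.com", "eventName": name,
            "userIdentity": {"type": ident, "accessKeyId": key, "arn": arn},
            "requestParameters": params or {}, "responseElements": resp}

SAMPLE_EVENTS = [
    ev("2025-01-10T14:03:11Z", "sts", "GetCallerIdentity", LEAKED, USER_ARN),
    ev("2025-01-10T14:03:40Z", "iam", "ListAttachedUserPolicies", LEAKED, USER_ARN),
    # responseElements.credentials.accessKeyId ties the new ASIA session to the key that minted it
    ev("2025-01-10T14:05:02Z", "sts", "AssumeRole", LEAKED, USER_ARN,
       params={"roleArn": ROLE_ARN, "roleSessionName": "bk"},
       resp={"credentials": {"accessKeyId": SESSION}}),
    ev("2025-01-10T14:06:15Z", "s3", "ListBuckets", SESSION, SESSION_ARN, "AssumedRole"),
    *[ev(f"2025-01-10T14:07:{i:02d}Z", "s3", "GetObject", SESSION, SESSION_ARN, "AssumedRole",
         params={"bucketName": "greybridge-deal-docs", "key": f"lp/report-{i}.pdf"}) for i in range(12)],
    ev("2025-01-10T14:20:30Z", "kms", "CreateKey", SESSION, SESSION_ARN, "AssumedRole"),
    ev("2025-01-10T14:21:05Z", "s3", "PutBucketEncryption", SESSION, SESSION_ARN, "AssumedRole",
       params={"bucketName": "greybridge-deal-docs"}),
    ev("2025-01-10T14:25:00Z", "cloudtrail", "StopLogging", SESSION, SESSION_ARN, "AssumedRole",
       params={"name": "org-trail"}),
    # Unrelated principal active in the same window; must stay out of the incident timeline.
    ev("2025-01-10T14:08:00Z", "s3", "GetObject", "AKIAEXAMPLEOTHER0002",
       f"arn:aws:iam::{ACCOUNT}:user/analyst", params={"bucketName": "greybridge-reports"}),
]

# (eventSource or None for any, eventName predicate, phase); first match wins, so the
# specific S3/KMS rules sit above the generic List/Describe/Get -> discovery rule.
PHASE_RULES = [
    ("cloudtrail", lambda n: n in {"StopLogging", "DeleteTrail", "PutEventSelectors"}, "defense evasion"),
    ("sts", lambda n: n == "AssumeRole", "privilege escalation"),
    ("iam", lambda n: n in {"CreateAccessKey", "CreateUser", "AttachUserPolicy", "PutUserPolicy"}, "privilege escalation"),
    ("kms", lambda n: n in {"CreateKey", "DisableKey", "ScheduleKeyDeletion"}, "encryption"),
    ("s3", lambda n: n in {"PutBucketEncryption", "CopyObject", "PutObject"}, "encryption/staging"),
    ("s3", lambda n: n == "GetObject", "exfiltration"),
    (None, lambda n: n.startswith(("List", "Describe", "Get")), "discovery"),
]

def phase_of(event):
    source = event["eventSource"].split(".")[0]
    for src, match, phase in PHASE_RULES:
        if (src is None or src == source) and match(event["eventName"]):
            return phase
    return "other"

def link_sessions(events):
    """Map each temporary key minted by AssumeRole to the key that called AssumeRole."""
    return {e["responseElements"]["credentials"]["accessKeyId"]: e["userIdentity"]["accessKeyId"]
            for e in events if e["eventName"] == "AssumeRole" and e.get("responseElements")}

def root_key(key, parent):
    """Walk an AssumeRole chain back to the long-term key it started from."""
    while key in parent:
        key = parent[key]
    return key

def build_timeline(events, seed_key):
    """Chronological rows for every event whose identity chain leads back to seed_key."""
    parent = link_sessions(events)
    rows = []
    for e in sorted(events, key=lambda x: x["eventTime"]):
        key = e["userIdentity"]["accessKeyId"]
        if root_key(key, parent) != seed_key:
            continue
        rp = e["requestParameters"]
        rows.append({"time": e["eventTime"], "key": key, "principal": e["userIdentity"]["arn"],
                     "api": e["eventSource"].split(".")[0] + ":" + e["eventName"],
                     "bucket": rp.get("bucketName"), "role": rp.get("roleArn"), "phase": phase_of(e)})
    return rows

def scope(timeline, mass_read_threshold=10):
    """Blast-radius summary for the sitrep and the containment call."""
    reads = Counter(r["bucket"] for r in timeline if r["api"] == "s3:GetObject")
    return {"keys": sorted({r["key"] for r in timeline}),
            "roles_assumed": sorted({r["role"] for r in timeline if r["role"]}),
            "buckets_touched": sorted({r["bucket"] for r in timeline if r["bucket"]}),
            "mass_read": sorted(b for b, n in reads.items() if n >= mass_read_threshold),
            "phases": list(dict.fromkeys(r["phase"] for r in timeline)),
            "logging_tampered": any(r["phase"] == "defense evasion" for r in timeline)}

if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_EVENTS, LEAKED)
    for r in timeline:
        print(r["time"], r["key"], r["api"].ljust(24), r["bucket"] or "-", r["phase"])
    print(json.dumps(scope(timeline), indent=2))
```

Run it as a script to print the timeline and the scope summary. In a real account the records would come from the trail's S3 delivery files or an Athena query over them; the chain-following step is what keeps an assumed-role session from being dismissed as an unrelated identity, and the unrelated analyst event shows why seeding the timeline from the known-bad key matters.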
What You'll Learn
By the end of this training, students will be able to:
• Understand cloud-specific ransomware and data theft tactics: Recognize how traditional ransomware operators adapt their playbooks for AWS, focusing on identity abuse, data theft, and extortion over pure encryption.
• Quickly orient in an unfamiliar AWS account: Identify key services, regions, and high-value resources; locate CloudTrail trails, S3 buckets, GuardDuty configuration, and the IAM entities relevant to the investigation.
• Triage AWS security alerts under pressure: Use GuardDuty findings, CloudTrail events, and S3 access patterns to differentiate noise from true attacker actions and build a coherent incident timeline.
• Trace attacker movement via identity and API calls: Map suspicious API activity (AssumeRole, List/Get/PutObject, KMS calls, etc.) to attacker phases: initial access, discovery, privilege escalation, data staging, encryption, and exfiltration.
• Scope S3 data theft and potential encryption: Identify which buckets and objects were accessed, modified, or encrypted; assess what data may have been exposed or impacted and what regulators and stakeholders will care about.
• Make informed containment decisions: Decide when to revoke keys, rotate credentials, isolate roles, apply SCPs/permission boundaries, or temporarily lock down S3, balancing speed with business impact.
• Design a practical AWS ransomware/data theft playbook: Take away a checklist and response framework you can adapt for your own AWS environments, including logging baselines, pre-incident hardening, and response runbooks.
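For the containment decisions listed above, the following added example (written for this page; not course material and not AWS code) shows the first three actions a responder typically takes once the compromised key and the role it assumed are known, together with the exact policy documents involved: deactivate the key, revoke the sessions the role has already issued, and freeze the affected buckets for everyone except the response team. It assumes boto3-style IAM and S3 clients exposing update_access_key, put_role_policy and put_bucket_policy; RecordingClient is a constructed stand-in so the runbook can be rehearsed offline, and every ARN, key ID and bucket name is a placeholder.

```python
"""First-hour containment for a compromised access key and the role it assumed.
Added example for this course page, not course material or AWS code. `iam` and `s3` are
assumed to be boto3 clients; RecordingClient is a constructed offline stand-in. All IDs,
ARNs and bucket names are placeholders.
"""
import json
from datetime import datetime, timezone

def revoke_sessions_policy(cutoff=None):
    """Inline role policy denying everything to sessions issued before `cutoff` (ISO-8601 Z).
    This is the mechanism behind the IAM console's "Revoke active sessions": the role's trust
    and permissions policies stay intact, but temporary credentials the attacker already
    minted stop working, without rotating anything else."""
    cutoff = cutoff or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"DateLessThan": {"aws:TokenIssueTime": cutoff}}}]}

def bucket_lockdown_policy(bucket, ir_principal_arns):
    """Bucket policy denying all S3 access except to the listed IR principals.
    An explicit Deny beats any identity policy the attacker still holds; for assumed-role
    sessions aws:PrincipalArn is the role ARN, so listing the IR role is enough.
    Caveat: this also binds the account root (which can still delete the policy), so keep
    the IR principal list accurate or responders lock themselves out of the evidence."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "IRLockdown", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"ArnNotLike": {"aws:PrincipalArn": list(ir_principal_arns)}}}]}

def contain(iam, s3, user, access_key_id, role, buckets, ir_principal_arns, cutoff=None):
    """Ordered containment: key off first (no new AssumeRole calls), then kill the sessions
    it already minted, then freeze the buckets being read or re-encrypted."""
    actions = []
    # Inactive rather than deleted: the key ID stays searchable in CloudTrail and can be
    # re-enabled if the call turns out to be a false positive.
    iam.update_access_key(UserName=user, AccessKeyId=access_key_id, Status="Inactive")
    actions.append(f"deactivated access key {access_key_id} for {user}")
    iam.put_role_policy(RoleName=role, PolicyName="AWSRevokeOlderSessions",
                        PolicyDocument=json.dumps(revoke_sessions_policy(cutoff)))
    actions.append(f"revoked sessions of role {role} issued before {cutoff or 'now'}")
    for b in buckets:
        # put_bucket_policy replaces any existing policy: capture the old one first
        # (get_bucket_policy) as evidence and for restoration after eradication.
        s3.put_bucket_policy(Bucket=b, Policy=json.dumps(bucket_lockdown_policy(b, ir_principal_arns)))
        actions.append(f"locked down s3://{b} to {len(ir_principal_arns)} IR principal(s)")
    return actions

class RecordingClient:
    """Constructed stand-in for a boto3 client: records every call instead of making it."""
    def __init__(self):
        self.calls = []
    def __getattr__(self, name):
        def record(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return record

if __name__ == "__main__":
    fake = RecordingClient()
    for line in contain(fake, fake, user="ci-deploy", access_key_id="AKIAEXAMPLELEAKED001",
                        role="DataOps", buckets=["greybridge-deal-docs"],
                        ir_principal_arns=["arn:aws:iam::123456789012:role/IncidentResponse"]):
        print(line)
    for name, kwargs in fake.calls:
        print(name, json.dumps(kwargs)[:120])
```

Swap the two RecordingClient arguments for real boto3 clients created from an incident-response role, not from the compromised key, to run it against an account. The order is deliberate: deactivating the key stops new role sessions, the token-issue-time deny invalidates the ones already in flight, and the bucket policy buys time to scope without deciding yet whether to rotate KMS keys or restore objects.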
Hands-On Experience
Students will work through a guided, scenario-driven lab based on the fictional private equity firm Greybridge Capital, operating workloads in AWS. Throughout the day you will:
• Use your own AWS account to:
•• Enable and review CloudTrail
•• Examine S3 bucket configurations and access patterns
•• Explore GuardDuty or equivalent detection mechanisms
• Pivot between findings, relevant API calls, and identity entities
• Rebuild an incident timeline from initial access to data staging and extortion
• Identify which S3 buckets, IAM roles, and KMS keys were involved
• Draft an executive-ready situation report summarizing impact and next steps
• Propose concrete hardening actions (logging, IAM design, S3 controls) to improve future resilience
Target Audience
This training is designed for:
• SOC analysts and incident responders who support cloud-hosted workloads
• Threat hunters looking to expand into AWS telemetry and cloud-native TTPs
• Security engineers and architects responsible for AWS security posture
• Blue teamers who know AWS exists but haven't yet had to respond to a major AWS
Prerequisites & Requirements
Knowledge Prerequisites:
• Basic understanding of AWS concepts (accounts, regions, IAM roles & policies, S3 basics)
• Familiarity with incident response fundamentals: triage, containment, eradication, recovery
• Ability to read JSON-style logs and follow sequences of API calls
Hardware / Software Requirements
• Laptop capable of running a modern browser (Chrome or Firefox recommended)
• Reliable Wi-Fi capability for accessing the AWS console and lab resources
AWS Account Requirement (Mandatory):
Students must:
• Have an AWS account they control (Free Tier or training account is fine) before class starts
• Be able to log into the AWS Management Console from their laptop
• Have an IAM user or role in that account with permissions sufficient to
•• Create and configure CloudTrail
•• Create and configure S3 buckets
•• View and adjust IAM users, roles, and policies
•• Enable and review GuardDuty (where available)
All sensitive lab guidance and sample data will be provided; you will use your own account to replicate and investigate the attack patterns.
Trainer Bios
Katelin Grogan is a cybersecurity analyst and GIAC certification holder with 4 years of professional experience identifying vulnerabilities across customer system and network configurations in the DC/Virginia area. She was a recipient of the CyberCorps Scholarship for Service at Auburn University, where she graduated in 2021. Outside of work, she enjoys thrifting and repurposing cheap tech, home-labbing, and reverse-engineering malware, having presented her first conference talk, JMP Into Malware Analysis, at BSidesCharm 2025 and the workshop From Detection to Eradication: Live Ransomware Incident Response in an Enterprise Lab at National Cyber Summit 2025. She is a CompTIA Security+ and CySA+ SME as well as a member of the NoVA Hackers Club.
Rich Dunham is a cybersecurity professional with over 15 years of experience in offensive and defensive cyber operations as well as experience in tactical and strategic ground communications with the US Army. Rich has held positions within the Department of Defense, where he led national-level cyber missions. In addition to his work in defense and critical infrastructure, Rich has contributed to cybersecurity initiatives for humanitarian organizations around the world, helping them improve digital resilience in high-risk regions. He holds many certifications including CISSP, GSE, GPEN, GCFA, GCIH, and PMP, and is a CompTIA SME and part of the CompTIA SME Technical Advisory Committee (CSTAC).
Hector Gomez is a penetration tester and CISSP-certified cybersecurity practitioner with four years of experience uncovering vulnerabilities across enterprise networks throughout the DMV. Before transitioning to industry, Hector spent five years in the U.S. Army executing cybersecurity missions with direct implications for national security. He brings a mission-focused approach to offensive security, specializing in adversary emulation, attack surface analysis, and delivering actionable insights that help organizations strengthen their defensive strategy.