Incident Response in Google Cloud

This intensive course is designed to teach investigators techniques needed to respond to an investigation of a Google Cloud organization. The fast-paced course is built upon a series of hands-on labs that highlight how to investigate and respond to a targeted attack in a Google Cloud organization. Examples of skills taught include how to identify evidence of a threat actor using Google Cloud native tools, use open source utilities to enhance the investigators' capabilities, and provide effective containment and eradication of a threat actor.

The course includes detailed discussions about methods of evidence collection and their limitations as well as how threat actors move around in the Google Cloud organization. This information is then reinforced through a dynamic hands-on lab environment powered by Google Cloud Skills Boost. The labs will have recent evidence of compromise and provide each student with their own lab environment.

Three eLearning modules are recommended prerequisites for this course. They can be found on Google Cloud Skills Boost and are part of the Security Engineer Learning Path. A one-month subscription of $29 is required to take the courses. Please complete the following and provide the completion certificate to the instructor prior to the course:

• Security Best Practices in Google Cloud (11 hours)
• Logging and Monitoring in Google Cloud (8 hours)
• Managing Security in Google Cloud (8.5 hours)

In this lab, you learn how to perform the following tasks:

• Define the NIST incident response process
• Use the MITRE ATT&CK during an investigation
• Identify the core components of a Google Cloud organization
• Use Log Explorer and Log Analytics to perform cloud investigations
• Deploy and update a compute instance for local analysis
• Identify logs for:
• Service account abuse
• Service account key creation
• Storage bucket access
• GKE container logs
• Use open source tools like Plaso, Timesketch, dfTimewolf, and many others

This class is designed for intermediate-level students who have a responsibility to respond to or alert on security incidents in Google Cloud. Students should have a basic understanding of Windows and Linux operating systems along with a basic understanding of Google Cloud or cloud concepts.

In-classroom or virtual instructor-led training

• 3 days (in-person delivery)
• 4 days (virtual delivery)

Participants will need a laptop and stable internet connection.