MANDIANT ACADEMY™

Incident Response in Google Cloud

Instructor-led training course

Course Description

This intensive course is designed to teach investigators the techniques needed to respond to an investigation of a Google Cloud organization. The fast-paced course is built upon a series of hands-on labs that highlight how to investigate and respond to a targeted attack in a Google Cloud organization. Examples of skills taught include how to identify evidence of a threat actor using Google Cloud native tools, how to utilize open source utilities to enhance the investigator's capabilities, and how to provide effective containment and eradication of a threat actor.

The course includes detailed discussions of evidence collection and its limitations, as well as how threat actors move around in a Google Cloud organization. This information is then reinforced through a dynamic hands-on lab environment powered by Google Cloud Skills Boost. The labs contain recent evidence of compromise and provide each student with their own lab environment.

Learning Objectives

In this course, you will learn how to perform the following tasks:

  • Define the NIST Incident Response Process
  • Utilize the MITRE ATT&CK framework during an investigation
  • Identify the core components of a Google Cloud Organization
  • Utilize Log Explorer and Log Analytics to perform cloud investigations
  • Deploy and update a Compute Instance for local analysis
  • Identify logs for:
    • Service Account abuse
    • Service Account Key creation
    • Storage Bucket access
    • GKE container logs
  • Utilize open-source tools like Plaso, Timesketch, dfTimewolf, and many others

Course Outline

  • Introduction to the Incident Response Process
    • NIST 800-61r2
    • MITRE ATT&CK
  • The TL;DR on Google Cloud
    • What is Google Cloud
    • Google Cloud Architecture
    • Shared Responsibility Model
    • Key Components
    • Identity and Access Management
    • Google Cloud Compute
    • Google Cloud Networking
    • Google Cloud Storage
  • Preparation for Incident Response in Google Cloud
    • Security Command Center
    • Logging
    • Chronicle
    • Incident Response Prep
    • Lab: Deploying a Forensics VM
  • Detection and Analysis
    • Cloud Logs
    • Analysis
  • Containment, Eradication, and Recovery
    • Key Containment Steps
    • Evidence Preservation
    • Eradication and Remediation
  • Post Incident Analysis
    • Root Cause & Impact
    • Lessons Learned and Communication
    • Post Incident Lab Activity

Who should attend

This class is designed for intermediate-level students who are responsible for responding to or alerting on security incidents in Google Cloud. Students should have a basic understanding of Windows and Linux operating systems, along with a basic understanding of Google Cloud or general cloud concepts.

Prerequisites

Three eLearning modules are recommended prerequisites for this course. They can be found on Google's Cloud Skills Boost and are part of the Security Engineer Learning Path. A one-month subscription of $29 is required to take the courses. Please complete the following modules and provide the completion certificates to the instructor prior to the course.

  1. Security Best Practices in Google Cloud (11 hours)
  2. Logging and Monitoring in Google Cloud (8 hours)
  3. Managing Security in Google Cloud (8.5 hours)

Delivery method

In-classroom and virtual instructor-led training

Duration

  • 3 days (in-person delivery)
  • 4 days (virtual delivery)

What to bring

Participants will need a laptop and a stable internet connection.