About

One of the greatest changes in the move to the cloud is how logging and auditing of security-related data is performed. Rather than collecting standard system log data on individual virtual machines, as is often the case in traditional IT management, cloud deployments must collect log data across every variety of deployed service and infrastructure. Containers, serverless platforms, serverless functions, and software services can all be compromised within a project, and accurate logging information must be collected to identify the vectors that were exploited. In prior work, we developed Thunder CTF, an open-source CTF that students can deploy on Google Cloud Platform at minimal cost (https://thunder-ctf.cloud). As with many CTFs, it focuses on “red-team” activities that follow an adversary from initial access to subsequent compromise of a project. A subsequent effort designed a set of “defender” codelabs in which students, after playing Thunder CTF’s offensive path, use native cloud logging and auditing facilities to track down evidence of the attacks in the collected audit data.

While the defender exercises are tractable when the number of events to sift through is small, the scale at which infrastructure can be deployed in cloud environments has a problematic consequence: the number of events to examine can be immense. Security-related events from fleets of machines and services that each generate non-stop streams of log data have forced security organizations to adopt data-science solutions for forensic analysis. Specifically, “Security Information and Event Management” (SIEM) solutions are being adopted to aid the analysis of these systems. Such solutions range from a proprietary third-party product such as Splunk, to a manually deployed open-source stack such as ELK (Elasticsearch, Logstash, Kibana), to a solution integrated into a cloud provider’s own services such as Google’s Cloud Audit Logs and BigQuery (https://cloud.google.com/logging/docs/audit/best-practices). It is important that students gain experience performing security auditing at this scale. To this end, we seek to build a set of cloud-focused forensic codelabs and CTF exercises in which students learn to use iterative querying and refinement to investigate a project compromise, using approaches similar to those used in practice. To do so, the project seeks to leverage the Thunder CTF framework not only to deploy an emulated enterprise, but also to generate large streams of events that are then ingested into a SIEM. Students will then apply appropriate investigative queries in the SIEM to perform forensic analysis at scale.
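As an added illustration of the iterative query-and-refine workflow described above (example queries written for this page, not code from the Thunder CTF project), the following BigQuery SQL runs against Cloud Audit Logs exported to BigQuery through a logging sink. The dataset name `my_project.audit_logs`, the time window, and the principal placeholder in the second query are assumptions; the `protopayload_auditlog` column layout is the standard audit-log export schema.

```sql
-- Step 1: a wide first pass. Which principals changed IAM policy or
-- created service-account keys in the window, and from which IPs?
-- `my_project.audit_logs` is an assumed dataset; with a partitioned
-- sink the table is cloudaudit_googleapis_com_activity, with a
-- date-sharded sink use the _YYYYMMDD suffix or a wildcard instead.
SELECT
  TIMESTAMP_TRUNC(timestamp, HOUR)                        AS hour,
  protopayload_auditlog.authenticationInfo.principalEmail AS principal,
  protopayload_auditlog.requestMetadata.callerIp          AS caller_ip,
  protopayload_auditlog.methodName                        AS method,
  COUNT(*)                                                AS n
FROM `my_project.audit_logs.cloudaudit_googleapis_com_activity`
WHERE timestamp BETWEEN TIMESTAMP('2023-01-01') AND TIMESTAMP('2023-01-02')
  AND (protopayload_auditlog.methodName LIKE '%SetIamPolicy'
       OR protopayload_auditlog.methodName LIKE '%CreateServiceAccountKey')
GROUP BY hour, principal, caller_ip, method
ORDER BY n DESC;

-- Step 2: refine on one principal surfaced by step 1 and reconstruct
-- its full timeline, including failed calls (non-zero status code),
-- which often mark an attacker probing for permissions.
-- '<principal-from-step-1>' is a placeholder to be filled in.
SELECT
  timestamp,
  protopayload_auditlog.serviceName                AS service,
  protopayload_auditlog.methodName                 AS method,
  protopayload_auditlog.resourceName               AS resource,
  protopayload_auditlog.requestMetadata.callerIp   AS caller_ip,
  protopayload_auditlog.status.code                AS status_code
FROM `my_project.audit_logs.cloudaudit_googleapis_com_activity`
WHERE timestamp BETWEEN TIMESTAMP('2023-01-01') AND TIMESTAMP('2023-01-02')
  AND protopayload_auditlog.authenticationInfo.principalEmail
      = '<principal-from-step-1>'
ORDER BY timestamp;
```

The same two-stage pattern (aggregate to find an outlier, then pivot on it to build a timeline) extends to the Data Access log table for reads of storage or secrets once the principal and window are known.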