NorthSec 2026

Santiago Abastante

Former Police Officer from Argentina, now a Cloud Incident Responder and Security Engineer with over 10 years of IT experience. A Digital Nomad and international speaker, I've presented on Cloud Security and Incident Response at Ekoparty, FIRST, Virus Bulletin (three times), Hack.Lu, and various BSides events worldwide. I hold a Bachelor's degree in Information Security and an MBA (Master in Business Administration).


Sessions

05-14
13:30
180min
AWS Security - The Purple Team Way.
Santiago Abastante

Type: Intermediate–Advanced
Focus: Adversary emulation, detection engineering, IR workflows
Style: Fast, offensive-defensive, “learn by attacking and defending”

Cloud platforms like Amazon Web Services (AWS) are foundational to many critical infrastructures and enterprise applications, making them prime targets for attackers. In this session, we will not only explore the most relevant attack vectors cybercriminals use to compromise AWS infrastructures but will also simulate these attacks using known threat actor techniques in an adversary emulation context. From initial access to hardcore persistence, this talk will provide a comprehensive look at how attackers operate in AWS environments.

We will take a technical journey through the tactics, techniques, and procedures (TTPs) employed by attackers at every stage of the threat lifecycle, aligned with the MITRE ATT&CK framework. We’ll start by reviewing common methods of initial access, such as exploiting exposed credentials or vulnerabilities in services like IAM, Lambda, and EC2. From there, we’ll detail how attackers escalate privileges, move laterally, and evade detection by tools like CloudTrail.

The session will conclude with an in-depth look at advanced persistence techniques in AWS, including the manipulation of IAM policies, backdooring Lambda functions or Docker containers, and tampering with logs. Along the way, we’ll demonstrate how security teams can implement defensive and detection strategies to mitigate these risks. By leveraging AWS-native services and third-party tools, attendees will learn how to enhance their incident response capabilities.

This hands-on workshop will give attendees practical, technical insights into AWS security, adversary behavior, and how to better defend against sophisticated, persistent attacks. Delivered as a fully hands-on experience, the session is built for deep technical immersion.

Requirements:
Participants should have the following ready before the training:
AWS CLI installed
Terraform installed
GitHub account for cloning lab repos
Knowledge of AWS Security Fundamentals

An email with detailed setup instructions will be sent beforehand.
Provided Material:
GitHub repository with the solutions to the workshops

Final Notes
This training is designed for security engineers, SOC analysts, incident responders, and anyone who wants to truly understand AWS security through hands-on work. By the end of the session, you’ll have a deep understanding of how real attack and defense techniques work in AWS, and you will be able to understand the hardening requirements, replicate attacks, generate detection use cases, and execute forensic techniques.

Cloud
Workshop 2
05-15
16:30
30min
Practical AWS Antiforensics
Santiago Abastante

What’s more frightening than a 0-day? A series of false negatives combined with the false sense of security in an unprepared Security Operations Team.

Today, most AWS detection and response strategies rely on CloudTrail and GuardDuty, with logs shipped to a SIEM, the heart of security monitoring. But few teams account for the complexity of this supply chain: multiple moving parts, permissions, policies, and inevitable delays. These blind spots create opportunities for attackers to quietly dismantle detection controls.

In this demo-driven talk, I’ll explore the concept of Cloud Antiforensics. Using a real scenario with AWS API calls shipped to Datadog and a decoupled GuardDuty instance reporting to Discord, I’ll show how an attacker can disrupt log collection and evade detection within the delay window.

The goal is not just to demonstrate attacks, but to raise awareness: centralizing everything in a SIEM is not enough. We must design anti-antiforensics mechanisms that operate independently, ensuring resilience even when attackers target the detection pipeline itself.
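The abstract argues that the detection pipeline itself must be monitored, independently of the SIEM it feeds. As an added example that is not part of the speaker's material, the Python below runs two such checks over constructed CloudTrail records: it flags API calls that disable or degrade CloudTrail, GuardDuty or CloudWatch Logs forwarding, and it measures how long the pipeline has been silent beyond the expected delivery delay, the kind of check that belongs in a scheduled job outside the main monitoring account. The action grouping, the 15-minute delay threshold and all sample records are this example's assumptions.

```python
"""Out-of-band checks for log-pipeline tampering (added example, not from the talk)."""
import json
from datetime import datetime, timezone

# API calls that switch off or blind the detection pipeline. The service
# endpoints and action names are real AWS API names; grouping them as
# "pipeline tampering" is this example's own choice, and some of these
# (e.g. UpdateTrail) are also legitimate admin actions, so the finding
# should be triaged against the actor and the change window.
PIPELINE_TAMPER_ACTIONS = {
    "cloudtrail.amazonaws.com": {
        "StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors",
    },
    "guardduty.amazonaws.com": {
        "DeleteDetector", "UpdateDetector", "DeletePublishingDestination",
        "CreateFilter", "CreateIPSet", "DisassociateFromAdministratorAccount",
    },
    "logs.amazonaws.com": {
        "DeleteLogGroup", "DeleteSubscriptionFilter",
    },
}

# Request-parameter keys that name the resource being changed, per service.
TARGET_KEYS = ("name", "detectorId", "logGroupName", "trailName")

# Constructed sample records (not real account data); only the fields the
# checks read are present, following the CloudTrail record field names.
SAMPLE_RECORDS = [
    {"eventTime": "2026-05-15T16:31:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "requestParameters": {},
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"}},
    {"eventTime": "2026-05-15T16:33:40Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "requestParameters": {"name": "org-trail"},
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/deploy/ci"}},
    {"eventTime": "2026-05-15T16:34:05Z", "eventSource": "guardduty.amazonaws.com",
     "eventName": "UpdateDetector",
     "requestParameters": {"detectorId": "12abc34d567e8f901", "enable": False},
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/deploy/ci"}},
]

EXPECTED_DELIVERY_DELAY_S = 15 * 60  # assumed normal CloudTrail-to-SIEM lag


def parse_time(value):
    """CloudTrail eventTime is ISO-8601 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def flag_tampering(records):
    """Return one finding per record whose (eventSource, eventName) pair is a
    pipeline-tampering action, in the order the records were seen."""
    findings = []
    for rec in records:
        actions = PIPELINE_TAMPER_ACTIONS.get(rec.get("eventSource"), set())
        if rec.get("eventName") not in actions:
            continue
        params = rec.get("requestParameters") or {}
        target = next((params[k] for k in TARGET_KEYS if k in params), None)
        findings.append({
            "eventTime": rec["eventTime"],
            "eventName": rec["eventName"],
            "service": rec["eventSource"],
            "actor": rec.get("userIdentity", {}).get("arn", "unknown"),
            "target": target,
        })
    return findings


def silence_seconds(records, now, expected_delay_s=EXPECTED_DELIVERY_DELAY_S):
    """Seconds the pipeline has been silent beyond the expected delivery delay,
    or None while events are still arriving on time. A sudden silence right
    after a tampering finding is the signal the abstract's 'delay window'
    hides from a SIEM-only view."""
    if not records:
        return float(expected_delay_s)
    last_seen = max(parse_time(r["eventTime"]) for r in records)
    gap = (now - last_seen).total_seconds()
    return gap - expected_delay_s if gap > expected_delay_s else None


if __name__ == "__main__":
    for finding in flag_tampering(SAMPLE_RECORDS):
        print(json.dumps(finding))
    print("silence beyond delay:", silence_seconds(SAMPLE_RECORDS, parse_time("2026-05-15T17:00:00Z")))
```

Both checks are deliberately independent of the SIEM: the tamper check reads CloudTrail's own records (from the S3 delivery bucket or a second trail in a separate account), and the silence check needs only the timestamp of the last event to arrive, so it keeps working when the forwarder between CloudTrail and the SIEM is the thing that was broken.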

Cloud
Ville-Marie