The third class I took in the SANS Cloud Security certificate program was SEC 541 Cloud Security Attacker Techniques, Monitoring, and Threat Detection. This really is THE blue team course for cloud infrastructure. Shaun McCullough and Ryan Nicholson did a great job with it. It’s a good balance between AWS and Azure. The course uses real-world examples of attacks tied to the MITRE ATT&CK TTPs, then goes through how to ensure proper logging is enabled and detect the various attacks. The last day of the course I took focused on ways to push automation into all these different detections.

The labs for this course are HEAVY on the commands. It is very easy to just copy and paste from the lab book to complete the task quickly. Do not do that. Copy from the workbook so you don’t make typos, but really make sure you understand what the commands are doing. This is needed not only for the exam, but you can easily take these back to your day-to-day work, and if you understand the components, quickly update them for your environment.

For the GCTD exam, it was very similar to the practice tests. If you really understand the material it’s not too difficult.

This was technically one of the program’s electives, but I recommend that everyone take it. It is the best cloud defense focus class I’ve taken.