As cybersecurity professionals, we know the role penetration testing plays in a comprehensive security program. Its main benefits are finding vulnerabilities and security gaps in our systems and validating that security controls have been implemented properly and are operating effectively.
As more organizations adopt cloud technology, the way we execute penetration testing changes, and we need to account for the new challenges that come with IT services delivered through the cloud.
Challenge #1: Understanding Ownership of Resources
One of the challenges that arises revolves around ownership of resources. Subscribing to a cloud service does not give us unlimited permission to test the provider's systems and hunt for vulnerabilities that could affect other tenants.
The first step as cloud consumers is to understand what level of testing the cloud provider allows. The contract defines exactly what we can and cannot do within our cloud service provider, and a good contract specifies what level of testing we may perform. The major providers also publish penetration testing policies alongside the contract; read those too, since they typically permit testing of resources you own for many services without prior approval while explicitly prohibiting denial-of-service and other disruptive techniques. It is then our responsibility to stay within those limits or, if we subcontract penetration testing services, to make sure the vendor understands what our contract and the provider's policy say.
Depending on the cloud model, there may be different levels of flexibility to scope and conduct penetration testing activities. For example, under infrastructure as a service (IaaS) we have more control because we manage the virtual machines, networks and operating systems being tested; if a system is disrupted, the impact is usually limited to resources we manage. Under software as a service (SaaS), the scenario changes. Because we share the provider's application and infrastructure with other tenants, providers may impose strict limitations on the testing activity we can perform.
After all, if every customer decided to run a penetration test on any given day, the provider could end up with extremely high utilization, potentially leading to a denial-of-service condition that could affect multiple tenants.
To avoid this, some providers in this delivery model require advance notification of testing and will impose specific conditions on how to run those tests. A typical scenario is to limit the scope of testing to a subdomain assigned to your tenant.
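The scoping rule above is easy to state and easy to violate once recon tooling starts producing hostnames and addresses. The following Python is an added example, not code from the article or from any provider, that filters discovered targets against the scope the contract grants before anything is scanned: hostnames are matched on DNS label boundaries (so a look-alike subdomain belonging to another tenant is rejected), addresses are matched against the CIDR ranges we control under IaaS, and wildcards are refused. All domain names, addresses and the recon list are constructed placeholders.

```python
"""Rules-of-engagement scope filter for cloud pentest targets.

Added example, not from the article or any provider: before scanning,
drop every discovered host or address that is outside the scope the
provider contract grants us. Hostnames are matched on DNS label
boundaries so that "evilacme.saas-provider.example" does not match a
scope of "acme.saas-provider.example"; IP addresses are matched against
CIDR ranges. All names and ranges below are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Iterable, List, Set, Tuple


@dataclass
class Scope:
    # DNS suffixes we may test (e.g. the subdomain the SaaS provider assigned
    # to our tenant), stored lowercase without a trailing dot.
    domains: Set[str] = field(default_factory=set)
    # Address ranges we control under IaaS (our own VPC/VNet public ranges).
    networks: List[object] = field(default_factory=list)

    @classmethod
    def from_rules(cls, domains: Iterable[str], cidrs: Iterable[str]) -> "Scope":
        return cls(
            domains={d.strip().lower().rstrip(".") for d in domains},
            networks=[ipaddress.ip_network(c, strict=False) for c in cidrs],
        )


def host_in_scope(host: str, scope: Scope) -> bool:
    """Exact match on a scoped suffix, or a label boundary right before it."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in scope.domains)


def in_scope(target: str, scope: Scope) -> bool:
    """True only for an IP inside our CIDRs or a hostname under our suffixes."""
    target = target.strip()
    if not target or "*" in target:
        # A wildcard would silently widen the engagement; reject it outright.
        return False
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return host_in_scope(target, scope)
    # ip_network membership returns False (no exception) on a v4/v6 mismatch.
    return any(addr in net for net in scope.networks)


def partition_targets(targets: Iterable[str], scope: Scope) -> Tuple[List[str], List[str]]:
    """Split recon output into (allowed, rejected) before any packet is sent."""
    allowed: List[str] = []
    rejected: List[str] = []
    for t in targets:
        (allowed if in_scope(t, scope) else rejected).append(t)
    return allowed, rejected


# Constructed sample: scope taken from the contract, plus a recon output list.
SAMPLE_SCOPE = Scope.from_rules(
    domains=["acme.saas-provider.example"],
    cidrs=["203.0.113.0/24", "2001:db8:1::/48"],
)
SAMPLE_TARGETS = [
    "api.acme.saas-provider.example",    # our tenant's subdomain
    "ACME.saas-provider.example.",       # same tenant, odd casing and trailing dot
    "evilacme.saas-provider.example",    # string suffix match, but another tenant
    "login.saas-provider.example",       # provider's shared infrastructure
    "203.0.113.42",                      # inside our IaaS range
    "203.0.114.1",                       # adjacent range, not ours
    "2001:db8:1::10",                    # inside our IPv6 range
    "*.acme.saas-provider.example",      # wildcard, never allowed
]

if __name__ == "__main__":
    ok, bad = partition_targets(SAMPLE_TARGETS, SAMPLE_SCOPE)
    print("in scope: ", ok)
    print("rejected: ", bad)
```

Run the filter on every target list your recon phase produces and feed only the allowed list to scanners; the rejected list is worth keeping as evidence that out-of-scope systems were identified and deliberately left alone.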
Challenge #2: Choosing an Offensive Security Technique
Once you understand the rules of engagement that govern penetration testing against your provider, consider how you can use one of the offensive security techniques listed below to attempt to gain access to your systems.
- Scan code repositories for cloud credentials or access keys: Unfortunately, leaking secrets on these platforms is a problem that shows no signs of stopping. Check your organization's own repositories, including commit history, and public repositories where your developers may have pushed code.
- Use social engineering: Where the rules of engagement permit it, target your own cloud engineers and other personnel who administer the cloud platform in order to obtain their credentials.
- Think like an attacker: One way to understand how bad actors penetrate systems in the cloud is to leverage the MITRE ATT&CK framework, a catalog of adversary tactics and techniques derived from analysis of real intrusions. The findings on how those attacks were executed are catalogued in a matrix that shows which techniques are used in each phase of an attack, and the Enterprise matrix includes cloud-specific platforms (IaaS, SaaS, identity and office-productivity services), so you can filter for techniques that apply to the environment you are testing.
This catalog lets penetration testers and other defenders understand how to build detection for different use cases and how to mitigate weaknesses in your environment. From a penetration testing perspective, we can use this information to attack our own cloud platforms and identify weak spots that need to be corrected.
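The first technique in the list above, scanning repositories for leaked cloud credentials, is worth automating. The following Python is an added example (not from the article or from any of the tools it mentions) of a small secret scanner: it matches provider-specific patterns (AWS access key IDs, Azure storage account keys, Google service account private keys) and applies a Shannon-entropy check to the opaque AWS secret key format so that obvious placeholders are not reported. The file contents it scans are constructed, and every key value in them is fake (the AWS values are the placeholder credentials from AWS's own documentation).

```python
"""Scan repository content for leaked cloud credentials.

Added example, not from the article or from any cloud pentest tool: a
small scanner for the kinds of secrets that leak into code repositories.
Provider-specific regexes catch keys with a fixed shape (AWS access key
IDs, Azure storage account keys, Google service-account private keys);
a Shannon-entropy threshold filters placeholders out of the opaque
40-character AWS secret key matches. The sample file content below is
constructed and every key value in it is fake.
"""
import base64
import math
import os
import re
from collections import Counter
from typing import Iterator, List, Tuple

# AWS access key IDs are 20 chars: AKIA (long-term) or ASIA (temporary) + 16.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# AWS secret keys are 40 base64-ish chars with no prefix, so anchor on the
# variable name they are usually assigned to.
AWS_SECRET = re.compile(
    r"(?i)aws(?:_|-)?secret(?:_|-)?(?:access(?:_|-)?)?key\W{0,5}([A-Za-z0-9/+=]{40})\b"
)
# Azure storage account keys are 64 random bytes, i.e. 88 base64 chars ending "==".
AZURE_STORAGE_KEY = re.compile(r"AccountKey=([A-Za-z0-9+/]{86}==)")
# A leaked Google service-account JSON file carries a PEM private key inline.
GCP_PRIVATE_KEY = re.compile(r"-----BEGIN (?:RSA )?PRIVATE KEY-----")

ENTROPY_MIN = 3.5  # bits per char; real keys score well above this, "xxxx..." scores 0


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from the character frequencies."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def _redact(value: str) -> str:
    """Never echo a full secret into a report; keep a prefix for correlation."""
    return value[:4] + "..." + f"({len(value)} chars)"


def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, finding_type, redacted_value) for every hit in text."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_ID.finditer(line):
            findings.append((lineno, "aws_access_key_id", _redact(m.group(0))))
        for m in AWS_SECRET.finditer(line):
            if shannon_entropy(m.group(1)) >= ENTROPY_MIN:
                findings.append((lineno, "aws_secret_access_key", _redact(m.group(1))))
        for m in AZURE_STORAGE_KEY.finditer(line):
            if shannon_entropy(m.group(1)) >= ENTROPY_MIN:
                findings.append((lineno, "azure_storage_account_key", _redact(m.group(1))))
        if GCP_PRIVATE_KEY.search(line):
            findings.append((lineno, "gcp_service_account_private_key", "PEM block"))
    return findings


def scan_directory(root: str) -> Iterator[Tuple[str, int, str, str]]:
    """Scan every file under root (skipping .git objects) and yield findings with paths."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            for lineno, kind, value in scan_text(text):
                yield path, lineno, kind, value


# Constructed sample file. The AWS values are AWS's documentation placeholders;
# the Azure key is base64 of the bytes 0..63, which has the right length and
# enough entropy to pass the threshold but is obviously not a real key.
FAKE_AZURE_KEY = base64.b64encode(bytes(range(64))).decode()
SAMPLE_FILE = "\n".join([
    "# config.py committed by mistake (constructed sample; every value is fake)",
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',
    'aws_secret_key: "' + "x" * 40 + '"   # placeholder, filtered by entropy',
    'AZURE_CONN = "DefaultEndpointsProtocol=https;AccountName=acmestore;AccountKey='
    + FAKE_AZURE_KEY + ';EndpointSuffix=core.windows.net"',
    '{"type": "service_account", "private_key": "-----BEGIN PRIVATE KEY-----\\nFAKEKEYMATERIAL\\n-----END PRIVATE KEY-----\\n"}',
])

if __name__ == "__main__":
    for lineno, kind, value in scan_text(SAMPLE_FILE):
        print(f"line {lineno}: {kind} {value}")
```

Two caveats a practitioner should keep in mind: the scanner skips the `.git` directory, so a secret that was "removed" in a later commit is only found by also scanning history (for example the output of `git log -p`), and a regex hit is a lead, not proof; confirm whether a key is still live through the provider's own API before reporting it as a finding.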
Challenge #3: Selecting the Right Tools
Once you have a foothold, or simply a set of credentials, you will need tools to conduct reconnaissance, enumeration, exploitation and exfiltration against your target. Cloud penetration testing tools have evolved considerably, and the right tool depends on your cloud provider.
Cloud Penetration Testing Tools
Tool | Provider | Description
PACU | Amazon Web Services (AWS) | Open-source AWS exploitation framework based on Python
CloudGoat | Amazon Web Services (AWS) | Stands up vulnerable AWS resources as a target for PACU
MicroBurst | Microsoft Azure | A collection of PowerShell scripts that can be leveraged to attack your Azure environment
Azucar | Microsoft Azure | Conducts a security assessment against your Azure subscription
GCPBucketBrute | Google Cloud Platform (GCP) | An open-source tool to enumerate buckets, list permissions and attempt privilege escalation
Amazon Web Services (AWS)
If you are operating under Amazon Web Services (AWS), you can use PACU, an open-source AWS exploitation framework written in Python and maintained by Rhino Security Labs. Its attacks are organized as modules, so you can target services such as Lambda, S3 and EC2 individually.
Worried about affecting your production systems? The developers of PACU have also created CloudGoat, a utility that stands up deliberately vulnerable AWS resources in an account you control, which you can then use as a target for PACU.
If your cloud systems live in Microsoft Azure, you can find tools like MicroBurst, a collection of PowerShell scripts that can be leveraged to attack your Azure environment. Its key features include service enumeration and password and key dumping, among many others.
Another useful tool is Azucar. It conducts a security assessment of your Azure subscription and outputs detailed information about your resources and their configuration.
Google Cloud was initially not as popular as AWS and Azure, but it has been consistently gaining ground. If you are using its services, you can also find open-source tooling to help you conduct penetration testing. For example, GCPBucketBrute enumerates Cloud Storage buckets, reports what permissions the credentials you supply (or none at all) have on each one, and checks whether those permissions allow privilege escalation.
The cloud is here to stay, and it is redefining the way IT services are deployed and delivered. Every penetration testing professional should extend their skill set by understanding the nuances that the cloud introduces. Understanding ownership of resources, choosing an offensive security technique and selecting the right tools will help you help your organization identify vulnerabilities and defend against cyber threats.