Penetration Testing in the Cloud Demands a Different Approach

Published: 23/11/2024   Category: security




Attackers use a different set of techniques to target the cloud, meaning defenders must think differently when pen testing cloud environments.



Most companies are familiar with the pattern: As attackers adjust their techniques, defenders must rethink their security strategies. Now, as the attack surface expands and criminals target cloud environments, the pressure is on businesses to ensure their cloud infrastructure is secure.
Many organizations rely on penetration testing to find security gaps in their systems, but the process has historically looked different, said Josh Stella, Fugue co-founder and CTO, in a presentation at this year's virtual (ISC)² Security Congress. In the traditional data center world, pen testers are primarily concerned with gaining access to network devices and with moving through the TCP/IP network, through perimeters of defense, to access assets such as databases, he explained.
"Pen testing is a little behind on cloud technologies," Stella said. "The attack surfaces have changed."
Many cloud vulnerabilities are often missed because pen testers are focused on data center techniques and not cloud tactics. Security gaps are not addressed by compliance frameworks and not recognized by DevOps or security teams. Flaws are often only apparent in the full context of the environment; if you don't understand the big picture, you miss them, according to Stella.
He pointed to the Uber breach, which occurred in 2016 and compromised the information of 57 million global users and 600,000 US drivers. An attacker reportedly stole credentials to gain access to Uber's private code on GitHub, where they found hardcoded AWS S3 credentials. They were able to use these credentials to log in to Uber's AWS account and download files.
"This is not an unusual attack pattern for hackers to use … to use multiple cloud services the target is utilizing to get across these boundaries," Stella continued. "The attackers aren't using a network or operating system vulnerability because they could breach the cloud environment without one."
The vulnerabilities attackers use to breach cloud environments tend to be architectural issues or process problems, "as opposed to a version of a library that has a flaw," Stella said. While these problems do exist in the cloud, they're less common than they are in the data center. Much of pen testing in the cloud involves piecing together content from different places to make a breach happen.
In the traditional attack pattern, an attacker chooses a target and then searches for, or tries to create, vulnerabilities to break in. This isn't how most breaches unfold in the cloud. Even high-profile attacks tend to employ a new pattern: Attackers use automation to find vulnerabilities, often a misconfiguration of cloud resource APIs, and then choose where they want to break in.
"By the time you put something out there and have configured it, whether it's an S3 bucket or what have you, attackers have probed it for things they know are misconfigurations and vulnerabilities," Stella said. Often, adversaries will find your cloud resources within minutes.
Ugly S3 Problems
The Uber attack highlighted the danger of S3 data exfiltrations, an all-too-common enterprise issue that he described as "ugly" for a number of reasons: "These are extraordinarily hard to detect because, in most cases, the data doesn't traverse any customer-accessible networks." The exfiltration happens on the cloud provider network that a customer organization doesn't really have access to; the event log the organization can access will alert to stolen data after it's already gone.
Businesses should be especially concerned about S3 lists, which Stella described as "one of the most wonderful tools for an attacker."
"The majority of dangerous cloud misconfigurations are Read misconfigurations, which are used for discovery," he noted. After its 2019 breach, in which an attacker stole an AWS API key from an internal system left accessible from the Internet, Imperva took steps to increase its audit of snapshot access. "This is almost certainly examining IAM policies and role associations that are allowed Read access," Stella said. "Organizations should be trying to figure out everywhere API keys are stored because that is what the attackers will be doing."
Imperva, which he noted had a strong breach response, also took steps to rotate credentials and strengthen the credential management process, another must-do for businesses that want to improve their cloud security posture, he said. All credentials should be rotated, even those in development and test environments where the security controls tend to be weaker.
"Dev and test are probably more popular, or at least as popular as production, for hacking in the cloud, and a lot of that has to do with the more relaxed set of security controls that tend to be in those environments," Stella added.
"The kind of questions you'd ask to check your vendor's security posture are the same ones you should ask a pen tester," Stella said. Do they understand the vulnerability surface and their exposure to it? Are they testing control plane APIs, especially if they're hosted in the cloud? This is another aspect businesses should keep in mind when strengthening their cloud posture: "When data is taken from the cloud," he said, "it's almost always through the control plane API."
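One way to start the IAM review Stella describes, as an added example that is not code from the article or from Fugue: a small audit that walks an IAM policy document and flags Allow statements granting S3 list/read actions on wildcard resources, the "Read misconfigurations" used for discovery. The policy document, its Sids and bucket names are constructed for the demo.

```python
import fnmatch

# S3 actions an attacker with a stolen key uses first: enumerate, then pull data.
SENSITIVE_ACTIONS = ("s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetObject")


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_broad_resource(resource):
    """True when the resource covers every bucket rather than one bucket/prefix."""
    return resource == "*" or resource.startswith("arn:aws:s3:::*")


def find_broad_read_grants(policy):
    """Return sorted (Sid, action, resource) tuples for Allow statements that
    grant a sensitive S3 action on a wildcard resource."""
    findings = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        # NotAction allows everything except the listed actions; treat it as "*".
        patterns = _as_list(stmt.get("Action")) or (["*"] if "NotAction" in stmt else [])
        matched = {a for a in SENSITIVE_ACTIONS
                   if any(fnmatch.fnmatchcase(a, p) for p in patterns)}
        for resource in _as_list(stmt.get("Resource")):
            if _is_broad_resource(resource):
                for action in matched:
                    findings.add((stmt.get("Sid", "<no Sid>"), action, resource))
    return sorted(findings)


# Constructed sample policy: one scoped grant, one discovery grant, one legacy
# admin grant, and a Deny statement that the audit skips.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CiArtifacts", "Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::ci-artifacts/*"},
        {"Sid": "Discovery", "Effect": "Allow", "Action": ["s3:List*"], "Resource": "*"},
        {"Sid": "LegacyAdmin", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "DenyProd", "Effect": "Deny", "Action": "s3:*",
         "Resource": "arn:aws:s3:::prod-data/*"},
    ],
}
```

Deny statements, conditions and permission boundaries are not evaluated here, so treat the output as candidates to review against the role's full effective permissions, not as a verdict.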
