Almost every business now utilizes the cloud in some capacity. From a security and controls perspective, this use usually produces positive outcomes, but the nature of cloud architecture creates some unique risks and attack vectors that businesses must be aware of. Hackers have refined their techniques to capitalize on the increase in popularity and use of the cloud, and it’s important to use penetration testing to evaluate how susceptible you might be to these newer attacks to ensure your cloud security.
More Than Just an Extension of the Network
If your network lives in the cloud, a traditional network penetration test will likely include analysis of the cloud. However, the tactics used during the test are somewhat platform-agnostic. In any type of penetration test, the tester will seek to abuse services, protocols, vulnerabilities, and intercept traffic regardless of the underlying physical and platform infrastructure. Those techniques can expose weaknesses in your cloud-based network, but they may not address weaknesses in the configuration of the cloud hosting solutions themselves.
The cloud is more than just “someone else’s computer,” and the standard approach to operating systems, applications, and data storage must be reconsidered. Instead, focus on cloud services offered from the provider and how they interact with various networks. Different containers, service meshes, Identity and Access Management (IAM) functions, Key Management Service (KMS) functions, and the hosting platforms’ administrative portals themselves all could be exposed.
Techniques and Risks for Cloud Penetration Testing
An effective cloud penetration test starts by enumerating the entire cloud stack used by your organization. Penetration testers can identify potential areas of exposure and develop an attack approach by learning everything about your:
- Domain Name System (DNS) records
- IP addresses and hosts
- S3 buckets and other storage
- Tenant structure
- Virtual machines
- Other applications or services used
Depending on the parameters of the test, social engineering can play a major role in the approach as well. While some of these steps are recognizable as traditional penetration testing procedures, the methodology, tools, structure, approach, and enumeration techniques are very different.
Access controls and authentication are key in any internet-based platform. Attacks specifically designed to bypass multi-factor authentication (MFA) or escalate the privileges of a user on the cloud can be especially dangerous. Migrating assets to the cloud is often done quickly, and isn’t always done securely. Applications deployed with default configurations not aligned with best practices are vulnerable vectors for an attacker.
There are always new vulnerabilities and exploits being developed. This applies to the software supporting your cloud infrastructure as well as any other application. Penetration testing can ensure these have been addressed in your environment, and if not, what type of damage an attacker could cause with them. Some of the most significant risks could be traversing between cloud instances, or even between the cloud and your on-premise systems, leading to complete organizational compromise.
You should be confident in the security capabilities of your cloud architecture, but not complacent. Expand your traditional network penetration testing to include an explicit focus on cloud solutions, and learn what you should be doing to thwart the latest attack techniques.