Written by: Joseph Sarkisian, OSCP, GWAPT
Almost every business now utilizes the cloud in some capacity. From a security and controls perspective, this usually produces positive outcomes, but the nature of cloud architecture creates some unique risks and attack vectors that businesses must be aware of. Attackers have refined their techniques to capitalize on the increase in popularity and use of the cloud, and it’s important to use penetration testing to evaluate how susceptible you might be to these newer attacks.
More Than Just an Extension of the Network
If you have assets in the cloud, then you no longer have a traditional network boundary. A typical network penetration test will likely miss critical aspects of this infrastructure. The tactics used during a cloud-focused test are intended to ensure the unique aspects of your cloud deployment are secure as well.
The cloud is more than just “someone else’s computer,” and the standard approach to securing operating systems, applications, and data storage must be reconsidered. Instead, the focus must be on the cloud services offered by the provider and how the provider and the customer protect identity and data in tandem. Different containers, Identity and Access Management (IAM) systems, Key Management Service (KMS) functions, serverless technologies, and numerous other services, depending on the provider, could be exposed.
Unfortunately, cloud security is still in a nascent stage, and the older your tenant/deployment, the more likely it is that old default configurations of some assets are still waiting to be found by attackers.
Techniques and Risks for Cloud Penetration Testing
An effective cloud penetration test starts by enumerating the entire cloud stack used by your organization. Penetration testers can identify potential areas of exposure and develop an attack approach by learning everything about your:
- Domain Name System (DNS) records
- IP addresses and hosts
- S3 buckets and other storage
- Serverless assets
- Tenant structure
- Virtual machines
- Other applications or services used
Depending on scope, social engineering can play a major role in testing. While some of these steps are recognizable as traditional penetration testing procedures, the methodology, tools, structure, approach, and enumeration techniques are very different.
Access controls and authentication are key in any internet-based platform. Attacks specifically designed to bypass multi-factor authentication (MFA) or escalate the privileges of a user can be especially dangerous. Migrating assets to the cloud is often done quickly at the expense of security. Applications deployed with default configurations not aligned with best practices are enormous attack vectors.
There are always new vulnerabilities and exploits being developed. This applies to the software supporting your cloud infrastructure as well as any other application. Penetration testing can ensure these have been addressed in your environment and, if not, show what type of damage an attacker could cause with them. Some of the most significant risks could involve an attacker traversing between cloud assets to steal data, or even between the cloud and your on-premises systems, leading to complete organizational compromise.
You should be confident in the security of your cloud architecture, but not complacent. Expand your traditional network penetration testing to include an explicit focus on cloud solutions and learn what you should be doing to thwart the latest attack techniques.