A Step Forward in my Journey: On Cloud Penetration Testing

Marc Lopez
Published in Vets in DevOps
Jan 29, 2024

When I started on this cloud security journey, I thought I understood the threat model and offensive tactics. “It’s just like an on-prem security assessment but in the cloud.” I’ll find the ‘domain administrator’, leverage their credentials, and laterally move through the environment listing all the services and data I can access. After downloading some cloud-pentesting tools, I found a training lab and started hacking. As you can imagine, I didn’t get very far. It turns out, the cloud is not just someone else’s computer. In this post, I’ll list some essential concepts to understand about cloud security assessments.

Cloud is a heavy term. The first step in getting the assessment right is to understand the scope. What exactly are you targeting? Are you trying to determine if an IaaS deployment has misconfigurations that allow an attacker in? Maybe you’re in the IaaS environment and are checking for unpatched and vulnerable VMs in the cloud to exploit. The differences matter a great deal.

Assessing a PaaS environment may be more focused on misconfigurations and data exposure. Where you start matters. For example, you may be given limited access to the environment to ensure the IAM permissions are set appropriately. In other cases, you may be given limited insight and are challenged to gain access and then move laterally. Typically, the farther away the attacker starts, the higher the security maturity level of the client organization.

SaaS environment assessments will typically involve data security. Since the underlying platform and operating systems are secured by the vendor, a SaaS assessment should look for ways an adversary can access sensitive data or become the account administrator to manipulate the environment any way they see fit.

In all these cases, the cloud providers have guidelines on the activities they allow on their platforms. For example, in November 2020, AWS updated its policy to permit any organization to test its cloud infrastructure without the need to submit a form first. However, certain techniques are still off-limits, and only a handful of the AWS service offerings can be tested. Since they are responsible for providing service to all their customers, they don’t want to risk disrupting services from a security practitioner’s activity.

I learned a lot by digging into the nuances of cloud security assessments. Before doing the research, I was frustrated with the cloud-pentesting labs I was doing. More accurately, I was uncomfortable because it was out of my comfort zone. After arming myself with an understanding of the concepts and learning the methodologies, growing my skills was challenging but less frustrating. The longer I’m in cybersecurity, the more I’m reminded that as systems and technology change, it’s okay to not understand it at first. Sometimes we need to step back, evaluate what’s in front of us, and study the new technology. You must keep a rookie mindset when approaching something you’ve never worked with. Even when a technology isn’t new to the market, it may be new to you. Give yourself a break and pause. Learning isn’t easy, but it certainly is worth it.

What are some new concepts you’ve struggled with in your career? How did you approach learning them? Thanks for reading.
