Overview
As organizations continue to move to the cloud for hosting applications and development, security teams must protect multiple attack surfaces, including the applications and cloud infrastructure. Additionally, attackers are automated and capable. While these attackers continuously probe and find access or vulnerabilities on many different levels, their success usually results from human error in code or infrastructure configurations, such as open admin ports and overprivileged identity roles.
Learn how to better secure both the application layer and cloud infrastructure, using both automated tools and capable penetration testers to uncover logic flaws and other soft spots. Karl Fosaaen, Practice Director at NetSPI, and Mike Rothman, President at DisruptOps, share how to find and remediate your own vulnerabilities more efficiently before attackers do.
Key highlights:
- 4:10 – Common pentesting requirements
- 9:30 – How do we pentest “The Cloud?”
- 12:58 – What services do we care about?
- 20:02 – How to plan/scope your cloud pentest
- 30:57 – The security hamster wheel of pain
- 33:07 – Why is cloud security at scale hard?
- 36:40 – Capabilities to look for in a Cloud SecOps platform
- 43:55 – The key to automation: decisions
- 45:35 – Top down meets bottom up
Common Pentesting Requirements
Cloud adoption has seen a notable increase over the past five to 10 years and continues to accelerate. From an application pentesting perspective, a business may already have standard application pentesting requirements as part of the development process.
Here’s an overview of common pentesting requirements:
- Application Testing
  - Recently ported legacy applications
  - New applications
  - Recent or upcoming code pushes
  - Web/mobile/thick client
- Network Testing
  - Internal network
  - External network
  - Segmentation testing (PCI)
Now, a lot of legacy applications are being ported into cloud environments. This opens up a variety of potential vulnerabilities because of the cloud infrastructure being used, in addition to the fact that many new applications are being built cloud-native.
As new applications are built, security concerns emerge that may not necessarily be taken into consideration. Because of this, pentesting is an effective method to help identify potential security concerns.
Every time new code is pushed or new developments are made to cloud applications, pentesting those applications as they are deployed is important to identify new issues that may arise from an application standpoint. Keep in mind that not only web applications are hosted in the cloud: many mobile applications and thick client applications are too, which allows new security issues to emerge.
On the network side, more external IPs and internal infrastructure are also being hosted in the cloud, which requires network pentesting.
How do we Pentest “The Cloud?”
When it comes to pentesting the cloud, a best practice is to complete application and network pentesting, as has been the case in the past, and add in a cloud configuration review to take a deeper dive into how services are being configured and used.
Steps to pentest the cloud:
- Obtain permission, including read access to configurations at the cloud provider, so the testers have an in-depth view of the networks and applications hosted in the cloud environment
- Traditional network/app testing
  - Traditional vulnerability/port scanners
    - Nessus, Nmap, Burp Suite, etc.
- Cloud configuration review
  - Automated tools to dump configurations and find issues
  - Manual review of console/portal interfaces
Focus Services in Cloud Pentesting
From a pentesting and configuration review perspective, some of the most important services include:
- Virtual machines
  - Virtual machine infrastructure as a service is one of the key services: issues first seen as long as 10 years ago are reemerging in cloud environments. Understanding how these services are configured and making sure everything is properly set up is critical.
- Serverless code
  - Serverless code is worth a deeper dive to learn how the code is executed and run. Similar problems appear across all the different cloud providers from a serverless perspective, and it is important to see how permissions are applied across different services.
- Platform users and groups
  - How permissions are applied (IAM)
  - Integrations with identity providers (IDPs/Federation/SSO)
- (Potentially) public-facing PaaS services
  - Web application services
  - Database services
  - Data storage
How to Scope your Cloud Pentest
The next step is understanding how to effectively plan or scope your cloud pentest to secure cloud assets. Some steps to consider include:
- Gather counts of resources in your environment
  - Numbers of:
    - Virtual machines
    - Public IPs
    - PaaS services
- Include public-facing IPs in your external ranges
  - Beware of dynamic IPs
- Include application testing as part of your scope
- Complete a separate cloud environment pentest
  - Scope should cover app/network/configuration
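As an added example (not NetSPI's or DisruptOps's code) that serves both the configuration review step earlier and these scoping steps, the following Python script takes a constructed resource dump, produces the resource counts the scope needs, separates static from dynamic public IPs, and flags security groups that expose admin ports to the internet. The dump format and its field names are an assumption, loosely modelled on AWS describe-* output.

```python
"""Added example (not NetSPI's or DisruptOps's code): scoping counts and a quick
configuration review over a constructed cloud resource dump. The input shape is
an assumption loosely modelled on AWS describe-* output; field names illustrative."""
from collections import Counter

# Constructed sample dump; the IPs are documentation addresses, not real hosts.
SAMPLE_DUMP = {
    "instances": [
        {"id": "i-aaa", "public_ip": "203.0.113.10", "elastic_ip": True, "sg": "sg-web"},
        {"id": "i-bbb", "public_ip": "203.0.113.11", "elastic_ip": False, "sg": "sg-admin"},
        {"id": "i-ccc", "public_ip": None, "elastic_ip": False, "sg": "sg-db"},
    ],
    "security_groups": {
        "sg-web": [{"port": 443, "cidr": "0.0.0.0/0"}],
        "sg-admin": [{"port": 22, "cidr": "0.0.0.0/0"}, {"port": 3389, "cidr": "10.0.0.0/8"}],
        "sg-db": [{"port": 5432, "cidr": "10.0.0.0/8"}],
    },
    "paas": [{"type": "sql"}, {"type": "storage"}, {"type": "webapp"}],
}

ADMIN_PORTS = {22, 3389}  # SSH and RDP: the "open admin ports" from the overview
ANY_CIDR = {"0.0.0.0/0", "::/0"}

def scope_counts(dump):
    """Counts of VMs, public IPs and PaaS services (by type) for sizing the test."""
    return {
        "vms": len(dump["instances"]),
        "public_ips": sum(1 for i in dump["instances"] if i["public_ip"]),
        "paas": Counter(p["type"] for p in dump["paas"]),
    }

def external_ranges(dump):
    """Public IPs for the external scope. Dynamic (non-Elastic) addresses are listed
    separately: they change on stop/start, so they must not be hard-coded into scope."""
    ranges = {"static": [], "dynamic": []}
    for inst in dump["instances"]:
        if inst["public_ip"]:
            ranges["static" if inst["elastic_ip"] else "dynamic"].append(inst["public_ip"])
    return ranges

def open_admin_ports(dump):
    """Configuration review: (instance, port) pairs where the attached security
    group exposes SSH or RDP to the whole internet."""
    return [
        (inst["id"], rule["port"])
        for inst in dump["instances"]
        for rule in dump["security_groups"].get(inst["sg"], [])
        if rule["port"] in ADMIN_PORTS and rule["cidr"] in ANY_CIDR
    ]
```

The counts feed the scoping conversation, the static list goes into the external ranges, and the admin-port findings are the kind of issue an automated configuration dump should surface before manual console review.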
The Security Hamster Wheel of Pain
Many businesses are stuck on an endless hamster wheel of pain from a risk management perspective. This is an endless cycle of the following stages:
- Ignorance is bliss
- Am I hosed?
- Yes, the vendor’s tools prove it
- Sheer panic
- “Fix” problems
Rather than being stuck on this wheel, businesses need to think more strategically about security operations and understand the reality that the environment is a lot more complicated, and developments are happening a lot faster.
Why is Cloud Security at Scale Hard?
Cloud security is challenging to scale due to several factors, including:
- Complexity: Hundreds of cloud services and tens of thousands of resources spread across multiple cloud accounts.
- Speed of change: DevOps and agile approaches have led to frequent and even continuous change.
- Human error: Lack of human expertise and tools leaves issues undetected and unresolved.
- Automated attackers: Exposed cloud resources are rapidly discovered and exploited by automated attacks.
Capabilities to Look for in a Cloud SecOps Platform
A Cloud SecOps platform can help your organization get off the security hamster wheel of pain and improve your overall cloud security.
Top capabilities to look for in a Cloud SecOps platform include:
- Serverless: DisruptOps is fully cloud-native and serverless for cloud-scale support.
- Event-driven: Internal architecture is completely event-driven for both internal and external events.
- Software-as-a-Service (SaaS): DisruptOps is a fully multi-tenant SaaS application.
- Secure by design: Security is baked in, including an advanced least-privilege provisioning system.
The Key to Automation: Decisions
In the past, automation was often a security concern because there were many instances of automation running awry and taking down half a network, or similar incidents. However, automation has since become more widely adopted.
As part of the DisruptOps platform, the team built a chatbot that integrates with Slack and Microsoft Teams. The chat sends an alert of any security concerns, along with any actions the team needs to take. Alerts can also be delayed by a set time window, such as 15 minutes or an hour, if a team member doesn’t have time to address the issue right away. Human-integrated automation puts power in the hands of decision-makers.
Top Down Meets Bottom Up
The decision technology, chatbots, and ability to have humans involved in the process can help increase team members’ comfort with automation. This is an example of when top-down meets bottom-up. Steps include:
- Identify the issue
- Remediate once
- Automate
- Continuous assessment
Secure Cloud Environments with NetSPI Cloud Penetration Testing
As cloud environments continue to evolve and expand, and cybercriminals become more sophisticated, organizations are at risk of vulnerabilities, configuration issues, and other threats.
NetSPI’s Cloud Penetration Testing services can help identify vulnerabilities in cloud infrastructure, reduce organizational risk, and improve cloud security. Our expert cloud pentesters follow manual and automated penetration testing processes and focus on configuration review, external cloud pentesting, and internal network pentesting.
Learn more about NetSPI’s Cloud Penetration Testing services or schedule a demo with our team.