Penetration testing in the cloud requires a different approach

Most companies are familiar with this pattern. As attackers adjust their technology, defenders need to rethink their security strategies. Enterprises need to secure their cloud infrastructure as the attack surface is expanding and criminals are targeting cloud environments today.

Many organizations rely on penetration testing to find security gaps in their systems, but the process has historically looked different, said Fugue co-founder and CTO Josh Stella in a presentation at this year’s virtual (ISC)² security conference. In the traditional data center world, he explained, pentesters are primarily interested in breaking into network devices and reaching assets such as databases through the defensive perimeter over TCP/IP networks.

“Penetration testing is a bit behind cloud technology,” Stella said. “The attack surface has changed.”

Many cloud vulnerabilities are overlooked because pentesters focus on data center technology rather than cloud tactics. These security gaps are not addressed by compliance frameworks and go unrecognized by DevOps and security teams. According to Stella, such flaws are often only apparent when the environment is viewed as a whole: if you don’t understand the big picture, you will miss them.

He pointed to the Uber breach that occurred in 2016, in which information on 57 million users worldwide and 600,000 US drivers was compromised. The attackers reportedly stole credentials from GitHub to access Uber’s private code, where they found hard-coded AWS S3 credentials. They were able to use those credentials to log in to Uber’s AWS account and download the files.
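The Uber chain described above began with credentials sitting in source code. As an added example (not code from the talk or from Fugue), the following script checks a file or a checked-out repository for tokens shaped like AWS access keys, which is the kind of review a defender can run on every commit. The regular expressions, the directory skip-list and the sample settings file are constructed here, and the secret value is the fake one that AWS uses in its own documentation.

```python
"""Added example: scan text or a source tree for hard-coded AWS credentials.

Constructed input only; the key material below is fake (the secret is the
value AWS uses in its documentation examples).
"""
import os
import re
from typing import Dict, List

# Long-term access key IDs start with "AKIA", temporary (STS) ones with "ASIA",
# each followed by 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# A secret access key is 40 base64-like characters; on its own that pattern
# matches far too much, so it is only reported when it sits on the same line
# as a variable name that looks like aws_secret_access_key / AWS_SECRET_KEY.
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key\W{0,5}"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
SKIP_DIRS = {".git", "node_modules", ".venv"}  # assumption: not worth scanning


def mask(value: str) -> str:
    """Keep only enough of a credential to identify it in a report."""
    return value[:4] + "..." + value[-4:]


def scan_text(text: str, path: str = "<memory>") -> List[Dict[str, object]]:
    """Return one finding per credential-looking token, with a masked value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"path": path, "line": lineno,
                             "kind": "access_key_id", "value": mask(m.group(1))})
        for m in SECRET_KEY_RE.finditer(line):
            findings.append({"path": path, "line": lineno,
                             "kind": "secret_access_key", "value": mask(m.group(1))})
    return findings


def scan_tree(root: str) -> List[Dict[str, object]]:
    """Walk a checked-out repository and scan every regular file."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(fh.read(), full))
            except OSError:
                continue  # unreadable file (permissions, broken symlink)
    return findings


# Constructed sample: a settings file that was committed by mistake.
SAMPLE_CONFIG = """\
# build settings (constructed sample)
[default]
region = us-east-1
aws_access_key_id = AKIAEXAMPLEEXAMPLE01
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
session_name = build-runner
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG, "settings.ini"):
        print(f"{f['path']}:{f['line']}: {f['kind']} {f['value']}")
```

Run it against a repository with `scan_tree("path/to/checkout")`; a hit is a reason to revoke and rotate the key, not merely to delete the line, because git history keeps the old value.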

“This isn’t a rare attack pattern for hackers … to use multiple cloud services that targets use to cross these boundaries,” Stella continued. The attackers did not exploit a network or operating system vulnerability; they were able to break into the cloud environment without one.

According to Stella, the vulnerabilities attackers use to compromise cloud environments tend to be architectural or process issues rather than vulnerable library versions. Library flaws exist in the cloud too, but they are less common there than in data centers. Many cloud penetration tests involve stitching together findings from different places to construct a breach.

In the traditional attack pattern, an attacker selects a target and then seeks out or creates a vulnerability to get in. That is not how most compromises happen in the cloud; even high-profile attacks tend to follow a new pattern. Attackers use automation to find vulnerabilities first (often misconfigured cloud resource APIs) and only then pick a target.

“By the time we put something there and configure it, whether it’s an S3 bucket or not, attackers are investigating what we know to be misconfigured or vulnerable,” Stella said. In many cases, an attacker will find the cloud resource within minutes.

“Ugly” S3 problem
The Uber attack involved extraction of S3 data, a very common problem for enterprises that he described as “ugly for some reason”: in most cases the data never traverses a network the customer can see, which makes the theft very difficult to detect. The exfiltration happens over the cloud provider’s network, which the customer organization has no access to. The event logs the organization can see warn of the stolen data only after it is already gone.

Companies need to be particularly concerned about S3 list permissions, which Stella described as “one of the best tools for attackers.”
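The two points above, that the theft only shows up in the provider’s event logs and that listing a bucket is the attacker’s first step, suggest one detection a defender can build from those logs. As an added example (not code from the talk or from Fugue), the script below looks for a principal that lists a bucket and then pulls many objects from it within a short window from an address outside the organization’s known egress range. The CloudTrail-style records, the egress range, the threshold and the window are all constructed or assumed here; S3 data-event logging must be enabled on the bucket for these calls to be recorded at all.

```python
"""Added example: spot list-then-bulk-download patterns in S3 data events.

The CloudTrail records below are constructed; the field names follow the
CloudTrail record format, and S3 data-event logging must be enabled on the
bucket for GetObject/ListObjects calls to appear at all.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional

# Assumption: the organization's own egress addresses (TEST-NET-3 here).
KNOWN_EGRESS = [ip_network("203.0.113.0/24")]
GET_THRESHOLD = 5              # GetObject calls after a listing treated as bulk
WINDOW = timedelta(minutes=10)  # how long after the listing we keep counting


def _when(ev: Dict) -> datetime:
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def from_known_network(ip: str) -> bool:
    """True when the caller address is inside an allow-listed egress range."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False  # service-originated calls carry a hostname, not an IP
    return any(addr in net for net in KNOWN_EGRESS)


def detect_bulk_downloads(events: Iterable[Dict]) -> List[Dict]:
    """One alert per ListObjects call that is followed, by the same principal
    on the same bucket and from an unknown address, by GET_THRESHOLD or more
    GetObject calls inside WINDOW."""
    by_principal: Dict[str, List[Dict]] = defaultdict(list)
    for ev in sorted(events, key=_when):
        by_principal[ev["userIdentity"]["arn"]].append(ev)

    alerts = []
    for principal, evs in by_principal.items():
        for i, ev in enumerate(evs):
            if ev["eventName"] != "ListObjects":
                continue
            bucket = ev["requestParameters"]["bucketName"]
            t0 = _when(ev)
            gets = [
                e for e in evs[i + 1:]
                if e["eventName"] == "GetObject"
                and e["requestParameters"]["bucketName"] == bucket
                and _when(e) - t0 <= WINDOW
            ]
            if len(gets) >= GET_THRESHOLD and not from_known_network(ev["sourceIPAddress"]):
                alerts.append({
                    "principal": principal,
                    "bucket": bucket,
                    "source_ip": ev["sourceIPAddress"],
                    "object_count": len(gets),
                    "first": ev["eventTime"],
                    "last": gets[-1]["eventTime"],
                })
    return alerts


def _ev(minute: int, name: str, arn: str, ip: str, bucket: str,
        key: Optional[str] = None) -> Dict:
    """Build a minimal CloudTrail-style record (constructed sample data)."""
    params = {"bucketName": bucket}
    if key:
        params["key"] = key
    return {
        "eventTime": f"2021-03-01T10:{minute:02d}:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": name,
        "userIdentity": {"arn": arn},
        "sourceIPAddress": ip,
        "requestParameters": params,
    }


CI = "arn:aws:iam::123456789012:user/ci-deploy"           # leaked key, unknown IP
BACKUP = "arn:aws:iam::123456789012:role/nightly-backup"  # legitimate, known IP
SAMPLE_EVENTS = (
    [_ev(0, "ListObjects", CI, "198.51.100.77", "customer-exports")]
    + [_ev(m, "GetObject", CI, "198.51.100.77", "customer-exports", f"part-{m}.csv")
       for m in range(1, 7)]
    + [_ev(0, "ListObjects", BACKUP, "203.0.113.5", "customer-exports")]
    + [_ev(m, "GetObject", BACKUP, "203.0.113.5", "customer-exports", f"part-{m}.csv")
       for m in range(1, 9)]
    + [_ev(30, "GetObject", CI, "198.51.100.77", "customer-exports", "readme.txt")]
)

if __name__ == "__main__":
    for a in detect_bulk_downloads(SAMPLE_EVENTS):
        print(a)
```

The nightly backup role reads more objects than the leaked CI key but is ignored because it comes from a known address; in practice the allow-list would be the VPC endpoints and NAT addresses that legitimate jobs use, and the alert is still after the fact, which is exactly the limitation Stella describes.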

He said the majority of dangerous cloud misconfigurations are read misconfigurations, which attackers use for discovery. After a 2019 breach in which an attacker stole an AWS API key from an internal system that had been left accessible from the Internet, Imperva took steps to tighten auditing of snapshot access. That “almost certainly” meant looking at the role associations with IAM policies that allow read access, Stella said. Organizations need to work out where every API key is stored, because attackers will.
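Reviewing which roles carry policies that allow broad read access, as described above, is mechanical enough to script. As an added example (not code from the talk, from Fugue or from Imperva), the following audit walks an IAM policy document and reports every statement that grants one of a watch-list of read and list actions, marking whether the grant covers every resource and whether it carries a Condition. The policy document and the watch-list are constructed; the evaluation honours Action/NotAction wildcards and an unconditional Deny on every resource, but ignores Condition semantics, NotResource and permission boundaries, so treat its output as triage rather than a policy simulation.

```python
"""Added example: flag IAM policy statements that grant broad read/list access.

The policy document below is constructed. The evaluation is deliberately
partial: it honours Action/NotAction wildcards, treats an unconditional Deny
over every resource as overriding, and ignores Condition blocks, NotResource
and permission boundaries, so it is a triage aid, not a full simulation.
"""
import re
from fnmatch import fnmatchcase
from typing import Dict, List

# Read-type actions that let an intruder discover and pull data; extend as needed.
WATCH_ACTIONS = [
    "s3:ListAllMyBuckets",
    "s3:ListBucket",
    "s3:GetObject",
    "ec2:DescribeSnapshots",
    "rds:DescribeDBSnapshots",
]
# "*" or arn:partition:service:region:account:* covers every resource of a service.
BLANKET_RESOURCE_RE = re.compile(r"^(\*|arn:[^:]*:[^:]*:[^:]*:[^:]*:\*)$")


def _as_list(value) -> List[str]:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statements(policy: Dict) -> List[Dict]:
    """IAM allows Statement to be a single object or a list; normalise to a list."""
    return _as_list(policy.get("Statement"))


def action_matches(pattern: str, action: str) -> bool:
    """IAM action names are case-insensitive and support * and ? wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def statement_covers(st: Dict, action: str) -> bool:
    """True when the statement's Action/NotAction clause applies to `action`."""
    if "NotAction" in st:
        return not any(action_matches(p, action) for p in _as_list(st["NotAction"]))
    return any(action_matches(p, action) for p in _as_list(st.get("Action")))


def is_blanket_resource(st: Dict) -> bool:
    return any(BLANKET_RESOURCE_RE.match(r) for r in _as_list(st.get("Resource")))


def find_broad_read_grants(policy: Dict, watch: List[str] = WATCH_ACTIONS) -> List[Dict]:
    allows = [s for s in statements(policy) if s.get("Effect") == "Allow"]
    denies = [s for s in statements(policy) if s.get("Effect") == "Deny"]
    findings = []
    for action in watch:
        # An unconditional Deny over every resource wins regardless of Allows.
        if any(statement_covers(d, action) and is_blanket_resource(d)
               and "Condition" not in d for d in denies):
            continue
        for st in allows:
            if statement_covers(st, action):
                findings.append({
                    "action": action,
                    "sid": st.get("Sid", "<no Sid>"),
                    "resources": _as_list(st.get("Resource")),
                    "blanket": is_blanket_resource(st),
                    "conditional": "Condition" in st,
                })
    return findings


# Constructed sample policy; 123456789012 is the account id used in AWS docs.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "BucketBrowse", "Effect": "Allow",
         "Action": ["s3:List*", "s3:Get*"], "Resource": "*"},
        {"Sid": "SnapshotRead", "Effect": "Allow",
         "Action": "rds:DescribeDBSnapshots",
         "Resource": "arn:aws:rds:us-east-1:123456789012:snapshot:*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Action": "ec2:Describe*",
         "Resource": "*",
         "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0example"}}},
        {"Sid": "NoPayroll", "Effect": "Deny", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::payroll-archive/*"},
    ],
}

if __name__ == "__main__":
    for f in find_broad_read_grants(SAMPLE_POLICY):
        flag = "BLANKET" if f["blanket"] and not f["conditional"] else "scoped"
        print(f"{f['sid']:14} {f['action']:24} {flag}")
```

On the sample, the three unconditional grants on `*` in `BucketBrowse` are the ones to chase: the resource-scoped Deny on the payroll bucket does not shrink them elsewhere, and the `VpcOnly` statement is reported but marked conditional so a reviewer can check the condition separately.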

Imperva, he noted, had a strong breach response and took steps to rotate credentials and strengthen its credential management process. That is another requirement for companies that want to improve their cloud security: all credentials should be rotated, including those for development and test environments, which tend to have weaker security controls.

“Development and testing are probably more popular for hacking in the cloud, or at least as popular as production environments. Much of that is related to the more relaxed set of security controls that tend to exist in these environments,” Stella added.

Stella said the questions asked to vet a vendor’s security are the same ones to ask penetration testers: Do they understand the vulnerability surface and their exposure to it? Do they test the control plane API, especially if it is hosted in the cloud? That is another aspect enterprises should keep in mind when strengthening their cloud posture: when data leaves the cloud, it most often does so through the control plane API.
