cloud penetration testing

What is cloud penetration testing?

Cloud penetration testing is a tactic an organization uses to assess its cloud security effectiveness by attempting to evade its own defenses. Through penetration testing, a security team can assess its security posture at a given point in time and identify security vulnerabilities that might be exploited by others.

Historically, organizations owned and operated their systems and networks, which made penetration testing rather straightforward. As an organization's IT assets become more widely distributed, it is necessary to reevaluate penetration testing.

Penetration testing in the cloud is considerably more complicated than traditional penetration testing. These challenges arise from the dynamic environments created by software-defined networking and the blurred boundaries resulting from the shared responsibility model and cloud's distributed nature. Piecing together the data in a coherent story requires strong orchestration skills by the analyst; however, once testing is completed, the analyst possesses key threat-hunting insights.

Penetration testing vs. cloud penetration testing

Simple penetration testing covers a well-defined, discrete area. Reports generated by hosts in the same physical location require some basic analysis and formatting.

Cloud penetration testing, in contrast, involves a distributed physical area. It must consider both the global infrastructure of the cloud and the underlying hypervisors, also known as virtual machine monitors (VMMs). Coordination and orchestration of the various results must be shaped into a final, coherent report.

Why is cloud penetration testing important?

An organization that relies on cloud services implicitly outsources part of its cloud security management to the service provider. Keep in mind that in the hierarchy of penetration testing, the enterprise domain (or virtual network) exists above the infrastructure and platform. So, even if the virtual network has network devices, these devices have limited views into actual vulnerabilities.

For example, a VM might appear to have no vulnerabilities, but a vulnerability can exist in the configuration of the underlying infrastructure. The VM has no logs of any activity, much less suspicious activity, thus making the activity invisible. Attackers exploit that invisibility and configure VMs in ways so that their activities will not be logged.

The most severe instances of this type of attack would be those present in the libraries used by both operating systems (OSes) and VMs. In this case, both environments are vulnerable to the same problem, but they are managed by different entities. If an organization patches before the cloud service provider does (a possible, but unlikely scenario), the enterprise remains vulnerable until the service provider enacts the patch. For the cloud customer to be protected from a vulnerability that exists at both locations, the vulnerability must be patched at the same time or by the service provider first.

Main benefits of cloud penetration testing

Cloud penetration testing should factor into a cloud security strategy. When done correctly, it can provide important advantages, including the following:

1. A full picture of the enterprise security posture. A well-orchestrated cloud penetration test can reveal potential flaws in the end-to-end processing path.
2. Verification of a cloud provider's security claims and posture. A service provider and customer will set security expectations in a cloud service-level agreement (cloud SLA), but cloud penetration testing will actually verify the vendor's claims.
3. Verification of touchpoint security. Touchpoints are meeting points where one party's coverage ends and another party's coverage begins. One such place is between the enterprise and the cloud service provider.

Types of cloud penetration testing

Three common types of cloud penetration testing are black box, white box and gray box.

In a black box test, the tester has no view into the network. Going in blind might sound like the most realistic and therefore preferred approach, but it is not. Penetration testing relies heavily on automated tools, whereas a real and coordinated attack takes place over time using OSINT (open systems intelligence), HUMINT (human intelligence) and SIGINT (signals intelligence). Penetration testing relies on OSINT; the other two are not typically part of a penetration testing package.

The white box approach involves the IT and security teams sharing all information, including schematics, configurations and other relevant information (including source code where applicable) that might be of assistance to the pen testing team. This approach should produce the most accurate results.

In a gray box scenario, the tester could be aware of the VM and VMM information but not the additional touchpoints or the details of the SLA. The findings might lack the orchestration that paints the full picture of the network.

Common challenges in cloud penetration testing

While useful, cloud penetration is not a simple process to undertake. Be aware of the following challenges:

1. SLA details. SLAs make it difficult to run tests with a one-size-fits-all approach. Even though penetration testers are supposed to create unique reports, the tools tend to be fairly standard.
2. Scope of the work. Here the challenge comes when the work is limited to the VMs or when the testing is specifically black box. The scope will vary according to customer needs and service provider rules.
3. Orchestration. It is not always easy to discern between a benign anomaly, an indicator of compromise or a full-fledged attack -- even with full access. This is because the attackers do not always enter on the same IP address, with the same username or via the same port. A sophisticated attack might use a group of IP addresses, several stolen credentials and other techniques. Tracing the path relies in part on understanding threat intelligence data. This does not necessarily mean following the cybersecurity kill chain, but rather understanding the cloud environment and determining which assets might be valuable to particular adversaries.

Best practices for cloud penetration testing

For successful cloud penetration testing, consider the following steps:

1. Specify white box testing.
2. Understand the shared responsibility model, including at the touchpoints.
3. Work with an experienced provider.
4. Identify security vulnerabilities where they exist and share findings immediately with owners.
5. Set realistic expectations and timelines.
6. Maintain privacy of findings.
7. Have a rapid incident-response effort in place.

The big three cloud service providers (Amazon Web Services, Azure and Google Cloud) permit tenants to run penetration tests in their own cloud environments and against their allocated infrastructure. Providers have rules for penetration testing; customers need to stay within those boundaries. Testing that can affect the working environment is strictly prohibited. Contractors should seek explicit permission before they begin any pen testing.