Technical Cloud Penetration Test vs. a CIS Audit: Which One Do You Need?

Authored by Chance Pearson, ethical hacker at Packetlabs.

Cloud computing has become increasingly regularly adopted by organizations to help manage information technology assets without the need for on-prem devices. 

As the cloud is still relatively new, organizations are looking for the best way to secure these assets and data that a third party like Microsoft is now handling. The question becomes, should you get a CIS audit or a cloud penetration test?

Let's explore:

Packetlabs's Cloud Penetration Testing Solutions

The Packetlabs Cloud Penetration Test helps clients understand the impact that could occur in their cloud environment if a user is compromised. The recommended approach for this is through an assumed breach.

This shows how if a developer or common Azure provisioned account was compromised, what could occur from an attacker? During the engagement, testers look at all services used within the subscription from various areas, such as virtual machines, automation accounts, and role-based access controls. Additionally, looking at the Entra side to see what a user could do from this side. This would include items like dynamic groups and enterprise applications.  

Packetlabs asks for two different accounts to perform this type of assessment. One of these accounts is a standard developer, familiar user role, etc., that uses Azure. This is to simulate the assumed breach portion, which acts as if one of the users gets compromised through leaked credentials, phishing, or another method that could be done. The second set of credentials asked for in this engagement is a Global Reader and reader over the subscriptions. This account lets Packetlabs look at the configurations throughout the environment, which a standard user may not be able to see.

This allows Packetlabs to ensure that configurations are secure and are used with the best cloud security practices. Combining these two accounts will enable Packetlabs to dig deeper to ensure that the configurations are being used the best for the environment and look at the user side to ensure that current role-based access works as intended. Every finding reported would also include supporting evidence so you can see what the impact of these findings produces. This ensures clients understand the risk of these findings so they can focus on the higher impact finding to provide better security coverage. 

Via this method, your assigned Packetlabs testers take a realistic approach to testing, emphasizing the post-breach risk and strength of the current security controls. It also allows testers to remove the initial foothold, which can take time to develop and focus on how real threat actors would use the vulnerabilities after getting access. If understanding if users are susceptible to phishing or web applications being used by the cloud service are protected is important, pairing them with our Social Engineering exercises or Application Security Testing to get fuller coverage would be recommended.

A Primer on CIS Audits

A CIS audit is a group of controls created by the Center for Internet Security. These controls were created to help organizations secure themselves through configurations. They were developed to be widely adoptable, meaning that many organizations can use them to strengthen their security posture. CIS has done this for the cloud through a community consensus to create a list of secure configurations within those guidelines for various providers. These are provided for free by CIS, and the organization can check these configurations themselves.

Packetlabs offers a service to check and validate these configurations against false positives. This is done by using a global reader account, which is used to check the various CIS Benchmark configurations. The report includes screenshots of configurations missing or not done securely according to the CIS Benchmark. This can help clients reduce time in the validation of these items and be provided a list of only validated findings.

This service is an excellent start for any new cloud services being adopted. This provides a good framework for the organization to be secure without spending much time or effort. The drawback of this service is that it does not show the impact of what an attacker could do with these settings, and because CIS has to be developed for broad audiences, some of the CIS benchmark settings may have little or no impact on your organization's risk. Additionally, if other third-party tools are used to manage specific areas, this will not be reviewed during the CIS benchmark testing for the same reason stated above.

Conclusion

Packetlabs would recommend Cloud Penetration Testing over CIS benchmarks audits, as these show clients the impact of these findings within their organization. These can show where you need to focus to secure your cloud tenants. A CIS benchmark is a good option if you have a relatively new team to the cloud and would like to ensure your settings have a good baseline or, if required, for any auditing purposes. A penetration test should be selected if you have a big environment or use custom roles. The other reason to pick a penetration test is if you have a list of items that keep you up at night within your environment. Packetlabs can use that information to focus testing and help find those issues within those areas before an attacker does to help ensure you are secure in facing the threats that the cloud brings.

While this blog uses Azure terminology for these examples, the concepts apply to Google Cloud Platform (GCP) and Amazon Web Services (AWS). The only major changes are the names of the services, types of services offered, and roles.