
Your Guide to Cloud Penetration Testing

Overview

The shift to cloud computing has been an ascendant trend in enterprise IT over the past decade, and all signs indicate the trend will continue well into the foreseeable future. In fact, the majority of online services today operate on a cloud-native model. 92% of organizations report using some form of cloud infrastructure, and more than half of those use multiple public clouds; 21% say they use three or more. Cloud infrastructure offers operational convenience and efficiency, leading to improved productivity and lower costs than comparable on-prem infrastructure. 


Securing cloud assets against internal and external threats is essential, considering the amount of value that cloud systems and data represent. Research from IBM reveals that data breaches of cloud assets cost victims almost $5 million USD to recover on average. It's no wonder that the global cloud security market reached almost 29.26 billion USD in 2021, with projections of 106.02 billion USD by 2029, a CAGR of 18.1%.

Although cloud solutions often include convenient push-button security features such as reliable and easily deployable backups, scalable compute power, and extensive technical support documentation, cloud infrastructure carries unique security risks that need to be addressed. A shortage of cloud computing skills further complicates the deployment of secure cloud systems.

Cloud Penetration Testing can fill in the visibility gaps created when deploying complex cloud-native solutions. By developing a Cloud Pentesting methodology from leading IT security authorities and deploying highly certified and experienced in-house pentesters, Packetlabs is positioned to lead the way towards the highest degree of risk assurance for cloud infrastructure, providing pentesting services that meet regulatory requirements for government contracts such as FedRAMP and satisfy industry standards such as PCI-DSS, ISO-27001, and SOC-2.

Who Will Benefit From This Guide

  • C-level executives that deal with IT security (CISOs/CSOs/VP of security)

  • Other high-level management (CEO/Business Owner/ Business Executive)

  • Managed Service Providers (MSP)

  • Cybersecurity Architects, Network Architects, and Network Administrators

This guide will benefit an organization’s leaders, such as CEOs, CTOs, and CISOs, as well as other senior team leaders, including security managers, security engineers, network engineers, and administrators. This guide can also help to inform other IT professionals such as MSPs, IaaS, PaaS, and SaaS providers.


What Is Cloud Penetration Testing?

Cloud Penetration Testing simulates real-world cyber-attacks against an organization's cloud infrastructure, cloud-native services and applications, APIs, and enterprise components such as Infrastructure as Code (IaC), serverless computing platforms, and federated login systems. Cloud Pentesting is a distinct methodology optimized for the specific threats, vulnerabilities, and risks associated with cloud infrastructure and cloud-native services. 

A Cloud Penetration Test provides a detailed report, an attack narrative, and a vulnerability severity assessment to help interpret the impact of each finding. Cloud Penetration Tests report only true-positive vulnerabilities residing within your cloud infrastructure, a significant benefit over traditional vulnerability scanning, which includes false positives.

The ultimate goal of Cloud Pentesting is to protect digital infrastructure against an ever-evolving threat landscape and provide an organization with the highest degree of IT security assurance to meet its risk requirements.

Why Is Cloud Penetration Testing Important?

Cloud infrastructure and services are quickly becoming a dominant asset class for all sizes of enterprises. This means an organization's cloud resources increasingly hold more value and represent more risk. Many companies increasingly include a wide array of applications, services, and data in their cloud such as file-sharing and business productivity applications, public web-applications, mobile app data, network monitoring data and log files, system backups, security services, and both employee and customer data. This makes the cloud a primary target for attackers. Cloud Penetration Testing provides the best evidence that an organization has strong operational resilience and is protected against cyber-attack, forced disruptions, unauthorized access, data theft, malware, and ransomware.

[Infographic] The number of services hosted in a typical organization's cloud makes the cloud a primary target for attackers.

Cloud infrastructure and services entail a distinct set of vulnerabilities, and cloud-specific penetration testing is required to gain a high degree of assurance. Some compliance standards such as FedRAMP, PCI-DSS, SOC-2, ISO-27001, and NIST CSF explicitly require penetration testing, which should ideally be cloud-focused when securing cloud infrastructure. Cloud Penetration Testing can also have other benefits, such as lowering the cost of cyber insurance.

The benefits of a cloud penetration testing engagement include:

  • Improved risk assurances - Traditional vulnerability assessments do not simulate actual cyber-attacks and therefore cannot provide strong risk assurances. Cloud systems are complex, requiring precise configurations to remain secure and threat actors are constantly changing their tactics and employing novel attack strategies to stay one step ahead of defenders. 

  • Increased compliance - Partners and customers are increasingly looking to partner with companies that demonstrate strong security posture through IT security compliance standards. In some cases, compliance is a mandatory prerequisite of partnership and can also reduce cyber insurance premiums.

  • Enhanced cost savings - Penetration testing increases the return on security investment (ROSI) by greatly reducing the chances that an organization will suffer a cyber breach. Avoiding the high financial penalties associated with ransom payments, system and data recovery, reputational damage, potential fines and lawsuits, and increased cyber-insurance premiums represents enormous cost savings to organizations of all sizes.

  • Peace of mind - By applying cloud-specific penetration testing activities to cloud-native resources, an organization can rest easier knowing it has achieved the highest possible degree of assurance that its assets are resilient to cyber-attack and its business operations are safe.

What Does Cloud Pentesting Include?

Packetlabs' Cloud Penetration Testing methodology references industry-leading pentesting frameworks such as the SANS Pentest Methodology, the MITRE ATT&CK Enterprise and Cloud matrices, the Azure Threat Research Matrix, and NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment). By following guidance from these frameworks, Packetlabs is able to meet or exceed the security assessment regulations for contracts with government entities such as FedRAMP and industry compliance standards such as PCI-DSS, SOC-2, and ISO-27001.

Most Common Cloud Vulnerabilities

Cloud Penetration Testing must first and foremost include simulated attacks against the most common cloud vulnerabilities. Assessing an organization's cloud infrastructure for resilience against the most common attacks ensures that attackers who leverage easily accessible automated attack tools will not find an easy payoff. This in itself greatly reduces the probability of suffering a breach.

Here are the most common cloud vulnerabilities:

  • Cloud Misconfigurations - Inexperience, failure to follow IT security best practices, and lack of static code reviews often cause misconfigurations in production cloud services. Cloud misconfiguration is considered a top IT security threat by the NSA and represents a low-hanging fruit that novice attackers can seek to exploit with automated tools. 

  • External services and applications including APIs - Cloud-hosted services have an exposed attack surface that can be scanned for known vulnerabilities and attacked using both automated attack tools and novel custom exploits. It's critical to thoroughly test exposed attack surfaces and continuously monitor them for changes that may give an attacker a window of opportunity.

  • Exposed sensitive information, data, and documents - As organizations move quickly to develop and deploy new digital services, security visibility has a tendency to fall through the cracks. Sometimes sensitive data such as passwords, encryption keys, private key certificates, financial information, or trade secrets can be left exposed allowing anyone to access it. Cloud Penetration Testing seeks to identify unintentionally exposed data so it can be properly secured.

  • Internal testing of cloud servers and services - For the highest degree of security assurances it is critical to simulate what an attacker could do if they successfully gained access to a system or account. A "defence in depth" approach aims to ensure that defensive security is layered and can prevent attacks from all positions within the network. Internal penetration testing of cloud resources also helps to uncover the potential damage that an insider attack could have on an organization's systems and data.

  • Containers and pods - Security contexts define privilege and access control settings for Kubernetes Pods, other Infrastructure as Code (IaC) platforms, and containers. A misconfiguration could allow unauthorized access to applications and services or to the underlying virtual environment - an attack known as "virtual machine (VM) escape". IaC and container configurations are also often completely or partially sourced from third parties, and their security configuration is not properly tested to identify security weaknesses.

  • Identity and access management (IAM) - Using common or weak passwords can result in an attacker quickly gaining unauthorized access to an account. In other cases default accounts with publicly known credentials may be exposed, unused accounts may be active, or API keys or PKI certificates may have been publicly leaked allowing authentication systems to be compromised.

  • AWS Lambda, Azure Functions, and Google Cloud Functions vulnerabilities - Serverless computing platforms automatically run code and manage the underlying cloud infrastructure in response to event triggers. Since these platforms provide direct access to cloud computing resources, they must be monitored and undergo vulnerability assessment to protect them against exploitation.

OWASP Top 10 Cloud Security Risks

The OWASP Top 10 Cloud Security Risks is a key industry-leading framework for evaluating potential security gaps in cloud IT operations and aims to gain visibility into an organization's cloud security posture by uncovering vulnerabilities related to governance, regulatory compliance, policies, and business continuity planning (BCP).

  • Accountability and Data Ownership - Uncovers any concerns about data ownership according to existing contracts between the organization and the cloud service provider and maps the mechanisms for protecting cloud data, including backup and recovery processes

  • User Identity Federation - Ensures that users are properly identified across cloud computing platforms to reduce the attack surface and prevent exposures due to misconfiguration and control access to privileged resources

  • Regulatory Compliance - Laws can have a dramatic impact on an organization's confidentiality and availability. It is critical to understand how compliance obligations and national laws apply to cloud infrastructure based on the geolocation in which it resides.

  • Business Continuity and Resiliency - An organization's ability to continue providing services if an outage were to occur is critical. It's therefore important that an organization coordinate with its cloud service provider to ensure that a robust disaster recovery and business continuity plan is in place for emergencies.

  • User Privacy and Secondary Usage of Data - Data stored on a cloud-based platform represents a high-value target to hackers and must be protected with a secure access control configuration and the principle of least privilege. This is true during the whole lifecycle of data as it potentially traverses across multiple clouds and is exchanged between different owners.

  • Service and Data Integration - Failing to protect data in transit between cloud-based solutions can lead to sensitive data exposure, compromise of company information, and potential fines, lawsuits, and loss of reputation. It's critical to ensure that data is transmitted using secure protocols and encryption.

  • Multi-Tenancy and Physical Security - Multi-tenant environments represent an important attack surface and a security risk if resources hosted in the cloud are not logically segmented to ensure the isolation of each tenant’s data.  Although multi-tenancy is a good way to reduce costs, some data is far too sensitive to risk exposure through multi-tenancy and instead private cloud solutions should be negotiated with the cloud IaaS provider.

  • Incident Analysis and Forensic Support - Cloud environments present unique challenges for the forensic analysis that is often required to maintain security. This type of analysis is tied to network detection and prevention controls and to security operations center investigations into potential cyber-incidents. An inability to properly conduct forensic analysis could leave an organization without insight into the true impact of a cyber attack.

  • Infrastructure Security - Fundamental network security best practices are also applicable to cloud infrastructure, such as routine vulnerability assessments and applying security patches and updates. Implementing appropriate network security in the cloud is even more critical because the cloud attack surface is publicly accessible.

  • Non-Production Environment Exposure - Although the cloud is a convenient way to deploy staging, testing, and development environments, special standards must be in place to prevent unauthorized access since these environments are inherently less secure than the production ones.  It's important to ensure that the attack surface of these environments is minimized by removing any sensitive user information, trade secrets, or unrequired code.

Kubernetes Security Assessment

Kubernetes (also known as K8s) is an open-source Infrastructure as Code (IaC) platform that enables automatic deployment and management of cloud VPS and containerized applications. Kubernetes has quickly become a fundamental component of cloud architecture due to its ability to optimize load balancing and automate VM, container, and enterprise application deployment. Between 2020 and 2021, the number of Kubernetes engineers increased by 67% to nearly 4 million, and Kubernetes now accounts for 31% of all enterprise backends.

Penetration testing Kubernetes requires deep technical insight and experience with the configuration, operation, and management of Kubernetes and should include tactics that seek to identify weaknesses in the following areas:

  • Configuration

  • Identity and access management (IAM)

  • Multi-tenancy & pod security

  • Container image security

  • Exposed secrets such as authentication keys or plain text passwords
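The following script is an added example, not Packetlabs' tooling or part of the original guide. It audits a Kubernetes Pod manifest for several of the weaknesses named in the "Containers and pods" and "Exposed sensitive information" items above and in the Kubernetes list: privileged containers and host-namespace settings in the security context, hostPath mounts, images not pinned to a version, and credentials passed as plain-text environment variables. It works on a manifest already loaded as a Python dict (the shape `kubectl get pod <name> -o json` produces). The Pod specs, names, registry hostname and image digest are constructed for the example; the hardened spec is included so the audit can be seen passing as well as failing.

```python
"""Audit a Kubernetes Pod manifest for common security-context weaknesses.

Added example, not Packetlabs' tooling. Both Pod specs below are constructed
for illustration; the digest in the hardened spec is a placeholder.
"""
import json
import re
import sys

# Constructed sample: a deliberately weak Pod spec.
WEAK_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "billing-api", "namespace": "prod"},
    "spec": {
        "hostPID": True,
        "hostNetwork": True,
        "containers": [{
            "name": "api",
            "image": "registry.example.com/billing-api:latest",
            "securityContext": {"privileged": True, "runAsUser": 0},
            "env": [
                {"name": "DB_PASSWORD", "value": "hunter2"},
                {"name": "LOG_LEVEL", "value": "info"},
                {"name": "API_TOKEN", "valueFrom": {"secretKeyRef": {"name": "api-creds", "key": "token"}}},
            ],
            "volumeMounts": [{"name": "host-root", "mountPath": "/host"}],
        }],
        "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
    },
}

# Constructed sample: the same workload with a hardened security context.
HARDENED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "billing-api", "namespace": "prod"},
    "spec": {
        "automountServiceAccountToken": False,
        "containers": [{
            "name": "api",
            "image": "registry.example.com/billing-api@sha256:" + "0" * 64,  # placeholder digest
            "securityContext": {
                "privileged": False,
                "runAsNonRoot": True,
                "runAsUser": 10001,
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
            "env": [
                {"name": "LOG_LEVEL", "value": "info"},
                # Credential comes from a Secret object, not an inline value.
                {"name": "DB_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}},
            ],
        }],
    },
}

# Environment variable names that usually carry a credential.
SECRET_NAME_RE = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY)", re.IGNORECASE)


def audit_pod(pod: dict) -> list:
    """Return a list of (severity, finding) tuples for one Pod manifest."""
    findings = []
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")

    # Pod-level flags that share the node's process, network or IPC namespace.
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(("high", f"{name}: spec.{flag} is true"))

    host_path_volumes = {v["name"] for v in spec.get("volumes", []) if "hostPath" in v}

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname = f"{name}/{c['name']}"
        sc = c.get("securityContext", {})
        image = c.get("image", "")
        if sc.get("privileged"):
            findings.append(("critical", f"{cname}: privileged container"))
        # Root is the default unless runAsNonRoot or a non-zero runAsUser is set.
        if sc.get("runAsUser") == 0 or (sc.get("runAsNonRoot") is not True and "runAsUser" not in sc):
            findings.append(("medium", f"{cname}: may run as root (set runAsNonRoot: true)"))
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(("medium", f"{cname}: allowPrivilegeEscalation not set to false"))
        # A tag-less or :latest image cannot be tied to a reviewed build.
        if image.endswith(":latest") or ":" not in image.split("/")[-1]:
            findings.append(("low", f"{cname}: image not pinned to a version or digest"))
        for mount in c.get("volumeMounts", []):
            if mount["name"] in host_path_volumes:
                findings.append(("high", f"{cname}: mounts hostPath volume {mount['name']}"))
        # Inline 'value' entries with credential-like names are plain-text secrets.
        for env in c.get("env", []):
            if "value" in env and SECRET_NAME_RE.search(env["name"]):
                findings.append(("high", f"{cname}: env {env['name']} holds a plain-text secret"))
    return findings


if __name__ == "__main__":
    # Pass exported Pod JSON files as arguments, or run the built-in samples.
    pods = [json.load(open(p)) for p in sys.argv[1:]] or [WEAK_POD, HARDENED_POD]
    for pod in pods:
        for sev, msg in audit_pod(pod) or [("info", pod["metadata"]["name"] + ": no findings")]:
            print(f"[{sev}] {msg}")
```

Run against the built-in samples, the weak spec produces eight findings (one critical, four high, two medium, one low) and the hardened spec produces none. The checks are deliberately conservative: a container that sets neither `runAsNonRoot` nor `runAsUser` is reported, because the image default decides whether it runs as root, and an environment variable sourced through `secretKeyRef` is not reported even if its name looks like a credential.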

Limitations On Pentesting Cloud Infrastructure

Cloud service providers maintain strict policies that define which penetration testing activities may be conducted on their infrastructure and which may not. Some cloud providers also require prior notice of any planned pentesting activities before testing begins. It's crucial that these policies are thoroughly reviewed and adhered to by the penetration testing entity throughout an engagement. If an engagement's activities violate the cloud provider's policies, an organization may be heavily penalized, potentially through termination of service.

Here are some pentesting activities that are commonly not allowed:

  • Virtual machine escape

  • DoS and DDoS attacks

  • Any type of illegal activity

  • Phishing or social engineering the cloud provider's employees

  • Deploying trojans, ransomware, or other known malware strains

  • Other violations of the cloud provider's acceptable use policy

How Is Cloud Pentesting Different From Infrastructure Pentesting?

The most obvious difference between Cloud Penetration Testing and traditional Infrastructure Penetration Testing is that the hardware assets considered in scope for a Cloud Pentesting engagement are not owned by the target organization. Instead, they are owned by a cloud Infrastructure as a Service (IaaS) provider. This key difference imposes limitations that traditional Infrastructure Penetration Testing does not, arising from the service level agreements (SLAs) and acceptable use policies of the IaaS provider.

Otherwise, the tactical approach to Cloud Penetration Testing encompasses all tactics used in Infrastructure Penetration Testing but additionally includes cloud-specific techniques. Also, since the cloud infrastructure is off-premises, there is no need for physical penetration testing techniques.

Cloud Penetration Testing With Packetlabs

Packetlabs offers premium professional cloud penetration testing services. Each member of our team of over 20 in-house penetration testers holds at least the OSCP certification, and we do not outsource any pentesting activities to third parties. Packetlabs is also SOC-2 Type II accredited and Canada Data Residency compliant.

While there are many free and fully automated "pentesting tools" designed to quickly scan an application or environment for vulnerabilities, these tools do not provide the high degree of security assurance required by enterprise risk management because they do not simulate an organization's true ability to manage a real-world cyber-attack. Packetlabs' penetration testing process consists of 95% manual testing activities which are essential for identifying the most potentially risky vulnerabilities that real-world adversaries look for. Also, by focusing on the most stringent form of penetration testing activities - manual testing - we eliminate all false positives from our reporting since each vulnerability is verified directly.

Packetlabs also strives to excel at client communication by reporting IT security findings both at a general-audience level and as highly technical descriptions of the vulnerabilities uncovered, the associated threat intelligence, and the appropriate mitigation steps. With over 20 in-house testers, Packetlabs is ready for quick engagement starts and flexible with retesting time frames to meet client scheduling requirements.

What You'll Get With A Cloud Penetration Test

Each Cloud Penetration Test begins with a consulting period to define the scope and rules of engagement (RoE) for the pentest. The scope and RoE formally outline which of the target organization's assets will be tested, which types of vulnerabilities the pentesting entity will focus on exploiting, communication channels between the target and testing entities, and severity thresholds that warrant halting the testing process and immediately communicating highly critical findings.

The initial consultation is followed by a pentesting engagement that complies with IT industry standard pentesting methodology. Pentesting activities result in a delivered report summarizing the findings uncovered by the pentesting activities.  The report includes a technical description of the exploitation process, a comprehensive severity assessment of each vulnerability, and detailed steps for remediation.

Packetlabs' Cloud Penetration Testing methodology is underpinned by the following testing phases: 

  • Passive reconnaissance - Pentesters gather any publicly available information about the target. This includes searching historical DNS records, internet archives, and leaked data repositories databases for any information that could be useful in an attack against the target organization.

  • Active scanning - Pentesters identify potentially vulnerable attack surfaces on their target by scanning to map network topology, operating systems, applications, services and their versions, user accounts, exposed files, directories, and APIs, and by collecting any other available network data such as the protocols or encryption standards in use.

  • Vulnerability assessment - The collected information is compared with known exploit data and attack strategies are planned to exploit any potential security weaknesses. This includes the use of cybersecurity threat intelligence (CTI) to orchestrate activities that simulate known adversarial behaviour.

  • Exploitation - Real cyber attacks are conducted by pentesters against the target's infrastructure that seek to exploit any potential vulnerabilities identified during the previous stages. Typical exploitation tactics include gaining initial access to unauthorized systems, elevating privileges to gain administrative access, stealing data, intercepting traffic, and mapping any newly accessible systems or data.

  • Reporting - Pentesters prepare a comprehensive report that highlights any vulnerabilities found and their severity scores along with evidence collected from the testing process and detailed descriptions of appropriate remediation steps.

Packetlabs' Cloud Penetration Testing methodology focuses on exploiting security weaknesses in cloud-native infrastructure and therefore includes a set of cloud-specific activities in addition to the traditional Infrastructure Pentesting assessment.

Some of the cloud-specific activities included in Packetlabs' Cloud Penetration Testing service offering are:

  • Assessing cloud architecture for the OWASP Top 10 Cloud Security Risks

  • Testing serverless cloud services such as AWS Lambda, Azure Function, and Google Cloud Functions

  • Specialized activities for the most common cloud vulnerabilities

    • Cloud Misconfigurations

    • External services and applications including APIs

    • Exposed sensitive information, data, and documents

    • Internal testing of cloud servers and services

    • Container and Pod security testing

    • Identity and access management (IAM)

Who Will Complete This Test?

The pentester role (also known as an ethical hacker) is a distinct IT security role that requires specialized training and certification. Ethical hackers may be categorized as generalists who are broadly trained in penetration testing tactics or specialists with deeper skills in some particular aspect of the pentesting process. Specialists may also be distinguished by the specific exploitation frameworks, protocols, operating systems, or exploitation procedures they are experts in. For Cloud Penetration Tests, Packetlabs provides a specialized GIAC Cloud Penetration Tester (GCPN).

The OSCP is a globally recognized and industry-leading ethical hacking certification offered by Offensive Security. Offensive Security offers several certifications but the OSCP is the broadest and most well-known. Packetlabs is a passionate team of highly trained ethical hackers with the industry’s most advanced certifications. All Packetlabs pentesters are required to have a minimum of OSCP. While OSCP is the Packetlabs minimum requirement, many team members go above and beyond to gain additional certified expertise including:

  • Offensive Security Experienced Penetration Tester (OSEP)

  • Offensive Security Wireless Attacks (OSWP)

  • Offensive Security Exploit Developer (OSED)

  • Offensive Security Web Expert (OSWE)

  • Certified Information Systems Security Professional (CISSP)

  • Certified Information Systems Auditor (CISA)

  • GIAC Web Application Penetration Tester (GWAPT)

  • GIAC Mobile Device Security Analyst (GMOB)

  • GIAC Systems and Network Auditor (GSNA)

  • GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)

  • GIAC Certified Incident Handler (GCIH)

  • Burp Suite Certified Practitioner

This allows our team of OSCP penetration testing professionals to demonstrate industry-leading comprehensive hands-on mastery of penetration testing.

Packetlabs offers comprehensive cloud penetration testing solutions that can help protect your cloud environment from malicious threat actors. For more information, download our cloud sample report today.
