
Are you ready for a cloud pentest?

Teri
June 26, 2019


Presentation from AWS re:Inforce 2019. Pentesting in the cloud. Copyright 2nd Sight Lab and Amazon Web Services.


Transcript

  1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Are you ready for a cloud pentest? Teri Radichel | @teriradichel
  2. Pentesting is Cool! People seem to be in awe of hackers. Many people aspire to be pentesters. In reality, hacking is easier than defending. We should be in awe of defenders, but I digress.
  3. What this talk is About: Getting the most from a pentest. Being prepared. Cloud vs. On-Premises. NOT about lots of nifty hacking tricks.
  4. Why might you need a pentest? Compliance. It’s required explicitly, or implicitly. Often testing by a third party. Prove the system can be broken into. (Not that it can’t be.)
  5. Pentest Preparation: Mutual NDA - protects you and the pentester. Define scope - what is in scope, what is not, objectives. Rules of engagement - contacts, time of testing. Contract - time, cost, ownership, data protection, and more.
  6. What you do not have to do
  7. You still need permission! Not having to submit a form does not mean anything goes. You can only test systems for which you have permission. You can’t test anything that is off limits per the cloud provider. But for basic testing, no more pentest request forms.
  8. What’s Different in the Cloud?
  9. Dynamic resources: The IP address for a system may change during the test. The IP address may then be assigned to a different customer. What about AWS Lambda, API Gateway, CloudFront? Use domain names instead of IP addresses, or Elastic IPs.
  10. Layer 4 + Responsibility (the customer is responsible from layer 4 up; the cloud provider for layers 3 and below)

    Responsibility   #  Layer         Examples
    Customer         7  Application   Web requests, application load balancers, WAF, DNS
    Customer         6  Presentation  Translation between network and application layers
    Customer         5  Session       Stateful firewall – tracks all the packets in a particular session
    Customer         4  Transport     TCP, UDP protocols (ports), load balancers, stateless firewalls
    Cloud Provider   3  Network       IP protocol (no ports), IP routers
    Cloud Provider   2  Data Link     Ethernet, 802.11, MAC layer
    Cloud Provider   1  Physical      Network interface card and other hardware
  11. Only what is Allowed: Each cloud provider has pentesting requirements. You need to abide by the terms of service (TOS) and the acceptable use policy (AUP). You still need permission from the resource owner!
  12. New Configurations: Have you heard of an S3 Bucket? It’s all about the configurations inside the cloud. Lots of new services to configure ...or misconfigure. Pentesters will check these new types of services.
  13. New Technology Stacks: Serverless - Lambda, Google and Azure functions. Containers - often misunderstood and misconfigured. Container management - Docker, Kubernetes, ECS. New types of storage - DynamoDB, Redshift.
  14. New Cloud Provider Tools: Cloud platforms offer SDKs and CLIs. These powerful new tools call cloud APIs. They make changes in your accounts. These same tools can be used and abused by pentesters!
  15. ARP spoofing doesn’t work
  16. Pentesting Tools…old and new: Tried and true pentesting tools (Metasploit, Burp). New tools like Pacu from Rhino Security built for AWS. In some cases, the provider CLI is very powerful by itself. In most cases, use a combination of old and new techniques.
  17. Pentesting Resources on GitHub
  18. Considering Scope (diagram; labels: Vulnerable Internal Server, Credentials)
  19. Mashup of connected services: Many systems in the cloud integrate with other systems. If you are leveraging any third party systems, you need their permission. Make sure any and all are listed as in or out of scope. You may not be able to test them - you’ll have to get their pentest results.
  20. Cloud Platform is out of scope: When pentesting on AWS, the platform is out of scope for your test. You will have to rely on their pentesting or compliance results. Some services, like Cognito, will be out of scope as well.
  21. Optimizing Results
  22. Read-only access for pentesters: Pentesters can save time with read-only access in the cloud. The same results (or better) as a network scan in less time. Testers can verify they are attacking your resources. Get a broader assessment of security gaps and vulnerabilities.
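Slides 9 and 22 together suggest a pre-test check: with read-only access, confirm that every in-scope target currently points at an address the account actually owns, and flag entries that resolve to an ephemeral instance address rather than an Elastic IP. The following is an added example, not code from the talk; the scope list, the Elastic IP and instance address sets (standing in for `describe-addresses` / `describe-instances` output) and the DNS answers are all constructed.

```python
import ipaddress

# Constructed in-scope target list, written the way slide 9 recommends:
# hostnames or Elastic IPs rather than ephemeral instance addresses.
SCOPE = ["app.example.com", "api.example.com", "203.0.113.10"]

# Constructed stand-in for the account's allocated Elastic IPs
# (the "PublicIp" values from `aws ec2 describe-addresses`).
ACCOUNT_EIPS = {"203.0.113.10", "203.0.113.11"}

# Constructed stand-in for current instance public addresses
# (from `aws ec2 describe-instances`); these can change mid-test.
ACCOUNT_INSTANCE_IPS = {"198.51.100.7"}

# Constructed DNS answers, standing in for a live resolver lookup at test time.
DNS = {
    "app.example.com": "203.0.113.10",  # Elastic IP: stable for the whole test
    "api.example.com": "198.51.100.7",  # ephemeral instance IP: re-check during the test
    "old.example.com": "192.0.2.44",    # address the account does not own at all
}


def resolve(target):
    """Return the IP a scope entry currently points at; literal IPs pass through."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        return DNS.get(target)


def classify(target):
    """Classify one scope entry as 'stable', 'ephemeral', 'not-owned' or 'unresolved'."""
    ip = resolve(target)
    if ip is None:
        return "unresolved"
    if ip in ACCOUNT_EIPS:
        return "stable"
    if ip in ACCOUNT_INSTANCE_IPS:
        return "ephemeral"
    return "not-owned"


def check_scope(scope):
    """Map each scope entry to its status; anything but 'stable' needs attention first."""
    return {target: classify(target) for target in scope}


if __name__ == "__main__":
    for target, status in check_scope(SCOPE + ["old.example.com"]).items():
        print(f"{target:20} {status}")
```

A 'not-owned' entry is exactly the slide 9 hazard: an address that may now belong to another customer and must not be tested.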
  23. Test Web Applications in the cloud: Recommendation: Include web app penetration testing. Often you can leverage old and new technologies. Also include credentials: once authorized, there is more attack surface. Pentesters can check for lateral access and elevated access.
  24. Are Cloud Security Services on? Have you enabled all the cloud security services? Some will tell you if resources are misconfigured. Review and fix any findings. Also make sure logging has been turned on for all services.
  25. What about a Vulnerability Scan? Have you run a vulnerability scanner over your systems? That’s one of the first things the pentester will do. Any vulnerabilities may be leveraged in an attack. Vulnerability scanners report known software flaws.
  26. Do you follow Best Practices? Have you evaluated your systems against CIS Benchmarks? Best practices for AWS, Docker, Kubernetes, Windows, and more. Also the AWS Well-Architected Framework. Evaluate and fix issues you find before your test.
  27. Credential Attacks and cloud: Standard credential attacks can apply in and out of cloud. Mimikatz, brute force attacks on passwords, RDP vulnerability. Once credentials are obtained, see what they can access. Phishing and social engineering still apply as well.
  28. Credentials and Segregation: Credentials are a critical point of failure in cloud security. Do you have MFA on all critical credentials? Are permissions segregated to reduce the blast radius? If developers have broad access, you might want to fix that first.
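One way to answer the two questions on this slide before the tester does: parse the IAM credential report and flag console sign-ins without MFA, root access keys, and identities that mix a console password with access keys. This is an added example, not code from the talk; the report below is a constructed subset of the columns `aws iam get-credential-report` produces (column names are real, the account id and users are made up).

```python
import csv
import io

# Constructed credential report (CSV layout of `aws iam get-credential-report`,
# reduced to the columns used here; account id 123456789012 and users are made up).
REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,2019-01-01T00:00:00+00:00,not_supported,2019-06-01T00:00:00+00:00,not_supported,not_supported,false,true,false
alice,arn:aws:iam::123456789012:user/alice,2019-02-01T00:00:00+00:00,true,2019-06-20T00:00:00+00:00,2019-02-01T00:00:00+00:00,N/A,true,false,false
bob,arn:aws:iam::123456789012:user/bob,2019-03-01T00:00:00+00:00,true,2019-06-21T00:00:00+00:00,2019-03-01T00:00:00+00:00,N/A,false,true,true
deploy,arn:aws:iam::123456789012:user/deploy,2019-04-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,false
"""

ROOT = "<root_account>"


def credential_findings(report_csv):
    """Return (user, finding) pairs for the credential hygiene gaps the slide asks about."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Root reports password_enabled as not_supported but always has console sign-in.
        console = row["password_enabled"] == "true" or user == ROOT
        keys = [k for k in ("access_key_1_active", "access_key_2_active") if row[k] == "true"]
        if console and row["mfa_active"] != "true":
            findings.append((user, "console sign-in without MFA"))
        if user == ROOT and keys:
            findings.append((user, "root account has active access keys"))
        if console and keys and user != ROOT:
            # Segregation: humans sign in at the console, automation uses keys, not both.
            findings.append((user, "console password and access keys on the same identity"))
    return findings


if __name__ == "__main__":
    for user, finding in credential_findings(REPORT):
        print(f"{user:16} {finding}")
```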
  29. Developers and Networking: Did the developers get there first? Did they build the network? With no network training? In that case, they may be using default network rules... Open outbound access, default CIDR blocks and ports.
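The "default network rules" this slide warns about are easy to spot from read-only access: inbound rules that open administrative ports to 0.0.0.0/0 and egress rules that allow everything everywhere. The following is an added example, not code from the talk; the two security groups are a constructed sample in the shape of `aws ec2 describe-security-groups` output, and the list of administrative ports is an assumption.

```python
# Constructed sample in the shape of `aws ec2 describe-security-groups` output
# (field names follow the real API; group ids and rules are made up).
SECURITY_GROUPS = [
    {"GroupId": "sg-0000000000000aaaa", "GroupName": "default",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0000000000000bbbb", "GroupName": "web-tier",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
]

# Ports that should not face the whole internet; this list is an assumption for the example.
ADMIN_PORTS = {22, 3389, 3306, 5432, 6379, 27017}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def port_span(rule):
    """Return the (low, high) port range a rule covers; protocol -1 means every port."""
    if rule.get("IpProtocol") == "-1":
        return (0, 65535)
    return (rule.get("FromPort", 0), rule.get("ToPort", 65535))


def open_to_world(rule):
    """True if any IPv4 or IPv6 range on the rule is the whole internet."""
    ranges = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    ranges += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return any(cidr in ANYWHERE for cidr in ranges)


def audit(groups):
    """Return (group id, finding) pairs for default-style rules worth fixing before a test."""
    findings = []
    for group in groups:
        gid = group["GroupId"]
        for rule in group.get("IpPermissions", []):
            low, high = port_span(rule)
            if open_to_world(rule) and any(low <= p <= high for p in ADMIN_PORTS):
                findings.append((gid, f"inbound ports {low}-{high} open to the world"))
        for rule in group.get("IpPermissionsEgress", []):
            if open_to_world(rule) and port_span(rule) == (0, 65535):
                findings.append((gid, "unrestricted outbound access"))
    return findings
```

The web-tier group produces no findings: 443 open to the world is expected for a public web front end, and its egress is restricted to a private range.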
  30. Is your system Complete? You can have a pentester test early to get initial results. Security up front and early is always a good idea. However, if your system is not complete, expect to test again. Likely things will break in ways that limit test coverage.
  31. Can you do Basic Pentesting? Running web scanning tools is not rocket science. You’ll need permission from your organization (C-Level). Burp Suite doesn’t cost much and Zed Attack Proxy is free. Fix the basics and let your pentester know the risks you accept.
  32. Are you ready to Fix It? After the test, you may need to go back and fix things. Do you have the capacity and approval to fix the findings? Will you need a follow-on penetration test to verify the fixes? A new test may produce new findings.
  33. Let’s Pentest! Now let’s get busy and pentest. Defining your scope properly is most important to get started. Hopefully, after you’ve prepared for all of the above, your pentest will produce more meaningful results.
  34. Thank you! Teri Radichel @teriradichel https://2ndsightlab.com https://medium.com/cloud-security