rights reserved. Pentesting is Cool! People seem to be in awe of hackers. Many people aspire to be pentesters. In reality, hacking is easier than defending. We should be in awe of defenders, but I digress. @teriradichel
rights reserved. What this talk is About Getting the most from a pentest. Being prepared. Cloud vs. On-Premises. NOT about lots of nifty hacking tricks. @teriradichel
rights reserved. Why might you need a pentest? Compliance. It’s required explicitly, or implicitly. Often testing by a third party. Prove the system can be broken into. (Not that it can’t be.) @teriradichel
rights reserved. Pentest Preparation Mutual NDA - protects you and the pentester. Define scope - what is in scope, what is not, objectives. Rules of engagement - contacts, time of testing. Contract - time, cost, ownership, data protection, and more. @teriradichel
rights reserved. You still need permission! Not having to submit a form does not mean anything goes. You can only test systems for which you have permission. You can’t test anything that is off limits per the cloud provider. But for basic testing, no more pentest request forms. @teriradichel
rights reserved. Dynamic resources The IP address for a system may change during the test. The IP address may then be assigned to a different customer. What about AWS Lambda, API Gateway, CloudFront? Use domain names instead of IP addresses, or Elastic IPs. @teriradichel
rights reserved. Layer 4 + Responsibility # Layer Examples Customer 7 Application Web requests, application load balancers, WAF, DNS 6 Presentation Translation between network and application layers 5 Session Stateful firewall – tracks all the packets in a particular session. 4 Transport TCP, UDP protocols (ports), load balancers, stateless firewalls Cloud Provider 3 Network IP Protocol (no ports), IP routers 2 Data Link Ethernet, 802.11, Mac Layer 1 Physical Network interface card and other hardware @teriradichel
rights reserved. Only what is Allowed Each cloud provider has pentesting requirements. You need abide by the terms of service (TOS). Also acceptable use policy (AUP). You still need permission from the resource owner! @teriradichel
rights reserved. New Configurations Have you heard of an S3 Bucket? It’s all about the configurations inside the cloud. Lots of new services to configure ...or misconfigure. Pentesters will check these new types of services. @teriradichel
rights reserved. New Technology Stacks Serverless - Lambda, Google and Azure functions Containers - often misunderstood and misconfigured Container management - Docker, Kubernetes, ECS New types of storage - DynamoDB, Redshift @teriradichel
rights reserved. New Cloud Provider Tools Cloud platforms offer SDKs and CLIs. These powerful new tools call cloud APIs. They make changes in your accounts. These same tools can be used and abused by pentesters! @teriradichel
rights reserved. Pentesting Tools…old and new Tried and true pentesting tools (Metasploit, Burp). New tools like PACU from Rhino Security built for AWS. In some cases, the provider CLI is very powerful by itself. In most cases, use a combination of old and new techniques. @teriradichel
rights reserved. Mashup of connected services Many systems in the cloud integrate with other systems. If you are leveraging any third party systems - need permission. Make sure any and all are listed as in or out of scope. May not be able to test - you’ll have to get their pentest. @teriradichel
rights reserved. Cloud Platform is out of scope When pentesting on AWS... The platform is out of scope for your test You will have to rely on their pentesting or compliance results Some services, like Cognito, will be out of scope as well @teriradichel
rights reserved. Read-only access for pentesters Pentesters can save time with read-only access in the cloud. The same results (or better) as a network scan in less time. Testers can verify they are attacking your resources. Get a broader assessment of security gaps and vulnerabilities. @teriradichel
rights reserved. Test Web Applications in the cloud Recommendation: Include web app penetration testing. Often can leverage a old and new technologies. Also include credentials. Once authorized more attack surface. Pentesters can check for lateral access and elevated access. @teriradichel
rights reserved. Are Cloud Security Services on? Have you enabled all the cloud security services? Some will tell you if resources are misconfigured. Review and fix any findings. Also make sure logging has been turned on for all services. @teriradichel
rights reserved. What about a Vulnerability Scan? Have you run a vulnerability scanner over your systems? That’s one of the first thing the pentester will do. Any vulnerabilities may be leveraged in an attack. Vulnerability scanners report known software flaws. @teriradichel
rights reserved. Do you follow Best Practices? Have you evaluated your systems against CIS Benchmarks? Best practices for: AWS, Docker, Kubernetes, Windows, more… AWS Well-Architected Framework Evaluate and fix issues you find before your test. @teriradichel
rights reserved. Credential Attacks and cloud Standard credential attacks can apply in and out of cloud. Mimikatz, brute force attacks on passwords, RDP vulnerability. Once credentials are obtained, see what can access. Phishing and social engineering still apply as well. @teriradichel
rights reserved. Credentials and Segregation Credentials are a critical point of failure in cloud security. Do you have MFA on all critical credentials? Are permissions segregated to reduce the blast radius? If developers have broad access, might want to fix that first. @teriradichel
rights reserved. Developers and Networking Did the developers get their first? Did they build the network? With no network training? In that case, may be using default network rules... Open outbound access, default CIDR blocks and ports. @teriradichel
rights reserved. Is your system Complete? You can have a pentester test early to get initial results. Security up front and early is always a good idea. However if your system is not complete - expect to test again. Likely things will break in ways that limit test coverage. @teriradichel
rights reserved. Can you do Basic Pentesting? Running web scanning tools is not rocket science. You’ll need permission from your organization (C-Level) Burp Suite doesn’t cost much and Zed Attack Proxy is free. Fix the basics and let your pentester know risks you accept. @teriradichel
rights reserved. Are you ready to Fix It? After the test, you may need to go back and fix things. Do you have the capacity and approval to fix the findings? Will you need a follow-on penetration test to verify the fixes? A new test may may produce new findings. @teriradichel
rights reserved. Let’s Pentest! Now let’s get busy and pentest. Defining your scope properly is most important to get started. Hopefully after you’ve prepared for all of the above… Your pentest will produce more meaningful results. @teriradichel
radichel
yushin_n
pamelafox
macloud
yamahiro
kongmingstrap
sansantech
__allllllllez__
oracle4engineer
os1ma
makies
daitak
nagix
malarkey
moore
maltzj
marcelosomers
bkeepers
phodgson
chrislema
addyosmani
tanoku
davidbonilla
geeforr
jakevdp
