Are you ready for a cloud pentest? AWS re:Inforce 2019

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Are you ready for a cloud pentest?
Teri Radichel | @teriradichel
S e s s i o n I D

PentestingisCool!
People seem to be in awe of hackers.
Many people aspire to be pentesters.
In reality, hacking is easier than defending.
We should be in awe of defenders, but I
digress.
@teriradichel

WhatthistalkisAbout
Getting the most from a pentest.
Being prepared.
Cloud vs. On-Premises.
NOT about lots of nifty hacking tricks.
@teriradichel

Whymightyou need apentest?
Compliance. It’s required explicitly, or
implicitly.
Often testing by a third party.
Prove the system can be broken into.
(Not that it can’t be.)
@teriradichel

Pentest Preparation
Mutual NDA - protects you and the pentester.
Define scope - what is in scope, what is not, objectives.
Rules of engagement - contacts, time of testing.
Contract - time, cost, ownership, data protection, and
more.
@teriradichel

Whatyou do not havetodo
@teriradichel

Youstillneed permission!
Not having to submit a form does not mean anything
goes.
You can only test systems for which you have
permission.
You can’t test anything that is off limits per the cloud
provider.
But for basic testing, no more pentest request forms.
@teriradichel

What’sDifferent in theCloud?
@teriradichel

Dynamic resources
The IP address for a system may change during the test.
The IP address may then be assigned to a different
customer.
What about AWS Lambda, API Gateway, CloudFront?
Use domain names instead of IP addresses, or Elastic
IPs.
@teriradichel

Layer4+
Responsibility # Layer Examples
Customer 7 Application Web requests, application load balancers, WAF, DNS
6 Presentation Translation between network and application layers
5 Session
Stateful firewall – tracks all the packets in a particular
session.
4 Transport
TCP, UDP protocols (ports), load balancers, stateless
firewalls
Cloud Provider 3 Network IP Protocol (no ports), IP routers
2 Data Link Ethernet, 802.11, Mac Layer
1 Physical Network interface card and other hardware
@teriradichel

Only whatisAllowed
Each cloud provider has pentesting requirements.
You need abide by the terms of service (TOS).
Also acceptable use policy (AUP).
You still need permission from the resource owner!
@teriradichel

NewConfigurations
Have you heard of an S3 Bucket?
It’s all about the configurations inside the cloud.
Lots of new services to configure ...or misconfigure.
Pentesters will check these new types of services.
@teriradichel

NewTechnologyStacks
Serverless - Lambda, Google and Azure functions
Containers - often misunderstood and misconfigured
Container management - Docker, Kubernetes, ECS
New types of storage - DynamoDB, Redshift
@teriradichel

NewCloud ProviderTools
Cloud platforms offer SDKs and CLIs.
These powerful new tools call cloud APIs.
They make changes in your accounts.
These same tools can be used and abused by
pentesters!
@teriradichel

ArpSpoofing doesn’twork
@teriradichel

PentestingTools…oldand new
Tried and true pentesting tools (Metasploit, Burp).
New tools like PACU from Rhino Security built for AWS.
In some cases, the provider CLI is very powerful by itself.
In most cases, use a combination of old and new
techniques.
@teriradichel

PentestingResources onGitHub
@teriradichel

ConsideringScope
@teriradichel
Vulnerable
Internal Server
Credentials

Mashupof connected services
Many systems in the cloud integrate with other systems.
If you are leveraging any third party systems - need permission.
Make sure any and all are listed as in or out of scope.
May not be able to test - you’ll have to get their pentest.
@teriradichel

Cloud Platformis outof scope
When pentesting on AWS...
The platform is out of scope for your test
You will have to rely on their pentesting or compliance results
Some services, like Cognito, will be out of scope as well
@teriradichel

OptimizingResults
@teriradichel

Read-only accessfor pentesters
Pentesters can save time with read-only access in the cloud.
The same results (or better) as a network scan in less time.
Testers can verify they are attacking your resources.
Get a broader assessment of security gaps and vulnerabilities.
@teriradichel

TestWebApplications in thecloud
Recommendation: Include web app penetration testing.
Often can leverage a old and new technologies.
Also include credentials. Once authorized more attack surface.
Pentesters can check for lateral access and elevated access.
@teriradichel

AreCloudSecurityServices on?
Have you enabled all the cloud security services?
Some will tell you if resources are misconfigured.
Review and fix any findings.
Also make sure logging has been turned on for all services.
@teriradichel

Whatabout aVulnerabilityScan?
Have you run a vulnerability scanner over your systems?
That’s one of the first thing the pentester will do.
Any vulnerabilities may be leveraged in an attack.
Vulnerability scanners report known software flaws.
@teriradichel

Do you follow BestPractices?
Have you evaluated your systems against CIS Benchmarks?
Best practices for: AWS, Docker, Kubernetes, Windows, more…
AWS Well-Architected Framework
Evaluate and fix issues you find before your test.
@teriradichel

CredentialAttacks and cloud
Standard credential attacks can apply in and out of cloud.
Mimikatz, brute force attacks on passwords, RDP vulnerability.
Once credentials are obtained, see what can access.
Phishing and social engineering still apply as well.
@teriradichel

CredentialsandSegregation
Credentials are a critical point of failure in cloud security.
Do you have MFA on all critical credentials?
Are permissions segregated to reduce the blast radius?
If developers have broad access, might want to fix that first.
@teriradichel

Developers and Networking
Did the developers get their first?
Did they build the network? With no network training?
In that case, may be using default network rules...
Open outbound access, default CIDR blocks and ports.
@teriradichel

Is your systemComplete?
You can have a pentester test early to get initial results.
Security up front and early is always a good idea.
However if your system is not complete - expect to test again.
Likely things will break in ways that limit test coverage.
@teriradichel

Can you do BasicPentesting?
Running web scanning tools is not rocket science.
You’ll need permission from your organization (C-Level)
Burp Suite doesn’t cost much and Zed Attack Proxy is free.
Fix the basics and let your pentester know risks you accept.
@teriradichel

Are youready to Fix It?
After the test, you may need to go back and fix things.
Do you have the capacity and approval to fix the findings?
Will you need a follow-on penetration test to verify the fixes?
A new test may may produce new findings.
@teriradichel

Let’sPentest!
Now let’s get busy and pentest.
Defining your scope properly is most important to get started.
Hopefully after you’ve prepared for all of the above…
Your pentest will produce more meaningful results.
@teriradichel

Thank you!
Teri Radichel @teriradichel
https://2ndsightlab.com
https://medium.com/cloud-security

Are you ready for a cloud pentest? AWS re:Inforce 2019

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Are you ready for a cloud pentest? AWS re:Inforce 2019

Similar to Are you ready for a cloud pentest? AWS re:Inforce 2019 (20)

More from Teri Radichel

More from Teri Radichel (20)

Recently uploaded

Recently uploaded (20)

Are you ready for a cloud pentest? AWS re:Inforce 2019