Offensive Security assessments in cloud environments can be performed in many ways. Today, we discuss the differences between Cloud Penetration Testing and Cloud Audit as well as advantages of each. While discussing the advantages we will also point out limitations and requirements of each as well as testing methodologies.
Hack the Box’s BlackSky Cloud Hacking Labs
In our recent posts we wrote about a Cloud Penetration Test against Hack the Box’s BlackSky Cloud Hacking Labs and published a post about AWS penetration testing: a step-by-step guide. You can find our feedback and some insights for each of the scenarios in our previous posts:
Amazon Web Services
Google Cloud Platform
Microsoft Azure
Cloud Penetration Test vs Cloud Audit
Before jumping into the methodologies, we quickly discuss the differences between a Cloud Penetration Test and Cloud Audit. The most crucial difference is probably the perspective used to review the cloud configuration.
A Cloud Penetration Test is usually performed from the perspective of an External Attacker having no or limited knowledge of the internal Cloud configuration, similar to an Application or Infrastructure assessment. The focus is usually set on the external exposure and resilience of the target.
In a Cloud Audit assessment,Read-Only access to the Cloud environment is used to identify configuration vulnerabilities within the components, this is similar to a Configuration Review of an operating system. The aim of the assessment usually is identifying misconfiguration and general architectural vulnerabilities as part of an in-depth review.
You may now ask how the results of both tests could differ. In a Cloud Penetration Test we may for example not get to the point to identify how back-end services communicate with each other (e.g., HTTP vs HTTPS) or how an AWS EC2 instance is configured in detail (e.g., disk encryption). In a Cloud Audit we have access to all configurations and hence can determine if a vulnerability exists. On the other hand, a Cloud Audit would not include an application or service level test as we would perform it in a Cloud Penetration Test. This could mean that input validation vulnerabilities like SQL-Injection or Command Execution would not be found.
Therefore, we usually recommend performing both types of testing as part of a White-box approach.
Cloud Penetration Test | Cloud Audit | |
---|---|---|
Perspective | External Attacker | Read-Only Access to Cloud |
Focus | Vulnerabilities that can be identified by an external attacker | Misconfiguration and Design |
Advantage | Verification of external resilience | In-depth configuration and compliance review |
Testing Methodologies
Y-Security uses two different methodologies to deliver the outlined services. Both align and complete common methodologies and frameworks in particular the OWASP Web Security Testing Guide, the BSI Leitfaden IT-Sicherheits-Penetrationstest, applicable CIS Benchmarks, the MITRE ATT&CK® Framework and Cloud Provider specific security best practice guidelines.
The methodologies include the below high-level categories which consist of further checks we run through in every assessment. We work according to a transparent principle. All our test steps can be traced using our methodology. During an assessment, our team writes comprehensible notes on positive and negative tests for each test step. These can be made available in addition to the report if required.
Cloud Penetration Test
- Service Discovery and Analysis
- Authentication, Authorisation, and Session
- Encryption
- Information Disclosure
- Input Validation and Data Sanitisation
- Service Logic
- Server Configuration
Cloud Audit
- Attack Surface Detection
- Identity and Access Management
- Storage
- Logging
- Monitoring
- Networking
- Virtual Machines
- Threat Detection
- Micro Service
Which is the best for me?
In our unified scoping process, we work with our clients to determine the overall scope of the assessment and which of the presented methodologies fits best. Crucial in this process is to understand the expected outcome, which can for example be the external resilience or an assumed breach scenario in which credentials were successfully stolen by an attacker or internal employee.
It is often the case that a combination of both is used to get the best outcome. With read-only access to the cloud environment it is easy to identify misconfiguration that can be abused from an external perspective. Testing from an external perspective ensures that no further controls exist that introduce vulnerabilities that could not have been covered by a Cloud Audit.
Get In Touch With Us For Consultancy
We have more to say and present which doesn’t all fit into a post, especially as the scope depends on used cloud services. If you are interested in further information about our Cloud Methodology or Penetration Testing and Attack Simulation Services, then give us a ping via request@y-security.de.
Author
Christian Becker
christian@y-security.de
Y-Security GmbH
04. May 2023