Penetration Testing in the Cloud Demands a Different Approach
Most companies are familiar with the pattern: As attackers adjust their techniques, defenders must rethink their security strategies. Now, as the attack surface expands and criminals target cloud environments, the pressure is on businesses to ensure their cloud infrastructure is secure.
Many organizations rely on penetration testing to find security gaps in their systems, but the process has historically looked different, said Josh Stella, Fugue co-founder and CTO, in a presentation at this year’s virtual (ISC)² Security Congress. In the traditional data center world, pen testers are primarily concerned with gaining access to network devices and with moving through the TCP/IP network, through perimeters of defense, to access assets such as databases, he explained.
“Pen testing is a little behind on cloud technologies,” Stella said. “The attack surfaces have changed.”
Many cloud vulnerabilities are often missed because pen testers are focused on data center techniques and not cloud tactics. Security gaps are not addressed by compliance frameworks and not recognized by DevOps or security teams. Flaws are often only apparent in the full context of the environment — if you don’t understand the big picture, you miss them, according to Stella.
He pointed to the Uber breach, which occurred in 2016 and compromised the information of 57 million global users and 600,000 US drivers. An attacker reportedly stole credentials to gain access to Uber’s private code on GitHub, where they found hardcoded AWS S3 credentials. They were able to use these credentials to log in to Uber’s AWS account and download files.
“This is not an unusual attack pattern for hackers to use … to use multiple cloud services the target is utilizing to get across these boundaries,” Stella continued. The attackers aren’t using a network or operating system vulnerability because they could breach the cloud environment without one.
The vulnerabilities attackers use to breach cloud environments tend to be architectural issues or process problems, as opposed to a version of a library that has a flaw, Stella said. While these problems do exist in the cloud, they’re less common than they are in the data center. Much of pen testing in the cloud involves piecing together content from different places to make a breach happen.
In the traditional attack pattern, an attacker chooses a target and then searches for, or tries to create, vulnerabilities to break in. This isn’t how most breaches unfold in the cloud. Even high-profile attacks tend to employ a new pattern: Attackers use automation to find vulnerabilities — often a misconfiguration of cloud resource APIs — and then choose where they want to break in.
“By the time you put something out there and have configured it, whether it’s an S3 bucket or what have you, attackers have probed it for things they know are misconfigurations and vulnerabilities,” Stella said. Often, adversaries will find your cloud resources within minutes.
“Ugly” S3 Problems
The Uber attack highlighted the danger of S3 data exfiltrations, an all-too-common enterprise issue that he described as “ugly for a number of reasons”: These are extraordinarily hard to detect because, in most cases, the data doesn’t traverse any customer-accessible networks. The exfiltration happens on the cloud provider network that a customer organization doesn’t really have access to; the event log the organization can access will alert to stolen data after it’s already gone.
Businesses should be especially concerned about S3 lists, which Stella described as “one of the most wonderful tools for an attacker.”
The majority of dangerous cloud misconfigurations are Read misconfigurations, which are used for discovery, he noted. After its 2019 breach, in which an attacker stole an AWS API key from an internal system left accessible from the Internet, Imperva took steps to increase its audit of snapshot access. This is “almost certainly” examining IAM policies and role associations that are allowed Read access, Stella said. Organizations should be trying to figure out everywhere API keys are stored because that is what the attackers will be doing.
Imperva, which he noted had a strong breach response, also took steps to rotate credentials and strengthen the credential management process — another must-do for businesses that want to improve their cloud security posture, he said. All credentials should be rotated, even those in development and test environments where the security controls tend to be weaker.
“Dev and test are probably more popular, or at least as popular as production, for hacking in the cloud, and a lot of that has to do with the more relaxed set of security controls that tend to be in those environments,” Stella added.
The kind of questions you’d ask to check your vendor’s security posture are the same ones you should ask a pen tester, Stella said. Do they understand the vulnerability surface and their exposure to it? Are they testing control plane APIs, especially if they’re hosted in the cloud? This is another aspect businesses should keep in mind when strengthening their cloud posture: When data is taken from the cloud, he said, it’s almost always through the control plane API.