Note from the Editor: This blog is part 4 of a 10-part series on Everything you need to know about an Internal Penetration Test. To read the series from the beginning, please go to the blog, What is an Internal Penetration Test?
Organizations often spend the vast majority of their resources on securing their systems from external threat actors, while spending far less time protecting the “gooey” center of their networks. The same seems to hold true for cloud environments. While many organizations are moving large portions of their services to cloud-based offerings, they are less likely to consider security during these transitions. Of those that do consider security, many hold to the hard shell paradigm with external penetration testing, while not giving much thought to internal penetration testing. Let’s dive into why internal penetration testing in the cloud still plays a role in your overall security program.
Role of Internal Penetration Testing in the Cloud
Looking within these cloud networks, many have internal networking and private addressing configured on top of the services that are exposed on the perimeter. This presents risk in a couple of ways, so let’s consider these scenarios:
- An attacker compromises a cloud host from the Internet. The next logical step will be for them to pivot in order to expand and escalate their level of access. If you’ve not considered the internal interfaces of your cloud systems and what you’re exposing, this could result in a significantly increased scope of breach.
- An attacker compromises a host on your internal network, but you’ve got a VPN connection with your cloud environment. If you’re not carefully restricting what traffic is flowing to and from that cloud environment, you could allow the attacker to pivot to those systems or use that connection to exfiltrate data from the internal network.
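Both scenarios come down to which internal source ranges your cloud hosts accept traffic from. As an added example (not part of the original post), the following check reads data in the shape returned by `aws ec2 describe-security-groups` and lists ingress rules that admit broad RFC 1918 ranges; the group IDs, CIDRs and the /24 threshold are constructed assumptions, and rules that reference other security groups are not covered.

```python
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# Group IDs, names and CIDRs are made up for illustration.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-0bbb", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "192.168.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.20.1.15/32"}]}]},
]}

# Private address space used inside VPCs and across VPN links.
RFC1918 = [ipaddress.ip_network(c)
           for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def broad_internal_ingress(doc, min_prefix=24):
    """Return (group, protocol, ports, cidr) for ingress rules that accept
    private source ranges wider than /min_prefix (assumed threshold)."""
    findings = []
    for sg in doc.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            # "-1" means all protocols; the port fields are then absent.
            if proto == "-1":
                ports = "all"
            else:
                ports = f"{perm.get('FromPort')}-{perm.get('ToPort')}"
            for rng in perm.get("IpRanges", []):
                net = ipaddress.ip_network(rng["CidrIp"], strict=False)
                internal = any(net.subnet_of(p) for p in RFC1918)
                if internal and net.prefixlen < min_prefix:
                    findings.append((sg["GroupId"], proto, ports, str(net)))
    return findings

if __name__ == "__main__":
    for finding in broad_internal_ingress(SAMPLE):
        print("broad internal ingress:", *finding)
```

Internet-facing rules such as `0.0.0.0/0` are deliberately left to the external review; this check only surfaces the internal paths an internal test would exercise.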
Is Internal Penetration Testing in the Cloud Even Possible?
Yes! Penetration testing from this perspective is possible and can be streamlined with an attack team with experience in this realm. The only hurdle is getting access to the internal cloud environment. But there are several options to accomplish this:
- Spin up a new host in your environment and provide your penetration testing team the credentials to access it. With fairly minimal set-up time, they can have a proper testing environment configured with all the tools necessary.
- Most cloud providers have options for Virtual Private Networks (VPN), such as VPCs in AWS. This will allow your penetration testing team to spin up their testing tools in their own cloud, and then you simply connect the test team’s cloud to your cloud.
- Some cloud environments already have a client VPN option configured, so you could provide your testing team a set of credentials to log in there. They would then just test through the VPN connection.
- In some clouds, it may be easier for the penetration testing team to send you an image file of their testing system which you can then spin up in your cloud. Much like the first option, the system will still exist in your environment but you’ll save the set-up and configuration time.
When it comes to internal penetration testing in the cloud, the setup process is often the most significant hurdle. Once that is done, the test can be conducted very similarly to a traditional penetration test, with some small differences in attack surface and techniques.
What Does This Kind of Testing Tell Me?
Knowing that it’s important and knowing that it’s possible may still not tell you if internal penetration testing in the cloud is right for your environment. To help make an informed decision, let’s touch on the outcome of this testing:
Testing in the Cloud Outcomes
- More holistic view for your security and compliance programs. Your cloud environment is still part of the attack surface of your network, so you’ve got to consider it.
- Understand the risks of an attacker that compromises one of your externally exposed cloud hosts or applications, such as:
  - Can they jump to other hosts in your cloud environment?
  - Can they gain access to sensitive data?
  - Can they pivot to your internal organization network?
- Identify vulnerabilities that you wouldn’t otherwise see. Many times, cloud networks are left out of organizational vulnerability management programs, hardening/configuration reviews, and regular testing cycles.
- Are your controls and monitoring tools functioning in your cloud environment the same as they would on your internal network? Identifying gaps here could significantly improve future incident response times.
If you’d like to learn more about penetration testing in the cloud, or how SIG Cyber can help your institution with internal penetration testing, please contact us today.
About the Author:
JR, Director of Penetration Testing at SIG, holds a BS in Computer Science Engineering from the University of Florida and an MS in Information Assurance and Cybersecurity from the Florida Institute of Technology. JR is an avid collector of security-related certifications, including OSCP, OSWE, GWAPT, CISSP, C|EH, CISA, and PCI QSA. You can find him on Twitter @InfoSecJR.