What is the difference between cloud penetration testing and regular penetration testing?
A few days ago it became public that malicious actors are exploiting a critical vulnerability in Aviatrix, a solution that allows companies to manage their cloud infrastructure through multiple servers. By exploiting it, attackers could remotely execute code on victims’ infrastructure and deploy malware in corporate cloud environments.
This event is not an isolated anecdote but part of a critical trend in enterprise cybersecurity: the bad guys have turned their focus to Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS).
Why? As companies migrate a large part of their assets and processes to the cloud, hostile actors must modify their techniques and tactics to carry out cyberattacks against cloud environments.
And what about cybersecurity services? They have also adapted, unsurprisingly, to the cloud world through cloud infrastructure security audits and cloud penetration testing, a variant of advanced penetration testing specifically focused on cloud environments.
We will now break down the keys to cloud penetration testing and explain how it differs from a traditional penetration testing service.
1. The security of a company in the cloud is the responsibility of the company and its providers
In SaaS, PaaS or IaaS, there is a model of shared responsibility in terms of cybersecurity. Why? Because these services are provided by companies that offer, for example, business software such as a work environment or a stock control program.
This means that both the providers and the companies themselves have to assume a share of the responsibility for protecting cloud assets and preventing security incidents.
In this regard, it is essential to point out that companies that contract SaaS, PaaS or IaaS from third parties must implement security mechanisms to control access to services by users and protect the information they share in the cloud. Otherwise, they will be exposing themselves to serious security incidents that can have far-reaching economic, reputational and legal consequences.
2. From generic penetration testing to cloud penetration testing: Specialize or die
Penetration testing is a type of security service that has been essential over the years in protecting companies. But what exactly does penetration testing consist of?
It is a set of offensive security tests that are carried out in a controlled environment against a series of predefined assets. For what purpose? The objectives are varied and can range from evaluating the security measures implemented to protect corporate assets to exploring whether it is possible to escalate user privileges or persist in the company’s technological infrastructure.
In the course of a penetration test, the team not only pursues the objectives agreed with the organization but also lists all the vulnerabilities detected so that they can subsequently be mitigated.
What is particular about cloud penetration testing? The assets that are subjected to advanced penetration testing are located in the cloud or operate in the cloud:
- Infrastructure.
- Processes.
- Users.
Thus, cloud penetration testing focuses on simulating attacks to test the security of APIs or databases. While penetration testing services were born in a pre-Cloud world, in which the infrastructure of companies was on-premise, today, the as-a-Service models have become hegemonic for reasons such as price or scalability.
It should, therefore, come as no surprise that the methodology of penetration testing services has adapted to the changes, and cloud penetration testing services are now provided to help companies protect their cloud environments against an increasingly complex and demanding threat landscape.
3. Are the types and phases of cloud penetration testing different?
No. As with traditional advanced penetration testing, cybersecurity companies provide three different types of cloud penetration testing:
- Black box. In this type of cloud penetration testing, the specialists providing the service have no information about the organization’s cloud infrastructure or its users.
- White box. On the other hand, in this type of cloud penetration testing, cybersecurity professionals are provided with all the information about the cloud environment: technology, user accounts, etc.
- Gray box. As is easy to deduce, in this case the cloud penetration testing team has only partial information about the cloud assets.
Similarly, cloud penetration testing is based on the same five main phases as traditional penetration testing:
- Reconnaissance. In this phase, the professionals in charge of cloud penetration testing must gather as much information as possible about the assets to be subjected to the intrusion tests.
- Identification. In the second phase, vulnerabilities are tracked down to enable the specialists to meet the objectives set.
- Exploitation. Previously detected vulnerabilities are exploited.
- Post-exploitation. In the fourth phase, the objectives are met: moving laterally, persisting, exfiltrating customer data or critical corporate information…
- Preparation of pentest reports. Finally, the team in charge of cloud penetration testing must deliver to the company a detailed report with all the tests performed, the vulnerabilities found, the evidence collected and a list of measures that can contribute to improving the company’s security posture and mitigating the weaknesses found in the assets tested.
4. Are there specific tools for performing cloud penetration testing?
Yes, penetration testing professionals have at their disposal a wide range of tools that are useful when performing advanced penetration tests, such as vulnerability scanning tools (Nessus), brute force attack solutions (Hydra) or API key analysis and discovery tools (TruffleHog).
As far as cloud penetration testing is concerned, multiple solutions can be used to perform security analysis in cloud environments from the three main providers worldwide:
- Microsoft Azure: Adconnectdump, MicroBurst, ROADtools, ScoutSuite, Stormspotter, Azure command line interface tools…
- Amazon Web Services: AWS_Consoler, Boto3, BucketFinder, Cloudsplaining, Enumerate-iam, Pacu, AWS command line interface tools…
- Google Cloud: GCP BucketBrute, GCP Firewall Enum, GCP IAM Collector, Hayat, ScoutSuite…
5. Benefits of cloud penetration testing for companies
Why should companies operating in the cloud and working with SaaS or IaaS use cloud penetration testing services? What are the benefits of advanced penetration testing focused on cloud assets?
- Prevent the most common threats in cloud environments (data breaches, ransomware deployment, supply chain attacks) and improve resilience to security incidents.
- Reliably verify whether malicious actors can effectively attack a critical asset in the cloud.
- Discover the vulnerabilities present in the corporate Cloud infrastructure.
- Know what measures can be implemented to address the weaknesses detected during cloud penetration testing and improve the company’s defensive mechanisms with respect to its cloud assets.
Conclusion: an essential service in the current scenario
In short, both cloud security audits and cloud penetration testing have become critical cybersecurity services in the face of the massive extension of cloud infrastructures, services and applications in companies of all sectors and sizes.
Thanks to these services, companies can act proactively to prevent security incidents that result in financial losses and legal disputes of enormous gravity.