Lately, we at Fugue have been demonstrating live hacks against cloud infrastructure based on real events in the news. We often walk through a theft of data from Amazon S3 by exploiting little-known misconfigurations of Security Groups, EC2, IAM, and S3 in combination. See A Technical Analysis of the Capital One Cloud Misconfiguration Breach.
One of the points we drive home during these sessions is that your penetration (pen) testers must be able to execute the same kinds of cloud misconfiguration attacks. At Fugue, our "white hat" vendor is Hacker One. What you're really looking for is expertise for the particular cloud services you are using and your specific use cases.
Here are some recommendations for developing your approach to understanding your needs and evaluating pen test vendors. And I’ll point out some things you should be concerned about that you may not be considering.
The cloud is different from what most pen testers are used to
In the data center era, pen testing was generally focused on probing TCP/IP endpoints and employing various kinds of social engineering and phishing techniques. And it often tested your physical security. While the first two of these are still important when operating in the cloud, the cloud service providers (CSPs) are now responsible for the physical security of their data centers. But you now need to be concerned with a lot more potential attack surface, depending on which cloud services you use—and how you use them.
For example, if you are running containers or VMs in the cloud, you are likely using trust relationships (such as AWS IAM) to determine what those resources are authorized to do in your environment. Attacks using IAM are common, and many of the pitfalls are not well known or understood.
With functions-as-a-service, such as AWS Lambda, code injection becomes a major concern, in which bad actors modify source code or libraries to introduce back doors. With CSP-managed databases and other persistence services, exposed credentials—often in backups of disk images—are a major attack vector. In the data center era, most of these were far less of a concern, or the methods the bad guys used were so different that different testing techniques are called for.
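As an added illustration (example code, not Fugue's own tooling), here is a small offline check for two of the IAM pitfalls above: a role trust policy that any principal can assume, and an instance role whose S3 read permissions are not scoped to specific buckets. The policy documents are constructed samples; a real review would feed in documents exported from the account.

```python
import json

# Constructed sample policy documents (illustrative only, not from any real
# account): a trust policy anyone can assume, and an EC2 instance role whose
# permissions reach every S3 bucket in the account.
TRUST_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "*"}}]}
""")
INSTANCE_ROLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"], "Resource": "*"}]}
""")

# S3 actions that should be scoped to specific bucket ARNs, never Resource "*".
# (s3:ListAllMyBuckets is excluded: it only works with Resource "*" by design.)
BROAD_S3_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:*", "*"}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy):
    """Flag AssumeRole statements open to any principal, or to a whole account with no Condition."""
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        principal = st.get("Principal", {})
        aws_principals = [principal] if isinstance(principal, str) else _as_list(principal.get("AWS", []))
        for p in aws_principals:
            if p == "*":
                findings.append("any AWS principal can assume this role")
            elif p.endswith(":root") and "Condition" not in st:
                findings.append(f"every identity in {p} can assume this role (no Condition)")
    return findings


def s3_overreach_findings(policy):
    """Flag Allow statements that grant bucket/object reads on every S3 resource."""
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        broad = sorted(a for a in _as_list(st.get("Action", [])) if a in BROAD_S3_ACTIONS)
        if broad and "*" in _as_list(st.get("Resource", [])):
            findings.append(f"{broad} allowed on Resource '*'")
    return findings
```

Run both checks over every role in the account and treat any finding as a candidate for the least-privilege fix: a named principal with a Condition on the trust side, and explicit bucket ARNs on the permissions side.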
We’ve spent years at Fugue working on addressing cloud misconfigurations and security threats, and often when a new cloud breach is made public, we learn something new about how bad actors are attacking cloud services. Put another way, no matter how confident you are in your security architecture and implementation, don't ever believe you've thought of everything.
Pen Testing and Bounties
At Fugue, we have used two approaches to pen testing/red teaming our cloud environment: hiring a dedicated vendor and team; and using services that offer bounties to curated networks of white hat hackers. We recommend doing both.
We started out with a dedicated team, and while they found no serious issues, they did point out some areas where we could improve. When evaluating a dedicated team for your pen testing, it's important to be able to interview the specific individuals who will be involved so that you can assess their skills as they relate to real attack vectors on the cloud services you use.
Even in a relatively small firm, there will be diversity in skill level and knowledge of cloud-specific attack vectors. Some questions you might want to ask:
- For Service X (one you use), can you describe the common attack vectors?
- Can you describe in detail an attack vector that leverages more than one cloud service at a time?
- Can you describe a specific recommendation that you have provided a customer on how to avoid a found misconfiguration?
Once we had engaged with a pen test vendor, we offered bounties to white hat hackers to find more. In our case, we are extremely security conscious, so again, not a lot was found, but there were places we could further harden our security posture, and we did so.
We now repeat that bounty-driven process frequently. One of the nice things about it is that you benefit from a diversity of white hat hackers looking at your system, which we believe increases the likelihood of identifying problems that a single team might not think about. Another nice aspect of this approach is that the better your security, the less you pay in bounties over time.
Of course, before you engage in a pen testing program, you should be performing internal cloud security testing and analysis to catch the majority of vulnerabilities before engaging any outside vendors. This will help your team develop their own skills related to cloud security, and will reduce your costs if you choose to fund bounties.
Fugue can help you find many of the major misconfigurations that lead to cloud breaches - the ones the pen testers will be looking for. Fugue Developer is a free plan, and it takes about 15 minutes to identify misconfigurations and policy violations in your cloud account.