Internal Penetration Testing in the Cloud

Organizations often spend the vast majority of their resources on securing their systems from external threat actors, while spending far less time protecting the “gooey” center of their networks. The same seems to hold true for cloud environments. While companies continue to flock to the cloud faster than ever before (more than 93% of companies were found to have some cloud elements as of last year), moving large portions of their services to cloud-based offerings, we’ve seen that most are slow to consider security during these transitions. Those that do consider security, treat their cloud much the same way they’ve been treating their primary office networks, holding to the hard shell paradigm with external penetration testing, while not giving much thought to internal penetration testing. Let’s dive into why internal penetration testing in the cloud still plays a role in your overall security program.

Looking within these cloud networks, many have internal networking and private addressing configured on top of the services that are exposed on the perimeter. This presents risk in a couple ways, so let’s consider these scenarios:

  • An attacker compromises a cloud host from the Internet. The next logical step will be for them to pivot in order to expand and escalate their level of access. If you’ve not considered the internal interfaces of your cloud systems and what you’re exposing, this could be trivial, and result in a significantly increased scope of breach.
  • An attacker compromises a host on your internal network, but you’ve got a VPN connection with your cloud environment. If you’re not carefully restricting what traffic is flowing to and from that cloud environment, you could allow the attacker to pivot to those systems or use that connection to exfiltrate data from the internal network.

Is Internal Penetration Testing in the Cloud Even Possible?

I’m so glad you asked! Yes, penetration testing from this perspective is possible and can be really streamlined with an attack team with experience in this realm. The only hurdle is getting access to the internal cloud environment. But there are several options to accomplish this:

  • Spin up a new host in your environment and provide your penetration testing team the credentials to access it. With fairly minimal set-up time, they can have a proper testing environment configured with all the tools necessary.
  • Most cloud providers have options for Virtual Private Networks, such as VPCs in AWS. This will allow your penetration testing team to spin up their testing tools in their own cloud, and then you simply connect the test team’s cloud to your cloud.
  • Some cloud environments already have a client VPN option configured, so you could provide your testing team a set of credentials to login there. They would then just test through the VPN connection.
  • In some clouds, it may be easier for the penetration testing team to send you an image file of their testing system which you can then spin up in your cloud. Much like the first option, the system will still exist in your environment but you’ll save the set-up and configuration time.

When it comes to internal penetration testing in the cloud, the setup process is often the most significant hurdle. Once that parts done, the test can be conducted very similarly to a traditional penetration test, with some small differences in attack surface and techniques.

What Does This Kind of Testing Tell Me?

So knowing that it’s important and knowing that it’s possible may still not tell you if internal penetration testing in the cloud is right for your environment. To help make an informed decision, let’s touch on the outcome of this testing:

  • More holistic view for your security and compliance programs. Your cloud environment is still part of the attack surface of your network, so you’ve got to consider it.
  • Understand the risks of an attacker that compromises one of your externally exposed cloud hosts or applications.
    • Can they jump to other hosts in your cloud environment?
    • Can they gain access to sensitive data?
    • Can the pivot to your internal organization network?
  • Identify vulnerabilities that you wouldn’t otherwise see. Many times, cloud networks are left out of organizational vulnerability management programs, hardening/configuration reviews, and regular testing cycles.
  • Are your controls and monitoring tools functioning in your cloud environment the same as they would on your internal network? Identifying gaps here could significantly improve future incident response times.

If you’d like to learn more about penetration testing in the cloud, in general, check out our blog here. As always, if you have any questions or want to continue the discussion, comment below or reach out to us!