Cloud penetration testing for red teamers by Kim Crawley (2023)

“Cloud Penetration Testing for Red Teamers” by Kim Crawley is a must-read for cybersecurity professionals and red teamers seeking to deepen their knowledge and expertise in cloud penetration testing, with a specific focus on three major cloud platforms: Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). Crawley’s insightful and well-organized approach makes this book an invaluable resource for both beginners and seasoned penetration testers.

Review

The book kicks off with a solid introduction to cloud computing and its security implications, providing a strong foundation for readers unfamiliar with cloud concepts. Crawley then seamlessly transitions into the intricacies of penetration testing, ensuring that readers have a robust understanding of the fundamentals before delving into the specific challenges posed by cloud environments.

One of the standout features of the book is its in-depth coverage of each cloud platform. Crawley goes beyond the basics, offering practical insights and real-world scenarios that red teamers are likely to encounter. The author provides step-by-step guides and hands-on exercises, allowing readers to apply theoretical knowledge to practical situations. This approach not only enhances understanding but also equips readers with the skills needed to conduct effective penetration tests in the cloud.

The chapters dedicated to Azure, AWS, and GCP are meticulously crafted, with a focus on the unique characteristics and security considerations of each platform. Crawley covers a wide range of topics, including identity and access management, network security, data storage, and more. The book doesn’t just stop at highlighting vulnerabilities; it also provides detailed guidance on remediation and best practices for securing cloud environments.

Crawley’s writing style is engaging and accessible, making complex concepts approachable for readers at various skill levels. The inclusion of real-world case studies and examples adds a practical dimension to the theoretical content, making the learning experience more immersive.

In addition to technical content, the book also addresses the ethical considerations and legal aspects of cloud penetration testing. Crawley emphasizes the importance of responsible testing practices and compliance with relevant laws and regulations, ensuring that readers approach their work with a strong ethical framework.

“Cloud Penetration Testing for Red Teamers” stands out as a comprehensive guide that not only imparts technical knowledge but also instills a holistic understanding of cloud security. Kim Crawley’s expertise shines through, making this book an indispensable asset for anyone involved in penetration testing within cloud environments. Highly recommended for those looking to stay at the forefront of cybersecurity in the ever-evolving landscape of cloud computing.

Example chapter

How Are Cloud Networks Cyber Attacked?

When you begin your journey to becoming a cloud pentester, it helps to start with the basics. Your job is to test cloud networks to see how they can be cyber attacked. The organization you work for can then use your discoveries to improve the cybersecurity of its cloud networks. Because Amazon (AWS), Microsoft (Azure), and Google (GCP) own the infrastructure on which you’ll be testing, you won’t be allowed to do literally anything a cyber attacker may try to do in real life. But you need to understand all the kinds of cyberattacks that cloud networks deal with, even if you can’t simulate all of them.

The best pentesters can think like real cyber attackers. This chapter will give you a better understanding of how cloud networks are cyber attacked in order to help you conduct more effective pentests. In this chapter, we’ll cover the following main topics:

  • Understanding penetration testing
  • External and internal attacks
  • Attacks on the confidentiality, integrity, and availability of data
  • Understanding lateral movement in the cloud
  • Zero-trust networks

Let’s get started!

Understanding penetration testing

Penetration tests (or pentests for short) are simulated cyberattacks that are designed to find vulnerabilities in computer networks and applications. The biggest difference between a pentest and an actual cyberattack is that the former is conducted with the full consent of the owner of the computer or network, whereas the latter isn’t.

As a pentester or red team member, not only will you need consent from the owner of the target you’re testing, but you’ll also have to sign a legal agreement that explains in detail what you’re allowed to do, what you’re forbidden from doing, and the scope of your pentest. This applies whether you’re an employee of the organization being pentested, a third-party contractor of the organization being pentested, someone who conducts simple one-off pentests, or a red team member who pentests as part of your red team engagements.

Whether or not an organization has a red team, it will commence pentesting after a history of vulnerability assessments. A vulnerability assessment is the first way to find security vulnerabilities. It analyzes the state of an application or network based on checklists of criteria. The criteria are most often based on a set security standard, such as the OWASP Application Security Verification Standard (https://owasp.org/www-project-application-security-verification-standard/) or the PCI PTS POI Modular Security Requirements (https://www.pcisecuritystandards.org/wp-content/uploads/2023/01/PTS_POI_v6.2_Bulletin.pdf). There are hundreds of different security standards that could apply to the organization you work for. Vulnerability assessments are appropriate for all businesses and enterprises, at all possible security maturity levels.

Security maturity is a complex concept, but in a nutshell, it’s about how well developed an organization’s security policies and controls are.

Once an organization has done some vulnerability assessments, security-hardened its networks based on those findings, and assembled a team of cybersecurity professionals, then it may be ready for pentesting. Pentesting is supposed to discover security vulnerabilities that can only be discovered by simulating cyberattacks. Legally and procedure-wise, pentesting is a lot different from cyber attacking, but the computers and networks you pentest don’t know the difference. Your pentests will break things, even if the effects are as temporary as taking a few computers offline for an hour in a denial-of-service (DoS) attack. That’s why only organizations with some security maturity should be pentesting, and it’s also why a specific scope is always agreed upon before starting a pentest. For instance, your organization may move its production from one network segment to another so you can pentest within a segment without interfering with its everyday operations.

A red team is a dedicated group of people within your organization who conduct frequent pentests according to patterns in the cyber threat landscape. As an example, if a new enterprise ransomware threat emerges, your red team may be tasked with simulating that particular new ransomware within your network and seeing what happens.

In order to pentest effectively, you absolutely must understand how cloud networks are cyber attacked. In this book, you will learn about a lot of tools that are often used to pentest in AWS, Azure, and GCP environments. Using these tools in the right way and in the right situations will help you pentest effectively, finding vulnerabilities that your organization must address. But the greatest tools in the world are only good if you know how to use them and why. You’ll also sometimes conduct some activities without those tools. In all scenarios, you must understand how cloud networks are cyber attacked in order to be an effective cloud pentester. That’s what this chapter is all about!

External and internal attacks

When your organization’s defensive security team prepares for cyberattacks, it needs to understand each and every step that threat actors take when they try to maliciously interfere with your data. No cyber intrusion is a one-step process. Ransomware may have needed an employee to accidentally execute an email attachment before it spread between poorly configured cloud instances. A data breach may have required bribing an employee and giving them a USB stick with custom-designed spyware.

The MITRE ATT&CK database (https://attack.mitre.org/) is an excellent resource to help all kinds of cybersecurity professionals understand the various steps cyber threat actors take when they engage in their crimes. I will be citing it frequently in this chapter. Especially if you’re pentesting as part of a red team, these may be the kinds of cyberattacks you’ll be simulating in your engagements. Some cyberattack chains can be simple, and others are relatively complex. But they all have an origin that’s either external or internal to your organization. You will need to understand the differences between external and internal cyberattacks as a cloud pentester. You’ll likely be pentesting both kinds of scenarios over the course of your career. Business and enterprise cloud networks are a prime target for many of the most devastating cyber exploits.

There was a time, perhaps in the 1990s and early 2000s, when consumers were very frequently targeted by cybercriminals. Ordinary people should still be careful about the security of their phones, tablets, and PCs. They sometimes get targeted by phishing scams, digital surveillance, and malware. An ordinary person may be exploited to pay a cyber attacker a few hundred dollars’ worth of cryptocurrency in a ransomware attack. Even small businesses may have revenue in the millions of dollars, and they could be coerced into paying a cyber attacker a million-dollar cryptocurrency ransom. Also, other sorts of financially motivated cybercrime, such as data breaches, are much more profitable when businesses are targeted than when a senior citizen is targeted.

The companies you’ll be working for as a pentester, both as an employee and as a third-party contractor, are lucrative targets for cybercrime. And that’s why they’re hiring you to simulate these cybercrimes, so they can learn how they can improve their defenses.

The classic kinds of cyberattacks you’ll hear about most often in the news and in your favorite fictional entertainment media will usually be external in origin. For example, a hoodie-wearing cybercriminal working from their PC in their dark basement cracks an encrypted terminal on the network, then downloads all of the terminal’s sensitive files! A skull-and-crossbones graphic blinks on the screen… “You’ve been hacked!” The victim organization never sees the attacker. It hires a top-notch cyber investigations team to follow the attacker around the world. Eventually, the cops identify the cybercriminal at a café on another continent. The criminal is handcuffed. Everyone applauds and the credits roll.

Real-world cybercrime can be just as devastating, but it can look much more benign in person. Investigating it isn’t quite as quick or exciting, because you’ll be helping the company you work for prepare for real cyberattacks and it won’t follow a typical movie script. Now, let’s understand the nature of these attacks and look at some real-life examples.

External cyberattacks

External cyberattacks originate from outside of the targeted organization. The attacker usually has to go through the internet to start the process of cyber attacking your organization’s cloud servers. An external cyber attacker has to break into the organization’s network they’re attacking. Then, they’ll likely have to privilege escalate.

Privilege escalation

This is when an attacker begins with access to a user account with limited access control privileges and works their way up to using accounts with more access control privileges. Sometimes, they’ll escalate all the way up to accessing an account with full administrative privileges in the network they’re attacking… which is especially dangerous!

Now, let’s examine some possible vectors for external cyberattacks on cloud networks.

Drive-by compromise

First, there’s “drive-by compromise.” According to MITRE ATT&CK (https://attack.mitre.org/techniques/T1189/), drive-by compromise happens when a user visits a website through their usual web browsing activities. An attacker with control of the website uses it to attack the user through their web browser. Sometimes, attackers also use this technique for malicious actions that aren’t exploits, such as acquiring application access tokens.

A lot of access to cloud networks is through the web, so this is a really pertinent attack vector.

Exploit public-facing application

Another external attack vector that’s really relevant to cloud networks is “exploit public-facing application.” MITRE ATT&CK (https://attack.mitre.org/techniques/T1190/) describes it as when adversaries take advantage of internet-connected computers or applications through their vulnerabilities. Frequent means of exploitation include SQL databases, standard internet services such as SSH or SMB, network management protocols, and applications with internet-accessible open sockets such as web browsers. But other internet-connected technologies can also be used in these exploits. If these exploits involve cloud infrastructure or containerized applications (such as with Kubernetes or Docker), attackers can do really catastrophic damage. They could intercept other instances or containers, and quite often acquire access to their APIs too.

External remote services

The next entry point vector from MITRE ATT&CK that I’m going to cover is “external remote services.” It’s another common way in which external cyberattacks begin. MITRE ATT&CK (https://attack.mitre.org/techniques/T1133/) describes it as when attackers target external services to acquire malicious access or maintain persistence in a network. Commonly targeted remote services include VPNs, Citrix, or similar technologies that facilitate remote access. Attackers often need access to valid accounts for their targeted service in order for this exploit to work. Access to valid accounts can be acquired by stealing credentials through already compromised networks or means such as credential pharming. Of course, in external cyberattacks, access to a valid account may be acquired by phishing an employee. Phishing attacks take many forms, but they most often use fake websites, fake emails, fake text messages, or fake social media posts to imitate a trusted entity.

Valid accounts

The next MITRE ATT&CK vector category, “valid accounts,” is a common entry point for most internal cyberattacks. According to MITRE ATT&CK (https://attack.mitre.org/techniques/T1078/), attackers can acquire malicious access to computer systems by compromising legitimate user accounts that have privileges within them. They may also compromise privileged accounts to establish persistence, for privilege escalation, or for defense evasion. Sometimes, inactive user accounts are also exploited. Network administrators should watch the behavior of the accounts in their system and deactivate user accounts of former employees and contractors as soon as possible.

Cloud accounts

I’m going to include one subcategory of attack vector here because it’s specifically relevant to cloud pentesting; it is known as “valid accounts: cloud accounts” (https://attack.mitre.org/techniques/T1078/004/). Go ahead and read about it on MITRE ATT&CK’s website. Cloud networks have lots of working parts. They can have multiple SaaS applications, containers, servers within servers, virtual machines, and so on. They can get really complicated. So, there can be a lot more user accounts and machine identities that attackers can exploit. Organizations not only have to watch internal cyber attackers with active accounts but also inactive accounts, which are a common attack vector. When you work as a cloud pentester, you may need to compromise an inactive account that an organization forgot to remove.
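The “valid accounts” and “cloud accounts” sections above both point at the same defensive chore: finding accounts nobody has used for a long time before they are forgotten. The following is an added example (not from the book or from AWS) that flags such users from an AWS IAM credential report; the CSV below is constructed sample data in the report’s column layout, trimmed to the columns the check needs, and the fixed `NOW` date exists only to keep the output reproducible.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the column layout of an AWS IAM credential report
# (a real report carries more columns; only the ones used here are kept).
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2021-01-05T10:00:00+00:00,not_supported,2024-02-01T08:00:00+00:00,true,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2022-03-01T09:00:00+00:00,true,2024-05-28T14:12:00+00:00,true,true,2024-05-30T11:00:00+00:00
bob-contractor,arn:aws:iam::111122223333:user/bob-contractor,2022-06-15T09:00:00+00:00,true,2023-09-02T16:40:00+00:00,false,true,2023-09-01T12:00:00+00:00
svc-deploy,arn:aws:iam::111122223333:user/svc-deploy,2023-02-20T09:00:00+00:00,false,N/A,false,true,N/A
"""

# Fixed "now" so the example is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

def parse_ts(value):
    """Credential reports hold ISO 8601 timestamps or the markers N/A / no_information / not_supported."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)

def find_inactive_users(report_csv, now=NOW, max_idle_days=90):
    """Return [(user, idle_days, enabled_credentials)] for users idle longer than max_idle_days.

    Last activity is the most recent console login or access key use. A user with no
    recorded activity at all is measured from account creation, so a key that was
    created, never used and left enabled is caught as well.
    """
    flagged = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue  # root is reviewed separately; it should see no routine use anyway
        activity = [t for t in (parse_ts(row["password_last_used"]),
                                parse_ts(row["access_key_1_last_used_date"])) if t]
        last_seen = max(activity) if activity else parse_ts(row["user_creation_time"])
        idle_days = (now - last_seen).days
        if idle_days <= max_idle_days:
            continue
        enabled = []  # which credentials still work and therefore need disabling
        if row["password_enabled"] == "true":
            enabled.append("console password")
        if row["access_key_1_active"] == "true":
            enabled.append("access_key_1")
        flagged.append((row["user"], idle_days, enabled))
    return flagged

if __name__ == "__main__":
    for user, idle, creds in find_inactive_users(SAMPLE_REPORT):
        print(f"{user}: idle {idle} days, still enabled: {', '.join(creds)}")
```

In a live account the same function runs unchanged over the CSV returned by `aws iam get-credential-report`, and the flagged list becomes the input to the deactivation step the chapter calls for.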
