With the growth of cloud storage, many companies have moved their infrastructure from on-premise to cloud storage. Because of the way the cloud itself works, white hat hackers have had to develop new techniques and discover some new and interesting angles when approaching penetration testing.
The problem with applications running in the cloud is the fact that there are several obstacles when it comes to pen testing. When you want to check the security of the application, both legal and technical issues can arise. Here’s how, as a beginner, to approach white hat hacking on cloud.
Step 1: Make sure you understand how the cloud provider policy works
As we know, there are private and public clouds. We will focus on the public side in this article as they have their own policies when it comes to penetration testing.
A white hat hacker should always wait for the client’s confirmation before performing the test. This places many limitations on what can be done as part of the process.
To be precise, when you want to test an application running in a public cloud, you have to do a lot of research into which techniques are in scope, recommended and allowed by the client. If you don’t follow the procedures set up by the client, you can run into a lot of problems.
For example, your test can sometimes seem like a real attack, which can lead to your account being closed permanently.
Every deviation in a cloud is noticed by the client, who is constantly looking for deviations. Sometimes someone will call you to check what’s going on. More often, however, you are faced with a series of automated procedures that shut down the system if your actions are viewed as an attack. This can lead to several bad things, such as the fact that all your cloud-stored systems and data go offline and you have to explain a lot to your provider before they bring it back online.
Another thing that can happen if you do your penetration tests irresponsibly is that you risk affecting other users. During pen testing you may put load on resources that other users share. This is a problem with public clouds, as there are always multiple active users, so the entire system cannot be assigned to one user. This can also anger the provider. They may call you in a not so friendly way or just close your account.
Long story short, there are rules when you want to snoop around in public clouds. You should keep in mind the legal requirements along with all the procedures and policies the provider instructs you to do. If you don’t do this, you will get some headaches.
Step 2: Come in with a plan
When you want to perform a penetration test on a cloud, you have to submit a plan. In your plan, you should cover the following:
- Application(s): Get to know APIs and user interfaces
- Data Access: Understand how the data will respond to the test
- Network access: Understand how the data and application are protected by the system
- Virtualization: Make sure you measure how your workload is handled by virtual machines
- Compliance: Get to know the regulations and laws you must observe when performing the penetration test
- Automation: Select which tools you want to use while performing the penetration tests
- Approach: see which administrators you will involve in the pen test. There are advantages to not notifying the administrators. This provides insight into how administrators would react during an actual attack. This approach is highly criticized by most administrators.
If you work in a team, plan the approach with the rest of the team and make sure everyone follows every part of the plan. The entire team must ensure that you do not deviate from it, as this could lead to all your efforts being wasted because the administrator killed your access to the system.
Step 3: Choose which tools you will use
The market offers you many tools that can be used in penetration testing. In the past, cloud pen tests were performed with on-premise tools. Recently, however, many tools have been created specifically for cloud pen testing, and they will prove to be a cheaper option. Another advantage of these tools is the fact that they leave a small hardware footprint.
What you need to know about these tools is the fact that they simulate actual attacks. There are many automated processes that can detect vulnerabilities in a system. Hackers have performed automated activities such as guessing passwords and searching APIs to get into a system. It is your job to simulate these activities.
Sometimes these tools cannot do everything you need them to do. Your last resort is usually to write your own penetration testing system. This should be avoided as much as possible, as it can set you back quite a bit.
Step 4: Observe the response
While performing a penetration test, you should pay close attention to:
a) Human Response – When it comes to cloud penetration testing, always keep track of how administrators and users will respond to your test. Many will shut down the system immediately to prevent damage to the system. Other administrators first try to diagnose the situation to identify the threat and the solution to something similar. You should also keep a close eye on how people respond to your customer provider.
b) Automatic Response – The first thing to look at is how the system itself will respond to your penetration test. The system will recognize you and respond to you. These responses can range from blocking an IP address to shutting down your entire system. Either way, you need to alert administrators responsible for applications and security to see what actions they have taken and what has happened in their areas.
Both responses must be documented. Once you document and consider your findings, you will finally see where the weaknesses in the system are and how secure the system is.
Step 5: Find and remove vulnerabilities
The end product of penetration testing is a list of vulnerabilities that the team noted. Sometimes there are a lot of problems, and sometimes there are few or none. If you don’t find any, you may need to run another test to re-evaluate the results from the previous one.
The vulnerabilities you may encounter in cloud application penetration testing usually look like this:
- Access to application data allowed with the xxxxx API.
- API access granted after 20 attempts.
- Password generator detected while accessing an application.
- Encryption does not comply with the regulations.
The problems will almost always differ depending on which application you are testing and what type of test you have performed.
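A finding such as "API access granted after 20 attempts" can be confirmed from the defender's side by looking in the authentication logs for a success that follows a long run of failures with no lockout in between. The following is an added example, not part of the original article; the log format, account names, addresses and threshold are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Hypothetical log format (an assumption, not any real gateway's):
# <ISO timestamp> <client IP> <API account> <HTTP status>
LINE_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\d{3})$")

def constructed_sample():
    """Build constructed log lines covering three cases plus one bad line."""
    lines = [f"2024-05-01T10:00:{i:02d}Z 198.51.100.7 svc-report 401" for i in range(20)]
    lines.append("2024-05-01T10:00:20Z 198.51.100.7 svc-report 200")  # no lockout
    lines += ["2024-05-01T10:01:00Z 203.0.113.9 svc-billing 401",     # one typo,
              "2024-05-01T10:01:05Z 203.0.113.9 svc-billing 200"]     # then success
    lines += [f"2024-05-01T10:02:{i:02d}Z 192.0.2.44 svc-admin 401" for i in range(5)]
    lines += [f"2024-05-01T10:02:{i:02d}Z 192.0.2.44 svc-admin 429" for i in range(5, 25)]
    lines.append("malformed line that the parser must skip")
    return lines

def find_missing_lockout(lines, threshold=20):
    """Flag accounts where a 2xx follows >= threshold consecutive 401/403."""
    streak = defaultdict(int)   # account -> consecutive failed authentications
    sources = defaultdict(set)  # account -> client IPs seen during the streak
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the assumed format
        ts, ip, account, status = m.group(1), m.group(2), m.group(3), int(m.group(4))
        if status in (401, 403):
            streak[account] += 1
            sources[account].add(ip)
        elif 200 <= status < 300:
            if streak[account] >= threshold:
                findings.append({"time": ts, "account": account,
                                 "failed_before_success": streak[account],
                                 "source_ips": sorted(sources[account])})
            streak[account] = 0
            sources[account].clear()
        # Other statuses (e.g. 429 rate limiting) are the control working:
        # they neither extend nor reset the failure streak.
    return findings

if __name__ == "__main__":
    for finding in find_missing_lockout(constructed_sample()):
        print(finding)
```

Counting per account rather than per IP means guesses spread across several source addresses still add up to one streak.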
Don’t forget that there are several layers to test. All components such as network, storage system, database, etc. are all tested separately. The problems, in turn, are also reported separately. You should always run a test with all layers together to see how they interact. It is always wise to report what happened in each layer.
You must keep your cloud provider involved every step of the way to avoid any policy or legal issues that may arise from your penetration test. This also helps you determine which approach is optimal and how it should be applied to the different applications. Most providers have best practices that provide the most accurate results on their networks.
General advice on Cloud Pen Testing
Another thing to keep in mind is who is on the penetration team. If you do this in-house, you should always assume that not everything has been found. Test teams that come from within the company usually leave some room for oversight. They know too much about the applications from the start and may miss things they think are not worth looking at. White hat hackers are the safer method, although a bit more expensive. They will search your system more efficiently and in more detail.
Always check with your provider to see which practices are most efficient, which applications to test, and requirements to be met with the pen test. Using proven approaches is usually a good way to start.
Penetration tests are now more important than ever before. It’s the only way to make sure that the things you have in the cloud are as secure as possible to accommodate as many users as possible.
Pen testing is not an option these days. It’s the only way to prove that your cloud-based applications and data are secure enough to enable maximum user access with minimal risk.