Are You Ready For a Cloud Pentest?
Teri Radichel | @teriradichel
Pentesting is cool!
People seem to be in awe of hackers.
Many people aspire to be pentesters.
In reality, hacking is easier than defending.
We should be in awe of defenders, but I digress.
© 2nd Sight Lab, 2019
What this talk is about
Getting the most from a pentest.
Being prepared.
Cloud vs. On-Premises.
NOT about lots of nifty hacking tricks.
Why might you need a pentest?
Compliance. It’s required explicitly, or implicitly.
Often testing by a third party.
Prove the system can be broken into.
(Not that it can’t be.)
Pentest preparation
Mutual NDA - protects you and the pentester
Define scope - what is in scope, what is not, objectives
Rules of engagement - contacts, time of testing
Contract - time, cost, ownership, data protection, and more
What you do not have to do
All three cloud providers have discontinued upfront approval.
You no longer have to submit a request.
You may want to, in order to ensure your test isn’t terminated.
A funny thing happened…
My last request
I made a request to allow my students to pentest in class
I received an email saying requests were no longer required
I posted it on Twitter - it wasn’t even on the AWS web site yet
It went viral...
The infamous response
Then GeekWire wrote about it
You still need permission!
Not having to submit a form does not mean anything goes.
You can only test systems for which you have permission.
You can’t test anything that is off limits per the cloud provider.
But for basic testing, no more pentest request forms.
May still want to send a request
Let the cloud provider know you are testing.
Make sure your test doesn’t get shut down.
If your testing exceeds the base permission…
AWS only allows testing of 8 services by default.
For example...
What’s different in the cloud?
Dynamic resources and moving parts - scope changes
Layer 4 and up - and only what is allowed by the provider.
New technologies and configuration considerations.
Underlying platform may cause traditional methods to fail.
Dynamic resources
The IP address for a system may change during the test.
The IP address may then be assigned to a different customer.
What about AWS Lambda, Azure and Google Functions?
Use domain names instead of IP addresses, or Elastic IPs.
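The scoping problem on this slide is easy to automate into a pre-flight check. The following is an added example (not from the deck): it resolves each in-scope domain name at test time, compares the answers with the address allocations the customer actually owns (Elastic IPs or CIDR blocks from the rules of engagement), and reports drift between two checks. The host names, owned ranges and DNS snapshots are constructed for this example using RFC 5737 documentation addresses; the snapshot resolver stands in for a live DNS lookup so the script runs offline.

```python
import ipaddress
from typing import Callable, Dict, List

# Constructed scope document (made-up names; RFC 5737 documentation ranges).
IN_SCOPE_HOSTS = ["app.example.test", "api.example.test", "legacy.example.test"]
OWNED_ADDRESSES = ["203.0.113.10", "203.0.113.11", "198.51.100.0/28"]  # Elastic IPs / CIDRs the customer owns

# Two constructed DNS snapshots standing in for "day 1" and "day 2" of a test.
# On day 2 the legacy host was rebuilt and its old public IP released, so the
# name now points at an address outside everything the customer owns.
DNS_DAY1 = {
    "app.example.test": ["203.0.113.10"],
    "api.example.test": ["198.51.100.4", "198.51.100.5"],
    "legacy.example.test": ["203.0.113.11"],
}
DNS_DAY2 = {
    "app.example.test": ["203.0.113.10"],
    "api.example.test": ["198.51.100.4", "198.51.100.5"],
    "legacy.example.test": ["192.0.2.77"],
}

Resolver = Callable[[str], List[str]]


def snapshot_resolver(snapshot: Dict[str, List[str]]) -> Resolver:
    """Resolver that answers from a constructed snapshot (offline stand-in for
    a real DNS lookup performed at the start of each testing session)."""
    return lambda hostname: list(snapshot.get(hostname, []))


def check_scope(hosts: List[str], owned: List[str], resolve: Resolver) -> Dict[str, object]:
    """Resolve every in-scope name now and sort the answers into addresses the
    customer owns (safe to test) and addresses it does not (stop and re-scope)."""
    owned_nets = [ipaddress.ip_network(o, strict=False) for o in owned]
    report: Dict[str, object] = {"authorized": {}, "unauthorized": {}, "unresolved": []}
    for host in hosts:
        answers = resolve(host)
        if not answers:
            report["unresolved"].append(host)
            continue
        for ip in answers:
            addr = ipaddress.ip_address(ip)
            key = "authorized" if any(addr in net for net in owned_nets) else "unauthorized"
            report[key].setdefault(host, []).append(ip)
    return report


def scope_drift(resolve_before: Resolver, resolve_after: Resolver, hosts: List[str]) -> Dict[str, tuple]:
    """Hosts whose resolved addresses changed between two checks."""
    drift = {}
    for host in hosts:
        before, after = sorted(resolve_before(host)), sorted(resolve_after(host))
        if before != after:
            drift[host] = (before, after)
    return drift


if __name__ == "__main__":
    day1, day2 = snapshot_resolver(DNS_DAY1), snapshot_resolver(DNS_DAY2)
    for host, ips in check_scope(IN_SCOPE_HOSTS, OWNED_ADDRESSES, day2)["unauthorized"].items():
        print(f"STOP: {host} now resolves to {ips}, outside the customer's allocations")
    for host, (before, after) in scope_drift(day1, day2, IN_SCOPE_HOSTS).items():
        print(f"drift: {host} {before} -> {after}")
```

Run the check at the start of every session, not once at kickoff: on day 2 the legacy host lands in the "unauthorized" bucket, which is exactly the case where continuing would mean testing another tenant's address.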
Layer 4 + in AWS, Azure, GCP
Layer 4 and up on infrastructure as a service clouds.
If you’re used to testing routers and switches, sorry, no.
As for layer 4 and up, most of the same attacks apply.
Pentesting your web applications will be mostly the same.
Layer 4 + in AWS, Azure, GCP
Responsibility   #  Layer         Examples
Customer         7  Application   Web requests, documents, application load balancers, WAF, DNS
Customer         6  Presentation  Translation between network and application layers
Customer         5  Session       Stateful firewall – tracks all the packets in a particular session
Customer         4  Transport     TCP, UDP protocols (with ports), load balancers, stateless firewalls
Cloud Provider   3  Network       IP protocol (no ports), IP routers
Cloud Provider   2  Data Link     Ethernet, 802.11, MAC layer
Cloud Provider   1  Physical      Network interface card and other hardware
But only what is allowed
Each cloud provider has pentesting requirements.
You need to abide by the terms of service (TOS).
Also the acceptable use policy (AUP).
You still need permission from the resource owner!
Actions and resource sizes
Certain types of tests cannot be performed.
The cloud provider may limit throughput.
Resource sizes may be limited or at least recommended.
Scope documentation should be aligned accordingly.
Not allowed
AWS does not allow the following
Azure: No Denial of Service attacks
Pre-authorized tools
Some tools may be pre-authorized by the cloud provider.
Using these tools may ensure you’re following the rules.
These tools are available in the marketplace.
The cloud provider may also offer tools directly.
Like this one: Nessus
New Configurations
Have you heard of an S3 Bucket?
It’s all about the configurations inside the cloud.
Lots of new services to configure... or misconfigure.
Pentesters will check these new types of services.
New Technology Stacks
Serverless - Lambda, Google and Azure functions.
Containers - often misunderstood and misconfigured.
Container management - Docker, Kubernetes, ECS
New types of storage - DynamoDB, CosmosDB, BigTable
New Cloud Provider Tools
Cloud platforms offer SDKs and CLIs.
These powerful new tools call cloud APIs.
They make changes in your accounts.
These same tools can be used and abused by pentesters!
Cloud Platform Differences
Under the hood where you can’t see things may be different.
AWS doesn’t use ARP. They created a Mapping Service.
They wrap packets leaving a VM NIC in custom headers.
What does that mean? No more ARP Spoofing.
Why ARP Spoofing doesn’t work
Pentesting Tools…old and new
Tried and true pentesting tools may be limited (Metasploit).
New tools like PACU from Rhino Security Cloud, built for AWS.
In some cases, the provider CLI is very powerful by itself.
In most cases, use a combination of old and new techniques.
Pentesting Resources on GitHub
How all that affects a Pentest
Hire someone that understands the cloud.
Define Domain Names, not IP addresses.
Understand the cloud provider requirements.
Include someone technical in the scoping process, if possible.
Considering Scope
Network access to your cloud
Traffic no longer stays in your network.
Developers may be calling APIs from your environment.
People are logging into the console.
The network equipment could be attacked.
Mashup of connected services
Many systems in the cloud integrate with other systems.
If you are leveraging any third-party systems, you need their permission.
Make sure any and all are listed as in or out of scope.
You may not be able to test them; you’ll have to obtain their pentest results.
Cloud Platform is out of scope
Whatever the cloud platform (AWS, Azure, Google),
the platform itself is out of scope for your test.
You will have to rely on their pentesting or compliance results.
Some services, like Cognito, will be out of scope as well
Web applications in the cloud
Recommendation: Include web app penetration testing.
Often you can leverage both old and new technologies.
Also include credentials. Once authorized, there is more attack surface.
Pentesters can check for lateral access and elevated access.
Optimizing Your Results
Have you had an assessment? That may be a place to start.
Are you already following best practices?
Can you do basic pentesting yourself?
Why giving read-only access may be beneficial.
Assessment vs. pentest
An assessment involves a review of best practices.
It does not include exploitation and pivoting.
An assessment may actually find more problems.
A simple assessment can be faster and cost less.
Do you follow Best Practices?
Before calling in a pentester have you read the best practices?
AWS well-architected framework, Azure Scaffold, CIS...
Implementing those first will save some pages in the report.
If you have a network team, have they reviewed the network?
Best practices: CIS Benchmarks
Have you evaluated your systems against CIS Benchmarks?
Best practices for many systems:
AWS, Azure, GCP, Docker, Kubernetes, Windows, more…
Evaluate and fix issues you find before your test.
Are Cloud Security Services on?
Have you enabled all the cloud security services?
Some will tell you if resources are misconfigured.
Review and fix any findings.
Also make sure logging has been turned on for all services.
What about a vulnerability scan
Have you run a vulnerability scanner over your systems?
That’s one of the first things the pentester will do.
Any vulnerabilities may be leveraged in an attack.
Vulnerability scanners report known software flaws.
Credentials and Segregation
Credentials are a critical point of failure in cloud security.
Do you have MFA on all critical credentials?
Are permissions segregated to reduce the blast radius?
If developers have broad access, you might want to fix that first.
Credential Attacks and cloud
Standard credential attacks can apply in and out of cloud.
Mimikatz, brute-force attacks on passwords, SMB.
Once credentials are obtained, see what they can access.
Phishing and social engineering still apply as well.
Developers and Networking
Did the developers get there first?
Did they build the network? With no network training?
In that case, they may be using default network rules...
Open outbound access, default CIDR blocks and ports.
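The "Credentials and Segregation" and "Developers and Networking" slides above both describe checks you can run on yourself before the tester arrives. The following is an added example, not code from the deck: it flags console-capable identities (including root) that have no MFA, and security-group rules that leave the defaults the slide warns about (world-open ingress on anything other than the expected web ports, and unrestricted outbound). The credential report and security groups are constructed inline in the same layouts the AWS CLI returns from get-credential-report and describe-security-groups, with a made-up account ID and group IDs; in practice you would feed the real CLI output into the same two functions.

```python
import csv
import io
import json
from typing import List, Tuple

# Constructed excerpt of an IAM credential report (CSV layout of the CLI's
# "iam get-credential-report" output; account ID and users are made up).
# Root reports password_enabled as "not_supported" although it can sign in to
# the console, so it has to be treated as a console identity.
CREDENTIAL_REPORT_CSV = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::111122223333:root,2019-01-01T00:00:00+00:00,not_supported,2019-05-01T00:00:00+00:00,not_supported,not_supported,false,false
alice,arn:aws:iam::111122223333:user/alice,2019-02-01T00:00:00+00:00,true,2019-05-02T00:00:00+00:00,2019-02-01T00:00:00+00:00,N/A,true,true
bob,arn:aws:iam::111122223333:user/bob,2019-02-01T00:00:00+00:00,true,2019-05-02T00:00:00+00:00,2019-02-01T00:00:00+00:00,N/A,false,true
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2019-02-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true
"""

# Constructed security groups in the JSON shape of "ec2 describe-security-groups".
# sg-0aaa keeps the defaults a developer-built network often has: SSH open to
# the world and all outbound allowed. sg-0bbb is scoped the way it should be.
SECURITY_GROUPS_JSON = """{"SecurityGroups": [
 {"GroupId": "sg-0aaa", "GroupName": "web",
  "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
  "IpPermissionsEgress": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
 {"GroupId": "sg-0bbb", "GroupName": "db",
  "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "UserIdGroupPairs": [{"GroupId": "sg-0aaa"}]}],
  "IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]}
]}"""


def users_without_mfa(report_csv: str) -> List[str]:
    """Console-capable identities (root included) with no MFA device."""
    flagged = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        console_login = row["password_enabled"] in ("true", "not_supported")
        if console_login and row["mfa_active"] != "true":
            flagged.append(row["user"])
    return sorted(flagged)


def _world_open(rule: dict) -> List[str]:
    """CIDRs in a rule that match the whole internet (v4 or v6)."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in ("0.0.0.0/0", "::/0")]


def network_findings(groups_json: str, public_web_ports=(80, 443)) -> List[Tuple[str, str, str]]:
    """(group id, direction, description) for world-open ingress outside the
    expected web ports and for unrestricted egress."""
    findings = []
    for sg in json.loads(groups_json)["SecurityGroups"]:
        for rule in sg.get("IpPermissions", []):
            for cidr in _world_open(rule):
                proto = rule["IpProtocol"]
                if proto == "-1":
                    findings.append((sg["GroupId"], "ingress", f"all traffic from {cidr}"))
                    continue
                lo, hi = rule.get("FromPort"), rule.get("ToPort")
                if proto == "tcp" and lo == hi and lo in public_web_ports:
                    continue  # expected for an internet-facing web tier
                span = f"{lo}" if lo == hi else f"{lo}-{hi}"
                findings.append((sg["GroupId"], "ingress", f"{proto}/{span} from {cidr}"))
        for rule in sg.get("IpPermissionsEgress", []):
            for cidr in _world_open(rule):
                if rule["IpProtocol"] == "-1":
                    findings.append((sg["GroupId"], "egress", f"all traffic to {cidr}"))
    return findings


if __name__ == "__main__":
    for user in users_without_mfa(CREDENTIAL_REPORT_CSV):
        print(f"no MFA: {user}")
    for group, direction, detail in network_findings(SECURITY_GROUPS_JSON):
        print(f"{group} {direction}: {detail}")
```

Note that deploy-bot is not flagged: it has no console password, only an access key, so the question for that identity is key rotation and permission scope rather than MFA. The egress check only reports the all-protocols/all-destinations case, which is the VPC default the slide refers to.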
Is your system Complete?
You can have a pentester test early to get initial results.
Security up front and early is always a good idea.
However, if your system is not complete, expect to test again.
Likely things will break in ways that limit test coverage.
Can you do Basic Pentesting?
Running web scanning tools is not rocket science.
You’ll need permission from your organization (C-level).
Burp Suite doesn’t cost much and Zed Attack Proxy is free.
Fix the basics and let your pentester know risks you accept.
Read-only access for pentesters
Pentesters can save time with read-only access in the cloud.
The same results (or better) as a network scan in less time.
Testers can verify they are attacking your resources.
Testers can verify they are not breaking provider rules.
Assessing Best-Practices
With read-only access testers can assess best practices.
For example, testers can quickly assess S3 buckets.
Additionally, paths to attack resources can be mapped out.
Tests can focus on more advanced attacks.
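The S3 bucket assessment mentioned on the slide above is a good illustration of what read-only access buys: the tester reads the bucket policy and ACL and classifies exposure without sending a single request at the bucket. The following is an added example, not from the deck, implementing that classification. The policies, the ACL, the bucket name, the account ID and the role are constructed for this example in the JSON shapes returned by get-bucket-policy and get-bucket-acl; a statement granted to an anonymous principal is rated "public" when it has no Condition and "conditional" when a Condition narrows who can use it (that case still deserves a manual look).

```python
import json
from typing import Dict, List, Tuple

# Constructed bucket policy (shape of "s3api get-bucket-policy"); names made up.
PUBLIC_READ_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"},
    {"Sid": "AppWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
     "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-assets/*"}
  ]
}"""

# Same anonymous grant, but limited by a Condition (here a VPC endpoint id,
# placeholder value): not reachable from the open internet, still worth review.
CONDITIONAL_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "VpceRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}
  ]
}"""

# Constructed bucket ACL (shape of "s3api get-bucket-acl") with a public READ grant.
PUBLIC_ACL = """{"Owner": {"ID": "EXAMPLE-OWNER-ID"}, "Grants": [
  {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"},
  {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}
]}"""

# The two predefined S3 groups that make an ACL grant public.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def _as_list(value) -> List[str]:
    """IAM policy fields may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    """Principal "*" or {"AWS": "*"} means anyone, authenticated or not."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def public_policy_statements(policy_json: str) -> List[Tuple[str, List[str], str]]:
    """Allow statements for anonymous principals, tagged "public" or "conditional"."""
    found = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        exposure = "conditional" if stmt.get("Condition") else "public"
        found.append((stmt.get("Sid", "<no sid>"), _as_list(stmt.get("Action", [])), exposure))
    return found


def public_acl_grants(acl_json: str) -> List[Tuple[str, str]]:
    """ACL grants to the AllUsers / AuthenticatedUsers groups."""
    grants = []
    for grant in json.loads(acl_json).get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GROUP_URIS:
            grants.append((PUBLIC_GROUP_URIS[uri], grant["Permission"]))
    return grants


def assess_bucket(name: str, policy_json: str, acl_json: str) -> Dict[str, object]:
    """One finding record per bucket: public, review (conditional only) or private."""
    statements = public_policy_statements(policy_json)
    grants = public_acl_grants(acl_json)
    if grants or any(exposure == "public" for _, _, exposure in statements):
        rating = "public"
    elif statements:
        rating = "review"
    else:
        rating = "private"
    return {"bucket": name, "rating": rating, "policy": statements, "acl": grants}


if __name__ == "__main__":
    print(assess_bucket("example-assets", PUBLIC_READ_POLICY, PUBLIC_ACL))
    print(assess_bucket("example-assets", CONDITIONAL_POLICY, '{"Grants": []}'))
```

Both the policy and the ACL have to be read, because either one alone can make a bucket public. A bucket rated "public" by this check that is not meant to serve public content is a finding you can close yourself before the test, so the tester's time goes to the harder paths.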
Cloud Architecture Review
Possible with read-only access and related experience.
Get an architecture review that spans cloud, app and network.
Reviews can also include team structure and processes.
For best results include documentation and interviews.
Are you ready to fix it?
After the test, you may need to go back and fix things.
Do you have the capacity and approval to fix the findings?
Will you need a follow-on penetration test to verify the fixes?
A new test may produce new findings.
Let’s pentest!
Now let’s get busy and pentest.
Defining your scope properly is most important to get started.
Hopefully, after you’ve prepared for all of the above,
your pentest will produce more meaningful results.
Thank you!
https://2ndsightlab.com
https://medium.com/cloud-security
Teri Radichel | @teriradichel

Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 

Dernier (20)

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 

Are You Ready for a Cloud Pentest?

  • 1. Are You Ready For a Cloud Pentest? Teri Radichel | @teriradichel
  • 2. Pentesting is cool! People seem to be in awe of hackers. Many people aspire to be pentesters. In reality, hacking is easier than defending. We should be in awe of defenders, but I digress. © 2nd Sight Lab, 2019
  • 3. What this talk is about Getting the most from a pentest. Being prepared. Cloud vs. On-Premises. NOT about lots of nifty hacking tricks. © 2nd Sight Lab, 2019
  • 4. Why might you need a pentest? Compliance. It’s required explicitly, or implicitly. Often testing by a third party. Prove the system can be broken into. (Not that it can’t be.) © 2nd Sight Lab, 2019
  • 5. Pentest preparation Mutual NDA - protects you and the pentester Define scope - what is in scope, what is not, objectives Rules of engagement - contacts, time of testing Contract - time, cost, ownership, data protection, and more © 2nd Sight Lab, 2019
  • 6. What you do not have to do All three cloud providers have discontinued upfront approval. You no longer have to submit a request. You may want to, in order to ensure your test isn’t terminated. A funny thing happened…. © 2nd Sight Lab, 2019
  • 7. My last request I made a request to allow my students to pentest in class I received an email saying requests were no longer required I posted it on Twitter - it wasn’t even on the AWS web site yet It went viral... © 2nd Sight Lab, 2019
  • 8. The infamous response © 2nd Sight Lab, 2019
  • 10. You still need permission! Not having to submit a form does not mean anything goes. You can only test systems for which you have permission. You can’t test anything that is off limits per the cloud provider. But for basic testing, no more pentest request forms. © 2nd Sight Lab, 2019
  • 11. May still want to send a request Let the cloud provider know you are testing. Make sure your test doesn’t get shut down. Your testing exceeds the base permission… AWS only allows testing of 8 services by default. © 2nd Sight Lab, 2019
  • 12. For example... © 2nd Sight Lab, 2019
  • 13. What’s different in the cloud? Dynamic resources and moving parts - scope changes Layer 4 and up - and only what is allowed by the provider. New technologies and configuration considerations. Underlying platform may cause traditional methods to fail. © 2nd Sight Lab, 2019
  • 14. Dynamic resources The IP address for a system may change during the test. The IP address may then be assigned to a different customer. What about AWS Lambda, Azure and Google Functions? Use domain names instead of IP addresses, or Elastic IPs. © 2nd Sight Lab, 2019
  • 15. Layer 4 + in AWS, Azure, GCP Layer 4 and up on infrastructure as a service clouds. If you’re used to testing routers and switches, sorry no. As for layer 4 and up, most of the same attacks apply. Pentesting your web applications will be mostly the same. © 2nd Sight Lab, 2019
  • 16. Layer 4 + in AWS, Azure, GCP © 2nd Sight Lab, 2019

    Responsibility   #  Layer         Examples
    Customer         7  Application   Web requests, documents, application load balancers, WAF, DNS
    Customer         6  Presentation  Translation between network and application layers
    Customer         5  Session       Stateful firewall – tracks all the packets in a particular session.
    Customer         4  Transport     TCP, UDP protocols (with ports), load balancers, stateless firewalls
    Cloud Provider   3  Network       IP Protocol (no ports), IP routers
    Cloud Provider   2  Data Link     Ethernet, 802.11, Mac Layer
    Cloud Provider   1  Physical      Network interface card and other hardware
  • 17. But only what is allowed Each cloud provider has pentesting requirements. You need to abide by the terms of service (TOS). Also the acceptable use policy (AUP). You still need permission from the resource owner! © 2nd Sight Lab, 2019
  • 18. Actions and resource sizes Certain types of tests cannot be performed. The cloud provider may limit throughput. Resource sizes may be limited or at least recommended. Scope documentation should be aligned accordingly. © 2nd Sight Lab, 2019
  • 19. Not allowed AWS does not allow the following Azure: No Denial of Service attacks © 2nd Sight Lab, 2019
  • 20. Pre-authorized tools Some tools may be pre-authorized by the cloud provider. Using these tools may ensure you’re following the rules. These tools are available in the marketplace. The cloud provider may also offer tools directly. © 2nd Sight Lab, 2019
  • 21. Like this one: Nessus © 2nd Sight Lab, 2019
  • 22. New Configurations Have you heard of an S3 Bucket? It’s all about the configurations inside the cloud. Lots of new services to configure ...or misconfigure. Pentesters will check these new types of services. © 2nd Sight Lab, 2019
  • 23. New Technology Stacks Serverless - Lambda, Google and Azure functions. Containers - often misunderstood and misconfigured. Container management - Docker, Kubernetes, ECS New types of storage - DynamoDB, CosmosDB, BigTable © 2nd Sight Lab, 2019
  • 24. New Cloud Provider Tools Cloud platforms offer SDKs and CLIs. These powerful new tools call cloud APIs. They make changes in your accounts. These same tools can be used and abused by pentesters! © 2nd Sight Lab, 2019
  • 25. Cloud Platform Differences Under the hood where you can’t see things may be different. AWS doesn’t use ARP. They created a Mapping Service. They wrap packets leaving a VM NIC in custom headers. What does that mean? No more ARP Spoofing. © 2nd Sight Lab, 2019
  • 26. Why ARP Spoofing doesn’t work © 2nd Sight Lab, 2019
  • 27. Pentesting Tools…old and new Tried and true pentesting tools may be limited (Metasploit). New tools like PACU from Rhino Security Cloud built for AWS. In some cases, the provider CLI is very powerful by itself. In most cases, use a combination of old and new techniques. © 2nd Sight Lab, 2019
  • 28. Pentesting Resources on GitHub © 2nd Sight Lab, 2019
  • 29. How all that affects a Pentest Hire someone that understands the cloud. Define Domain Names, not IP addresses. Understand the cloud provider requirements. Include someone technical in the scoping process, if possible. © 2nd Sight Lab, 2019
  • 30. Considering Scope © 2nd Sight Lab, 2019
  • 31. Network access to your cloud Traffic no longer stays in your network. Developers may be calling APIs from your environment. People are logging into the console. The network equipment could be attacked. © 2nd Sight Lab, 2019
  • 32. Mashup of connected services Many systems in the cloud integrate with other systems. If you are leveraging any third party systems - need permission. Make sure any and all are listed as in or out of scope. May not be able to test - you’ll have to get their pentest. © 2nd Sight Lab, 2019
  • 33. Cloud Platform is out of scope Whatever the cloud platform, AWS, Azure, Google The platform is out of scope for your test You will have to rely on their pentesting or compliance results Some services, like Cognito, will be out of scope as well © 2nd Sight Lab, 2019
  • 34. Web applications in the cloud Recommendation: Include web app penetration testing. Often can leverage old and new technologies. Also include credentials. Once authorized, there is more attack surface. Pentesters can check for lateral access and elevated access. © 2nd Sight Lab, 2019
  • 35. Optimizing Your Results Have you had an assessment? That may be a place to start. Are you already following best practices? Can you do basic pentesting yourself? Why giving read-only access may be beneficial. © 2nd Sight Lab, 2019
  • 36. Assessment vs. pentest An assessment involves a review of best practices. It does not include exploitation and pivoting. An assessment may actually find more problems. A simple assessment can be faster and cost less. © 2nd Sight Lab, 2019
  • 37. Do you follow Best Practices? Before calling in a pentester, have you read the best practices? AWS well-architected framework, Azure Scaffold, CIS... If you implement those first, it will save some pages in the report. If you have a network team, have they reviewed the network? © 2nd Sight Lab, 2019
  • 38. Best practices: CIS Benchmarks Have you evaluated your systems against CIS Benchmarks? Best practices for many systems: AWS, Azure, GCP, Docker, Kubernetes, Windows, more… Evaluate and fix issues you find before your test. © 2nd Sight Lab, 2019
  • 39. Are Cloud Security Services on? Have you enabled all the cloud security services? Some will tell you if resources are misconfigured. Review and fix any findings. Also make sure logging has been turned on for all services. © 2nd Sight Lab, 2019
  • 40. What about a vulnerability scan? Have you run a vulnerability scanner over your systems? That’s one of the first things the pentester will do. Any vulnerabilities may be leveraged in an attack. Vulnerability scanners report known software flaws. © 2nd Sight Lab, 2019
  • 41. Credentials and Segregation Credentials are a critical point of failure in cloud security. Do you have MFA on all critical credentials? Are permissions segregated to reduce the blast radius? If developers have broad access, might want to fix that first. © 2nd Sight Lab, 2019
  • 42. Credential Attacks and cloud Standard credential attacks can apply in and out of the cloud. Mimikatz, brute force attacks on passwords, SMB. Once credentials are obtained, see what they can access. Phishing and social engineering still apply as well. © 2nd Sight Lab, 2019
  • 43. Developers and Networking Did the developers get there first? Did they build the network? With no network training? In that case, they may be using default network rules... Open outbound access, default CIDR blocks and ports. © 2nd Sight Lab, 2019
  • 44. Is your system Complete? You can have a pentester test early to get initial results. Security up front and early is always a good idea. However if your system is not complete - expect to test again. Likely things will break in ways that limit test coverage. © 2nd Sight Lab, 2019
  • 45. Can you do Basic Pentesting? Running web scanning tools is not rocket science. You’ll need permission from your organization (C-Level). Burp Suite doesn’t cost much and Zed Attack Proxy is free. Fix the basics and let your pentester know which risks you accept. © 2nd Sight Lab, 2019
  • 46. Read-only access for pentesters Pentesters can save time with read-only access in the cloud. The same results (or better) as a network scan in less time. Testers can verify they are attacking your resources. Testers can verify they are not breaking provider rules. © 2nd Sight Lab, 2019
  • 47. Assessing Best-Practices With read-only access testers can assess best practices. For example, testers can quickly assess S3 buckets. Additionally paths can be mapped out to attack resources. Tests can focus on more advanced attacks. © 2nd Sight Lab, 2019
  • 48. Cloud Architecture Review Possible with read-only access and related experience. Get an architecture review that spans cloud, app and network. Reviews can also include team structure and processes. For best results include documentation and interviews. © 2nd Sight Lab, 2019
  • 49. Are you ready to fix it? After the test, you may need to go back and fix things. Do you have the capacity and approval to fix the findings? Will you need a follow-on penetration test to verify the fixes? A new test may produce new findings. © 2nd Sight Lab, 2019
  • 50. Let’s pentest! Now let’s get busy and pentest. Defining your scope properly is most important to get started. Hopefully after you’ve prepared for all of the above… Your pentest will produce more meaningful results. © 2nd Sight Lab, 2019
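
Slide 41 asks whether MFA is on all critical credentials; that question can be answered from IAM's credential report before the tester arrives. The following is an added example, not code from the talk or from 2nd Sight Lab: it parses the report CSV and flags console logins without MFA and active access keys that are old or unused. The report rows, the account ID and the 90/45-day thresholds are constructed sample values.

```python
"""Pre-pentest credential hygiene check, parsed from an IAM credential report.

Added example (not from the talk). The CSV columns are the ones AWS documents
for the credential report; the report below is constructed sample data.
To run it for real: aws iam get-credential-report, base64-decode Content,
and pass the text to audit_credential_report().
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report: only the columns this check reads matter.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2018-01-01T00:00:00+00:00,not_supported,2019-06-01T10:00:00+00:00,not_supported,not_supported,false,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2018-03-01T00:00:00+00:00,true,2019-06-10T10:00:00+00:00,2019-05-01T00:00:00+00:00,N/A,true,true,2019-05-20T00:00:00+00:00,2019-06-10T00:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2018-03-01T00:00:00+00:00,true,2019-06-10T10:00:00+00:00,2018-03-01T00:00:00+00:00,N/A,false,true,2018-03-01T00:00:00+00:00,2019-06-10T00:00:00+00:00,false,N/A,N/A
deploy,arn:aws:iam::123456789012:user/deploy,2018-03-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2019-06-01T00:00:00+00:00,N/A,true,2018-01-01T00:00:00+00:00,2018-02-01T00:00:00+00:00
"""
# Fixed "now" so the constructed sample gives stable results.
SAMPLE_NOW = datetime(2019, 6, 15, tzinfo=timezone.utc)
ROOT = "<root_account>"


def _parse_time(value):
    """Timestamps in the report are ISO 8601; N/A, no_information and
    not_supported all mean 'no date' and come back as None."""
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None


def audit_credential_report(report_csv, now=None, max_key_age_days=90, unused_days=45):
    """Return (severity, user, issue) tuples for the hygiene problems the
    slides call out: console logins without MFA and stale or unused access keys."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Root always has a console login; other users only if password_enabled.
        console = user == ROOT or row["password_enabled"] == "true"
        if console and row["mfa_active"] != "true":
            severity = "critical" if user == ROOT else "high"
            findings.append((severity, user, "console login without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _parse_time(row[f"access_key_{n}_last_rotated"])
            if rotated and now - rotated > timedelta(days=max_key_age_days):
                findings.append(("medium", user, f"access key {n} not rotated in {max_key_age_days} days"))
            used = _parse_time(row[f"access_key_{n}_last_used_date"])
            if used is None or now - used > timedelta(days=unused_days):
                findings.append(("medium", user, f"access key {n} active but unused for {unused_days} days"))
    return findings


if __name__ == "__main__":
    for severity, user, issue in audit_credential_report(SAMPLE_REPORT, now=SAMPLE_NOW):
        print(f"{severity:8} {user:16} {issue}")
```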
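
Slides 46 and 47 say that read-only access lets a tester quickly assess S3 buckets. Here is an added example of such a read-only check, not code from the talk or from 2nd Sight Lab: it rates buckets from the data returned by S3's GetPublicAccessBlock and GetBucketAcl calls. The bucket names and responses are constructed sample data, and bucket policies are not evaluated.

```python
"""Read-only S3 exposure check of the kind a tester (or you, before the test)
can run with read-only access. Added example, not from the talk.

The dicts below mirror the GetPublicAccessBlock and GetBucketAcl response
shapes and are constructed sample data, so the check runs offline. Fetching
real values means calling boto3's get_public_access_block / get_bucket_acl
per bucket (not shown). Bucket policies are not evaluated here.
"""

# Grantee URIs S3 uses for "everyone" and "any AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
BLOCK_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                  "BlockPublicPolicy", "RestrictPublicBuckets")
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}
FULL_BLOCK = {"PublicAccessBlockConfiguration": {k: True for k in BLOCK_SETTINGS}}


def _grant(uri, permission):
    return {"Grantee": {"Type": "Group", "URI": uri}, "Permission": permission}


# Constructed sample: bucket -> (GetPublicAccessBlock response or None, GetBucketAcl response).
SAMPLE_BUCKETS = {
    # No public access block at all (the API raises NoSuchPublicAccessBlockConfiguration).
    "corp-website-assets": (None, {"Grants": [OWNER, _grant(
        "http://acs.amazonaws.com/groups/global/AllUsers", "READ")]}),
    # Public grant still on the ACL, but the bucket's block neutralises it.
    "legacy-uploads": (FULL_BLOCK, {"Grants": [OWNER, _grant(
        "http://acs.amazonaws.com/groups/global/AuthenticatedUsers", "WRITE")]}),
    # Clean ACL, but only half of the block settings enabled.
    "private-logs": ({"PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True, "IgnorePublicAcls": True,
        "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}, {"Grants": [OWNER]}),
    "locked-down": (FULL_BLOCK, {"Grants": [OWNER]}),
}


def public_acl_grants(acl):
    """(group, permission) pairs in a GetBucketAcl response that reach beyond the account."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append((PUBLIC_GROUPS[grantee["URI"]], grant["Permission"]))
    return found


def assess_bucket(name, public_access_block, acl):
    """Rate one bucket as (name, severity, detail); public_access_block is None
    when no configuration exists for the bucket."""
    cfg = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    missing = [k for k in BLOCK_SETTINGS if not cfg.get(k)]
    grants = public_acl_grants(acl)
    if grants and not cfg.get("IgnorePublicAcls"):
        return name, "high", f"public ACL grants in effect: {grants}"
    if grants:
        return name, "medium", f"public ACL grants present but ignored by the block: {grants}"
    if missing:
        return name, "low", f"public access block incomplete, missing {missing}"
    return name, "info", "no public ACL grants and full public access block"


def assess_all(buckets):
    return [assess_bucket(n, pab, acl) for n, (pab, acl) in buckets.items()]


if __name__ == "__main__":
    for name, severity, detail in assess_all(SAMPLE_BUCKETS):
        print(f"{severity:6} {name:22} {detail}")
```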
