DeepSec2019 Talk: Mastering AWS Pentesting and Methodology – Ankit Giri

The Cloud (whatever it really is) is the future (of whoever takes advantage of it). This is how information security experts see the outsourcing technologies based on virtualisation and application containment. Ankit Giri explains at DeepSec 2019 what defenders need to be aware of and how you can test your security controls before your adversaries do.

(Pen)Testing the Cloud

The intent here is to highlight the fact that pentesting a cloud environment comes with legal considerations. AWS (Amazon Web Services) has established a policy that requires a customer to raise a permission request before conducting penetration tests and vulnerability scans against, or originating from, the AWS environment. We can focus on user-owned entities, identity and access management, user permission configuration and the use of the AWS API integrated into the AWS ecosystem. Some examples would be targeting and compromising AWS Identity and Access Management (IAM) keys, establishing access through backdoor functions provisioned through different services, testing S3 bucket configuration and permission flaws, and covering tracks by obfuscating CloudTrail logs.
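Two of the checks named above, S3 bucket permission flaws and the integrity of CloudTrail logging, as an added offline example written for this page (not the speaker's or AWS's code): it evaluates a constructed bucket policy for statements that grant anonymous access, and a constructed list of trail settings for configurations that would leave an intruder's actions unrecorded or the log files unverifiable. The input shapes mimic the S3 GetBucketPolicy and CloudTrail DescribeTrails/GetTrailStatus responses, which is an assumption; no AWS API is called.

```python
"""Offline audit helpers for two of the checks the talk abstract names: S3 bucket
policies that grant anonymous access, and CloudTrail trails whose settings would
let an intruder's activity go unrecorded or be altered undetected.
Inputs are constructed documents shaped like the S3 GetBucketPolicy and CloudTrail
DescribeTrails/GetTrailStatus responses (an assumption; no AWS API is called)."""
import json

# --- constructed sample inputs ---------------------------------------------
SAMPLE_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {   # legitimate: one specific role may read objects
            "Sid": "AppRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-role"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
        {   # misconfiguration: anyone on the internet may list and read
            "Sid": "Public",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        },
        {   # wildcard principal narrowed by a condition: still worth a look
            "Sid": "PublicFromVpce",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
        },
    ],
})

# Constructed trail records; IsLogging really comes from GetTrailStatus and the
# other two fields from DescribeTrails, merged here per trail for simplicity.
SAMPLE_TRAILS = [
    {"Name": "main-trail", "IsMultiRegionTrail": True,
     "LogFileValidationEnabled": True, "IsLogging": True},
    {"Name": "legacy-trail", "IsMultiRegionTrail": False,
     "LogFileValidationEnabled": False, "IsLogging": False},
]


def _as_list(value):
    """IAM policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """True when the Principal element is the wildcard in either of its spellings:
    the bare string "*" or a map such as {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def audit_bucket_policy(policy_json):
    """Return one finding per Allow statement whose principal is anonymous.
    An unconditioned wildcard is HIGH; a wildcard narrowed by a Condition block
    is MEDIUM, because the condition keys decide the real exposure."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_anonymous(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "severity": "MEDIUM" if stmt.get("Condition") else "HIGH",
            "actions": _as_list(stmt.get("Action", [])),
        })
    return findings


def audit_trails(trails):
    """Flag CloudTrail settings that weaken the log as evidence: a trail that is
    not logging, that covers a single region only, or that lacks log file
    validation (the digest files that prove a delivered log file was not altered)."""
    findings = []
    for trail in trails:
        problems = []
        if not trail.get("IsLogging", False):
            problems.append("not logging")
        if not trail.get("IsMultiRegionTrail", False):
            problems.append("single region only")
        if not trail.get("LogFileValidationEnabled", False):
            problems.append("log file validation disabled")
        if problems:
            findings.append({"trail": trail["Name"], "problems": problems})
    return findings


if __name__ == "__main__":
    for f in audit_bucket_policy(SAMPLE_BUCKET_POLICY):
        print(f"[{f['severity']}] statement {f['sid']} grants {', '.join(f['actions'])} to anyone")
    for f in audit_trails(SAMPLE_TRAILS):
        print(f"[HIGH] trail {f['trail']}: {'; '.join(f['problems'])}")
```

On a real account the same functions would be fed the policy string and trail records returned by the AWS CLI or SDK; the point of keeping the inputs constructed is that the evaluation logic, which is where audit tools differ, can be reviewed and tested without credentials.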

The Question we are trying to answer, or the Problem we are trying to solve

The flaws reported in AWS environments have the highest impact. When we talk about vulnerabilities found in a cloud environment, there seems to be little information available, as there is no specific exploit scenario. These bugs vary drastically from one cloud vendor to another. These flaws are much more complex than they appear to be, because one can’t completely rely on the AWS security implementation: a cloud environment works on a shared responsibility model. This can lead organisations to underestimate the risk they are susceptible to. However, this is what makes the configuration of the AWS platform, and the traditional application code or assets in the environment, even more crucial from an organization’s security standpoint.

Takeaway for the Audience from the Talk

There is no standard methodology to pentest AWS environments, as it depends on the type and size of the infrastructure being tested and on the variety of AWS services in use. A configuration option or feature can often be used to perform an action it was not intended for. A security audit/assessment that includes these flaws discovered in the AWS environment is a value add for the application owner’s organization, as these vulnerabilities would not have been detected by any tool, by basic pentesting (based only on the OWASP Top 10 or WASC classification), and/or by a scanner.
The attendees will get an overview of the different tools available to aid in pentesting cloud-specific environments, a short demo of a couple of tools, what different aspects are covered by different sets of tools, and how to use all of this as an exhaustive toolset for a comprehensive pentest.

Session Objectives

  • Developing an approach towards pentesting a specific cloud environment.
  • Different tools available for pentesting cloud-specific environments, with a short demo of a couple of tools.
  • Areas to look at in AWS for flaws and misconfigurations, and understanding the shared responsibility model.

We asked Ankit a few more questions about his talk.

Please tell us the top 5 facts about your talk.

  1. Developing an approach towards pentesting a specific cloud environment.
  2. Different tools available for pentesting cloud-specific environments, with a short demo of a couple of tools.
  3. Areas to look at in AWS for flaws and misconfigurations, understanding the shared responsibility model.
  4. Possible exploit scenarios and AWS built-in solutions to reduce the risk.
  5. Third-party tools for secure account upkeep and cases of account compromise.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

While I was working for one of the security consulting firms, and their client was one of the major CSPs, I got the chance to pentest the services in the pipeline for release. Pentesting cloud services in itself comes with a lot of challenges, like basic knowledge about the cloud-specific services and terminologies, setting up the environment and looking for specific vulnerabilities related to the cloud environment. In my journey to do such pentests, I had to do some repeated tasks and realized that for someone doing this kind of pentest for the first time it will be a challenge. Keeping this challenging situation in mind, I thought of creating a pentesting methodology for cloud environments, which can cover the things to look for, like user-owned entities, identity and access management, user permissions configuration and use of the API integrated into the cloud ecosystem. Some of the examples would be targeting and compromising account IAM keys, establishing access through backdoor functions provisioned through different services, testing cloud bucket configuration and permission flaws and covering tracks by obfuscating service logs.

Why do you think this is an important topic?

The flaws reported in cloud environments have the highest impact. When we talk about vulnerabilities found in a cloud environment, there seems to be much less information available, as there is no specific exploit scenario. These bugs vary drastically from one cloud vendor to another. These flaws are much more complex than they appear to be, because one can’t completely rely on the Cloud Service Provider’s security implementation, as a cloud environment works on the shared responsibility model. This can lead organisations to underestimate the risk that they are susceptible to. However, this is what makes configuration of the cloud platform and the traditional application code or assets in the environment even more crucial from a security standpoint, from an organization’s point of view.

Is there something you want everybody to know – some good advice for our readers maybe?

There is no standard methodology to pentest cloud environments, as it is dependent on the type and size of infrastructure being tested and the varied services of the Cloud Service Provider. Looking at a configuration/feature, it can often be used to perform an action which is not expected. The security audit/assessment which includes these flaws discovered in the cloud environment is a value add for the application owner’s organization, as these vulnerabilities would not have been detected by any tool, basic pentesting (based only on OWASP Top 10 or WASC Classification), and/or scanner. The attendees will get an overview of different tools available to aid in pentesting cloud-specific environments, a short demo about a couple of tools, what different aspects are covered by a different set of tools, and how to use all of this as an exhaustive toolset for a comprehensive pentest.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

I would say there has been increasing use of cloud services, and migration has increased multifold as well. As a result, it is important to challenge existing cloud security measures to be able to detect potential issues. If the last five years belonged to adoption and the move to the cloud, the next five years or so would be in the direction of securing cloud environments, or rather secure adoption of the cloud. With the new buzzword already being “DevSecOps” instead of “DevOps”, we would see a lot of new solutions in the cloud security space and new research in the same direction. The major challenge is still being able to manage huge infrastructure from a security point of view; things are easier to handle in small or initial phases. But when the same security measures are to be scaled for large infrastructure, the fight between usability and security would also come into the picture. These challenges will always present us with new possibilities, innovations and maybe more new talks like these to come in the future 🙂

Looking forward to seeing you all at Ankit’s presentation!

Speaker, presenter, and blogger, Ankit has a diverse background in writing informational blogs. He is a penetration tester by profession with 4+ years of experience and a part-time bug bounty hunter, featured in the Halls of Fame of EFF, GM, SONY, HTC, PagerDuty, AT&T, Mobikwik and multiple others. He loves speaking at conferences, has given talks at RSA APAC 2018, BSides Delhi 2017, CSA Dehradun, Cyber Square Summit and OWASP Jaipur, and has been a regular feature at infosec meetups like Null and the OWASP Delhi Chapter. He also leads the show for the Peerlyst Delhi-NCR chapter. He has an upcoming talk at RSA US 2019 on Mastering AWS pentesting and methodology.
