Mike Rothman

Mike is a 25-year security veteran, specializing in the sexy aspects of security, such as protecting networks, protecting endpoints, security management, compliance, and helping clients navigate a secure evolution in their path to full cloud adoption. In addition to his role at DisruptOps, Mike is an Analyst & President of Securosis.
More by Mike Rothman
Securing The Cloud: Top Down and Bottom Up

Overview 

As organizations continue to move to the cloud for hosting applications and development, security teams must protect multiple attack surfaces, including the applications and cloud infrastructure. Additionally, attackers are automated and capable. While these attackers continuously probe and find access or vulnerabilities on many different levels, their success usually results from human error in code or infrastructure configurations, such as open admin ports and overprivileged identity roles. 

Learn how to better secure both the application layer and cloud infrastructure, using both automated tools and capable penetration testers to uncover logic flaws and other soft spots. Karl Fosaaen, Practice Director at NetSPI, and Mike Rothman, President at DisruptOps, share how to find and remediate your own vulnerabilities more efficiently before attackers do.

Key highlights: 

Common Pentesting Requirements 

Cloud adoption has seen a notable increase over the past five to 10 years and continues to accelerate. From an application pentesting perspective, a business may already have standard application pentesting requirements as part of the development process.  

Here’s an overview of common pentesting requirements: 

  • Application Testing 
    • Recently ported legacy applications 
    • New applications 
    • Recent or upcoming code pushes 
    • Web/mobile/thick client
  • Network Testing 
    • Internal network 
    • External network 
    • Segmentation testing (PCI)  

Now, a lot of legacy applications are being ported up into cloud environments. This opens a variety of potential vulnerabilities because of the cloud infrastructure that's being used, in addition to the fact that a lot of new applications are being built native in the cloud. 

As new applications are built, security concerns emerge that may not necessarily be taken into consideration. Because of this, pentesting is an effective method to help identify potential security concerns.

Every time new code pushes come up or new developments are made to cloud applications, pentesting those applications as they’re being deployed is important to identify new issues that may arise from an application standpoint. One consideration to keep in mind is that not only are web applications involved in the cloud, but also many mobile applications and thick client applications are hosted in the cloud, allowing new security issues to emerge.

On the network side, more external IPs and internal infrastructure are also being hosted in the cloud, which requires network pentesting.

How do we Pentest “The Cloud?”

When it comes to pentesting the cloud, a best practice is to complete application and network pentesting, as has been the case in the past, and add in a cloud configuration review to take a deeper dive into how services are being configured and used.

Steps to pentest the cloud:

  • Obtain permission, including read access to configurations with the cloud provider, to get an in-depth view of networks and applications hosted in the cloud environment 
  • Traditional network/app testing 
    • Traditional vulnerability/port scanners 
    • Nessus, Nmap, Burp Suite, etc. 
  • Cloud configuration review 
    • Automated tools to dump configurations and find issues 
    • Manual review of console/portal interfaces

Focus Services in Cloud Pentesting

From a pentesting and configuration review perspective, some of the most important services include:  

  • Virtual machines 
    • Virtual machine infrastructure as a service is one of the key services where issues from as long as 10 years ago are reemerging in cloud environments. Understanding how these services are configured and making sure everything is properly set up is critical. 
  • Serverless code 
    • Serverless code is something worth diving deeper into to learn how the code is executed and run. Similar problems appear across all the different cloud providers from a serverless code perspective and it’s important to see how permissions are applied across different services. 
  • Platform users and groups 
    • How permissions are applied (IAM) 
    • Integrations with identity providers (IDPs/Federation/SSO) 
  • (Potentially) public-facing PaaS services 
    • Web application services 
    • Database services 
    • Data storage

How to Scope your Cloud Pentest  

The next step is understanding how to effectively plan or scope your cloud pentest to secure cloud assets. Some steps to consider include:

  • Gather counts of resources in your environment  
    • Numbers of: 
      • Virtual machines 
      • Public IPs 
      • PaaS services 
  • Include public-facing IPs in your external ranges 
    • Beware of dynamic IPs 
  • Include application testing as part of your scope 
  • Complete a separate cloud environment pentest 
    • Scope should cover app/network/configuration

The Security Hamster Wheel of Pain 

Many businesses are stuck on an endless hamster wheel of pain from a risk management perspective. This is an endless cycle of the following stages:  

  • Ignorance is bliss 
  • Am I hosed?  
  • Yes, the vendor’s tools prove it 
  • Sheer panic 
  • “Fix” problems 

Rather than being stuck on this wheel, businesses need to think more strategically about security operations and understand the reality that the environment is a lot more complicated, and developments are happening a lot faster.

Why is Cloud Security at Scale Hard?

Cloud security is challenging to scale due to several factors, including:

  • Complexity: Hundreds of cloud services and tens of thousands of resources spread across multiple cloud accounts. 
  • Speed of change: DevOps and agile approaches have led to frequent and even continuous change. 
  • Human error: Lack of human expertise and tools leaves issues undetected and unresolved. 
  • Automated attackers: Exposed cloud resources are rapidly discovered and exploited by automated attacks.

Capabilities to Look for in a Cloud SecOps Platform 

A Cloud SecOps platform can help your organization get off the security hamster wheel of pain and improve your overall cloud security.

Top capabilities to look for in a Cloud SecOps platform include:  

  • Serverless: DisruptOps is fully cloud-native and serverless for cloud-scale support. 
  • Event-driven: Internal architecture is completely event-driven for both internal and external events.  
  • Software-as-a-Service (SaaS): DisruptOps is a fully multi-tenant SaaS application. 
  • Secure by design: Security is baked in, including an advanced least-privilege provisioning system.

The Key to Automation: Decisions 

In the past, automation was often a security concern because there were many instances of automation running awry and taking down half a network – or similar examples. However, automation has since become more widely adopted.

As part of the DisruptOps platform, the team built a chatbot that integrates with Slack and Microsoft Teams. The chat sends an alert of any security concerns, along with any actions the team needs to take. Alerts can also be delayed by a set time window, such as 15 minutes or an hour, if a team member doesn’t have time to address the issue right away. Human-integrated automation puts power in the hands of decision-makers.

Top Down Meets Bottom Up 

The decision technology, chatbots, and ability to have humans involved in the process can help increase team members’ comfort with automation. This is an example of when top-down meets bottom-up. Steps include:

  • Identify the issue 
  • Remediate once 
  • Automate 
  • Continuous assessment

Secure Cloud Environments with NetSPI Cloud Penetration Testing 

As cloud environments continue to evolve and expand, and cybercriminals become more sophisticated, organizations are at risk of vulnerabilities, configuration issues, and other threats.  

NetSPI’s Cloud Penetration Testing services can help identify vulnerabilities in cloud infrastructure, reduce organizational risk, and improve cloud security. Our expert cloud pentesters follow manual and automated penetration testing processes and focus on configuration review, external cloud pentesting, and internal network pentesting.  

Learn more about NetSPI’s Cloud Penetration Testing services or schedule a demo with our team.

Webinar recording: https://youtu.be/4B9ZTgwkReM

Staying Off the Hamster Wheel of Cloud Security Pain

It all starts innocently enough. You engage with a trusted provider to perform a penetration test of your shiny, new cloud-native application. And the penetration testers find stuff. Of course, they find stuff. They always find stuff because that's what they do. Sure, you try to make it harder for them to find stuff, and sometimes you're somewhat successful in that, but they'll still find stuff.

Sigh. That means you have to fix stuff, right? Now you have a decision, and it can be a pretty tough decision. Do you fix things once and move on to the next thing? Or do you try to be a little more strategic and address the root cause of the issue, which is typically a human error committed by a well-meaning operations person? Our pals at Gartner believe that 99% of all cloud security failures will be the customer's fault. Ouch.

You probably look at your to-do list and then make the quick fix to move on to the next thing. To be clear, I'm not judging that choice. It's reality given the number of items on your plate and the amount of time it'll take to really fix the problem.

Unfortunately, you are now on the cloud security hamster wheel of pain. This concept was coined back in 2005 by Andy Jaquith and highlighted the challenge of doing security correctly. No matter what you did, you ended up in the same place – breached and having to respond to the incident. Yeah, those were fun times. But I guess I shouldn't speak of that in past tense because far too many folks are still on their hamster wheel.

So, what is a better approach to dealing with these cloud infrastructure security issues that provide the avenues for our trusted penetration testers to gain access to your cloud environment? It's to implement a security operations platform that both responds to attacks and enforces a set of policy guardrails around your infrastructure.

Let's start with the guardrails concept, as you may already be familiar with that term – since it's taken on a life of its own in security marketing circles. We're referring to the ability to assess against a set of security best practices continually (for instance, the CIS Benchmarks) and automatically remediate if a change is made that violates the policies. The guardrails moniker is apropos, as you don't want anyone to drive your cloud application off the proverbial road, and the automated security guardrails keep you there without slowing anyone down.

But risks to your systems are not always security policy violations, as there are times where an attacker gains access to your cloud environment and starts making changes. You likely have all sorts of detection technologies and monitors (like AWS CloudTrail and GuardDuty, or Microsoft Security Center) checking on your cloud, but what happens when an alert fires from one of those tools? In some environments, nothing happens. Yeah, that's the wrong answer. If you had a pre-designed set of playbooks to take actions depending on the attack, you'd already have addressed the attack before too much damage is done. We call this capability Cloud Detection and Response (CDR), but we're not particular about the name – rather just that you can respond to a cloud attack at the speed of cloud.

Now, we're all too aware that you may have broken out in hives at the mere mention of automated remediation. We get it, many of us came from operations backgrounds as well, and we know (all too well) the downside of an automation run awry. So, we believe that humans should be in the process where needed. Thus, your cloud security operations platform should have logical points where an administrator can approve an automation before it takes action. Being able to make a "decision" about an automated action goes a long way toward gaining comfort with the tool and the changes required.
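
As an added illustration (not code from the webinar, NetSPI or DisruptOps), the sketch below runs the kind of configuration review and decision-gated guardrail described above over a constructed configuration dump, flagging the open admin ports and overprivileged roles named in the webinar overview. The sample data, the `Finding` type and all function names are assumptions; the security-group records follow the shape of `aws ec2 describe-security-groups` output.

```python
from dataclasses import dataclass

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
WORLD = {"0.0.0.0/0", "::/0"}

# Constructed sample data (not from a real account).
SECURITY_GROUPS = [
    {"GroupId": "sg-0example1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0example2", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0example3", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
ROLE_POLICIES = {
    "ci-deployer": {"Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "report-reader": {"Statement": {
        "Effect": "Allow", "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-reports/*"}},
    "ops-admin": {"Statement": [
        {"Effect": "Allow", "Action": ["iam:*", "ec2:Describe*"],
         "Resource": "*"}]},
}

@dataclass(frozen=True)
class Finding:
    resource: str
    issue: str

def _as_list(value):
    """IAM JSON allows one item or a list for Statement, Action, Resource."""
    return value if isinstance(value, list) else [value]

def open_admin_ports(groups):
    """Flag TCP admin ports reachable from any IPv4 or IPv6 address."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto not in ("tcp", "-1"):
                continue
            cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
            cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
            if not cidrs & WORLD:
                continue
            # "-1" means every protocol and port; the port fields are absent.
            low, high = (0, 65535) if proto == "-1" else (
                perm.get("FromPort", 0), perm.get("ToPort", 65535))
            for port, name in sorted(ADMIN_PORTS.items()):
                if low <= port <= high:
                    findings.append(Finding(
                        group["GroupId"], f"{name}/{port} open to the internet"))
    return findings

def overprivileged_roles(policies):
    """Flag Allow statements pairing a wildcard action with Resource "*"."""
    findings = []
    for role, doc in sorted(policies.items()):
        for stmt in _as_list(doc.get("Statement", [])):
            if stmt.get("Effect") != "Allow":
                continue
            broad = [a for a in _as_list(stmt.get("Action", []))
                     if a == "*" or a.endswith(":*")]
            if broad and "*" in _as_list(stmt.get("Resource", [])):
                findings.append(Finding(
                    role, "wildcard " + ",".join(broad) + " on Resource *"))
    return findings

def triage(findings, decisions, now):
    """Map each resource to its next step; nothing is changed without approval.

    decisions: resource -> ("approve", decided_at) or
               ("delay", decided_at, minutes), times in epoch seconds.
    """
    plan = {}
    for finding in findings:
        decision = decisions.get(finding.resource)
        if decision and decision[0] == "approve":
            plan[finding.resource] = "remediate"
        elif (decision and decision[0] == "delay"
              and now < decision[1] + decision[2] * 60):
            plan[finding.resource] = "snoozed"
        else:
            # No decision yet, or the delay window ran out: alert again.
            plan[finding.resource] = "awaiting-decision"
    return plan

def review():
    """Run both checks over the constructed dump."""
    return open_admin_ports(SECURITY_GROUPS) + overprivileged_roles(ROLE_POLICIES)
```
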

I'd be lying if I told you that cloud security (or any security discipline, for that matter) is easy. There is nothing easy about it. But staying on the cloud security hamster wheel of pain of making tactical fixes over and over again is an even harder path. Building internal cloud security operations capabilities is certainly an option, as we have many friends who carry around their own "suitcase full of scripts and Lambdas" to automate remediation.

But we don't think DIY (do it yourself) is a long-term answer either. The solution is deploying a cloud security operations platform, as we've described above. If you'd like to learn more about this concept and how to gracefully address the issues found by your penetration testing team, check out our webinar on April 16.

And then you'll have the confidence that you'll have addressed the issues once and for all, or at least until the next time NetSPI penetration testers go after your application because they'll find different stuff. That's what they do...

Learn more about NetSPI’s cloud penetration testing services, including how cloud pentesting helps improve your cloud security posture.
