Power Up Your Azure Penetration Testing

As businesses continue to embrace the cloud, the spotlight falls on safeguarding their growing digital environment. At Black Hat, NetSPI VP of Research Karl Fosaaen sat down with the host of the Cloud Security Podcast Ashish Rajan to discuss all things Azure penetration testing. In an era of constantly evolving technology and escalating cyber threats, voices like Karl’s become the bedrock of resilience for today’s cloud security. 

Catch the highlights below and watch the full episode here.

How is Azure pentesting different than AWS pentesting? 

Each cloud provider has its own identity platforms, so working within the platforms will be inherently different. For example, in AWS you might have IAM accounts, policies, roles, and groups, but within Azure, you’ve got a completely separate identity system through Azure Active Directory, soon to be Entra ID. 

“There’s a lot of overlap between the two different cloud providers — or any different cloud provider. When we built up our methodologies for doing cloud pentesting, we tried to make the methodologies vendor agnostic so they’d apply to any cloud vendor we’re working with.” 

Is cloud pentesting just configuration review? 

Configuration review is an important component of cloud pentesting, but from our perspective, we use configuration review as a component that informs the pentesting. Configuration review focuses on seeing what’s exposed to the internet, or what an internal networking looks like from virtual networks. Pentesting takes it to the next level by trying to find application network vulnerabilities and abuses of those misconfigurations that can be used to potentially gain access. 

“I think that’s the key component that might be missing for folks who see cloud pentesting as just config review. To actually pentest it, we have to exploit the vulnerabilities and show the potential impact there.” 

How would you compare cloud pentesting to network pentesting?  

There’s a lot of overlap between cloud pentesting and network pentesting. Karl’s background is in external and internal network pentesting, and a lot of the skills he gained early in his career carry over to cloud pentesting. Many organizations bring their on-prem applications and virtual machines up into the cloud, so the core principles of network security apply to the cloud too.  

“Those same pentesting principles that we had from network pentesting of identifying live services, seeing how we can exploit them, trying to identify vulnerabilities, it’s the same kind of ideas just applied to the cloud context.” 

What’s your thought process when you go down the path of an Azure penetration test? What’s your first step?  

Every engagement is unique, so it depends on the different resources within an environment. Start by establishing a baseline. For example, when looking at AWS versus Azure, the concept of passing a role to an AWS service has a similar counterpart in Azure. You have managed identities that you can pass to a specific service. Start by looking at what managed identities are out there, what roles resources, where things attach, who has rights to what, and try to start formulating that path toward potentially compromising an asset that could allow you to pivot over to something else. When we can start escalating this way, we’re able to build out a mental map that provides a baseline of the environment you’re in. 

“It’s really just getting a rough idea of what’s in the environment, situational awareness, identifying where your attack paths might be, and additionally, where the identities are.”  

Hear Karl and Ashish talk in-depth by listening to the full episode on Cloud Security Podcast’s LinkedIn page. If you’re interested in improving your Azure Penetration Testing skills, then sign up for a chance to win a signed copy of Karl’s book and be the first to know when NetSPI’s Dark Side Ops workshops open!

Discover why security operations teams choose NetSPI.