Pen Testing in the Cloud: The New Challenges


Categories: Cyber Security | Published On: December 12, 2023 | 6.9 min read
About the Author

Syazana Khan

A communications specialist and technology wordsmith with over 2 years' experience in the IT and professional development training arena.

The role of penetration testing

As cybersecurity professionals, we are aware of the role that penetration testing plays as part of a comprehensive security program. One of the main benefits is finding vulnerabilities and identifying potential security gaps that exist within our systems, as well as validating that security controls have been properly implemented and are operating in an effective manner.

As more entities adopt cloud technology, the way we execute penetration testing changes. It’s important to take into consideration new challenges that are introduced with IT services delivered via cloud technologies.

Challenge #1: Understanding Ownership of Resources

One of the challenges that arise revolves around the ownership of resources. Subscribing to a cloud service does not give us unlimited permission to test the provider's systems or to look for vulnerabilities that could potentially affect other tenants.

The first step as cloud consumers is to understand what level of testing the cloud provider allows. The contract is what defines exactly what we can and cannot do within our cloud service provider, and a good contract specifies what level of testing we can perform. It then becomes our responsibility to adhere to those limits or, if we subcontract penetration testing services, to make sure that our vendor understands what our contract says.

Depending on the cloud model, there may be different levels of flexibility to scope and conduct penetration testing activities. For example, under infrastructure as a service (IaaS) we have more control because we own the IT infrastructure resources that are being tested. If a system is affected, the impact is usually limited to systems that we own. However, under software as a service (SaaS), the scenario changes. Since we operate under shared infrastructure, providers may impose strict limitations on the testing activity that we can perform.

After all, if every customer decided to run a penetration test on any given day, the provider could end up with extremely high utilization, potentially leading to a denial-of-service condition that could affect multiple tenants.

To avoid this, some providers in this delivery model require advance notification of testing and will impose specific conditions on how to run those tests. A typical scenario is to limit the scope of testing to a subdomain assigned to your tenant.
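To turn a scope restriction like "only your tenant's subdomain" into something a tester can actually enforce, every candidate target should be checked against the allowed zone before any scanner runs. The following is an added example and not code from the original article; the zone name `tenant42.saas-example.test`, the target list and the helper names `in_scope` and `partition_targets` are constructed for illustration. It also covers a common mistake: a plain `endswith()` check would accept another tenant's hostname whose name merely ends in ours.

```python
"""Added example (not from the original article): check candidate targets
against the rules of engagement before any scanning happens.

Assumption (constructed): the provider allows testing only of hostnames
under the tenant's assigned subdomain, expressed as a list of allowed zones.
"""
import ipaddress

# Constructed rules of engagement: only our tenant subdomain is in scope.
ALLOWED_ZONES = ("tenant42.saas-example.test",)


def in_scope(hostname: str, allowed_zones=ALLOWED_ZONES) -> bool:
    """Return True only if hostname is the zone itself or a label-wise
    subdomain of it.  A naive endswith() check would wrongly accept
    'other-tenant42.saas-example.test', which belongs to another tenant."""
    host = hostname.strip().rstrip(".").lower()
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        # A raw IP address is the provider's shared infrastructure, never in scope here.
        return False
    except ValueError:
        pass
    for zone in allowed_zones:
        zone = zone.lower()
        if host == zone or host.endswith("." + zone):
            return True
    return False


def partition_targets(targets, allowed_zones=ALLOWED_ZONES):
    """Split a target list into (in_scope, out_of_scope) so that out-of-scope
    hosts are reported to the engagement lead instead of being scanned."""
    inside, outside = [], []
    for target in targets:
        (inside if in_scope(target, allowed_zones) else outside).append(target)
    return inside, outside


if __name__ == "__main__":
    # Constructed sample target list.
    sample = [
        "app.tenant42.saas-example.test",
        "tenant42.saas-example.test",
        "other-tenant42.saas-example.test",  # different tenant, must be excluded
        "api.saas-example.test",             # provider's shared API, excluded
        "203.0.113.10",                      # raw IP, excluded
    ]
    ok, rejected = partition_targets(sample)
    print("in scope:", ok)
    print("out of scope:", rejected)
```

Feeding the scanner only the `in_scope` list, and logging the `out_of_scope` list, gives you a record that the engagement stayed within the contract.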

Challenge #2: Choosing an Offensive Security Technique

Once you understand the rules of engagement that govern penetration testing against your provider, consider how you can use one of the offensive security techniques listed below to attempt to gain access to your systems.

  1. Scan online code repositories for cloud credentials or access keys: Unfortunately, leaking secrets on these platforms is a problem that shows no signs of stopping anytime soon.
  2. Engage in social engineering: You can try to attack your cloud engineers and other personnel in charge of your cloud platform to gain access to their credentials.
  3. Think like an attacker: One way to understand how bad actors are executing their nefarious activities and penetrating systems in the cloud is by leveraging the MITRE ATT&CK framework. This is a catalogue of adversary tactics and techniques that attackers use to compromise systems. The value is that it has been derived from analyzing real intrusions. The findings on how those attacks were executed were catalogued in a matrix that presents what techniques were used in different phases of the attack.

Resources like ATT&CK allow penetration testers and other defenders to understand how to build detection for different use cases as well as how to mitigate weaknesses that exist in your environment. From a penetration testing perspective, we can use this information to attack our own cloud platforms and identify potential weak spots that need to be corrected.
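The first technique above has an obvious defensive counterpart: catching cloud credentials in your own repositories before they are pushed. The following Python scanner is an added example, not code from the original article. It flags AWS access key IDs by their documented `AKIA`/`ASIA` prefixes, checks a secret-access-key assignment with Shannon entropy so that obvious placeholders are skipped, and catches PEM private-key blocks such as the one inside a GCP service-account JSON file. The sample configuration is constructed; the key values in it are the publicly documented AWS example credentials, not real secrets.

```python
"""Added example (not from the original article): a pre-commit style scanner
that flags cloud credentials before they reach a shared or public repository.

Detection rules (constructed for this example):
  * AWS access key IDs: 20 characters starting with AKIA (long-term) or ASIA (temporary)
  * aws_secret_access_key assignments: a 40-character value, kept only if its
    Shannon entropy is high enough to look like real key material
  * PEM private-key blocks, e.g. the private_key field of a GCP service-account file
"""
import math
import re
from collections import Counter
from pathlib import Path

AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
AWS_SECRET_ASSIGN = re.compile(
    r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})['\"]?")
PEM_PRIVATE_KEY = re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")
ENTROPY_THRESHOLD = 4.0  # bits per character; placeholders like 'xxxx...' score 0


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of the string."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, source: str = "<memory>") -> list:
    """Return findings as (source, line_number, kind, redacted_snippet)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in AWS_KEY_ID.finditer(line):
            key_id = match.group(0)
            findings.append((source, lineno, "aws_access_key_id", key_id))
        match = AWS_SECRET_ASSIGN.search(line)
        if match and shannon_entropy(match.group(1)) > ENTROPY_THRESHOLD:
            # Never echo the full secret into logs or CI output.
            findings.append((source, lineno, "aws_secret_access_key",
                             match.group(1)[:4] + "...redacted"))
        if PEM_PRIVATE_KEY.search(line):
            findings.append((source, lineno, "private_key_block", line.strip()))
    return findings


def scan_paths(root: str, suffixes=(".env", ".json", ".py", ".tf", ".yml", ".yaml", ".cfg")) -> list:
    """Walk a directory and scan text-like files; binary content is read leniently."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            findings.extend(scan_text(path.read_text(errors="ignore"), str(path)))
    return findings


# Constructed sample: the two AWS values are AWS's own documentation examples.
SAMPLE_CONFIG = """\
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
AWS_SECRET_ACCESS_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----BEGIN PRIVATE KEY-----
(fake key material for the example)
-----END PRIVATE KEY-----
"""

if __name__ == "__main__":
    for source, lineno, kind, snippet in scan_text(SAMPLE_CONFIG, "sample.env"):
        print(f"{source}:{lineno}: {kind}: {snippet}")
```

Wiring `scan_paths` into a pre-commit hook or a CI job that fails on any finding is the cheapest mitigation for the leak problem the article describes; the entropy check is what keeps documentation placeholders from turning every commit into a false positive.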

Challenge #3: Selecting the Right Tools

If you are able to gain access, you will need some tools to help you conduct reconnaissance, scanning, exploitation and exfiltration on your target. Cloud penetration testing tools have evolved considerably, and selecting the right tool depends on your cloud provider.

Cloud Penetration Testing Tools

Cloud provider             Tool            Description
Amazon Web Services (AWS)  PACU            Open-source AWS exploitation framework written in Python
Amazon Web Services (AWS)  CloudGoat       Stands up vulnerable AWS resources as a target for PACU
Microsoft Azure            MicroBurst      A collection of PowerShell scripts that can be used to attack your Azure environment
Microsoft Azure            Azucar          Conducts a security assessment against your Azure subscription
Google Cloud               GCPBucketBrute  An open-source tool to enumerate buckets, list permissions and attempt privilege escalation

Amazon Web Services (AWS)

If you are operating under Amazon Web Services (AWS) you can use PACU. This tool is an open-source AWS exploitation framework written in Python that allows you to conduct attacks via modules. For example, you can target different services like Lambda, S3 and EC2 individually.

Worried about affecting your production systems? The developers of PACU have also created a utility named CloudGoat that can help you stand up vulnerable AWS resources that you can use as a target for PACU.

Microsoft Azure

If your cloud systems live in Microsoft Azure, you can find great tools like MicroBurst. This is a collection of scripts based on PowerShell that can be leveraged to attack your Azure environment. Some of the key features include service enumeration, password and key dumping, and many others.

Another useful tool is Azucar. This tool allows you to conduct a security assessment against your Azure subscription and outputs a lot of detailed information about your resources and their configuration.

Google Cloud

Initially, Google Cloud was not as popular as AWS and Azure, but it has been consistently gaining ground. If you are using their services, you can also find open-source tooling to help you conduct penetration testing. For example, you can use GCPBucketBrute to enumerate buckets, list permissions and attempt privilege escalation.

The cloud is here to stay, and it is redefining the way IT services are deployed and delivered. It is essential that all penetration testing professionals enhance their skill set by understanding the nuances that the cloud introduces to penetration testing. Understanding ownership of resources, choosing an offensive security technique and selecting the right tools will help you and your organization identify vulnerabilities and provide better protection from cyberthreats.

Security vulnerabilities and exploits are more common than ever. Organizations must develop vigorous security postures that protect assets through penetration testing. Testing an organization's information systems can help in determining the resiliency of its security posture and highlight how resistant it is to unauthorized access. Stakeholders must agree to the bounds of the testing, and a report containing the data collected and recommended mitigation strategies must be produced.

CompTIA PenTest+ reflects this and addresses all stages of the penetration testing process.

Frequently Asked Questions

Why Should I Get the New CompTIA PenTest+?

This cybersecurity certification endorses your intermediate-level cybersecurity skills with a credential that’s respected industry-wide across the globe:

  • CompTIA PenTest+ is the only exam on the market to include all aspects of vulnerability management – not only hands-on vulnerability assessment, scanning and analysis, but also planning, scoping and managing weaknesses rather than just exploiting them.
  • CompTIA PenTest+ is the most current penetration testing exam covering the latest techniques against expanded attack surfaces – a unique exam that requires a candidate to demonstrate the most relevant pen testing skills for the cloud, hybrid environments, web applications, Internet of Things (IoT) devices, embedded systems and traditional on-premises.
  • CompTIA PenTest+ fulfills the U.S. Department of Defense (DoD 8570) compliance and National Initiative for Cybersecurity Education (NICE) work roles.

Why Is There a New Version of CompTIA PenTest+?

Every three years, CompTIA PenTest+ gets updated to meet the needs of the industry and ensure that IT pros have the skills necessary for today’s cybersecurity jobs. Like its predecessor PT0-001, CompTIA PenTest+ (PT0-002) is still designed for cybersecurity professionals tasked with penetration testing and vulnerability management.

The updates to CompTIA PenTest+ qualify penetration testers in the most up-to-date penetration testing, vulnerability assessment and management skills necessary to determine the resiliency of the network against attacks.

People who have CompTIA PenTest+ are able to do the following:

  • Plan and scope a penetration testing engagement
  • Understand legal and compliance requirements
  • Perform vulnerability scanning and penetration testing using appropriate tools and techniques, and then analyze the results
  • Produce a written report containing proposed remediation techniques, effectively communicate results to the management team and provide practical recommendations

Other penetration testing exams only cover a portion of the stages with essay and hands-on questions. CompTIA PenTest+ is the most comprehensive exam covering all penetration testing stages, with both performance-based and knowledge-based questions.

What’s on the Latest Version of CompTIA PenTest+?

The latest version of CompTIA PenTest+ (PT0-002) includes performance-based and multiple-choice exam questions across five domains:

  • Planning and Scoping (14%)
  • Information Gathering and Vulnerability Scanning (22%)
  • Attacks and Exploits (30%)
  • Reporting and Communication (18%)
  • Tools and Code Analysis (16%)

These domains relate back to the primary responsibilities of a penetration tester or a security consultant. Someone in this role will have the intermediate-level skills tasked with identifying vulnerabilities and remediation techniques across broader attack surfaces.


Get certified & win goodies!

The first 10 candidates to obtain CompTIA’s cybersecurity-related certification will get a set of amazing CompTIA goodies!

What are you waiting for? Explore CompTIA PenTest+ today!
