Cloud Penetration Test

Cloud penetration testing targets design, deployment, and configuration flaws in cloud-hosted environments. Penetration testers use a wide range of tools, techniques and procedures to assess an organization’s security posture from both an external and an internal perspective. Misconfigurations and flawed access policies have played major roles in recent security breaches.

Cloud Execution Methodology

Pen testers follow best practices and established attack methodologies to provide a comprehensive cloud security assessment. The process includes searching for misconfigured storage services such as AWS S3 buckets or Azure Storage Blobs, enumeration of Azure Active Directory units, privilege escalation using Azure Runbooks and automation accounts, and data exfiltration and mining.

Reconnaissance:

• Discovering and leveraging publicly available information

• Searching for leaked access keys in public GitHub repositories

• Discovering misconfigured storage services

Discovery:

• Port scanning

• System fingerprinting

• Services enumeration

Vulnerability Analysis:

• Exploit research

Exploitation:

• Manual vulnerability testing and verification of identified vulnerabilities

• Firewall and intrusion detection/prevention system testing

• Password spraying with common and weak passwords

Post-Exploitation:

• Local system enumeration

• Network enumeration and pivoting

• Sensitive data identification and mining

• Exfiltration
