NETWORK PEN TESTING IN THE CLOUD
Internal network-layer penetration tests
The landscape of how companies deploy servers and consume IT infrastructure is changing as companies are moving workloads to cloud environments such as AWS, GCP, and Azure.
As our clients who are required to comply with PCI-DSS move to the cloud, we are frequently asked “how are we going to do the internal network layer penetration test? We can’t plug your pentest system into the cloud”. We also hear that “the cloud provider is doing internal testing for us” which usually is not the case. The confusion is that since you cant plug a system into the internal network, an internal network pentest is not necessary, this is also not true.
There are many ways to perform an internal network layer penetration test in cloud environments. One of the most common methods we see is to deploy a Linux system in the cloud environment and allow the pentester access to that system to perform testing from. The pentester can decide what subnet or security group would be the best to deploy the system on and then determine a realistic set of testing scenarios. At MegaplanIT, we usually advise our clients to deploy the testing server in the DMZ to simulate what could happen if a web server were compromised and the type of systems and information a hacker would be able to exploit.
Another common way to simulate an internal network penetration test would be to provide the penetration tester with VPN credentials and access to the cloud environment. The level of access you grant the penetration tester should be discussed between the organization and the tester to determine how it could simulate a real-world hacker scenario.
Now that we have determined how internal network penetration testing in the cloud could be performed we will discuss why it should be performed. The most convincing reason why you should perform internal network penetration testing is that if you are subject to PCI-DSS requirements, it is a requirement under PCI-DSS 11.2. The most obvious risk that could be understood by performing internal testing is seeing what an attacker can do once an external-facing server in your cloud environment is compromised. The compromise could stem from malware, un-patched software, misconfigured services, or a web server with OS command injection vulnerabilities. Once an attacker has compromised an external-facing system, the next step is to see what other systems can be compromised and what data can be stolen. Internal network testing can also help an organization identify additional controls and vulnerabilities that need to be remediated on additional or nearby systems and create a repeatable process to prevent these types of issues from surfacing.