Cloud Service Reconnaissance
Securing a Cloud deployment
These days many organizations have migrated at least some of their IT services to a cloud environment. Cloud adaptation could be as basic as the use of Microsoft Office 365 on some workstations, or it could be much more comprehensive, such as the use of a fully integrated Azure or Amazon AWS infrastructure. One of the main reasons for cloud migration is the redundancy and the reliability of the platform. What this means is that organizations quite often have a lot of their most important information and systems stored in the cloud, such as e-mail and database servers. With this increased importance comes an increased level of risk as well, which needs to be taken into account when allocating resources to security tasks. Regular penetration testing and vulnerability scanning have been a critical part of a comprehensive security policy for decades now, and with the shift of critical data and systems towards the cloud, the focus of these services will also need to change.
Reconnaissance and enumeration
When it comes to penetration testing and vulnerability scanning, knowledge is everything. The more information an attacker has about a targeted organization, the easier and further the system can be compromised. From a defensive perspective, the more information the security administrator has about the network; the better an organization can protect and monitor it. There are many ways to gather this required information, both passively (reconnaissance) and actively (enumeration). The use of standardized cloud services has brought some challenges and some new opportunities which both offensive and defensive parties need to keep in mind. The cloud environment is better protected, but the services are often standardized, well documented and publicly accessible.
Learn Cloud Security
DNS Records
The first step in (public) cloud reconnaissance is to identify whether the target is using any cloud services and if so, which services they are. As covered at the "Hacking the Cloud" talk at DEFCON 2017, the best way to do this is to query specific DNS records.
DNS MX Records are used to direct email to a company's e-mail servers for processing, which means they hold important information. If the records point to for instance outlook.com, the target is likely using Office 365 for e-mail services. Also, during the setup of an Office 365 service, Microsoft requires the creation of a DNS TXT record in order to prove that the domain is indeed owned and managed by the requester. This record can be removed afterward, but this is rarely done. Many other service providers require the same type of authentication. If there is a DNS TXT record named amazonses for instance, the target is likely to use Amazon Simple Email Service. More information is available as well via CNAME, SPF and DFS records.
There are a lot of tools available that can easily extract the required DNS information. Nmap is a widely known tool which can extract a lot of DNS information via specific command switches. DNSEnum and DIG are some other tools that could be used for DNS enumeration. All of these come pre-installed with Kali Linux.
Network and Application Scanning
Scanning the cloud perimeter is nothing new from a technical perspective. Traditional tools such as NMAP and Kismet will work without any issues. What is new, however, is that a cloud target is located within a shared network, owned by the Cloud Service Provider (CSP). To avoid any impact on other customers and any defensive or legal action from the CSP, always ask for written approval before starting broad and comprehensive scans, both to and from a cloud instance. Request forms are easily accessible on the provider's support pages.
Cloud Specialized Tools
Development of new and adapted reconnaissance, enumeration and exploitation tools, specialized in targeting public cloud providers has been limited. Because most levels of cloud adaptions, from IaaS all the way up to SaaS, look similar from the outside (where the reconnaissance originates), there has been no need for a new approach and new tools. There are a few useful cloud specific reconnaissance tools though.
For instance, Azurite is a reconnaissance and visualization tool that gives a good understanding of which Azure services are in use and how they are connected. It does need subscription credentials, so understandably, its use is limited to cloud account owners and white box penetration testers.
An interesting development from the offensive side is the use of bots that search sites like GitHub for uploaded code, accidentally containing cloud account access (API) keys. The impact of such a leak could be enormous to the account owner, so it is important for any organization to place security controls around the use of these sites (for instance via Data Leak Prevention solutions).
Vulnerability scanning
Finally, by far the most comprehensive, but also the noisiest method or network reconnaissance is the use of a vulnerability scanner. Such a scanner simply runs through a standard or customized profile of passive and active scans and lists the detected vulnerabilities, sometimes combined with suggested remediation actions. Such a scanner could be placed inside the cloud instance, such as the Qualys Virtual Scanner Appliance for Amazon AWS. Another option is to use the security services of the Cloud Service Provider, for instance in the form of Amazon Inspector. A vulnerability scan could also still be sourced from outside the network by using a fully self-managed tool or a 3rd party cloud based solution. Because of the generated noise, broad vulnerability scanning would only be a practical tool for the cloud instance owner. As with network scanning, prior written authorization from the Cloud Service Provider is required.
Learn Cloud Security
Conclusion
It is incredibly important for any company to know what network and security information is publicly accessible via the internet. After proactively gathering this information (like an attacker would also do), actions can be taken to limit the exposure and with that, the security risks. Regular scans of the perimeter, analysis, and clean-up of DNS records, taking obsolete services and cloud instances offline; there is much an organization could do to be proactive from a security perspective. In the end, it is critical to know what company data is out there so it can be best protected from malicious entities.
Learn Cloud Security
Build your cloud security skills and get hands-on experience in Infosec Skills. What you'll learn:- Cloud architecture
- Cloud management
- Cloud pentesting
- CSP security features
- And more
In this Series
- Cloud Service Reconnaissance
- The rise of cloud computing: Trends and predictions
- Understanding the basics of cloud infrastructure: What you need to know
- How cloud security, data privacy, and cybersecurity convergence drives successful careers
- Secure cloud computing: What you need to know
- Working across multiple cloud service providers: CSP security learning path
- Securing cloud-based applications training: What you need to know
- Security risks of cloud migration
- DevSecOps in the Azure Cloud
- Amazon Athena Security: 6 essential tips
- Securing cloud endpoints: What you should know
- AWS security and compliance overview
- CloudGoat walkthrough series: IAM privilege escalation by attachment
- CloudGoat walkthrough series: EC2 server-side request forgery (SSRF)
- CloudGoat walkthrough series: Remote code execution
- CloudGoat walkthrough series: Lambda Privilege Escalation
- Information security strategy for the hybrid and multi-cloud
- CloudGoat walkthrough series: Cloud Breach S3
- CloudGoat walkthrough series: IAM privilege escalation by rollback
- Working with CloudGoat: The “vulnerable by design” AWS environment
- Malicious Amazon Machine Images (AMIs)
- Key findings from Ponemon’s State of Vulnerability Management in the Cloud and On-Premises report
- Cloud Pentesting Certification Boot Camp: The ultimate guide
- Cloud Based IDS and IPS Solutions [Updated 2019]
- AWS Security Monitoring Checklist [Updated 2019]
- Amazon Inspector: A cloud-based vulnerability assessment tool
- System administrator vs. cloud administrator
- 5 key cloud security use cases
- Deep Packet Inspection in the Cloud
- Honeypots in the Cloud
- Biometrics in the Cloud
- Open-Source Intelligence Collection in Cloud Platforms
- How to Safeguard Against the Privacy Implications of Cloud Computing
- AWS Cloud Security for Beginners — Part 2
- AWS Cloud Security for Beginners — Part 1
- AWS Security Monitoring Checklist — Part 2
- Rise of the Rogue Cloud: The Fundamental Security Mistake Enterprises Make and How to Correct It
- Controlling the Risks of Cloud-Enabled End-Point Security Products
- The Ultimate Guide to CCSP Certification
- Five Reasons Why Security Professionals Need the Cloud
- Amazon S3 Buckets-Hardening
- Cloud Computing Security: Be Secure Before Moving to Cloud
- Cloud Technology Bringing New Possibilities in Threat Management
- Attacking the Cloud
- Man in the Cloud Attacks: Prevention and Containment
- Cloud originated DDoS attacks
- Where Is Your Data Safer? In the Cloud Or On Premise?
- DDOS Protection for Public Cloud Customers
- Security Barriers in the Adaptation of Cloud Technology
- SIEM as a Service
- Cloud Security Incident Compensation
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Cloud security
Cloud security