Move your VMware and KVM applications to the cloud without making any changes

  • April 17, 2016

Penetration testing on AWS: Think like your attacker

Clarence Chio
Clarence is a Security Research Engineer at Shape Security, working on the system that tackles malicious bot intrusion from the angle of big data analysis. Clarence has presented independent research on Machine Learning and Security at Information Security conferences in several countries, and is also the organizer of the “Data Mining for Cyber Security” meetup group in the SF Bay Area.

In the previous post in the pentest on AWS and Google series, we set up a complete security testing environment to play with. As you have seen, it really isn’t that difficult for an attacker to pwn your network. A lot of what attackers do is observation, trial-and-error, and guesswork. I left most of those parts out of the article, but bad network cleanliness and practices make things a lot simpler for adversaries.

All of the techniques we have discussed above are real techniques that take advantage of real (and sometimes even common) security loopholes that are frequently overlooked. Here are some things that the network administrator could have done to disrupt the attacker’s kill chain:

  • Fine-grained access control for database users, i.e. wordpress@mysql user can only access the WORDPRESS table
  • Don’t let arbitrary users have read permissions to the wp-config.php file.
  • Remove the ability to perform passwordless SSH between nodes, and don’t store any server access keys in the clear (this is by far the top method that attackers use to pivot between nodes)
  • Use firewall rules and thresholds to detect nmap attempts
  • Understand the norm of traffic flow in your network, and immediately alert administrators when anything abnormal is detected

Once again, I strongly encourage you to use the lab to build an environment that allows you to perform vulnerability assessments on your own systems. Ravello’s flexibility allows you to create a close replica of system and network infrastructures within a sandbox that can be repeatedly spun up and destroyed with a few clicks.

Most importantly, keep in mind that breaking into computer systems is illegal. Most system administrators, government agencies, and companies don’t have any sense of humor when it comes to security, and you don’t have to do any real damage to get into a considerable amount of trouble. Just trying to break into a system is a serious offence in many jurisdictions.

Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.