Our information gathering process remains the same whether we are testing your network or your web application in AWS. The first difference you will notice is that for internal network testing, rather than using a RedTeam Security provided device (a NUK) to gain access to the network, we might use a virtual machine, VPN, SSH, and appropriately provisioned IAM user. To review IAM policy misconfigurations and other services’ security, an IAM user will be necessary.
Threat modeling is a multi-step process. Initial threat modeling will be done through discussions with the client to identify their most important assets to protect. For some companies, this could be financial data; for others, Intellectual Property. A nonprofit organization, in contrast, may see the most critical asset as something as fundamental as donor trust. RedTeam Security looks out for ways these “crown jewels” could be compromised and other assets that might get overlooked but is vital to the business.
Then, as additional information is collected, the threat model is continually refined. Security testing can then transition to identifying vulnerabilities affecting internally facing systems and those “crown jewels.” This begins with automated scans and is followed by using manual testing techniques to dig deeper, uncover, and validate potential vulnerabilities. During the threat-modeling step, assets are identified and categorized into threat categories. These may involve sensitive documents, trade secrets, or financial information but more commonly apply technical details found during the previous phase.
Because there are more role-based access capabilities in the AWS environment than in a typical Active Directory environment, misconfigured roles and policies for users, groups, and services can become a significant liability. Our knowledgeable testers understand the risks associated with overly permissive or misconfigured policies and recommend best practices to maintain a secure identity and access management services. This includes checks to ensure that your organization’s IAM policies follow principles of least privilege.
The vulnerability analysis step involves documentation and risk analysis of vulnerabilities discovered during the previous stages. This includes analyzing results from the output of various automated and manual testing techniques.
Categories of vulnerabilities found on-premises and in the cloud can be similar. As part of our testing process, we attempt to connect seemingly low-risk vulnerabilities into a more dangerous attack chain to provide better leverage within both the cloud and on-premises networks. However, some vulnerabilities that may be considered a lower risk in an on-premises network could be viewed as a high or critical impact, depending on the system in AWS. Our teams know how to classify risks appropriately while considering the unique differences between AWS and on-premises environments.
Unlike a vulnerability assessment, a pentest dives deeper by seeking to validate vulnerabilities through active exploitation, employing a real-world threat actor’s mindset. Exploitation involves establishing access to a system through the bypassing/exploitation of security controls to determine their real-world risk. During a RedTeam Security penetration test, this phase consists of concerted manual testing efforts that are often quite time intensive.
Within the AWS account, RedTeam Security will evaluate S3 bucket configurations. Since access to S3 buckets can be controlled in many ways, RedTeam Security will carefully review both IAM policies and S3 bucket policies. When reviewing S3 buckets, we’ll check for listable buckets, world-readable buckets, and world-writable buckets to prevent unintended disclosure of sensitive information.
We will also examine EC2 instances, APIs, and Lambda functions during web application penetration tests, looking for opportunities to exploit vulnerabilities throughout the full stack of offerings in the AWS ecosystem.
At RedTeam Security, we consider the reporting phase to be the most important. We take great care to ensure we've thoroughly communicated the total value of our service and findings to our Clients.