Cloud penetration testing is different from traditional penetration testing, just as cloud architecture/infrastructure is different from traditional on-premise architecture/infrastructure. Cloud providers like Google Cloud Platform (GCP) offer many features/services, but generally follow a shared-responsibility model, where the cloud provider is in charge of the security of the cloud, such as security relating to hardware and backend infrastructure, and you are in charge of the security in the cloud, such as the configuration of your servers, the privileges granted within your environment, and much more.
Cloud environments can be compromised in a variety of ways, and misconfigurations can leave you vulnerable to external attackers. External attackers aren’t the only potential threat, though: internal employees should be closely monitored as well, for a few reasons, including the potential for their own malicious activity, their potential for compromise by an external attacker (separate from a direct cloud environment compromise), or even their potential for making mistakes that open a security hole or perform an unintended action.
GCP pentesting allows you to test the security of a whole other layer of your applications and infrastructure, one that usually would not be directly evaluated during a traditional pentest or by external attackers.
GCP pentesting is an authenticated look at an environment that aims to closely simulate a malicious actor with the same level of access. This includes a variety of methods of exploitation and abuse of features/intended functionality to the attacker’s benefit.
The assessment will ensure that the security of an organization/environment is the strongest it can be in the unfortunate event that a malicious actor gains unauthorized access.
This blog describes some of the common methods that malicious actors will use to gain access to your cloud environment—although it’s aimed towards the compromise of Amazon Web Services (AWS) credentials, the ideas apply to nearly all cloud providers at a larger scale. Some of these methods include:
Even if you enforce multi-factor authentication (MFA), strong passwords, and strong security policies, most of these methods get around those protections in one way or another. Once someone is in your environment, have you done the proper testing to ensure you have the ability to detect, respond, and react to this scenario? Ideally, the principle of least privilege should prevent an attacker from expanding their access beyond what is expected, but is that really the case?
In our assessments, we go beyond automated scanning to provide an in-depth assessment of your environment. We check for a variety of different vulnerabilities and misconfigurations, including:
Rhino provides you with a report at the end of the process that details all vulnerabilities/misconfigurations discovered, as well as attack narratives for any complex attack paths taken while in the environment. We provide up-to-date and contextual risk ratings for each finding, along with guidance to perform effective remediation.
Our reports aim to help you understand the weaknesses within your environment, what risks those weaknesses bring, and how to go about remediating those weaknesses.
If, during our assessment, we discover something of high priority, such as a critical-risk vulnerability or an indication of a prior compromise, we will report it to you as soon as it is found, and we will work to help you remediate and learn from the situation in the best way possible.
No, Google does not require any advance notice for GCP pentesting, but we must follow Google’s Acceptable Use Policy (AUP) and cannot target resources that don’t belong to you.
We do not perform any testing for vulnerabilities in the “denial-of-service” category, both to avoid breaking Google’s AUP and to avoid disrupting your operations during our pentest. Clients are typically notified before any potentially disruptive activity is performed.
Make the process of penetration testing your GCP cloud environment as simple and efficient as possible.
We can walk you through the entire process, and it will help us get a better idea of your security assessment needs.