Clarifying the FedRAMP Penetration Test Requirements
As a Third Party Assessment Organization (3PAO), Schellman regularly conducts FedRAMP assessments for Cloud Service Providers (CSPs). Each of these assessments includes a penetration test requirement. The FedRAMP Program Management Office (PMO) has issued a document that provides guidelines for CSPs and 3PAOs that perform penetration testing, including procedures for analyzing and reporting on findings. Within this document, the PMO outlines at least six attack vectors that should be considered as part of the penetration test so that the test reflects the most common real-world attacks. Those six vectors provide a framework that allows agencies, CSPs, and 3PAOs to have consistent expectations about what is performed during the penetration test.
Though the guidelines thoroughly describe the six vectors, Schellman personnel still often receive further questions and concerns when working with CSPs during a penetration test. Below is a list of the six vectors with FedRAMP's official guidance, followed by further clarification on the details and a breakdown of the most common issues we hear from CSPs.
1. External to Corporate – External Untrusted to Internal Untrusted
Social Engineering - Spear Phishing Attack
FedRAMP official guidance: “An internet-based attack attempting to gain useful information about or access the target cloud system through an external corporate network owned and operated by the CSP.”
Schellman clarification: This is the social engineering part of the assessment. During testing, Schellman acts as an external untrusted attacker targeting the internal employees who support the CSP environment that will host agency data (the "target system"). Ideally, employees would not use the same privileged or trusted accounts for daily tasks, such as reading e-mail, that they use to manage the target system; if they do, a single phished credential can reach agency data.
Schellman uses Open Source Intelligence (OSINT) tools and techniques to gather a list of internal employees who support the target system. Once the CSP has approved the list, Schellman creates a spear phishing campaign designed and personalized for the selected employees. The final payload varies from client to client, but the goal is always to obtain credentials that would allow an attacker to compromise the target system.
Tips for a CSP: To limit the number of people who know that a phishing attack will be taking place, do not alert your employees to the testing. User awareness training is always beneficial, but holding it until the end of the test is the better approach, as the test then provides a more accurate picture of employees' ability to detect phishing attacks.
2. External to Target System – External Untrusted to External Trusted
Network Penetration Testing - External Internet Based Attack
FedRAMP official guidance: “An internet-based attack as an un-credentialed third party attempting to gain unauthorized access to the target system.”
Schellman clarification: Of the six vectors, this is the one CSPs are usually most familiar with. As an unauthenticated user on the Internet, Schellman performs active reconnaissance, vulnerability scanning, and manual testing in an attempt to exploit vulnerabilities in the CSP environment that hosts agency data.
Tips for a CSP: Know your environment. The FedRAMP report templates require IP addresses, but provide hostnames and URLs in addition to them. Many CSPs host their environment using dynamic IP addressing, so addresses can change during the course of the test. Having the hostnames and URLs helps avoid accidentally testing assets that are not in scope, and lets the tester re-resolve the scope if an address changes mid-test.
3. Target System to CSP Management System – External Trusted to Internal Trusted
Application Penetration Testing - Underlying Infrastructure Attack
FedRAMP official guidance: “An external attack as a credentialed system user attempting to access the CSP management system or infrastructure.”
Schellman clarification: Think of this as a malicious user who already has legitimate access to the application or platform. As an authenticated user, Schellman attempts to break out of the application layer and gain access to the servers and infrastructure supporting the environment.
Tips for a CSP: Schellman needs one account for each user role the system offers. Where the target system supports self-registration, Schellman will often register its own accounts, and it may create additional users as testing requires.
4. Tenant to Tenant – External Trusted to External Trusted
Application Penetration Testing - Lateral Movement Attack
FedRAMP official guidance: “An external attack as a credentialed system user, originating from a tenant environment instance, attempting to access or compromise a secondary tenant instance within the target system.”
Schellman clarification: This vector is very similar to attack vector number 3. However, instead of looking for weaknesses in the application that lead to the supporting infrastructure, the goal is to move laterally and gain access to another tenant's data.
Tips for a CSP: To perform tenant-to-tenant testing, two separate tenant environments are required, even if the application is single-tenant and each customer resides on an isolated instance. This vector lets Schellman detect authorization flaws, such as insecure direct object references (IDOR), as well as segmentation weaknesses if the platform is multi-tenant.
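The following is an added example (not code from the Schellman article or from the FedRAMP guidance) of the authorization flaw this vector is designed to find. It models a multi-tenant document store with constructed sample tenants and documents: one lookup trusts the object ID alone (an insecure direct object reference), the other scopes the lookup to the tenant of the authenticated session. The probe at the bottom does what a tester does in this vector, walking a range of IDs while authenticated as one tenant and recording anything returned that belongs to another.

```python
"""Tenant-to-tenant IDOR check: vulnerable lookup beside a tenant-scoped one.

All tenant names, document IDs and contents below are constructed sample data
for this example; they do not come from any real system.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    tenant_id: str
    body: str


# Constructed sample data: two tenants sharing one document table, as in a
# multi-tenant SaaS platform. IDs are sequential and therefore guessable.
DOCUMENTS = {
    101: Document(101, "tenant-a", "Tenant A quarterly report"),
    102: Document(102, "tenant-b", "Tenant B contract draft"),
}


class NotFound(Exception):
    pass


def get_document_vulnerable(session_tenant: str, doc_id: int) -> Document:
    """Looks up by ID only; the caller's tenant never enters the query (IDOR)."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    return doc


def get_document_scoped(session_tenant: str, doc_id: int) -> Document:
    """Tenant-scoped lookup: the tenant from the authenticated session is part
    of the key. A cross-tenant ID gets the same 'not found' as a nonexistent
    ID, so the response does not reveal that the object exists elsewhere."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.tenant_id != session_tenant:
        raise NotFound(doc_id)
    return doc


def cross_tenant_probe(lookup, session_tenant: str, doc_ids) -> list[int]:
    """Authenticated as one tenant, walk a range of IDs and record every
    document returned that belongs to a different tenant.
    An empty list means the lookup leaked nothing across tenants."""
    leaked = []
    for doc_id in doc_ids:
        try:
            doc = lookup(session_tenant, doc_id)
        except NotFound:
            continue
        if doc.tenant_id != session_tenant:
            leaked.append(doc_id)
    return leaked


if __name__ == "__main__":
    ids = range(100, 105)
    print("vulnerable:", cross_tenant_probe(get_document_vulnerable, "tenant-a", ids))  # [102]
    print("scoped:    ", cross_tenant_probe(get_document_scoped, "tenant-a", ids))      # []
```

In a real engagement the probe runs against HTTP endpoints with two tenant accounts rather than an in-memory table, but the decision point is the same: the tenant must come from the authenticated session, never from the request, and every object query must carry it.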
5. Corporate to CSP Management System – Internal Untrusted to Internal Trusted
Internal (Assume Breach) - Employee’s Workstation Compromised
FedRAMP official guidance: “An internal attack attempting to access the target management system from a system with an identified or simulated security weakness on the CSP corporate network that mimics a malicious device.”
Schellman clarification: Of all the attack vectors, this one generates the most questions and concerns. The goal is to understand the risk to agency data if an employee who supports the CSP environment has their workstation compromised. If an attacker has a backdoor into the corporate network, can that access be used to pivot into the CSP environment hosting agency data? The machine selected for testing should be representative of the machines in the environment, and to keep conditions normal, the targeted user should not be told that the payload will be executed on their machine. If the CSP is primarily a macOS shop, the targeted employee should be running a Mac, and likewise for Windows. Schellman provides the payload that is executed on the selected workstation.
Tips for a CSP: Do not make one-time changes to a standard laptop or network configuration ahead of the penetration test. Also, do not provide a freshly imaged and fully patched workstation on which to execute the payload, as this is not a realistic attack scenario. Testing a newly reimaged workstation models a scenario in which a new employee is hired, receives a freshly imaged and fully patched workstation with no third-party applications installed, and then falls victim to a 0-day exploit that gives an attacker remote access. While theoretically possible, this scenario is highly unlikely, and the sponsoring agency will most likely see it the same way. Similarly, if everyone in the organization is on a domain, the selected workstation should not be in a standalone workgroup. Any such modifications made to game the test will be disclosed to the agency in the FedRAMP penetration testing report.
6. Mobile Application – External Untrusted to External Trusted
FedRAMP official guidance: “An attack that emulates a mobile application user attempting to access the CSP target system or the CSP’s target system’s mobile application.”
Schellman clarification: If the CSP has a mobile application and the sponsoring agency is going to use it, the mobile application is in scope. Typically, the app is downloaded from the respective app store. If the app requires a special build to connect to the test environment, have that build ready before testing begins. If the CSP does not offer a mobile app, or the agency will not use it, this attack vector is not applicable.
The FedRAMP penetration testing requirements are thorough, yet there are areas that may need clarification. The details above provide basic breakdowns and tips, but when an agency or CSP has questions about the scope of the penetration test, it is best to start with the official guidance and then confirm expectations with Schellman, or with their respective 3PAO.
About JOSH TOMKIEL
Josh Tomkiel is a Senior Manager and Penetration Tester based in Philadelphia, PA with over 10 years of experience in the Information Technology field. Josh has a deep background in all facets of penetration testing and works closely with Schellman's other service lines to ensure penetration testing requirements are met. Additionally, Josh leads Schellman's Red Team service offering, which provides an in-depth security assessment focused on different tactics, techniques, and procedures (TTPs) for clients with mature security programs.