While this test type does include common pen test attack vectors, it also involves techniques unique to cloud environments such as the exploitation of misconfigured serverless components and privilege escalation paths within native cloud services.
Our cloud penetration testing methodology involves the following steps:
1. Provision (Seed) Initial Access: With your help, we’ll create users or API keys that have the same rights as a standard employee, a developer, or an account with read-only access to the environment to be tested. This simulates an attacker who has already obtained a foothold with ordinary privileges.
2. Identify Best Practices: Then, we’ll identify deviations from common best practices that attackers abuse. (NOTE: Despite our efforts, this phase will likely not identify as many best practice-related items as an audit would, because an audit focuses on manual processes and review.)
3. Privilege Escalation: Finally, we’ll search the accessible services (e.g., compute, storage, IAM) in your cloud environment for credentials and misconfigurations that could grant access beyond what was seeded. Each time we gain access to a new principal or service, we’ll determine exactly how much new access to resources was obtained and whether those resources can be abused to gain further access or to compromise additional resources.
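As an added illustration of the privilege escalation step (this is example code written for this page, not Schellman's tooling), the script below scans an IAM policy document for permission combinations that are well known to enable escalation, such as iam:PassRole combined with the ability to create and invoke a Lambda function. The policies are constructed samples, the account ID is the AWS documentation placeholder, and the evaluator is deliberately simplified: it honours Allow/Deny and action wildcards but ignores Resource, Condition and NotAction, so a hit is a lead to confirm by hand, not a proven path.

```python
"""Flag IAM policy statements that open well-known privilege-escalation paths.

Simplified evaluator: honours Allow/Deny and action wildcards, but ignores
Resource, Condition and NotAction. Treat every hit as a lead to verify.
"""
import fnmatch

# Constructed sample policies (not from any real environment).
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
        {"Effect": "Allow", "Action": "lambda:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/lambda-exec"},
        {"Effect": "Deny", "Action": "lambda:DeleteFunction", "Resource": "*"},
    ],
}

READONLY_POLICY = {
    "Version": "2012-10-17",
    # A single statement may appear as a bare object rather than a list.
    "Statement": {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*", "s3:Get*"],
                  "Resource": "*"},
}

# Well-known escalation-enabling action sets (a subset). Each path requires
# every listed action to be allowed.
PRIVESC_PATHS = [
    ("new policy version on an attached policy", {"iam:CreatePolicyVersion"}),
    ("switch default policy version", {"iam:SetDefaultPolicyVersion"}),
    ("attach a managed policy to self", {"iam:AttachUserPolicy"}),
    ("create access key for any user", {"iam:CreateAccessKey"}),
    ("pass role to a new Lambda function",
     {"iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"}),
    ("pass role to a new EC2 instance", {"iam:PassRole", "ec2:RunInstances"}),
    ("replace code of an existing Lambda function", {"lambda:UpdateFunctionCode"}),
]


def _as_list(value):
    """IAM allows scalars or lists in Statement and Action fields."""
    return value if isinstance(value, list) else [value]


def action_patterns(policy, effect):
    """Collect Action patterns from statements with the given Effect."""
    patterns = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == effect and "Action" in stmt:
            patterns.extend(_as_list(stmt["Action"]))
    return patterns


def matches(patterns, action):
    """IAM action names are case-insensitive and support * and ? wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def is_allowed(policy, action):
    """Explicit Deny wins over Allow; no matching Allow is an implicit deny."""
    return (matches(action_patterns(policy, "Allow"), action)
            and not matches(action_patterns(policy, "Deny"), action))


def find_privesc_paths(policy):
    """Names of escalation paths whose every required action the policy allows."""
    return [name for name, needed in PRIVESC_PATHS
            if all(is_allowed(policy, a) for a in needed)]


if __name__ == "__main__":
    for label, policy in (("developer", DEVELOPER_POLICY), ("read-only", READONLY_POLICY)):
        print(label, "->", find_privesc_paths(policy) or "no known path")
```

On the developer sample, the lambda:* wildcard plus iam:PassRole flags both the new-function and update-function-code paths, while the read-only sample flags nothing. The next manual step is the one the script skips: check the Resource on the PassRole statement to see which roles can actually be passed, and what those roles are allowed to do once a function runs under them.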
Schellman does perform cloud penetration testing—our Penetration Testing Team continues to grow and is currently comprised of individuals from different backgrounds including former developers, system administrators, and lifelong security professionals. Our team is incredibly experienced, and collectively holds the following professional certifications, among others: