These days, many organizations have migrated at least some of their IT services to a cloud environment.
Cloud adoption could be as basic as the use of Microsoft Office 365 on some workstations. It could also be much more comprehensive, such as the use of a fully integrated Microsoft Azure or Amazon Web Services infrastructure.
One of the main reasons for cloud migration is the redundancy and reliability of the platform. What this means is that organizations often have a lot of their most important information and systems stored in the cloud, such as email and database servers.
With this increased importance comes an increased level of risk, which needs to be taken into account when allocating resources to security tasks. Regular penetration testing and vulnerability scanning have been critical parts of comprehensive security policies for decades now and, with the shift of critical data and systems toward the cloud, the focus of these services also needs to change.
Cloud reconnaissance and enumeration
When it comes to penetration testing and vulnerability scanning, knowledge is everything. The more information an attacker has about a targeted organization, the easier its systems are to compromise. From a defensive perspective, the more information the security administrator has about the network and the systems connecting to it, the better the organization can protect and monitor them. There are many ways to gather this information, both passively, through cloud reconnaissance, and actively, through cloud enumeration.
The use of standardized cloud services has brought some challenges and some new opportunities that both offensive and defensive parties need to keep in mind. A cloud environment is generally better protected, but the services are often standardized, well-documented and publicly accessible.
The first step in public cloud reconnaissance is to identify whether the target is using any cloud services and, if so, which services they are using. As was covered in Gerald Steere and Sean Metcalf's "Hacking the Cloud" session at DEFCON 2017, the best way to do this is to query specific domain name system (DNS) records.
DNS MX records are used to direct email to a company's email servers for processing, which means they hold important information. If the records point to Outlook.com for instance, the target is likely using Office 365 for email services.
Also, during the setup of an Office 365 service, Microsoft requires the creation of a DNS TXT record in order to prove that the domain is indeed owned and managed by the requester. This record can be removed afterward, but this is rarely done.
Many other service providers require the same type of authentication. If there is a DNS TXT record named amazonses, for instance, the target is likely to use Amazon Simple Email Service. More information is available via CNAME, SPF and DFS records.
There are a lot of tools available for cloud reconnaissance that can easily extract the required DNS information. Nmap is a widely known tool that can extract a lot of DNS information via specific command switches. Dnsenum and DIG -- Domain Information Groper -- are other tools that can be used for DNS enumeration. All of these come preinstalled with Kali Linux.
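The DNS fingerprinting described above, as an added example that is not code from the original article. It reads a domain's MX and TXT records and reports which cloud services they reveal, so an administrator can see what their own zone tells an outsider. The record data below is constructed for a fictional domain; the fingerprints follow the article (an MX pointing at Outlook.com signals Office 365, an Amazon SES verification TXT record signals SES), while the exact shapes of the verification records ("MS=ms..." for Office 365, the "_amazonses." owner name for SES) are assumptions about how they typically look. The optional live lookup uses the third-party dnspython library.

```python
"""Fingerprint cloud services from a domain's DNS records.

Added example, not code from the original article. SAMPLE_RECORDS is constructed
data; the verification-record shapes in FINGERPRINTS are assumptions.
"""
import re
from collections import defaultdict

# (record type, which field to test, pattern, what a match reveals)
FINGERPRINTS = [
    ("MX", "data", re.compile(r"\.mail\.protection\.outlook\.com\.?$", re.I),
     "Office 365 / Exchange Online mail (MX points at Outlook.com)"),
    ("TXT", "data", re.compile(r"^MS=ms\d+$", re.I),
     "Office 365 domain-verification TXT (often left in place after setup)"),
    ("TXT", "data", re.compile(r"\binclude:spf\.protection\.outlook\.com\b", re.I),
     "Office 365 SPF include"),
    ("TXT", "name", re.compile(r"^_amazonses\.", re.I),
     "Amazon SES domain-verification TXT"),
    ("TXT", "data", re.compile(r"\binclude:amazonses\.com\b", re.I),
     "Amazon SES SPF include"),
]

# Constructed zone data for a fictional domain: (owner name, type, rdata).
SAMPLE_RECORDS = [
    ("example-corp.test", "MX", "0 example-corp-test.mail.protection.outlook.com."),
    ("example-corp.test", "TXT", "MS=ms12345678"),
    ("example-corp.test", "TXT",
     "v=spf1 include:spf.protection.outlook.com include:amazonses.com -all"),
    ("_amazonses.example-corp.test", "TXT", "c0nstructedVerificationToken0000="),
    ("example-corp.test", "TXT", "google-site-verification=c0nstructed"),
]


def classify_records(records):
    """Return {service label: [matching records]} for every fingerprint hit."""
    found = defaultdict(list)
    for name, rtype, data in records:
        for f_type, field, pattern, label in FINGERPRINTS:
            if rtype != f_type:
                continue
            if pattern.search(name if field == "name" else data):
                found[label].append((name, rtype, data))
    return dict(found)


def cloud_services(records):
    """Sorted list of the service labels the records reveal."""
    return sorted(classify_records(records))


def fetch_records(domain):
    """Query MX and TXT records live with dnspython (third-party; assumed installed).

    Only needed for a real domain; the sample run below uses SAMPLE_RECORDS.
    """
    import dns.exception
    import dns.resolver
    out = []
    for owner in (domain, "_amazonses." + domain):
        for rtype in ("MX", "TXT"):
            try:
                answers = dns.resolver.resolve(owner, rtype)
            except dns.exception.DNSException:
                continue  # NXDOMAIN, no answer, timeout: nothing to learn here
            for rr in answers:
                # TXT rdata comes back as quoted strings; join them into one value
                out.append((owner, rtype, rr.to_text().replace('" "', "").strip('"')))
    return out


if __name__ == "__main__":
    import sys
    records = fetch_records(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RECORDS
    for label, hits in classify_records(records).items():
        print(label)
        for name, rtype, data in hits:
            print(f"    {name} {rtype} {data}")
```

Run it with no arguments to see the classification of the constructed zone, or with your own domain name to run the live lookup. Any verification TXT record it reports that is no longer needed is a candidate for cleanup, since the article notes these records are rarely removed after setup.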
Network and application scanning
Scanning the cloud perimeter is nothing new from a technical perspective. Traditional network monitoring tools, such as Nmap and Kismet, will work without any issues. What is new, however, is that a cloud target is located within a shared network owned by the cloud service provider (CSP).
To avoid any impact to other customers and any defensive or legal action from the CSP, always ask for written approval prior to starting broad and comprehensive scans, both to and from a cloud instance. Request forms should be easily accessible on the provider's support page. Of course, an actual attacker would skip this administrative step, but they are more likely to target their scan better anyway, to generate less noise and fewer alerts.
Cloud-specialized tools
Development of new and adapted reconnaissance, enumeration and exploitation tools, specialized for targeting public cloud providers, has been limited. There are a few useful cloud reconnaissance tools, though.
One of these tools is Azurite. This is a reconnaissance and visualization tool that offers a good understanding of which Azure services are in use and how they are connected. It does need subscription credentials so, understandably, its use is limited to cloud account owners and white box penetration testers.
An interesting development from the offensive side is the use of bots that search sites like GitHub for uploaded code containing cloud account access API keys. The impact of such a leak could be enormous to account owners, so it is important for any organization to place security controls around the use of these sites -- for instance, via data loss prevention services.
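A minimal version of the kind of control the paragraph above recommends, as an added example that is not code from the original article: a scanner that flags cloud credentials in source files before they are committed or pushed, suitable for a pre-commit hook or CI step. The AWS access key ID format (the AKIA prefix followed by 16 uppercase alphanumerics) is documented by AWS; the sample source is constructed and uses AWS's own published example key pair. The entropy threshold and the "secret-looking name assigned a long literal" heuristic are this example's own choices.

```python
"""Flag cloud credentials in source before it reaches a public repository.

Added example, not code from the original article. SAMPLE_SOURCE is constructed;
the secret_assignment heuristic and min_entropy threshold are assumptions.
"""
import math
import re
import sys
from collections import Counter

PATTERNS = {
    # AWS access key IDs have a fixed prefix and length, so a plain regex is reliable.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # A name that smells like a secret assigned a long string literal; confirmed by entropy.
    "secret_assignment": re.compile(
        r"(?i)(secret|api[_-]?key|token)\w*\s*[=:]\s*['\"]([A-Za-z0-9/+_\-]{20,})['\"]"),
}

SAMPLE_SOURCE = """\
import boto3

# constructed sample: credentials pasted into a script that is about to be committed
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
api_key = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"  # placeholder: low entropy, must not alert
client = boto3.client("s3")
"""


def shannon_entropy(s):
    """Bits per character; real secrets score high, filler like 'xxxx' scores 0."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text, min_entropy=3.5):
    """Return (line number, pattern name, masked value) for each likely credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(m.lastindex) if m.lastindex else m.group(0)
                if name == "secret_assignment" and shannon_entropy(value) < min_entropy:
                    continue  # repeated filler, not a real key
                findings.append((lineno, name, value[:4] + "..."))  # never echo the whole secret
    return findings


def scan_files(paths):
    """Scan each file; returns {path: findings} for files that had any."""
    report = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits = scan_text(fh.read())
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. from a hook: leak_check.py $(git diff --cached --name-only)
        report = scan_files(sys.argv[1:])
    else:
        hits = scan_text(SAMPLE_SOURCE)
        report = {"<constructed sample>": hits} if hits else {}
    for path, hits in report.items():
        for lineno, name, masked in hits:
            print(f"{path}:{lineno}: {name} ({masked})")
    sys.exit(1 if report else 0)
```

The non-zero exit status is what makes it usable as a gate: a hook that runs it over staged files blocks the commit when a key is found. The same logic can be pointed at an organization's existing repositories to find keys that were already pushed, which should then be rotated rather than merely deleted from history.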
The importance of cloud reconnaissance
It is incredibly important for any company to know what network and security information is publicly accessible. After proactively gathering this information, as an attacker would, actions can be taken to limit exposure and security risks. Regular scans of the perimeter, analysis and cleanup of DNS records, and taking obsolete services and cloud instances offline are all things an organization can do to be proactive from a security perspective.
In the end, it is critical to know what company data is out there so it can be best protected from malicious entities.