Cloud Security Training and Consulting
Cloud Penetration Testing

How We Pentest your AWS, Azure, or GCP Account

At 2nd Sight Lab, we focus on helping you improve security, not just on finding some obscure way to attack your systems. We do more than run a tool against your systems and generate an automated report. We do leverage tools and automation, and we follow a set process for performing penetration tests on cloud accounts. By using the same approach each time, we can dive deeper faster and provide more value. We execute a combination of assessment and penetration activities to determine the overall security of your account and the applications running in it. We provide analysis of each finding, mitigation steps your team can use to fix the problem, and additional resources for those who want to dive deeper.

Qualifications and Certifications

Teri Radichel, principal penetration tester, holds three of the certifications recommended by PCI (GCIH, GPEN, and GXPN) and is a SANS GSE. She also holds a certification in reverse engineering and teaches cloud penetration testing in the 2nd Sight Lab Cloud Security Architecture and Engineering class. She holds a master's degree in software engineering and a master's degree in information security engineering, and has over 25 years of programming and security experience. Teri is also an AWS Hero and runs the Seattle AWS Architects & Engineers Meetup, which has close to 3,000 members. She is a member of InfraGard and formerly worked for companies such as F5, Nordstrom, and Capital One, either as an employee or as a consultant. Teri was on the original team that helped Capital One move production workloads to the cloud. She is also an IANS Faculty Member, and SANS Institute awarded her the SANS Difference Makers Award for her innovative work in cloud security. Teri hires only highly qualified contractors and partner penetration testing companies whom she knows personally to assist with penetration tests as required.

Scope

We perform the following activities during a pentest of your AWS, Azure, or GCP account:
  • Web application testing to see whether vulnerable applications provide access to the account.
  • Assessment of the cloud configuration in AWS, Azure, or GCP.
  • Limited reverse engineering and code review where relevant to the findings.
  • Cloud architecture reviews, available upon request; these require system documentation.
  • Fuzzing for maximum coverage, since the time available for testing is limited.

Engagement

  • Tests are performed part-time, at random times, over a 3 to 4 week period.
  • The testing period is a defined window with a start and end date.
  • We perform tests from an AWS region, so network access from that region must be available.
  • We test in non-production environments and can verify findings in production.
  • Rate limiting must be turned off for fuzzing to work.
  • Contacts must be available who can help restore access as needed.
  • We check in with the client at whatever cadence the client prefers.
  • We require the approval of a C-level executive to perform the test.
  • Customers need to provide appropriate credentials and respond in a timely manner.

Cloud Penetration Testing Process

The cloud penetration testing process differs from a traditional pentest because of the dynamic nature of ephemeral resources and the limitations cloud providers place on certain types of testing. Testers must understand cloud technologies and the provider-specific requirements that affect scope. Instead of a list of IP addresses, we request cloud credentials with a specific role, along with domain names, URLs, and an AWS account number. We test from dynamic IP addresses in an AWS region. We help customers understand the process further during the setup phase of the penetration test. We aim for coverage over stealth.

High-level penetration testing steps:

1. Define scope and rules of engagement with the customer
2. Setup and reconnaissance
3. Scan web applications, network, and cloud account
4. Exploitation
5. Validation of findings with multiple tools
6. Report writing and delivery

Penetration Testing Report

Our reports include high-level and detailed prioritized findings, steps to reproduce, recommended remediation, and additional resources related to each finding.

Request a Penetration Test

To request a penetration test, connect with Teri on LinkedIn or Twitter, or call 206.909.8374 to set up a meeting to discuss further.

© 2018 2nd Sight Lab, LLC | Seattle, Washington