Cobalt’s GCP cloud-based security assessment is an exercise in which our Cobalt Core team of pentesters carry out an assessment to test the GCP-based cloud environment and all of its internal and external components. At Cobalt we follow an industry standard methodology primarily based on Google’s best security practices and additional security testing methodologies, such as the OWASP ASVS and CIS Critical Security Controls. We perform the following steps to ensure full coverage:
Logistics
The pentesters require Auditor role Identity and Access Management (IAM) API credentials for each GCP account the configuration review should be performed on. Use a (service) account with Viewer and Security Reviewer permissions to provide the API credentials.
Targeted scope initial reconnaissance
Initially, testers examine the provided documentation and confirmed scope. Using various tools, testers then confirm the presence of different sets of components and technologies within the environment.
Pentesters then perform external scope discovery exercises within this initial stage to determine the discoverable attack surface and the externally exposed landscape. This step helps to ensure that testers have all the necessary levels of access, that the scope is fully accessible, and that no externally exposed components are unreachable.
This stage also allows pentesters to develop an assessment execution plan they can follow throughout the rest of the assignment.
ℹ️ During this phase, testers use multiple reconnaissance scanning tools, such as G-Scout, Security Monkey, GCP-audit, or GCloud. Note: The tools testers use may vary from test to test.
Component enumeration
During this stage, pentesters perform automated component discovery and enumeration within the GCP environment, while using client-provided GCP access keys.
For this exercise, the key is to gather as much information as possible about the components used within the environment, to assess their potential impact on the environment itself through the various tools, and to perform basic scans of the existing configuration. This phase also allows pentesters to become familiar with the GCP internal footprint and to obtain detailed reports from various tools on the current setup of cloud components, such as Google Cloud Storage.
ℹ️ During this phase, testers use multiple component scanning tools, such as G-Scout, Security Monkey, GCP-audit, or GCloud. Note: The tools testers use may vary from test to test.
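The two checks a reviewer most often wants from the logistics and enumeration phases above are "does the assessment account hold only the Viewer and Security Reviewer roles it was supposed to get?" and "which storage buckets are readable by everyone?". The script below is an added example and is not Cobalt's tooling; it runs offline over constructed IAM policy documents in the shape returned by `gcloud projects get-iam-policy PROJECT --format=json` and `gsutil iam get gs://BUCKET`. The project, bucket and account names are made up for the example.

```python
"""Offline least-privilege and public-access checks over GCP IAM policy JSON.

Added example, not part of the original page. The policy documents are
constructed samples in the shape of `gcloud projects get-iam-policy` and
`gsutil iam get` output; all project, bucket and principal names are fictitious.
"""
import json

# Roles the assessment (service) account is expected to hold, per the logistics
# section: Viewer and Security Reviewer. Anything beyond this pair is flagged.
EXPECTED_AUDITOR_ROLES = {"roles/viewer", "roles/iam.securityReviewer"}

# Principals that make a binding world-readable.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

AUDITOR = "serviceAccount:pentest-audit@example-project.iam.gserviceaccount.com"

# Constructed sample: project-level policy. The auditor account was also given
# roles/editor, which is more than a configuration review needs.
PROJECT_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/viewer", "members": [AUDITOR]},
        {"role": "roles/iam.securityReviewer", "members": [AUDITOR]},
        {"role": "roles/editor", "members": ["user:dev@example.com", AUDITOR]},
    ],
    "etag": "BwXyz=",
    "version": 1,
})

# Constructed sample: two bucket-level policies, one with a public binding.
BUCKET_POLICIES = {
    "gs://example-public-assets": json.dumps({"bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/storage.admin", "members": ["group:ops@example.com"]},
    ]}),
    "gs://example-private-backups": json.dumps({"bindings": [
        {"role": "roles/storage.objectAdmin", "members": ["group:ops@example.com"]},
    ]}),
}


def roles_for_member(policy_json, member):
    """Return the set of roles bound to `member` in one policy document."""
    policy = json.loads(policy_json)
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def excess_auditor_roles(policy_json, member, expected=EXPECTED_AUDITOR_ROLES):
    """Roles on the assessment account beyond the Viewer/Security Reviewer pair."""
    return roles_for_member(policy_json, member) - expected


def public_bindings(policy_json):
    """Sorted (role, member) pairs that grant access to allUsers/allAuthenticatedUsers."""
    policy = json.loads(policy_json)
    return sorted((b["role"], m)
                  for b in policy.get("bindings", [])
                  for m in b.get("members", [])
                  if m in PUBLIC_MEMBERS)


def public_buckets(bucket_policies):
    """Map bucket name -> its public bindings, for buckets that have any."""
    found = {}
    for bucket, policy_json in bucket_policies.items():
        pub = public_bindings(policy_json)
        if pub:
            found[bucket] = pub
    return found


if __name__ == "__main__":
    print("excess auditor roles:", sorted(excess_auditor_roles(PROJECT_POLICY, AUDITOR)))
    print("public buckets:", public_buckets(BUCKET_POLICIES))
```

In a real review the two JSON inputs come from the client's project rather than the constants above; the same functions apply unchanged, and any non-empty result from `excess_auditor_roles` is the cue to trim the assessment account back to the two roles before testing begins.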
Automated component configuration assessment
In the third phase of the GCP cloud security assessment, Cobalt pentesters review the reporting to determine risks across the environment. After gathering all the reports from the different tools, pentesters analyze them in detail and compare them with any client-defined areas of focus.
We then re-test and confirm any detected anomalies or misconfigurations prior to the risk assessment exercise. Pentesters perform risk assessment exercises based on a CIS industry best practices template and score all risks based on their impact and likelihood.
ℹ️ During this phase, testers use multiple component configuration testing tools, such as G-Scout, Security Monkey, GCP-audit, or GCloud. Note: The tools testers use may vary from test to test.
Automated and manual assessment of externally exposed services
Based on the scope provided by the client, Cobalt pentesters perform an external manual and automated assessment over all of the externally exposed systems and services. The goal of this assessment phase is to perform basic vulnerability assessment and potentially detect service-related vulnerabilities that were not detected during the internal configuration scans.
Additionally, for any configuration-related findings that could have external impact, pentesters will also confirm these through the public interfaces while using internally gathered endpoint web addresses.
ℹ️ During this phase, testers use multiple component configuration tools, such as G-Scout, Security Monkey, GCP-audit, or GCPBucketBrute. Note: The tools testers use may vary from test to test.
Architectural design analysis
The last stage of an active GCP security assessment is the manual review of the GCP architecture provided by the client. During this stage, pentesters review and assess the current GCP overall layout from the risks perspective and ensure that there are no security-related issues. Design of the GCP infrastructure is crucial to ensure the overall security posture of the environment is satisfactory and able to deter ever-evolving threats.
Cobalt pentesters follow industry best practices when reviewing the architecture and combining the findings with component configuration reports to make sure that risks are assessed realistically.
Additionally, on the client's request and to ensure better coverage, it is possible to gather additional information on internal procedures such as CI/CD, patching, and access granting. That way Cobalt pentesters are able to fully assess and advise on the overall security posture.
ℹ️ During this phase, testers use multiple component configuration testing tools, such as G-Scout, Security Monkey, GCP-audit, or GCloud. Note: The tools testers use may vary from test to test.
Reporting, triaging, and additional testing
Pentesters report and triage all vulnerabilities during the assessment itself. We provide details on all of the findings discovered by our pentesters through our online platform. Clients have full visibility over discoveries in real-time through the Cobalt platform.
In the findings and final report, pentesters provide detailed remediation steps and advice on further improvements of the security posture.
The client can perform remediation efforts on critical discoveries during and after the testing timeframe, and pentesters can test the updated components and re-test the discovered issues to confirm that there is no residual risk for the client from a security perspective.
Common tools used during these assessments
For more information on the testing tools mentioned above, see the following resources:
- G-Scout (GitHub - nccgroup/G-Scout: Google Cloud Platform Security Tool): security auditing tool for GCP environments
- ScoutSuite (GitHub - nccgroup/ScoutSuite: Multi-Cloud Security Auditing Tool): cloud security auditing tool
- Gcp-audit (GitHub - spotify/gcp-audit: A tool for auditing security properties of GCP projects): auditing tool
- Gcloud: command line interface for GCP
- GCPBucketBrute (GitHub - RhinoSecurityLabs/GCPBucketBrute: A script to enumerate Google Storage buckets, determine what access you have to them, and determine if they can be privilege escalated): enumerate Google Storage buckets
- Security Monkey (GitHub - Netflix/security_monkey: Security Monkey monitors AWS, GCP, OpenStack, and GitHub orgs for assets and their changes over time): AWS / GCP insecure configuration monitoring tool