In a series of articles I am planning to write, one of them will be on how to “ethically” pen-test Microsoft Azure architectures. From my experience, it is not that difficult to pen-test but doing it in a sense of respecting the rules of engagement, state rules, etc. can be very challenging.
First of all, we need to define the scope of our penetration testing. From my experience, scope says it all and is 80% of the job well done however, asking the right questions isn’t that easy. I prefer a “white box” testing approach for cloud environments. Why? Simple, cloud architectures can be complex, resources can be shared among other customers (IaaS), all together, risky to accidentally target more than alone your customer.
Most of the time, my baseline requires a list of target subscription(s), a list of service types in the targeted subscriptions that map to an IP address, a list of any IP address(es) or host names of the service(s) that you are planning to test. Sometimes your customer will tell you almost nothing, could be because their IT-team knows nothing about cloud, or the customer thinks his environment is built out of fortune cookies, in any way, it will limit your scope significantly, you will have limit or no knowledge at all of the services that you will need to target. Best is to push the customer to tell you at least the baseline. Once you have the lists, as a last step, I will try to define the goals we need to attend and the desired outcome of the pen testing. Don’t forget your customer to sign a contract with you outlining what I have been suggesting as a preparation to your assignment, you need to have authorization for your vulnerability assessment and penetration testing. One other thumb rule when working with large companies, most of them have internal policies outlining what is allowed and what is not in terms of security testing.
Ok, so you have everything you need from your customer. What’s next?
Notify Microsoft. Yes, you need to notify Microsoft before starting any pen-tests! Check out this website from Microsoft where you can find all the latest information on the do’s and don’ts: https://portal.msrc.microsoft.com/en-us/engage/pentest. It’s also the place where you will register your pen-test through a “notification” form. If you are performing a scan using known platforms such as Qualys, Nessus (Tenable), … or if you are planning to exercise a few port scans, scanning for vulnerabilities like OWASP (Open Web Application Security Project), there’s no need for a formal registration. For all other pen-tests, it’s advised to let Microsoft know in advance.
Example of the “notification” form:
Read Microsoft’s Cloud Unified Penetration Testing Rules of Engagement: https://www.microsoft.com/en-us/msrc/pentest-rules-of-engagement?rtc=1
For people pen-testing AWS (Amazon Web Services), you can find the form here: https://aws.amazon.com/security/penetration-testing/
If you discover a flaw in Microsoft, let them know. The Microsoft Online Services Bounty Program will tell you about it: https://www.microsoft.com/en-us/msrc/bounty-microsoft-cloud?rtc=1
- only test the subscription(s) you have been authorized to do so
- don’t perform any tests that are not described in your agreement
- do not target other customers and/or Microsoft