Safer network scans. Using a zero trust model for security… | by Teri Radichel | Cloud Security | December 2023


Use a zero trust model for security analytics software

This is my random thought for the day as I complete a penetration test. I like the granularity you can get with cloud networking and the detail you can get to perform more secure penetration testing on AWS.

The first thing I do before performing network scans is to run a query for all IP addresses in the AWS account I’m testing. This includes the IP addresses of Lambda functions, NAT instances, etc.

Once I have all the IP addresses, I can build a very specific network for an NMAP scan to scan any port and IP without exposing my scanner to the entire Internet for all of those IP addresses and ports.

You can create a NACL that allows inbound and outbound traffic to or from any IP address in that range, plus inbound and outbound rules for your remote access to the scanner on the specific port and protocol you use to reach it.

If you stop there, any compromised hosts on the network you are scanning may be able to attack your scanner and a compromised scanner could potentially attack your remote access host, so don’t stop there.

The next step is to create a security group that only allows inbound traffic from your remote IP address to your host, and allows outbound traffic only to the IP addresses you scan.

Let’s say one of the hosts you are scanning is compromised. With only the stateless NACL in place, which allows all inbound and outbound traffic for those addresses, that host could turn around and attack your scanner through the inbound rules and exfiltrate data, for example. Once the security group is added, it can’t initiate traffic to your scanner at all, even though the NACL still permits it.

However, when you add the security group:

  • The scanner can initiate traffic to the hosts it scans, but not to any other host on the Internet, including the one you use to connect to the scanner.
  • Let’s say the scanning software is compromised and steals credentials. How will it pass these credentials to another host? It cannot initiate traffic from your scanner to send credentials to an attacker-controlled server. Anything is possible, but you’ve made it quite difficult and limited the ability to steal scanner credentials…
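The three steps above (enumerate the account’s IP addresses, build the stateless NACL, then add the stateful security group) as one worked script. This is an added example, not code from the post or from Teri Radichel; it assumes the IPs are gathered from the account’s elastic network interfaces via boto3’s `ec2.describe_network_interfaces()`, and the response embedded below is constructed so that the rule-building part runs offline. The NACL and security group IDs, the remote address `198.51.100.7` and port 22 are placeholders. Two details that are easy to miss and that the script handles: because the NACL is stateless, the outbound rule toward the remote access host has to cover the ephemeral source ports of your SSH client, not just port 22; and a newly created security group allows all outbound traffic by default, so that rule must be revoked before the target-only egress means anything.

```python
"""Build the NACL and security-group rule sets for an isolated Nmap scanner.

Added example, not the post's own code. It assumes boto3's
ec2.describe_network_interfaces() response shape for the enumeration step;
the response embedded below is constructed so the script runs offline.
"""
import ipaddress
from typing import Dict, List

# Constructed sample response: an EC2 instance, a VPC-attached Lambda ENI and a
# NAT gateway ENI, each carrying IPs the scanner is allowed to reach.
SAMPLE_ENIS = {
    "NetworkInterfaces": [
        {"InterfaceType": "interface", "Description": "web-1",
         "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.1.10",
                                 "Association": {"PublicIp": "203.0.113.10"}}]},
        {"InterfaceType": "lambda", "Description": "AWS Lambda VPC ENI",
         "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.2.20"}]},
        {"InterfaceType": "nat_gateway", "Description": "Interface for NAT Gateway",
         "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.0.5",
                                 "Association": {"PublicIp": "203.0.113.5"}}]},
    ]
}

NACL_QUOTA_PER_DIRECTION = 20   # AWS default; can be raised to 40 on request
EPHEMERAL = (1024, 65535)       # client source ports, needed by the stateless NACL


def enumerate_ips(response: dict) -> List[str]:
    """Every private and public IP attached to an ENI in the account."""
    ips = set()
    for eni in response["NetworkInterfaces"]:
        for addr in eni.get("PrivateIpAddresses", []):
            ips.add(addr["PrivateIpAddress"])
            public = addr.get("Association", {}).get("PublicIp")
            if public:
                ips.add(public)
    return sorted(ips, key=ipaddress.ip_address)


def nacl_entries(targets: List[str], remote_ip: str, access_port: int) -> List[Dict]:
    """NACL entries in create_network_acl_entry() keyword form.

    NACLs are stateless, so every flow needs a rule in each direction: all
    protocols to and from each target, the remote-access port inbound from the
    remote host, and the ephemeral return ports outbound to the remote host.
    """
    if remote_ip in targets:
        raise ValueError("remote access host must not be among the scan targets")
    entries, rule = [], 100
    for ip in targets:
        for egress in (False, True):
            entries.append({"RuleNumber": rule, "Protocol": "-1", "RuleAction": "allow",
                            "Egress": egress, "CidrBlock": f"{ip}/32"})
        rule += 10
    entries.append({"RuleNumber": rule, "Protocol": "6", "RuleAction": "allow",
                    "Egress": False, "CidrBlock": f"{remote_ip}/32",
                    "PortRange": {"From": access_port, "To": access_port}})
    entries.append({"RuleNumber": rule, "Protocol": "6", "RuleAction": "allow",
                    "Egress": True, "CidrBlock": f"{remote_ip}/32",
                    "PortRange": {"From": EPHEMERAL[0], "To": EPHEMERAL[1]}})
    per_direction = len(entries) // 2
    if per_direction > NACL_QUOTA_PER_DIRECTION:
        raise ValueError(f"{per_direction} rules per direction exceeds the NACL quota; "
                         "aggregate targets into CIDR blocks or split the scan")
    return entries


def security_group_rules(targets: List[str], remote_ip: str, access_port: int) -> Dict:
    """Stateful security group: inbound only from the remote host on the
    access port, outbound only to the targets. Scanned hosts cannot initiate
    traffic to the scanner, and the scanner cannot reach anything else."""
    if remote_ip in targets:
        raise ValueError("remote access host must not be among the scan targets")
    return {
        "ingress": [{"IpProtocol": "tcp", "FromPort": access_port, "ToPort": access_port,
                     "IpRanges": [{"CidrIp": f"{remote_ip}/32"}]}],
        "egress": [{"IpProtocol": "-1",
                    "IpRanges": [{"CidrIp": f"{ip}/32"} for ip in targets]}],
    }


def apply(nacl_id: str, sg_id: str, targets: List[str], remote_ip: str, access_port: int):
    """Push the rules with boto3 (placeholder ids; needs AWS credentials)."""
    import boto3
    ec2 = boto3.client("ec2")
    for entry in nacl_entries(targets, remote_ip, access_port):
        ec2.create_network_acl_entry(NetworkAclId=nacl_id, **entry)
    rules = security_group_rules(targets, remote_ip, access_port)
    # A new security group allows all outbound traffic by default; drop that first.
    ec2.revoke_security_group_egress(GroupId=sg_id, IpPermissions=[
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}])
    ec2.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=rules["ingress"])
    ec2.authorize_security_group_egress(GroupId=sg_id, IpPermissions=rules["egress"])


if __name__ == "__main__":
    scan_targets = enumerate_ips(SAMPLE_ENIS)   # offline: uses the constructed sample
    for entry in nacl_entries(scan_targets, "198.51.100.7", 22):
        print(entry)
    print(security_group_rules(scan_targets, "198.51.100.7", 22))
    # apply("acl-PLACEHOLDER", "sg-PLACEHOLDER", scan_targets, "198.51.100.7", 22)
```

For a real engagement, replace `SAMPLE_ENIS` with the live `describe_network_interfaces()` response (paginate if the account is large) and keep the default deny of the NACL and the empty security group egress as the baseline; the script only adds the specific allows the post describes.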