4min chapter

The Evolution Exchange Cyber Security Podcast cover image

Evo Cyber Security #41 - The Art of Penetration Testing - Techniques, Tools, and Best Practices

The Evolution Exchange Cyber Security Podcast

CHAPTER

The Benefits of Cloud Environments for Pen Testers

Most people I see are just you know for the external testing. Spinning up cloud services. Linux machines, Kali Linux. Most of the tools you want to use are open source freely available at least. The only kind of commercial thing in my opinion that you kind of need for the network testing is a commercial standard. It's hard for me to justify doing a paid for scan for a client and trying to use just free scanners that are going to be as good as something like Nessus or Qualus or something like that.

00:00
Speaker 2
I
Speaker 3
like Shane's yeah there's there's so much that you can be set about the the infrastructure. I think Kurt a lot of the points there. Kind of from a foundation. Most people I see are just you know for the external testing. Spinning up cloud services. Linux machines, Kali Linux. Most of the tools you want to use are open source freely available at least. So that's pretty straightforward. I've seen some very nice and use some very nice like internal pen testing frameworks where if you're not doing the kind of get your own command and control but trying to. You know kind of demonstrate or simulate a foothold. Kind of building a Kali box that calls home to a VPN that you can remote into that has the tools you need. The only kind of commercial thing in my opinion that you kind of need for the network testing is a commercial standard. It's hard for me to justify doing a paid for scan for a client and trying to use just free scanners that are going to be as good as something like Nessus or Qualus or something like that. But beyond that as Kurt
Speaker 2
said you're going to use the tools that
Speaker 3
the hackers are using and they're using the free ones or
Speaker 2
they're using cracked versions of cobalt strike or something like that which there's there's free things that can simulate a lot of that stuff too. So Kurt do you feel
Speaker 1
like cloud environments kind of address a lot of your concerns about the redundancy or do you think the bets not good enough. I think you
Speaker 2
know they do I did not fact I the cloud environment adds a whole it is a whole new aspect for looking good but you and the best part is actually mirroring them spinning things up as you can. That's phenomenal. But again how many times have I need to come again it's the idea you have to look at the actual consumer that the consumer the companies are paying a lot of money. And putting a lot of assets and resources to doing these projects in any pen tester whether they're a massive firm or even more likely the smaller firms they want to look like they want to look like the professional they want to look like they can produce those those outstanding you know pen test and then produce your products that are super professional at that again it's it's the simple things that trip people up I mean you think about it yeah we have all this online but if you're it's something happens and your system goes down or people working out of their homes which how many pen tester to do that now and all of a sudden you find out that there's you know power going out for one or people don't have connections. That stuff matters because a lot of times you have a massive company that is that has you know how many people could be out be you know the blue teaming and you know working with pen testers. They're spending the resources so you want to make sure you give them that quality and boy does it make you look good that's the you know the companies that could do it well. I mean that that is what matters and it would be a lot of companies do it well but don't necessarily look present themselves as well as they do it and I think that's important and you not only do it well but you know. You know you're not only do it well but you
Speaker 1
present yourself well and then your product is firm. Yeah that that makes sense. Yeah my team moved pretty much we started off on laptops and testing from like VMs on laptops but a few years ago we moved to AWS pretty much exclusively to avoid a lot of the outages stuff but then also not that AWS doesn't have outages as well I suppose but yesterday right right exactly and then also the liability of having all those laptops out there with customer data on it I set a goal to my team into my technical lead I was like I want to hear someday that one of my testers lost their laptop at the airport and not care about it because there's nothing important on it. And so we moved to kind of that model and I'm fortunate enough to have a few developers on my team that built up this infrastructure as code thing using Terraform and Packer and Ansible to code everything out deploy things from Slack integration it's pretty it's pretty awesome. But at the end of the day I'm able to have at least the eight of the redundancy of AWS and not worried about the liability of laptops.

Get the Snipd
podcast app

Unlock the knowledge in podcasts with the podcast player of the future.
App store bannerPlay store banner

AI-powered
podcast player

Listen to all your favourite podcasts with AI-powered features

AI-powered
podcast player

Listen to all your favourite podcasts with AI-powered features

Discover
highlights

Listen to the best highlights from the podcasts you love and dive into the full episode

Discover
highlights

Listen to the best highlights from the podcasts you love and dive into the full episode

Save any
moment

Hear something you like? Tap your headphones to save it with AI-generated key takeaways

Save any
moment

Hear something you like? Tap your headphones to save it with AI-generated key takeaways

Share
& Export

Send highlights to Twitter, WhatsApp or export them to Notion, Readwise & more

Share
& Export

Send highlights to Twitter, WhatsApp or export them to Notion, Readwise & more

AI-powered
podcast player

Listen to all your favourite podcasts with AI-powered features

AI-powered
podcast player

Listen to all your favourite podcasts with AI-powered features

Discover
highlights

Listen to the best highlights from the podcasts you love and dive into the full episode

Discover
highlights

Listen to the best highlights from the podcasts you love and dive into the full episode