
Breach detection on the cloud - Azure

Presented to VIT University.

Santhosh Kumar

November 08, 2022
Transcript

  1. About me!
     • Principal Security Engineer at DHL, previously with IBM and EY India LLP.
     • Been in this industry for 7 years now. Played both attacking and defending sides in previous roles.
     • Spoke at DEF CON Las Vegas, OWASP AppSec USA, ToorCon San Diego, BSides Las Vegas, etc. Patreon for Null Chennai and OWASP Chennai chapters.
     • Holds industry certs such as OSCP, OSCE, OSWE, CREST CRT, CRTP, etc.
     • B.Tech from Jerusalem College of Engineering (Anna University). I (re)learned fundamentals under Anita ma'am.

  2. TL;DR about this talk
     This talk gives a quick introduction to cloud services, in our case Azure. I will keep the theory part minimal and do hands-on demos for most of the scenarios discussed in this talk. The talk revolves around the industry practices and experiences I have gathered while working with various organizations facing threats targeting their cloud environments. In case you have any questions, feel free to stop me at any time and I will answer them.

  3. As more enterprises move to the cloud, the number of breaches grows too
     Famous cloud breaches:
     • Accenture – 2021 – 6 TB of data stolen
     • Kaseya – 2021 – customer data stolen
     • Facebook – 2021 – millions of records stolen
     • Uber – 2022 – entire organization compromised
     • Marriott – 2018 – passports and credit card numbers stolen; millions of customers' PII data

  4. Incident Response – Why does it matter?
     Incident response is an organized approach to addressing and managing the aftermath of a security breach or cyberattack, also known as an IT incident, computer incident or security incident. The goal is to handle the situation in a way that limits damage and reduces recovery time and costs.
     Ideally, incident response activities are conducted by an organization's computer security incident response team (CSIRT), a group that has been previously selected to include information security and general IT staff as well as C-suite level members. The team may also include representatives from the legal, human resources and public relations departments.
     The incident response team follows the organization's incident response plan (IRP), which is a set of written instructions that outline the organization's response to network events, security incidents and confirmed breaches.

  5. What is Azure AD? And what is not?
     • Azure Active Directory (Azure AD or AAD) is "Microsoft's cloud-based identity and access management service".
     • Microsoft proposes AAD as an Identity as a Service (IDaaS) solution "that span all aspects of identity, access management, and security".
     • Azure AD can be used to access both:
       – external resources like the Azure Portal, Office 365, etc., and
       – internal resources like on-premises applications.
     • Azure AD provides secure remote access for AD-integrated apps and devices, and identity governance for AD accounts.

  6. What is Azure AD? And what is not?
     Azure Active Directory is the next evolution of identity and access management solutions for the cloud. Microsoft introduced Active Directory Domain Services in Windows 2000 to give organizations the ability to manage multiple on-premises infrastructure components and systems using a single identity per user. Azure AD takes this approach to the next level by providing organizations with an Identity as a Service (IDaaS) solution for all their apps across cloud and on-premises.
     https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-compare-azure-ad-to-ad

  7. Azure Terminologies
     • Tenant – An instance of Azure AD; it represents a single organization.
     • Azure AD Directory – Each tenant has a dedicated directory. It is used to perform identity and access management functions for resources.
     • Subscriptions – Used to pay for services. There can be multiple subscriptions in a directory.
     • Core Domain – The initial domain name <tenant>.onmicrosoft.com is the core domain. It is possible to define custom domain names too.
     In Azure, resources are divided into four levels:
       – Management Groups
       – Subscriptions
       – Resource Groups
       – Resources

  8. Azure Terminologies
     • Management groups are used to manage multiple subscriptions.
     • An Azure subscription is a logical unit of Azure services that links to an Azure account. An Azure AD directory may have multiple subscriptions, but each subscription can only trust a single directory.
     • A resource is a deployable item in Azure, like VMs, App Services, Storage Accounts, etc.
     • In Azure, every resource must be inside a resource group and can belong to only one group.
     • Azure provides the ability to assign Managed Identities to resources like App Services, Function Apps, virtual machines, etc.
     • A Managed Identity uses Azure AD tokens to access the resources (like Key Vaults and Storage Accounts) that support Azure AD authentication.

  9. Attack Scenarios – Ways to Defend Them
     • XSS
     • SQL Injection
     • Insecure Direct Object Reference
     • Server Side Request Forgery on App/Function Environment
     • Sensitive Data Exposure and Password Reset
     • Storage Account Misconfigurations
     • Identity Misconfigurations

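Slide 8 notes that a Managed Identity obtains Azure AD tokens to reach Key Vaults and Storage Accounts, and slide 9 lists SSRF on the App/Function environment as an attack scenario: the two combine when a function fetches a caller-supplied URL, because the token endpoint the managed identity uses is reachable from inside the function's own network. The following Python is an added example, not code from the deck, showing the unsafe fetch beside a hardened one. The allowlist `ALLOWED_HOSTS`, the function names, and the injectable `resolver` argument are assumptions made for this example; the metadata address 169.254.169.254 is the documented Azure Instance Metadata Service address.

```python
import ipaddress
import socket
import urllib.request
from urllib.parse import urlparse

# Hosts this function is allowed to call. Constructed allowlist for the example;
# a real function app would load this from configuration.
ALLOWED_HOSTS = {"api.example.com", "partner.example.net"}

# Azure Instance Metadata Service address. A managed identity obtains its
# Azure AD token from this endpoint, so an SSRF that can reach it from inside
# the function environment can leak that token. It is link-local anyway, but
# naming it makes the intent of the check explicit.
IMDS_ADDRESS = ipaddress.ip_address("169.254.169.254")


def fetch_unsafe(url, timeout=5):
    """Vulnerable form: fetches whatever URL the caller supplied.
    Shown for contrast only; nothing in this example calls it."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def is_blocked_address(ip):
    """True for addresses an outbound fetch must never reach:
    IMDS, link-local, RFC 1918, loopback, and anything else non-global."""
    return (
        ip == IMDS_ADDRESS
        or ip.is_link_local
        or ip.is_private
        or ip.is_loopback
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified
        or not ip.is_global
    )


def validate_outbound_url(url, resolver=socket.gethostbyname_ex):
    """Return (ok, reason) for a caller-supplied URL.

    `resolver` has the signature of socket.gethostbyname_ex and is
    injectable so the check can be exercised offline. Resolving the
    allowlisted name and checking every returned address also covers
    the DNS-rebinding case where a permitted name points at IMDS."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if parsed.username or parsed.password:
        return False, "credentials in URL not allowed"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)
        return False, "literal IP addresses not allowed"
    except ValueError:
        pass  # not an IP literal; continue with hostname checks
    if host.lower() not in ALLOWED_HOSTS:
        return False, f"host {host} not in allowlist"
    try:
        _, _, addresses = resolver(host)
    except OSError:
        return False, "DNS resolution failed"
    for addr in addresses:
        if is_blocked_address(ipaddress.ip_address(addr)):
            return False, f"host resolves to blocked address {addr}"
    return True, "ok"


def fetch_hardened(url, timeout=5, resolver=socket.gethostbyname_ex):
    """Hardened form: refuse anything that fails validation before connecting."""
    ok, reason = validate_outbound_url(url, resolver)
    if not ok:
        raise ValueError(f"refusing outbound request: {reason}")
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()
```

The validation runs before any socket is opened, so a request for the metadata endpoint, a private address, or a host outside the allowlist never leaves the function. Pair this with Azure's own controls (a restricted outbound VNet and least-privilege role assignments for the managed identity) rather than relying on URL filtering alone.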
  10. Our goal?
     As an attacker – to reach Owner of the resource group, which is game over for nearsecurity Inc.
     As a defender – find out how the attacker was able to reach Owner of the resource group for nearsecurity Inc.
     Azure defense products:
     • Azure Resources – Alerts
     • Azure AD Roles – Access Review
     • Privileged Identity Management (PIM)
     • Azure AD Identity Protection
     • Microsoft 365 Defender
     • Microsoft Sentinel

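The defender's task on this slide, working out how someone ended up as Owner of the resource group, starts from the activity log: every role assignment is written through `Microsoft.Authorization/roleAssignments/write`, and the assignment's resource ID carries the scope it was granted at. The Python below is an added example, not code from the deck, that scans constructed activity-log records for successful Owner grants and classifies each scope using the four-level hierarchy from slide 7 (plus tenant root). The flat field names in `SAMPLE_ACTIVITY_LOG` are a simplification of the real schema (an assumption; exported records nest these values), and the Owner role GUID is the well-known built-in value, which you should confirm in your own tenant.

```python
import re

# Built-in Owner role definition ID. Well-known Azure GUID, assumed here;
# verify it in your tenant before relying on it in a detection.
OWNER_ROLE_ID = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
ROLE_ASSIGNMENT_WRITE = "Microsoft.Authorization/roleAssignments/write"
ROLE_ASSIGNMENT_MARKER = "/providers/microsoft.authorization/roleassignments/"

# Scope patterns for the levels from slide 7: management group,
# subscription, resource group, resource. Azure resource IDs are
# case-insensitive, hence re.I.
SCOPE_LEVELS = [
    ("management_group", re.compile(r"^/providers/microsoft\.management/managementgroups/[^/]+$", re.I)),
    ("subscription", re.compile(r"^/subscriptions/[^/]+$", re.I)),
    ("resource_group", re.compile(r"^/subscriptions/[^/]+/resourcegroups/[^/]+$", re.I)),
    ("resource", re.compile(r"^/subscriptions/[^/]+/resourcegroups/[^/]+/providers/.+", re.I)),
]


def classify_scope(scope):
    """Map a scope string onto one of the hierarchy levels."""
    if scope == "/":
        return "root"
    for level, pattern in SCOPE_LEVELS:
        if pattern.match(scope):
            return level
    return "unknown"


def assignment_scope(resource_id):
    """The scope a role assignment applies to is everything before the
    roleAssignments segment of its resource ID; an empty prefix is tenant root."""
    idx = resource_id.lower().find(ROLE_ASSIGNMENT_MARKER)
    scope = resource_id if idx < 0 else resource_id[:idx]
    return scope or "/"


def find_owner_grants(records):
    """Return successful Owner grants, oldest first, with who granted them,
    to which principal, and at what scope level."""
    hits = []
    for rec in records:
        if rec.get("operationName") != ROLE_ASSIGNMENT_WRITE:
            continue
        if rec.get("status") != "Succeeded":
            continue
        # roleDefinitionId is a full resource path ending in the role GUID.
        role_id = rec.get("roleDefinitionId", "").rsplit("/", 1)[-1].lower()
        if role_id != OWNER_ROLE_ID:
            continue
        scope = assignment_scope(rec["resourceId"])
        hits.append({
            "time": rec["time"],
            "caller": rec["caller"],
            "principalId": rec["principalId"],
            "scope": scope,
            "scope_level": classify_scope(scope),
        })
    return sorted(hits, key=lambda h: h["time"])


# Constructed sample records for a fictional tenant; not real log data.
OWNER_DEF = "/subscriptions/SUB-1/providers/Microsoft.Authorization/roleDefinitions/" + OWNER_ROLE_ID
OTHER_DEF = "/subscriptions/SUB-1/providers/Microsoft.Authorization/roleDefinitions/NON-OWNER-ROLE-ID-PLACEHOLDER"
SAMPLE_ACTIVITY_LOG = [
    {"time": "2022-11-08T09:12:01Z", "operationName": "Microsoft.Compute/virtualMachines/write",
     "caller": "dev@nearsecurity.example", "status": "Succeeded",
     "resourceId": "/subscriptions/SUB-1/resourceGroups/prod-rg/providers/Microsoft.Compute/virtualMachines/web01"},
    {"time": "2022-11-08T09:15:44Z", "operationName": ROLE_ASSIGNMENT_WRITE,
     "caller": "dev@nearsecurity.example", "status": "Succeeded", "principalId": "PRINCIPAL-A",
     "resourceId": "/subscriptions/SUB-1/resourceGroups/prod-rg/providers/Microsoft.Authorization/roleAssignments/RA-1",
     "roleDefinitionId": OTHER_DEF},
    {"time": "2022-11-08T09:20:10Z", "operationName": ROLE_ASSIGNMENT_WRITE,
     "caller": "func-app-identity", "status": "Failed", "principalId": "PRINCIPAL-B",
     "resourceId": "/subscriptions/SUB-1/resourceGroups/prod-rg/providers/Microsoft.Authorization/roleAssignments/RA-2",
     "roleDefinitionId": OWNER_DEF},
    {"time": "2022-11-08T09:21:33Z", "operationName": ROLE_ASSIGNMENT_WRITE,
     "caller": "func-app-identity", "status": "Succeeded", "principalId": "PRINCIPAL-B",
     "resourceId": "/subscriptions/SUB-1/resourceGroups/prod-rg/providers/Microsoft.Authorization/roleAssignments/RA-3",
     "roleDefinitionId": OWNER_DEF},
    {"time": "2022-11-08T09:40:02Z", "operationName": ROLE_ASSIGNMENT_WRITE,
     "caller": "admin@nearsecurity.example", "status": "Succeeded", "principalId": "PRINCIPAL-C",
     "resourceId": "/subscriptions/SUB-1/providers/Microsoft.Authorization/roleAssignments/RA-4",
     "roleDefinitionId": OWNER_DEF},
]

if __name__ == "__main__":
    for hit in find_owner_grants(SAMPLE_ACTIVITY_LOG):
        print(f"{hit['time']} {hit['caller']} granted Owner to {hit['principalId']} at {hit['scope_level']} scope {hit['scope']}")
```

On the constructed data the first hit is the one that matters for the slide's scenario: a function app's identity, not a human administrator, granting Owner on `prod-rg`, which is the event to pivot from (what the identity did before, and which request reached it) when reconstructing the path. The same filter expressed as a KQL query over `AzureActivity` is the usual way to turn this into a Sentinel analytics rule.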