Continuing our video tutorials on cloud incident response and forensics, our next video is on forensics in Azure:
We’ve built a for automating forensics and incident response in Azure — you can grab a free trial here. You can also download a free playbook we’ve written on how to respond to security incidents in Azure.
How can you prepare for an incident in Azure?
Know Your Data
Identify your crown jewels. Do you have particularly sensitive information, like Personally Identifiable Information (PII) or Payment Card Industry (PCI) data?
If so, you need to know exactly where it lives and what systems process the data. This also includes any backups or logs that might shadow the original data.
Have Backups, And Test They Work
A disaster recovery plan can mitigate not just security incidents like ransomware, but also other likely events such as data center hardware failure. Ransomware is a high risk due to both high impact and relatively high likelihood of occurrence.
Restrict Administrative Accounts
In general, follow the principle of least privilege. In particular, Microsoft provides detailed advice on how to secure administrative accounts in Azure AD.
Require Multi-Factor Authentication for all User Accounts
How can you prepare for an incident in Azure?
Review Azure Security Center Settings
Azure Security Center is a centralized view of both security issues and configuration options. Unfortunately, many of the most useful features need to be enabled (at cost) in advance of any breach.
Limit Network and Remote Access
Limit any connectivity to the internet from your machines as much as possible. A common security issue in Azure is Windows machines with RDP accessible from the internet. This can put you at particular risk of brute-force ransomware attacks.
The general advice is to ensure data is always encrypted at rest and in transit. There are open discussions around how useful encrypting data at rest is with some cloud services. However, you may have particular requirements here if you are in a regulated industry such as finance or healthcare.
“Forensic readiness” will help you not only detect incidents earlier but also make investigations more thorough and efficient. As you can imagine, the more useful data you have, the more likely you will be able to find the root cause of an incident. Ensuring you have the right logs enabled can make all the difference.
Understand the Environment
It is important to gain an understanding of the environment in which the incident occurred.
If you are an internal SOC, you may already know the answers to these questions in advance of an incident:
- Where is sensitive data stored?
- How are users connected to Azure Active Directory?
- Who are the administrators?
- Where are logs stored?
- What Azure Products and Services are in use?
- Is Active Directory connected to On-Premise or Microsoft 365?
Investigating Active Directory
Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service. It combines core directory services, application access management, and identity protection into a single solution. It enables single sign-on and multi-factor authentication to help protect users from password fatigue and phishing attacks. It also provides group management and device management capabilities.
When responding to an incident:
- Identify highly privileged users by using the Azure Portal and Azure Graph
- Identify which applications AD provides authentication for
- Identify and deactivate potentially compromised user accounts
- Identify and disable legacy authentication methods
Will Oram has made a great guide on how to specifically respond to incidents involving Azure Active Directory.
Logging in Azure
Azure has a number of different logs, including:
- Activity Logs: Management events against your subscription e.g., creating a Virtual Machine. Retrieve from the Azure Monitor>Activity Log Service.
- Resource Logs: Data plane events, for example, retrieving a key from a store. Enabled from Diagnostic settings.
- Azure Active Directory Logs: User events and other things generally operated by AD. Enabled from AD > Diagnostic Settings.
- Windows Azure Diagnostics: Logs collected from inside the host. These can be forwarded to your SIEM.
- Application Logs: General application health and performance.
- Storage Analytics Logs: Specific to the storage service.
- Network Security Group Flow Logs: Typical minimal flow logs
- Security Center: Alarms from potentially malicious events
Open Source Tools
The community has created a number of tools that may be of use when responding to incidents in Azure:
- Azure AD Incident Response PowerShell Module
- Sparrow (Identifies compromised accounts in AD)
- Mandiant Azure AD Investigator
- Azure Hound (Collects data from Azure)
- Hawk (Retrieves data for 365 Investigations)
- CrowdStrike Reporting Tool for Azure (Identifies possible issues)
- Cloud Forensic Utils (Retrieves forensic data from Virtual Machines)
Native Azure Tools
Microsoft provides advice on how to use the following platforms to investigate security incidents: