SlideShare a Scribd company logo
7 Dangerous Ways To
Cyberattack Azure
By Abdul khan
Author
• Abdul Khan
• IT Consultant based in Manchester, UK
• Engineering Lead, Executive, Technologist, Architect
• IT experience, within the private and public sectors (Retail, Banking, Digital, Insurance, M.O.D., HMRC, Aviation, Telecommunication,
Housing Associations, Education, Travel, and Pharmaceutical companies). Excellent architectural and strong DevOps experience with
proven-track record of delivering E2E, B2B and B2C solution on regional and global programs.
• SME in specializing in providing integration, data migration, digital transformations to the cloud solutions (Azure and AWS)
• Wealth of experience in global projects across EMEA, ASPAC and LATAM
• Liked in profile https://www.linkedin.com/in/abdul-khan-uk/
Accreditations
Thank you to my brother, good friends and colleagues for reviewing, adding value, sharing their vast experience
and knowledge.
• Samad Khan (IT Manager), specialising in enterprise solution in finance and wealth Management
• Steve Lampton (IT Consultant, Cloud SME) specialising in NetOps, DevOps and SecOps
Audience
Main Audience
• The top cyberthreats may find a wider group of potential stakeholders who are interested in
understanding the threat landscape in general or deepen their understanding to cover particular
threats.
• This document for decision makers, security architects, risk managers, auditors and end-users
who wish to be informed about the where-about of various cyberthreats may find this material
useful.
Assumptions
• Reader has some knowledge of cloud platforms technologies.
Content
1.0 Think Like A Hacker
1.1 Introduction
1.2 Hacker Perspective
1.3 The Top Most Dangerous Cyberattacks
1.4 Account Storage – Architecture
1.5 Account Storage – Storage Stamp
3.0 Final Thoughts
3.1 Considerations & Best Practices
2.0 Cyberattacks and Countermeasures
2.1 Attack01 – Access using account keys
2.2 Attack02 – Ransomware attack and encryption
2.3 Attack03 – Attack VMs and Disks
2.4 Attack04 – Storage Tampering attack
2.5 Attack05 – A Phishing attack
2.6 Attack06 – Attack to Blob and resource using anonymous access
2.7 Attack07 – Attacks To The Public and Private IP Addresses in Azure
1.0 Think Like
A Hacker…
“everything and anything is hackable and vulnerable in some ways”
1.1 Introduction
• Microsoft Azure offers many types of tool and technology to manage and handle threats and
security. This can be from the classical firewall, encryption, network security group, MOMS,
Security Centre, Audit Logging, GDPR and much more.
• To identify the most important risks and threats and how to manage them we need to choose the
right platform that provides the best features and tools.
• In Cloud, any resources can be linked with security or related to hacking and should be assessed
for vulnerabilities. Therefore, few basic questions that should always be asked :-
• Is the functionality secure or vulnerable?
• If yes, how can it be exploited and how much damage could it cause?
1.2 Hacker Perspective (1/2)
• From a hacker perspective, a DNS provides very important data, this includes :
• The Account name is extremely important because it is used by Azure to locate the
primary storage cluster and the datacentre where the storage is located, all the
requests for this account are directed to this location, an application can use a
different account for different locations.
• The Partition name identifies the storage node of the cluster and it is used to scale-
out access to the data, the ObjectName is the specific object in the partition, the
transactions are atomic and managed across the different objects inside the same
PartitionName.
1.2 Hacker Perspective (2/2)
• The Account Storage architecture has been organized to provide the maximum
capacity and scaling, the let see the most important components and how it works.
• The Storage Stamp is a cluster of N racks of storage nodes, and each rack is a
separate fault domain, the challenge is to maintain the storage provisioned in
production as highly utilized as possible if a rack reach lower then 70% the account is
migrated in another rack
• The Location Service manages the account namespace across all stamps and all the
storage stamps, it is also responsible for disaster recovery and load balancing, the LS
updates the DNS and allow the requests from the name
https://AccountName.service.core.windows.net to that storage stamp’s virtual IP
(VIP, an IP address the storage stamp exposes for external traffic).
1.3 The Top Most Dangerous Cyberattacks (1/2)
• There are three most essential areas in Microsoft Azure, RBAC, Storage and
Networking, everything in Azure depends on these three main pillars, and
considering these areas. The 3 topmost dangerous cyberattacks, below the TOP
Parade:
• Privilege escalation to Azure PIM and the Global Admin Account;
• Ransomware Attack;
• Attack to the public and private IP addresses;
• All these attacks are extremely dangerous and effective. However, the privilege
escalation is the most dangerous because it can escalate a top-level, which
means no more control in the entire cloud and company.
• Internal attacks are much more dangerous and effective than the externals, and
companies often underestimate that. Cloud is more secure than on-premise, we
can rely on a much more solid infrastructure but we know cloud has weaknesses.
1.3 The Top Most Dangerous Cyberattacks (2/2)
• RBAC is used to provide access to the storage account to a specific user. Hacker use this
approach to obtain access storage accounts. This is a classic method used to manage
the storage account by people through the Azure Portal.
• There are 3 major areas of Azure, also these are the weak points, most critical and
vulnerable areas for hackers to exploit, they are:-
• Authentication and Authorization (Azure AD and RBAC),
• Microsoft Azure Storage
• Networks(Azure Infrastructure).
1.4 Account Storage - Architecture
Access Blobs, Tables
and Queues for
Accounts
Location Service
DNS
Front-Ends
Stream Layers
Stream Layers
Intra-Stamp
Replication
Storage Stamp
VIP
Front-Ends
Stream Layers
Stream Layers
Intra-Stamp
Replication
Storage Stamp
VIP
Account Management
Inter-Stamp
Replication
https://AccountName.service.core.windows.net
1.5 Account Storage - Storage Stamps
• The three layers in the Storage Stamps:
• Stream Layer is like a distributed file system layer within the stamps, it understands
files, called streams, and it manages how to store, replicate them and more but it
doesn’t have any clue about the data or the semantics.
• The Partition Layers manages and understands the high data abstraction layer (Blob,
Table, Queues, and Files), caching objects, and storing objects on top of the
streaming.
• The Front-End layer manages the authentication and authorizations for the account
though SAS token or Access Key, and it governs the relations between account and
partitions.
2.0 Cyberattacks and
Countermeasures
2.1 Attack01 – Access Using Account Keys
Attack
• Developers use account keys everywhere, they send by email, they write in the code and often they take
notes in files and there are different techniques to use.
• Google Dorks are used by a hacker to collect any type of information on the internet, it is a very powerful
technique, especially if used is a smart way
• The query will search in all Google database for any file indexed of type config, containing the world
accountkey in the web sites githup.com and sourceforge.net
• The githup is not a typo, google may filter some query types, using this technique you can evade them.
Countermeasures
• Create Azure policy to block any unauthorize key vault creation (use a dedicated AD group/user)
• Set less permission privilege to the Key Vault, monitor any access and notify by email any change
• Store any sensitive information in Key Vaults and force developers on using this practice.
• Execute automation source code scanning with Azure DevOps
2.2 Attack02 – Ransomware Attack And Encryption
Attack
• Azure encrypts any data in the storage account, key requirement for certifications ISO 27001, ISO 9001,
GDPR and others. But Is there a real risk of a ransomware attack in the cloud?, Answer is Yes. So what can a
hacker do? Answer, there is real potentially the entire storage account, all virtual machines, and disks can be
encrypt.
• A hacker could achieve a privilege escalation attack to the cloud or find the account keys and access to the
storage account. If this is achieved, then a hacker has different choices, One quick and very dangerous attack
is on the encryption keys, an attacker is able to encrypt the entire storage account. Azure uses two
mechanisms to encrypt the data:
• one using the internal encryption key;
• and the second is using an arbitrary key created by the customer.
• Attack simulation to the encryption keys, Hacker only required a basic knowledge of Storage Account and
Key Vault, a hacker can :-
• To execute a privilege escalation attack to Azure, (contributor access to the resource group re required)
• The attacker now will delete the key from the key vault, enter the key vault and delete the key.
2.2 Attack02 – Ransomware Attack And Encryption
Countermeasures
• The best option is using policies and blocks any unauthorized usage, especially creation.
• Create Azure policy to block any unauthorize key vault creation (use a dedicated AD
group/user)
• Set less permission privilege to the Key Vault, monitor any access and notify by email any
change
• Use Multi-Factor Authentication in any sensitive location of the company.
2.3 Attack03 – Attack VMs and Disks
Attack
• Another option is encrypting the content of the storage account, for example, all disks,
this is a procedure that we can achieve using Powershell and remotely
Countermeasures
• Create Azure policy to block any unauthorize encrypting operation (use a dedicated AD
group/user)
• Set less permission privilege to the resources
• Use Multi-Factor Authentication in any sensitive location of the company.
2.4 Attack04 – Storage Tampering attack
Attack
• This is an extremely effective and dangerous attack, the hacker found the storage
account keys and will execute a scan in the account, below an example to list Blobs using
Azure CLI :
• The attacker has now a clear idea about the content and they may will inject in the
storage account-specific malicious content. The hacker could upload malicious scripts,
PDF files tampered and more.
• Developers and IT administrators use the queues to execute specific infrastructure tasks
and execution following a specific FIFO order, the hacker could inject messages in the
queue and execute arbitrary code and script.
• This Azure storage tampering is usually used in conjunction with the phishing attack.
2.4 Attack04 – Storage Tampering attack
Countermeasures
• The prevention is the best countermeasure, we must prevent access to the resource.
• Create Azure policy to block any unauthorized usage (use a dedicated AD group/user)
• Set less permission privilege to the storage account and to the specific resource, monitor
any access and notify by email any change
• Refer to Attack01 regarding the protection of the keys
• Use Multi-Factor Authentication in any sensitive location of the company.
2.5 Attack05 – A Phishing attack
Attack
• This is a very used attack because able to be combined in many different combinations, the concept is very
simple.
• trusted web site, the attacker can send email using this URL without being intercepted or blocked, and it
looks a legitimate URL. The hacker can simulate an internal communication and an employee could click on
the URL and open a malicious file hosted in the blob.
• This is a very simple example, in the future we will examine some nasty phishing attacks using a blob storage
account.
Countermeasures
• Robust email security solutions are actually the best option, also filtering any email containing the
windows.net domain.
• Educate employees about recognizing different types of phishing attacks and avoid clicking any link.
• Use multi security layers, scanning email, antivirus and use the red team to test malicious attack.
• Educate everybody in the companies, also the very top management.
• Use Multi-Factor Authentication in any sensitive location of the company.
2.6 Attack06 – Attack To Blob And Resource Using
Anonymous Access
Attack
• We can set the reading access type of the container and blob as anonymous. We may need to use this
setting because we want to provide public access to our content, hackers use this setting for phishing
attacks.
• Black hats daily scan the public internet and they check the contents of these blobs by: -
• Option 1 – Using Shodan - Login with a free account to Shodan.io and use the search string
• Option 2 – Using scripting - This is the most productive and effective way to collect anonymous blob
storages, we can use any script type technique, the concept is quite simple.
• During an HTTP GET to request the anonymous blob storage responds in a different way from a private one,
this is the discriminant
• A program or script to created any possible combination of the account name and check for any possible
public blob on the internet. The procedure is a simple representation of what criminal companies do using
very high calculation power.
• The program used by these companies is specifically designed to check the content and they use Artificial
intelligence to quickly understand if the content can be something useful or not.
2.6 Attack06 – Attack To Blob And Resource Using
Anonymous Access
Countermeasures
• Don’t publish any sensitive information in public storage.
Important Note
• The usage of public blobs can be a good honey trap, criminals will be focused on that specific area
of attack, you may also put false and misleading information.
• The honey trap is an interesting strategy and it can be extremely effective if well planned, we can
also make the criminal think what we want and discourage them from continuing any more
investigation to the company.
2.7 Attack07 – Attacks To The Public and Private IP
Addresses In Azure
Attack
• A public IP is attacked by a hacker after the first five minutes of life on the internet, this is a standard procedure, these
people are criminal organizations looking for information to use against the company and employee. You can find public IP
exposed in Azure very easily. The entire Azure infrastructure can be scanned for ay public IP’s, open RDP ports with one
command : . By this hacker can download the entire Azure IP range by scanning the service,
these are all public information.
• Never underestimate the internal threats, if a hacker penetrates a VM, he will also have access to the internal network, at
least in the subnet, and if the VM is in the domain then the escalation of the damage is not measurable, it depends by the
Azure experience of the hacker.
Countermeasures
• Option 1 – The basic solution is avoid using public IP’s and if you really need then lock it and masquerade.
• Option 2 – Control the creation of new Public IP
• Option 3 – Use Azure Bastion
• Option 4 – Use VPN
• VPN is the best option and we avoid exposure to the internet however we still need to handle the private IPs because we
can face an internal attack.
3.0 Final Thoughts
3.1 Considerations & Best Practices
• Centralize the security control and access using a good subscription structure and firewalling appliance.
• Create a Base subscription, install ExpressRoute and firewalling and propagate the connectivity to the other
subscriptions, this will give you a lot of control.
• Use a proper segmentation of the network and organize your IP Schemas and VNet by Regions.
• Create Azure policies and force your network rules
• Use Zero trust approach and limit any access
• This presentation has highlights some of the most important and dangerous attacks to the Storage Account,
prevention is always the best practice and in order to achieve that we need to use Azure Policies.
• Azure Policies are the first line of defense, the first opportunity to stop the attack. This is what we need to
achieve, we need to stop the attack from the beginning and not in the during.
• the most dangerous attack always starts from the internal, we need to make our home secure from any risk.
• Don’t trust anybody, even yourself, if you are not sure about something, better ask and discuss it in the team.
- END OF DECK
By Abdul Khan – https://www.linkedin.com/in/abdul-khan-uk/

More Related Content

What's hot

Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment modeCloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
Himani Singh
 
Securing Applications in the Cloud
Securing Applications in the CloudSecuring Applications in the Cloud
Securing Applications in the Cloud
Security Innovation
 
Security on Cloud Computing
Security on Cloud Computing Security on Cloud Computing
Security on Cloud Computing
Reza Pahlava
 
Security Issues of Cloud Computing
Security Issues of Cloud ComputingSecurity Issues of Cloud Computing
Security Issues of Cloud Computing
Falgun Rathod
 
Cloud security
Cloud securityCloud security
Cloud security
Adeel Javaid
 
Cloud Computing Security
Cloud Computing SecurityCloud Computing Security
Cloud Computing Security
Nithin Raj
 
Security As A Service In Cloud(SECaaS)
Security As A Service In Cloud(SECaaS)Security As A Service In Cloud(SECaaS)
Security As A Service In Cloud(SECaaS)
أحلام انصارى
 
Cloud Security Governance
Cloud Security GovernanceCloud Security Governance
Cloud Security Governance
Shankar Subramaniyan
 
Cloud Security
Cloud Security Cloud Security
Cloud Security
Giovanni Mazzeo
 
cloud security ppt
cloud security ppt cloud security ppt
cloud security ppt
Devyani Vaidya
 
Cyber Security and Cloud Computing
Cyber Security and Cloud ComputingCyber Security and Cloud Computing
Cyber Security and Cloud Computing
Keet Sugathadasa
 
Guide to CASB Use Cases
Guide to CASB Use CasesGuide to CASB Use Cases
Guide to CASB Use Cases
Sachin Yadav
 
Best-Practices-Web-Usability
Best-Practices-Web-UsabilityBest-Practices-Web-Usability
Best-Practices-Web-Usability
Larry Wilson
 
(ISC)2 CCSP - Certified Cloud Security Professional
(ISC)2 CCSP - Certified Cloud Security Professional(ISC)2 CCSP - Certified Cloud Security Professional
(ISC)2 CCSP - Certified Cloud Security Professional
Hatem ElSahhar
 
Security issue in Cloud computing
Security issue in Cloud computingSecurity issue in Cloud computing
Security issue in Cloud computing
Seema Kumari
 
Cloud university intel security
Cloud university intel securityCloud university intel security
Cloud university intel security
Ingram Micro Cloud
 
Data security in cloud environment
Data security in cloud environmentData security in cloud environment
Data security in cloud environment
Shivam Singh
 
Cloud security
Cloud securityCloud security
Cloud security
Tushar Kayande
 
Data security in the cloud
Data security in the cloud Data security in the cloud
Data security in the cloud
IBM Security
 
Cloud Security Fundamentals Webinar
Cloud Security Fundamentals WebinarCloud Security Fundamentals Webinar
Cloud Security Fundamentals Webinar
Joseph Holbrook, Chief Learning Officer (CLO)
 

What's hot (20)

Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment modeCloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
 
Securing Applications in the Cloud
Securing Applications in the CloudSecuring Applications in the Cloud
Securing Applications in the Cloud
 
Security on Cloud Computing
Security on Cloud Computing Security on Cloud Computing
Security on Cloud Computing
 
Security Issues of Cloud Computing
Security Issues of Cloud ComputingSecurity Issues of Cloud Computing
Security Issues of Cloud Computing
 
Cloud security
Cloud securityCloud security
Cloud security
 
Cloud Computing Security
Cloud Computing SecurityCloud Computing Security
Cloud Computing Security
 
Security As A Service In Cloud(SECaaS)
Security As A Service In Cloud(SECaaS)Security As A Service In Cloud(SECaaS)
Security As A Service In Cloud(SECaaS)
 
Cloud Security Governance
Cloud Security GovernanceCloud Security Governance
Cloud Security Governance
 
Cloud Security
Cloud Security Cloud Security
Cloud Security
 
cloud security ppt
cloud security ppt cloud security ppt
cloud security ppt
 
Cyber Security and Cloud Computing
Cyber Security and Cloud ComputingCyber Security and Cloud Computing
Cyber Security and Cloud Computing
 
Guide to CASB Use Cases
Guide to CASB Use CasesGuide to CASB Use Cases
Guide to CASB Use Cases
 
Best-Practices-Web-Usability
Best-Practices-Web-UsabilityBest-Practices-Web-Usability
Best-Practices-Web-Usability
 
(ISC)2 CCSP - Certified Cloud Security Professional
(ISC)2 CCSP - Certified Cloud Security Professional(ISC)2 CCSP - Certified Cloud Security Professional
(ISC)2 CCSP - Certified Cloud Security Professional
 
Security issue in Cloud computing
Security issue in Cloud computingSecurity issue in Cloud computing
Security issue in Cloud computing
 
Cloud university intel security
Cloud university intel securityCloud university intel security
Cloud university intel security
 
Data security in cloud environment
Data security in cloud environmentData security in cloud environment
Data security in cloud environment
 
Cloud security
Cloud securityCloud security
Cloud security
 
Data security in the cloud
Data security in the cloud Data security in the cloud
Data security in the cloud
 
Cloud Security Fundamentals Webinar
Cloud Security Fundamentals WebinarCloud Security Fundamentals Webinar
Cloud Security Fundamentals Webinar
 

Similar to 7 Ways To Cyberattack And Hack Azure

Threat_Modelling.pdf
Threat_Modelling.pdfThreat_Modelling.pdf
Threat_Modelling.pdf
MarlboroAbyad
 
Core strategies to develop defense in depth in AWS
Core strategies to develop defense in depth in AWSCore strategies to develop defense in depth in AWS
Core strategies to develop defense in depth in AWS
Shane Peden
 
AWS Cloud Security
AWS Cloud SecurityAWS Cloud Security
AWS Cloud Security
Amazon Web Services LATAM
 
001 - Get acquainted with the AWS platform -- hide01.ir.pptx
001 - Get acquainted with the AWS platform  --  hide01.ir.pptx001 - Get acquainted with the AWS platform  --  hide01.ir.pptx
001 - Get acquainted with the AWS platform -- hide01.ir.pptx
nitinscribd
 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud Hack
NotSoSecure Global Services
 
Creating a fortress in your active directory environment
Creating a fortress in your active directory environmentCreating a fortress in your active directory environment
Creating a fortress in your active directory environment
David Rowe
 
Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014
Akash Mahajan
 
DBMS Vulnerabilities And Threats.pptx
DBMS Vulnerabilities And Threats.pptxDBMS Vulnerabilities And Threats.pptx
DBMS Vulnerabilities And Threats.pptx
siti829412
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSec
Lalit Kale
 
BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming Workshop
Ajay Choudhary
 
Enumeration and system hacking
Enumeration and system hackingEnumeration and system hacking
Enumeration and system hacking
begmohsin
 
Využijte svou Oracle databázi na maximum!
Využijte svou Oracle databázi na maximum!Využijte svou Oracle databázi na maximum!
Využijte svou Oracle databázi na maximum!
MarketingArrowECS_CZ
 
Security Design Principles.ppt
 Security Design Principles.ppt Security Design Principles.ppt
Security Design Principles.ppt
DrBasemMohamedElomda
 
AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...
AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...
AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...
Amazon Web Services
 
Webinar Fondazione CRUI - Microsoft: La Cyber Security nelle Università
Webinar Fondazione CRUI - Microsoft: La Cyber Security nelle Università Webinar Fondazione CRUI - Microsoft: La Cyber Security nelle Università
Webinar Fondazione CRUI - Microsoft: La Cyber Security nelle Università
Jürgen Ambrosi
 
Active Directory 2019 v2.pptx
Active Directory 2019 v2.pptxActive Directory 2019 v2.pptx
Active Directory 2019 v2.pptx
Pradeep Kapkoti
 
SC-900 Concepts of Security, Compliance, and Identity
SC-900 Concepts of Security, Compliance, and IdentitySC-900 Concepts of Security, Compliance, and Identity
SC-900 Concepts of Security, Compliance, and Identity
FredBrandonAuthorMCP
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
Pyingkodi Maran
 
Challenges with Cloud Security by Ken Y Chan
Challenges with Cloud Security by Ken Y ChanChallenges with Cloud Security by Ken Y Chan
Challenges with Cloud Security by Ken Y Chan
Ken Chan
 
Platform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL:  Busting Buzzwords & Building BetterPlatform Security IRL:  Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building Better
Equal Experts
 

Similar to 7 Ways To Cyberattack And Hack Azure (20)

Threat_Modelling.pdf
Threat_Modelling.pdfThreat_Modelling.pdf
Threat_Modelling.pdf
 
Core strategies to develop defense in depth in AWS
Core strategies to develop defense in depth in AWSCore strategies to develop defense in depth in AWS
Core strategies to develop defense in depth in AWS
 
AWS Cloud Security
AWS Cloud SecurityAWS Cloud Security
AWS Cloud Security
 
001 - Get acquainted with the AWS platform -- hide01.ir.pptx
001 - Get acquainted with the AWS platform  --  hide01.ir.pptx001 - Get acquainted with the AWS platform  --  hide01.ir.pptx
001 - Get acquainted with the AWS platform -- hide01.ir.pptx
 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud Hack
 
Creating a fortress in your active directory environment
Creating a fortress in your active directory environmentCreating a fortress in your active directory environment
Creating a fortress in your active directory environment
 
Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014
 
DBMS Vulnerabilities And Threats.pptx
DBMS Vulnerabilities And Threats.pptxDBMS Vulnerabilities And Threats.pptx
DBMS Vulnerabilities And Threats.pptx
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSec
 
BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming Workshop
 
Enumeration and system hacking
Enumeration and system hackingEnumeration and system hacking
Enumeration and system hacking
 
Využijte svou Oracle databázi na maximum!
Využijte svou Oracle databázi na maximum!Využijte svou Oracle databázi na maximum!
Využijte svou Oracle databázi na maximum!
 
Security Design Principles.ppt
 Security Design Principles.ppt Security Design Principles.ppt
Security Design Principles.ppt
 
AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...
AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...
AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...
 
Webinar Fondazione CRUI - Microsoft: La Cyber Security nelle Università
Webinar Fondazione CRUI - Microsoft: La Cyber Security nelle Università Webinar Fondazione CRUI - Microsoft: La Cyber Security nelle Università
Webinar Fondazione CRUI - Microsoft: La Cyber Security nelle Università
 
Active Directory 2019 v2.pptx
Active Directory 2019 v2.pptxActive Directory 2019 v2.pptx
Active Directory 2019 v2.pptx
 
SC-900 Concepts of Security, Compliance, and Identity
SC-900 Concepts of Security, Compliance, and IdentitySC-900 Concepts of Security, Compliance, and Identity
SC-900 Concepts of Security, Compliance, and Identity
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
Challenges with Cloud Security by Ken Y Chan
Challenges with Cloud Security by Ken Y ChanChallenges with Cloud Security by Ken Y Chan
Challenges with Cloud Security by Ken Y Chan
 
Platform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL:  Busting Buzzwords & Building BetterPlatform Security IRL:  Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building Better
 

Recently uploaded

GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
Neo4j
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
Jason Packer
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
DanBrown980551
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE?  Session 1 – CoE VisionWhat is an RPA CoE?  Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
DianaGray10
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
Zilliz
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
Tatiana Kojar
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
Hiroshi SHIBATA
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
FREE A4 Cyber Security Awareness  Posters-Social Engineering part 3FREE A4 Cyber Security Awareness  Posters-Social Engineering part 3
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
Data Hops
 
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyFreshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
ScyllaDB
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
DianaGray10
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
c5vrf27qcz
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Tosin Akinosho
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Brandon Minnick, MBA
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Alpen-Adria-Universität
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
ssuserfac0301
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
tolgahangng
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
Jakub Marek
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 

Recently uploaded (20)

GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE?  Session 1 – CoE VisionWhat is an RPA CoE?  Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
FREE A4 Cyber Security Awareness  Posters-Social Engineering part 3FREE A4 Cyber Security Awareness  Posters-Social Engineering part 3
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
 
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyFreshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 

7 Ways To Cyberattack And Hack Azure

  • 1. 7 Dangerous Ways To Cyberattack Azure By Abdul khan
  • 2. Author • Abdul Khan • IT Consultant based in Manchester, UK • Engineering Lead, Executive, Technologist, Architect • IT experience, within the private and public sectors (Retail, Banking, Digital, Insurance, M.O.D., HMRC, Aviation, Telecommunication, Housing Associations, Education, Travel, and Pharmaceutical companies). Excellent architectural and strong DevOps experience with proven-track record of delivering E2E, B2B and B2C solution on regional and global programs. • SME in specializing in providing integration, data migration, digital transformations to the cloud solutions (Azure and AWS) • Wealth of experience in global projects across EMEA, ASPAC and LATAM • Liked in profile https://www.linkedin.com/in/abdul-khan-uk/
  • 3. Accreditations Thank you to my brother, good friends and colleagues for reviewing, adding value, sharing their vast experience and knowledge. • Samad Khan (IT Manager), specialising in enterprise solution in finance and wealth Management • Steve Lampton (IT Consultant, Cloud SME) specialising in NetOps, DevOps and SecOps
  • 4. Audience Main Audience • The top cyberthreats may find a wider group of potential stakeholders who are interested in understanding the threat landscape in general or deepen their understanding to cover particular threats. • This document for decision makers, security architects, risk managers, auditors and end-users who wish to be informed about the where-about of various cyberthreats may find this material useful. Assumptions • Reader has some knowledge of cloud platforms technologies.
  • 5. Content 1.0 Think Like A Hacker 1.1 Introduction 1.2 Hacker Perspective 1.3 The Top Most Dangerous Cyberattacks 1.4 Account Storage – Architecture 1.5 Account Storage – Storage Stamp 3.0 Final Thoughts 3.1 Considerations & Best Practices 2.0 Cyberattacks and Countermeasures 2.1 Attack01 – Access using account keys 2.2 Attack02 – Ransomware attack and encryption 2.3 Attack03 – Attack VMs and Disks 2.4 Attack04 – Storage Tampering attack 2.5 Attack05 – A Phishing attack 2.6 Attack06 – Attack to Blob and resource using anonymous access 2.7 Attack07 – Attacks To The Public and Private IP Addresses in Azure
  • 6. 1.0 Think Like A Hacker…
  • 7. “everything and anything is hackable and vulnerable in some ways”
  • 8. 1.1 Introduction • Microsoft Azure offers many types of tool and technology to manage and handle threats and security. This can be from the classical firewall, encryption, network security group, MOMS, Security Centre, Audit Logging, GDPR and much more. • To identify the most important risks and threats and how to manage them we need to choose the right platform that provides the best features and tools. • In Cloud, any resources can be linked with security or related to hacking and should be assessed for vulnerabilities. Therefore, few basic questions that should always be asked :- • Is the functionality secure or vulnerable? • If yes, how can it be exploited and how much damage could it cause?
  • 9. 1.2 Hacker Perspective (1/2) • From a hacker perspective, a DNS provides very important data, this includes : • The Account name is extremely important because it is used by Azure to locate the primary storage cluster and the datacentre where the storage is located, all the requests for this account are directed to this location, an application can use a different account for different locations. • The Partition name identifies the storage node of the cluster and it is used to scale- out access to the data, the ObjectName is the specific object in the partition, the transactions are atomic and managed across the different objects inside the same PartitionName.
  • 10. 1.2 Hacker Perspective (2/2) • The Account Storage architecture has been organized to provide the maximum capacity and scaling, the let see the most important components and how it works. • The Storage Stamp is a cluster of N racks of storage nodes, and each rack is a separate fault domain, the challenge is to maintain the storage provisioned in production as highly utilized as possible if a rack reach lower then 70% the account is migrated in another rack • The Location Service manages the account namespace across all stamps and all the storage stamps, it is also responsible for disaster recovery and load balancing, the LS updates the DNS and allow the requests from the name https://AccountName.service.core.windows.net to that storage stamp’s virtual IP (VIP, an IP address the storage stamp exposes for external traffic).
  • 11. 1.3 The Top Most Dangerous Cyberattacks (1/2) • There are three most essential areas in Microsoft Azure, RBAC, Storage and Networking, everything in Azure depends on these three main pillars, and considering these areas. The 3 topmost dangerous cyberattacks, below the TOP Parade: • Privilege escalation to Azure PIM and the Global Admin Account; • Ransomware Attack; • Attack to the public and private IP addresses; • All these attacks are extremely dangerous and effective. However, the privilege escalation is the most dangerous because it can escalate a top-level, which means no more control in the entire cloud and company. • Internal attacks are much more dangerous and effective than the externals, and companies often underestimate that. Cloud is more secure than on-premise, we can rely on a much more solid infrastructure but we know cloud has weaknesses.
  • 12. 1.3 The Top Most Dangerous Cyberattacks (2/2) • RBAC is used to provide access to the storage account to a specific user. Hacker use this approach to obtain access storage accounts. This is a classic method used to manage the storage account by people through the Azure Portal. • There are 3 major areas of Azure, also these are the weak points, most critical and vulnerable areas for hackers to exploit, they are:- • Authentication and Authorization (Azure AD and RBAC), • Microsoft Azure Storage • Networks(Azure Infrastructure).
  • 13. 1.4 Account Storage - Architecture Access Blobs, Tables and Queues for Accounts Location Service DNS Front-Ends Stream Layers Stream Layers Intra-Stamp Replication Storage Stamp VIP Front-Ends Stream Layers Stream Layers Intra-Stamp Replication Storage Stamp VIP Account Management Inter-Stamp Replication https://AccountName.service.core.windows.net
  • 14. 1.5 Account Storage - Storage Stamps • The three layers in the Storage Stamps: • Stream Layer is like a distributed file system layer within the stamps, it understands files, called streams, and it manages how to store, replicate them and more but it doesn’t have any clue about the data or the semantics. • The Partition Layers manages and understands the high data abstraction layer (Blob, Table, Queues, and Files), caching objects, and storing objects on top of the streaming. • The Front-End layer manages the authentication and authorizations for the account though SAS token or Access Key, and it governs the relations between account and partitions.
  • 16. 2.1 Attack01 – Access Using Account Keys Attack • Developers use account keys everywhere, they send by email, they write in the code and often they take notes in files and there are different techniques to use. • Google Dorks are used by a hacker to collect any type of information on the internet, it is a very powerful technique, especially if used is a smart way • The query will search in all Google database for any file indexed of type config, containing the world accountkey in the web sites githup.com and sourceforge.net • The githup is not a typo, google may filter some query types, using this technique you can evade them. Countermeasures • Create Azure policy to block any unauthorize key vault creation (use a dedicated AD group/user) • Set less permission privilege to the Key Vault, monitor any access and notify by email any change • Store any sensitive information in Key Vaults and force developers on using this practice. • Execute automation source code scanning with Azure DevOps
  • 17. 2.2 Attack02 – Ransomware Attack And Encryption Attack • Azure encrypts any data in the storage account, key requirement for certifications ISO 27001, ISO 9001, GDPR and others. But Is there a real risk of a ransomware attack in the cloud?, Answer is Yes. So what can a hacker do? Answer, there is real potentially the entire storage account, all virtual machines, and disks can be encrypt. • A hacker could achieve a privilege escalation attack to the cloud or find the account keys and access to the storage account. If this is achieved, then a hacker has different choices, One quick and very dangerous attack is on the encryption keys, an attacker is able to encrypt the entire storage account. Azure uses two mechanisms to encrypt the data: • one using the internal encryption key; • and the second is using an arbitrary key created by the customer. • Attack simulation to the encryption keys, Hacker only required a basic knowledge of Storage Account and Key Vault, a hacker can :- • To execute a privilege escalation attack to Azure, (contributor access to the resource group re required) • The attacker now will delete the key from the key vault, enter the key vault and delete the key.
  • 18. 2.2 Attack02 – Ransomware Attack And Encryption Countermeasures • The best option is using policies and blocks any unauthorized usage, especially creation. • Create Azure policy to block any unauthorize key vault creation (use a dedicated AD group/user) • Set less permission privilege to the Key Vault, monitor any access and notify by email any change • Use Multi-Factor Authentication in any sensitive location of the company.
  • 19. 2.3 Attack03 – Attack VMs and Disks Attack • Another option is encrypting the content of the storage account, for example, all disks, this is a procedure that we can achieve using Powershell and remotely Countermeasures • Create Azure policy to block any unauthorize encrypting operation (use a dedicated AD group/user) • Set less permission privilege to the resources • Use Multi-Factor Authentication in any sensitive location of the company.
  • 20. 2.4 Attack04 – Storage Tampering attack Attack • This is an extremely effective and dangerous attack, the hacker found the storage account keys and will execute a scan in the account, below an example to list Blobs using Azure CLI : • The attacker has now a clear idea about the content and they may will inject in the storage account-specific malicious content. The hacker could upload malicious scripts, PDF files tampered and more. • Developers and IT administrators use the queues to execute specific infrastructure tasks and execution following a specific FIFO order, the hacker could inject messages in the queue and execute arbitrary code and script. • This Azure storage tampering is usually used in conjunction with the phishing attack.
  • 21. 2.4 Attack04 – Storage Tampering attack Countermeasures • The prevention is the best countermeasure, we must prevent access to the resource. • Create Azure policy to block any unauthorized usage (use a dedicated AD group/user) • Set less permission privilege to the storage account and to the specific resource, monitor any access and notify by email any change • Refer to Attack01 regarding the protection of the keys • Use Multi-Factor Authentication in any sensitive location of the company.
  • 22. 2.5 Attack05 – A Phishing attack Attack • This is a very used attack because able to be combined in many different combinations, the concept is very simple. • trusted web site, the attacker can send email using this URL without being intercepted or blocked, and it looks a legitimate URL. The hacker can simulate an internal communication and an employee could click on the URL and open a malicious file hosted in the blob. • This is a very simple example, in the future we will examine some nasty phishing attacks using a blob storage account. Countermeasures • Robust email security solutions are actually the best option, also filtering any email containing the windows.net domain. • Educate employees about recognizing different types of phishing attacks and avoid clicking any link. • Use multi security layers, scanning email, antivirus and use the red team to test malicious attack. • Educate everybody in the companies, also the very top management. • Use Multi-Factor Authentication in any sensitive location of the company.
  • 23. 2.6 Attack06 – Attack To Blob And Resource Using Anonymous Access Attack • We can set the reading access type of the container and blob as anonymous. We may need to use this setting because we want to provide public access to our content, hackers use this setting for phishing attacks. • Black hats daily scan the public internet and they check the contents of these blobs by: - • Option 1 – Using Shodan - Login with a free account to Shodan.io and use the search string • Option 2 – Using scripting - This is the most productive and effective way to collect anonymous blob storages, we can use any script type technique, the concept is quite simple. • During an HTTP GET to request the anonymous blob storage responds in a different way from a private one, this is the discriminant • A program or script to created any possible combination of the account name and check for any possible public blob on the internet. The procedure is a simple representation of what criminal companies do using very high calculation power. • The program used by these companies is specifically designed to check the content and they use Artificial intelligence to quickly understand if the content can be something useful or not.
  • 24. 2.6 Attack06 – Attack To Blob And Resource Using Anonymous Access Countermeasures • Don’t publish any sensitive information in public storage. Important Note • The usage of public blobs can be a good honey trap, criminals will be focused on that specific area of attack, you may also put false and misleading information. • The honey trap is an interesting strategy and it can be extremely effective if well planned, we can also make the criminal think what we want and discourage them from continuing any more investigation to the company.
  • 25. 2.7 Attack07 – Attacks To The Public and Private IP Addresses In Azure Attack • A public IP is attacked by a hacker after the first five minutes of life on the internet, this is a standard procedure, these people are criminal organizations looking for information to use against the company and employee. You can find public IP exposed in Azure very easily. The entire Azure infrastructure can be scanned for ay public IP’s, open RDP ports with one command : . By this hacker can download the entire Azure IP range by scanning the service, these are all public information. • Never underestimate the internal threats, if a hacker penetrates a VM, he will also have access to the internal network, at least in the subnet, and if the VM is in the domain then the escalation of the damage is not measurable, it depends by the Azure experience of the hacker. Countermeasures • Option 1 – The basic solution is avoid using public IP’s and if you really need then lock it and masquerade. • Option 2 – Control the creation of new Public IP • Option 3 – Use Azure Bastion • Option 4 – Use VPN • VPN is the best option and we avoid exposure to the internet however we still need to handle the private IPs because we can face an internal attack.
  • 27. 3.1 Considerations & Best Practices • Centralize the security control and access using a good subscription structure and firewalling appliance. • Create a Base subscription, install ExpressRoute and firewalling and propagate the connectivity to the other subscriptions, this will give you a lot of control. • Use a proper segmentation of the network and organize your IP Schemas and VNet by Regions. • Create Azure policies and force your network rules • Use Zero trust approach and limit any access • This presentation has highlights some of the most important and dangerous attacks to the Storage Account, prevention is always the best practice and in order to achieve that we need to use Azure Policies. • Azure Policies are the first line of defense, the first opportunity to stop the attack. This is what we need to achieve, we need to stop the attack from the beginning and not in the during. • the most dangerous attack always starts from the internal, we need to make our home secure from any risk. • Don’t trust anybody, even yourself, if you are not sure about something, better ask and discuss it in the team.
  • 28. - END OF DECK By Abdul Khan – https://www.linkedin.com/in/abdul-khan-uk/