# Cyber Security on Azure: An IT Professional's Guide to Microsoft Azure Security

#### 2021 - Marshall Copeland, Matthew Jacobs

**Link**:
**DOI**:
**Links**:
**Tags**: #books

### Abstract

```
```

### Notes

# Annotations (5/26/2022, 2:53:51 PM)

“let us consider the problem of VNets used in multiple Azure regions. IP traffic to name resolution creates at least two network engineering issues:

- Cross-VNet name resolution.
- DNS suffix cannot be customized (for a domain).

One way to solve the DNS cross-VNet name resolution is with the configuration of a site-to-site VPN connection from Azure to your on-premises data center. Once the VPN is created, you can add a custom DNS server IP address into each VM in the VNet. Each VM will register with your customized DNS server and support name to IP address resolution. If you do not have a VPN connection from Azure to on-premises, you can create a VM and install DNS from inside an Azure VNet. This works well for cloud-only businesses or projects, and you can enable DNS forwarding to other DNS servers with the correct ports open in the Azure Network Security Group (NSG). Another way to solve name resolution across VNet isolation is to use Azure DNS.” (Copeland and Jacobs, 2021, p. 49)

“IP firewall rules grant or deny access to the databases based on the IP address of the source (similar to Network Security Groups). The source IP address can be from the Internet (if allowed) or from Azure cloud. The firewall supports two levels of rules, the database level and the server level.” (Copeland and Jacobs, 2021, p. 98)

“Advanced Threat Protection, part of the ADS offering, can be applied to Azure SQL Database to detect Incidents of Compromise (IOC) and anomalous activities that could exploit data. This level of protection is used to identify

- SQL injection
- Unusual location access
- Access from unfamiliar ID
- Harmful application
- Brute-force SQL credentials” (Copeland and Jacobs, 2021, p. 99)

“the best practice is to enable auditing for one level (server or database) but not both.” (Copeland and Jacobs, 2021, p. 102)

“You can send the activity logs from a subscription to up to five Azure workspaces to support your monitoring requirements. However, to collect logs across different Azure tenants requires the deployment of Azure Lighthouse.” (Copeland and Jacobs, 2021, p. 125)

“Daily cap to enable a hard limit on the log collection” (Copeland and Jacobs, 2021, p. 130)

“You now know that the Azure Monitor workspace is undergoing a consolidation of what first appears as redundant views of logs and metrics. The consolidation includes Log Analytics, Azure Application Insights, and Azure diagnostics to be used by Azure Monitor. If you focus the consolidation topic on support for Azure VMs, you are required to have on each VM at least two agents installed, two for each Windows or Linux OS. They are the Log Analytics agent and the Dependency agent. One of the agents you will see running on your VM is the Microsoft Monitoring Agent (MMA) that is installed when you enable Azure Security Center to manage VMs and collect data. Note there are multiple Azure Monitor agents; for further details, visit https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agentsoverview.” (Copeland and Jacobs, 2021, p. 142)

“Another method to configure Azure Monitor for VMs. If you choose to follow this exercise, the VM insights management pack will be added to your analytics workspace.” (Copeland and Jacobs, 2021, p. 142)

“The same type of attack surfaces can be seen in the Azure cloud, as shown here:

- Impersonation of a user (social media)
- Credential theft and elevation of privileges (admin or developer)” (Copeland and Jacobs, 2021, p. 155)

“Installing code to enable backdoors

- Gaining access to data and data resources (cloud resources)
- Azure subscription owners (top-level administration)
- Pivot attacks from on-premises to the public cloud
- Cloud resource compromises by hijacking or other exploitations
- Privilege elevation to move between subscriptions
- Public storage secret credential keys (GitHub)
- Misconfiguration of credential keys
- Imperva “man-in-the-cloud” token synchronized
- Side-channel code enablement
- Ransomware on cloud resources” (Copeland and Jacobs, 2021, p. 156)

“Microsoft has many global cloud services that provide threat intelligence telemetry such as Office 365, Microsoft CRM online, MSN.com, Azure, the Microsoft Digital Crimes Unit (DCU), and the Microsoft Security Response Center (MSRC).” (Copeland and Jacobs, 2021, p. 164)

“The ATT&CK data is transferred into products using the current Structured Threat Information eXpression (STIX) version 2, a language to exchange cyber threat intelligence (CTI). ATT&CK, STIX, and Trusted Automated eXchange of Intelligence Information (TAXII) are integrated in the Microsoft Azure Sentinel service.” (Copeland and Jacobs, 2021, p. 171)

“Kubernetes attack matrix. You can read more about the Kubernetes threat matrix at www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/.” (Copeland and Jacobs, 2021, p. 212)

“While ARM is designed to deploy resources to Microsoft Azure, the Terraform tools are platform agnostic; they can be used to deploy to Azure, AWS, GCP, Alibaba Cloud, and other private clouds like VMware.” (Copeland and Jacobs, 2021, p. 244)
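As an added illustration of the two firewall rule levels quoted above (p. 98), not code from the book: a small Python model of how an Azure SQL logical server evaluates a source IP against database-level rules first and then server-level rules, plus a review check for overly broad ranges. The rule shape (name, start IP, end IP) and the 0.0.0.0 "Allow Azure services" marker follow Azure's documented behaviour; all addresses, rule names and database names are constructed for the example.

```python
import ipaddress

# Rule tuples are (name, start_ip, end_ip), the shape of an Azure SQL IP
# firewall rule. All sample data below is constructed for this example.
AZURE_SERVICES = ("0.0.0.0", "0.0.0.0")  # marker for "Allow Azure services"


def _as_int(ip):
    return int(ipaddress.IPv4Address(ip))


def in_range(ip, start, end):
    """True if ip falls inside the inclusive start..end IPv4 range."""
    return _as_int(start) <= _as_int(ip) <= _as_int(end)


def evaluate(source_ip, database, server_rules, database_rules, from_azure=False):
    """Return (allowed, matched_rule) for one connection attempt.

    Order follows the Azure SQL logical server: database-level rules are
    checked first and grant access only to that database; a server-level
    match grants access to every database on the server.
    """
    for name, start, end in database_rules.get(database, []):
        if in_range(source_ip, start, end):
            return True, f"database:{name}"
    for name, start, end in server_rules:
        if (start, end) == AZURE_SERVICES:  # matches only Azure-originated traffic
            if from_azure:
                return True, f"server:{name}"
            continue
        if in_range(source_ip, start, end):
            return True, f"server:{name}"
    return False, None


def overly_broad(rules, max_hosts=256):
    """Names of rules wider than max_hosts addresses; a 0.0.0.0-255.255.255.255
    rule is the classic 'open to the Internet' misconfiguration to catch."""
    return [name for name, start, end in rules
            if (start, end) != AZURE_SERVICES
            and _as_int(end) - _as_int(start) + 1 > max_hosts]


# Constructed sample rules using documentation address ranges.
SERVER_RULES = [("office-nat", "203.0.113.10", "203.0.113.20"),
                ("AllowAllWindowsAzureIps", "0.0.0.0", "0.0.0.0")]
DATABASE_RULES = {"payroll": [("analyst-vpn", "198.51.100.5", "198.51.100.5")]}
```

Note that the database-level match for `payroll` does not carry over to any other database, whereas a server-level match does, which is why server-level ranges deserve the stricter review.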