Microsoft Azure Security: From Incident Response to Proactive Defense
Whether you're managing a hybrid environment, responding to incidents, or building security controls, understanding Azure's distinct security model is crucial for effective cloud security. This issue contains practical insights on navigating the complexities of Azure identity, implementing proactive security measures, and building effective incident response capabilities.
Hello from the Cloud-verse!
This week’s Cloud Security Newsletter Topic is Azure Security: From Incident Response to Proactive Defense!

Azure Security: From Incident Response to Proactive Defense (Image Credit - Dalle)
In case this is your first Cloud Security Newsletter: you are in good company!
You are reading this issue alongside friends and colleagues from companies like Netflix, Citi, JP Morgan, Linkedin, Reddit, Github, Gitlab, CapitalOne, Robinhood, HSBC, British Airways, Airbnb, Block, Booking Inc and more, who subscribe to this newsletter because, like you, they want to learn what’s new in Cloud Security each week from their industry peers, many of whom also listen to Cloud Security Podcast and AI CyberSecurity Podcast every week.
Welcome to this week's edition of the Cloud Security Newsletter!
This week, we're diving deep into Azure security, specifically identity complexities, common security gaps in Azure, incident response and proactive security measures. We'll explore real-world insights from security practitioners who have been in the trenches dealing with Azure security incidents and architecting secure Azure environments.
Featured Experts This Week 🎤
Katie Knowles - Security Researcher at Datadog, former Azure Incident Response specialist
Sam Kirkman - Penetration Tester and Security Architect
Sai Gunaranjan - Cloud Architect at Allscripts Healthcare
Karl Fosaaen - VP of Research at NetSPI, Author of "Pentesting Azure for Ethical Hackers"
Definitions and Core Concepts 📚
Before we dive into the insights, let's clarify some key terms that will be referenced throughout:
Active Directory: The traditional on-premises directory service used by organizations for managing Windows domain networks. It handles authentication, authorization, and directory services within an enterprise network.
Microsoft Entra ID (formerly Azure AD): The core identity service for Azure that manages authentication and authorization. As Katie Knowles explains: "Microsoft Entra is your top level business identity and permissions management. It sits at the very top and dictates who all the people are inside your organization, how they access everything from their email accounts to every application."
Service Principals: The identities Entra ID uses for “non-human” access (automation, applications, Azure resources). They show up in a few forms:
Managed Identities: Service principals that Azure creates and whose credentials Azure rotates for a resource, so you never handle a secret yourself
Application Registrations: The definition of an application (the app object). The registration is not itself a service principal, but using the app in a tenant instantiates one
Enterprise Applications: The service principal instance of an application in your tenant; this is the object that actually holds the permissions, role assignments and consent grants
Azure RBAC vs Entra ID Permissions:
Azure RBAC: Controls access to Azure resources (VMs, storage, etc.) through role assignments scoped to a management group, subscription, resource group or single resource
Entra ID Permissions: Directory roles and Graph API permissions that govern directory operations and data (users, groups, applications, consent). One identity can hold both kinds, and neither kind implies the other
Conditional Access:
Policy engine that combines signals to make real-time access decisions
Can enforce MFA, location-based access, device compliance
Applies to cloud applications and, via Entra application proxy, to on-premises applications published through Entra ID
Resource Graph Explorer: A powerful Azure service that allows querying of resources across subscriptions using KQL (Kusto Query Language).
This week's Issue is sponsored by Varonis
Redefining Data Security Strategies for a Gen AI World?
AI is transforming how we work — but is your data security keeping up?
Learn from our Data Security experts to better understand the AI risk landscape, how to protect your data without slowing down company progress, and better yet - how to use AI to your advantage for even better data protection.
Sign up today for our free session and get access to a free Generative AI risk assessment when you attend.
PS - You earn +1 CPE for attending this Data Security session.
💡Our Insights from these Practitioners 🔍
1. The Complex World of Azure Identity
Katie Knowles highlights how Azure's identity landscape is more intricate than other cloud providers due to its integration with enterprise identity:
"The blast radius with Azure is a lot more significant than maybe AWS or even Google in some environments... because there's a lot of attacks that can be used from on-prem, especially for the Active Directory Microsoft side to get to Azure."
This creates several key considerations:
Hybrid environments present unique challenges where compromises can move bidirectionally between on-premises and cloud
Service identities (service principals) can have both Azure RBAC and Entra ID permissions
Token theft and persistence techniques are becoming more sophisticated
2. Azure vs On-Premises Security Differences
The transition from on-premises to Azure security requires a mindset shift. Sai Gunaranjan highlights this evolution:
"If you look at it from a compliance point of view, like some services, we just alternate can't use at all, like they're not secure enough for us to use. They don't have the logging capabilities that an organization can actually use in their environment."
Key differences include:
Distributed Control Plane: Unlike a traditional perimeter where a central firewall mediates access, each Azure resource carries its own security controls (network rules, access policies, keys), so there is no single choke point to configure or monitor
Identity Complexity: The relationship between on-premises Active Directory and Entra ID creates new attack paths
Logging Challenges: Different services require different logging configurations and costs
3. Common Security Gaps in Azure
Several experts highlighted recurring gaps in Azure environments:
Identity Management Gaps: Sam Kirkman notes:
"From organizations that haven't implemented conditional access policies, they'll often find that the defaults are very open."
Logging and Monitoring: Katie Knowles emphasizes:
"You likely won't have logs yet on things like who accessed secrets in a key vault, who accessed or changed storage in a storage account. For those you need diagnostic or resource logs. Those are gonna be resource specific. They're gonna be costly to implement."
Integration expands the Blast Radius:
Hybrid environment misconfigurations
Third-party application permissions
Service principal oversight
4. Building Security with Azure Policies
Sai Gunaranjan shares insights on using Azure's native security controls:
"The first thing is to actually enable defender and defender for cloud these services get baked into the subscription itself to the tenant itself. And then every resource that's actually coming up on top of it actually will be monitored based on how you do, how we configure the policies."
Key components for effective policy implementation:
Foundational Policies:
Enable Microsoft Defender for Cloud
Configure diagnostic settings
Implement RBAC strategies
Policy Hierarchy:
Management group level policies
Subscription level controls
Resource group specific rules
Monitoring and Enforcement:
Sai Gunaranjan further adds: "Everything must be logged, everything, you know; data is very important for us. You know, it kind of leads into a lot of compliance requirements that you have, you know, be it HIPAA, SOC or whatever."
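To make “every resource that comes up will be monitored based on how you configure the policies” concrete, here is an added example of how an Azure Policy rule is actually evaluated. This is our illustration for the newsletter, not Sai's code and not Microsoft's engine: a small evaluator for the `field` / `equals` / `notEquals` / `exists` / `in` / `like` / `allOf` / `anyOf` / `not` condition language, with a hand-written alias table, a definition shaped like the built-in “Storage accounts should prevent public blob access” rule (a constructed copy, not the published one), a tag-audit rule, and constructed resource records in the shape Resource Graph returns. It also doubles as the “find public storage accounts” check that comes up under Resource Exposure and in the action items below.

```python
"""Minimal evaluator for the condition language Azure Policy rules are written in.

Added example for this newsletter, not Microsoft's engine. It supports the
operators most definitions use (field with equals / notEquals / exists / in /
like, combined with allOf / anyOf / not), resolves two field aliases by hand
and substitutes a [parameters('effect')] reference the way an assignment
would. The policies, alias table and resource records are all constructed.
"""
import re
from typing import Any, Dict, List

# Assumption: a hand-written alias table. Azure publishes thousands; the real list comes from
# `az provider show --namespace Microsoft.Storage --expand "resourceTypes/aliases"`.
ALIASES = {
    "Microsoft.Storage/storageAccounts/allowBlobPublicAccess": "properties.allowBlobPublicAccess",
    "Microsoft.Storage/storageAccounts/publicNetworkAccess": "properties.publicNetworkAccess",
}
_TAG_FIELD = re.compile(r"^tags\['([^']+)'\]$")
_PARAM_REF = re.compile(r"^\[parameters\('(\w+)'\)\]$")


def _lookup(resource: Dict[str, Any], field: str) -> Any:
    """Resolve a field (alias, tags['x'] or dotted path); a missing value becomes None."""
    tag = _TAG_FIELD.match(field)
    path = f"tags.{tag.group(1)}" if tag else ALIASES.get(field, field)
    node: Any = resource
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def _norm(value: Any) -> Any:
    """Azure Policy compares strings case-insensitively; booleans are stringified."""
    return None if value is None else str(value).lower()


def evaluate(cond: Dict[str, Any], resource: Dict[str, Any]) -> bool:
    """Evaluate one condition block of a policyRule 'if' against a resource."""
    if "allOf" in cond:
        return all(evaluate(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource)
    actual = _lookup(resource, cond["field"])
    if "equals" in cond:
        return _norm(actual) == _norm(cond["equals"])
    if "notEquals" in cond:  # an absent field is "not equal" to anything, so it is non-compliant
        return _norm(actual) != _norm(cond["notEquals"])
    if "exists" in cond:
        return (actual is not None) == (_norm(cond["exists"]) == "true")
    if "in" in cond:
        return _norm(actual) in {_norm(v) for v in cond["in"]}
    if "like" in cond:  # '*' is the only wildcard Azure Policy supports
        pattern = re.escape(str(cond["like"])).replace(r"\*", ".*")
        return actual is not None and re.fullmatch(pattern, str(actual), re.I) is not None
    raise ValueError(f"unsupported condition: {cond}")


def assess(policy: Dict[str, Any], resources: List[Dict[str, Any]]) -> Dict[str, str]:
    """Return {resource id: effect} for every resource the policy's 'if' block matches."""
    props = policy["properties"]
    effect = props["policyRule"]["then"]["effect"]
    ref = _PARAM_REF.match(effect)
    if ref:  # resolve [parameters('effect')] from the definition's default value
        effect = props["parameters"][ref.group(1)]["defaultValue"]
    return {r["id"]: effect for r in resources if evaluate(props["policyRule"]["if"], r)}


# Constructed definition shaped like the built-in "Storage accounts should prevent
# public blob access" rule (not a copy of the published definition).
PUBLIC_BLOB_POLICY = {"properties": {
    "displayName": "Storage accounts should prevent public blob access",
    "parameters": {"effect": {"type": "String", "defaultValue": "Deny"}},
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess", "notEquals": "false"}]},
        "then": {"effect": "[parameters('effect')]"}}}}

OWNER_TAG_POLICY = {"properties": {
    "displayName": "Audit resources that have no owner tag",
    "policyRule": {"if": {"field": "tags['owner']", "exists": "false"},
                   "then": {"effect": "audit"}}}}

# Constructed records in the shape Resource Graph returns (it lower-cases resource types).
_SUB = "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-data/providers/"
RESOURCES = [
    {"id": _SUB + "Microsoft.Storage/storageAccounts/stpublic01", "type": "microsoft.storage/storageaccounts",
     "tags": {"owner": "data-team"}, "properties": {"allowBlobPublicAccess": True, "publicNetworkAccess": "Enabled"}},
    {"id": _SUB + "Microsoft.Storage/storageAccounts/stlegacy02", "type": "microsoft.storage/storageaccounts",
     "tags": {}, "properties": {"publicNetworkAccess": "Enabled"}},  # older account: setting never written
    {"id": _SUB + "Microsoft.Storage/storageAccounts/stlocked03", "type": "microsoft.storage/storageaccounts",
     "tags": {"owner": "platform"}, "properties": {"allowBlobPublicAccess": False, "publicNetworkAccess": "Disabled"}},
    {"id": _SUB + "Microsoft.Compute/virtualMachines/vm01", "type": "microsoft.compute/virtualmachines",
     "tags": {}, "properties": {}},
]

if __name__ == "__main__":
    for policy in (PUBLIC_BLOB_POLICY, OWNER_TAG_POLICY):
        print(policy["properties"]["displayName"])
        for rid, effect in assess(policy, RESOURCES).items():
            print(f"  {effect:>5}  {rid.rsplit('/', 1)[-1]}")
```

The detail worth noticing is `stlegacy02`: the account never had `allowBlobPublicAccess` written, so the field is absent, and `notEquals "false"` treats an absent value as non-compliant. That is the behaviour you want from a deny policy, and it is also why a Resource Graph query that only filters on `== true` under-counts exposed accounts.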
5. Common Attack Vectors and Incidents
Several common attack patterns emerge from our experts' experiences:
Resource Exposure:
Karl Fosaaen notes: "Public storage accounts. That's an easy win for us. And given there's APIs for every cloud provider, it's very easy to just pull all of that information, scrape it and double check."
LLM Jacking:
Katie Knowles highlights a newer threat: "There's been a lot of what they call LLM jacking going around recently... if they have the token... they can basically slap this into a large infrastructure they have that creates a back end pool of AI resources that they can send queries to."
Identity-Based Attacks: for example, privilege escalation through misconfigured permissions
6. Approaching Azure Pentesting
Karl Fosaaen shares a methodical approach to Azure pentesting:
"It depends on the environment because with every environment, you've got different kinds of resources that you're working with. A lot of times we'll run into very IaaS or infrastructure as a service heavy environments where it's all virtual machines... Or the opposite end of it. Platform as a service."
Key considerations for Azure pentesting:
Scope Definition:
Understand which parts of Microsoft's ecosystem are in scope
Review Microsoft's rules of engagement for Azure pentesting
Confirm ownership of resources before testing
Initial Enumeration:
Karl Fosaaen adds "Really depends at the baseline. It's really just getting a rough idea of what's in the environment, situational awareness, right? Identifying where your attack paths might be, and additionally, where the identities are."
Common Entry Points:
Public storage accounts
Deployment templates with exposed credentials
OAuth consent grants
Service principal misconfigurations
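“Deployment templates with exposed credentials” is worth a worked check, because the exposure is not only in the template file: Azure keeps the parameter values of every deployment in the resource group's deployment history, and only `securestring` parameters are withheld from that record. The following is an added example for this newsletter, not code from Karl's book, from MicroBurst or from Microsoft. It scans a constructed ARM template together with a constructed deployment record (the `properties.parameters` shape returned by `az deployment group show`) for secret-looking parameters declared as plain `string`, `securestring` parameters with a default baked into the template, and resource settings that hold a literal secret instead of an ARM expression or Key Vault reference. The name pattern and sample values are assumptions.

```python
"""Scan an ARM template plus its recorded deployment parameters for credentials
that can be read back out of deployment history.

Added example for this newsletter, not code from the book, MicroBurst or
Microsoft. Checks: (1) secret-looking parameters declared as plain 'string'
(their values are kept in the deployment record, securestring values are not)
or securestring parameters with a defaultValue inside the template; (2)
resource properties or name/value settings holding a literal secret instead
of an ARM expression or Key Vault reference. Template and record are constructed.
"""
import re
from typing import Any, Dict, List

SECRET_NAME = re.compile(r"password|passwd|pwd|secret|api[-_]?key|access[-_]?key|account[-_]?key|"
                         r"connection[-_]?string|token", re.I)
ARM_EXPRESSION = re.compile(r"^\[.*\]$", re.S)


def is_literal(value: Any) -> bool:
    """True for a non-empty plain string that is not an ARM expression ("[...]")."""
    return isinstance(value, str) and bool(value.strip()) and not ARM_EXPRESSION.match(value.strip())


def scan_parameters(template: Dict[str, Any], deployment_params: Dict[str, Any]) -> List[str]:
    """Check parameter declarations against what the deployment record retained."""
    findings = []
    for name, spec in template.get("parameters", {}).items():
        ptype = str(spec.get("type", "")).lower()
        recorded = deployment_params.get(name, {}).get("value")
        if SECRET_NAME.search(name) and ptype != "securestring":
            findings.append(f"parameter '{name}' is '{ptype}', not securestring; "
                            f"deployment history retains its value {recorded!r}")
        if ptype == "securestring" and "defaultValue" in spec:
            findings.append(f"securestring parameter '{name}' ships a defaultValue inside the template")
    return findings


def scan_resources(node: Any, path: str = "resources") -> List[str]:
    """Walk the resources tree for literal secrets under secret-looking keys or setting names."""
    findings = []
    if isinstance(node, dict):
        # appSettings / connectionStrings style {"name": ..., "value": ...} pairs
        if SECRET_NAME.search(str(node.get("name", ""))) and is_literal(node.get("value")):
            findings.append(f"{path}: setting '{node['name']}' holds a literal secret")
        for key, value in node.items():
            if key != "name" and SECRET_NAME.search(key) and is_literal(value):
                findings.append(f"{path}.{key}: literal value instead of an expression or Key Vault reference")
            findings += scan_resources(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings += scan_resources(item, f"{path}[{i}]")
    return findings


def scan_deployment(template: Dict[str, Any], deployment_params: Dict[str, Any]) -> List[str]:
    return scan_parameters(template, deployment_params) + scan_resources(template.get("resources", []))


# Constructed template: one parameter typed wrong, one secure parameter with a default, one literal key.
TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "adminUsername": {"type": "string"},
        "adminPassword": {"type": "string"},  # should have been securestring
        "sqlConnectionString": {"type": "securestring",
                                "defaultValue": "Server=tcp:sql.example;Password=Summer2024!"},
    },
    "resources": [
        {"type": "Microsoft.Compute/virtualMachines", "name": "vm01",
         "properties": {"osProfile": {"adminUsername": "[parameters('adminUsername')]",
                                      "adminPassword": "[parameters('adminPassword')]"}}},
        {"type": "Microsoft.Web/sites/config", "name": "app01/appsettings",
         "properties": {"appSettings": [
             {"name": "StorageAccountKey", "value": "DefaultEndpointsProtocol=https;AccountKey=AAAAexampleAAAA=="},
             {"name": "KeyVaultUri", "value": "https://kv-app01.example/"}]}},
    ],
}

# Constructed deployment record (shape of `az deployment group show` properties.parameters):
# plain-string values are kept, securestring values are not.
DEPLOYMENT_PARAMETERS = {
    "adminUsername": {"type": "String", "value": "azureuser"},
    "adminPassword": {"type": "String", "value": "Winter2024!"},
    "sqlConnectionString": {"type": "SecureString"},
}

if __name__ == "__main__":
    for finding in scan_deployment(TEMPLATE, DEPLOYMENT_PARAMETERS):
        print("-", finding)
```

On a real engagement the second input comes from `az deployment group list` / `az deployment group show --name ... --query properties.parameters` for each resource group you have Reader on; Reader is enough to read deployment history, which is exactly why a plain-`string` password parameter is a finding even when the template itself is clean.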
7. Incident Response in the Azure World
The complexity of Azure environments requires a specialized approach to incident response. Katie Knowles, drawing from her hands-on experience, emphasizes the importance of proper preparation:
"You likely won't have logs yet on things like who accessed secrets in a key vault or storage accounts. For those you need diagnostic or resource logs... start those battles now for your key resources."
Three critical areas shape effective incident response in Azure:
Logging Foundation: Unlike traditional environments, Azure requires multiple logging layers:
Control plane logs for resource changes
Entra ID activity monitoring
Resource-specific diagnostic logs
Cross-service activity tracking
Common Attack Patterns: Modern Azure attacks often focus on:
Resource abuse (cryptomining, LLM jacking)
Identity-based attacks
OAuth consent exploitation
Katie highlights an emerging threat:
"OAuth illicit consent grants... it's very popular right now as an alternative to phishing. If I get somebody to click yes on my application... they're adding more protections around this in Microsoft."
Response Readiness: Effective response requires:
Proper access levels for IR teams
Documentation of resource relationships
Understanding of identity interconnections
Familiarity with Azure-specific investigation tools
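Two of the points above, the OAuth illicit-consent pattern and the need to know which GUID is which, come together in one triage routine. Here is an added example for this newsletter, not Katie's code and not anything Microsoft ships. The audit records are constructed to follow the Entra audit-log export shape (`activityDisplayName`, `result`, `initiatedBy`, `targetResources[].modifiedProperties` named `ConsentContext.IsAdminConsent` and `ConsentAction.Permissions`, whose `newValue` is a JSON-encoded string); every GUID, the `GUID_BOOK` that names them, the allow-list and the scope lists are invented. The rule alerts on a successful consent to a service principal outside the reviewed allow-list when the granted scopes include mailbox or file permissions or `offline_access` (a refresh token, i.e. persistence), and resolves each object ID to a name before the analyst ever sees it.

```python
"""Triage "Consent to application" events from an Entra ID audit log export.

Added example for this newsletter, not code from Microsoft or from Katie.
Records follow the audit-log export shape; all GUIDs, the GUID_BOOK, the
allow-list and the scope lists are constructed assumptions.
"""
import json
import re
from typing import Any, Dict, List, Set

# The "which GUID is what" sheet an IR team keeps (constructed).
GUID_BOOK = {
    "0a1b2c3d-1111-4aaa-8aaa-000000000001": "user alice@contoso.example (Finance)",
    "0a1b2c3d-1111-4aaa-8aaa-000000000002": "user bob@contoso.example (Sales)",
    "0a1b2c3d-1111-4aaa-8aaa-000000000003": "user ga-admin@contoso.example (Global Administrator)",
    "5e6f7a8b-2222-4bbb-8bbb-000000000010": "service principal 'Microsoft Teams' (Microsoft first-party)",
    "5e6f7a8b-2222-4bbb-8bbb-000000000011": "service principal 'Contoso Mail Helper' (multi-tenant, publisher unverified)",
    "5e6f7a8b-2222-4bbb-8bbb-000000000012": "service principal 'Calendar Widget' (multi-tenant)",
}
U_ALICE, U_BOB, U_ADMIN = (f"0a1b2c3d-1111-4aaa-8aaa-00000000000{i}" for i in (1, 2, 3))
SP_TEAMS, SP_MAILHELPER, SP_CALWIDGET = (f"5e6f7a8b-2222-4bbb-8bbb-0000000000{i}" for i in (10, 11, 12))
KNOWN_APPS: Set[str] = {SP_TEAMS}  # service principal object IDs already reviewed and approved

MAIL_AND_FILE_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
                        "Contacts.Read", "Files.Read.All", "Files.ReadWrite.All", "Sites.Read.All"}
PERSISTENCE_SCOPES = {"offline_access"}
_PERMISSIONS = re.compile(r"ConsentType:\s*(?P<ctype>\w+),\s*Scope:\s*(?P<scope>[^\]]*)")


def resolve(guid: str) -> str:
    """Translate an object ID into the human label from the GUID book."""
    return GUID_BOOK.get(guid, f"UNMAPPED {guid}")


def _modified(target: Dict[str, Any], name: str) -> Any:
    """Return one modifiedProperties newValue, decoding the JSON string it is wrapped in."""
    for prop in target.get("modifiedProperties", []):
        if prop.get("displayName") == name:
            try:
                return json.loads(prop.get("newValue"))
            except (TypeError, ValueError):
                return prop.get("newValue")
    return None


def triage_consents(records: List[Dict[str, Any]], known_apps: Set[str]) -> List[Dict[str, Any]]:
    """Return one alert per suspicious successful consent grant."""
    alerts = []
    for rec in records:
        if rec.get("activityDisplayName") != "Consent to application" or rec.get("result") != "success":
            continue
        actor = rec.get("initiatedBy", {}).get("user", {}).get("id", "")
        for target in rec.get("targetResources", []):
            if target.get("type") != "ServicePrincipal":
                continue
            match = _PERMISSIONS.search(str(_modified(target, "ConsentAction.Permissions") or ""))
            if not match:
                continue
            scopes = set(match.group("scope").split())
            tenant_wide = match.group("ctype") == "AllPrincipals"  # "Principal" = one user's own consent
            risky, persistent = scopes & MAIL_AND_FILE_SCOPES, scopes & PERSISTENCE_SCOPES
            if target.get("id") in known_apps or not (risky or persistent):
                continue
            alerts.append({
                "time": rec.get("activityDateTime"),
                "severity": "high" if tenant_wide or (risky and persistent) else "medium",
                "actor": resolve(actor),
                "app": resolve(target.get("id", "")),
                "admin_consent": str(_modified(target, "ConsentContext.IsAdminConsent")).lower() == "true",
                "tenant_wide": tenant_wide,
                "scopes": sorted(scopes),
            })
    return alerts


def _record(ts: str, actor: str, sp: str, admin: str, ctype: str, scope: str, result: str = "success") -> Dict[str, Any]:
    """Build one constructed audit record; ResourceId is Microsoft Graph's well-known app ID."""
    perms = (f"[] => [[Id: grant-{sp[-2:]}, ClientId: {sp}, PrincipalId: {actor}, "
             f"ResourceId: 00000003-0000-0000-c000-000000000000, ConsentType: {ctype}, Scope: {scope}]]")
    return {"activityDateTime": ts, "activityDisplayName": "Consent to application",
            "category": "ApplicationManagement", "result": result,
            "initiatedBy": {"user": {"id": actor}},
            "targetResources": [{"id": sp, "type": "ServicePrincipal", "modifiedProperties": [
                {"displayName": "ConsentContext.IsAdminConsent", "newValue": json.dumps(admin)},
                {"displayName": "ConsentAction.Permissions", "newValue": json.dumps(perms)}]}]}


SAMPLE_AUDIT = [
    _record("2024-05-02T09:14:07Z", U_ALICE, SP_MAILHELPER, "False", "Principal",
            "openid profile offline_access Mail.Read Mail.Send"),
    _record("2024-05-02T09:20:33Z", U_ADMIN, SP_TEAMS, "True", "AllPrincipals", "User.Read"),
    _record("2024-05-02T10:02:11Z", U_BOB, SP_CALWIDGET, "False", "Principal", "openid profile User.Read"),
    _record("2024-05-02T10:05:48Z", U_BOB, SP_MAILHELPER, "False", "Principal",
            "openid offline_access Mail.Read", result="failure"),  # blocked by a consent policy
]

if __name__ == "__main__":
    for alert in triage_consents(SAMPLE_AUDIT, KNOWN_APPS):
        print(json.dumps(alert, indent=2))
```

Only the first record fires: a regular user granting mailbox read and send plus `offline_access` to an unreviewed multi-tenant app is the textbook illicit-consent shape. The failed attempt is skipped by design; if you want to see consent-policy blocks as a leading indicator, drop the `result` filter and keep the failures in a separate bucket.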
An important technical consideration Katie emphasizes:
"Writing down what GUID corresponds to what... there's going to be these long strings that represent object IDs and which object ID relates to what part of an identity can be really complicated."
8. Proactive Security Measures
Sam Kirkman emphasizes the importance of proactive security over reactive measures:
"Organizations are often dealing with an incident of some kind... and then they'll start implementing controls in response to that. Proactive security is about getting ahead of that."
Key proactive measures include:
Implementing Conditional Access Policies
Using Privileged Identity Management (PIM) for just-in-time access
Setting up proper monitoring and logging
Understanding your attack surface through regular assessment
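Sam's observation that tenants without Conditional Access “find that the defaults are very open” can be turned into a check you run on every tenant you inherit. Here is an added example for this newsletter, not Sam's code and not Microsoft's. The policies are constructed in the shape Microsoft Graph returns from `/identity/conditionalAccess/policies` (`displayName`, `state`, `conditions`, `grantControls`); the break-glass object IDs, role placeholder and the two-user exclusion threshold are assumptions. The checks are deliberately strict: a report-only policy does not count as enforced, a policy scoped to a subset of users or apps does not satisfy a tenant-wide requirement, and exclusions beyond the emergency-access accounts are reported.

```python
"""Lint a tenant's Conditional Access policies for common gaps.

Added example for this newsletter, not Microsoft's or the newsletter's own
code. Policies are constructed in the Graph conditionalAccessPolicy shape;
break-glass IDs and the exclusion threshold are assumptions.
"""
import copy
from typing import Any, Dict, List, Set

ENFORCED = "enabled"  # other Graph states: "disabled", "enabledForReportingButNotEnforced"
REPORT_ONLY = "enabledForReportingButNotEnforced"
LEGACY_CLIENTS = {"exchangeActiveSync", "other"}  # the clientAppTypes that carry legacy auth


def _users(policy: Dict[str, Any]) -> Dict[str, Any]:
    return policy.get("conditions", {}).get("users", {}) or {}


def _covers_everyone(policy: Dict[str, Any]) -> bool:
    apps = policy.get("conditions", {}).get("applications", {}) or {}
    return "All" in (_users(policy).get("includeUsers") or []) and "All" in (apps.get("includeApplications") or [])


def _controls(policy: Dict[str, Any]) -> Set[str]:
    return set((policy.get("grantControls") or {}).get("builtInControls") or [])


def requires_mfa_for_all(policy: Dict[str, Any]) -> bool:
    return policy.get("state") == ENFORCED and _covers_everyone(policy) and "mfa" in _controls(policy)


def blocks_legacy_auth(policy: Dict[str, Any]) -> bool:
    clients = set(policy.get("conditions", {}).get("clientAppTypes") or [])
    return (policy.get("state") == ENFORCED and _covers_everyone(policy)
            and _controls(policy) == {"block"} and LEGACY_CLIENTS <= clients)


def lint(policies: List[Dict[str, Any]], break_glass: Set[str], max_exclusions: int = 2) -> List[str]:
    """Return human-readable findings; an empty list means the baseline checks pass."""
    findings = []
    if not any(requires_mfa_for_all(p) for p in policies):
        findings.append("no enforced policy requires MFA for all users on all applications")
    if not any(blocks_legacy_auth(p) for p in policies):
        findings.append("legacy authentication (exchangeActiveSync/other) is not blocked tenant-wide")
    for p in policies:
        name, state = p.get("displayName", "?"), p.get("state")
        excluded = set(_users(p).get("excludeUsers") or [])
        if state == REPORT_ONLY:
            findings.append(f"'{name}' is report-only and enforces nothing")
            continue
        if state != ENFORCED:
            continue
        if _covers_everyone(p) and break_glass - excluded:  # lockout risk, not just a policy gap
            findings.append(f"'{name}' applies to all users but does not exclude break-glass {sorted(break_glass - excluded)}")
        if len(excluded - break_glass) > max_exclusions:
            findings.append(f"'{name}' excludes {len(excluded - break_glass)} users beyond the break-glass accounts")
        if _users(p).get("excludeGroups"):
            findings.append(f"'{name}' excludes whole groups: {_users(p)['excludeGroups']}")
    return findings


BREAK_GLASS = {"bg-0001"}  # object IDs of the emergency-access accounts (constructed)

# Constructed tenants. OPEN_TENANT is the state Sam describes: only a pilot, still report-only.
OPEN_TENANT = [
    {"displayName": "Require MFA for admins (pilot)", "state": REPORT_ONLY,
     "conditions": {"users": {"includeRoles": ["role-global-admin"]},
                    "applications": {"includeApplications": ["All"]}, "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]
HARDENED_TENANT = [
    {"displayName": "Require MFA for all users", "state": ENFORCED,
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["bg-0001"]},
                    "applications": {"includeApplications": ["All"]}, "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication", "state": ENFORCED,
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["bg-0001"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]
# Same baseline, but the MFA policy has accumulated exclusions over time.
LEAKY_TENANT = copy.deepcopy(HARDENED_TENANT)
LEAKY_TENANT[0]["conditions"]["users"].update(
    {"excludeUsers": ["bg-0001", "u-1001", "u-1002", "u-1003"], "excludeGroups": ["grp-contractors"]})

if __name__ == "__main__":
    for label, tenant in (("open", OPEN_TENANT), ("hardened", HARDENED_TENANT), ("leaky", LEAKY_TENANT)):
        print(label, lint(tenant, BREAK_GLASS) or ["ok"])
```

Feed it the JSON from `Get-MgIdentityConditionalAccessPolicy` or a direct Graph call and run it on a schedule; the “leaky” case is the one that tends to appear months after a clean rollout, when exclusions are added one ticket at a time and nobody looks at the aggregate.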
9. CSPM and Continuous Security Assessment
Cloud Security Posture Management (CSPM) in Azure requires a balance between automated tooling and security expertise. Karl Fosaaen notes:
"The scalability is kind of tough when you start getting into the thousands of subscriptions because at that point you're bordering on becoming a CSPM and it's kind of like, okay, well, how much of this is like CSPM activity or just doing a pentest?"
Key Components for Effective CSPM:
Enable Native Cloud Security Integration
Sai Gunaranjan emphasizes:
"The first thing is to actually enable defender and defender for cloud these services get baked into the subscription itself... And then every resource that's actually coming up on top of it actually will be monitored based on how you configure the policies."
Start a Continuous Monitoring Action Plan
Resource Graph for asset discovery and assessment
Defender for Cloud for threat detection
Automated policy enforcement
Regular compliance checks
Common Focus Areas
Sam Kirkman highlights the importance of comprehensive monitoring:
"Attack surface management is about knowing what you've got, what vulnerabilities affect it at all times. So the next time something is raised as an issue you can log on to your ASM platform and you know what you've got, whether it's vulnerable and how to fix it."
Priority areas should include:
Storage configurations
Network security rules
Identity management
Resource organization
Cross-subscription policies
Early Exclusive for newsletter readers interested in CSPM and CNAPP: we are running a Mind the CNAPP Original series that will go deeper into what CNAPP doesn’t cover and why a lot of organizations have gone beyond what a CSPM can help with. As a newsletter subscriber you get early exclusive access to the Original and the downloads that come with it. Fill out this form to be notified when the series goes live.
Practical Action Items based on the above for Azure Security Assessment 🎯
Immediate Actions:
Review your current Conditional Access Policies
Check for public storage accounts using Resource Graph Explorer
Audit service principal permissions
Short-term Projects:
Implement diagnostic logging for key resources
Review and update Azure RBAC assignments
Document your Azure security baseline
Learning Resources:
Microsoft Learn - AZ-104 Azure Administrator Associate course (free labs available)
John Savill's YouTube Channel - Technical deep-dives into Azure concepts
Azure Threat Research Matrix (ATRM) - aka.ms/ATRM
Microsoft Security Documentation - defender.microsoft.com
"Pentesting Azure for Ethical Hackers" by Karl Fosaaen and David Okeyode
Question for you? (Reply to this email)
Are Azure native security services sufficient for holistic security in Azure?
Next week, we'll explore another critical aspect of cloud security. Stay tuned!
We would love to hear from you📢 for a feature or topic request or if you would like to sponsor an edition of Cloud Security Newsletter.
Thank you for continuing to subscribe, and welcome to the new members of this newsletter community💙
Peace!
Was this forwarded to you? You can Sign up here, to join our growing readership.
Want to sponsor the next newsletter edition? Let’s make it happen
Have you joined our FREE Monthly Cloud Security Bootcamp yet?
Check out our sister podcast AI Cybersecurity Podcast