According to Microsoft Threat Intelligence Report, one of the most common attacks against IaaS VMs in Azure is the RDP brute-force attack. This attack usually take places for VMs that are exposing the RDP port (TCP 3389). Although RDP is the primary source, there are also brute-force against SSH (TCP 22).. Nowadays with COVID-19, with more employees working from home more often, threat actors are taking advantage of the increase of management ports open, which includes RDP and SSH. Users with weak passwords and without MFA enabled, are more susceptible to be compromised by and RDP brute force attack.. Keep in mind that compromising a server via RDP brute force is just the initial foothold, once the threat actors gain access to target machine, it will continue conducting malicious activities which may include coin mining and even ransomware type of attack.
One way to reduce the likelihood that your machine will be compromised via RDP brute-force is by reducing the exposure, in other words, limiting the amount of time that a port is open by securing your management ports using Just-in-time access, capability available in ASC Standard Tier.
This blog explain how to leverage automation to block traffic of specific IP to a VM in the NSG as a response to a Brute-force alert detected by Microsoft Defender for Cloud.
How does the automation work?
When Microsoft Defender for Cloud detects a Brute-force attack, it triggers an alert to bring you awareness that a brute force attack took place. The automation uses this alert as a trigger to block the traffic of the IP by creating a security rule in the NSG attached to the VM to deny inbound traffic from the IP addresses attached to the alert. In the alerts of this type, you can find the attacking IP address appearing in the 'entities' field of the alert.
The Logic App uses a system-assigned Managed Identity. You need to assign Contributor permissions or Security Reader and Network Contributor permissions to the Logic App's Managed Identity so it is able to create an NSG rule once there is an attack detected. You need to assign these roles on all subscriptions or management groups you want to monitor and manage resources in using this playbook. Note: You can assign permissions only if your account has been assigned Owner or User Access Administrator roles, and make sure all selected subscriptions registered to Microsoft Defender for Cloud.
Refer to the Readme file in our GitHub Repository for detailed procedure.
Deployment process and details
Navigate to Microsoft Defender for Cloud GitHub repository and select “Deploy to Azure” or “Deploy to Azure Gov”, as shown in Image 1:
Image 1: Git Hub repository
Once you have clicked on ‘Deploy’ option in the screen above, you should automatically be redirected to the Azure portal Custom deployment page where you can fill in the details of requirement as shown in Image 2, as shown below:
Image 2: Azure portal, Custom Deployment
The ARM template will create the Logic App Playbook and an API connection to Office 365, and MDCalert.
You need to authorize the Office 365 API connection so it can access the sender mailbox and send the email notification from there.
Once you review and create from Image 2, you would notice below resources created from the ARM template (Refer Image 3)
Image 3: Summary of the resources created from the ARM template
Define when the Logicapp should automatically run:
Workflow automation feature of Microsoft Defender for Cloud can trigger Logic Apps on security alerts and recommendations. For example, you might want Security Center to email a specific user when an alert occurs. When you add the workflow automation and trigger conditions as show in Image 4, the triggers will initiate this automatic workflow. In this example, you want the Logic App to run when a security alert that contains "bruteforce" is generated.
Note: Read more about workflow automation here
When a Bruteforce attack is detected by Microsoft Defender for Cloud as shown in Image 5, this would automatically apply the automation and blocks the traffic of the IP by creating a security rule in the NSG attached to the VM to deny inbound traffic from the IP addresses attached to the alert as shown in Image 6
Image 5: Brute force attack alert
Image 6: IP blocked by ASC
You would receive an email notification on the alert details as shown in Image 7:
This logic app as well as many other can be found here:
Direct Link to GitHub sample
Microsoft Defender for Cloud GitHub Repo
Most organizations lack the time and expertise required to respond to these alerts so many go unaddressed. Having this type of automation can address the threat immediately. I hope you enjoy reading this article and implementing, testing it as much as I enjoyed writing it.
Special thanks to:
Yuri Diogenes, @Yuri Diogenes, Principal PM Manager, CxE Team