Cloud cybersecurity is of paramount importance in today's digital landscape, as organizations increasingly rely on cloud services to store and manage sensitive data, applications, and infrastructure. Attacks on cloud infrastructure pose severe risks to organizations such as data theft, ransomware attacks, crypto mining attacks, and service disruption.
During a cyber-attack, after gaining initial access to the target network, the attacker begins to move deeper into the network in search of sensitive data and other high-value assets. This stage, called lateral movement, is critical, as it enables threat actors to explore and expand their presence within a target network, increasing the potential for further compromise of critical systems.
One of the most common techniques used by attackers to move laterally in a network is credential theft. This technique involves the exploitation of exposed secrets such as passwords, keys, tokens, and connection strings to gain access to additional assets in the network. Secrets are often found in files stored on the disks of virtual machines (VMs) or containers running on various cloud platforms.
The exposed secrets challenge:
Having exposed secrets can happen due to the following reasons:
Defender for Cloud's agentless secret scanning for virtual machines:
The agentless secret scanning is designed to assist in mitigating the risk of lateral movement. It broadens the coverage of cloud assets, enabling quick detection, prioritization, and remediation of exposed secrets.
Utilizing cloud APIs, it captures snapshots of your disks and conducts an out-of-band analysis, ensuring no impact on your virtual machines' performance. In addition, it identifies a variety of secrets across Azure, AWS, and GCP and provides practical suggestions for the following mitigations:
Onboarding:
Knowing that asset coverage plays a crucial role, we created a straightforward, easy onboarding experience: just one click, and all assets under the specified subscription are covered by our agentless scanning capability.
Figure: Agentless scanning configuration within the Defender for Servers settings
Detection and prioritization:
Microsoft's secrets detection engine can identify a wide range of secret types, such as tokens, passwords, keys, or credentials, that are stored in different file types within the OS file system. After collecting the necessary file and secret metadata from the disk, it sends them to the Defender for Cloud portal.
Prioritizing secrets can be a daunting task. You may wonder which secrets are the riskiest and require immediate attention. To evaluate the severity and urgency of each secret we detected, we provide:
Security Recommendations:
Figure: Enhanced recommendation experience aggregated by secret type
The security recommendations for secrets offer a consolidated view of the detected secrets, including details such as the file location of the secrets, the last access time, an indicator if the target resource that the secret provides access to exists, and more.
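To make the detection and prioritization step concrete, here is an added example (not Defender for Cloud's own engine, whose patterns and pipeline are not public on this page) that walks a read-only copy of a disk, matches two illustrative secret patterns, and reports findings grouped by secret type with the file location and last access time the recommendations expose. The sample disk contents, the simplified regexes, and the AWS documentation example key `AKIAIOSFODNN7EXAMPLE` are constructed for this example.

```python
import os
import re
import tempfile
from collections import defaultdict
from datetime import datetime, timezone

# Simplified, illustrative patterns for two secret types (assumption: real
# detection engines use far richer rules plus validation).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "azure_storage_account_key": re.compile(r"AccountKey=([A-Za-z0-9+/]{86}==)"),
}

def scan_snapshot(mount_root):
    """Walk an out-of-band copy of a disk (e.g. a mounted snapshot) and return
    findings grouped by secret type, each with its file path and last access time."""
    findings = defaultdict(list)
    for dirpath, _, filenames in os.walk(mount_root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable or special file; skip it
            st = os.stat(path)
            last_access = datetime.fromtimestamp(st.st_atime, tz=timezone.utc).isoformat()
            for secret_type, pattern in SECRET_PATTERNS.items():
                for m in pattern.finditer(text):
                    findings[secret_type].append({
                        "file": os.path.relpath(path, mount_root),
                        "last_access": last_access,
                        "value": m.group(0)[:8] + "...",  # redacted before reporting
                    })
    return dict(findings)

def build_sample_snapshot():
    """Constructed sample disk contents: a shell profile and an app config."""
    root = tempfile.mkdtemp(prefix="snapshot_")
    os.makedirs(os.path.join(root, "home", "app"))
    with open(os.path.join(root, "home", "app", ".bashrc"), "w") as fh:
        fh.write("export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n")
    with open(os.path.join(root, "home", "app", "app.config"), "w") as fh:
        fake_key = "A" * 86 + "=="  # constructed, not a real key
        fh.write("DefaultEndpointsProtocol=https;AccountName=demo;AccountKey=" + fake_key + "\n")
    return root

if __name__ == "__main__":
    for secret_type, items in scan_snapshot(build_sample_snapshot()).items():
        print(secret_type, items)
```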
Attack Path:
In this attack scenario, our scanner identified an AWS access key on the disk of a GCP VM instance. It was then able to pinpoint the AWS S3 bucket that the key could authenticate to. Leveraging the capabilities of Microsoft Defender CSPM, the attack path revealed that the initial GCP VM instance has a critical vulnerability and is exposed to the internet. This comprehensive context equips you with the necessary information for effective risk assessment and prioritization.
Cloud Security Explorer:
Figure: Use the cloud security explorer to search for plaintext secrets
Secrets tab (inventory):
Figure: Use the secrets tab to view all secrets detected for a specified virtual machine
We are thrilled to announce that agentless secret scanning for virtual machines is now GA for the Defender CSPM and Defender for Servers P2 plans. To start using this new feature, ensure that agentless scanning under the environment settings is enabled for the relevant subscriptions. For customers who have already enabled agentless scanning, no further action is needed.
To learn more regarding the prerequisites, detection capabilities, and more, please refer to the following documentation.