Prioritize Risk remediation with Microsoft Defender for Cloud Attack Path Analysis
Published Mar 07 2023 05:59 AM 7,378 Views
Microsoft

 

Introduction 

Our previous blogs “A Proactive Approach to Cloud Security Posture Management with Microsoft Defender for Cloud,” and “Proacting Hunting with Cloud Security Explorer in Defender for Cloud - Microsoft Community Hubemphasized the importance of proactive security posture management and outlined a successful organizational structure for security teams.  As a follow up article here we walk you through the scenarios how to identify and mitigate the biggest security risk issues while distinguishing them from less risky issues. 

 

Cloud environments are dynamically changing and to support rapidly changing threat and business environments in near real time, security teams need to act rapidly and effectively to mitigate risks and protect sensitive data and critical systems. 

Though cloud security solutions detect vulnerabilities and misconfigurations, growing number of assets can mean hundreds or thousands of security recommendations, overwhelming the security professionals to remediate the risks. 

By using Microsoft Defender for Cloud Attack Path Analysis, organizations can gain a better understanding of the potential attack paths that an attacker may take to compromise their cloud environment. This enables security professionals to prioritize risk remediation efforts and focus their resources on the most critical vulnerabilities and risks, to improve their overall security posture. 

To understand the prerequisites to Identify and remediate attack paths, visit: Identify and remediate attack paths - Defender for Cloud | Microsoft Learn 

Security administrators can use attack path analysis for risk remediation by following these steps: 

  1. Identify the Attack Paths: The first step is to identify the attack paths that an attacker might take to exploit vulnerabilities in the system. This includes mapping out the various components of the system, identifying the entry points, and analyzing the potential paths that an attacker might take. 
  2. Analyze the Risks: After identifying the attack paths, the next step is to analyze the risks associated with each path. This includes evaluating the likelihood and impact of a successful attack and identifying the potential consequences for the organization. 
  3. Prioritize Remediation Efforts: Based on the analysis of the risks, security administrators should prioritize their remediation efforts. This includes focusing on the most critical vulnerabilities and attack paths that present the greatest risk to the organization. 
  4. Develop and Implement Mitigation Strategies: After prioritizing remediation efforts, security administrators should develop and implement mitigation strategies to address the identified vulnerabilities and attack paths.  
  5. Test and Monitor: After implementing mitigation strategies, it is important to monitor the system to ensure that the vulnerabilities have been addressed and the attack paths have been closed. Security administrators need to proactively use the Attack Paths to ensure all critical paths are remediated 

Use case Scenarios: 

 

Scenario 1: 

A developer has created a Kubernetes pod to host a microservice that serves as the frontend for a popular e-commerce website. The pod is configured to use a Docker image that the developer found on a public repository, which they believed to be safe and suitable for their needs. 

However, the Docker image contains a high severity vulnerability in a popular library that is widely used in many web applications. This vulnerability can be exploited by an attacker to execute arbitrary code on the pod, potentially gaining access to sensitive data or taking control of the entire Kubernetes cluster. 

Attack path analysis helps you to address the issue and highlights it as an attack path within your environment.  Go to Defender for Cloud portal and select the Attack Path under Recommendations Blade. And select the attack path “Internet exposed Kubernetes pod is running a container with high severity vulnerabilities” 

 

Vasavi_Pasula_0-1678197201320.png

 

 The Attack path shows the “Entry Point” and the “Target” for the exploitable paths that attackers may use to breach your environment. It also highlights all the resources associated with the attack path in the Description. The CVEs List shows the vulnerabilities allowing remote code execution, on the Container Image. 

 

Vasavi_Pasula_1-1678197201324.png

 

 The Potential Impact helps Security Admins to analyze the risks associated with the attack path and the security administrators should prioritize their remediation efforts. Remediation Steps details the recommendations and mitigation strategies to reduce the likelihood of an attack. In this scenario, the remediation steps includes ‘Resolving the vulnerabilities on the Container Image’ and ‘Harden the internet exposure to the minimum required’ as a mitigation strategy to reduce the likelihood of the similar attacks. 

 

Scenario 2: 

A company has a virtual machine (VM) in the cloud running an SQL database that is exposed to the internet. The company has a user account with a commonly used username (e.g. "admin", “root”) . The VM also has a vulnerability that allows remote code execution. 

In this scenario, an attacker discovers the exposed SQL database and attempts to log in using common usernames and passwords. The use of commonly-used usernames makes it easier for attackers to guess or brute-force the credentials. If an attacker gains access to a user account, can access sensitive data or execute malicious code on the underlying virtual machine (VM). 

 

Vasavi_Pasula_2-1678197201327.png

 

The attack path “Internet exposed SQL on VM has a user account with commonly used username and allows code execution on the VM” shows the Entry point “VM” that is exposed to the internet and the Insights on the VM, displays the network ports exposed to the Internet. 

 

Vasavi_Pasula_3-1678197201330.png

 

 The insights on the “Target” SQL Virtual Machine highlights has user accounts with common usernames which are prone to brute force attacks and SQL server allows executing code on the underlying VM using a built-in mechanism such as xp_cmdshell or running a crypto miner. 

 

Vasavi_Pasula_4-1678197201334.png

 

 The potential Impact is that an attacker with network access to the SQL server can perform a brute force attack on the user account, gain access to the SQL server, and execute arbitrary code on the underlying VM. The remediation steps includes protecting the Internet exposed VMs with Network Security Groups and fix the vulnerabilities on the VM.  

Change the default username and password to something more unique and complex. This will make it harder for attackers to guess or brute-force the credentials needed to gain access to the VM. 

 

Scenario 3: 

An administrator accidentally configures the AWS S3 bucket to allow public access, instead of restricting it to authorized users only. A developer or user mistakenly uploads sensitive data to the AWS S3 bucket, not realizing that it will be publicly accessible. 

In this scenarios, sensitive data could be exposed to the public, potentially leading to data breaches, reputational damage, financial loss, and regulatory penalties. 

Defender for Cloud identifies a resource that contains sensitive data and a public read access is allowed to the data store with no authorization required. Publicly accessible S3 bucket with sensitive data stored are identified and listed under attack path “Internet exposed AWS S3 Bucket with sensitive data is publicly accessible”.  

 

Vasavi_Pasula_5-1678197201336.png

 

 The Attack path shows the “Entry Point” S3 bucket with Public Access and the “Target” Files with sensitive data stored on it. It also highlights the sensitive Info types and the File Names including the path. 

 

Vasavi_Pasula_6-1678197201337.png

 

The Potential Impact helps Security Admins to analyze the risks associated with the sensitive data exposure and they should prioritize their remediation efforts. In this scenario, the remediation steps includes ‘S3 buckets public read access should be removed’  and ‘Harden the internet exposure to the minimum required’ as a mitigation strategy to reduce the likelihood of the similar attacks. 

 

 

 

For more detailed list of the attack paths, connections, and insights you might see in Microsoft Defender for Cloud Reference list of attack paths and cloud security graph components - Defender for Cloud | Microsoft ... 

 

Conclusion 

Proactive security hunting is an essential component of cloud security, providing organizations with valuable insights into the tactics and techniques used by attackers and helping to improve security defenses and incident response capabilities. By adopting a proactive approach to security, organizations can better protect their critical assets and maintain the trust of their customers and stakeholders. 

 

  

 

Additional Resources 

If you are using Attack Path and Cloud Security Explorer and want to share your feedback with the Defender for Cloud Team, please e-mail us directly from here. You can also use the resources below to learn more about these capabilities: 

Reviewers 

Yuri Diogenes, Principal PM Manager, CxE Defender for Cloud 

Meital Taran- Gutman, Principal GPM (Defender for Cloud) 

Denis Mizetski, Principal PM Lead (Defender for Cloud) 

Tal Rosler, Senior PM (Defender for Cloud) 

 

 

 

Co-Authors
Version history
Last update:
‎Mar 07 2023 05:57 AM
Updated by: