Microsoft Defender for Cloud latest protection against sophisticated abuse of Azure VM Extensions
Introduction

Throughout recent years, the IT world has shifted its workloads, management layers, and machines to the cloud, introducing a new attack surface accompanied by new attack vectors. This shift has given threat actors a tactic for deploying cyber-attacks against organizations’ cloud environments: gaining strong permissions, operating for financial gain, and more. Upon compromising an identity with sufficient permissions in Azure, threat actors often try to abuse existing features of the environment that let them deploy their malicious activity stealthily, efficiently, and easily. One such feature is Azure VM extensions.

Announcing new detections and alerts against extension abuse

Azure VM extension abuse has never left Microsoft’s sight since its first appearance, and a previous publication has discussed the topic. Today, we continue to deliver customer protection as a result of extensive research and monitoring, announcing the new and enhanced protection capabilities against extension abuse that Microsoft Defender for Cloud offers as part of the Microsoft Defender for Servers plan 2 offering, and why they matter. Customers get these protection capabilities effortlessly, without the need to manually deploy a dedicated agent on the VM.

Azure virtual machine extensions

Azure virtual machine extensions are small applications that provide post-deployment configuration and automation on Azure VMs, such as software updates, code and script execution, antimalware deployments, and more. VM extensions play an instrumental role in workload management and VM maintenance. Many organizations’ cloud environments depend on extension capabilities such as automated configuration deployment, security management, continuous monitoring, troubleshooting, and log analytics.
On the other hand, extensions can be abused as a powerful cloud-native tool by threat actors who have gained an initial foothold in the victim’s Azure environment. Gated solely by Azure RBAC permissions, VM extensions let threat actors execute operations with high privileges to carry out stealthy and destructive cyber-attacks. In this blog, we will discuss the various extensions, their uniqueness, the corresponding MITRE techniques associated with them that are abused in the wild and researched in the security world, and introduce Microsoft Defender for Cloud’s new series of alerts that combats this abuse.

Threat hunting

Reconnaissance

Network Watcher, Azure Monitor, VMSnapshot extensions

These extensions allow different kinds of data collection and monitoring over network traffic, resource data, diagnostics, analytics, and more.

Network Watcher allows threat actors to capture network traffic, analyze packets, verify IP flow, and diagnose network security groups (NSGs). The Network Watcher tool can be invaluable for advanced threat actors looking to learn about the environment topology and identify weaknesses in the victim’s cloud environment by:
- Understanding the structure of the environment’s security framework.
- Using IP flow verification to check which packets are allowed and so find exposed resources.
- Analyzing existing NSGs to determine how to manipulate them to gain access and then persistence.

Azure Monitor allows threat actors to create data collection rules over resources in order to capture various kinds of machine logs and events. Capturing Windows events of different kinds, such as security, system, and application logs, can be highly valuable to threat actors gathering information about the compute running inside the environment. This can be done by creating a dedicated Log Analytics workspace that consumes the logs from the Azure Monitor agent on the VM.

VMSnapshot allows threat actors to capture VM disk snapshots as part of the Azure Backup service.
Through Microsoft’s extensive research and investigation of recent sophisticated attacks, evidence has shown that threat actors not only attempt to reset passwords and gain access and persistence on VMs by leveraging the VMAccess extension (discussed later on), but also attempt to capture disk snapshots of VMs that capture their interest during the initial phases, by leveraging Azure Backup service capabilities. Capturing disk snapshots allows threat actors to export critical data from the VM’s disks during a short window of time to a local or remote location, using a dedicated download URL or by copying the disk to another location in the environment. After that, threat actors will attempt to attach the disk snapshots to machines they control, after converting them to the right format.

Execution

Azure VM extensions offer a variety of ways to execute code and run scripts as SYSTEM/sudo on your virtual machines, providing threat actors with a powerful tool to facilitate deployment of their different attack techniques at scale:

(Managed) Run Command

Run Command uses the VM agent to run scripts on the VM as SYSTEM/sudo. It can be abused in a variety of ways: running recon commands to learn about the victim’s cloud environment, creating local admin users for persistence, downloading payloads onto the machine, executing crypto miners for impact, and more.

Custom Script extension (CSE)

The Custom Script extension allows the user to download and run a script on the VM as SYSTEM/sudo. CSE can be used to deploy different attack vectors at scale, especially when looking to run the same script across different VMs within a virtual machine scale set (unlike Run Command). As an example, Microsoft witnessed the following techniques being abused by a threat actor:
- Password spraying campaign: the threat actor successfully gains initial access to user accounts in Azure.
- Mass compute resource creation: the threat actor sets up the crypto mining environment with the needed network resources.
- Mass deployment of XMRig software on all compute using Custom Script Extensions to initiate the crypto mining campaign.

Azure Desired State Configuration (DSC) extension

The extension uploads and applies a DSC configuration on the VM. Using DSC, threat actors can maliciously deploy scheduled tasks, apply configurations, and execute scripts, resulting in the deployment of a backdoor, connection to a C2 (command and control) server, extraction of the VM’s managed identity, and more.

Persistence

Virtual Machine Access extension

The VMAccess extension allows the user to manage administrative users and reset access on Azure VMs. Threat actors often abuse the VMAccess extension to gain access to VMs inside the victim’s environment after gaining an initial foothold, by resetting passwords and SSH keys and manipulating the admin users on the VM. As a result, they can choose their target wisely inside the environment and gain access to it using only the cloud-native RBAC roles needed to execute the extension, thereby discovering sensitive information and disrupting critical workloads inside the environment. We can see that the new user can successfully run commands as sudo:

Impact

GPU Driver extension

The extension installs the NVIDIA or AMD GPU drivers on supported, GPU-equipped Azure VMs in order to take full advantage of the card’s capabilities. Threat actors can leverage this capability to deploy a GPU driver on supported Azure VMs in the victim’s Azure environment, follow up with the installation of crypto mining software by leveraging the Custom Script Extension or any other technique, and move on to the mining phase.

Disk Encryption extension

Azure Disk Encryption uses BitLocker to provide full disk encryption on Azure virtual machines.
Threat actors can abuse this extension by encrypting the disks of VMs in the victim’s cloud environment that capture their interest, with the goal of rendering all data permanently inaccessible by deleting the encryption key or the key vault that contains it. In such cases, it is crucial for the victim to be aware of purge protection and the other protection measures that Microsoft provides to delay or prevent deletion of the encryption key.

Detection

Having gone through the abuse scenarios for the various VM extensions, we will now dive into Microsoft’s new detection capabilities and techniques, and how we defend our customers through continuous monitoring and analysis of suspicious signals, from the control plane to the endpoint. Microsoft Defender for Cloud is announcing a new series of alerts targeting Azure VM extension abuse, available to customers through Microsoft Defender for Servers plan 2. The new series of detections targets not only a wide range of abuse techniques but also a wide range of extension abuse types, to protect our customers against emerging attack vectors. Through extensive research, we have been able to single out the suspicious signals for which the likelihood of a breach is high; by studying user behavior and monitoring for these signals, we are able to detect suspicious activity. Some of the signals are the following:
- Usage of VM extensions by a user account that hasn’t used any VM extensions recently.
- A sudden surge in extension usage by a suspicious user account, which might indicate post-breach reconnaissance, impact, or persistence activity.
- Code or script execution containing parts that indicate malicious intent.
- Usage of a combination of extensions in a short time window, which might indicate a reconnaissance attempt.
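The four signals above can be expressed as simple rules over extension operations recorded in the control-plane log. The following is an added example written for this page, not Microsoft’s detection logic: it runs each rule over a handful of constructed events. The record layout (time, caller, extension, vm, script) and the thresholds (a 14-day dormancy lookback, four operations in an hour, two distinct reconnaissance extensions in an hour) are assumptions chosen for illustration, loosely mirroring what an Azure Activity Log entry for an extension write or Run Command would carry.

```python
"""Toy implementation of the four suspicious-usage signals for VM extensions.

Added example, not Microsoft's detection code. Field names and thresholds are
assumptions; the events below are constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Extension types the post groups under reconnaissance.
RECON_EXTENSIONS = {"NetworkWatcher", "AzureMonitor", "VMSnapshot"}
# Constructed indicator list; "xmrig" is the miner named in the post.
SCRIPT_INDICATORS = ("xmrig",)
# Rules fire only for events from this point on; earlier events build the baseline.
EVAL_START = datetime(2024, 5, 10)

# Constructed sample: ops-admin uses extensions routinely, contractor never has.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "caller": "ops-admin", "extension": "CustomScriptExtension",
     "vm": "vm-web-01", "script": "apt-get update && apt-get -y upgrade"},
    {"time": "2024-05-02T09:05:00", "caller": "ops-admin", "extension": "CustomScriptExtension",
     "vm": "vm-web-02", "script": "apt-get update"},
    {"time": "2024-05-15T09:02:00", "caller": "ops-admin", "extension": "RunCommand",
     "vm": "vm-web-01", "script": "systemctl status nginx"},
    {"time": "2024-05-20T22:10:00", "caller": "contractor", "extension": "VMAccess",
     "vm": "vm-db-01", "script": ""},
    {"time": "2024-05-20T22:14:00", "caller": "contractor", "extension": "NetworkWatcher",
     "vm": "vm-db-01", "script": ""},
    {"time": "2024-05-20T22:20:00", "caller": "contractor", "extension": "VMSnapshot",
     "vm": "vm-db-01", "script": ""},
    {"time": "2024-05-20T22:25:00", "caller": "contractor", "extension": "CustomScriptExtension",
     "vm": "vm-gpu-01", "script": "nohup /tmp/xmrig &"},
    {"time": "2024-05-20T22:31:00", "caller": "contractor", "extension": "CustomScriptExtension",
     "vm": "vm-gpu-02", "script": "bash /tmp/setup.sh"},
]


def load_events(raw_events):
    """Parse timestamps and return the events in chronological order."""
    parsed = [{**e, "time": datetime.fromisoformat(e["time"])} for e in raw_events]
    return sorted(parsed, key=lambda e: e["time"])


def dormant_caller_alerts(events, since, lookback=timedelta(days=14)):
    """Signal 1: a caller uses an extension with no extension use in the lookback period."""
    last_seen = {}
    alerts = []
    for e in events:
        prev = last_seen.get(e["caller"])
        if e["time"] >= since and (prev is None or e["time"] - prev > lookback):
            alerts.append((e["caller"], e["time"].isoformat()))
        last_seen[e["caller"]] = e["time"]
    return alerts


def surge_alerts(events, window=timedelta(hours=1), threshold=4):
    """Signal 2: at least `threshold` extension operations by one caller inside a sliding window."""
    times_by_caller = defaultdict(list)
    for e in events:
        times_by_caller[e["caller"]].append(e["time"])
    alerts = []
    for caller, times in times_by_caller.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(caller)
                break
    return alerts


def script_indicator_alerts(events, indicators=SCRIPT_INDICATORS):
    """Signal 3: the script handed to an extension contains a known indicator."""
    return [(e["caller"], e["vm"], ind)
            for e in events for ind in indicators if ind in e["script"].lower()]


def recon_combo_alerts(events, window=timedelta(hours=1), min_distinct=2):
    """Signal 4: several different recon extensions used by one caller within a short window."""
    uses_by_caller = defaultdict(list)
    for e in events:
        if e["extension"] in RECON_EXTENSIONS:
            uses_by_caller[e["caller"]].append((e["time"], e["extension"]))
    alerts = []
    for caller, uses in uses_by_caller.items():
        for i, (t0, _) in enumerate(uses):
            distinct = {ext for t, ext in uses[i:] if t - t0 <= window}
            if len(distinct) >= min_distinct:
                alerts.append((caller, sorted(distinct)))
                break
    return alerts


def run_detections(raw_events, since=EVAL_START):
    """Run all four signals; events before `since` only serve as the behavioral baseline."""
    events = load_events(raw_events)
    recent = [e for e in events if e["time"] >= since]
    return {
        "dormant_caller": dormant_caller_alerts(events, since),
        "surge": surge_alerts(recent),
        "script_indicator": script_indicator_alerts(recent),
        "recon_combo": recon_combo_alerts(recent),
    }


if __name__ == "__main__":
    for signal, hits in run_detections(SAMPLE_EVENTS).items():
        print(f"{signal}: {hits}")
```

On the sample data only the contractor account trips the rules: ops-admin’s Run Command on May 15 comes 13 days after its last extension use and stays inside the 14-day lookback, so the dormancy rule is quiet for it. A production rule would take the baseline from a longer history and per-tenant thresholds rather than the constants used here.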
Mitigation

Identities in Azure require certain highly privileged roles to use extensions; this is yet another example of how identities and permissions are the core of a cloud environment’s access controls. As a result, we recommend building a strong, least-privilege framework that grants each identity only the permissions needed to perform its dedicated, legitimate operations, preventing imminent attacks. In addition, continuous monitoring and detection efforts are essential to remediate ongoing attacks and prevent possible future ones.

Conclusion

With the advent and continued growth of cloud computing in Azure, many threat actors rely on techniques that facilitate deployment of their malicious activities, and so target Azure VM extensions. As a result of in-depth research and continued monitoring, Microsoft Defender for Cloud is announcing a detection campaign to provide its customers with strong security measures against sophisticated attack vectors and threat actor campaigns targeting extension abuse.

Learn more about VM extensions: Link
Learn more about the new series of alerts: Release Notes, Azure VM extensions alerts table
Learn more about Defender for Cloud plans: Link
Learn more about Defender for Servers plans: Link

Protect Against OWASP API Top 10 Security Risks Using Defender for APIs
The OWASP API Security Project focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of APIs. In this post, we'll dive into how Defender for APIs (a plan provided by Microsoft Defender for Cloud) provides security coverage for the OWASP API Top 10 security risks.

Announcing Microsoft Defender for Cloud capabilities to counter identity-based supply chain attacks
In this blog, we will demonstrate the mechanisms of identity-based supply chain attacks in the cloud and discuss how service providers’ cloud access can be used by attackers for identity-based supply chain attacks. We will also show how a new alert enrichment in Microsoft Defender for Cloud can help to detect and remediate those threats.

How-to use Microsoft Defender for Cloud Ransomware alerts to preserve Azure Backup recovery points
Credits: This blog post has been co-authored by Chaya Aishwarya. Automation samples developed by Akhil Nampelly, Rajath Ranganath and Vasavi Pasula. Reviewers: Srinath Vasireddy, Anshul Ahuja, Neeraj Jain, Pratik Joshi, Kalyan Karri, Sivasubramanian Narayanan, Yuri Diogenes

Introduction

Ransomware attacks deliberately encrypt or tamper with data to force your organization to pay money to attackers. These attacks can target your data and your backups. The best way to avoid falling victim to ransomware is to implement preventive measures and have tools that protect your organization at every step attackers take to infiltrate your systems. You can leverage Azure native ransomware protection capabilities and implement the best practices to ensure your organization is optimally positioned to prevent, protect against, and detect potential ransomware attacks on your Azure assets. One of the most important steps you can take to protect your data is to have a reliable backup infrastructure. But it's just as important to ensure that your data is backed up in a secure fashion and that your backups are always protected. Azure Backup provides several security capabilities to help you protect your backup data:
- Soft Delete is enabled by default: even if a malicious actor deletes a backup (or backup data is accidentally deleted), the backup data is retained for 14 additional days, allowing recovery of that backup item with no data loss.
- Immutable vault can help you protect your backup data by blocking any operations that could lead to loss of recovery points.
- You can configure Multi-user authorization (MUA) for Azure Backup as an additional layer of protection for critical operations on your Recovery Services vaults.
Even if security best practices are not followed and notifications aren't configured for the Recovery Services vault, critical alerts for destructive operations (such as stop protection with delete backup data) are still raised and an email is sent to subscription owners, admins, and co-admins (learn more).

Microsoft Defender for Cloud is a Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) for all of your Azure, on-premises, and multicloud (Amazon AWS and Google GCP) resources. Defender for Cloud generates security alerts when threats are identified in your cloud, hybrid, or on-premises environment. It is available when you enable enhanced security features. Each alert provides details of the affected resources along with the information you need to quickly investigate the problem and the steps to take to remediate an attack. In the event of a malware or ransomware attack on an Azure Virtual Machine, Microsoft Defender for Cloud detects suspicious activity and indicators associated with ransomware on the VM and generates a security alert. Here are the Defender for Cloud alerts that trigger on a ransomware detection:
- Detected Petya ransomware indicators
- Ransomware indicators detected
- Behavior similar to Fairware ransomware detected
- Behavior similar to ransomware detected

Defender for Cloud provides threat intelligence reports containing information about detected threats. This helps incident response teams investigate and remediate threats. For more details: Microsoft Defender for Cloud threat intelligence report | Microsoft Learn

Solution details

Assume a virtual machine protected by both Defender and Azure Backup is breached. Defender detects the ransomware and raises an alert that includes details of the activity and suggested recommendations to remediate. As soon as a ransomware signal is detected by Defender, ensuring backups are preserved (i.e., paused from expiring) to minimize data loss is top of our customers’ minds.
This sample solution demonstrates integration of Azure Backup with Microsoft Defender for Cloud for detection and response to alerts, to accelerate response. The sample illustrates the following three use cases: 1) the ability to send email alerts to the backup admin, 2) a SecOps admin triages and manually triggers the logic app to secure backups, and 3) a workflow that automatically responds to the alert by performing the Disable Backup Policy (Stop backup and retain data) operation.

Step-by-step instructions

Prerequisites:
- Enable Azure Backup for Virtual Machines
- Enable Microsoft Defender for Servers Plan 2 for the Subscription

Note: This sample solution is scoped to Azure Virtual Machines. The logic app can only be deployed at a subscription level, which means that all Azure VMs under the subscription can leverage the logic app for pausing expiry of recovery points in the event of a security alert.

Step 1: Deploy the logic app

Note: Owner access on the Subscription is needed to deploy the logic app.

Visit GitHub and click on ‘Deploy to Azure’ as shown below. Input the following values in the deployment page:
- Subscription: Select the Subscription whose Azure VMs the logic app should govern.
- Name: Input a suitable name for the logic app.
- Region: Choose the region with which the Subscription is associated.
- Email: Input the email address of the Backup admin, who will receive alerts when a policy is suspended.
- Resource Group: Logic apps need to be associated with a Resource Group for deployment. Choose any Resource Group for this.
- Managed Identity: Create and assign a Managed Identity (for guidance on creating a user-defined Managed Identity, visit here) with the minimum permissions below, so the service can perform the ‘Stop backup and retain data’ operation on the backup item automatically in the event of a malware alert.
  - Virtual Machine Contributor on the subscription
  - Backup Operator on the subscription
  - Security Reader

Note: To further tighten security, we recommend you create a custom role and assign it to the Managed Identity instead of the built-in roles above. This ensures that all calls run with least privilege. For more details on the custom role, visit the GitHub article.
- Managed Identity Subscription: Input the name of the Subscription in which the Managed Identity should reside.
- Managed Identity Resource Group: Input the name of the Resource Group in which the Managed Identity should reside.

Step 2: Authorize Office 365 for email alerts

To authorize the API connection to Office 365:
1. Go to the Resource Group you used to deploy the template resources.
2. Select the Office365 API connection (one of the resources you just deployed) and click on the error that appears at the API connection.
3. Press Edit API connection.
4. Press the Authorize button. Make sure to authenticate against Azure AD.
5. Press Save.

Step 3: Triggering the logic app

The logic app deployed in step 1 can be triggered manually or automatically by leveraging workflow automation.

Triggering manually:
1. Visit Microsoft Defender for Cloud and navigate to Security Alerts in the sidebar.
2. Click on the required alert to expand its details.
3. Click on ‘Take action’, choose ‘Trigger automated response’, and click on ‘Trigger logic app’.
4. Search for the logic app deployed in step 1 by name and click ‘Trigger’.

Note: The minimum RBAC permissions needed for triggering an action for the security alert are as follows: Logic App Operator, Security Admin role.

Triggering using workflow automation via the Azure portal:

Workflow automation ensures that in the event of a security alert, the backups of the VM facing the issue will automatically reach the ‘Stop backup and retain data’ state, suspending the policy and pausing recovery point pruning. You can also use Azure Policy to deploy workflow automations.
Note: Minimum roles of Logic App Operator and Security Admin are required to deploy the workflow automation.
1. In Defender for Cloud's sidebar, select Workflow automation.
2. Select Add workflow automation. The options pane for your new automation opens.
3. Input the following values:
   - Name and Description: Input a suitable name for the automation.
   - Subscription: Define the scope of the automation; this should be the same as the scope of the logic app.
   - Resource Group: Choose the RG in which the automation will reside.
   - Defender for Cloud Data Type: Security Alert
   - Alert name contains: ‘Malware’ or ‘ransomware’
   - Alert severity: High
   - Logic app: Choose the logic app deployed in step 1

Step 4: Email alerts

Upon disabling the backup policy on the backup item, the logic app also sends an email to the ID entered during deployment. The email ID should ideally be that of the Backup admin. The alert can then be investigated, and the backups can be resumed once the issue is resolved or if it is a false alarm.

Additional resources:
- What is Microsoft Defender for Cloud? - Microsoft Defender for Cloud | Microsoft Learn
- Reference table for all security alerts in Microsoft Defender for Cloud | Microsoft Learn
- https://learn.microsoft.com/en-us/azure/backup/backup-azure-immutable-vault-concept
- https://learn.microsoft.com/en-us/azure/backup/backup-azure-immutable-vault-how-to-manage
- https://techcommunity.microsoft.com/t5/azure-storage-blog/how-azure-backup-soft-delete-protects-from...
- https://learn.microsoft.com/en-us/azure/backup/backup-azure-security-feature-cloud
- https://learn.microsoft.com/en-us/azure/backup/backup-azure-enhanced-soft-delete-about
- https://learn.microsoft.com/en-us/azure/backup/multi-user-authorization-concept?tabs=recovery-servic...
- https://learn.microsoft.com/en-us/azure/backup/backup-azure-security-feature-cloud#frequently-asked-...

Validating Microsoft Defender for App Service Alerts
Disclaimer

This document is provided “as is.” MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.

Introduction

Microsoft Defender for App Service helps organizations be more secure by providing dedicated security analytics for your App Service resources. The purpose of this article is to provide specific guidance on how to validate Microsoft Defender for App Service alerts by simulating suspicious activity on applications running on App Service.

Preparation

The first step in validating Microsoft Defender for App Service alerts is to ensure that Microsoft Defender for App Service is enabled on the subscription(s) you want to use to validate the alert, as shown in Figure 1. Enabling Microsoft Defender for App Service provides monitoring and threat detection for a multitude of threats to your App Service resources. Additionally, enabling Microsoft Defender for App Service surfaces security findings with recommendations on how to harden the resources covered by your App Service plan. To learn more about Microsoft Defender for App Service, watch this video. Microsoft Defender for Cloud plans can be enabled individually; for the purpose of validating the scenario covered in this article, the only prerequisite is to enable Microsoft Defender for App Service. After enabling Microsoft Defender for App Service, you need to determine the scenario that you want to validate. Common scenarios that can be simulated range from PHP uploads to Nmap scanning, or even Content Management System (CMS) fingerprinting. When determining the scenarios for which you would like to validate alerts, you can also consult the reference guide of alerts for Azure App Service.
Microsoft Defender for App Service alerts are mapped to and cover almost all of the MITRE ATT&CK tactics, from pre-attack to command and control, which can be useful when deciding which scenario(s) you wish to simulate. If you only wish to test that the pipeline is working, there is also a test alert for App Service which can be invoked by making a web request to the “/This_Will_Generate_ASC_Alert” URI. That is, if your site is named ‘foo’, making a request to https://foo.azurewebsites.net/This_Will_Generate_ASC_Alert will generate an alert similar to the one shown in Figure 2. In this article, we will simulate the scenario of accessing a suspicious PHP page located in the upload folder, which generates the “PHP file in upload folder” alert. This type of folder doesn’t usually contain PHP files, and their presence might indicate exploitation of an arbitrary file upload vulnerability.

Implementing

To simulate this scenario, you can either use an existing Web App or create a new one. When creating a new Web App, you can deploy a PHP app to Azure App Service on Linux (select PHP 7.4 as the runtime stack). The alert that will be generated applies to both App Service on Linux and Windows. Once you’ve created the App Service Plan and the Web App, install WordPress 5.8 (including creating an Azure Database for MySQL server). To learn more about how to create a PHP Web App in Azure App Service, read this guidance.

Note: In most cases, it might take up to 12 hours for alerts related to a newly created web site to appear.

To simulate the scenario of accessing a suspicious PHP page located in the upload folder, a PHP page is required. You can use the sample below to create a test PHP page (shown in Figure 3) and save it as a PHP file. Afterwards, navigate to “/wp-content/uploads/2021/08/” and upload the file.
Important: After you’ve uploaded the PHP file to this folder, you need to browse to this PHP page using a browser (similar to Figure 5). Please note that the output on the page will depend on the code in your test PHP file.

Validating

Once Microsoft Defender for App Service generates the alert on the target subscription(s), you can find it in the “Security alerts” section of the Microsoft Defender for Cloud dashboard. Selecting the generated alert (in this case “PHP file in upload folder”) opens a blade that provides more context and rich metadata about the alert (similar to Figure 6). When validating the alerts, be sure to consult the full list of App Service alerts. You can also export Microsoft Defender for Cloud alerts to a SIEM (e.g. Azure Sentinel or a third-party SIEM).
- Learn more about how to stream alerts to a SIEM, SOAR or ITSM.
- Learn more about how to investigate Microsoft Defender for Cloud alerts using Azure Sentinel.
- Learn more about Analysing Web Shell Attacks with Microsoft Defender for Cloud data in Azure Sentinel - Microsoft Tech Community.

Final Considerations

Microsoft Defender for App Service is all about providing threat detection and security recommendations for applications running on App Service. This article focuses on validating alerts for Microsoft Defender for App Service by simulating a specific scenario, namely accessing a suspicious PHP page located in the upload folder. Properly executing the steps outlined in this article generates the security alert “PHP file in upload folder”. This article is not intended to cover all scenarios, but it does provide real value as you get started with validating Microsoft Defender for App Service alerts. Remember to keep an eye out for other articles from this series, which can be found on our official ASC Tech Community.
Reviewers: @Yuri Diogenes, Principal PM; @Tomer Spivak, Senior PM
Contributors: Dotan Patrich, Principal Software Engineer; Yossi Weizman, Senior Security Researcher; Ram Pliskin, Senior Security Researcher Manager; Lior Arviv, Senior PM

Microsoft Defender for Cloud - Elevating Runtime Protection
In today's rapidly evolving digital landscape, runtime security is crucial for maintaining the integrity of applications in containerized environments. As threats become increasingly sophisticated, the demand for more adaptive protection continues to rise. Attackers are no longer relying on generic exploits; they are actively targeting vulnerabilities in container configurations, runtime processes, and shared resources. From injecting malicious code to escalating privileges and exploiting kernel vulnerabilities, their tactics are constantly evolving. Overcoming these challenges requires continuous monitoring, validating container immutability, and detecting anomalies to prevent and respond to threats in real time, ensuring container security throughout the container lifecycle. Building on these best practices, Microsoft Defender for Cloud delivers advanced and innovative runtime threat protection for containerized environments, providing real-time defense and adaptive security to address evolving threats head-on.

Empowering SOC with real-time threat detection

At the heart of our enhanced runtime protection lie our advanced detection capabilities. To stay ahead of evolving threats and offer near real-time threat detection, Microsoft Defender for Cloud is proud to announce significant advancements in its unique eBPF sensor. This sensor now provides Kubernetes alerts, powered by the Microsoft Defender for Endpoint (MDE) detection engine in the backend. Leveraging Microsoft’s industry-leading security expertise, we've tailored MDE's robust security capabilities to specifically address the unique challenges of containerized environments. By carefully validating detections against container-specific threat landscapes, adding relevant context, and adjusting alerts as needed, we've optimized the solution for the accuracy and effectiveness that cloud-native environments need.
By utilizing the MDE detection engine, we offer the following enhancements:
- Near real-time detection: Our solution provides timely alerts, enabling you to respond quickly to threats and minimize their impact.
- Expanded threat coverage: We've expanded our detection capabilities to cover a broader range of threats, such as binary drift and additional threat matrix coverage.
- Enhanced visibility: Gain deeper insights into your container environment with detailed threat information and context that is sent to Defender XDR for further investigation.

Switching between multiple portals leaves customers with a fragmented view of their security landscape, hindering their ability to investigate and respond to security incidents efficiently. To combat this, Defender for Cloud alerts are integrated with Defender XDR. By centralizing alerts from both solutions within Defender XDR, customers gain comprehensive visibility of their security landscape and simplify incident detection, investigation, and response.

Introducing binary drift detection

To maintain optimal security and performance, containerized applications should strictly adhere to their defined boundaries. With binary drift detection in place, unauthorized code injections can be swiftly identified. By comparing the modified container against the original image, the system detects any discrepancies, enabling a timely response to potential threats. By combining binary drift detection with other security measures, organizations can reduce the risk of exploitation and protect their containerized applications from malicious attacks.

Figure: An example of binary drift detection

Key takeaways from the above illustration:
- Common Vulnerabilities and Exposures (CVEs) pose significant risks to containerized environments.
- Binary drift detection can help identify unauthorized changes to container images, even if they result from CVE exploitation.
- Regular patching and updating of container images are crucial to prevent vulnerabilities.
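To make the comparison concrete, here is an added example (not Defender for Cloud’s implementation) of the idea behind binary drift detection: hash every executable in the image, hash every executable in the running container, and report what is new or changed. An allowlist of path patterns stands in for the policy exception that lets sanctioned debugging or monitoring tools run without alerting. The two in-memory “filesystems” are constructed for the example; `manifest_from_directory` shows how the same manifest would be built from a real directory tree.

```python
"""Toy binary drift check: executables in a running container vs. its image.

Added example, not Defender for Cloud's implementation. IMAGE_FS and
RUNTIME_FS are constructed stand-ins for the image layers and the live
container filesystem; the policy pattern is an assumption for illustration.
"""
import hashlib
import os
from fnmatch import fnmatch


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def manifest_from_files(files: dict) -> dict:
    """path -> sha256 for a constructed {path: bytes} filesystem."""
    return {path: sha256_hex(content) for path, content in files.items()}


def manifest_from_directory(root: str) -> dict:
    """Same manifest built from a real directory tree, keeping only executable files."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and os.access(full, os.X_OK):
                with open(full, "rb") as fh:
                    manifest["/" + os.path.relpath(full, root)] = sha256_hex(fh.read())
    return manifest


def detect_drift(image_manifest: dict, runtime_manifest: dict, allow_patterns=()):
    """Return (path, reason) for executables that are new or modified relative to
    the image, unless a policy pattern explicitly allows that path."""
    findings = []
    for path, digest in sorted(runtime_manifest.items()):
        if path not in image_manifest:
            reason = "new executable not present in image"
        elif image_manifest[path] != digest:
            reason = "executable modified since image build"
        else:
            continue  # identical to the image: no drift
        if any(fnmatch(path, pattern) for pattern in allow_patterns):
            continue  # expected deviation per policy (e.g. a sanctioned debug tool)
        findings.append((path, reason))
    return findings


# Constructed sample data: the image as built, and the container a while after start.
IMAGE_FS = {
    "/usr/local/bin/app": b"ELF app v1",
    "/bin/sh": b"ELF sh",
}
RUNTIME_FS = {
    "/usr/local/bin/app": b"ELF app v1 patched",  # modified in place
    "/bin/sh": b"ELF sh",                         # unchanged
    "/opt/debug/strace": b"ELF strace",           # added by an operator, allowed by policy
    "/tmp/.cache/worker": b"ELF unknown",         # dropped at runtime, not allowed
}
DEBUG_POLICY = ("/opt/debug/*",)


def run_example():
    """Drift findings for the constructed container under the debug-tool policy."""
    return detect_drift(manifest_from_files(IMAGE_FS), manifest_from_files(RUNTIME_FS), DEBUG_POLICY)


if __name__ == "__main__":
    for path, reason in run_example():
        print(f"DRIFT {path}: {reason}")
```

With the policy applied the check reports the modified application binary and the unknown file under /tmp, while the sanctioned strace copy is ignored; without the policy all three deviations are reported. A real sensor would identify executables by what is actually executed rather than by mode bits, but the comparison against the image manifest is the same.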
In some customer environments, it's common to deviate from best practices. For example, tasks like debugging and monitoring often require running processes that aren’t part of the original container image. To handle this, we offer binary drift detection along with a flexible policy system that lets you choose when to receive alerts and when to ignore them. You can customize these settings for your whole cloud environment or by filtering specific Kubernetes resources.

Learn more about binary drift detection

For a deep dive into binary drift detection and how it can enhance your container security posture, please see Container, Security, Kubernetes.

Presenting new scenario-driven alert simulation

Simulate real-world attack scenarios within your containerized environments with this innovative simulator, enabling you to test your detection capabilities and response procedures. By leveraging this powerful tool, you can enhance your security posture and protect your containerized environments from emerging threats. Examples of the attack scenarios that can be simulated using this tool are:
- Reconnaissance activity: Mimic the actions of attackers as they gather information about your cluster.
- Cluster-to-cloud: Simulate lateral movement as attackers attempt to spread across your environment.
- Secret gathering: Test your ability to detect attempts to steal sensitive information.
- Crypto-mining activity: Simulate the impact of resource-intensive crypto-mining operations.
- Webshell invocation: Test your detection capabilities for malicious web shells.

You can gain valuable insights into your security controls and identify areas for improvement. This tool provides a safe and controlled environment to practice incident response, ensuring that your team is well-prepared to handle real-world threats.

Key benefits of scenario-driven alert simulation:
- Test detection capabilities: Validate your ability to identify and respond to various attack types.
- Validate response procedures: ensure your incident response teams are prepared to handle real-world threats.
- Identify gaps in security: discover weaknesses in your security posture and address them proactively.
- Improve incident response time: practice on simulated incidents to reduce response times in real situations.

[Figure: Alert simulation tool]

Enhancing Cloud Detection and Response (CDR)

From detection to resolution, every step of the process has been streamlined for robust and efficient threat management. Better visibility, faster investigation, and precise response capabilities let SOC teams address container threats with confidence, reducing risk and operational disruption across multi-cloud environments.

Cloud-native response actions for containers

Swift and precise containment is critical in dynamic, containerized environments. To address this, we have introduced cloud-native response actions in Defender XDR that let SOC teams:

- Isolate a compromised pod instantly, cutting off unauthorized access to it and preventing lateral movement from it.
- Terminate a compromised pod with a single click, stopping ongoing malicious activity and minimizing its impact.

These capabilities are designed for the particular challenges of multi-cloud ecosystems and help security teams reduce Mean Time to Resolve (MTTR) while maintaining operational continuity.

[Figure: Response actions]

[Figure: Action center view]

Log collection in advanced hunting

Limited visibility into Kubernetes activity, cloud infrastructure changes, and runtime processes weakens threat detection and investigation in containerized environments. To bridge this gap, the advanced hunting experience in Defender XDR now collects:

- KubeAudit logs: detailed insight into Kubernetes API events and activity.
- Azure control plane logs: a comprehensive view of cloud infrastructure activity.
- Process events: detailed runtime activity.
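To make concrete what hunting over collected KubeAudit logs looks like, here is an added example that is not Microsoft's code and not a Defender XDR query: plain Python over Kubernetes audit events (the audit.k8s.io/v1 shape: verb, user.username, objectRef, responseStatus.code, timestamps) that flags an identity reading Secrets across several namespaces in a short window, or listing Secrets cluster-wide, which is the behaviour the "secret gathering" simulation scenario above exercises. The audit events are constructed samples; the 5-minute window and the two-namespace threshold are assumptions a real hunt would tune.

```python
"""Added example (not Microsoft's code): hunting KubeAudit logs for secret gathering.

Constructed audit.k8s.io/v1 events are parsed, filtered to Secret reads, and
scored per identity: many namespaces in a short window, or a cluster-wide list,
is the pattern we want to surface. Thresholds are assumptions.
"""
from __future__ import annotations
import json
from collections import defaultdict
from datetime import datetime, timedelta

SECRET_VERBS = {"get", "list", "watch"}
WINDOW = timedelta(minutes=5)  # assumed: namespaces touched within 5 minutes
NAMESPACE_THRESHOLD = 2        # assumed: 2+ distinct namespaces is worth a look


def _audit(ts, user, verb, uri, resource, namespace, code, name=None, ip="10.244.1.7"):
    """Build one constructed audit.k8s.io/v1 event, trimmed to the fields the hunt uses."""
    obj = {"resource": resource}
    if namespace:
        obj["namespace"] = namespace
    if name:
        obj["name"] = name
    return json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
        "verb": verb, "requestURI": uri, "user": {"username": user}, "sourceIPs": [ip],
        "objectRef": obj, "responseStatus": {"code": code}, "requestReceivedTimestamp": ts,
    })


APP = "system:serviceaccount:default:app"
AUDIT_LINES = [  # constructed: a service account sweeping namespaces, then a cluster-wide list
    _audit("2024-05-01T10:00:00.000000Z", APP, "list", "/api/v1/namespaces/prod/secrets", "secrets", "prod", 200),
    _audit("2024-05-01T10:00:01.000000Z", APP, "list", "/api/v1/namespaces/prod/pods", "pods", "prod", 200),
    _audit("2024-05-01T10:00:05.000000Z", APP, "list", "/api/v1/namespaces/dev/secrets", "secrets", "dev", 200),
    _audit("2024-05-01T10:00:09.000000Z", APP, "list", "/api/v1/namespaces/kube-system/secrets", "secrets", "kube-system", 403),
    _audit("2024-05-01T10:00:15.000000Z", APP, "get", "/api/v1/namespaces/prod/secrets/db-creds", "secrets", "prod", 200, name="db-creds"),
    _audit("2024-05-01T10:30:00.000000Z", "jane", "get", "/api/v1/namespaces/prod/secrets/tls-cert", "secrets", "prod", 200, name="tls-cert", ip="203.0.113.9"),
    _audit("2024-05-01T11:00:00.000000Z", "jane", "list", "/api/v1/secrets", "secrets", None, 200, ip="203.0.113.9"),
]


def parse_events(lines):
    """Keep completed Secret read requests, normalised to the fields the hunt needs."""
    events = []
    for line in lines:
        ev = json.loads(line)
        obj = ev.get("objectRef") or {}
        if ev.get("stage") != "ResponseComplete":
            continue  # only completed requests carry the final response code
        if obj.get("resource") != "secrets" or ev.get("verb") not in SECRET_VERBS:
            continue
        events.append({
            "user": ev["user"]["username"],
            "verb": ev["verb"],
            "namespace": obj.get("namespace"),  # None means a cluster-wide request
            "code": ev["responseStatus"]["code"],
            "ip": (ev.get("sourceIPs") or ["?"])[0],
            "ts": datetime.strptime(ev["requestReceivedTimestamp"], "%Y-%m-%dT%H:%M:%S.%fZ"),
        })
    return sorted(events, key=lambda e: e["ts"])


def hunt_secret_gathering(events, window=WINDOW, threshold=NAMESPACE_THRESHOLD):
    """Return one finding per identity whose Secret access looks like harvesting."""
    findings = []
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)
    for user, evs in by_user.items():
        # A successful cluster-wide Secret list/watch is suspicious on its own.
        for ev in evs:
            if ev["verb"] != "get" and ev["namespace"] is None and 200 <= ev["code"] < 300:
                findings.append({"user": user, "kind": "cluster_wide_secret_list",
                                 "at": ev["ts"], "ip": ev["ip"]})
        # Sliding window: how many namespaces did this identity read Secrets from?
        for i, start in enumerate(evs):
            namespaces, denied = set(), 0
            for ev in evs[i:]:
                if ev["ts"] - start["ts"] > window:
                    break
                if ev["namespace"] is None:
                    continue
                if 200 <= ev["code"] < 300:
                    namespaces.add(ev["namespace"])
                elif ev["code"] in (401, 403):
                    denied += 1  # refusals still show intent and scope
            if len(namespaces) >= threshold:
                findings.append({"user": user, "kind": "multi_namespace_secret_access",
                                 "at": start["ts"], "ip": start["ip"],
                                 "namespaces": namespaces, "denied": denied})
                break
    return findings


if __name__ == "__main__":
    for f in hunt_secret_gathering(parse_events(AUDIT_LINES)):
        print(f"{f['kind']}: {f['user']} from {f['ip']} at {f['at']:%H:%M:%S}")
```

Two details carry over to a real hunting query: denied (403) requests are kept as evidence of intent even though they returned nothing, and a list with no namespace in objectRef is treated differently from a namespaced one, because a cluster-wide Secret list is rarely something an application workload needs.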
This enriched data lets SOC teams run deeper investigations, hunt for advanced threats, and create custom detection rules. With visibility across AKS, EKS, and GKE, these capabilities strengthen defenses and support a proactive security strategy.

[Figure: Advanced hunting view]

Accelerating investigations with built-in queries

Lengthy investigations delay incident resolution and give an attack more time to succeed. To address this, Go hunt now includes pre-built queries tailored to cloud and container threats. These built-in queries let SOC teams:

- Spend their time identifying attacker activity rather than writing custom queries.
- Gain insights in minutes rather than hours, cutting investigation time substantially.

This streamlined approach improves SOC efficiency: teams spend more time on remediation and less on query development.

[Figure: Go hunt view]

Bridging knowledge gaps with guided response using Microsoft Security Copilot

Many security teams, especially those working in complex environments such as containers, do not have deep expertise in every aspect of container threat response, and they may encounter threats or vulnerabilities they have not seen before. To bridge this gap, we are integrating with Security Copilot, which offers:

- Step-by-step, context-rich guidance for each incident.
- Tailored recommendations for effective threat containment and remediation.

By leveraging AI-driven insights, Security Copilot helps SOC teams of varying expertise levels navigate incidents with precision, ensuring consistent and effective responses across the board.

[Figure: Security Copilot recommendations]

Summary

Microsoft Defender for Cloud has introduced significant advancements in runtime protection for containerized environments.
By leveraging the Microsoft Defender for Endpoint (MDE) detection engine, the solution now offers near real-time threat detection with improved visibility and response capabilities. A key feature, binary drift detection, flags binaries executed in a container that were not part of its original image, so unauthorized modifications are caught before they lead to a breach. Integration with Defender XDR centralizes alerts, providing comprehensive visibility and simplifying incident detection, investigation, and response. With cloud-native response actions and advanced hunting capabilities, SOC teams can address container threats with confidence, reducing risk and operational disruption across multi-cloud environments.

Learn more

Ready to elevate your container security? Try the new features firsthand with the scenario-driven alert simulator in your own containerized environments.

Alerts for Kubernetes Clusters - Microsoft Defender for Cloud | Microsoft Learn