
Incident response with Microsoft Azure – Superior Guide to IR

Incident response in the cloud

As we’ve already learned, an incident is a service disruption that impacts your customers and end users, regardless of where this is—be it a mobile device or the cloud! We’ve also learned that incidents can come in many different forms, ranging from performance slowdowns to system crashes or difficulties reaching your server or service!

When we look at the top cloud threats, you will notice the list is similar to the non-cloud theaters, since the cloud is, in reality, a data center that is managed by the cloud provider and your organization, depending on the service you are getting.

  • Public Secrets: Leaving secrets in open repositories like GitHub.
  • Misconfiguration: Similar to on-premises, not using the right settings might get your data exposed.
  • Exposed Endpoints: Open to brute-force attacks.
  • Account Hijacking: Since identity is the new perimeter, a hijacked account hands your access to the threat actors.
  • Resource Abuse: If you are an Infrastructure as a Service customer, a hacked service can be abused to consume your resources for crypto mining, to host malware command and control, or even to attack other resources using your IP and identity.

Building on these vulnerabilities, the cloud attack kill chain is structured as follows:

  1. Target and Attack, where threat actors can target your organization via inbound brute-force attacks, Remote Desktop Protocol (RDP) connections, and DDoS attacks.
  2. Once they are “in,” they will be at the Install and Exploit phase, which usually involves in-memory malware exploit attempts, process execution, lateral movement into your on-premises resources, or further reconnaissance.
  3. The final phase of the kill chain will be Post-breach, where the infected device or network starts communicating with the command and control center, and a compromised resource may be used to mount additional attacks.
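As an added example (not from the book), the following Python detection runs over constructed Windows Security logon events to flag the inbound RDP brute force of the Target and Attack phase, and to note whether a successful logon from the same source followed, which is the hand-off into Install and Exploit. The event format, IP addresses, account names and thresholds are constructed assumptions, not real telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry), one per line:
# "<UTC time> <EventID> <LogonType> <SourceIP> <Account>".
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
SAMPLE_EVENTS = """\
2021-03-01T08:00:01Z 4625 10 203.0.113.7 administrator
2021-03-01T08:00:03Z 4625 10 203.0.113.7 admin
2021-03-01T08:00:05Z 4625 10 203.0.113.7 sqladmin
2021-03-01T08:00:08Z 4625 10 203.0.113.7 backup
2021-03-01T08:00:10Z 4625 10 203.0.113.7 svc_deploy
2021-03-01T08:00:14Z 4624 10 203.0.113.7 svc_deploy
2021-03-01T08:05:00Z 4625 10 198.51.100.9 jdoe
2021-03-01T08:06:30Z 4624 10 198.51.100.9 jdoe
2021-03-01T09:00:00Z 4625 2 10.0.0.5 jdoe
"""

def parse_events(text):
    """Parse the constructed lines into (time, event_id, logon_type, ip, account) tuples, sorted by time."""
    out = []
    for line in text.splitlines():
        ts, eid, ltype, ip, acct = line.split()
        out.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), int(eid), int(ltype), ip, acct))
    return sorted(out)

def detect_rdp_brute_force(events, threshold=5, window=timedelta(minutes=1)):
    """Flag source IPs with >= threshold failed RDP logons inside one window.
    success_after marks a 4624 from the same IP after the burst, i.e. the
    hand-off from Target and Attack to Install and Exploit in the kill chain."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev[2] == 10:                      # RDP (RemoteInteractive) logons only
            by_ip[ev[3]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        fails = [ev for ev in evs if ev[1] == 4625]
        for i, first in enumerate(fails):
            burst = [f for f in fails[i:] if f[0] - first[0] <= window]
            if len(burst) < threshold:
                continue
            last_fail = burst[-1][0]
            findings[ip] = {
                "failures": len(burst),
                "accounts": {f[4] for f in burst},
                "success_after": any(ev[1] == 4624 and ev[0] > last_fail for ev in evs),
            }
            break
    return findings
```

With the constructed sample, only 203.0.113.7 is flagged (five failures across five accounts in nine seconds, followed by a success), while the single failure from 198.51.100.9 and the non-RDP failure from 10.0.0.5 stay below the threshold.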

To be able to stop any kind of attack, like one in your on-premises environment, you will need to enhance your Defense in Depth approach:


Figure 1: Defense in Depth cloud approach

As shown in the preceding diagram, this involves Platform Security as the foundation, supported by data center security, network protection, secure multi-tenancy, and encryption. The second layer is the Operational Security layer. This is where you set up access policies, perform your usual patching cycle, install anti-malware, conduct vulnerability scanning, follow operations security assurance, and implement the security development life cycle. The final layer is the Advanced Cyber Defense layer, where you should be able to prevent breaches with the “assume breach” mentality and implement security monitoring and cyber defense operations.

As long as you know that cloud security is a shared responsibility, you should not fear the cloud but embrace it. The 2020 COVID-19 pandemic showed us the importance of digital transformation and using the cloud, as well as leveraging unique security capabilities, implementing countermeasures for your security concerns, and, of course, incorporating IR measures in your cloud resources. This should give you peace of mind. As we mentioned earlier, security is a shared responsibility between you and your cloud provider.

There are a number of options you and your organization could implement, all of which we will cover in more detail in Chapter 11, Incident Response in the Cloud:

  • Infrastructure as a service (IaaS) will provide you with an infrastructure where you can create Virtual Machines (VMs) and virtual networks. Patching and securing your operating systems and software, as well as configuring your network so that it’s secure, will be your responsibility. Besides the operational advantages that come with this service, you don’t have to protect the physical parts of the network.
  • Platform as a service (PaaS) outsources several security concerns. The cloud provider takes care of the operating system and most of the foundational software, like database management systems.
  • Software as a service (SaaS) will allow you to outsource almost everything. SaaS is software that runs on internet infrastructure. The code is controlled by the vendor but configured to be used by the customer. Microsoft 365 and Google G Suite are just two of many examples.

The following diagram shows the security advantages of the cloud based on ideal security, the traditional approach that the organization takes, and the advantages that the cloud provides:


Figure 2: Security in the cloud era

Regardless of the cloud provider you select, ensure they have a solution that fits your organization, ideally with threat intelligence, anomaly detection, behavioral analysis, and penetration testing allowance services.

Microsoft Azure gets you started with security through Azure Security Center (ASC). ASC is a monitoring service that provides threat protection across all of your services, both on Azure and on-premises. ASC provides:

  • Security recommendations based on the configurations, resources, and networks you choose.
  • Security monitoring across on-premises and cloud workloads, and the capability to automatically apply required security to new services.
  • Automatic security assessments to identify potential vulnerabilities.
  • Machine learning capabilities to detect and block malware from being installed on your virtual machines and services.
  • Analysis and identification of potential inbound attacks.
  • Response to threats and any post-breach activity that might have occurred.
  • Just-in-time access control for ports. (This is a broad topic—you can learn more about this here:
ASC provides help during three initial IR stages: the detect, assess, and diagnose stages:

  • Detect: Review the first indication of an event investigation. The ASC dashboard can help you review alerts:

Figure 3: Microsoft Security Center Alerts

  • Assess: Perform the initial assessment to obtain more information about any suspicious activity. ASC allows you to obtain more information about the security alert:

Figure 4: Alerts details in Security Center

  • Diagnose: Conduct a technical investigation and identify any containment, mitigation, and workaround strategies. You can also use Azure Sentinel to investigate the case at hand:

Figure 5: Microsoft Sentinel IR

More on Microsoft’s IR services and protocols can be found here:

Information on Azure Sentinel, which can be deployed across the entire Azure product line, can be found here:

Choosing the right IR partner

So, what if your organization does not have any IR capabilities? Or, even if you have an IR team, you might want a partner to help you when you are in need. In this section, we will cover some of the partners you can turn to if you need them.

Most of them provide similar capabilities, so the following are some teams I have worked with in the past and can recommend without hesitation:
