# Cloud Security Engineer Learning Path
[TOC]
## AZ-500 Courses
:::info
* **Pluralsight** - [Microsoft Azure Security Technologies (AZ-500)](https://app.pluralsight.com/paths/certificate/microsoft-azure-security-technologies-az-500)
> :exclamation: **Please Note** that some courses appear as "Coming Soon" on the path page but are actually already available on the site and can be found using search.
* **Udemy** - [AZ-500: Microsoft Azure Security Technologies](https://www.udemy.com/course/exam-azure-2/)
* **Microsoft Learn**
> :exclamation: **Please Note** that this document is based in part on the learning paths listed below. The links to the paths themselves are provided for completeness' sake, but it's recommended to complete the individual Microsoft Learn modules that make up these paths in the order outlined here.
:::spoiler Learning Paths
* [Threat Modeling Security Fundamentals](https://docs.microsoft.com/en-us/learn/paths/tm-threat-modeling-fundamentals/)
* [Manage identity and access in Azure Active Directory](https://docs.microsoft.com/en-us/learn/paths/manage-identity-and-access/)
* [Implement resource management security in Azure](https://docs.microsoft.com/en-us/learn/paths/implement-resource-mgmt-security/)
* [Implement network security in Azure](https://docs.microsoft.com/en-us/learn/paths/implement-network-security/)
* [Implement virtual machine host security in Azure](https://docs.microsoft.com/en-us/learn/paths/implement-host-security/)
* [Manage security operations in Azure](https://docs.microsoft.com/en-us/learn/paths/manage-security-operations/)
* [Secure your cloud applications in Azure](https://docs.microsoft.com/en-us/learn/paths/secure-your-cloud-apps/)
:::
:::
## Microsoft Cloud for Enterprise Architects Series
#### Identity
{%pdf https://download.microsoft.com/download/2/3/8/238228E6-9017-4F6C-BD3C-5559E6708F82/MSFT_cloud_architecture_identity.pdf %}
#### Security
{%pdf https://download.microsoft.com/download/6/D/F/6DFD7614-BBCF-4572-A871-E446B8CF5D79/MSFT_cloud_architecture_security.pdf %}
#### Networking
{%pdf https://docs.microsoft.com/en-us/office365/enterprise/Media/Network-Poster/MSFT_cloud_architecture_networking.pdf %}
#### Hybrid Cloud
{%pdf https://docs.microsoft.com/en-us/office365/enterprise/Media/Hybrid-Poster/MSFT_cloud_architecture_hybrid.pdf %}
## :one: Azure Fundamentals
- [x] [Cloud Concepts - Principles of cloud computing](https://docs.microsoft.com/en-us/learn/modules/principles-cloud-computing/) - 1 hr 2 min
- [x] [Create an Azure account](https://docs.microsoft.com/en-us/learn/modules/create-an-azure-account/) - 39 min
- [x] [Core Cloud Services - Introduction to Azure](https://docs.microsoft.com/en-us/learn/modules/welcome-to-azure/) - 36 min
- [x] [Core Cloud Services - Azure architecture and service guarantees](https://docs.microsoft.com/en-us/learn/modules/explore-azure-infrastructure/) - 45 min
- [x] [Core Cloud Services - Manage services with the Azure portal](https://docs.microsoft.com/en-us/learn/modules/tour-azure-portal/) - 1 hr 13 min
- [x] [Core Cloud Services - Azure compute options](https://docs.microsoft.com/en-us/learn/modules/intro-to-azure-compute/) - 38 min
- [x] [Core Cloud Services - Azure data storage options](https://docs.microsoft.com/en-us/learn/modules/intro-to-data-in-azure/) - 25 min
- [x] ~~[Core Cloud Services - Azure networking options](https://docs.microsoft.com/en-us/learn/modules/intro-to-azure-networking/) - 28 min~~
- [x] [Security, responsibility, and trust in Azure](https://docs.microsoft.com/en-us/learn/modules/intro-to-security-in-azure/) - 1 hr 16 min
- [x] [Apply and monitor infrastructure standards with Azure Policy](https://docs.microsoft.com/en-us/learn/modules/intro-to-governance/) - 46 min
- [x] [Control and organize Azure resources with Azure Resource Manager](https://docs.microsoft.com/en-us/learn/modules/control-and-organize-with-azure-resource-manager/) - 46 min
- [x] [Predict costs and optimize spending for Azure](https://docs.microsoft.com/en-us/learn/modules/predict-costs-and-optimize-spending/) - 1 hr 14 min
## :one: Implement resource management security in Azure
- [x] [Secure your Azure resources with role-based access control (RBAC)](https://docs.microsoft.com/en-us/learn/modules/secure-azure-resources-with-rbac/) - 37 min
- [x] [Manage access to an Azure subscription by using Azure role-based access control (RBAC)](https://docs.microsoft.com/en-us/learn/modules/manage-subscription-access-azure-rbac/) - 21 min
- [x] [Create custom roles for Azure resources with role-based access control (RBAC)](https://docs.microsoft.com/en-us/learn/modules/create-custom-azure-roles-with-rbac/) - 30 min
:::info
### Additional Reading
- [ ] [RBAC](https://docs.microsoft.com/en-us/azure/role-based-access-control/overview)
- [ ] [Azure Policy](https://docs.microsoft.com/en-us/azure/governance/policy/overview)
:::
## :one: Architect secure infrastructure in Azure
- [x] [Resolve security threats with Azure Security Center](https://docs.microsoft.com/en-us/learn/modules/resolve-threats-with-azure-security-center/) - 44 min
- [x] [Secure your Azure virtual machine disks](https://docs.microsoft.com/en-us/learn/modules/secure-your-azure-virtual-machine-disks/) - 59 min
- [x] [Manage secrets in your server apps with Azure Key Vault](https://docs.microsoft.com/en-us/learn/modules/manage-secrets-with-azure-key-vault/) - 46 min
- [x] [Introduction to securing data at rest on Azure](https://docs.microsoft.com/en-us/learn/modules/secure-data-at-rest/) - 30 min
- [x] ~~[Secure your Azure SQL Database](https://docs.microsoft.com/en-us/learn/modules/secure-your-azure-sql-database/) - 1 hr 7 min~~
- [x] [Monitor and report on security events in Azure AD](https://docs.microsoft.com/en-us/learn/modules/monitor-report-aad-security-events/) - 35 min
:::info
### Additional Reading
- [ ] [Security Center](https://docs.microsoft.com/en-us/azure/security-center/security-center-intro)
- [ ] [Key Vault](https://docs.microsoft.com/en-us/azure/key-vault/basic-concepts)
- [ ] Data Protection
    - [ ] [Secure and use policies on virtual machines in Azure](https://docs.microsoft.com/en-us/azure/virtual-machines/windows/security-policy)
    - [x] [Azure Storage encryption for data at rest](https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption)
    - [ ] [Data Protection](https://go.microsoft.com/fwlink/?LinkID=398382&clcid=0x409)
    {%pdf https://go.microsoft.com/fwlink/?LinkID=398382&clcid=0x409 %}
- [ ] [Isolation in the Azure Public Cloud](https://docs.microsoft.com/en-us/azure/security/fundamentals/isolation-choices)
- [ ] [Virtual machine isolation in Azure](https://docs.microsoft.com/en-us/azure/virtual-machines/windows/isolation)
- [ ] [Guarded fabric and shielded VMs](https://docs.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms)
- [ ] [Nested Virtualization in Azure](https://azure.microsoft.com/en-us/blog/nested-virtualization-in-azure/)
:::
## :three: Secure your cloud data
- [x] ~~[Top 5 security items to consider before pushing to production](https://docs.microsoft.com/en-us/learn/modules/top-5-security-items-to-consider/) - 45 min~~
- [x] ~~[Configure security policies to manage data](https://docs.microsoft.com/en-us/learn/modules/configure-security-policies-to-manage-data/) - 39 min~~
- [x] [Secure your Azure Storage account](https://docs.microsoft.com/en-us/learn/modules/secure-azure-storage-account/) - 45 min
- [x] ~~[Configure and manage secrets in Azure Key Vault](https://docs.microsoft.com/en-us/learn/modules/configure-and-manage-azure-key-vault/) - 25 min~~
#### Secure Key Management in the Cloud
- [x] Completed - 53 min
> As workflows scale out to the cloud, key management strategies are also being updated to take advantage of cloud-based key management services such as Azure KeyVault, Cloud KMS and AWS Key Management Service (KMS). Using a cloud-based key management service allows corporations to create and control the encryption keys used to encrypt your data, and uses Hardware Security Modules (HSMs) to protect their keys, all in a centralized cloud environment. This is a radical shift from the on-premise model where key managers were locked and device-level HSMs were employed. This talk discusses the pros/cons, use-cases from the industry (e.g. media and entertainment), reference architectures, and strategic/tactical recommendations on how to secure cloud-based key management implementations.
>
{%youtube 1_Cy0BdcP_Q %}
---
:::info
### Additional Reading
:::
## :one: Architect network infrastructure in Azure
- [x] [Connect your on-premises network to Azure with VPN Gateway](https://docs.microsoft.com/en-us/learn/modules/connect-on-premises-network-with-vpn-gateway/) - 39 min
- [x] [Connect your on-premises network to the Microsoft global network by using ExpressRoute](https://docs.microsoft.com/en-us/learn/modules/connect-on-premises-network-with-expressroute/) - 40 min
- [x] [Secure and isolate access to Azure resources by using network security groups and service endpoints](https://docs.microsoft.com/en-us/learn/modules/secure-and-isolate-with-nsg-and-service-endpoints/) - 43 min
- [x] ~~[Distribute your services across Azure virtual networks and integrate them by using virtual network peering](https://docs.microsoft.com/en-us/learn/modules/integrate-vnets-with-vnet-peering/) - 42 min~~
- [x] ~~[Enhance your service availability and data locality by using Azure Traffic Manager](https://docs.microsoft.com/en-us/learn/modules/distribute-load-with-traffic-manager/) - 29 min~~
- [x] ~~[Improve application scalability and resiliency by using Azure Load Balancer](https://docs.microsoft.com/en-us/learn/modules/improve-app-scalability-resiliency-with-load-balancer/) - 47 min~~
- [x] ~~[Load balance your web service traffic with Application Gateway](https://docs.microsoft.com/en-us/learn/modules/load-balance-web-traffic-with-application-gateway/) - 1 hr 32 min~~
- [x] [Manage and control traffic flow in your Azure deployment with routes](https://docs.microsoft.com/en-us/learn/modules/control-network-traffic-flow-with-routes/) - 50 min
- [x] ~~[Design an IP addressing schema for your Azure deployment](https://docs.microsoft.com/en-us/learn/modules/design-ip-addressing-for-azure/) - 37 min~~
- [x] [Design a hybrid network architecture on Azure](https://docs.microsoft.com/en-us/learn/modules/design-a-hybrid-network-architecture/) - 47 min
- [x] [Centralize your core services by using hub and spoke Azure virtual network architecture](https://docs.microsoft.com/en-us/learn/modules/hub-and-spoke-network-architecture/) - 36 min
- [x] [Monitor and troubleshoot your end-to-end Azure network infrastructure by using network monitoring tools](https://docs.microsoft.com/en-us/learn/modules/troubleshoot-azure-network-infrastructure/) - 37 min
:::info
### Additional Reading
- [ ] [Application Gateway](https://docs.microsoft.com/en-us/azure/application-gateway/overview)
- [ ] [VPN Gateway](https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways)
- [ ] [ExpressRoute](https://docs.microsoft.com/en-us/azure/expressroute/expressroute-introduction)
- [ ] [Hub-Spoke Topology](https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke)
- [ ] [Secure Hybrid Network](https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/dmz/secure-vnet-dmz)
- [ ] [Site to Site VPN over Microsoft peering](https://docs.microsoft.com/en-us/azure/expressroute/site-to-site-vpn-over-microsoft-peering)
- [ ] [Network Watcher](https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview)
- [x] [Azure Private Link vs Azure Service Endpoints](https://sameeraman.wordpress.com/2019/10/30/azure-private-link-vs-azure-service-endpoints/)
- [ ] [Virtual Network service endpoints](https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-service-endpoints-overview)
- [x] [Private Link](https://docs.microsoft.com/en-us/azure/private-link/private-link-overview)
:::
## :one: Implement network security in Azure
- [ ] [Configure the network for your virtual machines](https://docs.microsoft.com/en-us/learn/modules/configure-network-for-azure-virtual-machines/) - 1 hr 34 min
- [ ] [Encrypt network traffic end to end with Azure Application Gateway](https://docs.microsoft.com/en-us/learn/modules/end-to-end-encryption-with-app-gateway/) - 1 hr 17 min
:::info
### Additional Reading
- [ ] [Azure Security Fundamentals](https://docs.microsoft.com/en-us/azure/security/fundamentals/overview)
- [ ] [Network Security Groups](https://docs.microsoft.com/en-us/azure/virtual-network/security-overview)
- [ ] Secure Access
    - [ ] [Bastion](https://docs.microsoft.com/en-us/azure/bastion/bastion-overview)
    - [x] [Why A Bastion Host Is Necessary For Remote VM Administration](https://aidanfinn.com/?p=21748)
    - [ ] [How to Manage Windows Virtual Desktop Azure Virtual Machines secure with Azure Bastion](https://christiaanbrinkhoff.com/2019/07/11/manage-windows-virtual-desktop-virtual-machines-easy-and-secure-with-the-new-azure-bastion-platform-service/)
    - [ ] [Windows Virtual Desktop](https://docs.microsoft.com/en-us/azure/virtual-desktop/overview)
    - [x] ~~[Windows Virtual Desktop (WVD) vs. traditional RDS or VDI](https://www.itpromentor.com/what-is-wvd/)~~
- [ ] Network Isolation
    - [ ] [Network Isolation Options for Machines in Windows Azure Virtual Networks](https://azure.microsoft.com/en-us/blog/network-isolation-options-for-machines-in-windows-azure-virtual-networks/)
:::
## :one: Azure Core
#### Inside Microsoft Azure datacenter hardware and architecture
- [ ] [Slides](https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!3026&ithint=file%2cpptx&authkey=!AMPEqhHkZ71-ByM)
{%youtube Lv8fDiTNHjk %}
---
#### Don’t Let Your Virtualization Fabric Become the Attack Vector
- [ ] Completed
> Witness a whipper-snapper of an admin conduct a series of progressively more sneaky attacks against unsuspecting & ill-prepared virtualized workloads. Little did the whipper-snapper know, this was a guarded Hyper-V host--and guarded hosts come pre-loaded with anti-whipper-snapper technology. Stated another way: watch as Hyper-V defends itself against a series of fabric-level attacks by leveraging Windows Server 2016's remote attestation, key protection/release, hypervisor-enforced code integrity and shielded virtual machine technologies.
>
{%slideshare MSbluehat/dont-let-your-virtualization-fabric-become-the-attack-vector %}
:::spoiler video recording
{%youtube 5dxdNkbPMmA %}
:::
---
#### Born Secure. How to Design A Brand New Cloud Platform With A Strong Security Posture
- [ ] Completed
> What if you could design a sealed, cloud infrastructure starting from a clean slate? What security posture would you adopt? This is the opportunity we had with Azure Stack! Starting from the assumption that the first "enemy" to protect from is the Administrator, we designed a tightly constrained management experience, protected by a military-grade OS security baseline, multiple levels of network ACLs and the latest encryption standards. In this talk, we discuss the security posture of Azure Stack and how we built the security principles of Assume Breach and Hardened by Default directly into the architecture of the cloud infrastructure. We will also describe the security assumptions we took, and how those heavily impacted the overall design of the on-prem cloud platform that analysts defined as Microsoft’s secret weapon in the cloud war.
>
{%slideshare MSbluehat/born-secure-how-to-design-a-brand-new-cloud-platform-with-a-strong-security-posture %}
:::spoiler video recording
{%youtube faBdhyZjAZ4 %}
:::
:::info
### Additional Reading
- [ ] [Azure infrastructure security](https://docs.microsoft.com/en-us/azure/security/fundamentals/infrastructure)
- [ ] Azure secure foundation
    - [ ] [Azure’s layered approach to physical security](https://azure.microsoft.com/en-us/blog/azure-layered-approach-to-physical-security/)
    - [ ] [The 3 ways Azure improves your security](https://azure.microsoft.com/en-us/blog/the-3-ways-azure-improves-your-security/)
    - [ ] [3 reasons why Azure’s infrastructure is secure](https://azure.microsoft.com/en-us/blog/3-reasons-why-azure-s-infrastructure-is-secure/)
    - [ ] [Four operational practices Microsoft uses to secure the Azure platform](https://azure.microsoft.com/en-us/blog/four-operational-practices-microsoft-uses-to-secure-the-azure-platform/)
- [ ] Azure Stack
    - [ ] [Custom Data Sovereignty & Data Gravity Requirements](https://docs.microsoft.com/en-us/azure/architecture/solution-ideas/articles/data-sovereignty-and-gravity)
    - [ ] [Data Residency and Sovereignty in Azure](https://dzone.com/articles/data-residency-and-sovereignty-in-azure)
    - [ ] Azure Stack: An extension of Azure
    {%pdf https://azure.microsoft.com/en-us/resources/azure-stack-an-extension-of-azure/ %}
    - [ ] [Stack HCI](https://docs.microsoft.com/en-us/azure-stack/hci/overview)
    - [ ] [Stack Hub](https://docs.microsoft.com/en-us/azure-stack/operator/azure-stack-overview?view=azs-2002)
- [ ] [Service Fabric](https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-overview)
- [ ] [Azure Government](https://docs.microsoft.com/en-us/azure/azure-government/documentation-government-welcome)
:::
## :one: P1 Cloud Vulnerabilities & Attacks
#### Hacking the Cloud
> You know the ins and outs of pivoting through your target's domains. You've had the KRBTGT hash for months and laid everything bare. Or have you?
>
> More targets today have some or all of their infrastructure in the cloud. Do you know how to follow once the path leads there? Red teams and penetration testers need to think beyond the traditional network boundaries and follow the data and services they are after. This talk will focus on how to take domain access and leverage internal access as a ticket to your target's cloud deployments.
>
> We will also discuss round trip flights from cloud to on-premises targets and what authorizations are required to access your target's cloud deployments. While this talk is largely focused on Microsoft Azure implementations, the concepts can be applied to most cloud providers.
>
{%pdf https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEF%20CON%2025%20-%20Gerald-Steere-and-Sean-Metcalf-Hacking-the-Cloud-UPDATED.pdf %}
:::spoiler video recording
{%youtube LufXEPTlPak %}
:::
---
#### Hybrid Cloud Seeding
{%youtube uMeKogRyOPQ %}
> TODO: Add summary
>
---
#### Insane in the Mainframe Taking Control of Azure Security
{%youtube sNZXV2Jb-RE %}
> TODO: Add summary
>
---
#### Security in AWS, Azure, Google, Oracle and IBM is cloudy
{%youtube m31v38JOrn8 %}
> TODO: Add summary
>
---
#### Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform Capabilities
:::spoiler Abstract
> Until recently, major public cloud providers have offered relatively basic toolsets for identifying suspicious activity occurring inside customer accounts that may indicate a compromise. Some organizations have invested significant resources to build their own tools or have leveraged industry vendor offerings to provide this visibility. The reality is, that barrier has meant that a large number of organizations haven't dedicated those resources to this problem and therefore operate without sufficient detection and response capabilities that monitor their cloud accounts for compromise.
>
> Amazon Web Services, Google Cloud Platform, and Microsoft Azure have recently launched a new set of native platform threat and anomalous behavior detection services to help their customers better identify and respond to certain issues and activities occurring inside their cloud accounts. From detecting crypto-currency mining to identifying bot-infected systems to alerting on suspicious cloud credential usage to triggering on cloud-specific methods of data exfiltration, these new services aim to make these kinds of detections much easier and simpler to centrally manage.
>
> But what new and unique insights do they offer? What configuration is required to achieve the full benefits of these detections? What types of activities are not yet covered? What attack methods and techniques can avoid detection by these systems and still be successful? What practical guidelines can be followed to make the best use of these services in an organization?
>
> Follow along as we attempt to answer these questions using practical demonstrations that highlight the real threats facing cloud account owners and how the new threat detection capabilities perform in reducing the risks of operating workloads in the public cloud.
>
:::
{%pdf http://i.blackhat.com/us-18/Thu-August-9/us-18-Geesaman-Detecting-Malicious-Cloud-Account-Behavior-A-Look-At-The-New-Native-Platform-Capabilities.pdf %}
:::spoiler video recording
{%youtube MEnsL_qsbfE %}
:::
---
{%speakerdeck tweekfawkes/blue-cloud-of-death-red-teaming-azure-saintcon %}
> TODO: Add summary
>
---
#### I'm In Your Cloud... Pwning Your Azure Environment
> After having compromised on-premise for many years, there is now also the cloud! Now your configuration mistakes can be accessed by anyone on the internet, without that fancy next-gen firewall saving you. With this talk I'll share my current research on Azure privileges, vulnerabilities and what attackers can do once they gain access to your cloud, or how they can abuse your on-premise cloud components. We start with becoming Domain Admin by compromising Azure AD Sync, sync vulnerabilities that allow for Azure admin account takeover and insecure Single Sign On configurations. Up next is cloud roles and privileges, backdooring Azure AD with service accounts, escalating privileges as limited admin and getting past MFA without touching someone's phone. Then we finish with cloud integrations, also known as "how a developer can destroy your whole infrastructure with a single commit": Exploring Azure DevOps, backdooring build pipelines, dumping credentials and compromising Azure Resource Manager through connected services. Besides all the fun we'll also look into how this translates into the questions you should ask yourself before moving things to the cloud and how this differs from on-premise.
>
{%pdf https://media.defcon.org/DEF%20CON%2027/DEF%20CON%2027%20presentations/DEFCON-27-Dirk-jan-Mollema-Im-in-your-cloud-pwning-your-azure-environment.pdf %}
:::spoiler video recording
{%youtube xei8lAPitX8 %}
:::
---
#### I'm in your cloud: A year of hacking Azure AD
> How does one research the cloud? With solutions such as Azure AD and Office 365, the underlying platform architecture and designs are not publicly documented or accessible in the same way as on-premise. This makes analyzing the security of the platform harder for external researchers. In this talk I will explain the journey and discoveries of a year of trying to understand Azure AD, including the vulnerabilities discovered in the process. This ranges from gathering information about Azure AD via undocumented APIs to installing invisible backdoors and escalating privileges via limited roles or via the link with on-premise. While some of these vulnerabilities have been resolved, several of these are unintended consequences of Azure AD's architecture and thus are important to consider when evaluating the security of your Azure AD environment. A basic understanding of Azure AD, Office 365 and its terminology is assumed for this talk.
>
{%slideshare MSbluehat/bluehat-seattle-2019-im-in-your-cloud-a-year-of-hacking-azure-ad %}
:::spoiler video recording
{%youtube fpUZJxFK72k %}
:::
---
#### A Penetration Tester's Guide to the Azure Cloud
> The wide adoption and the benefits of cloud computing has led many users and enterprises to move their applications and infrastructure towards the Cloud. However, the nature of the Cloud introduces new security challenges, therefore organizations are required to ensure that such hosted deployments do not expose them to additional risk. Auditing cloud services has become an essential task and, in order to carry out such assessments, familiarization with certain components of the target environments is required. This talk will provide insight into the Microsoft Azure Cloud service and present practical advice on performing security assessments on Azure-hosted deployments. More specifically, it will demystify the main components of a cloud service and dive further into Azure-specific features. The main security controls and configurations associated with each of the mainstream Azure components will also be explored. Areas that will be covered include role-based security, secure networking features, perimeter security, encryption capability, auditing, and monitoring of activities within the Azure Cloud environment. Additionally, the talk will include the demonstration of a new tool that uses the Azure PowerShell cmdlets to collect verbose information about the main components within a deployment. The tool also provides functionality to visualize the components within a network infrastructure using an interactive representation of the topology and the associations between the deployment's components.
>
{%pdf https://labs.f-secure.com/assets/BlogFiles/mwri-a-penetration-testers-guide-to-the-azure-cloud-v1.2.pdf %}
:::spoiler video recording
{%youtube ge6gJkb3nXE %}
:::
---
#### Adventures in Azure Privilege Escalation
> With the increase in hybrid cloud adoption, that extends traditional active directory domain environments into Azure, penetration tests and red team assessments are more frequently bringing Azure tenants into the engagement scope. Attackers are often finding themselves with an initial foothold in Azure, but lacking in ideas on what an escalation path would look like. This talk will cover some of the common initial access vectors in Azure, along with a handful of escalation paths for getting full control over an Azure tenant. In addition to this, we will cover some techniques for maintaining that privileged access after an initial escalation. Finally, we will cover some of the tools that will help identify and exploit the issues outlined in this talk.
>
{%pdf https://notpayloads.blob.core.windows.net/slides/Azure-PrivEsc-DerbyCon9.pdf %}
:::spoiler video recording
{%youtube EYtw-XPml0w %}
:::
---
#### Azure Sentinel - A first look at Microsoft's SIEM Solution
> A fun walk-through of what's great and what's not-so-great about the brand new Azure Sentinel SIEM. This will be based on my real-world experience deploying this solution into my organization's hybrid-cloud infrastructure. I'll show you what it was like to set up data collection, security alerts, and automation. What did Microsoft get right and what did they get wrong? Let's talk about it.
>
[Slides](https://drive.google.com/file/d/1kshd6Qq1fhdvKmIrrS6tGpwc7AgMPP_Y/view)
{%youtube hejkFDTdLRs %}
---
#### NSA CSI - Mitigating Cloud Vulnerabilities Guidance
:::spoiler Abstract
> While careful cloud adoption can enhance an organization’s security posture, cloud services can introduce risks that organizations should understand and address both during the procurement process and while operating in the cloud. Fully evaluating security implications when shifting resources to the cloud will help ensure continued resource availability and reduce risk of sensitive information exposures. To implement effective mitigations, organizations should consider cyber risks to cloud resources, just as they would in an on-premises environment.
>
> This document divides cloud vulnerabilities into four classes (misconfiguration, poor access control, shared tenancy vulnerabilities, and supply chain vulnerabilities) that encompass the vast majority of known vulnerabilities. Cloud customers have a critical role in mitigating misconfiguration and poor access control, but can also take actions to protect cloud resources from the exploitation of shared tenancy and supply chain vulnerabilities. Descriptions of each vulnerability class along with the most effective mitigations are provided to help organizations lock down their cloud resources. By taking a risk-based approach to cloud adoption, organizations can securely benefit from the cloud’s extensive capabilities.
>
> This guidance is intended for use by both organizational leadership and technical staff. Organizational leadership can refer to the Cloud Components section, Cloud Threat Actors section, and the Cloud Vulnerabilities and Mitigations overview to gain perspective on cloud security principles. Technical and security professionals should find the document helpful for addressing cloud security considerations during and after cloud service procurement.
>
:::
{%pdf https://media.defense.gov/2020/Jan/22/2002237484/-1/-1/0/CSI-MITIGATING-CLOUD-VULNERABILITIES_20200121.PDF %}
---
- [ ] [BlackDirect: Microsoft Azure Account Takeover](https://www.cyberark.com/threat-research-blog/blackdirect-microsoft-azure-account-takeover/)
- [ ] [I Know What Azure Did Last Summer](https://www.cyberark.com/threat-research-blog/i-know-what-azure-did-last-summer/)
---
#### Remote Cloud Execution – Critical Vulnerabilities in Azure Cloud Infrastructure
* [Part 1](https://research.checkpoint.com/2020/remote-cloud-execution-critical-vulnerabilities-in-azure-cloud-infrastructure-part-i/)
* [Part 2](https://research.checkpoint.com/2020/remote-cloud-execution-critical-vulnerabilities-in-azure-cloud-infrastructure-part-ii/)
---
{%youtube zzP3HSWyu4M %}
---
[From Azure AD to Active Directory (via Azure) – An Unanticipated Attack Path](https://adsecurity.org/?p=4277)
> While Azure leverages Azure Active Directory for some things, Azure AD roles don’t directly affect Azure (or Azure RBAC) typically. This article details a known configuration (at least to those who have dug into Azure AD configuration options) where it’s possible for a Global Administrator (aka Company Administrator) in Azure Active Directory to gain control of Azure through a tenant option. This is “by design” as a “break-glass” (emergency) option that can be used to (re)gain Azure admin rights if such access is lost.
> In this post I explore the danger associated with this option as it is currently configured (as of May 2020).
>
> :::spoiler More details
> The key takeaway here is that if you don’t carefully protect and control Global Administrator role membership and associated accounts, you could lose positive control of systems hosted in all Azure subscriptions as well as Office 365 service data.
>
> The customer is hosting on-premises Active Directory Domain Controllers in the Azure cloud. The customer also has Office 365 with admin accounts that are not appropriately protected.
>
> The attacker password sprays the company’s accounts and identifies the password for an Office 365 Global Administrator. With this account, the attacker pivots to Azure and runs PowerShell on the Azure VM which hosts the company’s on-prem Active Directory Domain Controllers. The PowerShell command can update the domain Administrators group in Active Directory or even dump the krbtgt password hash which enables the attacker to create Kerberos Golden Tickets offline and then use forged Kerberos TGT authentication tickets against the on-prem AD environment to access any resource.
> :::
>
---
## :one: Threat Modeling Fundamentals
- [x] [Introduction to threat modeling](https://docs.microsoft.com/en-us/learn/modules/tm-introduction-to-threat-modeling/) - 25 min
- [x] [Create a threat model using foundational data-flow diagram elements](https://docs.microsoft.com/en-us/learn/modules/tm-create-a-threat-model-using-foundational-data-flow-diagram-elements/) - 42 min
- [x] [Provide context with the right depth layer](https://docs.microsoft.com/en-us/learn/modules/tm-provide-context-with-the-right-depth-layer/) - 26 min
- [x] [Approach your data-flow diagram with the right threat model focus](https://docs.microsoft.com/en-us/learn/modules/tm-approach-your-data-flow-diagram-with-the-right-threat-model-focus/) - 8 min
- [x] [Use a framework to identify threats and find ways to reduce or eliminate risk](https://docs.microsoft.com/en-us/learn/modules/tm-use-a-framework-to-identify-threats-and-find-ways-to-reduce-or-eliminate-risk/) - 57 min
- [x] [Prioritize your issues and apply security controls](https://docs.microsoft.com/en-us/learn/modules/tm-prioritize-your-issues-and-apply-security-controls/) - 14 min
- [x] [Use recommended tools to create a data-flow diagram](https://docs.microsoft.com/en-us/learn/modules/tm-use-recommended-tools-to-create-a-data-flow-diagram/) - 18 min
:::info
### Additional Reading
- [ ] [Threat Modeling: What, Why, and How?](https://misti.com/infosec-insider/threat-modeling-what-why-and-how)
- [ ] Threat Modeling in the Enterprise
- [ ] [Part 1: Understanding the Basics](https://securityintelligence.com/threat-modeling-in-the-enterprise-part-1-understanding-the-basics/)
- [ ] [Part 2: Understanding the Process](https://securityintelligence.com/threat-modeling-in-the-enterprise-part-2-understanding-the-process/)
- [ ] [Part 3: Understanding the Context](https://securityintelligence.com/threat-modeling-in-the-enterprise-part-3-understanding-the-context/)
- [ ] [DNS Security: Threat Modeling DNSSEC, DoT, and DoH](https://www.netmeister.org/blog/doh-dot-dnssec.html)
- [ ] [Threat Modeling: 12 Available Methods](https://insights.sei.cmu.edu/sei_blog/2018/12/threat-modeling-12-available-methods.html)
:::
## :two: Implement virtual machine host security in Azure
- [ ] [Design for security in Azure](https://docs.microsoft.com/en-us/learn/modules/design-for-security-in-azure/) - 1 hr 2 min
- [ ] [Create security baselines](https://docs.microsoft.com/en-us/learn/modules/create-security-baselines/) - 1 hr
- [ ] [Create a Linux virtual machine in Azure](https://docs.microsoft.com/en-us/learn/modules/create-linux-virtual-machine-in-azure/) - 1 hr 26 min
- [ ] [Create a Windows virtual machine in Azure](https://docs.microsoft.com/en-us/learn/modules/create-windows-virtual-machine-in-azure/) - 51 min
- [ ] [Protect your servers and VMs from brute-force and malware attacks with Azure Security Center](https://docs.microsoft.com/en-us/learn/modules/secure-vms-with-azure-security-center/) - 44 min
:::info
### Additional Reading
- [ ] [Azure Advanced Threat Protection (ATP)](https://docs.microsoft.com/en-us/azure-advanced-threat-protection/what-is-atp)
:::
## :two: P2 Cloud Vulnerabilities & Attacks
#### Secure Use of Cloud Storage
> Cloud storage systems like Microsoft's Windows Azure Storage and Amazon's Simple Storage Service allow web sites and services to cheaply store large amounts of data and make it available in a controlled manner. However, as with traditional methods of data storage and retrieval (such as SQL-based relational databases), application authors must take care to use cloud storage systems correctly to avoid unauthorized data access or tampering. This presentation will cover a variety of attacks on applications using cloud storage, such as enumeration and REST/SOAP injection, to show how the same effects as a SQL injection attack may be realized on an application using a cloud storage system, as well as how developers can protect themselves from these attacks.
>
{%pdf https://media.blackhat.com/bh-us-10/presentations/Bugher/BlackHat-USA-2010-Bugher-Secure-Use-of-Cloud-Storage-slides.pdf %}
:::spoiler Whitepaper
{%pdf https://media.blackhat.com/bh-us-10/whitepapers/Bugher/BlackHat-USA-2010-Bugher-Secure-Use-of-Cloud-Storage-wp.pdf %}
:::
---
:::spoiler Hardening AWS Environments and Automating Incident Response for AWS Compromises
:::info
#### Hardening AWS Environments and Automating Incident Response for AWS Compromises
> Incident Response procedures differ in the cloud versus when performed in traditional, on-premise, environments. The cloud offers the ability to respond to an incident by programmatically collecting evidence and quarantining instances but with this programmatic ability comes the risk of a compromised API key. The risk of a compromised key can be mitigated but proper configuration and monitoring must be in place.
>
> The talk discusses the paradigm of Incident Response in the cloud and introduces tools to automate the collection of forensic evidence of a compromised host. It highlights the need to properly configure an AWS environment and provides a tool to aid the configuration process.
>
> Cloud IR: How is it Different?
>
> Incident response in the cloud is performed differently than when performed in on-premise systems. Specifically, in a cloud environment you can not walk up to the physical asset, clone the drive with a write-blocker, or perform any action that requires hands on time with the system in question. Incident response best practices advise following predefined practiced procedures when dealing with a security incident, but organizations moving infrastructure to the cloud may fail to realize the procedural differences in obtaining forensic evidence. Furthermore, while cloud providers produce documents on handling incident response in the cloud, these documents fail to address the newly released features or services that can aid incident response or help harden cloud infrastructure. (1.)
>
> A survey of AWS facilities for automation around IR
>
> The same features in cloud platforms that create the ability to globally deploy workloads in the blink of an eye can also add to ease of incident handling. An AWS user may establish API keys to use the AWS SDK to programmatically add or remove resources to an environment, scaling on demand. A savvy incident responder can use the same AWS SDK, or (the AWS command line tools) to leverage cloud services to facilitate the collection of evidence. For example, using the AWS command line tools or the AWS SDK, a user can programmatically image the disk of a compromised machine with a single call. However, the power of the AWS SDK introduces a new threat in the event of an API key compromise.
>
> Increased Attack Surface via Convenience ( Walk through some compromise scenarios to illustrate )
>
> There are many stories of users accidentally uploading their AWS keys to GitHub or another sharing service and then having to fight to regain control of the AWS account while their bill skyrockets. (2. 3.) And while these stories are sensational, they are preventable by placing limits on a cloud account directly. More concerning is the risk of a compromised key being used to access private data. A compromised API key without restrictions could access managed database, storage, or code repository services, to name a few. (4.) While the API key itself may not be used to access a targeted box, it is possible to use that key to clone a targeted box, and relaunch it with an attacker's SSH key, giving the attacker full access to the newly instantiated clone. While the consequences of a compromised API key can be dire, the risks can be substantially mitigated with proper configuration and monitoring.
>
> Hardening of AWS Infrastructure
>
> AWS environments can be hardened by following traditional security best practices and leveraging AWS services. AWS Services like CloudTrail and Config should be used to monitor and configure an AWS environment. CloudTrail provides logging of AWS API invocations tied to a specific API key. AWS Config provides historical insight into the configuration of AWS resources including users and the permissions granted in their policies.
>
> API keys associated with AWS accounts should be delegated according to least privilege and therefore have the fewest permissions granted in their policies as possible. Furthermore, API keys should be tightened to restrict access only to the resources they need. Managing these policies is made easier by the group and role constructs provided by AWS IAM, but it still leaves the user having to understand each of the 195 policies currently recognized by IAM.
>
> Introduction of Tools
>
> We present custom tooling so the entire incident response process can be automated based on certain triggers within the AWS account. With very little configuration users could detect a security incident, acquire memory, take snapshots of disk images, quarantine, and have it presented to an examiner workstation all in the time it takes to get a cup of coffee.
>
> Additional tooling is presented to aid in the recovery of an AWS account should an AWS key be compromised. The tool attempts to rotate compromised keys, identify and remove rogue EC2 instances and produce a report with next steps for the user.
>
> Finally, we present a tool that examines an existing AWS environment and aids in configuring that environment to a hardened state. The tool recommends services to enable, permissions to remove from user accounts, and metrics to collect.
>
> We discuss Incident Response in the cloud and introduce tools to automate the collection of forensic evidence of a compromised host. We highlight the need to properly configure an AWS environment and provide tools to aid the configuration process.
>
{%pdf https://www.blackhat.com/docs/us-16/materials/us-16-Krug-Hardening-AWS-Environments-And-Automating-Incident-Response-For-AWS-Compromises.pdf %}
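The abstract above makes the point that CloudTrail ties every API invocation to the access key that made it, which is what lets a responder tell a leaked key apart from normal automation. The script below is an added example, not code from the talk or from the ThreatResponse tooling: it reads CloudTrail records in the layout CloudTrail writes to S3 (`Records` array, `userIdentity.accessKeyId`, `eventSource`, `eventName`, `sourceIPAddress`), groups calls per key, and flags a key that is both used from outside a trusted network and invoking the calls needed to clone a box or persist (the scenario the abstract describes). The log records, the trusted network range and the key IDs are constructed for the example; the list of sensitive API names is an assumption you would tune to your own environment.

```python
import json
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed CloudTrail records in the real record layout (subset of fields).
# None of these values come from the talk; they exist only to run the triage.
SAMPLE_CLOUDTRAIL_LOG = json.dumps({"Records": [
    {"eventTime": "2016-08-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "10.1.2.3",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot", "accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2016-08-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateSnapshot", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot", "accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2016-08-01T10:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot", "accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2016-08-01T10:07:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot", "accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2016-08-01T11:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "10.1.2.9",
     "userIdentity": {"type": "IAMUser", "userName": "backup-job", "accessKeyId": "AKIAEXAMPLEKEY000002"}},
]})

# Constructed: the address range your own automation is expected to call from.
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8")]

# Assumed watch-list: calls that clone a box (snapshot/image/run), add a key
# pair, or create new credentials/permissions. Tune this to your environment.
SENSITIVE_CALLS = {
    "iam.amazonaws.com": {"CreateAccessKey", "CreateUser", "AttachUserPolicy", "PutUserPolicy"},
    "ec2.amazonaws.com": {"RunInstances", "CreateSnapshot", "CreateImage", "ImportKeyPair"},
}


def parse_records(log_text):
    """Return the Records list from one CloudTrail log file (the S3 delivery format)."""
    return json.loads(log_text)["Records"]


def is_trusted(source, networks):
    """True when the call came from a trusted range; CloudTrail writes a service
    name (e.g. 'ec2.amazonaws.com') instead of an IP for calls AWS makes on the
    user's behalf, and those are treated as trusted here."""
    try:
        addr = ip_address(source)
    except ValueError:
        return True
    return any(addr in net for net in networks)


def triage_by_key(records, trusted_networks=TRUSTED_NETWORKS, sensitive=SENSITIVE_CALLS):
    """Group API calls by access key and mark keys that look compromised.

    A key is marked 'suspect' when it was used from an untrusted address AND
    made at least one sensitive call; either signal alone is only a lead."""
    report = defaultdict(lambda: {"user": None, "calls": 0,
                                  "untrusted_ips": set(), "sensitive_calls": []})
    for rec in records:
        key = rec.get("userIdentity", {}).get("accessKeyId")
        if not key:
            continue  # console sign-ins and some service events carry no access key
        entry = report[key]
        entry["user"] = rec["userIdentity"].get("userName")
        entry["calls"] += 1
        src = rec.get("sourceIPAddress", "")
        if not is_trusted(src, trusted_networks):
            entry["untrusted_ips"].add(src)
        if rec["eventName"] in sensitive.get(rec["eventSource"], ()):
            entry["sensitive_calls"].append((rec["eventTime"], rec["eventName"], src))
    for entry in report.values():
        entry["suspect"] = bool(entry["untrusted_ips"]) and bool(entry["sensitive_calls"])
    return dict(report)


def keys_to_rotate(report):
    """Access key IDs a responder should rotate first, from a triage report."""
    return sorted(k for k, e in report.items() if e["suspect"])


if __name__ == "__main__":
    rep = triage_by_key(parse_records(SAMPLE_CLOUDTRAIL_LOG))
    for key, e in rep.items():
        print(key, e["user"], "SUSPECT" if e["suspect"] else "ok",
              sorted(e["untrusted_ips"]), [c[1] for c in e["sensitive_calls"]])
    print("rotate first:", keys_to_rotate(rep))
```

Run against real data by pointing `parse_records` at a CloudTrail log file pulled from the trail's S3 bucket (the records are gzipped JSON in the same `Records` layout). The "untrusted address and sensitive call" rule is deliberately conservative so that a key normally used by automation inside the VPC produces no alert on its own; the per-key breakdown is still worth reading for keys that trip only one of the two signals.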
:::spoiler Extras (video recording, whitepaper, DerbyCon version, BSides PDX version)
##### Video recording
{%youtube Y9cAHxd0kW4 %}
##### Whitepaper
{%pdf https://www.blackhat.com/docs/us-16/materials/us-16-Krug-Hardening-AWS-Environments-And-Automating-Incident-Response-For-AWS-Compromises-wp.pdf %}
##### [BSides PDX slides](https://github.com/ThreatResponse/threatresponse-bsides/slides.rst)
:::spoiler DerbyCon
##### [Slides](http://threatresponse-derbycon.s3-website-us-west-2.amazonaws.com/)
<iframe width="100%" height="500" src="http://threatresponse-derbycon.s3-website-us-west-2.amazonaws.com/" frameborder="0"></iframe>
##### Video
{%youtube cmEUxxYFjK8 %}
:::
---
#### Hacking Serverless Runtimes: Profiling AWS Lambda, Azure Functions, and More
> Serverless technology is getting increasingly ubiquitous in the enterprise and startup communities. As micro-services multiply and single purpose services grow, how do you audit and defend serverless runtimes? The advantages of serverless runtimes are clear: increased agility, ease of use, and ephemerality (i.e., not managing a fleet of "pet" servers). There is a trade off for that convenience though - reduced transparency. In this talk, we will deep dive into both public data and information unearthed by our research to give you the full story on serverless, how it works, and attack chains in the serverless cloud(s) Azure, AWS, and a few other sandboxes. Who will be the victor in the great sandbox showdown?
>
{%pdf https://www.blackhat.com/docs/us-17/wednesday/us-17-Krug-Hacking-Severless-Runtimes.pdf %}
:::spoiler whitepaper
{%pdf https://www.blackhat.com/docs/us-17/wednesday/us-17-Krug-Hacking-Severless-Runtimes-wp.pdf %}
:::
:::spoiler video recording
{%youtube GZBiz-0t5KA %}
:::
---
#### Covert Attack Mystery Box: A few novel techniques for exploiting Microsoft “features”
> Does the blue team got you feeling down because they are on you like Windows Defender on a Mimikatz binary? Have you lost sleep at night because their logging and alerting levels are so well tuned that if they were vocals, auto-tune couldn’t make them any better? Do you like surprises? Well you are in luck!
>
> Over the last few months we’ve been doing a bit of research around various Microsoft “features”, and have mined a few interesting nuggets that you might find useful if you’re trying to be covert on your red team engagements. This talk will be “mystery surprise box” style as we’ll be weaponizing some things for the first time. There will be demos and new tools presented during the talk. So, if you want to win at hide-n-seek with the blue team, come get your covert attack mystery box!
>
{%slideshare dafthack/covert-attack-mystery-box-a-few-novel-techniques-for-exploiting-microsoft-features %}
:::spoiler video recording
{%youtube XFk-b0aT6cs %}
:::
---
## :three: Manage identity and access in Azure Active Directory
- [ ] [Manage users and groups in Azure Active Directory](https://docs.microsoft.com/en-us/learn/modules/manage-users-and-groups-in-aad/) - 50 min
- [ ] [Create Azure users and groups in Azure Active Directory](https://docs.microsoft.com/en-us/learn/modules/create-users-and-groups-in-azure-active-directory/) - 41 min
- [ ] [Secure your application by using OpenID Connect and Azure AD](https://docs.microsoft.com/en-us/learn/modules/secure-app-with-oidc-and-azure-ad/) - 50 min
- [x] [Secure Azure Active Directory users with Multi-Factor Authentication](https://docs.microsoft.com/en-us/learn/modules/secure-aad-users-with-mfa/) - 38 min
- [ ] [Allow users to reset their password with Azure Active Directory self-service password reset](https://docs.microsoft.com/en-us/learn/modules/allow-users-reset-their-password/) - 31 min
- [ ] [Add custom domain name to Azure Active Directory](https://docs.microsoft.com/en-us/learn/modules/add-custom-domain-name-azure-active-directory/) - 18 min
:::info
### Additional Reading
- [ ] [Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis)
- [ ] [Active Directory Federation Services](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs)
- [ ] [Multi-Factor Authentication](https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks)
:::
## :three: Manage security operations in Azure
- [ ] [Identify security threats with Azure Security Center](https://docs.microsoft.com/en-us/learn/modules/identify-threats-with-azure-security-center/) - 43 min
- [ ] [Analyze your Azure infrastructure by using Azure Monitor logs](https://docs.microsoft.com/en-us/learn/modules/analyze-infrastructure-with-azure-monitor-logs/) - 34 min
- [ ] [Improve incident response with alerting on Azure](https://docs.microsoft.com/en-us/learn/modules/incident-response-with-alerting-on-azure/) - 53 min
- [ ] [Capture Web Application Logs with App Service Diagnostics Logging](https://docs.microsoft.com/en-us/learn/modules/capture-application-logs-app-service/) - 55 min
:::info
### Additional Reading
- [ ] [Azure Monitor](https://docs.microsoft.com/en-us/azure/azure-monitor/overview)
- [ ] [Sentinel](https://docs.microsoft.com/en-us/azure/sentinel/overview)
- [ ] [Introducing Microsoft Azure Sentinel](https://azure.microsoft.com/en-in/blog/introducing-microsoft-azure-sentinel-intelligent-security-analytics-for-your-entire-enterprise/)
:::