Post Credit: Ricoh Danielson
While preparing the workspace environment in Azure, setting up an incident response is a daunting task. Incident Responders should always be provided with the flexibility to respond to any given task at any given time.
Conducting incident response usually comes with its own challenges. That too running cloud incident response like the one in Azure can be at your wit’s end!
Our goal here is to simplify and streamline the preparation stage. For that, let’s first get to know the technical details of setting up a security incident response within Azure. The areas we may cover are VN, NSGs, MS Sentinel, Golden Image (Image Bakery), and other security elements that contribute to being prepared in Azure.
Phase 1: Preparing the workspace
Here this works much like real estate, location location location. In Cyber, the direct translation is visibility, visibility visibility. You cannot hit what you cannot see.
In this phase, we need to ensure that the correct security is implemented across the entire environment. If your domain is small or large, appropriate incident response security measures must be implemented.
Logging on MS Azure should be one of the most areas to focus on. The development of Logging with Azure can be done in https://portal.azure.com/
VN (Virtual Network)
Creating a VN (Virtual Network) that fits the business needs is the most important thing to consider when it comes to the VN setup. Default settings of 10. x.x.x.x/ xx may leave the VN wide open to the world.
At the same time setting up these VN controls, we will need to set up Monitoring Alerts to rule to track the alert that may be tripped—defining these alerts will be limited to cover the VN and NSGs logs.
NSG and VN Alerts
Once all the VN and NSG alerts are set up, the Activity Log section can find the centralized location for log correlation. This section can conduct research, investigations, and digital forensics log evidence preservation.
In the below-highlighted area, we can see that metadata can yield a high amount of data. This can capture data such as admin login, configuration changes, data transfer. These critical data points to know and be aware of when it comes to being prepared and the preparedness state of the workspace. Alert can and should be fed or digested into a SIEM. SIEM ingestion and overall process help to streamline logs
Activity monitoring can help during a live investigation. Exerts from the logs provide a high level and a granular look of what may have transpired during the sessions.
The natural settings for the VN creation will be open to the new world. Creating a subnet isolated explicitly to the internal-facing Network would minimize the risk of having a forward-facing application or a forward-facing that works.
Firewall and Network Configuration
By default, these configurations come disabled. Enabling these configurations will set up a more defensive posture that would empower preparedness and readiness of the environment.
By executing well-defined DDOS and firewall protection will allow for an extract layer of protection. Also, further network firewall configuration can block specific IP addresses, which will also give feedback to the AI portion of Security Defender.
Even though these are some of the fundamentals of logging and networking, these will play a critical part in incident response in azure should something arise.
Phase 2: Defining the scope of the workspace
Golden Images and Standardization
As stated above, having network visibility is critical for having visibility in the environment. Only when we can see something can we do something about it. On the other hand, the ability to perform imaging, redeploy imaging, and overall image configuration helps not only recover but also helps to have a reference point of security vulnerabilities.
Being able to hit the kill switch and blow away an infected host or environment is powerful. Only do this when the infected host or devices have been imaged for forensics. Having a preconfigured image with the most recent update and security measures in place will provide a smoother transition when it is time to recover.
Phase 3: Enhancing the visibility and capability
SIEM visibility
Now that we have developed the environment for preparedness another area that will need some attention is the Sentinel location. Sentinel if not configured will not provide any helpful data.
Sentinel workspace configurations are broken down into three areas, “Basic, Tags and Review+Create.” A well-defined subscription, resource groups that provide instant details will add a lot of data that needs to be digested during an incident.
Moreover, setting up the workspace may be the last step after all the other areas have been set up.
Focusing on application group areas, diagnostic configuration, and logs, tagging, and reviewing the final configuration will provide a smooth and reliable area to help respond to incidents in Azure.
Phase 4: Ongoing developmental improvements
Advisor Recommendation
There will always be a need to improve, redefine and enhance. We must investigate one of the areas.
Much like other cloud providers, Azure provides a means to address some of these areas that need to be addressed for a better security posture. Addressing these can lead to a better quality of security in Azure. Some of these just might not be able to be configured due to certain business needs but addressing most of these will help lower the risk rating.
On a high level, these items may seem basic, but they are fundamental areas that Incident Responders should focus on when responding to an incident in Azure. Hope you will keep this in mind when setting up workspaces in Azure. As a parting note, always remember, You are your own first responder.