Snakes on a (Control) Plane: Purple-Teaming Azure IAM for Threat Detection (PDF, 28 pages)
Snakes on a (Control) Plane: Purple-Teaming Azure IAM for Threat Detection
Lydia Graslie, Threat Detection Engineer, Edward Jones

About Me
- Threat Detection Engineer at Edward Jones
- TA for SANS SEC 541
- Former English teacher
- Worked on helpdesk
- Engineering is rad
- Likes: home labs, comedy, gardening, hockey, music

What We'll Learn
- Why Azure IAM is tricky to monitor
- What to consider
- How to stay organized

Why Purple Team?
- Microsoft Cloud is a big, complex product, as are many clouds
- It's easy to miss things!
- Settings and log events are often not intuitive
- Purple teaming helps us make sure we're covered
- Ensures we have the logs we need and that the events show up as we expect
- Helps us build the right detections for the resources/environment we have
- Ensures robust detections that cover multiple attack paths/procedures of a technique
- Informs thorough and helpful documentation for responders

Purple Teaming Threat Detection, tl;dr:
- Doing a malicious thing (safely)
- Recording that malicious thing
- Examining the logs produced by the malicious thing

Azure IAM

IAM 101
"IAM gives secure access to company resources, like emails, databases, data, and applications, to verified entities, ideally with a bare minimum of interference. The goal is to manage access so that the right people can do their jobs and the wrong people, like hackers, are denied entry." - Microsoft

Azure IAM
Source: Microsoft

Why is it Hard?
- Not everything important is logged by default
- Azure resources don't automatically export all log activity
- Log settings are everywhere
- Need to set up diagnostic settings to collect logs
- Logs in the portal =/= logs in your SIEM
- Lots of unanticipated things can happen between the GUI and your SIEM

Diagnostic Settings

What Isn't Logged by Default?
- Key Vault activities
- Gap example: cannot see who creates or deletes keys/secrets, or who is looking at keys/secrets
- Kube
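The two slides above make one practical point: Key Vault data-plane activity (who reads, creates or deletes keys and secrets) only reaches your SIEM once a diagnostic setting exports the AuditEvent category to a destination, and the purple-team loop is how you confirm it actually arrived. The script below is an added example written for this page, not code from the talk or from Microsoft. It does two things on constructed sample data: it checks a vault's diagnostic settings (in the shape the ARM diagnostic-settings resource uses, an assumption here) for the AuditEvent gap, and it reduces AuditEvent records to a "who touched which secret" view a responder can read. Field names (operationName, identity.claim.upn/appid, properties.id, callerIpAddress, resultType) follow the Key Vault AuditEvent schema as the author of this example understands it; the subscription, workspace and app IDs are placeholders.

```python
"""Key Vault logging-gap check and secret-access triage over sample data (added example)."""
from typing import Dict, List

# Data-plane operations that answer "who created/deleted/looked at keys or secrets".
SECRET_KEY_OPERATIONS = {
    "SecretGet", "SecretSet", "SecretDelete", "SecretList",
    "KeyGet", "KeyCreate", "KeyDelete", "KeyList",
}
DESTINATION_KEYS = ("workspaceId", "storageAccountId", "eventHubAuthorizationRuleId")

# Constructed sample: one diagnostic setting on a vault that ships metrics but NOT AuditEvent.
# Shape mirrors the ARM diagnosticSettings resource (assumption); IDs are placeholders.
SAMPLE_SETTINGS: List[Dict] = [
    {
        "name": "to-sentinel",
        "workspaceId": "/subscriptions/<sub-id>/resourceGroups/rg-sec/providers/"
                       "Microsoft.OperationalInsights/workspaces/<workspace-name>",
        "storageAccountId": None,
        "eventHubAuthorizationRuleId": None,
        "logs": [{"category": "AuditEvent", "enabled": False}],
        "metrics": [{"category": "AllMetrics", "enabled": True}],
    }
]

# Constructed sample AuditEvent records, as they would land in the SIEM once exported.
SAMPLE_AUDIT_EVENTS: List[Dict] = [
    {"time": "2024-05-01T10:00:01Z", "operationName": "SecretGet", "resultType": "Success",
     "callerIpAddress": "203.0.113.10", "identity": {"claim": {"upn": "alice@example.com"}},
     "properties": {"id": "https://kv-prod.vault.azure.net/secrets/db-password/v1"}},
    {"time": "2024-05-01T10:00:05Z", "operationName": "VaultGet", "resultType": "Success",
     "callerIpAddress": "203.0.113.10", "identity": {"claim": {"upn": "alice@example.com"}},
     "properties": {"id": "https://kv-prod.vault.azure.net/"}},
    {"time": "2024-05-01T10:02:30Z", "operationName": "SecretDelete", "resultType": "Success",
     "callerIpAddress": "198.51.100.7", "identity": {"claim": {"appid": "<app-id>"}},
     "properties": {"id": "https://kv-prod.vault.azure.net/secrets/db-password"}},
    {"time": "2024-05-01T10:03:00Z", "operationName": "SecretGet", "resultType": "Forbidden",
     "callerIpAddress": "198.51.100.7", "identity": {"claim": {"upn": "bob@example.com"}},
     "properties": {"id": "https://kv-prod.vault.azure.net/secrets/api-token/v3"}},
]


def audit_log_gaps(settings: List[Dict]) -> List[str]:
    """Return human-readable gaps; an empty list means AuditEvent reaches at least one destination."""
    if not settings:
        return ["no diagnostic settings at all: Key Vault data-plane activity is not exported"]
    gaps = []
    for s in settings:
        enabled = {log.get("category") for log in s.get("logs", []) if log.get("enabled")}
        has_destination = any(s.get(k) for k in DESTINATION_KEYS)
        if "AuditEvent" in enabled and has_destination:
            return []  # covered: at least one setting exports the audit category somewhere
        if "AuditEvent" in enabled:
            gaps.append(f"{s['name']}: AuditEvent enabled but no destination configured")
        else:
            gaps.append(f"{s['name']}: AuditEvent category not enabled")
    return gaps


def secret_access_events(records: List[Dict]) -> List[Dict]:
    """Keep only key/secret data-plane operations and flatten them to actor/operation/object."""
    out = []
    for r in records:
        if r.get("operationName") not in SECRET_KEY_OPERATIONS:
            continue  # control-plane reads such as VaultGet are not the gap we care about
        claim = r.get("identity", {}).get("claim", {})
        # Users carry a upn claim; service principals and managed identities carry appid.
        actor = claim.get("upn") or claim.get("appid") or "unknown"
        out.append({
            "time": r.get("time"),
            "actor": actor,
            "operation": r["operationName"],
            "object": r.get("properties", {}).get("id"),
            "result": r.get("resultType"),
            "ip": r.get("callerIpAddress"),
        })
    return out


def actors_with_failures(records: List[Dict]) -> List[str]:
    """Actors whose secret/key access was denied; useful as a first triage cut."""
    return sorted({e["actor"] for e in secret_access_events(records) if e["result"] != "Success"})


if __name__ == "__main__":
    for gap in audit_log_gaps(SAMPLE_SETTINGS):
        print("GAP:", gap)
    for event in secret_access_events(SAMPLE_AUDIT_EVENTS):
        print(event["time"], event["actor"], event["operation"], event["object"], event["result"])
    print("denied actors:", actors_with_failures(SAMPLE_AUDIT_EVENTS))
```

When the gap check reports that AuditEvent is not enabled, the fix is the diagnostic setting the slides refer to (for example `az monitor diagnostic-settings create` on the vault with the AuditEvent category enabled and a Log Analytics workspace as destination), and the purple-team step that follows is to read one secret in the test vault and confirm a SecretGet record for your own UPN appears in the SIEM, not just in the portal.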