November 8, 2021
I'll Tell You What I Want to Make Public
Security blog series By Dwayne Natwick
What are we trying to protect?
In the previous post "The Best Offense is a Good Defense", we discussed having a defense in depth security posture protects our company at all levels of a potential attack. The more controls that we have in place at each level will act as the building blocks of protection within our company to avoid data theft. The focus of this post will be on securing compute resources through network and virtual machine controls. First, we should understand more about our attackers by reviewing the cyber-attack kill chain.
What is the cyber-attack kill chain?
There are many ways that an attacker attempts to access resources within the company. How they gain this access and what they attempt to accomplish once they gain access is the foundation of a cyber-attack. We look at each of these areas and how we protect them as the cyber-attack kill-chain. Figure 1 shows the stages of a cyber-attack in a linear format.
In many cases, an attacker is attempting to enter and do some level of damage at one of these stages. Sophisticated attackers may go through every one of these stages in order to gain full access of resources and increase the amount of damage that they can do to a company. Let's define each of these stages for further understanding.
1. Reconnaissance - this is the planning stage of the attack. The attacker is gathering information that they can find about the company, or companies, that they will be targeting. This may be through social media, websites, phishing, or social engineering of personnel within the company. Another aspect of this stage is port scanning known management ports, such as RDP port 3389 or SSH port 22. The goal at this stage is that they are attempting to find ways to access systems.
2. Intrusion - once the reconnaissance is successful, they have found a way to access a system or systems within the company network. Now they will use that knowledge to get into those systems. One type of intrusion is a brute force attack.
3. Exploitation - the attacker has gained access to a system on the company network, now they want to exploit that system. This is where the attacker begins to show malicious intent. They will begin to use this access to deliver malware across the network.
4. Privilege escalation - once the attacker has gain access to a system, they will want to gain an administrator level access to the current resource as well as additional resources on the network. If they have gained access to a virtual machine on the network, they could have administrative login privileges to other virtual machines and resources on the network.
5. Lateral movement - companies that use the same administrator username and password could allow the attacker to gain access to other systems across the network. This lateral movement could lead the attacker from a system without sensitive information to one that has extremely sensitive information.
6. Obfuscation/Anti-forensics - as is the case with any attack or crime, the person, or people, involved do not want to be found or traced. Therefore, they attempt to keep their access anonymous. If they have gained access through someone's credentials within the company, this could help to decrease their traceability.
7. Denial of Service - when an attacker cuts off access to resources, this is a denial of service. This may be through an attack such as syn flood where they send a large number of requests to a company's public IP address that cannot be processed fast enough. This flood of requests blocks legitimate requests from being able to access resources.
8. Exfiltration - the final aspect of the cyber-attack is exfiltration. This is where the attacker has gained access to sensitive information, and they are able to remove that information to do harm in some way. This could be banking information, personnel, or customer personal identifiable information (PII), and other valuable data.
The ability to protect against each of these aspects of the cyber-attack is our kill-chain. Having a strong defense in depth security posture addresses the areas of the kill-chain.
How do we protect our identity and network perimeter in the cloud?
In reviewing the attacker kill chain, it should be noted that the key points in a successful attack are the ability to access or intrude on our systems and then gain access through having escalated privileges. The importance of securing our identities was discussed in the blog post, "Are You who You say that You are?". In that post, we mentioned that it all starts with having multi-factor authentication on our accounts. This is essential for our administrator accounts. This helps to mitigate the potential of an administrator account being compromised. We will discuss additional options later in this post.
Protecting our network perimeter with controls will add another layer to our defense in depth security posture. Microsoft Azure provides Distributed Denial of Service (DDoS) protection at no additional cost to provide protection at the network perimeter from losing access to resources over the Internet Service Providers (ISP). As consumers, we should also include additional controls at the network perimeter to decrease the attack surface and mitigate vulnerabilities.
Among the controls to protect the network perimeter include having a firewall to direct traffic through allow and deny rules, and avoid potentially damaging packets from being delivered with packet inspection and intrusion detection and protection services. Additional layers of control can be put in place to further protect against intrusive attacks on our compute resources. The next section will highlight these controls.
What options do we have for protecting and securing virtual machines?
As mentioned in the previous section, our challenge is to put multiple controls in place to mitigate our vulnerabilities and decrease the attack surface. One of the potentially vulnerable compute resources within any cloud infrastructure is the IaaS virtual machine. Since there is a level of access needed for these virtual machines to manage the operating system, this creates an attack surface that a bad actor could gain access with elevated privileges and gain access to data. The goal is to decrease this attack surface by limiting access to the public IP address. A firewall, as stated previously, is one option. Other options are to put a load balancer in front of your virtual machines.
A load balancer can route public traffic to virtual machines but, unlike virtual machines, there is no operating system that can be leveraged as an attack surface. Placing a load balancer in front of the virtual machines allow us to remove the public IP address complete from the network interface of the virtual machine, mitigating the virtual machine's exposure to the Internet.
The second layer of defense for the network and virtual machines is the use of Network Security Groups. Network Security Groups (NSG) provide another layer of allow and deny rules beyond those that are found on a firewall. NSGs protect the source and destination port, protocol, and IP address, they do not perform any packet inspection like firewalls. These allow and deny rules can provide privileged access to specific IP addresses which will decrease the available attack surface for attackers. This includes blocking access to management ports, such as RDP and SSH. NSGs can protect at the virtual machine network interface or the entire subnet.
How do we securely manage our virtual machines with Bastion and just-in-time RBAC?
The previous section secured our virtual machines by removing the public IP address behind the load balancer and blocking RDP and SSH management ports. Since access through these ports via the Internet are no longer available, how are we going to be able to access our virtual machines to perform management tasks?
Bastion host was designed to mitigate the attack surface created by opening management ports and operating systems to the Internet. One way to protect against these attacks previously, IT departments would use a "jump box" virtual machine to authenticate and access the virtual network and then "jump" to one of the virtual machines on the virtual network. To reduce the potential exposure of the virtual machines, the usernames and passwords should not be the same to the jump box as they are on the production virtual machines.
Bastion host removes the attack surface by utilizing a user's identity and access control to the Azure portal. The virtual machine contributor role will allow them to access the virtual machines and connect to them through the Bastion connection. The user experience is the same as they would use with RDP or SSH, without exposing the virtual machine to the Internet.
As stated, users that need access to the virtual machine can be assigned the virtual machine contributor role-based access control. If a user only needs to access these virtual machines on a limited basis, then we can create an assignment to this role that is only activated when needed utilizing privileged identity management. This process will be discussed in more detail in the next post, "…But I need Administrator access".
What are the next steps?
We welcome you to explore additional information regarding network and virtual machine protection through Microsoft Learn and live instructor-led training from Opsgility.
In the next post, we will discuss how to protect and manage our administrator accounts with Privileged Identity Management.
Dwayne Natwick Cloud Architect Lead