While the utilization of Cloud computing can enhance your overall secure posture, it is also important to mention that the weaponization of the Cloud to gain access to resources is also something that is taking place in many situations and in many different types of attacks.

The diagram that you see represents an attacker gaining access to VMs located in the Cloud provider. It could be any Cloud provider. By leveraging computer resources from VMs that are hosting this Cloud provider they can attack on premises resources. So, the advantage of that attack is that you use the power of Cloud computing resources to send an attack to the limited amount of power that you have on premises. This is one typical scenario. Another one is DDoS attack. Many DDOS distributed denial services attacks  are leveraging Cloud resources.

Another potential attack that it happens is also taking advantage of failures in configuration. There was a flaw in the configurations, a failure in the DevOps process. Public keys, were not stored securely in a Cloud. This event took place in 2015 and there were bots scanning GitHub to steal Amazon EC2 keys. Problem is that those keys were stored in a public Cloud provider and those keys were not encrypted, and were widely open. It was definitely a failure in configuration.

Nowadays, attackers are shifting the efforts to evade detection controls that are provided by Cloud Workload Protection Platforms. Most of the Cloud Workload Protection Platforms utilize agent installed on their ISVM. And one way to evade detection is to kill the agents. Hackers trying to compromise the agent so you don’t have that sensor running. The first occurrence of this type of attack took place in January 2019 and it was reported by Palo Alto networks. It was malware called Rocke, which was uninstalling the agents from CWPP.


It is imperative that before adopting any Cloud computing solution, organizations understand the general security considerations that are already held by the Cloud computing model you should have a Cloud Workload Protection in place as part of your design, it should be part of your design considerations for not only Cloud workloads, but hybrid scenarios as well. Sometimes, customers are not fully aware that if you have a hybrid scenario, it means that you have some sort of computing power running in the Cloud, and you have interaction between you public Cloud provider and computer infrastructure on premises. When thinking about Cloud security considerations, you should think of the following items:

  • Compliance
  • Risk management
  • Identity and access management
  • operational security
  • Endpoint protection
  • Data protection.

When the subject is compliance, you should think of the migration process. Organizations need to retain their own compliance obligations and they need to dictate how those resources that are going to be migrated to the Cloud need to be compliant. Some workloads might need to be PCI compliant. Some other workloads might need to be NIST compliant, HIPAA compliant. You need to evaluate this from different angles from the Cloud workload migration process. Different Cloud workloads might require different compliance mechanisms and you need to take those in to consideration. Usually, most of the cloud solutions provider will give you more details about their compliance platform.

The second consideration is risk management. Customers must be able to trust their Cloud solution providers. Cloud runs on trust, basically. And that’s something that Microsoft says a lot, that Microsoft runs on trust. Cloud solution providers, in general, should have policy and programs in place to manage online security risks. These policy and programs may vary depending on how dynamic the environment is. And customers should work very closely with their Cloud solution providers to demand full transparency to understand the risk decisions.

In regards to identity and access management, this is a very important subject because identity management is a pivotal point in today’s  security. It allows you manage not only your access to the portal for the Cloud provider, but also your entire identity perspective to access resources in the Cloud. So, make sure that your Cloud provider offer different options and also use multi factor authentication which is very important now a days.

Operational security, when you are migrating to the Cloud, you should adjust your internal processes to the Cloud. Do not bring old processes from on premises scenario and try to just fit it into your Cloud deployment. Make sure that your secure monitoring, your auditing, instant response, your forensics, everything is adapted to the Cloud environment. And when I say adapt to the Cloud environment, many times it means re-engineering some of the aspects. For example, forensics in the Cloud is different from forensic on premises.

Endpoint protection. Endpoint protection is about how you gonna access those Cloud resources because, in a share responsibility model, which is what the Cloud providers will always tell you, the endpoint, the machine that is accessing the Cloud resource might be compromised. And that’s not up to the Cloud provider to secure. That’s your responsibility to secure. So you are going to continue to monitor your endpoint solution to not compromise your Cloud resources. You must ensure that you have that in place. You need to ensure that you have some sort of EDR (endpoint detection and response) in place.

And last but not least, data protection which is very important. Most of the attacks, most of the threat actors, are going after the data itself. So, you need to ensure that you have protection for data at rest on the user device, which is very common in BYOD scenarios that user is accessing a Cloud data from their mobile device. You need to make sure the data is secure at rest. In other words, that you have encryption at rest on the user’s device. You have to be sure that the data is encrypted in transit between the user device and the Cloud provider. The data is encrypted at rest from the Cloud provided data center itself. So, you need to have fully awareness of how this process work. You must think about data entrance points between the Cloud and on computers premises. All these points have to be encrypted


*This article is based on Microsoft Press media, Pearson Education materials and Yury Doigines lectures

In order to understand the Azure security infrastructure first of all you have to step back and think outside of Azure itself, you have to look at a multi layer approach, so called defense in depth. This approach is critical for the modern security.

Think about large enterprise where you have to protect the entire platform that consists of the data center, the multi-tenancy network, the data encryption, the key management.

Then we have the operations on top of the platform. You have to have secure controls in place for the operations which includes the access policies and control, and ensuring that you are developing software using the security development lifecycle approach, operations security assurance, patch management, configuration management, anti malware application, and vulnerability scanning. These are part of the operational security layer.

And then you go to a higher layer, to the strategic standpoint, which is what we call the advanced cyber defense, security monitoring and analytics, and cyber defense operations center or SOC. It’s important to understand that at some point your system will be compromised. So you need to have in place a strategy and written procedures for rapidly response to that breach, because if you think that you have enough security controls in place and you create that false idea that you are so secure that no one will ever be able to penetrate in your environment, then you are creating a mentality that if something bad happens, you really don’t know what to do first, and second, you don’t even know why it happened because you don’t have the detection controls in place to identify potential breach.

Now let’s talk about the different controls. Let’s say you have a subscription, and you start to onboard some resources in your subscription. The first resource that you might onboard is the virtual machine. So when you are deploying virtual machine, you gotta think about the different security controls that you need to put in place for the virtual machine. You need to configure monitoring and export events for analysis. Events that are happening on that machine needs to be gathered so you can have analytics on top of those events.

The very first thing to achieve it is to enable Security Center. Second thing is make sure you configure a Microsoft anti malware solution, or anti malware solution from a partner. If you don’t have endpoint protection Azure Security Center will warn you about that. Then you should apply a corporate firewall using site-to-site VPN and configure endpoints.

This is applicable to situations where you have endpoints that are on-premise and they need to have connectivity to the cloud, or if you are deploying a VM to the cloud and that VM needs to have continued access to a different location, obviously then you need to have a VPN to protect that communication.

Make sure that you define access control between tiers and provide additional protection via the OS firewall. Do not think that only the network-level firewall is enough, you should also hardening the ports of communication from the host itself. And make sure that based on those analytics, that you are collecting, those events are being sent to your monitoring system.

After this part is done we can continue to the next layer, which is the network protection. We need to ensure that our network topology is secure, which a lot of customers miss, because they do not have the habit of hardening the Azure Virtual Network.

Unfortunately I’ve seen many scenarios where the network is not well-designed, it’s fully exposed to the Internet, so make sure that when you’re talking about networking that you can apply some important practices, which include hardening network traffic for Internet facing endpoints. You don’t want to leave your network widely open to the Internet.

  • Properly configure network security groups.
  • Use a network firewall, such as Azure Firewall. Ensure that if you need to expose services to the Internet that are available in Azure, that they are protected by Azure Firewall.
  • Isolate network segments, make sure that you use some of the principles that are very well-established over the years, and network isolation is one of those.
  • Ensure that you have NSGs between subnets.
  • Ensure that you have isolated networks for different assets, for different level of privilege.
  • Create your VLANs to operate in isolation mode.
  • Use Azure Security Center Network Map to have full visibility of your Azure network topology.

Remember that one of the most common attacks against cloud resources is a DDoS, so make sure that you are utilizing the Azure DDoS.By default, Azure provides continuous protections against DDoS attacks as part of the Azure DDoS Basic, which is free of charge.

It’s very important that when you plan and you design your Azure security infrastructure, you take into consideration those different layers, and that you are applying those things that are built in Azure. Leverage those things. Protection of the data at rest is very important, and this can be accomplished via Azure protection of the storage via encryption.

So, ensure that you are using Azure Disk Encryption when you are encrypting the VM disk for your Azure VMs. Ensure that you also leverage Azure Storage Service Encryptions for the data at rest on the Azure Storage perspective, and that you are using Advanced Threat Protection for Azure Storage.

If you have storage accounts, and you want to make sure that you are monitoring against threats that are trying to take advantage of your storage account, you should enable advanced threat protection, ATP. If you want to do that for the entire subscription, the best way to do is your Azure Security Center. Identity is a part of Azure that is extremely important. You should be monitoring your identity very closely, and leveraging the capability that you have in Azure, which includes the Azure Identity Protection part of Azure AD. Make sure to use that, because it will give you some extremely useful analytics in threat protection for identity. Azure Identity Protection has a series of capabilities to detect potential identity-related vulnerabilities, suspicious actions related to users, related to the access, to the authentication pattern.

Azure AD Identity Protection will also stream the alerts to Azure Security Center, so there is a native integration there. Last but not least, logging. Well, logging is a very interesting subject, because throughout the years it has become more and more important to always have logs available, and when you are migrating to the cloud, you realize that the amount of logs can be gigantic, because there are so different dimensions, so it’s very important to understand what you are looking for.

This diagram here explains the different levels of logging, so let’s start from bottom to top. At he bottom there is the Azure Active Directory logs, this is a tenant-level log. That’s where you’re gonna obtain that information, from the tenant itself. Then you have a subscription, because remember, within a tenant you can have multiple subscriptions, so within the subscription itself, you have logs related to the resource manager, you have logs related to service health, and you have the Azure Security Center logs, which are based on the threat detections and prevention.

You go a little bit higher on the Azure resource itself, then you have the VMs that you are deploying, the storage accounts, the network security groups, and each one of those will have also its own series of logs. Now when you go inside the VM, which is the guest operating system, which could be Linux or Windows, then you have the logs within the VM itself. If you go even higher on this stack, on the application layer, then you have telemetry of the application, have the application logs.

Azure provides different sets of logs, and these logs will reflect different types of actions. Do not ever think that because you are collecting, let’s say, the Azure Security Center logs, that you cover all the scenarios. No, you will also have things that are happening on a different layer.

One question that is very common is, hey, “I would like to see who changed my Azure Security Center policy, which log should I look at”?

Well, the answer is that in this particular case we’re gonna look to the activity log that is looking to things on the subscription level.


*This article is based on Microsoft Press media, Pearson Education materials and Yury Doigines lectures


When we are talking about Incident Response, the first and probably the most important standard that comes to mind is Computer Security Incident Handling Guide from NIST. And in this guide, there are a series of events and actions that comprise the incident response life cycle.

 We have number one, preparation. That leads into detection and analysis, which then is followed by containment eradication and recovery, but possibly used in a cycle with detection analysis. And finally, we have post-incident activity, which is really just a mixture of Sections Three and going back to Section One, Preparation.

The first section of the Incident Response Life Cycle, is Preparation. And within Preparation, there are a number of different tasks that you’re going to want to know about from a security perspective. And we’re gonna start with Limiting the Blast Radius. And for this particular step, there are a couple of different concepts that are pretty straightforward and that you can associate with this. First of these, is deploying your accounts using AWS Organizations. Next, is to deploy your networks using multiple VPCs. Both of these can help you when there is a security event and you need to restrict the amount of resources that the actor can possibly have access to. Next, is Self-Documenting Infrastructure. And AWS gives you a couple of different ways to go about this. There are different services and features that can help you document your infrastructure without having to explicitly open a text editor. First of these is AWS Config. This is great from an inventory perspective. CloudFormation, where you’re actually defining infrastructure elements using text files and then creating them from those text files. And third, AWS SSM. The system’s manager service gives a number of features for inventorying at a deeper level including, network information, installed software, and license usage. The next step is creating Procedures and Run Books.

Our next task is to generate a Normal Behavior Baseline, and AWS provides a couple of ways to make this happen. The first of these is pretty straightforward. Just using the monitoring service, called CloudWatch. GuardDuty is an excellent tool and can be used to identify an abnormal behavior in your account.

There are three specific services that are going to be very helpful to the AWS customer in Assessing Risks. The first of these is Amazon Inspector. Next, we have GuardDuty, and the last one Amazon Macie. This is a service that can help you assess whether or not permissions on S3 buckets are too permissive.

Next we have Network Security.There are a number of different features that you can use to help improve the security from a network perspective. You can you Network Access Control Lists, Security Groups, both of these are going to be part of the VPC context and used together. You can use VPC Flow Logs for auditing the network traffic flow within VPC. And finally, you can use the AWS Web Application Firewall service. This is used in conjunction with CloudFront, and applies to web traffic, where you have the ability to identify and potentially drop abnormal requests.

Our next step, is the ability to Store Relevant Event Information. This is absolutely a proactive step that should be done as part of your strategic planning for security in AWS. And there are a range of features that you can use here as well. CloudWatch Logs is a great way to store log files durably with excellent ways of accessing them for analysis purposes. You have AWS Config streams, where you can create snapshots of the metadata configuration for your resources. You can use CloudWatch Events to keep track of what’s happening in your AWS account. You can store access logs in S3 in addition to CloudWatch Logs. And you can use CloudTrail Logs, that are stored in either Cloudwatch Logs or S3 to help correlate between behavior and actions that were taken to create that behavior.



*This article is based on Pearson IT Education materials and Chad Smith lectures

In this article I would like to discuss Abuse Notice Strategies. Let’s assume you need to evaluate the suspected compromised instance. Where should we start? If your account has a suspected compromise, either at the key level or at the EC2 level, AWS will send an email with some details around that suspected compromise activity. From a customer perspective, it is up to you to then evaluate that compromised resource, such as an EC2 instance, to see if you can figure out whether or not you are truly being subject to a security event. You can start with GuardDuty, there’s a feature called VPC flow logs that allows you to view the incoming and outgoing traffic at different contexts. You can isolate your resource from the network using features like security groups. And you can even launch a replacement using backups in the form of an AMI.

If it is an access key that has been compromised, you have different strategies for mitigating this. You can look at the access advisor reports to determine which services have been accessed using that key and at what time.You can look at GuardDuty, or CloudTrail logs. Just these two options are going to provide a full audit trail of everything that’s happening in your AWS account. And you can take action in a form of disabling keys or creating new keys that replicate the functionality.


*This article is based on Pearson IT Education materials and Chad Smith lectures

In this article we will discuss how to build a strong cyber defense through the enhancement of your secure posture, and understanding the different phases of the cyber kill chain. To build a strong defense, you need to understand the different stages of an attack. It is very important to understand those stages, because you want to add detection in the different areas and different moments of the attack. The core idea is that you can and should mitigate an attack early in the cyber kill chain phase. Ideally you should be able to detect that there is something happening in the reconnaissance phase, because the attacker was not able to perform a lot of malicious activity inside of network yet. Let’s go through some of the main aspects of each one of those phases.

The reconnaissance phase, as the name says is the phase in which the attacker gathers information about the target before the attack actually takes place. This is a very important phase, because it’s understanding the target that they build the campaign to perform malicious activity. That can be scam phishing email or phishing email, something along those lines.

Which leads us to the weaponization. This is the stage then you are already using the information that you gathered in the reconnaissance, and weaponizing that information. You can utilize that information in a malicious way. So it’s basically creating the artifact that will be used to compromise the victim. Which goes to the next phase, which is the delivery phase. Which is the transmission of the attack itself to the victim. In this case, you gather information, you create your phishing campaign, and now it is time to send it out to the victim.

But maybe the phishing email is just the entry point to something else that is going to happen in the next phase, which is the exploitation. So in the exploitation, something is going to happen, for example, let’s say that the phish email has a link to download a piece of malicious code. And that piece of malicious code is going to try to exploit the build. So that is already part of the exploitation phase, and when it is doing that then it is time to move on to the next phase, which is now I’m going to install that exploit into the destination computer. So you see that very smoothly, the attackers gain more and more access to the target’s system, and that is what the attacker wants.

When the attacker is already there then he can start doing other things such as contacting the command and control, which is the C2 phase. At this stage he will try to extract more information or perhaps to even download more malicious codes and install on private systems. Between the C2 and the actions on the objectives, there will be some other things that they will try to accomplish.

Stronger Defense

Microsoft created variation of the cyber kill chain to put in practice, which puts a slightly different amount of steps. Here it is:

Because we start with the external recon, which is basically the reconnaissance. Then we compromise the machine via some sort of exploitation, taking advantage of a vulnerability. Then we start internal reconnaissance, notice that there’s the external reconnaissance and the internal reconnaissance. That’s very common because once hacker establishes his footprint in the target machine, then he can start doing some internal recon in the network because now he has access to that internal machine. Then he is going to do some malicious actions such as, lateral movement, local privilege escalation, harvesting domain credentials until he gets to the point where he has full domain dominance.

Most likely that during C2 stage hacker is going to place Trojan.

What you really need to do is to build a better security posture, and this is not only for cloud, but on premise infrastructure as well. Security posture consist of three stages. Detect→Response→Protect.


*This article is based on Microsoft Press media, Pearson Education materials and Yury Doigines lecture

The days of hacking for status and pride are way behind us. Nowadays the main motivation behind cyber attacks is financials gains. Of course there are other reasons, nation state, threat actors, and things like that. But from the commercial perspective, attackers are going towards the money. The data that will generate money, the identity which can be exchanged by money, ransomware, these type of things. Hackers almost always looking for financial gains. This is the main motivation nowadays.

It’s important to understand that company of any size can be a target. The rationale that only large organizations will be the target is completely untrue. Attackers often go towards mid and small-sized companies, because it easier to hack into their system and hijack and they don’t have the security controls in place. For example in 2017 companies losses related to tech support fraud raised to 15 million. The number of losses related to ransomware attacks raised to 2.3 million. And if we look at the cost prediction from 2015 to 2021, we’re gonna to double the amount of cost with cyber crime.  It is important that every single customer that is migrating to the cloud, have this mindset that they need to leverage cloud resources to enhance their secure portion overall.

In this slide you have a structure of a criminal infrastructure that can be used globally. These guys shouldn’t be in the same physical location, usually they don’t even know each other, for the most part they communicate through the dark web, different criminals have different activities and responsibilities. For example the developer is the one that we are creating malware, this guy has a very specific skill. He knows programming language and he will pieces of malicious code and then sell to hacker that will buy that malware. Sometimes hacker buy a whole kit and this kit can be used to perform a series of actions not just steal a credentials or perform a brute force attack. And then there is cyber criminal himself which will buy from the hacker the credentials that were stolen. This guy for the most part is the one that is going to receive the cash from the organization that hired him to do this whole thing.

Now it is a global enterprise, it is not one single person that it used to be 20 years ago. That’s why it’s so hard track it down. Stolen data is very inexpensive, compromised accounts come in bulk and in very large blocks, prices can as ow as $1 per account.

So, as more and more sophisticated cyber threats come along, the best approach is constant vigilance. You should assume that most likely you will be the victim of a big data breach or major hack attack.



*This article is based on Microsoft Press media, Pearson Education materials and Yury Doigines lecture