
Snakes on a (Control) Plane: Purple-Teaming Azure IAM for Threat Detection.pdf

Uploader: 可*** ID: 991868 2025-12-07 28 pages 1.94MB

Snakes on a (Control) Plane: Purple-Teaming Azure IAM for Threat Detection
LYDIA GRASLIE, THREAT DETECTION ENGINEER, EDWARD JONES

About Me
- Threat Detection Engineer at Edward Jones
- TA for SANS SEC 541
- Former English teacher
- Worked on helpdesk
- Engineering is rad
- Likes: home labs, comedy, gardening, hockey, music

What We'll Learn
- Why Azure IAM is tricky to monitor
- What to consider
- How to stay organized

Why Purple Team?
- Microsoft Cloud is a big, complex product, as are many clouds
- It's easy to miss things!
- Settings and log events are often not intuitive
- Purple teaming helps us make sure we're covered
- Ensures we have the logs we need and the events show up as we expect
- Helps us build the right detections for the resources/environment we have
- Ensures robust detections that cover multiple attack paths/procedures of a technique
- Informs thorough and helpful documentation for responders

Purple Teaming Threat Detection tldr;
- Doing a malicious thing (safely)
- Recording that malicious thing
- Examining the logs produced by the malicious thing

Azure IAM

IAM 101
"IAM gives secure access to company resources, like emails, databases, data, and applications, to verified entities, ideally with a bare minimum of interference. The goal is to manage access so that the right people can do their jobs and the wrong people, like hackers, are denied entry." - Microsoft

Azure IAM
Source: Microsoft

Why is it Hard?
- Not everything important is logged by default
- Azure resources don't automatically export all log activity
- Log settings are everywhere
- Need to set up diagnostic settings to collect logs
- Logs in the portal =/= logs in your SIEM
- Lots of unanticipated things can happen between the GUI and your SIEM

Diagnostic Settings

What Isn't Logged by Default?
- Key Vault activities
- Gap example: cannot see who creates or deletes keys/secrets, or who is looking at keys/secrets
- Kube
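One way to run the "do it, record it, check the logs" loop from the slides above against the Key Vault gap, where create/read/delete of keys and secrets only reach your SIEM once a diagnostic setting forwards the AuditEvent category. This is an added Python example, not code from the talk: the SIEM records, exercise log, vault name, IP address and timestamps are constructed, and the records are simplified (no identity claims) relative to the real Key Vault log schema.

```python
import json
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Exercise action (what the purple teamer did) -> Key Vault AuditEvent
# operationName a diagnostic setting should emit for it.
EXPECTED_OPERATION = {
    "create secret": "SecretSet", "read secret": "SecretGet", "delete secret": "SecretDelete",
    "create key": "KeyCreate", "read key": "KeyGet", "delete key": "KeyDelete",
}
# Constructed SIEM export (JSON lines) shaped like Key Vault AuditEvent records;
# vault name, caller IP and timestamps are made up for this example.
SAMPLE_SIEM_LINES = """
{"time": "2025-01-15T14:02:10Z", "category": "AuditEvent", "operationName": "SecretSet", "resultType": "Success", "callerIpAddress": "203.0.113.10", "properties": {"id": "https://kv-lab.vault.azure.net/secrets/db-password"}}
{"time": "2025-01-15T14:03:05Z", "category": "AuditEvent", "operationName": "SecretGet", "resultType": "Success", "callerIpAddress": "203.0.113.10", "properties": {"id": "https://kv-lab.vault.azure.net/secrets/db-password/8f2c"}}
{"time": "2025-01-15T14:03:40Z", "category": "AuditEvent", "operationName": "VaultGet", "resultType": "Success", "callerIpAddress": "203.0.113.10", "properties": {"id": "https://kv-lab.vault.azure.net/"}}
""".strip()
# Constructed exercise log: (UTC time, action, object name) as the tester recorded it.
EXERCISE_LOG = [
    ("2025-01-15T14:02:00Z", "create secret", "db-password"),
    ("2025-01-15T14:03:00Z", "read secret", "db-password"),
    ("2025-01-15T14:04:00Z", "delete secret", "db-password"),
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def object_name(vault_object_url):
    """Key or secret name from a Key Vault object URL; None for the vault itself."""
    parts = urlparse(vault_object_url).path.strip("/").split("/")
    return parts[1] if len(parts) >= 2 and parts[0] in ("secrets", "keys") else None

def parse_audit_events(jsonl):
    """Return (time, operationName, object name, caller IP) for AuditEvent records only."""
    events = []
    for line in jsonl.splitlines():
        rec = json.loads(line)
        if rec.get("category") != "AuditEvent":
            continue  # only AuditEvent carries data-plane key/secret operations
        events.append((_ts(rec["time"]), rec["operationName"],
                       object_name(rec["properties"]["id"]), rec.get("callerIpAddress")))
    return events

def coverage_gaps(exercise_log, siem_lines, window=timedelta(minutes=5)):
    """Exercise steps for which no matching AuditEvent arrived within `window` of the step."""
    events = parse_audit_events(siem_lines)
    def seen(t, op, name):
        return any(e_op == op and e_name == name and t <= e_t <= t + window for e_t, e_op, e_name, _ in events)
    return [s for s in exercise_log if not seen(_ts(s[0]), EXPECTED_OPERATION[s[1]], s[2])]
```

A step that comes back from coverage_gaps is exactly the finding the slides describe: the action happened, but the event never made it to the SIEM, so the diagnostic setting, its category selection, or the export path needs fixing before a detection can rely on it.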

This document discusses the difficulty of monitoring Azure Identity and Access Management (IAM) and how a purple-teaming strategy can improve threat detection. Key points:
1. Azure IAM monitoring is complex: not all important activity is logged by default, log settings are scattered, and end-to-end log export can run into problems, which makes monitoring hard.
2. Importance of purple teaming: by simulating malicious behaviour and then recording and analysing the logs, you confirm that the necessary logs exist and that events appear as expected, and so build effective threat detections.
3. Incomplete logging: for example, Key Vault activity, Kubernetes configuration changes, and logs from inside virtual machines are not recorded by default.
4. Portal logs vs. SIEM: the logs in the Azure portal may differ from those in the security information and event management (SIEM) system.
5. Method of operation affects logging: in Microsoft Cloud, different ways of performing the same action can produce different sequences of events.
6. Licensing affects logging: in 2024 Microsoft updated cloud logging for E3 licences, but logging still differs by licence tier.
7. Organisation and record-keeping: using a table to record each action's time, method, URL, where it is logged, and how it appears in the SIEM helps you stay organised and analyse results.
The document stresses that understanding the complexity of Azure IAM logging and adopting a systematic recording method are important for maintaining a secure environment.