Gaining Clarity within the Clouds
Incident Response Tactics for the Untrained and Unequipped

BSides SLC · 2021 · 58:42 · Published 2021-12
Speakers: David Hall (Microsoft), Fernando Tomlinson (Mandiant)
Style: Talk

Transcript [en]

Well, we'll go ahead and get started then. So hey everyone out there attending BSides Salt Lake City, thanks for having us. Welcome to our talk. This is Gaining Clarity within the Clouds: Incident Response Tactics for the Untrained and Unequipped. How's it going, everyone? My name is David Hall. I'm a Senior Cybersecurity Customer Engineer at Microsoft. In a former life I was a signal warrant officer in the United States Army; that just means I'm not as cool as Nando, he was a cyber guy, I'm a signal guy. I'm also an automation enthusiast, so that just means I like PowerShell things, ARM template type of things, Bicep. If you don't know what that is, ping me and I can walk you through what Bicep is.

Yeah, hey, and I'm Fernando Tomlinson. I'm a Principal Forensics and Incident Response Consultant at Mandiant. I too am a retired Army warrant officer, shamelessly. Now, I don't want to say I'm a cyber warrant officer, but nonetheless focused on cyber. I'm an adjunct cybersecurity professional, or professor, as well, and I'm an avid lover of PowerShell and the language.

So we have an aggressive agenda here today. To get us started off, we're going to level set with what is the cloud. If you talk to probably six or eight or 12 or 37 different people, you may get 37 different answers about what is the cloud, so we'll give you our rudimentary definition of what the cloud is. We'll talk about some common mistakes that we see when customers move from on-prem to hybrid to more cloud-focused assets, talk about how we respond to incidents that occur as a result of those common mistakes, some tools we can use to do response actions as a result of those common mistakes, and then what we can do proactively from an operations perspective. I'm an operations guy, or sysadmin kind of background, whatever you want to call it, so what can we do proactively to not get ourselves in a situation where we need to do response actions? And then at the very end we'll talk about some quick wins and some resources that you can use to skill up.

And there it goes. So you've all probably seen this meme: ooh, the cloud. It's the cool thing that everybody talks about nowadays, and I guess if you're as old as I am, it is kind of new, relatively speaking, when you've been doing this for, what have I been doing this, 25 years or so. So it's been a while; the cloud is relatively new in those terms, but the threats are really a lot of the same. When you look at the ingress points and what we see as threat vectors for cloud assets versus on-prem, the cloud really gives you some different capabilities, some different types of response actions and capabilities that you can use, so it's important to understand that environment and what it brings to bear. We'll talk about that a little more in depth here in a minute.

So, our definition of the cloud, before we get too deep into the security and IR type of stuff: I kind of like to look at it as global infrastructure, globally connected infrastructure at your fingertips. If I need to spin up a web application that's globally accessible to users in Australia or China or Russia or anywhere across the globe, I can easily do that from the comfort of my home right here in coastal Georgia, in less than seconds or minutes. It's just that easy. Those are things that maybe ten years ago, or even three or four or five years ago, with on-prem assets you just didn't have access to. So the cloud gives you access to do that stuff at scale that we just didn't think was capable a few years ago. That image there at the top right, that's the largest VM offering that I could find in Azure: 208 virtual CPUs with a little over 11,000 gigs of RAM. I don't know what the heck you would do with that thing, but that's a pretty beefy machine that you could play Minecraft or something on, I suppose. I have no idea what that would cost you, but it's probably out of my price range, I would guess.

The cloud is also scalable, very, very scalable, very, very quickly. So if during the holiday season you're on TikTok and you make the latest viral video of whatever, selling some kind of widget on your website, and you have your website in the cloud, you can very easily scale those services to accommodate that 15 minutes of fame that you realize during the holiday season, with all that traffic that goes to your website. And then conversely you can very easily scale it back down so you don't have to realize all those expenses after January 1st, when nobody's really looking at your website anymore because the holidays are over. So it gives you that flexibility.

From a security perspective, again, I come at this from the operations, sysadmin side. In certain ways you can eliminate some of the security burden on your administrator. If I look at this from a software-as-a-service perspective, I can spin up a SQL managed instance where I don't have to have a SQL server running; I can just run the SQL instance, and I don't have to worry about patching a VM or patching a server or worry about any of that stuff. I don't have to worry about the hardware, period. All I have to worry about is the actual SQL piece of it and the application. So that's what the cloud gives us access to at this point in time.

So when we talk about types of clouds: public cloud is pretty self-explanatory; that's what you see at portal.azure.com, at AWS, IBM, Oracle. That's all the public-facing clouds that really anybody has access to. Private cloud, here we're talking about when you're essentially creating your own data center and hosting services privately that are not for public consumption. Hybrid services, this is where we see a lot of customers today, and they are probably going to be here for a long, long time. Customers have, say, an Active Directory instance on-prem and they are slowly moving web applications or some piece of that Active Directory infrastructure to the cloud, and that's probably not going to change anytime soon; organizations are probably going to live in some sort of hybrid state for a long time. Community cloud you may not have heard of. Here we're talking about more of, say, government-specific clouds or healthcare-specific clouds or financial-specific clouds, like Azure Government; AWS has a government-specific cloud, and there may be others that are missing there.

So, the typical cloud platform providers. This is in no way an exhaustive list, of course, but these are some of the major players. Some are much more mature than others; of course Amazon has been doing this really longer than anybody else on this list, and some of these providers are what I would call more full service than others. Some of them are more software-as-a-service focused than full cloud platform providers. Which is better? That's totally up to an organization to figure out. I would encourage you to dip your toe into a little bit of everything and see what tool works for you the best. The analogy I make is you go to the grocery store, there's probably 37.687 different versions of barbecue sauce on the shelf. Which one's the best? Yeah, I don't know. One of them may be better than the other in your opinion, but mine may be better for me. So it's just a matter of which tool is better for you and your organization, and it may not be the same today versus tomorrow. I think the takeaway here is the landscape is changing very quickly, as it does in this kind of ecosystem. Amazon launched in, I think, 2006-ish; if my math is correct, that's what, 15 years. We've only been doing this thing for about 15 years, so this thing is changing very quickly. There are new players coming into the game all the time, so kind of buckle your seatbelt.

So we've level set about what the cloud is. This is a security conference, right? What are we talking about the cloud for? What about security? How do we secure these assets? What are some of the tools to do that?

So, what about security. I have flapped my gums about the cloud; let's get down to the meat and potatoes of why you're here. If you look at some statistics, these are from our friends over at Mandiant; Nando grabbed these for me. If you look at the far left, 24 percent of organizations have hosts missing critical patches. What's significant about that for me in relation to the cloud, and we see this all the time at Microsoft: if you have a bad patching program on-premises, it's going to follow you into the cloud. If it causes you problems on-premises, it's going to cause you those same problems in the cloud. So I think the takeaway with that is, one, fix the problem before you start moving those assets to the cloud. Do some inventory there before you start lifting and shifting assets and moving them to the cloud. The cloud is in no way some sort of magic elixir to fix all of your security woes. It's not going to do that for you. All of that stuff that you needed to do on-premises, you're going to need to do that in the cloud as well, and more so.

If you take a look at that second statistic there, 95 percent of security failures are the customer's responsibility. I think that goes to not necessarily fully understanding what is the service provider's responsibility and what is the data owner's responsibility. So it's incumbent upon the data owner to understand, from a security perspective, what is their responsibility versus what is the cloud provider's responsibility. If we look at the third one there, 84 percent of organizations say traditional tech doesn't work in the cloud. Again, this goes back to understanding what you're lifting and shifting, or what you're moving from on-prem to a hybrid or cloud-only model. You may have tools, security tools specifically, on-prem that are not going to reach your assets in the cloud, or reach assets that you intend to have in multi-clouds. That is a big consideration when you think about going from a specifically on-prem model to potentially hybrid or totally cloud-facing, so understand that your tools need to be able to reach all those assets. Cloud is not going anywhere. That number on the right-hand side, eleven percent have a significant cloud component. Cloud's not going anywhere; I would expect that number to go up as time goes on. The takeaway here is not all tools are created equal and not all tools are going to cover all assets, so do your homework before you lift and shift your assets to the cloud.

So, some common misconfigurations we see. Now, these are Azure-specific obviously, but I would expect to see some commonalities across cloud providers with some of these. I haven't looked specifically, but Trend Micro probably has some of these same things for other cloud providers in that link below. Storage accounts in Azure: we commonly see storage accounts left open with secure transfer not enabled, it's very common; public access left enabled; VNet access left wide open, those kinds of things. For the VMs: extensions, just approval for any type of extension running; leaving RDP open, those types of things. For network security groups specifically, just turning on a security group and leaving the default rule set there. It's just like any firewall rule set or anything with similar capability; you have to pare that rule set down to make it useful. So it's just like anything else, you have to do your homework, and we're going to talk about some tools that you can use to mitigate some of these things right off the bat, because a lot of this is you don't know what you don't know before you get in the cloud, right?

So, common root cause, and I think this is number one right at the top, is just lack of understanding. You don't know what you don't know. We're all trying to move at the speed of sound because your organization is trying to make money or do whatever they do, and we're all trying to do it fast and efficiently and get it done yesterday. A move from on-prem to hybrid or to cloud is in no way different, and having grown up in the government most of my adult life, being in the commercial world is no different: you're probably undermanned and understaffed and overworked, and you're probably doing more than you are paid to do. So lack of understanding of an environment is not uncommon across all customers that I see on a daily basis, everywhere. So what can you do from your sphere of influence to mitigate some of that? I think what we're going to talk about on the next few slides, and what Nando's going to talk about, is you have to take a step back and automate things. You have to automate what you can to take control of the potential sprawl that you can get from having to deploy these resources so quickly. You can quickly go from zero to 60 and then you find yourself in a situation where you're circling back and trying to put some guardrails on it all. You don't want to be in that situation.

So from an operations support perspective, and I kind of lump your sysadmin folks into that kind of mindset, what can you do to assist your cyber teams, your blue teams, your red teams, your purple teams, whatever color you want to throw in there? What can you do proactively to assist so we don't have to go through the incident response drill, so maybe we can stop some of this before it actually happens? I think we can change the way we think; we can change our approach, and that will change the way that we defend the infrastructure. If we assume the attacker is in the network, assume on a day-to-day basis that everything that we have put in place has failed. You can't, nowadays, think that there is a perimeter defense. There really is no perimeter defense; there's no firewall. You can't really put up a firewall or an IPS or an IDS or a moat and fill it with alligators and think that that is going to keep the threat actor out of the network. It's just not possible anymore. Identity is the perimeter; that's the ingress point for almost all of these threats. So you're going to have to think about it in terms of there is no wall in between your infrastructure and the threat actors, the bad guys. It's kind of an imaginary line at this point.

So if we can assume breach, we start thinking about all those speed bumps, the defense in depth, all of those things, the speed bumps that we can put in front of an attacker. And then at the end of the day it's all about decreasing the attacker's return on investment. We want to make it as hard as possible for an attacker to do what they want to do; we want to make it cost as much as possible for them to get in the infrastructure and do what they want to do. If it's easy for them to walk in the front door or the back door or the side door, then they just kind of have free rein to do whatever they want to do, and odds are you probably won't know it until it's too late. So we want to assume breach, put as many speed bumps in the way as possible, decrease the attacker's return on investment, increase their cost of attack, and eventually we want to get to a zero trust model.

So this is kind of like the definition of the cloud: what the heck is zero trust? Well, if you ask 10 people you're going to get 27 different answers. I figured NIST was probably a good source on this. So what is zero trust? Well, basically, a comprehensive strategy to secure your organization's enterprise anywhere, anytime. That's essentially zero trust. So whether your users are accessing your corporate infrastructure from home, from BSides Salt Lake City, from inside the corporate network, via a mobile device, via a corporate-owned device, via a work-from-home device, whatever it is, we want to have all the zero trust guardrails and conditional access and all those things in place to be able to protect the network and infrastructure, to head off attacks before we get to incident response.

So what are some mechanisms we can use, cloud-specifically, to do some analysis, to do some administration, those kinds of things? Now, these are in kind of my order of effectiveness; your mileage may vary here. This is Azure-specific obviously, but I think AWS has some Cloud Shell equivalent. Azure Cloud Shell is essentially PowerShell built into the Azure web interface. I like it because it's OS agnostic; if you're using it from Linux or Mac, no big deal. Second in the list there is PowerShell, because it's a command-line interface. It is cross-platform to a degree: the engine is cross-platform; some of the tools that you're trying to use, the modules, may or may not be, so your mileage may vary there. There are some versioning considerations there with what versions of PowerShell you're using. The web UI is good to get started; in my opinion it's not sustainable. You can't efficiently manage cloud infrastructure doing it in the web UI. You just can't; you don't have access to do that stuff efficiently. You're going to quickly be overwhelmed and it's just not sustainable. So the takeaway there: get out of the web GUI, get into the command line.

So in that same vein, this is one of the things that you can do from an operations perspective: utilize infrastructure-as-code methodologies to deploy and maintain your resources. So what do I mean by infrastructure as code? I'm going to deploy my VMs, I'm going to deploy my web apps as code. This is what an infrastructure-as-code example looks like on the bottom right there; that is actually Bicep code. If any of you are familiar with ARM templates, Azure Resource Manager templates based on JSON, this is kind of the next-generation language of ARM. It's a transformation language on top of ARM. If you're familiar with JSON, to me it kind of makes your eyes bleed with all the punctuation; Bicep is meant to make the barrier to entry for ARM templates much less. It's so easy, I did this. Nando can attest I'm not a very smart guy, and I actually put one of these things together, so if I can do it, anybody can do it.

Anyway, infrastructure as code: what we're trying to get to is deployment efficiency, recoverability. So if a ransomware attack happens, we can quickly recover; all we need to do is pull our resources out of code. Now obviously there's a lot of intricacies and nuance there, but you get the idea. It enables us to do automated scanning, avoid configuration drift; we can dynamically provision, so if I have a lab I need to move from my dev/test environment over to production, I can do that; all I need to do is flip a switch in code, it takes 20 seconds. I can automate documentation; I don't have to spend a bunch of time writing Word documents, I can do it all in Markdown as a part of deployment with infrastructure-as-code methodologies. So those are some of the things that you can unblock as you're moving from on-prem to the cloud. Think about those kinds of things, and I'll pass it over to Nando to take us a little further.

Yeah, absolutely. Everything Dave is talking about is truly spot on, and things that we deal with on a daily basis, if you will. So, due to those things,

well, the need for incident response is certainly vital. It isn't truly a matter of if; it's really a matter of when. So like this picture, it's understood that some things just happen, right? And sometimes we can see it coming, and at that point we become reactive in nature. Where we don't like to become reactive in nature, if you will, or try to limit that, well, in that case we try to put together a plan, and sometimes that plan doesn't go as desired and we still just have to react. In either situation, or really case, it truly highlights and really strengthens the need for incident response. This is more true of the digital environment, especially when we think about how we do it on-prem, and even more so as we look at the significant shift to cloud infrastructure.

So what is this whole incident response? Well, when I look at how three well-known organizations define incident response, they are all truly saying something different in terms of the words specifically on the screen, but they're all truly saying the same thing at the core, right? One would call incident response the act of responding to something to be able to contain a threat, if you will, minimize an impact, and certainly bring an organization back to steady state. And the way we get after that is truly we have some type of framework or a subset of phases. Generally when we think about incident response phases, well, what comes to mind is NIST, right, the National Institute of Standards and Technology, or SANS, right, SysAdmin, Audit, Network, Security; most people don't think about it from that perspective. But while it looks like they're two different things, and they truly are, or really the phases are different, they're largely the same, right? So the NIST one obviously is four steps, where SANS is six steps, but from the perspective of where they nest together, we kind of see it like that, right?

So from a prep perspective we're thinking about training and exercises and playbooks, and how are we going to communicate with people in band and out of band, if you will. From an identification standpoint, we're thinking about being able to identify malicious activity, or really anomalies, and being able to look for indicators, or maybe behavior-based things. We're looking at our perimeter and inside the perimeter, or in the case of cloud we're looking at identities and how they typically flow or authenticate within the network and what they're truly used for. Now when we get to the point of actually identifying that something has actually happened, well then we certainly need to be able to contain it, limit its ability to really go further beyond what it's already done. In some cases that's affecting ACLs or NSGs within our cloud environment, being able to really prevent an attacker, an actor, from being able to leverage what they've been leveraging thus far. Then you kind of want to look to eradicate them, right? So essentially phase out the attacker activities and their ability to certainly come back. This could be maybe applying some different firewalls, fixing the misconfigurations that Dave has highlighted that are generally set within our cloud environment, and a substantial amount of other things. The recovery aspect, well, kind of straightforward there: we're trying to bring our systems certainly back online, monitor them for a period of time in a phased approach to make sure we've truly rid the adversary of their actions and really what they've done within our network. And the lessons learned aspect, this is where some of that infrastructure as code that Dave talked about can help us, in a sense of hey, let's incorporate that in our playbook; but certainly from the perspective of recovery we'd be able to utilize some of that infrastructure as code.

Now that's a lot, right? But from this perspective we really want to focus on kind of three things as far as what would be a benefit to you: that's the identification aspect, containment, eradication, right, detection, analysis, if you will. If you're looking from this perspective at large, the methodology of how to do it on-prem, and in the cloud in some respect, is laid out, right? What should be done kind of at each step, or what the focus area should be, is somewhat fleshed out. Historically, though, when we look at incident response on-premises, like on-prem systems, naturally people understood that better because we've had years, a substantial amount of time, to really perfect that. The cloud aspect is where it really gets a little gray for people, right? As Dave talked about, having that firewall, that moat, right, people tend to cut themselves off from the internet, if you will, at some point to then remediate it. That's a little bit different when we think about doing this from a cloud perspective.

So as we look at some of these tools and capabilities and things to really help you, this is a good opportunity for us to really share our disclaimer, right? So for some people this will be TLDR, i.e. too long, didn't read, or it might be TSCR, which is too small, couldn't read. So let me give you kind of the CliffsNotes, if you will, associated with this: we're not saying that the tools that we'll talk about are the only capabilities that are available for cloud analysis, detection, response, but we're certainly highlighting a couple of things that could be of use to you if you're a manager, or really an engineer, a responsible entity, security guy, responsible person for a cloud environment.

All right, so I'm sorry about that, I was having a fight with the mute button. All right, so one of these tools we'll talk about is Azure-specific, but it can reach across different clouds. So if you have assets in, well, even on-prem, if you have assets on-prem, in Azure, other clouds, Defender for Cloud is a security posture management, threat protection product that you can use to maintain a high level of security once you have assets kind of all over the place. So Defender for Cloud will use the Azure Security Benchmark to look at a subset of assets and give you a secure score, and it'll also give you remediation activities that you can take on assets to improve your secure score. So as an example, we talked about storage accounts being commonly misconfigured in Azure. Defender for Cloud may look at your storage account and see that public access is still enabled for your storage account. It'll surface that in Defender for Cloud and give you the remediation activities to quickly remedy that. So just one of the tools that you can use in Azure to get at some of this stuff before it becomes a huge problem down the road.
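A read-only Az PowerShell audit for the misconfigurations the speakers list above (secure transfer and public access on storage accounts, storage network rules open to all networks, NSG inbound rules that leave RDP open to any source), added here as an example; it is not the speakers' code or any product's own check. It assumes an authenticated session (Connect-AzAccount) with the Az.Storage and Az.Network modules installed; the function names and the finding format are the example's own.

```powershell
# Added example (not from the talk): surface the Azure misconfigurations the speakers
# list, from the command line rather than the portal. Read-only: nothing is changed.
# Assumes Connect-AzAccount has been run and Az.Storage / Az.Network are installed.
#Requires -Modules Az.Accounts, Az.Storage, Az.Network

function New-Finding {
    param([string]$Type, [string]$Name, [string]$Finding)
    [pscustomobject]@{ Type = $Type; Resource = $Name; Finding = $Finding }
}

function Get-StorageAccountFindings {
    # One finding per weak setting, so an empty result means every account passed.
    foreach ($sa in Get-AzStorageAccount) {
        if (-not $sa.EnableHttpsTrafficOnly) {
            New-Finding 'StorageAccount' $sa.StorageAccountName 'Secure transfer required is disabled'
        }
        # Only an explicit $false turns anonymous blob access off; treat $null as not verified.
        if ($sa.AllowBlobPublicAccess -ne $false) {
            New-Finding 'StorageAccount' $sa.StorageAccountName 'Blob public access is not explicitly disabled'
        }
        # DefaultAction 'Allow' means reachable from every network, not just selected VNets.
        if ($sa.NetworkRuleSet.DefaultAction -eq 'Allow') {
            New-Finding 'StorageAccount' $sa.StorageAccountName 'Network rule default action is Allow (open to all networks)'
        }
    }
}

function Test-PortInRange {
    # True when $Port is covered by an NSG port spec such as '*', '3389' or '3000-4000'.
    param([int]$Port, [string]$Spec)
    if ($Spec -eq '*') { return $true }
    if ($Spec -match '^(\d+)-(\d+)$') {
        return ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2])
    }
    return (($Spec -as [int]) -eq $Port)
}

function Get-NsgFindings {
    # RDP (3389) by default, as in the talk; the port list is this example's assumption.
    param([int[]]$WatchPorts = @(3389))
    $anySource = @('*', '0.0.0.0/0', 'Internet')
    foreach ($nsg in Get-AzNetworkSecurityGroup) {
        foreach ($rule in $nsg.SecurityRules) {
            if ($rule.Direction -ne 'Inbound' -or $rule.Access -ne 'Allow') { continue }
            # SourceAddressPrefix and DestinationPortRange are lists on the rule object.
            $sources = @($rule.SourceAddressPrefix)
            if (-not ($sources | Where-Object { $anySource -contains $_ })) { continue }
            $ports = @($rule.DestinationPortRange)
            foreach ($p in $WatchPorts) {
                if ($ports | Where-Object { Test-PortInRange -Port $p -Spec $_ }) {
                    New-Finding 'NetworkSecurityGroup' "$($nsg.Name)/$($rule.Name)" "Inbound allow rule exposes port $p to any source"
                }
            }
        }
    }
}

# Collect both sets of findings; pipe $findings to Export-Csv to hand off to responders.
$findings = @(Get-StorageAccountFindings) + @(Get-NsgFindings)
if ($findings.Count -eq 0) { 'No findings for the checks above.' }
else { $findings | Format-Table -AutoSize }
```

Run it against a subscription selected with Set-AzContext; the same functions can be scheduled so configuration drift away from these settings is caught before a responder has to.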

yeah so you know that's very interesting specifically when we look at some of the other things that we can do and one of those other things that we can do are honey tokens right so from an identification standpoint the use of them is certainly great when we think of honey tokens it's really referred to as canary token if you will because they are like a canary in a coal mine but really in reverse but this can be a piece of information that allows you to implant a trap in a system this could be a file could be a fake system itself could be a fake user service account right it's really just something that certainly is enticing so

that being said we want to make sure that it is enticing to an attacker because if not then well it's not going to really be of use to you we want the attacker to find it certainly worthwhile we want them to not only find it but trigger the use of accessing uh that token whatever it is it should be certainly highly uh monitored to be able to illuminate potential adversary activity if the use of the token goes unnoticed well then it certainly starts to defeat uh the purpose right and if these tokens um have some form of value and they get compromised and we're not able to illuminate that well then it could certainly be a bad day

for us now when we look at different capabilities right we'll talk about four specifically uh that's going to be mandiant's eight azure ad investigator uh invoke az explorer hawk and sparrow so what are these things well the mandiant tool capability is really uh used to detect possible unk 2452 activity and if you're not familiar with punk 2452 that's a a cluster of activity that from many a perspective we have linked to um russian actors if you will um and namely this kind of came about when we looked at solar winds right so that was solarwinds moving on to cloud infrastructure and that's where really where they came about so there's a lot of indicators that are in there a

lot of which are a high fidelity meaning when you see them being triggered um there's some high likelihood that it is associated uh likely with this group there are also some indicators that are in there that are dual use in nature so from that perspective if you see them being used it could be adversary activity but it also could be related to legitimate functionality from an admin or some user right so those don't give you such a high fidelity but certainly or worthwhile looking into every capability that's inherent in this tool does a best effort job if you will at identifying indicators of compromise that will certainly require further verification and analysis now with that what it will not do is

certainly identify 100 of the time um you know malicious activity in your environment nor will it always tell you if an artifact is legitimate admin activity or a threat act or activity so it does require some human interaction some analysis from your perspective but it will do a good job of highlighting some of the things that it brings to light for you well signing certificates with an unusual validity period specifically if the certificate has a time frame associated with it longer than a year that may be certainly worth looking into signing certificate mismatches right so when we think about federated domains where the issuer the subject of the signing certificate does not match that may be certainly worth looking into as

well uh azure ad backdoors right thinking about it from a federated domain perspective as well um a list of federated domains maybe you're not fully aware of domains that are federated within your environment or that have a communication with such and then unverified domains right so all of these things are certainly worthwhile for for you to consider and look at and really this tool helps to bring the focus area to a number of things that are a time well spent should you look at invoke a z explorer well this is a capability that i ended up writing during the whole time of solo wins as well so this is going to retrieve vital information that would be useful to you

during an intrusion it's written specifically for azure and o365 environments and some of the information that it retrieves for you are things about the domain the users the groups saml tokens applications and the permissions associated with those applications like the previous tool it's not going to fully give you 100 saying this is bad but it will provide you with a subset of data that is certainly worth your time to do analysis on that could very well be interesting in nature the next tool hawk it provides limited analysis on gathered data it's really there to help you get all the data in a single place it is by no way form a fashion designed to make any

significant conclusions about the data that it gets for you from their perspective it's impossible to know everything about your environment to know what you should be concerned with or not be concerned with to then further on make a legitimate analysis or best guess about the data that seems to be a common theme here is as we move forward right uh hawke's goal is certainly to quickly get you the data that you need to be able to to draw your conclusion and not make the conclusion for you so again everybody's environment is certainly different but being able to get the relevant data in one place in a good pane of glass that you an analyst or somebody can make

sense of very quickly is key, and that's what this tool, like the other two, does for you. Sparrow: well, it's yet another PowerShell script that looks for anomalies and unusual activity by verifying unified Azure and 365 audit logs, looking for a known list of indicators of compromise. It lists Azure AD domains and checks Azure service principals and their Microsoft Graph API permissions. Why? Because this has been something that has certainly been of interest to malicious actors in the past, and certainly tactics and techniques that they look to abuse even today, as they have done in the past and likely will continue to do in the future as well. This tool is intended for use by incident responders and was truly

built by the Cloud Forensics team at CISA. Their focus is really to help narrow the scope of user and application activity as it pertains to identity- and authentication-based attacks that have been recently seen in multiple sectors. So yet another tool that was derived based upon first-hand accounts in the field and what they're seeing. It's not made to be a comprehensive or exhaustive list of available data, right? Because again, going back to: every environment is different. But it is certainly intended to narrow a larger set of data sets to help you in your investigation and your analysis, and really help with the scalability... I'm sorry, not really scaling up, but narrowing of the

telemetry associated with what's happening in your environment. So when we look at an analysis process, right, at a very, very high level: if you're in your environment and you may not fully understand what license you have and what that enables and affords you to have access to, well, you can utilize the Azure CLI, as Dave mentioned earlier... well, actually PowerShell in this case, apologies... and actually do Get-AzResource, and that'll tell you everything from a resource perspective that's available to you within your subscription. If you're looking at some hunting queries or reconnaissance queries, there's a good list that are already made and developed for Azure,

and then there's some for M365. I certainly appreciate Microsoft's help with the M365 perspective. Is it an all-encompassing list? Probably not, right? It depends on your environment, but it is certainly a good starting point for you to look at common things that could be abused or accessed by attackers, and then build upon them based upon your network and the way things are set up. If you're already comfortable with doing analysis from an on-prem perspective in terms of dead-box analysis, well, you would be able to export the disk or the VM associated with whatever you have in the cloud. So within our infrastructure we'd be able to go All services, Compute, Disk,

Disk export. If we want to be able to export a disk, we'd select which one we're concerned with, and if we're talking about virtual machines we can do nearly the same thing in that aspect. And then once we have that, we can utilize things that maybe we're comfortable with, maybe FTK or EnCase or Autopsy, right, or X-Ways or something like that, but that leads you back to a familiar state if you're used to doing it from an on-prem perspective. Okay, so looking at a scenario of sorts: let's say you want to look at investigating specific activity within Azure, right? So in this case the main source would be

activity logs, and we would utilize the Azure CLI from that perspective. We would list any events that would be available to us to actually query, right, and I've listed the command that we could use so that way you walk away with something. And then if we have an idea as to what user it was, we could then utilize a query to look at events associated with the particular user. From there we might say, hey, well, this IP address is interesting; where else does it appear in here? Where are the events that incorporate that IP address? Well, we would then be able to query specifically for that. If we're interested about the last 500 events, 10 events, five, whatever number

of events within the last hour, well, we could query and return that as well. And if we're worried about events that happened last week, the week before, or on a particular date, so long as the retention period has not passed, well, we could do that as well. So from this perspective, I'm looking at events that took place on November 12th and subsequently the three days that followed that, so November 12th to November 15th. But again, not all-encompassing, but certainly an available capability at a raw perspective to be able to get the data that you need, right? The way that you would look at this and frame it from an on-prem perspective: you're still focused

on a user; in this case, we're focused on an identity. We're still focused on a time frame when we're looking at stuff on-prem; well, this is how we can look to do that from a cloud perspective. All right, so there's not enough time for us to talk about cloud at large in a one-hour talk, if you will, but here's some easy reading, some tangibles that you can take away with you aside from the couple of tools and capabilities that we just mentioned. Some easy reading, if you will: so Mandiant produces a white paper, will do it pretty periodically, in a technical nature, really more of a

tactical guide talking about remediation and hardening strategies for M365, specifically how do you defend against that 2452 that I talked about earlier, who again is still very active today. This is talking about some attack techniques, right, to be able to then help you understand what they're leveraging, but then some things that you could do to kind of deflect that, to mitigate that, if you will. Our friends at Microsoft, well, being that it's their technology that we're talking about today, they also produce a very robust report that is certainly easy on the eyes and brain to read, talking about cybercrime at large in their tech and focusing on and talking about cloud

and how it's being abused in that manner. That also is done periodically as well and is certainly worth the read. So you have an entity that builds the tech and has certainly stepped up to the plate in terms of defending it, and then you have something from an organization that certainly is also on the front lines of defending, illuminating, and doing analysis against this tech on a daily basis. So great assets and great things to walk away with. So what can you do today to put some of those speed bumps we talked about earlier in place, so maybe we can mitigate some of this before we get to the incident response phase? Now, these are things that we talk about with

the customers on a regular basis, all day every day. First one there... now, these are not in any kind of certain order; obviously each organization would have to prioritize these based on a myriad of things: time, money, knowledge base of the people that work there, all those things. But use of a privileged access workstation: if you don't know what that is, there are free documents out there that will basically walk you through how to stand one up, but essentially if your administrators are doing any type of privileged access on on-prem assets or cloud assets, doesn't really matter, they need to be doing it from a clean keyboard to prevent cached credentials

and credential theft and those kinds of things. Next one: multi-factor authentication. You've all probably heard of that; it's just one of those things you need to enable at the very, very least on your administrator accounts, but if at all possible on all accounts. Exclude that break-glass account, otherwise you won't get into your cloud assets if MFA is not functioning properly. Conditional access: this is one of those things that cloud gives you the capability to do, so use it to the fullest capability you can. It gives you the possibilities of restricting logins from certain versions of Android, or if they come from certain regions of the world, all those kinds of things. There's so

many things that you can do with conditional access; take advantage of it. Just-in-time access: you want to eliminate as many standing privileged accounts in Domain Admins and Global Admins and all those privileged groups as you can. Use Privileged Identity Management or some other tool; there are plenty of tools out there that do this that will allow you to do just-in-time privileged access in your organization. Be careful if you have a hybrid environment. Again, a lot of organizations are going to be in some type of hybrid mode for probably a long, long time. Be careful what you're syncing from any type of on-prem directory to the cloud. You don't want to sync any type of

privileged user from on-prem to the cloud; that just opens up pivot points for threat actors. Some more kind of O365- or M365-specific ones: if someone outside of administrators is doing a content search, it's probably someone that is not wishing you well, so let's configure some type of alert activity on that. That's number one there. Again, we talked about the ingress points: identity is essentially your perimeter today. Who has the identities? That's your users. What is their primary means of communication today? Email. So turn on all the anti-malware, spam, and transport controls, all that stuff that you can do to mitigate all the normal email ingress points.

Disable any kind of storage provider you don't need for OWA, so if you don't need anything additional, OneDrive or Box or Dropbox or whatever, disable the rest of them. Auditing: I think it goes without saying, enable all the auditing you can. Obviously, auditing is no good unless you can synthesize it and make sense of it and actually action it when something pops up in the auditing, so it doesn't really do a whole lot of good if you're enabling it and nobody's making sense of it. But generally speaking, more auditing equals more better. So here are some resources that you can use to

skill up: learn.microsoft.com has all kinds of free resources that you can use to train up on really any of our technology. A lot of it that requires it gives you access to free sandbox tenants, so there's really no barrier to entry as far as any kind of Microsoft technology goes. If you're not familiar with John Savill, he does hours and hours and hours of free content on YouTube related to automation and PowerShell and security and Azure and all kinds of other things. A Cloud Guru is an online training platform similar to Pluralsight or others, and there are plenty of others, but there are a multitude of resources out there, and if you can't find one,

our slide with all of our contact information is coming up; feel free to reach out to myself or Fernando and we'll do what we can to hook you up with some sort of resource. So, kind of synthesizing everything we talked about here: again, the cloud is no silver bullet to securing your assets; it's no magic elixir. Anything that you're doing on-prem from a security perspective, you should definitely carry that forward as far as policies and procedures go. Some defense tactics on-prem are just going to differ in the cloud because the threat landscape is a little different, and we talked about some of that stuff. I just talked about logging: enable all

of that stuff through all your cloud assets. Obviously, if you can't synthesize it, it doesn't really make a whole lot of sense, but you have to take into account all of those cloud assets in addition to your on-prem stuff. Restrict those privileged accounts; include all of those privileged accounts that are in your cloud directory as well, Global Admins and Security Admins and all those. And utilize all those tools, honey tokens and all of those tools that we talked about, everything at your disposal, and utilize what you can, because it's not going to get any easier. And utilize your network: things like this today you can use to grow your network, and

feel free to reach out to your peers and people like me. Reach out to me if you have questions that maybe I can answer. Like I alluded to earlier, I'm not the smartest guy, but I know people like Nando and other people that we can put you in contact with that do know things that I don't know. So absolutely feel free to reach out to me if you have a question. All right, hey, and with that we appreciate everybody for joining in today. If you want to connect with us, we're available on Twitter; we're humans just like you, specifically if you're into technology, we are as well, so

we would love to continue the conversation. Dave and I like to produce tools in an array of languages, and it does us no good to keep them all bottled up to ourselves, so where we can get them outside of our employer we like to post them on GitHub, so feel free to connect with us there as well. The buffer inside our head is also small, so we need to be able to write stuff down. That being said, we each have a blog and that's where we like to put our thoughts to paper, if you will, things that we can't contain inside. With that, again, we sincerely appreciate the opportunity to speak here and be

here at BSides Salt Lake City. With that, we look forward to future conversations and really just looking to increase... and really decrease, rather, our attack surface associated with cloud infrastructure. Thanks everyone, thanks for having us, Salt Lake.
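The identity, IP-address and time-window pivots over Azure activity logs that the talk walks through, as an added Python example that is not the speakers' script or the slide commands. It assumes the JSON shape that `az monitor activity-log list -o json` emits (`caller`, `eventTimestamp`, `httpRequest.clientIpAddress`, `operationName.value`, `status.value`) and uses constructed sample events rather than real telemetry:

```python
"""Pivot over Azure Activity Log events exported with the Azure CLI (added example).
Assumed workflow: export once with `az monitor activity-log list --start-time 2021-11-12 --end-time 2021-11-15 -o json`,
then filter the JSON offline by identity, source IP and time window. The sample events below are constructed."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample resembling `az monitor activity-log list -o json` output (EventData field names).
SAMPLE_JSON = json.dumps([
    {"caller": "alice@contoso.example", "eventTimestamp": "2021-11-12T09:15:00+00:00",
     "httpRequest": {"clientIpAddress": "203.0.113.10"},
     "operationName": {"value": "Microsoft.Compute/virtualMachines/read"}, "status": {"value": "Succeeded"}},
    {"caller": "alice@contoso.example", "eventTimestamp": "2021-11-13T02:40:00+00:00",
     "httpRequest": {"clientIpAddress": "198.51.100.7"},
     "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"}, "status": {"value": "Succeeded"}},
    {"caller": "svc-backup@contoso.example", "eventTimestamp": "2021-11-14T11:05:00+00:00",
     "httpRequest": {"clientIpAddress": "198.51.100.7"},
     "operationName": {"value": "Microsoft.Compute/disks/beginGetAccess/action"}, "status": {"value": "Succeeded"}},
    {"caller": "bob@contoso.example", "eventTimestamp": "2021-11-16T08:00:00+00:00",
     "httpRequest": None,  # platform-initiated events carry no HTTP request block
     "operationName": {"value": "Microsoft.Resources/deployments/write"}, "status": {"value": "Failed"}},
])

def load_events(raw):
    """Parse the CLI JSON and attach a timezone-aware datetime to each event."""
    events = json.loads(raw)
    for e in events:
        e["_ts"] = datetime.fromisoformat(e["eventTimestamp"])
    return events

def by_caller(events, caller):
    """Who: events performed by one identity (case-insensitive UPN match)."""
    return [e for e in events if (e.get("caller") or "").lower() == caller.lower()]

def by_client_ip(events, ip):
    """Where: pivot on the source IP; httpRequest may be null, so guard the lookup."""
    return [e for e in events if (e.get("httpRequest") or {}).get("clientIpAddress") == ip]

def in_window(events, start, end):
    """When: events with start <= timestamp < end (both timezone-aware)."""
    return [e for e in events if start <= e["_ts"] < end]

def newest(events, n):
    """The last n events, newest first, like the 'last 5/10/500 events' query."""
    return sorted(events, key=lambda e: e["_ts"], reverse=True)[:n]

if __name__ == "__main__":
    start = datetime(2021, 11, 12, tzinfo=timezone.utc)  # the Nov 12 to Nov 15 window from the talk
    for e in in_window(load_events(SAMPLE_JSON), start, start + timedelta(days=3)):
        print(e["eventTimestamp"], e["caller"], e["operationName"]["value"])
```

Once an IP looks interesting, `by_client_ip` shows every identity it touched, which is the pivot that ties a suspicious role assignment to a later disk-access request in the sample.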