In today’s digital age, protecting your organization’s data and assets from cyber threats is paramount. That’s where security solutions like Microsoft Defender for Cloud and Azure Firewall come into play.
A Microsoft Defender for Cloud alert was recently tripped, indicating that a machine within the organization had communicated with a possible Command and Control center. This activity is a severe red flag for cyber attacks, and prompt action must be taken to remediate the situation.
The Security Alert was: Network Communication with a malicious machine detected: Network traffic analysis indicates that your machine (IP x.x.x.x) has communicated with what is possibly a Command and Control center. When the compromised resource is a load balancer or an application gateway, the suspected activity might indicate that one or more of the resources in the backend pool (of the load balancer or application gateway) has communicated with what is possibly a Command and Control center.
The rogue rule had to be deleted to fix the issue, and monitoring was put in place to ensure no further unauthorized traffic was occurring. This is a perfect example of how Microsoft Defender for Cloud and Azure Firewall work together to protect your organization from cyber threats.
Microsoft also makes some suggestions to mitigate the threat as a proactive solution which is very helpful:
When the compromised resource is a load balancer or an application gateway, you may want to trace which resources behind it generated the suspicious traffic:
1. Review the load balancer / application gateway backend pools to find suspicious machines.
https://docs.microsoft.com/en-us/azure/load-balancer/
https://docs.microsoft.com/en-us/azure/application-gateway/
2. To filter the relevant machines, you can:
a. Check the active status of the machine during the suspicious activity using machine logs / current status.
b. Check for additional alerts on the resources during the suspicious activity, which may indicate compromised machines.
c. Check for unfamiliar processes running on the machine.
d. Check for traces in other log sources (if they exist), such as firewall logs, activity logs, WAF and more…
3. Run the following remediation steps for each machine which the suspicious activity might have compromised:
a. Escalate the alert to the information security team.
b. Add x.x.x.x (AttackerIP) to NSG block list for 24 hours (See https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/)
c. Ensure the machine is completely updated and has an updated anti-malware installed.
d. Run a full Anti-Virus scan and verify that the threat was removed.
e. Install and run Microsoft’s Malicious Software Removal Tool. (See https://www.microsoft.com/en-us/download/malicious-software-removal-tool-details.aspx)
f. Run Microsoft’s Autoruns utility and identify unknown applications configured to run at login. (See https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx)
g. Process Explorer and try to identify unknown running processes. (See https://technet.microsoft.com/en-us/sysinternals/bb896653.aspx)
Upon further investigation, it was discovered that a rule had been created in the Azure Firewall, allowing all internet traffic out from one server. This rogue rule was the source of the malicious network communication and had gone unnoticed until the Microsoft Defender for Cloud alert was tripped.
But what if your organization doesn’t have these security solutions in place? Well, there are still steps you can take to protect your tenant.
First and foremost, ensure that all machines within the organization are kept up-to-date with the latest security patches and updates. Next, implement strong access controls and password policies to prevent unauthorized access to systems and data. Finally, regularly back up your critical data and store it securely, off-site.
In addition, consider implementing a security solution like Microsoft Defender for Endpoint ATP, which provides advanced threat protection for devices within your organization. Finally, educate your employees on cyber security best practices, including identifying and reporting suspicious activity.
In conclusion, cyber threats are a serious concern for all organizations. However, with the right security solutions and a focus on best practices, you can protect your organization from potential attacks. Take a proactive approach to security and stay vigilant to ensure your data and assets remain safe.
Thanks,
Dave Kawula MVP