GetThEhub915 / ChrisCybertest


attack photos and some of the locations from where they came from. #2

Open GetThEhub915 opened 5 days ago

GetThEhub915 commented 5 days ago

Step-by-Step Explanation of How I used Azure to recognize the attacks and the steps I will later take to slow down/prevent such attacks:

Identify the Logs:

In Azure, most security events and attacks are logged in various services, including:

- Azure Security Center: Provides an overview of security alerts and recommendations.
- Azure Monitor Logs: Captures detailed logs about your virtual machines and network.
- Azure Sentinel (SIEM): For advanced threat detection and investigation.
- NSG (Network Security Group) Flow Logs: For detailed network traffic flow data.

Locate the Source of the Attack:

You can look for abnormal activity in logs related to IP addresses, suspicious users, unexpected network traffic, or failed login attempts.

- Network Security Group (NSG) Flow Logs can help identify unauthorized access attempts.
- Check Sign-in Logs for unusual login patterns, especially failed logins or logins from unexpected locations.

Analyze Security Alerts:

Azure Security Center will show alerts on detected vulnerabilities or attacks. Each alert typically provides:

- Attack source (IP address or hostname).
- Attack vector (e.g., SSH brute force, SQL injection, etc.).
- Recommended mitigation steps.

Review the severity of each alert to prioritize your response.

Correlate Attack Details:

Review the logs for common attack indicators, such as:

- Multiple failed login attempts from unfamiliar IP addresses.
- Unexpected geographic locations for login attempts.
- Large amounts of traffic from specific IPs or regions.
- Unusual access patterns (e.g., access during off-hours or to critical systems).

Investigate the Source of the Attack:

Once you identify the source (e.g., an IP address or geographic location), you can:

- Perform a WHOIS lookup to determine ownership of the IP address.
- Use geolocation tools to track the IP address's location and origin.
- Investigate if the IP address is part of a known botnet or attack group by referencing threat intelligence databases.

Take Preventive Actions:

Based on the identified attack source, you can:

- Block the IP addresses involved in the attack through NSG or firewall rules.
- Enable multi-factor authentication (MFA) for users who were targeted.
- Update firewall and NSG rules to limit access to critical services.
- Increase monitoring and set up automated alerts for suspicious activities.

Example Results of the Analysis:

If the attack was detected through Azure Security Center, here's what you might typically find:

- Security Alert: "Brute-force attack detected on your virtual machine."
- Source IP: 192.168.1.100 (Geolocated to a specific country/region).
- Target Resource: Virtual machine (VM-001) in Azure.
- Failed Login Attempts: 200 attempts over 5 minutes from an unfamiliar IP address.
- Recommended Action: Block the IP, enable MFA, patch the vulnerable services.

Similarly, if using Azure Sentinel:

- Incident: Correlation of multiple failed login attempts followed by data exfiltration attempts.
- Attack Vector: SSH brute force followed by suspicious file transfers.
- Attacker Location: IP address geolocated to [Country X].
- Action: Block the IP, monitor related network traffic, and investigate compromised credentials.

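The detection described in the comment above (many failed logins from one IP inside a 5-minute window, then a success from that same IP that warrants a credential check) can be expressed as a small script. This is an added example, not code from the issue or from the ChrisCybertest repository; the log line format, the IP addresses, the account names and the 5-failures-in-5-minutes threshold are all constructed for the example, and real Azure sign-in logs are JSON records with different field names. The `az network nsg rule create` command it emits uses the real Azure CLI flags, with placeholders for the resource group and NSG name.

```python
"""Sliding-window brute-force detection over constructed sign-in log lines.

Added example; not code from the issue. Each constructed line is:
    <ISO-8601 timestamp> <user> <source IP> <Success|Failure> <location>
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=5)   # correlation window from the post's example
THRESHOLD = 5                   # failures inside WINDOW that trigger an alert

# Constructed sample data: one brute-force source (203.0.113.5) that later
# succeeds, one legitimate typo (198.51.100.7), and one slow source
# (192.0.2.9) whose 5 failures are spread over 40 minutes.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z alice 198.51.100.7 Success CountryA
2024-05-01T10:00:10Z bob 203.0.113.5 Failure CountryX
2024-05-01T10:00:12Z bob 203.0.113.5 Failure CountryX
2024-05-01T10:00:15Z carol 203.0.113.5 Failure CountryX
2024-05-01T10:00:17Z dave 203.0.113.5 Failure CountryX
2024-05-01T10:00:20Z bob 203.0.113.5 Failure CountryX
2024-05-01T10:00:22Z erin 203.0.113.5 Failure CountryX
2024-05-01T10:01:00Z bob 203.0.113.5 Success CountryX
2024-05-01T10:02:00Z alice 198.51.100.7 Failure CountryA
2024-05-01T10:30:00Z frank 192.0.2.9 Failure CountryY
2024-05-01T10:40:00Z frank 192.0.2.9 Failure CountryY
2024-05-01T10:50:00Z frank 192.0.2.9 Failure CountryY
2024-05-01T11:00:00Z frank 192.0.2.9 Failure CountryY
2024-05-01T11:10:00Z frank 192.0.2.9 Failure CountryY
"""


@dataclass
class Record:
    ts: datetime
    user: str
    ip: str
    success: bool
    location: str


@dataclass
class Finding:
    kind: str            # "bruteforce" or "success_after_bruteforce"
    ip: str
    location: str
    failures: int        # failures from this IP still inside the window
    users: list[str]     # distinct accounts attempted from this IP so far
    window_start: datetime
    window_end: datetime


def parse_line(line: str) -> Record:
    ts, user, ip, result, location = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Record(when, user, ip, result == "Success", location)


def detect(lines, threshold=THRESHOLD, window=WINDOW) -> list[Finding]:
    """Walk the log in order and emit one finding per event worth triage."""
    recent = defaultdict(deque)   # ip -> failure timestamps inside the window
    users = defaultdict(set)      # ip -> accounts attempted from that ip
    flagged = set()               # ips already reported as brute-force sources
    findings = []
    for rec in (parse_line(l) for l in lines if l.strip()):
        q = recent[rec.ip]
        if rec.success:
            # A success from an IP that was already brute-forcing is the
            # "investigate compromised credentials" case from the post.
            if rec.ip in flagged:
                findings.append(Finding("success_after_bruteforce", rec.ip, rec.location,
                                        len(q), sorted(users[rec.ip]),
                                        q[0] if q else rec.ts, rec.ts))
            continue
        q.append(rec.ts)
        users[rec.ip].add(rec.user)
        while q and rec.ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and rec.ip not in flagged:
            flagged.add(rec.ip)
            findings.append(Finding("bruteforce", rec.ip, rec.location, len(q),
                                    sorted(users[rec.ip]), q[0], rec.ts))
    return findings


def nsg_deny_rule(ip: str, resource_group: str, nsg_name: str, priority: int) -> str:
    """Azure CLI command for the post's mitigation: block the source with an
    inbound Deny rule. Lower priority numbers are evaluated first, so the value
    must sit below any Allow rule that would otherwise admit this source."""
    return ("az network nsg rule create "
            f"--resource-group {resource_group} --nsg-name {nsg_name} "
            f"--name Deny-{ip.replace('.', '-')} --priority {priority} "
            f"--direction Inbound --access Deny --protocol '*' "
            f"--source-address-prefixes {ip} --destination-port-ranges '*'")


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG.splitlines()):
        print(f"{f.kind}: {f.ip} ({f.location}), {f.failures} failures "
              f"{f.window_start:%H:%M:%S}-{f.window_end:%H:%M:%S}, accounts: {', '.join(f.users)}")
        if f.kind == "bruteforce":
            print("  mitigation:", nsg_deny_rule(f.ip, "<resource-group>", "<nsg-name>", 100))
```

Running it reports 203.0.113.5 once as a brute-force source (5 failures against 3 accounts inside 10 seconds) and again when bob's later success arrives from that IP, while 192.0.2.9 is never reported because its failures never fall inside a single 5-minute window. That last case is the point of the sliding window: a fixed threshold without a window would flag the slow source too and bury the real one in noise.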

GetThEhub915 commented 5 days ago

Let's move forward into protecting our network