Cybersecurity and Azure in Today’s Security Landscape

Cloud security has transitioned from a primary concern to one of the main drivers for cloud migration. Security now is a game-changer, and Microsoft has taken a very active role to inform and protect tenants from thousands of attackers seeking to compromise Azure resources.
According to the latest Microsoft Security Intelligence Report, companies from all sizes and industries faced significant challenges to protect their infrastructures and personnel.
The attacks followed different formats and appeared to users as dirty tricks, such as phishing, malware, coin-mining, and software supply chain attacks, to name a few.

The goal of this post is to provide a comprehensive look at the current security landscape and discuss Microsoft expert’s recommended steps to minimize the impact of existing threads in our organizations.

The Microsoft Security Intelligence Report (MSIR) is a compilation of insights culled from a year of security data analysis and hands-on lessons learned. Data analyzed include the 6.5 trillion threat signals that go through the Microsoft cloud every day and the research and real world experiences from thousands of security researchers and responders around the world. To learn more about this bi-annual report, please follow this link.

Let’s discuss some of the key concepts regarding cybersecurity, the types of cyber threats -including their scope and scale- and consequences of cyber attacks to our personal and professional environment.

What is Cybersecurity, and how can I prevent a cyber attack?

One of the major misconceptions about cybersecurity is that attacks only target credit card institutions.
News around the world reported about the colossal data breach that Equifax , a consumer reporting data company, suffered in 2017 simply because the firm failed to patch an Apache server.
The implications were significant: Forbes published yesterday, that Equifax’s reputation and ratings have downgraded as a result of the cyber attack.

Definition:
I define cybersecurity as a set of practices, policies, and techniques that each organization must follow to protect three core aspects of your business: People, Processes, and Technology.
It requires planning, investment, training, execution, monitoring, and a continuous assessment of the company to protect from attacks, damage, or unauthorized access.
Protection is a constant effort, attackers adapt, and if cyber attackers tried to hack your site unsuccessfully, they would try again in a week, a month, or a year. You need to build a culture of vigilance.

Types of attacks

• Weaponization
  Microsoft acknowledged in his MSIR a significant increase in what they called the “weaponization” of virtual machines. The attacker uses a compromised device to launch attacks against other VM’s.
  The central server called command-and-control (C&C) sends constants instructions to these devices, and a whole suite of infected machines deliver different types of attacks like Phishing and other malicious activities.
  One way to mitigate this risk is by implementing conditional access strategies through Just-In-time tools, part of the Security Center.
• Phishing
  I am sure you remember receiving an email where you were announced that won the lottery, but a fee was required to receive your prize. Those were weak attempts that made us more than once confused, mainly because email systems were new, and the spam filters were not sophisticated.
  These emails were back in 2010 the old version of the modern Phishing.
  The goal of Phishing in 2019 is the same: to make you click open an email, answer a phone call, or respond to a text message. Attempts that come from apparently safe and reliable sources but induce you to provide personal and confidential information to the attacker’s servers.
  A well-crafted phishing email has a success rate of 15%, which means that the more sophisticated the attempt, the higher the success rate.
• Malware
  One of the most famous examples of this type of attack is the ransomware attack.
  Ransomware is malware that locks the infected computer by making the data unreadable and holding it for ransom.
  Luckily, according to the Microsoft Report, this year, the implementation of this dirty trick has decreased, but companies like FedEx ended up paying thousands and thousands and dollars as a result of this weakness.
• Supply Chain breaches
  This attack follows a unique strategy: it hides the malware in software that you acquire from known vendors and spreads itself usually by finding a backdoor in the software updates. Think of the windows/mac updates that you receive frequently.
  An attacker will find a backdoor and infect your devices through any patch, and from there, it follows the weaponization strategy that we discussed above.
• Crypto-mining
  According to Microsoft Security Center, during a crypto-mining attack, “Hackers inject mining software into an unsuspecting user’s or organization’s machine(s) and then use the machine’s compute power to mine for the cryptocurrency. This can cause decreases in system performance. More importantly, the key threat is that now an attacker has a foot in the door. And while they might be using a few extra CPU cycles for mining, they can easily turn that mining software into something with more malicious intentions if needed.”

Best Practices
From a general point of view, I always refer to the formerly called “The White House Cybersecurity Framework” now referred to as the “National Institute of Standards and Technology” (NIST) framework.
This framework encompasses five different modules that can be summarized as follow:

1. The first module is named Identify, and it is the first natural step. The goal is to understand the threats that your organization may be facing.
   How do I know if my organization has experienced a cyber-attack?
   According to IBM’s Cost of a Data Breach Study, “it takes a US company about 206 days to detect a data breach”.
   Two hundred six days is almost 7-months for a company to learn, usually from an external source, that there is a security breach within the organization. The fact that you don’t know if you have been cyber attacked may merely mean that you don’t YET know that you’ve been under a cyber attack.
   “it takes a US company about 206 days to detect a data breach”
2. The second module, Protect, aims to protect the critical resources of the organization in the form of software, hardware, tools, and techniques.
3. Detection, the third module, will identify the occurrence of an undergoing cybersecurity event. Let’s remember the amount of time that it takes even to realize that the organization is under a cyber attack.
4. Respond is the natural consequence of successful detection, the goal is to restore the initial operation, recover data, systems, or software affected by the cyber attack
5. Lastly, the Recovery module helps with the steps an organization must follow to be better prepared for the future and prevent future recurrences

However, this is a site about azure, so in the next post, we will talk about how to use this framework in combination with the Microsoft Azure Security Center.