February 12, 2025 (updated May 25, 2025)

Defender for Cloud – Part 6: Attack Path Analysis

I first wrote about attack path analysis when the Defender CSPM plan was in public preview, in January 2023.

What are attack paths

An attack path is the series of steps a potential attacker takes to breach your environment and reach your assets. It starts at an entry point, such as a vulnerable resource, follows the lateral movement available in your multicloud environment (for example an attached identity that has permissions to other resources) and continues until the attacker reaches a critical target, such as a database containing sensitive data.

The attack path analysis for the case in the screenshot reads:

An Azure virtual machine has high-severity vulnerabilities that allow remote code execution. The VM can authenticate as an Azure managed identity, and that managed identity has permissions to read data from the key vault.

1- An attacker with network access to the VM can exploit the vulnerabilities and gain control of it
2- The attacker can authenticate as the managed identity
3- The attacker can use the identity to read keys and secrets from the key vault
4- The attacker can steal keys and secrets from the Azure Key Vault

What attack path analysis is

Attack path analysis is a graph-based algorithm that scans the cloud security graph. The scan exposes exploitable paths that attackers may use to breach your environment and reach your high-impact assets. Attack path analysis surfaces those paths and suggests the recommendations that break the path and prevent a successful breach. By taking your environment's contextual information into account, such as internet exposure, permissions and lateral movement, it identifies the issues that may lead to a breach and helps you remediate the highest-risk ones first. By default attack paths are organized by risk level.
The risk level is determined by a context-aware risk-prioritization engine that considers the risk factors of each resource.

A closer look

Looking at the previous image, we see three nodes in the attack path: the virtual machine, the managed identity and the key vault.

The entry point: virtual machine

In this case the virtual machine has vulnerabilities at both the OS and the application level, and an attacker can use one of them to get into the virtual machine. By remediating those vulnerabilities on the entry-point virtual machine, this attack path is removed. Reducing the managed identity's permissions on the key vault to what the workload actually needs would break the same path one hop later, so the two fixes are complementary rather than alternatives.

The target: key vault

The key vault is tagged as a Critical Asset. It also has its own security remediations, such as "use a private endpoint" to access it. Because the key vault is tagged as a critical asset, it is more interesting to an attacker. In this case the attacker has a straight route from the virtual machine to the key vault using lateral movement (MITRE ATT&CK tactic TA0008, Lateral Movement).

Conclusion

It is essential for cloud security to fix these software vulnerabilities and configuration mistakes, because they expose systems to potential attackers. I have seen many times that this is a kind of bottleneck in companies, with or without a service provider. It should be a prioritized job, and it can be automated if you are really interested. Of course it costs money to build the management around it, but after that it works like a train's toilet (a Finnish saying for something that simply keeps working).
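To make the graph-based reasoning above concrete, here is a small attack-path search over a toy cloud security graph. This is an added example and not Defender for Cloud code: the resource names, the relations between them, the risk weights and the vulnerability counts are all constructed to mirror the virtual machine -> managed identity -> key vault walkthrough. It finds every path from an exposed, RCE-vulnerable host to a resource tagged critical, ranks the paths by a context-aware score, and shows that patching the entry-point VM removes the path.

```python
"""Toy attack-path search over a cloud security graph.

Added example, not Defender for Cloud code. All resources, edges and
weights below are constructed for illustration.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Resource:
    name: str
    kind: str                      # "vm", "managed_identity", "key_vault", "storage"
    internet_exposed: bool = False
    critical: bool = False         # tagged as Critical Asset
    rce_vulnerabilities: int = 0   # high-severity RCE findings (constructed counts)


Edge = Tuple[str, str, str]        # (source, relation, target)


class SecurityGraph:
    def __init__(self, resources: List[Resource], edges: List[Edge]):
        self.resources: Dict[str, Resource] = {r.name: r for r in resources}
        self.out: Dict[str, List[Tuple[str, str]]] = {}
        for src, rel, dst in edges:
            self.out.setdefault(src, []).append((rel, dst))

    def entry_points(self) -> List[str]:
        """Exposed hosts with exploitable RCE findings: where an attacker gets in."""
        return sorted(n for n, r in self.resources.items()
                      if r.internet_exposed and r.rce_vulnerabilities > 0)

    def attack_paths(self) -> List[List[str]]:
        """Depth-first search from each entry point to any critical asset."""
        found: List[List[str]] = []

        def walk(node: str, path: List[str]) -> None:
            if self.resources[node].critical and len(path) > 1:
                found.append(path)
                return
            for _, nxt in self.out.get(node, []):
                if nxt not in path:            # never revisit a node (no cycles)
                    walk(nxt, path + [nxt])

        for ep in self.entry_points():
            walk(ep, [ep])
        return found

    def risk_score(self, path: List[str]) -> int:
        """Context-aware weighting of one path (weights are constructed)."""
        entry, target = self.resources[path[0]], self.resources[path[-1]]
        score = 5 if entry.internet_exposed else 0   # internet exposure
        score += entry.rce_vulnerabilities            # how many ways in
        score += 2 * (len(path) - 2)                  # each lateral-movement hop
        score += 10 if target.critical else 0         # critical asset reached
        return score

    def ranked_paths(self) -> List[Tuple[int, List[str]]]:
        """Attack paths ordered by risk level, highest first."""
        return sorted(((self.risk_score(p), p) for p in self.attack_paths()),
                      key=lambda sp: sp[0], reverse=True)

    def remediate(self, name: str) -> "SecurityGraph":
        """Patch all RCE findings on one resource; returns a new graph."""
        fixed = [replace(r, rce_vulnerabilities=0) if r.name == name else r
                 for r in self.resources.values()]
        edges = [(s, rel, d) for s, outs in self.out.items() for rel, d in outs]
        return SecurityGraph(fixed, edges)

    def describe(self, path: List[str]) -> List[str]:
        """Step narrative in the style of the post's numbered steps."""
        first = self.resources[path[0]]
        steps = [f"1- Attacker with network access to {path[0]} exploits its "
                 f"{first.rce_vulnerabilities} RCE finding(s) and gains control"]
        for i in range(len(path) - 1):
            rel = next(r for r, d in self.out[path[i]] if d == path[i + 1])
            steps.append(f"{i + 2}- {path[i]} {rel.replace('_', ' ')} {path[i + 1]}")
        return steps


# Constructed sample environment: two exposed VMs, one internal VM, three
# identities, one key vault tagged critical and one non-critical storage account.
SAMPLE = SecurityGraph(
    resources=[
        Resource("vm-web-01", "vm", internet_exposed=True, rce_vulnerabilities=2),
        Resource("vm-jump-03", "vm", internet_exposed=True, rce_vulnerabilities=1),
        Resource("vm-batch-02", "vm", internet_exposed=False, rce_vulnerabilities=1),
        Resource("mi-web", "managed_identity"),
        Resource("mi-jump", "managed_identity"),
        Resource("mi-batch", "managed_identity"),
        Resource("kv-prod", "key_vault", critical=True),
        Resource("st-logs", "storage"),
    ],
    edges=[
        ("vm-web-01", "can_authenticate_as", "mi-web"),
        ("mi-web", "can_read_secrets_from", "kv-prod"),
        ("mi-web", "can_read", "st-logs"),                 # non-critical: not a target
        ("vm-jump-03", "can_authenticate_as", "mi-jump"),
        ("mi-jump", "can_read_secrets_from", "kv-prod"),
        ("vm-batch-02", "can_authenticate_as", "mi-batch"),
        ("mi-batch", "can_read_secrets_from", "kv-prod"),  # vulnerable but not exposed
    ],
)

if __name__ == "__main__":
    for score, path in SAMPLE.ranked_paths():
        print(f"risk {score}: " + " -> ".join(path))
        print("\n".join(SAMPLE.describe(path)))
```

vm-batch-02 has the same vulnerable-identity-to-key-vault route as vm-web-01, but it never shows up as an attack path because nothing reaches it from outside; that is the "context" the post refers to. Remediating vm-web-01 with `SAMPLE.remediate("vm-web-01")` leaves only the jump host's path, and patching that as well empties the list.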
The parts of the MDC blog series

Part 0: Microsoft Defender for Cloud – The EPIC blog series – introduction
Part 1: Getting started aka Setup
Part 2: The Asset Inventory
Part 3: Security posture
Part 4: Security recommendations
Part 5: Security alerts
Part 6: Attack path analysis
Part 7: Cloud security explorer
Part 8: Workbooks
Part 9: Regulatory compliance
Part 10: Workload protections
Part 10.5: Advanced Workload protection
Part 11: Data and AI security – The end of the series

Jussi Metso

The author is a lifelong IT enthusiast, Microsoft Security MVP and interested in Cloud Security, XDR, SIEM and AI. Motto: Learning is the key for your future.