Defender for Cloud – Part 6: Attack Path Analysis
February 12, 2025 (updated February 22, 2025)

I first wrote about Attack Path analysis when the Defender CSPM plan was in public preview in January 2023.

What attack paths are

An attack path is a series of steps a potential attacker uses to breach your environment and access your assets. An attack path starts at an entry point, such as a vulnerable resource. It then follows the lateral movement available within your multicloud environment, such as using attached identities that have permissions to other resources. The attack path continues until the attacker reaches a critical target, such as a database containing sensitive data.

The attack path analysis for this case is: an Azure virtual machine has high severity vulnerabilities which allow remote code execution. The Azure VM can authenticate as an Azure Managed Identity. The managed identity has permissions to read data from the key vault.

1- An attacker with network access to the VM can exploit the vulnerabilities and gain control of it
2- The attacker can authenticate as the managed identity
3- The attacker can use the identity to steal keys & secrets from the key vault
4- The attacker can steal keys & secrets from the Azure Key Vault

What attack path analysis is

Attack path analysis is a graph-based algorithm that scans the cloud security graph. The scans expose exploitable paths that attackers may use to breach your environment and reach your high-impact assets. Attack path analysis exposes those attack paths and suggests recommendations on how best to remediate the issues; fixing them breaks the attack path and prevents a successful breach. By taking your environment's contextual information into account, such as internet exposure, permissions, lateral movement, and more, attack path analysis identifies issues that may lead to a breach of your environment and helps you remediate the highest risk ones first. By default, attack paths are organized by risk level.
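To make the graph-based scan concrete, here is an added toy example (not Microsoft's code) that models the page's path as a small cloud security graph and walks it from internet-exposed vulnerable entry points to critical assets; it also shows that removing the VM's vulnerabilities breaks the path. All resource names, attributes and relationships are constructed assumptions.

```python
from collections import deque
from copy import deepcopy

# Constructed toy "cloud security graph" mirroring the path on this page:
# internet-reachable VM with an RCE vulnerability -> its managed identity ->
# a key vault tagged as a critical asset. All names here are assumptions.
NODES = {
    "vm-web01": {"internet_exposed": True, "vulnerabilities": ["RCE (high)"], "critical": False},
    "mi-web01": {"internet_exposed": False, "vulnerabilities": [], "critical": False},
    "kv-prod":  {"internet_exposed": False, "vulnerabilities": [], "critical": True},
    "sa-logs":  {"internet_exposed": False, "vulnerabilities": [], "critical": False},
}
EDGES = [  # (source, target, relationship)
    ("vm-web01", "mi-web01", "can authenticate as"),
    ("mi-web01", "kv-prod", "has permission to read secrets from"),
    ("mi-web01", "sa-logs", "has permission to write to"),
]

def is_entry_point(attrs):
    # Entry point = exposed to the internet AND carrying an exploitable vulnerability
    return attrs["internet_exposed"] and bool(attrs["vulnerabilities"])

def find_attack_paths(nodes, edges):
    """Breadth-first search from every entry point; a path is reported when it
    reaches a node tagged critical. Returns a list of [node, ...] lists."""
    adjacency = {}
    for src, dst, _ in edges:
        adjacency.setdefault(src, []).append(dst)
    found = []
    for start, attrs in nodes.items():
        if not is_entry_point(attrs):
            continue
        queue = deque([[start]])
        while queue:
            path = queue.popleft()
            for nxt in adjacency.get(path[-1], []):
                if nxt in path:          # never revisit a node (no cycles)
                    continue
                if nodes[nxt]["critical"]:
                    found.append(path + [nxt])   # reached a critical target
                else:
                    queue.append(path + [nxt])   # keep moving laterally
    return found

def remediate_vulnerabilities(nodes, resource):
    """Model the recommended fix: patching the entry point clears its
    vulnerabilities, so it is no longer an entry point and its path is broken."""
    fixed = deepcopy(nodes)
    fixed[resource]["vulnerabilities"] = []
    return fixed

if __name__ == "__main__":
    for p in find_attack_paths(NODES, EDGES):
        print(" -> ".join(p))             # vm-web01 -> mi-web01 -> kv-prod
    print(find_attack_paths(remediate_vulnerabilities(NODES, "vm-web01"), EDGES))  # []
```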
The risk level is determined by a context-aware risk-prioritization engine that considers the risk factors of each resource.

An overview

If we look at the previous image, we see three nodes in the attack path: the virtual machine, the managed identity and the key vault.

The entry point: virtual machine

In this case the virtual machine has vulnerabilities at the OS and application level which allow an attacker to use a certain vulnerability to get into the virtual machine.

By remediating those vulnerabilities on the entry point virtual machine, this attack path is remediated.

The target: key vault

The key vault is tagged as a Critical Asset. Of course it has its own security remediations, like "use private endpoint" to access it. And because the key vault is tagged as a Critical Asset, it is more interesting to an attacker. In this case the attacker has a straight route from the virtual machine to the key vault using the lateral movement (TA0008) method (TA0008 refers to the MITRE ATT&CK framework).

Conclusion

It is essential to cloud security to fix those software vulnerabilities and other configuration mistakes, because they expose systems to potential attackers. I have seen many times that this is a kind of bottleneck in companies, with or without a service provider. This should be a prioritized job, and it can be automated if you are really interested. But of course it costs money to build the management; after that it works like a train's WC (a Finnish saying).
The parts of the MDC blog series

Part 0: Microsoft Defender for Cloud – The EPIC blog series – introduction
Part 1: Getting started aka Setup
Part 2: The Asset Inventory
Part 3: Security posture
Part 4: Security recommendations
Part 5: Security alerts
Part 6: Attack path analysis
Part 7: Cloud security explorer
Part 8: Workbooks
Part 9: Regulatory compliance
Part 10: Workload protections
Part 11: Data and AI security
Part 12: Firewall manager
Part 13: DevOps security
Part 14: Environment settings
Part 14A: Defender Plans
Part 14B: Security policies
Part 14C: Email notifications, Workflow automation and Continuous Export, Security solutions
Part 15: Community

Jussi Metso
The author is a lifelong IT enthusiast and Microsoft Security MVP, interested in Cloud Security, XDR, SIEM and AI. Motto: Learning is the key for your future.