The growing use of public cloud infrastructure not only expands the attack surface but also increases management complexity and risk. As the Sunburst attack demonstrated, adversaries look to take advantage of the human error and misconfigurations that are common in cloud deployments. Leveraging CrowdStrike’s wealth of cloud experience, Falcon Horizon provides cloud security posture management to help organizations identify those security issues and indicators of misconfiguration.
Cloud Security Posture Management
As part of Falcon Horizon, CrowdStrike has developed policies for various cloud services that can be monitored and reported in the Falcon user interface. The filter quickly highlights services by provider, including the Azure Identity service.
For each registered account, there are options to enable the different policies and configure a custom severity. Enabled policies are then included in regularly scheduled assessments. Where applicable, the policies also include details from the CIS benchmark. The link provides specifics about the guideline, including a description, rationale and audit procedure.
In addition to assessing different services and policies, CrowdStrike provides pre-configured dashboards specific to Azure Identity. The Application Registration dashboard consolidates information from various Azure configurations and presents it on one easy-to-reference page. The pull-down menus can be used to filter the applications by delegated or application permissions to help ensure that applications do not have more permissions than required. Checkboxes are available to highlight where privileged permissions have been granted.
In this example, there is one application that has two associated certificates and three different secrets. While that is not prohibited, it is unusual and could be used as a backdoor or persistence mechanism. The dashboard also reports the lifespan of each certificate and secret. An unusually long lifespan may indicate a backdoor, as attackers want their access to persist as long as possible. Identity Analyzer makes it easy to monitor and investigate these types of anomalies.
Similarly, the Users dashboard provides insight into the Active Directory and subscription roles applied to each user. Pull-down menus reveal every assigned role for the subscription and enable quick filtering of the supporting user list. As before, checkboxes are available to highlight users with privileged permissions.
The supporting list includes summary information for each user, including status and authentication method. The sort option makes it quick to find outliers. In this example, there are two users without multi-factor authentication enabled.
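The credential anomalies the Application Registration dashboard surfaces (an application with an unusual number of certificates and secrets, and credentials with an unusually long lifespan) can also be checked with a short script. The following is an added example, not CrowdStrike code or a Falcon Horizon feature; it runs over a constructed sample shaped like Microsoft Graph application objects (`keyCredentials` for certificates, `passwordCredentials` for secrets), and the thresholds of two credentials and 730 days are assumptions to be tuned per environment.

```python
from datetime import datetime

# Constructed sample in the shape of Microsoft Graph application objects.
# "billing-api" mirrors the page's example: two certificates and three secrets,
# one certificate and one secret with very long lifetimes.
SAMPLE_APPS = [
    {"displayName": "billing-api",
     "keyCredentials": [
         {"startDateTime": "2021-01-04T00:00:00Z", "endDateTime": "2022-01-04T00:00:00Z"},
         {"startDateTime": "2021-01-10T00:00:00Z", "endDateTime": "2031-01-10T00:00:00Z"}],
     "passwordCredentials": [
         {"startDateTime": "2021-01-04T00:00:00Z", "endDateTime": "2021-07-04T00:00:00Z"},
         {"startDateTime": "2021-01-05T00:00:00Z", "endDateTime": "2023-01-05T00:00:00Z"},
         {"startDateTime": "2021-01-06T00:00:00Z", "endDateTime": "2121-01-06T00:00:00Z"}]},
    {"displayName": "ops-dashboard",
     "keyCredentials": [],
     "passwordCredentials": [
         {"startDateTime": "2021-01-04T00:00:00Z", "endDateTime": "2021-07-04T00:00:00Z"}]},
]


def _lifespan_days(cred):
    """Days between a credential's start and end timestamps (Graph uses UTC 'Z')."""
    start = datetime.fromisoformat(cred["startDateTime"].replace("Z", "+00:00"))
    end = datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00"))
    return (end - start).days


def review_app_credentials(apps, max_creds=2, max_days=730):
    """Return (app name, finding type, value) tuples for credential anomalies.

    max_creds and max_days are assumed thresholds: flag apps holding more
    credentials than max_creds, and any single credential living longer
    than max_days.
    """
    findings = []
    for app in apps:
        certs = app.get("keyCredentials", [])
        secrets = app.get("passwordCredentials", [])
        total = len(certs) + len(secrets)
        if total > max_creds:
            findings.append((app["displayName"], "credential-count", total))
        for kind, creds in (("certificate", certs), ("secret", secrets)):
            for cred in creds:
                days = _lifespan_days(cred)
                if days > max_days:
                    findings.append((app["displayName"], f"long-lived-{kind}", days))
    return findings
```

On the sample, only `billing-api` is flagged: once for holding five credentials, once for a ten-year certificate and once for a hundred-year secret.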
Attacks that leverage misconfigurations are on the rise. Falcon Horizon and Identity Analyzer provide the visibility and assessment needed to quickly identify potential exposures and take action to improve overall cloud security.