How Identity Analyzer Improves Cloud Security

August 6, 2021

CrowdStrike Tech Center

Introduction

The growing use of public cloud infrastructure not only expands the attack surface but also increases management complexity and risk. As the Sunburst attack demonstrated, adversaries look to take advantage of the human error and misconfigurations that are common in cloud deployments. Drawing on CrowdStrike's cloud experience, Falcon Horizon provides cloud security posture management to help organizations identify those security issues and indicators of misconfiguration.

Cloud Security Posture Management

As part of Falcon Horizon, CrowdStrike has developed policies for various cloud services that can be monitored and reported in the Falcon user interface. The filter quickly highlights services by provider including the Azure Identity service.

cspm identity analyzer policies

For each provider, the policies for each supported service are listed including the default severity and policy type along with links to any relevant compliance information. There are options to enable the different policies and configure a custom severity for each registered cloud account.

cspm identity policy list

Enabled policies are then included in regularly scheduled assessments. The main dashboard gives an overview of recent findings across all registered cloud accounts and providers. Service misconfigurations are shown on the left, while the behavioral assessment findings on the right focus on activities or patterns that could be malicious.

cspm identity analyzer dashboard

Azure Identity Analyzer

In addition to assessing individual services and policies, CrowdStrike provides pre-configured dashboards for each cloud provider. For Azure, the Application Registration dashboard consolidates information from various Azure configurations and presents it on one easy-to-reference page. The pull-down menus quickly filter the applications by delegated or application permissions to confirm that applications have the correct permission levels, and the checkboxes highlight where privileged permissions have been granted.

Azure application registration

In this example, one application has two associated certificates and three different secrets. While that is not prohibited, it is unusual and could serve as a backdoor or persistence mechanism. The dashboard also reports the lifespan of each certificate and secret. An unusually long life may indicate a backdoor, since attackers want their access to persist as long as possible. These kinds of anomalies should be monitored and investigated.

azure multiple certificates
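The two checks described above (credential count per application and credential lifespan), written out as an added example that is not Falcon Horizon's own logic. It walks constructed app-registration records shaped like the Microsoft Graph /applications response (keyCredentials for certificates, passwordCredentials for secrets, each with startDateTime and endDateTime); the thresholds and sample data are assumptions.

```python
from datetime import datetime

# Thresholds are assumptions for this example, not Falcon Horizon settings.
MAX_CREDENTIALS = 2          # more certs+secrets than this on one app is flagged
MAX_LIFETIME_DAYS = 2 * 365  # a credential valid longer than this is flagged

# Constructed sample data: two app registrations in the shape of the
# Microsoft Graph /applications response. All values are made up.
SAMPLE_APPS = [
    {
        "displayName": "billing-sync",
        "keyCredentials": [  # certificates
            {"keyId": "k1", "startDateTime": "2021-01-01T00:00:00Z", "endDateTime": "2022-01-01T00:00:00Z"},
            {"keyId": "k2", "startDateTime": "2021-02-01T00:00:00Z", "endDateTime": "2022-02-01T00:00:00Z"},
        ],
        "passwordCredentials": [  # client secrets
            {"keyId": "p1", "startDateTime": "2021-03-01T00:00:00Z", "endDateTime": "2021-09-01T00:00:00Z"},
            {"keyId": "p2", "startDateTime": "2021-03-02T00:00:00Z", "endDateTime": "2023-03-02T00:00:00Z"},
            {"keyId": "p3", "startDateTime": "2021-03-03T00:00:00Z", "endDateTime": "2121-03-03T00:00:00Z"},
        ],
    },
    {
        "displayName": "hr-portal",
        "keyCredentials": [],
        "passwordCredentials": [
            {"keyId": "p9", "startDateTime": "2021-06-01T00:00:00Z", "endDateTime": "2022-06-01T00:00:00Z"},
        ],
    },
]

def _parse(ts):
    # Graph timestamps end in "Z"; fromisoformat() before Python 3.11 rejects it.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def credential_lifetime_days(cred):
    return (_parse(cred["endDateTime"]) - _parse(cred["startDateTime"])).days

def audit_app(app):
    """Return human-readable findings for one app registration."""
    findings = []
    creds = app.get("keyCredentials", []) + app.get("passwordCredentials", [])
    if len(creds) > MAX_CREDENTIALS:
        findings.append(f"{len(creds)} credentials registered")
    for cred in creds:
        days = credential_lifetime_days(cred)
        if days > MAX_LIFETIME_DAYS:
            findings.append(f"credential {cred['keyId']} valid for {days} days")
    return findings

def audit(apps):
    """Map displayName -> findings, for apps that have at least one finding."""
    results = {}
    for app in apps:
        findings = audit_app(app)
        if findings:
            results[app["displayName"]] = findings
    return results

if __name__ == "__main__":
    print(audit(SAMPLE_APPS))
```

The billing-sync app is reported for both reasons (five credentials, one secret valid for a century), while hr-portal with a single one-year secret produces no finding.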

Similarly, the Azure Active Directory Users dashboard provides insight into the Active Directory and subscription roles applied to each user. Pull-down menus reveal every assigned role for the subscription and enable quick filtering of the supporting user list. As before, checkboxes highlight users with privileged permissions.

Azure AD users

The supporting list includes summary information for each user, including status and authentication method. The sort option makes it quick to find outliers. In this example, two users do not have multi-factor authentication enabled.

Azure MFA sort

AWS Identity Analyzer

The AWS IAM User report can be filtered on username, multi-factor authentication status and permissions to quickly assess any compliance issues.

cspm identity analyzer AWS user

Looking beyond user accounts, the AWS IAM Permission Audit offers filter options such as service, action, policy name and group assignment so that permission issues can be quickly identified and resolved.

CSPM identity analyzer permissions

In this example, the list has been filtered to show only permissions in the IAM policy that grant the authority to delete a role.

cspm identity analyzer IAM permissions

Conclusion

Attacks that leverage misconfigurations are on the rise. Falcon Horizon and Identity Analyzer provide the visibility and assessment needed to quickly identify potential exposures and take action to improve overall cloud security.
