- 2FA (Two Factor Authentication), 78
- A
- AAD (Azure AD), 113–114, 157
- B2B, 215
- B2C, 215
- Conditional Access, 210–211
- Domain Services, 114
- External Identities, 115–116
- Identity Governance, 215–216
- Identity Protection, 114, 212–213
- Kerberos/NTLM authentication, 114
- LDAP (Lightweight Directory Access Protocol), 114
- PIM (Privileged Identity Management), 114, 213–214
- Zero Trust Access Architecture, 113
- access control
- application access tokens, 462–463
- AWS IAM (Identity and Access Management), 337–338
- AWS RAM (Resource Access Manager), 351–353
- Azure
- conditional access, 123–127
- Conditional Access, 210–211
- Credential Access, 73–74
- application access tokens, stealing, 462–463
- brute force, 461
- detection, 270
- TTP detection, 137–139
- unsecured credentials, 464
- web credential forgery, 462
- web session cookie stealing, 463–464
- CSF, 324
- GCP (Google Cloud Platform)
- Access Approval API, 380
- Cloud Identity & Access Management, 377, 378, 382
- Context Aware Access, 378
- Initial Access
- drive-by compromise, 447–450
- phishing, 450–451
- public-facing application exploit, 450
- trusted relationship, 451
- valid accounts, 452
- Initial Access TTP protection, 116–118
- LDAP (Lightweight Directory Access Protocol), 114
- Microsoft 365 Security, 187
- unauthorized access detection, 277–280
- Zero Trust Access Architecture, 113
- account creation, 453
- active defense, 28
- AD (Active Directory), 456, 458
- Advanced eDiscovery, 223–224
- adversary, 479
- AI (artificial intelligence), 479
- deep learning, 394
- definitions, 393–394
- ML (machine learning) and, 393–394
- AIP (Azure Information Protection), Data Exfiltration TTP detection, 148–153
- ALB (Application Load Balancer), 342
- alerts, 479
- AWS Security Hub, 254–255
- Alibaba Cloud, 388–389
- Amazon CloudWatch, 251–252, 360–361
- Amazon Detective, 356–357
- Amazon DynamoDB, 247
- Amazon EBS (Elastic Block Store), snapshots, 306
- Amazon EC2, 247
- automated response, 292
- AWS Shield and, 340
- Command and Control server communication and, 281–282
- Amazon Elastic Compute Cloud. See Amazon EC2
- Amazon EventBridge, 302–304
- Amazon Glacier, 366
- Amazon GuardDuty, 253–254, 277–280, 328, 354
- AWS Security and, 355
- CloudTrail logging disable and, 310–317
- Amazon Inspector, 328, 358–359
- Amazon Macie, 270–276, 328, 357–358
- Amazon Route 53, 363–364
- Amazon S3, 247
- Amazon S3 Glacier Vault Lock, 307
- Amazon VPC (Virtual Private Cloud), 94, 342, 347–348
- Amazon VPC Flow Logs, 252–253
- AMI (Amazon Machine Images), container images, 454
- analysts, 480
- anomalies
- Antimalware, 19
- API Gateway, SQL injection and, 256–263
- API Management, 115
- APN (AWS Partner Network), 328
- application access tokens, 462–463
- APT (advanced persistent threat), 47, 479
- ASC (Azure Security Center), 113, 205
- automated response, 170–172
- versus Azure Defender, 105–108
- versus Azure Sentinel, 105
- Command and Control TTP detecting, 146–147
- Credential Access TTP detection, 137–139
- CSPM (Cloud Security Posture Management), 106
- CWP (Cloud Workload Protection), 106
- Data Exfiltration TTP detection, 153–154
- Lateral Movement TTP and, 144–145
- prerequisites, 106–107
- Privilege Escalation TTP, 128–131
- asset inventory, 37
- asset management
- CSF (Cybersecurity Framework), 323
- Microsoft 365 Security, 186
- assets, 480
- assume breach mentality, 15, 51
- ATT&CK, tags, 69
- attachments, 480
- attack operators, 485
- attack paths, 480
- attack patterns, 480
- attack surfaces, 480
- attackers, 480
- attacks, 480
- denial of service attack, 482
- IoT and, 402–403
- malicious user profiling, 394
- poisoning attacks, 486
- threat-hunting activities after compromise, 394
- watering hole attack, 449
- authentication, 480
- alternate authentication material, 460, 470–471
- CSF, 324
- IoT and, 402
- Microsoft 365 Security, 187
- multi-factor, 338
- authorization, 480
- GCP (Google Cloud Platform) binary authorization, 380
- multi-cloud environments, 38
- unauthorized access detection, 277–280
- automation
- Amazon GuardDuty, 354
- Azure Sentinel, 90
- Exfiltration (TA0010), 79
- Microsoft Flow security response automation, 166–169
- MITRE ATT&CK Exfiltration (TA0010), 79
- SOAR (Security Orchestration, Automation, and Response), 86, 487
- availability, 480
- Avast, GCP (Google Cloud Platform) and, 374–375
- AVG, GCP (Google Cloud Platform) and, 374–375
- awareness and training, CSF, 324
- AWS Athena, 94
- AWS Certificate Manager, 346
- AWS Cloud Adoption Framework, 322
- AWS CloudFormation, 366–367
- AWS CloudHSM, 343–344
- AWS CloudTrail, 93, 249–251, 359–360
- logging, disabled
- auto recovery, 310–317
- response, 295–304
- trails, creating, 296–299
- AWS CloudWatch, 93
- AWS Config, 329–330, 335
- AWS Config Rules, automated response, 292
- AWS Control Tower, 331–332
- AWS Direct Connect, 349–350
- AWS DRT (DDoS Response Team), 340
- AWS ElasticSearch Service, 93
- AWS Firewall Manager, 328, 342–343
- AWS GuardDuty, 94
- AWS IAM (Identity and Access Management), 328, 337–338, 483
- Credential Access detection, 270
- AWS IoT Device Defender, 347
- AWS KMS (Key Management Service), 343, 345–346
- AWS Lambda, 93, 361–362
- AWS Management and Governance services, 335
- AWS OpsWorks, 368–369
- AWS Organizations, 330–331
- AWS Personal Health Dashboard, 364–365
- AWS PrivateLink, 349
- AWS RAM (Resource Access Manager), 331
- AWS Reference Architecture
- Amazon CloudWatch, 360–361
- Amazon Detective, 356–357
- Amazon Glacier, 366
- Amazon GuardDuty, 354–356
- Amazon Inspector, 358–359
- Amazon Macie, 357–358
- Amazon Route 53, 363–364
- Amazon VPC, 347–348
- AWS Certificate Manager, 346
- AWS CloudFormation, 366–367
- AWS CloudHSM, 343–344
- AWS CloudTrail, 359–360
- AWS Config, 329–330
- AWS Control Tower, 331–332
- AWS Direct Connect, 349–350
- AWS Firewall Manager, 342–343
- AWS IAM (Identity and Access Management), 337–338
- AWS IoT Device Defender, 347
- AWS KMS (Key Management Service), 345–346
- AWS Lambda, 361–362
- AWS OpsWorks, 368–369
- AWS Organizations, 330–331
- AWS Personal Health Dashboard, 364–365
- AWS PrivateLink, 349
- AWS RAM (Resource Access Manager), 351–353
- AWS Secrets Manager, 345
- AWS Security Hub, 328–329
- AWS Service Catalog, 334–335
- AWS Shield, 340
- AWS SSO (Single Sign-On), 338–339
- AWS Step Functions, 362–363
- AWS Systems Manager, 335–337
- AWS Transit Gateway, 350–351, 352
- AWS Trusted Advisor, 332–333
- AWS WAF, 340–341
- AWS Well-Architected Tool, 333–334
- CloudEndure Disaster Recovery, 367–368
- Detect and Respond
- Amazon CloudWatch, 360–361
- Amazon Detective, 356–357
- Amazon GuardDuty, 354–356
- Amazon Inspector, 358–359
- Amazon Macie, 357–358
- Amazon Route 53, 363–364
- AWS CloudTrail, 359–360
- AWS Lambda, 361–362
- AWS Personal Health Dashboard, 364–365
- AWS Step Functions, 362–363
- Identify function, 326–328
- Recover, 365
- Amazon Glacier, 366
- AWS CloudFormation, 366–367
- AWS OpsWorks, 368–369
- CloudEndure Disaster Recovery, 367–368
- AWS Secrets Manager, 345
- AWS Security Hub, 254–255, 311–317, 328–329
- Amazon GuardDuty and, 355
- AWS Security of the Cloud, 247
- AWS Service Catalog, 334–335
- AWS Shield, 340
- AWS SSO (Single Sign-On), 338–339
- AWS Step Functions, 362–363
- AWS Systems Manager, 328, 335–337
- AWS Transit Gateway, 350–351, 352
- AWS Trusted Advisor, 332–333
- AWS VPC (Virtual Private Cloud), 94
- AWS WA Tool (AWS Well-Architected Tool), 244
- AWS WAF (Web Application Firewall), 115, 200, 340–341
- configuring, 259–263
- Initial Access TTP protection, 116–118
- SQL injection and, 256–263
- AWS Well-Architected Framework, 244–245, 322
- Cost Optimization, 245–246
- Operational Excellence, 245–246
- Performance Efficiency, 245–246
- Reliability, 245–246
- Security, 245–246
- AWS Well-Architected Labs, 244
- AWS Well-Architected Tool, 333–334
- Azure
- conditional access, 123–127
- DevOps, 115
- WAF (Web Application Firewall), Initial Access TTP, 116–118
- Azure AIP File Scanner, 222–223
- Azure Application Gateway, 115
- Azure Defender
- versus ASC (Azure Security Center), 105–108
- dashboard, 108
- IoT (Internet of Things), 229
- plans, 109
- Azure Defender for IoT, IoT (Internet of Things), 230
- Azure Defender for SQL, 107
- Azure Firewall, 114, 198–199
- Azure Front Door, 114
- Azure Identity Protection, Credential Access TTP detection, 132–137
- Azure Information Protection, 115
- Azure IoT Reference Architecture, 230–233
- Azure Defender for IoT
- agent-based solutions, 234–235
- agentless solutions, 233
- Azure Key Vault, 114, 201–202
- Azure Lighthouse, 197–198
- Azure Marketplace, 194–195
- Azure Monitor, 156–157
- Azure Private Links, 114–115
- Azure Purview, 220–221
- Azure Recovery, 204
- Azure Secure Score, 205–206
- Azure Sentinel, 105
- analytics, 88–89
- automation, 90
- Azure Logic Apps, 90
- Azure Monitor Workbooks, 88
- Command and Control TTP detection, 146–147
- community, 92–93
- data collection, 86–87
- data connectors, 88
- Data Connectors gallery, 111
- Data Exfiltration TTP detection, 153–154
- enabling, 110–111
- incidents, 89
- investigation, 91
- Lateral Movement TTP detection, 144–145
- overview, 108–112
- Privilege Escalation TTP, 128–131
- search, 110
- search-and-query tools, 92
- SIEM and, 108–109
- SOAR, 108–109
- workspace, 110
- Azure Service Bus, 115
- Azure Sphere, IoT (Internet of Things), 229
- Azure Storage Service Encryption, 115
- Azure WAF (Web Application Firewall), 200
- Azure Arc, 196–197
- Azure Backup, 115
- Azure Bastion, 202–204
- Azure Confidential Computing, 115
- Azure Databricks ML, 174–181
- Azure DDoS protection, 200–201
- Azure DDoS Protection Standard, 114
- B
- banking Trojan, 480
- BEC (business email compromise), 481
- blast radius, 481
- BLI (Breach Level Index), 407
- blockchain, 406–407
- Bot Control (AWS WAF), 341
- botnets, 7, 481
- breaches, 481
- brownfields, 481
- brute force, 481
- brute force methods, 461
- business email compromise, 119
- business environment, CSF, 323
- C
- C2 (command and control). See Command and Control (MITRE ATT&CK)
- CASB (Cloud Access Security Broker), 85, 216, 463, 481
- castle defenses, 80
- Chronicle (Google Cloud Platform)
- analytics, 375
- Avast, 374–375
- AVG, 374–375
- Security Command Center, 375
- VirusTotal Enterprise, 374
- CI/CD (Continuous Integration and Continuous Delivery), 466
- CIDRs (Classless Inter-Domain Routing), 349
- ciphertext, 481
- CISO (Chief Information Security Officers), 5, 27
- cleartext, 481
- cloud matrix
- Collection
- cloud storage objects, 471
- email, 473–474
- information repositories, 471–472
- staged data, 472–473
- Credential Access
- application access tokens, stealing, 462–463
- brute force, 461
- unsecured credentials, 464
- web credential forgery, 462
- web session cookie stealing, 463–464
- Defense Evasion
- alternate authentication material, 460
- cloud compute infrastructure, 459
- cloud regions, unused/unsupported, 459–460
- defenses, impairing, 458–459
- domain policy, 457–458
- valid accounts, 461
- Discovery
- account discovery manipulation, 464–465
- cloud infrastructure discovery manipulation, 465
- cloud service dashboards, 466
- cloud service discovery, 466
- network service scanning, 467
- permission groups, 467
- software, 468
- system information, 468
- system network connections, 469
- Exfiltration, detecting, 474–475
- Impact
- defacement, 475
- Endpoint DoS, 475–477
- resource hijacking, 477
- Initial Access
- drive-by compromise, 447–450
- phishing, 450–451
- public-facing application exploit, 450
- trusted relationship, 451
- valid accounts, 452
- Lateral Movement
- alternate authentication material, 470–471
- spear phishing, internal, 469–470
- Persistence
- account creation, 453
- account manipulation, 452–453
- container image implantation, 454
- office application startup, 454–455
- valid accounts, 455
- Privilege Escalation
- domain policy modification, 456
- valid accounts, 457
- CloudEndure Disaster Recovery, 367–368
- CMS (Content Management Systems), 341
- CNG (CryptoNG) libraries, 343
- COBIT (Control Objectives for Information and Related Technology), 322
- Collection (MITRE ATT&CK), 52, 414
- cloud storage objects, 471
- email, 473–474
- information repositories, 471–472
- staged data, 472–473
- Command and Control, 8, 53, 77–78, 414, 435–442
- case study, 77–78
- connection proxy, 77
- detecting, 145–147, 280–284
- one-way communication, 77
- ports, non-standard, 77
- compliance
- AWS Config, 330
- shared responsibility model, 246–248
- confidentiality, 481
- container images, implanting, 454
- controls, shared responsibility model, 248
- cookies, stealing, 463–464
- Cost Optimization, AWS Well-Architected Framework, 245–246
- Credential Access, 52, 73–74, 414, 421–429
- Amazon Macie, 269–276
- application access tokens, stealing, 462–463
- brute force, 461
- case study, 74
- credential dumping, 73
- detecting, 131–139, 269–276
- MiTM, 74
- password cracking, 73
- unsecured credentials, 464
- web credential forgery, 462
- web session cookie stealing, 463–464
- credential phishing, 8
- credentials, unsecured, 464
- critical infrastructure, 482
- cryptography
- public-key, breaking, 398
- random number generators, 397
- CSF (Cybersecurity Framework), 321
- core, 322
- Detect function, 325
- GCP (Google Cloud Platform) and
- Detect function, 380–382
- Identify function, 376–378
- Protect function, 378–380
- Recover function, 383–384
- Respond function, 382–383
- Identify function, 323–324
- informative references, 322
- MCRA comparison, 184–185
- profiles, 322
- Protect function, 324
- Recover function, 325–326
- Respond function, 325
- tiers, 322
- CSPM (Cloud Security Posture Management), 105
- ASC (Azure Security Center), 106
- CSPs (cloud service providers), 36–37
- Alibaba Cloud, 388–389
- Google Cloud Platform, 374–375
- IaaS (Infrastructure as a Service), 373–374
- IBM Cloud
- IBM Cloud Pak for Security, 385
- IBM Cloud Security Advisor, 386
- IBM QRadar, 385–386
- IBM Security Data Explorer, 385
- Security and Compliance Center, 386
- Oracle Cloud
- CASB (Cloud Access Security Broker), 387
- continuous protection, 387
- Guard, 388
- Oracle Cloud Infrastructure, 386
- SCS (SaaS Cloud Security), 387–388
- PaaS (Platform as a Service), 373–374
- SaaS (Software as a Service), 373–374
- CTI (Cyber Threat Intelligence), 26
- Customer Access, AAD (Azure AD), External Identities, 115–116
- CVE (Common Vulnerabilities and Exposures), 341
- CWP (Cloud Workload Protection), ASC (Azure Security Center), 106
- cyber resiliency, organizational culture and, 53–54
- cyber risk awareness, 28
- cybercrime
- increases in, 4–6
- WEF (World Economic Forum), 4
- cybercriminals, 4
- cybersecurity, 482
- Cybersecurity Ventures, 4
- cyberthreats. See threats
- D
- dark web, 482
- Data & Application
- API Management, 115
- Azure Backup, 115
- Azure Confidential Computing, 115
- Azure DevOps, 115
- Azure Information Protection, 115
- Azure Storage Service Encryption, 115
- data collection, 57
- data estate, 482
- data exfiltration. See Exfiltration
- data protection, 219
- Advanced eDiscovery, 223–224
- Azure, AIP File Scanner, 222–223
- Azure Purview, 220–221
- Microsoft Compliance Manager, 224–225
- MIP (Microsoft Information Protection), 221–222
- data security
- CSF, 324
- Microsoft 365 Security, 187
- data-driven methods, 57
- DDoS (distributed DoS), 476
- AWS DRT (DDoS Response Team), 340
- AWS Shield and, 340
- Azure DDoS protection, 200–201
- Azure DDoS Protection Standard, 114
- IoT and, 402
- decision trees, 305
- deep learning, 394
- Defacement, 475
- Defense Evasion (MITRE ATT&CK), 52, 414
- alternate authentication material, 460
- cloud compute infrastructure, 459
- cloud regions, unused/unsupported, 459–460
- defenses, impairing, 458–459
- domain policy, 457–458
- valid accounts, 461
- defense-in-depth
- assume breach mentality, 84–86
- external cloud security, 85
- internal cloud security, 85
- denial of service attack (DoS), 482
- Detect function (CSF), 325
- Detect function (Microsoft 365 Security), 188
- detection features, 263
- devices
- AWS IoT Device Defender, 347
- heterogeneity, 226
- IoT and, 401
- DevOps, AWS CloudFormation and, 366
- digital estate, 482
- digital signing, AWS KMS, 346
- Director's Handbook on Cyber-Risk Oversight (NACD), 29
- Discovery (MITRE ATT&CK), 52, 414
- account discovery manipulation, 464–465
- cloud infrastructure discovery manipulation, 465
- cloud service dashboards, 466
- cloud service discovery, 466
- network service scanning, 467
- permission groups, 467
- software, 468
- system information, 468
- system network connections, 469
- DLL (Dynamic Link Library), 482
- DLP (Data Leakage Prevention), 19
- DLP (data loss prevention), 482
- DNS (Domain Name System), Amazon Route 53, 363
- DNS protocol, Command and Control detection, 280–284
- domains, Rogue Domain Controller, 456
- DoppelPaymer, 10
- Dridex, 10
- drive-by compromise, 447–450
- drop accounts, 482
- E
- EDR (Endpoint Detection and Response), 19, 407
- ELB (Elastic Load Balancing), AWS Shield and, 340
- email, data collection, 473–474
- encrypted data, 481
- encryption, 483
- AWS KMS, 345
- Azure Storage Service Encryption, 115
- GCP (Google Cloud Platform)
- CSEK (Customer Supplied Encryption Keys), 379
- Encryption at Rest, 379
- Encryption in Transit, 379
- RSA encryption, 397, 398
- end-to-end integrated security, Microsoft, 103
- Endpoint DoS (Denial of Service), 475–476
- EPP (Endpoint Protection Platform), 207–208
- EternalBlue tool, 16
- event IDs, 456
- events, 483
- Execution (MITRE ATT&CK), 52, 413
- Exfiltration, 53, 79–80, 414, 443–445, 483
- automation, 79
- case study, 79–80
- detecting, 147–155, 284–289, 474–475
- Exfiltration Over Alternative Protocol, 79
- Transfer Data to Cloud Account, 79
- exploits, 483
- exposure, 483
- external cloud security, 85
- Eye Pyramid campaign, 470
- F
- federated users, AWS IAM, 338
- Firewall, 19
- firewalls, 449–450, 483
- fusion, 483
- G
- GCP (Google Cloud Platform)
- Access Approval API, 380
- Admin Console, 376, 378
- Android Enterprise, 381
- autoscaling, 379, 384
- BigQuery, 383
- binary authorization, 380
- Chronicle
- analytics, 375
- Avast, 374–375
- AVG, 374–375
- Security Command Center, 375
- VirusTotal Enterprise, 374
- Cloud Adoption Framework, 377, 379
- Cloud Armor, 377, 380, 383
- Cloud CDN, 384
- Cloud Data Catalog, 377
- Cloud Disaster Recovery, 383
- Cloud Functions, 382
- Cloud HSM, 379
- Cloud Identity, 376, 378
- Cloud Identity & Access Management, 377, 378, 382
- Cloud Load Balancing, 384
- Cloud Operations Suite, 381, 383
- Cloud Private Catalog, 377
- Cloud Pub/Sub, 382
- Cloud Resource Manager, 376, 379
- Cloud Security Scanner, 377, 381, 383
- Cloud Status Dashboard, 384
- Cloud Training, 379
- Cloud VPC, 378, 380
- Contact Center AI, 384
- container images, 454
- Container Registry Vulnerability Scanner, 377, 381, 383
- Context Aware Access, 378
- CSCC (Cloud Security Command Center), 377, 381, 382
- CSEK (Customer Supplied Encryption Keys), 379
- CSF (Cybersecurity Framework) and
- Detect function, 380–382
- Identify function, 376–378
- Protect function, 378–380
- Recover function, 383–384
- Respond function, 382–383
- Deployment Manager, 384
- DLP (Data Loss Prevention), 379
- Encryption at Rest, 379
- Encryption in Transit, 379
- Event Threat Detection, 382, 383
- Forseti Security, 376, 378, 383
- G Suite Phishing & Malware Protection, 381
- G Suite Security Center, 381, 382
- GCP Quotas, 379
- Google Admin Console, 382
- Google Security & Trust Center, 381
- IDaaS (Identity as a Service), 378, 382
- Identity Aware Proxy, 378
- Identity Platform, 377, 378, 382
- Incident Response Management, 381, 382, 384
- Key Management Service, 379
- Log Exports, 383
- network telemetry, 381
- Phishing Protection, 378, 380, 383
- Policy Intelligence, 382
- Professional Services, 377, 379
- reCAPTCHA, 380
- Security & Trust Center, 377
- Security Command Center, 375
- Shielded VMs, 380
- Titan Security Key, 380
- Traffic Director, 380
- VPC Service Controls, 378, 380
- GDPR (General Data Protection Regulation), Amazon Macie and, 357
- GitHub
- AWS CloudFormation and, 366
- Azure Sentinel, 92–93
- maintainers, 485
- npm, 485
- secrets, 486
- governance
- AAD (Azure AD)
- Identity Governance, 215–216
- AWS Management and Governance services, 335
- CSF, 323
- Identity Governance, 209
- Microsoft 365 Security, 186
- GPOs (Group Policy Objects), 456, 458
- graphs, Azure Sentinel, 91
- greenfield, 483
- GSOC (Global Security Operations Center), 43
- GuardiCore honeypots, 394
- H
- HIPAA (Health Insurance Portability and Accountability Act), Amazon Macie and, 357
- HMM (Hunting Maturity Model), 23
- Level 0 (Initial), 25
- Level 1 (Minimal), 25
- Level 2 (Procedural), 25
- Level 3 (Innovative), 25
- Level 4 (Leading), 25
- organization, 23–26
- homoglyphs, 7
- honeypot, 483
- HSM (hardware security module), 343
- human-operated ransomware, 483
- HUMINT (Human Intelligence), 26–27
- hunting, 483
- hypothesis-based methods, 57
- I
- IaaS (Infrastructure as a Service), 104, 373–374
- IBM Cloud
- IBM Cloud Pak for Security, 385
- IBM Cloud Security Advisor, 386
- IBM QRadar, 385–386
- IBM Security Data Explorer, 385
- Security and Compliance Center, 386
- ICS (Industrial Control Systems), 405
- ID Quantique, 397
- Identify function (CSF), 323–324
- Identify function (Microsoft 365 Security), 186–187
- Identity & Access Management
- AAD (Azure Active Directory), 113–114
- ASC (Azure Security Center), 113
- CSF, 324
- Microsoft 365 Security, 187
- identity protection
- AAD (Azure AD), 209, 211
- Azure MFA, 211–212
- Conditional Access, 209, 210–211
- Defender for Identity, 209
- Identity Governance, 209, 215–216
- Identity Protection, 212–213
- Microsoft Defender for Identity, 214–215
- Multi-Factor Authentication, 209
- PIM (Privileged Identity Management), 213–214
- IDPS (Intrusion Detection and Prevention Systems), 47
- IDS (Intrusion Detection Systems), 19, 484
- immutable storage, 307
- Impact (MITRE ATT&CK), 53, 414
- defacement, 475
- Endpoint DoS, 475–477
- resource hijacking, 477
- incident response
- Amazon EC2, 292
- automating, 290–294
- AWS Config Rules, 292
- AWS Fargate, 292
- AWS Lambda, 292
- AWS Step Functions, 292
- costs, scanning methods, 293
- event-driven responses, 294–304
- foundations, 289–290
- SSM Agent, 292
- information repositories, data collection, 471–472
- Infrastructure & Network
- Azure Application Gateway, 115
- Azure DDoS Protection Standard, 114
- Azure Firewall, 114
- Azure Front Door, 114
- Azure Key Vault, 114
- Azure Private Links, 114–115
- Azure Service Bus, 115
- Key Vault Managed HSM, 114
- VPN Gateway, 114
- WAF (Web Application Firewall), 115
- Initial Access (MITRE ATT&CK), 52, 413
- Azure Conditional Access, 123–127
- Microsoft Defender for Endpoint, 121–123
- Microsoft Defender for Office 365, 118–121
- preventing, 256
- WAF and, 116–118
- insider threats, 483
- integrity, 484
- internal cloud security, 85
- intrusion, 484
- intuition-based analysis, machine intelligence and, 394
- investigation and remediation
- Microsoft Defender for Endpoint, 157–158
- Microsoft Threat Experts, 159–166
- IOC (indicators of compromise), 23, 47, 483
- IOC-based methods, 57
- IoT (Internet of Things), 225, 399–401
- attacks, 402–403
- Azure Defender, 229
- Azure Defender for IoT, 230
- Azure Sphere, 229
- denial of service, 228
- devices, cybersecurity and, 401
- elevation of privilege, 229
- information disclosure, 228, 229
- legacy devices, 227
- OWASP (Open Web Application Security Project) and, 400–401
- preparedness, 403–404
- risk growth, 401–403
- security concerns, 226–227
- spoofing, 228
- threat models, 227–229
- IPFIX (IP Flow Information Export), 394
- IPS (Intrusion Prevention Systems), 484
- ISO (International Organization for Standardization), 484
- ITSM (IT Service Management), 335
- ITSM/ITOM, AWS Control Tower and, 335
- J
- JCE (Java Cryptography Extensions), 343
- Jira Service Desk, 335
- JIT (just in time), 484
- Lateral Movement TTP and, 139–144
- K
- key management, AWS KMS, 346
- Key Vault Managed HSM, 114
- keylogging, 484
- keypairs, 484
- kill chains, 484
- KPIs (key performance indicators), 25, 58
- KRIs (key risk indicators), 58
- L
- Lambda functions, response and recovery, 314
- Lateral Movement, 52, 75–76, 414, 431–434
- alternate authentication material, 470–471
- application access token, 75
- case study, 75–76
- detecting, 139–145, 276–280
- pass the hash, 75
- PtT (pass the ticket), 75
- spear phishing, internal, 469–470
- LDAP (Lightweight Directory Access Protocol), 114
- lifecycle
- phishing, 9
- ransomware, 11
- logging
- Amazon CloudWatch, 251–252
- AWS CloudTrail, 249–251, 295–304
- CloudTrail logging disable and, 310–317
- VPC Flow Logs, 252–253
- M
- machine intelligence. See ML (machine learning)
- Machine Intelligence, 26
- machine learning, 484. See also ML (machine learning)
- macro viruses, 485
- maintainers, 485
- maintenance
- CSF, 324
- Microsoft 365 Security, 188
- malicious user profiling, 394
- malware, 485
- Antimalware, 19
- detection, ML and, 395–396
- G Suite Phishing & Malware Protection, 381
- MCAS (Microsoft Cloud App Security), 147, 157, 216–218
- dashboard, 148
- Microsoft Flow and, 166–169
- MCRA (Microsoft Cybersecurity Reference Architecture), 184
- hybrid infrastructure
- ASC (Azure Security Center), 205
- Azure Arc, 196–197
- Azure Bastion, 202–204
- Azure DDoS protection, 200–201
- Azure Firewall, 198–199
- Azure Key Vault, 201–202
- Azure Lighthouse, 197–198
- Azure Marketplace, 194–195
- Azure Recovery, 204
- Azure Secure Score, 205–206
- Azure WAF, 200
- Private Link support, 195–196
- people security, 236
- attack simulator, 237
- Communication Compliance, 239–240
- IRM (Insider Risk Management), 237–239
- SDL (Security Development Lifecycle), 193–194
- Service Trust Portal, 192–193
- threat intelligence, 190–192
- Microsoft
- end-to-end integrated security, 103
- Investigate and Response services, 156–172
- security and prevention services, 112–127
- Microsoft 365
- Defender, threat detection, 154–155
- Security
- Detect function, 188
- Identify function, 186–187
- NIST CSF and, 185
- Protect function, 187–188
- Recover function, 189–190
- Respond function, 189
- threat kill chain protection, 112
- Microsoft Compliance Manager, 224–225
- Microsoft Defender for Endpoint
- attack surface reduction, 121
- enabling, 122–123
- Initial Access TTP protection, 121–123
- investigation and remediation, 157–158
- Microsoft Defender for Office 365, 119–121
- Initial Access TTP protection, 118–121
- Microsoft Detect services, 127–128
- Microsoft Endpoint Manager, 206
- configuration manager, 207–208
- EPP (Endpoint Protection Platform), 207–208
- Intune, 208–209
- Microsoft Flow
- Cloud App security, 169
- MCAS and, 166–169
- security response automation, 166–169
- Microsoft Intune, 208–209
- Microsoft SDL (Security Development Lifecycle), 193–194
- Microsoft Threat Experts
- alerts, 165, 166
- experts on demand, 161–165
- machine compromise, 165
- Targeted Attack Notification, 159–161
- threat intelligence, 166
- migration, AWS PrivateLink, 349
- MIP (Microsoft Information Protection), 221–222
- mitigation, CSF, 325
- MITRE ATT&CK
- Collection (TA0009), 52, 67, 414
- Command and Control (TA0011), 53, 77, 414, 435–442
- case study, 77–78
- connection proxy, 77
- detecting, 145–147
- one-way communication, 77
- ports, non-standard, 77
- Credential Access (TA0006), 52, 73, 414, 421–429
- case study, 74
- credential dumping, 73
- detecting, 131–139
- MiTM, 74
- password cracking, 73
- Defense Evasion (TA0005), 52, 67, 414
- Discovery, 52, 414
- Execution (TA0002), 52, 67, 413
- Exfiltration (TA0010), 53, 67, 79, 414, 443–445
- automation, 79
- case study, 79–80
- detecting, 147–155
- Exfiltration Over Alternative Protocol, 79
- Transfer Data to Cloud Account, 79
- framework, 22
- Impact, 53, 414
- Initial Access (TA0001), 52, 67, 116–127, 413
- Lateral Movement (TA0008), 52, 67, 75, 414, 431–434
- application access token, 75
- case study, 75–76
- detecting, 139–145
- pass the hash, 75
- PtT (pass the ticket), 75
- matrix, sub-techniques, 66
- Persistence (TA0003), 52, 67, 413
- New Service (T1050), 67–68
- Privilege Escalation (TA0004), 52, 71–72, 128–131, 414, 415–419
- access token manipulation, 72
- case study, 72–73
- DLL search order hijack, 72
- New Service (T1050), 68
- UAC bypassing, 72
- reconnaissance, 413
- resource development, 413
- Tactic (TA0003), 67
- tactics, 67, 70
- techniques, 67–69, 70
- AppInit (T1103), 67
- New Service (T1050), 67
- Spear Phishing Link, 68
- Spear Phishing via Service, 68
- testing, 65
- threat modeling, 21–23
- TTPs (Tactics, Techniques, and Procedures), 413–414
- uses, 64–65
- ML (machine learning), 172–173
- AI and, 393–394
- Azure Databricks ML, 174–181
- deep learning, 394
- false positives and, 395
- fusion detections, 173–174
- intuition-based analysis and, 394
- malware detection and, 395–396
- risk scoring and, 396
- versus traditional approach, 395
- unsupervised learning, 394
- model inversion, 485
- model stealing, 485
- monitoring
- Amazon GuardDuty, 253–254, 354
- AWS Config, 329–330
- Azure Monitor, 156–157
- Azure Monitor Workbooks, 88
- continuous, CSF, 325
- MSSP (Managed Security Service Providers), 392
- multi-cloud environment, 35–37
- asset inventory, 37
- authentication, 38
- authorization, 38
- configuration management, 37
- CSPs (cloud service providers), 36–37
- cyber resiliency, 53–54
- multi-tenant environment, 38–40
- SOC (Security Operations Center), 41–46
- solutions, 38
- threat modeling
- assume breach mentality, 51
- components, 19
- hypothesis development, 52–53
- methodologies, 20
- MITRE ATT&CK, 21–23
- proactive hunting team, 50–51
- SDL (Security Development Lifecycle), 20–21
- SOC and, 50–53
- multi-factor authentication, AWS IAM, 338
- multi-tenant environments, 38–40
- N
- NACD (National Association of Corporate Directors), 29
- nation states
- activity group, 485
- threats, 10–14
- actors, 14
- adversaries list, 13
- VPNs (virtual private networks), 11
- NGOs (non-governmental organizations), 11
- NIST (National Institute of Standards and Technology), 485. See also CSF (Cybersecurity Framework)
- npm, 485
- O
- OAuth, 462–463
- obfuscation, 485
- Operational Excellence, AWS Well-Architected Framework, 245–246
- operations, attack operators, 485
- operators, 485
- Oracle Cloud
- CASB (Cloud Access Security Broker), 387
- continuous protection, 387
- Guard, 388
- Oracle Cloud Infrastructure, 386
- SCS (SaaS Cloud Security), 387–388
- organizations, cyber resiliency and, 53–54
- OSINT (Open-Source Threat Intelligence), 26
- OT (operational technology), 225, 405–406
- ICS (Industrial Control Systems), 405
- IoT and, 225–227
- legacy devices, 227
- SCADA (Supervisory Control and Data Acquisition) system, 405
- OWASP (Open Web Application Security Project), 341
- IoT (Internet of Things) and, 400–401
- P
- PaaS (Platform as a Service), 104, 373–374
- password spray, 485
- PAW (Privileged Access Workstation), 139
- Performance Efficiency, AWS Well-Architected Framework, 245–246
- permissions, AWS IAM, 338
- Persistence, 52, 413
- account creation, 453
- account manipulation, 452–453
- container image implantation, 454
- New Service (T1050), 67–68
- office application startup, 454–455
- valid accounts, 455
- phishing, 7–8, 450–451, 485
- credential phishing, 8
- lifecycle, 9
- spear phishing, 6, 8, 118
- phishing kit, 485
- PID (process IDs), 454
- PII (personally identifiable information), Amazon Macie and, 357
- PIM (Privileged Identity Management), 114
- playbook, 485–486
- poisoning attacks, 486
- policy management, AWS Control Tower, 331
- PPID (parent process IDs), 454
- Private Link support, 195–196
- Privilege Escalation, 52, 71–73, 414, 415–419
- access token manipulation, 72
- case study, 72–73
- detecting, 128–131, 263–268
- DLL search order hijack, 72
- domain policy modification, 456
- IoT, 229
- New Service (T1050), 68
- UAC bypassing, 72
- valid accounts, 457
- Protect function (CSF), 324
- Protect function (Microsoft 365 Security), 187–188
- protective technology
- CSF, 324
- Microsoft 365 Security, 188
- public-facing application exploit, 450
- Q
- quantum computing, 396
- challenges, 398–399
- entanglement, 397
- future, 399
- quantum-secure communications, 398
- qubits, 396
- Shor's algorithm, 397
- Quantum Dice, 397
- Quantum Exchange, 397
- qubits, 396
- R
- random number generators, cryptography and, 397
- ransomware, 8–10, 486
- human-operated ransomware, 483
- lifecycle, 11
- threats, 8–10
- Ransomware-as-a-Service, 10
- RDP (remote desktop protocol), 486
- reconnaissance, 413
- Recover function (CSF), 325–326
- Recover function (Microsoft 365 Security), 189–190
- recovery. See response and recover
- red team, 486
- red team exercise, 486
- red team testing, 486
- regulatory issues, 408
- Reliability, AWS Well-Architected Framework, 245–246
- resilience, 486
- resource development, 413
- Resource Hijacking, 477
- Respond function (CSF), 325
- Respond function (Microsoft 365 Security), 189
- response and recover
- AI (artificial intelligence) and, 317–319
- alternative accounts, 305–306
- Amazon EBS snapshots, 306
- automating response, 290–294
- CloudEndure Disaster Recovery, 367–368
- CloudWatch log sharing, 306–307
- copying data, 306
- CSF, 325–326
- decision trees, 305
- event-driven responses, 294–304
- forensic workstations, 309
- immutable storage, 307
- incident response foundations, 289–290
- instances and, 309–310
- Lambda functions, 314
- ML (machine learning) and, 317–319
- resource isolation, 308
- resource launch, 307–308
- viewing data, 306
- reverse engineering, 486
- risk assessment
- CSF, 324
- Microsoft 365 Security, 186
- risk awareness, 28
- risk management
- CSF, 324
- cybersecurity and, 28
- Microsoft 365 Security, 187
- Rogue Domain Controller, 456
- ROSI (Return on Security Investment), 58
- RSA encryption, 397, 398
- S
- S3 bucket, 270
- SaaS (Software as a Service), 104, 373–374
- SCS (SaaS Cloud Security), 387–388
- SAML (Simple Access Mark-up Language), 14
- SAW (Secure Access Workstation), 139
- SCADA (Supervisory Control and Data Acquisition) system, 405
- SCPs (service control policies), 331
- SDL (Security Development Lifecycle), 20–21, 486
- SEA (Syrian Electronic Army), 470
- SecOps, 47–48
- secrets, 486
- security, shared responsibility model, 246–248
- Security in the Cloud (customer), 247
- Security of the Cloud (AWS), 247
- Security section, AWS Well-Architected Framework, 245–246
- service health, 364–365
- ServiceNow, 335
- shared responsibility model, 102–104
- AWS, 247–248
- controls, 248
- customer, 247–248
- IaaS (Infrastructure as a Service) solutions, 104
- on-premises solutions, 104
- PaaS (Platform as a Service) solutions, 104
- SaaS (Software as a Service) solutions, 104
- security and compliance, 246–248
- SIEM (Security Information and Event Management), 41–42, 94–95, 408, 487
- SIGINT (Signals Intelligence), 26
- skillset requirements, 54
- analytical mindset, 56
- data analysis, 56
- outsourcing, 56–57
- programming languages, 56
- security analysis, 55
- soft skills, 56
- SLAs (Service Level Agreements), 25
- SMiShing (SMS phishing), 487
- SNS, email topics, 299–301
- SOAR (Security Orchestration, Automation, and Response), 86, 487
- SOC (Security Operations Center), 41, 487
- Azure Defender, 236
- Azure Sentinel, 235
- GSOC (Global Security Operations Center), 43
- hypothesis development, 52–53
- Microsoft DART (Detection and Response Team), 236
- Microsoft Defender XDR, 236
- Microsoft Threat Experts, 236
- model, 43–44
- MSSP/MDR providers, 236
- reference architecture, 48
- scope, 43
- services, 43
- SIEM (Security Information and Event Management), 41–42
- teams
- incident management, 45
- proactive hunting team, 50–51
- SOC analysts, 45
- specialized, 45–46
- threat intelligence, 45
- technologies, 44–45
- threat management, process, 44
- threat modeling, 50–53
- three-tier approach, 51
- tooling, 44–45
- type, 43
- SOC analysts, 392
- SolarWinds breaches, 391
- Solorigate, 11
- spear phishing, 6, 8, 118
- spoofing, 487
- SQL injection protection, 256–263
- SREs (site reliability engineers), 360
- SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificates, 346
- SSM Agent, automated response, 292
- storage objects, data collection, 471
- storage, immutable, 307
- supply chain, 487
- Microsoft 365 Security, 187
- risk management, 487
- T
- testing, MITRE ATT&CK, 65
- threat detection, 46–48
- legacy-based systems, 392
- threat hunting, 6–7
- active defense, 28
- areas of study, 16
- board of directors, 27–30
- CISO (Chief Information Security Officers), 27
- data collection steps, 57
- desired outcome, 16
- foundational metrics
- functionality, 59
- scope, 58
- visibility, 58
- goals, 49–50
- human elements, 26–33
- hunter's role, 31–33
- methods
- data-driven, 57
- hypothesis-based, 57
- IOC-based, 57
- TTPS-based, 57
- multi-cloud environments, 35–37
- asset inventory, 37
- authentication, 38
- authorization, 38
- configuration management, 37
- multi-tenant environment, 38–40
- SOC (Security Operations Center), 41–46
- solutions, 38
- need for, 14–18
- objectives, 49–50
- operational metrics, 59–61
- organization size, 17–18
- program effectiveness, 61–62
- skillset requirements, 54
- analytical mindset, 56
- data analysis, 56
- outsourcing, 56–57
- programming languages, 56
- security analysis, 55
- soft skills, 56
- teams
- combined/hybrid team, 30
- dedicated internal team, 30
- periodic hunt teams, 30–31
- threat hunting as a service, 407
- threat intelligence, Zero Trust model and, 83
- threat kill chain, Microsoft 365, 112
- threat management, SOC, process, 44
- threat modeling
- assume breach mentality, 51
- components, 19
- hypothesis development, 52–53
- IoT cybersecurity, 227–229
- methodologies, 20
- MITRE ATT&CK, 21–23
- SDL (Security Development Lifecycle), 20–21
- SOC and, 50–53
- teams, proactive hunting team, 50–51
- threat variants, 487
- threats
- nation state, 10–14
- phishing, 7–8
- ransomware, 8–10
- Trojans, banking Trojans, 480
- trusted relationships, 451
- TTPs (Tactics, Techniques, and Procedures), 6, 70, 413–414, 487
- tactics, 67
- techniques, 67–69
- TTPS-based methods, 57
- U
- UEBA (user and entity behavior analytics), 109–110, 236–240, 487
- V
- VPC Flow Logs, 252–253
- viruses, macro viruses, 485
- VirusTotal Enterprise, 374
- vishing (voice phishing), 488
- VM (virtual machine)
- compromised, 394
- malicious user profiling, 394
- VPN Gateway, 114
- VPNs (virtual private networks), nation state threats, 11
- W
- WannaCry, 10
- watering hole attack, 449
- WEF (World Economic Forum), 4
- whaling attacks, 119
- WORM (write once, read many), 307
- X
- XDR (extended detection and response), 408
- Z
- Zapier, 166
- Zero Trust, 488
- Zero Trust Access Architecture, AAD (Azure Active Directory), 113
- Zero Trust model, 80–83
- threat intelligence and, 83