Index

2FA (Two Factor Authentication), 78

A
AAD (Azure AD), 113–114, 157
- B2B, 215
- B2C, 215
- Conditional Access, 210–211
- Domain Services, 114
- External Identities, 115–116
- Identity Governance, 215–216
- Identity Protection, 114, 212–213
- Kerberos/NTLM authentication, 114
- LDAP (Lightweight Directory Access Protocol), 114
- PIM (Privilege Identity Management), 114, 213–214
  - audit history, 157
- Zero Trust Access Architecture, 113
access control
- application access tokens, 462–463
- AWS IAM (Identity and Access Management), 337–338
- AWS RAM (Resource Access Manager), 351–353
- Azure
  - conditional access, 123–127
- Conditional Access, 210–211
- Credential Access, 73–74
  - application access tokens, stealing, 462–463
  - brute force, 461
  - detection, 270
  - TTP detection, 137–139
  - unsecured credentials, 464
  - web credential forgery, 462
  - web session cookie stealing, 463–464
- CSF, 324
- GCP (Google Cloud Platform)
  - Access Approval API, 380
  - Cloud Identity & Access Management, 377, 378, 382
  - Context Aware Access, 378
- Initial Access
  - drive-by compromise, 447–450
  - phishing, 450–451
  - public-facing application exploit, 450
  - trusted relationship, 451
  - valid accounts, 452
- Initial Access TTP protection, 116–118
- LDAP (Lightweight Directory Access Protocol), 114
- Microsoft 365 Security, 187
- unauthorized access detection, 277–280
- Zero Trust Access Architecture, 113
account creation, 453
active defense, 28
AD (Active Directory), 456, 458
Advanced eDiscovery, 223–224
adversary, 479
AI (artificial intelligence), 479
- deep learning, 394
- definitions, 393–394
- ML (maching learning) and, 393–394
AIP (Azure Information Protection), Data Exfiltration TTP detection, 148–153
ALB (Application and Load Balancer), 342
alerts, 479
- AWS Security Hub, 254–255
Alibaba Cloud, 388–389
Amazon CloudWatch, 251–252, 360–361
- log sharing, 306–307
Amazon Detective, 356–357
Amazon DynamoDB, 247
Amazon EBS (Elastic Block Store), snapshots, 306
Amazon EC2, 247
- automated response, 292
- AWS Shield and, 340
- Command and Control server communication and, 281–282
Amazon Elastic Compute Cloud. See Amazon EC2
Amazon EventBridge, 302–304
Amazon Glacier, 366
Amazon GuardDuty, 253–254, 277–280, 328, 354
- AWS Security and, 355
- CloudTrail logging disable and, 310–317
Amazon Inspector, 328, 358–359
Amazon Macie, 270–276, 328, 357–358
Amazon Route 53, 363–364
Amazon S3, 247
Amazon S3 Glacier Vault Lock, 307
Amazon VPC (Virtual Private Cloud), 94, 342, 347–348
- Amazon VPC Flow Logs, 252–253
AMI (Amazon Machine Images), container images, 454
analysts, 480
anomalies
- CSF, 325
- detecting, 394
Antimalware, 19
API Gateway, SQL injection and, 256–263
API Management, 115
APN (AWS Partner Network), 328
application access tokens, 462–463
APT (advanced persistent threat), 47, 479
ASC (Azure Security Center), 113, 205
- automated response, 170–172
- versus Azure Defender, 105–108
- versus Azure Sentinel, 105
- Command and Control TTP detecting, 146–147
- Credential Access TTP detection, 137–139
- CSPM (Cloud Security Posture Management), 106
- CWP (Cloud Workload Protection), 106
- Data Exfiltration TTP detection, 153–154
- Lateral Movement TTP and, 144–145
- prerequisites, 106–107
- Privilege Escalation TTP, 128–131
asset inventory, 37
asset management
- CSF (Cybersecurity Framework), 323
- Microsoft 365 Security, 186
assets, 480
assume breach mentality, 15, 51
- defense-in-depth, 84–86
ATT&CK, tags, 69
attachments, 480
attack operators, 485
attack paths, 480
attack patterns, 480
attack surfaces, 480
attackers, 480
attacks, 480
- denial of service attack, 482
- IoT and, 402–403
- malicious user profiling, 394
- poisoning attacks, 486
- threat-hunting activities after compromise, 394
- watering hole attack, 449
authentication, 480
- alternate authentication material, 460, 470–471
  - theft detection, 277–280
- CSF, 324
- IoT and, 402
- Microsoft 365 Security, 187
- multi-factor, 338
authorization, 480
- GCP (Google Cloud Platform) binary authorization, 380
- multi-cloud environments, 38
- unauthorized access detection, 277–280
automation
- Amazon GuardDuty, 354
- Azure Sentinel, 90
- Exfiltration (TA0010), 79
- Microsoft Flow security response automation, 166–169
- MITRE ATT&CK Exfiltration (TA0010), 79
- SOAR (Security Orchestration, Automation, and Response), 86, 487
  - Azure Sentinel, 108–109
availability, 480
Avast, GCP (Google Cloud Platform) and, 374–375
AVG, GCP (Google Cloud Platform) and, 374–375
awareness and training, CSF, 324
AWS Athena, 94
AWS Certificate Manager, 346
AWS Cloud Adoption Framework, 322
AWS CloudFormation, 366–367
AWS CloudHSM, 343–344
AWS CloudTrail, 93, 249–251, 359–360
- logging, disabled
  - auto recovery, 310–317
  - response, 295–304
- trails, creating, 296–299
AWS CloudWatch, 93
AWS Config, 329–330, 335
AWS Config Rules, automated response, 292
AWS Control Tower, 331–332
AWS Direct Connect, 349–350
AWS DRT (DDoS Response Team), 340
AWS ElasticSearch Service, 93
AWS Firewall Manager, 328, 342–343
AWS GuardDuty, 94
AWS IAM (Identity and Access Management), 328, 337–338, 483
- Credential Access detection, 270
AWS IoT Device Defender, 347
AWS KMS (Key Management Service), 343, 345–346
AWS Lambda, 93, 361–362
- automated response, 292
AWS Management and Governance services, 335
AWS OpsWorks, 368–369
AWS Organizations, 330–331
- service health, 365
AWS Personal Health Dashboard, 364–365
AWS PrivateLink, 349
AWS RAM (Resource Access Manager), 331
AWS Reference Architecture
- Amazon CloudWatch, 360–361
- Amazon Detective, 356–357
- Amazon Glacier, 366
- Amazon GuardDuty, 354–356
- Amazon Inspector, 358–359
- Amazon Macie, 357–358
- Amazon Route 53, 363–364
- Amazon VPC, 347–348
- AWS Certificate Manager, 346
- AWS CloudFormation, 366–367
- AWS CloudHSM, 343–344
- AWS CloudTrail, 359–360
- AWS Config, 329–330
- AWS Control Tower, 331–332
- AWS Direct Connect, 349–350
- AWS Firewall Manager, 342–343
- AWS IAM (Identity and Access Management), 337–338
- AWS IoT Device Defender, 347
- AWS KMS (Key Management Service), 345–346
- AWS Lambda, 361–362
- AWS OpsWorks, 368–369
- AWS Organizations, 330–331
- AWS Personal Health Dashboard, 364–365
- AWS PrivateLink, 349
- AWS RAM (Resource Access Manager), 351–353
- AWS Secrets Manager, 345
- AWS Security Hub, 328–329
- AWS Service Catalog, 334–335
- AWS Shield, 340
- AWS SSO (Single Sign-On), 338–339
- AWS Step Functions, 362–363
- AWS Systems Manager, 335–337
- AWS Transit Gateway, 350–351, 352
- AWS Trusted Advisor, 332–333
- AWS WAF, 340–341
- AWS Well-Architected Tool, 333–334
- CloudEndure Disaster Recovery, 367–368
- Detect and Respond
  - Amazon CloudWatch, 360–361
  - Amazon Detective, 356–357
  - Amazon GuardDuty, 354–356
  - Amazon Inspector, 358–359
  - Amazon Macie, 357–358
  - Amazon Route 53, 363–364
  - AWS CloudTrail, 359–360
  - AWS Lambda, 361–362
  - AWS Personal Health Dashboard, 364–365
  - AWS Step Functions, 362–363
- Identify function, 326–328
- Recover, 365
  - Amazon Glacier, 366
  - AWS CloudFormation, 366–367
  - AWS OpsWorks, 368–369
  - CloudEndure Disaster Recovery, 367–368
AWS Secrets Manager, 345
AWS Security Hub, 254–255, 311–317, 328–329
- Amazon GuardDuty and, 355
AWS Security of the Cloud, 247
AWS Service Catalog, 334–335
AWS Shield, 340
AWS SSO (Single Sign-On), 338–339
AWS Step Functions, 362–363
- automated response, 292
AWS Systems Manager, 328, 335–337
AWS Transit Gateway, 350–351, 352
AWS Trusted Advisor, 332–333
AWS VPC (Virtual Private Cloud), 94
AWS WA Tool (AWS Well-Architected Tool), 244
AWS WAF (Web Application Firewall), 115, 200, 340–341
- configuring, 259–263
- Initial Access TTP protection, 116–118
- SQL injection and, 256–263
AWS Well-Architected Framework, 244–245, 322
- Cost Optimization, 245–246
- Operational Excellence, 245–246
- Performance Efficiency, 245–246
- Reliability, 245–246
- Security, 245–246
AWS Well-Architected Labs, 244
AWS Well-Architected Tool, 333–334
Azure
- conditional access, 123–127
- DevOps, 115
- WAF (Web Application Firewall), Initial Access TTP, 116–118
Azure AIP File Scanner, 222–223
Azure Application Gateway, 115
Azure Defender
- versus ASC (Azure Security Center), 105–108
- dashboard, 108
- IoT (Internet of Things), 229
- plans, 109
Azure Defender for IoT, IoT (Internet of Things), 230
Azure Defender for SQL, 107
Azure Firewall, 114, 198–199
Azure Front Door, 114
Azure Identity Protection, Credential Access TTP detection, 132–137
Azure Information Protection, 115
Azure IoT Reference Architecture, 230–233
- Azure Defender for IoT
  - agent-based solutions, 234–235
  - agentless solutions, 233
Azure Key Vault, 114, 201–202
Azure Lighthouse, 197–198
Azure Marketplace, 194–195
Azure Monitor, 156–157
Azure Private Links, 114–115
- PaaS Services, 114
Azure Purview, 220–221
Azure Recovery, 204
Azure Secure Score, 205–206
Azure Sentinel, 105
- analytics, 88–89
- automation, 90
- Azure Logic Apps, 90
- Azure Monitor Workbooks, 88
- Command and Control TTP detection, 146–147
- community, 92–93
- data collection, 86–87
- data connectors, 88
- Data Connectors gallery, 111
- Data Exfiltration TTP detection, 153–154
- enabling, 110–111
- incidents, 89
- investigation, 91
- Lateral Movement TTP detection, 144–145
- overview, 108–112
- Privilege Escalation TTP, 128–131
- search, 110
- search-and-query tools, 92
- SIEM and, 108–109
- SOAR, 108–109
- workspace, 110
Azure Service Bus, 115
Azure Sphere, IoT (Internet of Things), 229
Azure Storage Service Encryption, 115
Azure WAF (Web Application Firewall), 200
AzureArc, 196–197
AzureBackup, 115
AzureBastion, 202–204
AzureConfidential Computing, 115
AzureDatabricks ML, 174–181
AzureDDoS protection, 200–201
AzureDDoS Protection Standard, 114

B
banking Trojan, 480
BEC (business email compromise), 481
blast radius, 481
BLI (Breach Level Index), 407
blockchain, 406–407
Bot Control (AWS WAF), 341
botnets, 7, 481
breaches, 481
brownfields, 481
brute force, 481
brute force methods, 461
business email compromise, 119
business environment, CSF, 323

C
C2 (command and control). See Command and Control (MITRE ATT&CK)
CASB (Cloud Asset Security Broker), 85, 216, 463, 481
castle defenses, 80
Chronicle (Google Cloud Platform)
- analytics, 375
- Avast, 374–375
- AVG, 374–375
- Security Command Center, 375
- VirusTotal Enterprise, 374
CI/CD (Continuous Integration and Continuous Delivery), 466
CIDRs (Classless Inter-Domain Routing), 349
ciphertext, 481
CISO (Chief Information Security Officers), 5, 27
cleartext, 481
cloud matrix
- Collection
  - cloud storage objects, 471
  - email, 473–474
  - information repositories, 471–472
  - staged data, 472–473
- Credential Access
  - application access tokens, stealing, 462–463
  - brute force, 461
  - unsecured credentials, 464
  - web credential forgery, 462
  - web session cookie stealing, 463–464
- Defense Evasion
  - alternate authentication material, 460
  - cloud compute infrastructure, 459
  - cloud regions, unused/unsupported, 459–460
  - defenses, impairing, 458–459
  - domain policy, 457–458
  - valid accounts, 461
- Discovery
  - account discovery manipulation, 464–465
  - cloud infrastructure discovery manipulation, 465
  - cloud service dashboards, 466
  - cloud service discovery, 466
  - network service scanning, 467
  - permission groups, 467
  - software, 468
  - system information, 468
  - system network connections, 469
- Exfiltration, detecting, 474–475
- Impact
  - defacement, 475
  - Endpoint DoS, 475–477
  - resource hijacking, 477
- Initial Access
  - drive-by compromise, 447–450
  - phishing, 450–451
  - public-facing application exploit, 450
  - trusted relationship, 451
  - valid accounts, 452
- Lateral Movement
  - alternate authentication material, 470–471
  - spear phishing, internal, 469–470
- Persistence
  - account creation, 453
  - account manipulation, 452–453
  - container image implantation, 454
  - office application startup, 454–455
  - valid accounts, 455
- Privilege Escalation
  - domain policy modification, 456
  - valid accounts, 457
CloudEndure Disaster Recovery, 367–368
CMS (Content Management Systems), 341
CNG (CryptoNG) libraries, 343
COBIT (Control Objectives for Information and Related Technology), 322
Collection (MITRE ATT&CK), 52, 414
- cloud storage objects, 471
- email, 473–474
- information repositories, 471–472
- staged data, 472–473
Command and Control, 8, 53, 77–78, 414, 435–442
- case study, 77–78
- connection proxy, 77
- detecting, 145–147, 280–284
- one-way communication, 77
- ports, non-standard, 77
compliance
- AWS Config, 330
- shared responsibility model, 246–248
confidentiality, 481
container images, implanting, 454
controls, shared responsibility model, 248
cookies, stealing, 463–464
Cost Optimization, AWS Well-Architected Framework, 245–246
Credential Access, 52, 73–74, 414, 421–429
- Amazon Macie, 269–276
- application access tokens, stealing, 462–463
- brute force, 461
- case study, 74
- credential dumping, 73
- detecting, 131–139, 269–276
- MiTM, 74
- password cracking, 73
- unsecured credentials, 464
- web credential forgery, 462
- web session cookie stealing, 463–464
credential phishing, 8
credentials, unsecured, 464
critical infrastructure, 482
cryptography
- public-key, breaking, 398
- random number generators, 397
CSF (Cybersecurity Framework), 321
- core, 322
- Detect function, 325
- GCP (Google Cloud Platform) and
  - Detect function, 380–382
  - Identify function, 376–378
  - Protect function, 378–380
  - Recover function, 383–384
  - Respond function, 382–383
- Identify function, 323–324
- informative references, 322
- MCRA comparison, 184–185
- profiles, 322
- Protect function, 324
- Recover function, 325–326
- Respond function, 325
- tiers, 322
CSPM (Cloud Security Posture Management), 105
- ASC (Azure Security Center), 106
CSPs (cloud service providers), 36–37
- Alibaba Cloud, 388–389
- Google Cloud Platform, 374–375
  - NIST CSF and, 376–384
- IaaS (Infrastructure as a Service), 373–374
- IBM Cloud
  - IBM Cloud Pak for Security, 385
  - IBM Cloud Security Advisor, 386
  - IBM QRadar, 385–386
  - IBM Security Data Explorer, 385
  - Security and Compliance Center, 386
- Oracle Cloud
  - CASB (Cloud Access Security Broker), 387
  - continuous protection, 387
  - Guard, 388
  - Oracle Cloud Infrastructure, 386
  - SCS (SaaS Cloud Security), 387–388
- PaaS (Platform as a Service), 373–374
- SaaS (Software as a Service), 373–374
CTI (CyberThreat Intelligence), 26
Customer Access, AAD (Azure AD), External Identities, 115–116
CVE (Common Vulnerabilities and Exposures), 341
CWP (Cloud Workload Protection), ASC (Azure Security Center), 106
cyber resiliency, organizational culture and, 53–54
cyber risk awareness, 28
cybercrime
- increases in, 4–6
- WEF (World Economic Forum), 4
cybercriminals, 4
cybersecurity, 482
Cybersecurity Ventures, 4
cyberthreats. See threats

D
dark web, 482
Data & Application
- API Management, 115
- Azure Backup, 115
- Azure Confidential Computing, 115
- Azure DevOps, 115
- Azure Information Protection, 115
- Azure Storage Service Encryption, 115
data collection, 57
- Azure Sentinel, 86–87
data estate, 482
data exfiltration. See Exfiltration
data protection, 219
- Advanced eDiscovery, 223–224
- Azure, AIP File Scanner, 222–223
- Azure Purview, 220–221
- Microsoft Compliance Manager, 224–225
- MIP (Microsoft Information Protection), 221–222
data security
- CSF, 324
- Microsoft 365 Security, 187
data-driven methods, 57
DDoS (distributed DoS), 476
- AWS DRT (DDoS Response Team), 340
- AWS Shield and, 340
- AzureDDoS protection, 200–201
- AzureDDoS Protection Standard, 114
- IoT and, 402
decision trees, 305
deep learning, 394
Defacement, 475
Defense Evasion (MITRE ATT&CK), 52, 414
- alternate authentication material, 460
- cloud compute infrastructure, 459
- cloud regions, unused/unsupported, 459–460
- defenses, impairing, 458–459
- domain policy, 457–458
- valid accounts, 461
defense-in-depth
- assume breach mentality, 84–86
- external cloud security, 85
- internal cloud security, 85
denial of service attack (DoS), 482
Detect function (CSF), 325
Detect function (Microsoft 365 Security), 188
detection features, 263
- CSF, 325
devices
- AWS IoT Device Defender, 347
- heterogeneity, 226
- IoT and, 401
  - legacy devices, 227
DevOps, AWS CloudFormation and, 366
digital estate, 482
digital signing, AWS KMS, 346
Director's Handbook on Cyber-Risk Oversight (NACD), 29
Discovery (MITRE ATT&CK), 52, 414
- account discovery manipulation, 464–465
- cloud infrastructure discovery manipulation, 465
- cloud service dashboards, 466
- cloud service discovery, 466
- network service scanning, 467
- permission groups, 467
- software, 468
- system information, 468
- system network connections, 469
DLL (Dynamic Link Library), 482
DLP (Data Leakage Prevention), 19
DLP (data loss prevention), 482
DNS (Domain Name System), Amazon Route 53, 363
DNS protocol, Command and Control detection, 280–284
domains, Rogue Domain Controller, 456
DoppelPaymer, 10
Dridex, 10
drive-by compromise, 447–450
drop accounts, 482

E
EDR (Endpoint Detection Response), 19, 407
ELB (Elastic Load Balancing), AWS Shield and, 340
email, data collection, 473–474
encrypted data, 481
encryption, 483
- AWS KMS, 345
- Azure Storage Service Encryption, 115
- GCP (Google Cloud Platform)
  - CSEK (Customer Supplied Encryption Keys), 379
  - Encryption at Rest, 379
  - Encryption in Transit, 379
- RSA encryption, 397, 398
end-to-end integrated security, Microsoft, 103
Endpoint DoS (Denial of Service), 475–476
EPP (Endpoint Protection Platform), 207–208
EternalBlue tool, 16
event IDs, 456
events, 483
- CSF, 325
Execution (MITRE ATT&CK), 52, 413
Exfiltration, 53, 79–80, 414, 443–445, 483
- automation, 79
- case study, 79–80
- detecting, 147–155, 284–289, 474–475
- Exfiltration Over Alternative Protocol, 79
- Transfer Data to Cloud Account, 79
exploits, 483
exposure, 483
external cloud security, 85
Eye Pyramid campaign, 470

F
federated users, AWS IAM, 338
Firewall, 19
firewalls, 449–450, 483
fusion, 483

G
GCP (Google Cloud Platform)
- Access Approval API, 380
- Admin Console, 376, 378
- Android Enterprise, 381
- autoscaling, 379, 384
- BigQuery, 383
- binary authorization, 380
- Chronicle
  - analytics, 375
  - Avast, 374–375
  - AVG, 374–375
  - Security Command Center, 375
  - VirusTotal Enterprise, 374
- Cloud Adoption Framework, 377, 379
- Cloud Armor, 377, 380, 383
- Cloud CDN, 384
- Cloud Data Catalog, 377
- Cloud Disaster Recovery, 383
- Cloud Functions, 382
- Cloud HSM, 379
- Cloud Identity, 376, 378
- Cloud Identity & Access Management, 377, 378, 382
- Cloud Load Balancing, 384
- Cloud Operations Suite, 381, 383
- Cloud Private Catalog, 377
- Cloud Pub/Sub, 382
- Cloud Resource Manager, 376, 379
- Cloud Security Scanner, 377, 381, 383
- Cloud Status Dashboard, 384
- Cloud Training, 379
- Cloud VPC, 378, 380
- Contact Center AI, 384
- container images, 454
- Container Registry Vulnerability Scanner, 377, 381, 383
- Context Aware Access, 378
- CSCC (Cloud Security Command Center), 377, 381, 382
- CSEK (Customer Supplied Encryption Keys), 379
- CSF (Cybersecurity Framework) and
  - Detect function, 380–382
  - Identify function, 376–378
  - Protect function, 378–380
  - Recover function, 383–384
  - Respond function, 382–383
- Deployment Manager, 384
- DLP (Data Loss Prevention), 379
- Encryption at Rest, 379
- Encryption in Transit, 379
- Event Threat Detection, 382, 383
- Forseti Security, 376, 378, 383
- G Suite Phishing & Malware Protection, 381
- G Suite Security Center, 381, 382
- GCP Quotas, 379
- Google Admin Console, 382
- Google Security & Trust Center, 381
- IDaaS (Identity as a Service), 378, 382
- Identity Aware Proxy, 378
- Identity Platform, 377, 378, 382
- Incident Response Management, 381, 382, 384
- Key Management Service, 379
- Log Exports, 383
- network telemetry, 381
- Phishing Protection, 378, 380, 383
- Policy Intelligence, 382
- Professional Services, 377, 379
- reCAPTCHA, 380
- Security & Trust Center, 377
- Security Command Center, 375
- Shielded VMs, 380
- Titan Security Key, 380
- Traffic Director, 380
- VPC Service Controls, 378, 380
GDPR (General Data Privacy Regulation), Amazon Macie and, 357
GitHub
- AWS CloudFormation and, 366
- Azure Sentinel, 92–93
- maintainers, 485
- npm, 485
- secrets, 486
governance
- AAD (Azure AD)
  - Identity Governance, 215–216
- AWS Management and Governance services, 335
- CSF, 323
- Identity Governance, 209
- Microsoft 365 Security, 186
GPOs (Group Policy Objects), 456, 458
graphs, Azure Sentinel, 91
greenfield, 483
GSOC (Global Security Operations Center), 43
GuardiCore honeypots, 394

H
HIPAA (Health Insurance Portability and Accountability Act), Amazon Macie and, 357
HMM (Hunting Maturity Model), 23
- Level 0 (Initial), 25
- Level 1 (Minimal), 25
- Level 2 (Procedural), 25
- Level 3 (Innovative), 25
- Level 4 (Leading), 25
- organization, 23–26
homoglyphs, 7
honeypot, 483
- GuardiCore, 394
HSM (hardware security module), 343
human-operated ransomware, 483
HUMINT (Human Intelligence), 26–27
hunting, 483
hypothesis-based methods, 57

I
IaaS (Infrastructure as a Service), 104, 373–374
IBM Cloud
- IBM Cloud Pak for Security, 385
- IBM Cloud Security Advisor, 386
- IBM QRadar, 385–386
- IBM Security Data Explorer, 385
- Security and Compliance Center, 386
ICS (Industrial Control Systems), 405
ID Quantique, 397
Identify function (CSF), 323–324
Identify function (Microsoft 365 Security), 186–187
Identity & Access Management
- AAD (Azure Active Directory), 113–114
  - Identity Protection, 114
- ASC (Azure Security Center), 113
- CSF, 324
- Microsoft 365 Security, 187
identity protection
- AAD (Azure AD), 209, 211
  - B2B, 209, 215
  - B2C, 209, 215
  - Privilege Identify Management, 209
- Azure MFA, 211–212
- Conditional Access, 209, 210–211
- Defender for Identity, 209
- Identity Governance, 209, 215–216
- Identity Protection, 212–213
- Microsoft Defender for Identity, 214–215
- Multi-Factor Authentication, 209
- PIM (Privilege Identity Management), 213–214
IDPS (Intrusion Detection and Prevention Systems), 47
IDS (Intrusion Detection Systems), 19, 484
immutable storage, 307
Impact (MITRE ATT&CK), 53, 414
- defacement, 475
- Endpoint DoS, 475–477
- resource hijacking, 477
incident response
- Amazon EC2, 292
- automating, 290–294
- AWS Config Rules, 292
- AWS Fargate, 292
- AWS Lambda, 292
- AWS Step Functions, 292
- costs, scanning methods, 293
- event-driven responses, 294–304
- foundations, 289–290
- SSM Agent, 292
information repositories, data collection, 471–472
Infrastructure & Network
- Azure Application Gateway, 115
- Azure DDoS Protection Standard, 114
- Azure Firewall, 114
- Azure Front Door, 114
- Azure Key Vault, 114
- Azure Private Links, 114–115
- Azure Service Bus, 115
- Key Vault Managed HSM, 114
- VPN Gateway, 114
- WAF (Web Application Firewall), 115
Initial Access (MITRE ATT&CK), 52, 413
- Azure Conditional Access, 123–127
- Microsoft Defender for Endpoint, 121–123
- Microsoft Defender for Office 365, 118–121
- preventing, 256
- WAF and, 116–118
insider threats, 483
integrity, 484
internal cloud security, 85
intrusion, 484
intuition-based analysis, machine intelligence and, 394
investigation and remediation
- Microsoft Defender for Endpoint, 157–158
- Microsoft Threat Experts, 159–166
IOC (indicators of compromise), 23, 47, 483
IOC-based methods, 57
IoT (Internet of Things), 225, 399–401
- attacks, 402–403
- Azure Defender, 229
- Azure Defender for IoT, 230
- Azure Sphere, 229
- denial of service, 228
- devices, cybersecurity and, 401
- elevation of privilege, 229
- information disclosure, 228, 229
- legacy devices, 227
- OWASP (Open Web Application Security Project) and, 400–401
- preparedness, 403–404
- risk growth, 401–403
- security concerns, 226–227
- spoofing, 228
- threat models, 227–229
IPFIX (IP Flow Information Export), 394
IPS (Intrusion Prevention Systems), 484
ISO (International Organization for Standardization), 484
ITSM (IT Service Management), 335
ITSM/ITOM, AWS Control Tower and, 335

J
JCE (Java Cryptography Extensions), 343
Jira Service Desk, 335
JIT (just in time), 484
- Lateral Movement TTP and, 139–144

K
key management, AWS KMS, 346
Key Vault Managed HSM, 114
keylogging, 484
keypairs, 484
kill chains, 484
KPIs (key performance indicators), 25, 58
KRIs (key risk indicators), 58

L
Lambda functions, response and recovery, 314
Lateral Movement, 52, 75–76, 414, 431–434
- alternate authentication material, 470–471
- application access token, 75
- case study, 75–76
- detecting, 139–145, 276–280
- pass the hash, 75
- PtT (pass the ticket), 75
- spear phishing, internal, 469–470
LDAP (Lightweight Directory Access Protocol), 114
lifecycle
- phishing, 9
- ransomware, 11
logging
- Amazon CloudWatch, 251–252
- AWS CloudTrail, 249–251, 295–304
- CloudTrail logging disable and, 310–317
- VCP Flow Logs, 252–253

M
machine intelligence. See ML (machine learning)
Machine Intelligence, 26
machine learning, 484. See also ML (machine learning)
macro viruses, 485
maintainers, 485
maintenance
- CSF, 324
- Microsoft 365 Security, 188
malicious user profiling, 394
malware, 485
- Antimalware, 19
- detection, ML and, 395–396
- G Suite Phishing & Malware Protection, 381
MCAS (Microsoft Cloud App Security), 147, 157, 216–218
- dashboard, 148
- Microsoft Flow and, 166–169
MCRA (Microsoft Cybersecurity Reference Architecture), 184
- hybrid infrastructure
  - ASC (Azure Security Center), 205
  - Azure Arc, 196–197
  - Azure Bastion, 202–204
  - Azure DDoS protection, 200–201
  - Azure Firewall, 198–199
  - Azure Key Vault, 201–202
  - Azure Lighthouse, 197–198
  - Azure Marketplace, 194–195
  - Azure Recovery, 204
  - Azure Secure Score, 205–206
  - Azure WAF, 200
  - Private Link support, 195–196
- people security, 236
  - attack simulator, 237
  - Communication Compliance, 239–240
  - IRM (Insider Risk Management), 237–239
- SDL (Security Development Lifecycle), 193–194
- Service Trust Portal, 192–193
- threat intelligence, 190–192
Microsoft
- end-to-end integrated security, 103
- Investigate and Response services, 156–172
- security and prevention services, 112–127
Microsoft 365
- Defender, treat detection, 154–155
- Security
  - Detect function, 188
  - Identify function, 186–187
  - NIST CSF and, 185
  - Protect function, 187–188
  - Recover function, 189–190
  - Respond function, 189
- threat kill chain protection, 112
Microsoft Compliance Manager, 224–225
Microsoft Defender for Endpoint
- attack surface reduction, 121
- enabling, 122–123
- Initial Access TTP protection, 121–123
- investigation and remediation, 157–158
Microsoft Defender for Office 365, 119–121
- Initial Access TTP protection, 118–121
Microsoft Detect services, 127–128
Microsoft Endpoint Manager, 206
- configuration manager, 207–208
- EPP (Endpoint Protection Platform), 207–208
- Intune, 208–209
Microsoft Flow
- Cloud App security, 169
- MCAS and, 166–169
- security response automation, 166–169
Microsoft Intune, 208–209
Microsoft SDL (Security Development Lifecycle), 193–194
Microsoft Threat Experts
- alerts, 165, 166
- experts on demand, 161–165
- machine compromise, 165
- Targeted Attack Notification, 159–161
- threat intelligence, 166
migration, AWS PrivateLink, 349
MIP (Microsoft Information Protection), 221–222
mitigation, CSF, 325
MITRE ATT&CK
- Collection (TA0009), 52, 67, 414
- Command and Control (TA0001), 53, 77, 414, 435–442
  - case study, 77–78
  - connection proxy, 77
  - detecting, 145–147
  - one-way communication, 77
  - ports, non-standard, 77
- Credential Access (T0006), 52, 73, 414, 421–429
  - case study, 74
  - credential dumping, 73
  - detecting, 131–139
  - MiTM, 74
  - password cracking, 73
- Defense Evasion (TA0005), 52, 67, 414
- Discovery, 52, 414
- Execution (TA0002), 52, 67, 413
- Exfiltration (TA0010), 53, 67, 79, 414, 443–445
  - automation, 79
  - case study, 79–80
  - detecting, 147–155
  - Exfiltration Over Alternative Protocol, 79
  - Transfer Data to Cloud Account, 79
- framework, 22
- Impact, 53, 414
- Initial Access (TA0001), 52, 67, 116–127, 413
- Lateral Movement (TA0008), 52, 67, 75, 414, 431–434
  - application access token, 75
  - case study, 75–76
  - detecting, 139–145
  - pass the hash, 75
  - PtT (pass the ticket), 75
- matrix, sub-techniques, 66
- Persistence (TA0003), 52, 67, 413
  - New Service (T1050), 67–68
- Privilege Escalation (TA0004), 52, 71–72, 128–131, 414, 415–419
  - access token manipulation, 72
  - case study, 72–73
  - DLL search order hijack, 72
  - New Service (T1050), 68
  - UAC bypassing, 72
- reconnaissance, 413
- resource development, 413
- Tactic (TA0003), 67
- tactics, 67, 70
- techniques, 67–69, 70
  - AppInt (T1103), 67
  - New Service (T1050), 67
  - Spear Phishing Link, 68
  - Spear Phishing via Service, 68
- testing, 65
- threat modeling, 21–23
- TTPs (Tactics, Techniques, and Procedures), 413–414
- uses, 64–65
ML (machine learning), 172–173
- AI and, 393–394
- Azure Databricks ML, 174–181
- deep learning, 394
- false positives and, 395
- fusion detections, 173–174
- intuition-based analysis and, 394
- malware detection and, 395–396
- risk scoring and, 396
- versus traditional approach, 395
- unsupervised learning, 394
model inversion, 485
model stealing, 485
monitoring
- Amazon GuardDuty, 253–254, 354
- AWS Config, 329–330
- Azure Monitor, 156–157
- Azure Monitor Workbooks, 88
- continuous, CSF, 325
MSSP (Managed Security Service Providers), 392
multi-cloud environment, 35–37
- asset inventory, 37
- authentication, 38
- authorization, 38
- configuration management, 37
- CSPs (cloud service providers), 36–37
- cyber resiliency, 53–54
- multi-tenant environment, 38–40
- SOC (Security Operations Center), 41–46
- solutions, 38
- threat modeling
  - assume breach mentality, 51
  - components, 19
  - hypothesis development, 52–53
  - methodologies, 20
  - MITRE ATT&CK, 21–23
  - proactive hunting team, 50–51
  - SDL (Security Development Lifecycle), 20–21
  - SOC and, 50–53
multi-factor authentication, AWS AIM, 338
multi-tenant environments, 38–40

N
NACD (National Association of Corporate Directors), 29
nation states
- activity group, 485
- threats, 10–14
  - actors, 14
  - adversaries list, 13
  - VPNs (virtual private networks), 11
NGOs (non-governmental organizations), 11
NIST (National Institute of Standards and Technology), 485. See also CSF (Cybersecurity Framework)
npm, 485

O
OAuth, 462–463
obfuscation, 485
Operational Excellence, AWS Well-Architected Framework, 245–246
operations, attack operators, 485
operators, 485
Oracle Cloud
- CASB (Cloud Access Security Broker), 387
- continuous protection, 387
- Guard, 388
- Oracle Cloud Infrastructure, 386
- SCS (SaaS Cloud Security), 387–388
organizations, cyber resiliency and, 53–54
OSINT (Open-Source Threat Intelligence), 26
OT (operational technology), 225, 405–406
- ICS (Industrial Control Systems), 405
- IoT and, 225–227
- legacy devices, 227
- SCADA (Supervisory Control and Data Acquisition) system, 405
OWASP (Open Web Application Security Project), 341
- IoT (Internet of Things) and, 400–401

P
PaaS (Platform as a Service), 104, 373–374
- Azure Private Links, 114
password spray, 485
PAW (Privilege Access Workstation), 139
Performance Efficiency, AWS Well-Architected Framework, 245–246
permissions, AWS IAM, 338
Persistence, 52, 413
- account creation, 453
- account manipulation, 452–453
- container image implantation, 454
- New Service (T1050), 67–68
- office application startup, 454–455
- valid accounts, 455
phishing, 7–8, 450–451, 485
- credential phishing, 8
- lifecycle, 9
- spear phishing, 6, 8, 118
  - internal, 469–470
phishing kit, 485
PID (process IDs), 454
PII (personally identifiable information), Amazon Macie and, 357
PIM (Privileged Identity Management), 114
playbook, 485–486
poisoning attacks, 486
policy management, AWS Control Tower, 331
PPID (parent process IDs), 454
Private Link support, 195–196
Privilege Escalation, 52, 71–73, 414, 415–419
- access token manipulation, 72
- case study, 72–73
- detecting, 128–131, 263–268
- DLL search order hijack, 72
- domain policy modification, 456
- IoT, 229
- New Service (T1050), 68
- UAC bypassing, 72
- valid accounts, 457
Protect function (CSF), 324
Protect function (Microsoft 365 Security), 187–188
protective technology
- CSF, 324
- Microsoft 365 Security, 188
public-facing application exploit, 450

Q
quantum computing, 396
- challenges, 398–399
- entanglement, 397
- future, 399
- quantum-secure communications, 398
- qubits, 396
- Shor's algorithm, 397
Quantum Dice, 397
Quantum Exchange, 397
qubits, 396

R
random number generators, cryptography and, 397
ransomware, 8–10, 486
- human-operated ransomware, 483
- lifecycle, 11
- threats, 8–10
Ransomware-as-a-Service, 10
RDP (remote desktop protocol), 486
reconnaissance, 413
Recover function (CSF), 325–326
Recover function (Microsoft 365 Security), 189–190
recovery. See response and recover
red team, 486
red team exercise, 486
red team testing, 486
regulatory issues, 408
Reliability, AWS Well-Architected Framework, 245–246
resilience, 486
resource development, 413
Resource Hijacking, 477
Respond function (CSF), 325
Respond function (Microsoft 365 Security), 189
response and recover
- AI (artificial intelligence and), 317–319
- alternative accounts, 305–306
- Amazon EBS snapshots, 306
- automating response, 290–294
- CloudEndure Disaster Recovery, 367–368
- CloudWatch log sharing, 306–307
- copying data, 306
- CSF, 325–326
- decision trees, 305
- event-driven responses, 294–304
- forensic workstations, 309
- immutable storage, 307
- incident response foundations, 289–290
- instances and, 309–310
- Lambda functions, 314
- ML (machine learning and), 317–319
- resource isolation, 308
- resource launch, 307–308
- viewing data, 306
reverse engineering, 486
risk assessment
- CSF, 324
- Microsoft 365 Security, 186
risk awareness, 28
risk management
- CSF, 324
- cybersecurity and, 28
- Microsoft 365 Security, 187
Rogue Domain Controller, 456
ROSI (Return of Security Investment), 58
RSA encryption, 397, 398

S
S3 bucket, 270
SaaS (Software as a Service), 104, 373–374
- SCS (SaaS Cloud Security), 387–388
SAML (Simple Access Mark-up Language), 14
- AWS SSO and, 339
SAW (Secure Access Workstation), 139
SCADA (Supervisory Control and Data Acquisition) system, 405
SCPs (service control policies), 331
SDL (Security Development Lifecycle), 20–21, 486
SEA (Syrian Electronic Army), 470
SecOps, 47–48
- SOC, 235+236
secrets, 486
security, shared responsibility model, 246–248
Security in the Cloud (customer), 247
Security of the Cloud (AWS), 247
Security section, AWS Well-Architected Framework, 245–246
service health, 364–365
ServiceNow, 335
shared responsibility model, 102–104
- AWS, 247–248
- controls, 248
- customer, 247–248
- IaaS (Infrastructure as a Service) solutions, 104
- on-premises solutions, 104
- PaaS (Platform as a Service) solutions, 104
- SaaS (Software as a Service) solutions, 104
- security and compliance, 246–248
SIEM (Security Information and Event Management), 41–42, 94–95, 408, 487
SIGINT (Signals Intelligence), 26
skillset requirements, 54
- analytical mindset, 56
- data analysis, 56
- outsourcing, 56–57
- programming languages, 56
- security analysis, 55
- soft skills, 56
SLAs (Service Level Agreements), 25
SMiShing (SMS phishing), 487
SNS, email topics, 299–301
SOAR (Security Orchestration, Automation, and Response), 86, 487
- Azure Sentinel, 108–109
SOC (Security Operations Center), 41, 487
- Azure Defender, 236
- Azure Sentinel, 235
- GSOC (Global Security Operations Center), 43
- hypothesis development, 52–53
- Microsoft DART (Detection and Response Team), 236
- Microsoft Defender XDR, 236
- Microsoft Threat Experts, 236
- model, 43–44
- MSSP/MDR providers, 236
- reference architecture, 48
- scope, 43
- services, 43
- SIEM (Security Information and Event Management), 41–42
- teams
  - incident management, 45
  - proactive hunting team, 50–51
  - SOC analysts, 45
  - specialized, 45–46
  - threat intelligence, 45
- technologies, 44–45
- threat management, process, 44
- threat modeling, 50–53
- three-tier approach, 51
- tooling, 44–45
- type, 43
SOC analysts, 392
SolarWinds breaches, 391
Solorigate, 11
spear phishing, 6, 8, 118
- internal, 469–470
spoofing, 487
- homoglyphs, 7
SQL injection protection, 256–263
SREs (site reliability engineers), 360
SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificates, 346
SSM Agent, automated response, 292
storage objects, data collection, 471
storage, immutable, 307
supply chain, 487
- Microsoft 365 Security, 187
- risk management, 487
  - CSF, 324

T
testing, MITRE ATT&CK, 65
threat detection, 46–48
- legacy-based systems, 392
threat hunting, 6–7
- active defense, 28
- areas of study, 16
- board of directors, 27–30
- CISO (Chief Information Security Officers), 27
- data collection steps, 57
- desired outcome, 16
- foundational metrics
  - functionality, 59
  - scope, 58
  - visibility, 58
- goals, 49–50
- human elements, 26–33
- hunter's role, 31–33
- methods
  - data-driven, 57
  - hypothesis-based, 57
  - IOC-based, 57
  - TTPS-based, 57
- multi-cloud environments, 35–37
  - asset inventory, 37
  - authentication, 38
  - authorization, 38
  - configuration management, 37
  - multi-tenant environment, 38–40
  - SOC (Security Operations Center), 41–46
  - solutions, 38
- need for, 14–18
- objectives, 49–50
- operational metrics, 59–61
- organization size, 17–18
- program effectiveness, 61–62
- skillset requirements, 54
  - analytical mindset, 56
  - data analysis, 56
  - outsourcing, 56–57
  - programming languages, 56
  - security analysis, 55
  - soft skills, 56
- teams
  - combined/hybrid team, 30
  - dedicated internal team, 30
  - periodic hunt teams, 30–31
threat hunting as a service, 407
threat intelligence, Zero Trust model and, 83
threat kill chain, Microsoft 365, 112
threat management, SOC, process, 44
threat modeling
- assume breach mentality, 51
- components, 19
- hypothesis development, 52–53
- IoT cybersecurity, 227–229
- methodologies, 20
- MITRE ATT&CK, 21–23
- SDL (Security Development Lifecycle), 20–21
- SOC and, 50–53
- teams, proactive hunting team, 50–51
threat variants, 487
threats
- nation state, 10–14
- phishing, 7–8
- ransomware, 8–10
Trojans, banking Trojans, 480
trusted relationships, 451
TTPs (Tactics, Techniques, and Procedures), 6, 70, 413–414, 487
- tactics, 67
- techniques, 67–69
TTPS-based methods, 57

U
UEBA (user and entity behavior analytics), 109–110, 236–240, 487

V
VCP Flow Logs, 252–253
viruses, macro viruses, 485
VirusTotal Enterprise, 374
vishing (voice phishing), 488
VM (virtual machine)
- compromised, 394
- malicious user profiling, 394
VPN Gateway, 114
VPNs (virtual private networks), nation state threats, 11

W
WannaCry, 10
- EternalBlue tool, 16
watering hole attack, 449
WEF (World Economic Forum), 4
whaling attacks, 119
WRM (write once, read many), 307

X
XDR (extended detection and response), 408

Z
Zapier, 166
Zero Trust, 488
Zero Trust Access Architecture, AAD (Azure Active Directory), 113
Zero Trust model, 80–83
- threat intelligence and, 83

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.

Table of Contents for Index

Create new playlist

Sign In

Sign Up

Table of Contents for
Index