Microsoft Sentinel Security Testing Ground Rules
Keeping test incidents from being actual incidents.
Cybersecurity testing is important for ensuring that the security controls that your organization is implementing are working. Cloud cybersecurity testing takes on the same level of importance, but in the cloud your security testing faces some unique challenges because of the constraints placed by the cloud services providers (CSP).
In this blog, we show how setting some ground rules can help prevent running afoul of CSPs’ policies for security testing in cloud environments. The rules discussed in this article are what CyberMSI uses to reduce the risk of unintentionally violating cloud services terms during our security testing.
Discuss Testing Before Starting
One of the easiest ways to prevent unintended consequences from security testing is by peer-reviewing tests before running them. An analyst may believe they have found a good way to test their cloud security controls, but they need to discuss it with more senior analysts and team leads to understand all the effects of the testing method being used.
No Cloud or VM Escapes
VM and cloud escapes are both ways that security testers could potentially gain access to the devices hosting the cloud service. This would be a noticeable breach in security for Microsoft, and the CSP would not be happy with whichever organization made a breach like this. It is better not to use these types of tests to avoid affecting the relationship with CSPs.
No Breaking into Other AAD Identities
Breaking into other accounts registered with AD may be appropriate for security testing in some environments, but in the cloud that changes. If Microsoft notices that the security controls for identity management on their platform are being broken, they may view that activity as attempting to move laterally. To avoid showing indications of lateral movement, do not break into other AAD identities, even in your own test subscriptions.
No Deleting Microsoft-Specific Logs
Your organization is not the only one that needs logs from your cloud platform, Microsoft needs them as well. If a security tester manages to delete security logs that are specific to Microsoft such as the Microsoft Activity or Resource logs, you may hinder investigations for unrelated cybersecurity incidents. Just remember that platform logs should not be removed during security testing because they may be needed for reasons beyond your security testing.
Approval is Needed Before Using Some Logic Apps
There are some Microsoft Logic App action components have significant capabilities in Microsoft. For this reason, the following action components have been restricted and need approval before they can be used during security feature testing.
AAD Components That Change User Access:
Some of the Microsoft Active Directory action components can take actions like change group membership or disable accounts. These action components need approval before being used because they can disrupt vital business functions.
Runbook and Microsoft Automation Components:
These action components allow users to create any custom action they can write with PowerShell. This can have an enormous number of unintended consequences which is why they need approval before being tested.
Components that Create a Paid Resource:
There are some action components that create paid resources like the “create container” action component. These need approval because they could potentially create resources that do not fit in the budget.
We will continue to share best practices and lessons learned in future posts on security testing in cloud environments. The list of controls for security testing will likely continue to expand as the security testers come up with new ways to get around security controls.
In closing, consider these three questions when doing cloud security testing in your organization:
- Do we have any security testing controls?
- What are some of the risks associated with security testing in the cloud?
- Which team members should perform security testing to ensure that they do not cause unintended effects in the cloud environments?