Microsoft Cybersecurity Architect Exam Ref SC-100

You're reading from Microsoft Cybersecurity Architect Exam Ref SC-100: Get certified with ease while learning how to develop highly effective cybersecurity strategies

Product type: Paperback
Published in: Jan 2023
Publisher: Packt
ISBN-13: 9781803242392
Length: 272 pages
Edition: 1st Edition
Author (1): Dwayne Natwick

Cybersecurity architecture use cases

Now that we understand security posture, defense in depth, and shared responsibility as we begin to architect cybersecurity for the cloud, we will discuss the makeup of a security operations team and the levels of a cybersecurity attack.

Security operations

In discussing security operations, you will hear terms such as red team, blue team, yellow team, purple team, white hat, and black hat. Let’s define each of these:

  • Red team – This is a team within the company's cybersecurity operation that conducts simulated attacks and penetration tests against the company's infrastructure.
  • Blue team – This team focuses on defenses and the response to attacks; these are the incident responders within cybersecurity operations.
  • Yellow team – These are the in-house and possibly third-party developers whom the blue team should work with, so that defenses are built into controls as they are developed.
  • Purple team – This team focuses on the methodology around the security architecture and protection. The purple team works closely with the red and blue teams to maximize the cybersecurity capabilities of the company. It relies on continuous feedback and lessons learned from the red and blue teams to improve the effectiveness of the controls in place for vulnerability assessment, threat hunting and detection, and network monitoring.
  • White hat – These are ethical hackers. They use the same tools as a malicious hacker to attack a company's systems, but with the company's permission.
  • Black hat – These are malicious hackers attempting to gain some level of control over, and do harm to, the company they are attacking.

Understanding the stages of a cyber attack

There are many ways that an attacker can attempt to access resources within the company. How they gain this access and what they attempt to accomplish once they gain access is the foundation of a cyber attack. Figure 1.2 shows the stages of a cyber attack in a linear format:

Figure 1.2 – Stages of a cyber attack

In many cases, an attacker is attempting to enter and do some level of damage at one of these stages. Sophisticated attackers may go through every one of these stages in order to gain full access to resources and increase the amount of damage that they can do to a company. Let’s define each of these stages for further understanding:

  1. Reconnaissance: This is the planning stage of the attack. The attacker is gathering information that they can find about the company or companies that they will be targeting. This may be through social media, websites, phishing, or social engineering of personnel within the company. Another aspect of this stage is port scanning known management ports, such as RDP port 3389 or SSH port 22. The goal at this stage is to attempt to find ways to access systems.
  2. Intrusion: Once the reconnaissance is successful, the attacker has found a way to access a system or systems within the company network. Now, they will use that knowledge to get into those systems. One type of intrusion is a brute-force attack.
  3. Exploitation: The attacker has gained access to a system on the company network and now they want to exploit that system. This is where the attacker begins to show malicious intent. They will begin to use this access to deliver malware across the network.
  4. Privilege Escalation: Once the attacker has gained access to a system, they will want to gain administrator-level access to the current resource, as well as additional resources on the network. If they have gained access to a virtual machine on the network, they could have administrative login privileges to other virtual machines and resources on the network.
  5. Lateral Movement: Companies that use the same administrator username and password could allow the attacker to gain access to other systems across the network. This lateral movement could lead the attacker from a system without sensitive information to one that has extremely sensitive information.
  6. Obfuscation/Anti-forensics: As is the case with any attack or crime, the person or people involved do not want to be found or traced. Therefore, they attempt to keep their access anonymous. If they have gained access through someone’s credentials within the company, this could help to decrease their traceability.
  7. Denial of Service: When an attacker cuts off access to resources, this is a denial of service. This may be through an attack such as a SYN flood, where the attacker sends a large number of requests to a company's public IP address faster than they can be processed. This flood of requests blocks legitimate requests from reaching the resources. Another means of denial of service is a ransomware attack. This is not a typical blocking of access but rather the withholding of information through encryption, so that the company and its users can no longer access that information. The attacker then extorts the company for payment to make the information accessible again.
  8. Exfiltration: The final aspect of the cyber attack is exfiltration. This is where the attacker has gained access to sensitive information and is able to take that information to do harm in some way. This could be banking information, personally identifiable information (PII) about personnel or customers, or other valuable data.

Protecting against each of these stages of the cyber attack is how we defend the kill chain. Each stage becomes an area to protect with cybersecurity controls. Understanding the vulnerable areas and the threats to them will allow you to determine how to address them and create a secure architecture.
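To make two of these stages concrete from the defender's side, the following added example (not from the book) runs simple detections over a constructed authentication log: the Intrusion stage as a brute-force login (repeated failures from one source followed by a success) and the Lateral Movement stage as one shared administrator account succeeding on several hosts in a short window. The log format, hostnames, addresses and thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the book); the key=value format is hypothetical.
SAMPLE_LOG = """\
2023-01-10T09:00:01 host=web01 user=admin src=203.0.113.5 result=fail
2023-01-10T09:00:03 host=web01 user=admin src=203.0.113.5 result=fail
2023-01-10T09:00:05 host=web01 user=admin src=203.0.113.5 result=fail
2023-01-10T09:00:09 host=web01 user=admin src=203.0.113.5 result=success
2023-01-10T09:02:00 host=db01 user=admin src=10.0.0.11 result=success
2023-01-10T09:03:30 host=app02 user=admin src=10.0.0.11 result=success
2023-01-10T09:07:00 host=web01 user=alice src=10.0.0.42 result=fail
2023-01-10T09:07:20 host=web01 user=alice src=10.0.0.42 result=success
""".splitlines()

def parse_line(line):
    """Parse 'TIMESTAMP key=value ...' into a dict; 'ts' becomes a datetime."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    return event

def detect_brute_force(events, threshold=3, window=timedelta(minutes=2)):
    """Intrusion stage (ATT&CK T1110): >= threshold failures for one src/host/user within window, then a success."""
    hits, failures = [], defaultdict(list)
    for e in events:
        key = (e["src"], e["host"], e["user"])
        if e["result"] == "fail":
            failures[key].append(e["ts"])
            continue
        recent = [t for t in failures.pop(key, []) if e["ts"] - t <= window]
        if len(recent) >= threshold:
            hits.append(key)
    return hits

def detect_lateral_movement(events, min_hosts=3, window=timedelta(minutes=10)):
    """Lateral Movement stage (ATT&CK T1021): one account succeeding on >= min_hosts distinct hosts within window."""
    hits, logins = [], defaultdict(list)
    for e in (x for x in events if x["result"] == "success"):
        logins[e["user"]].append((e["ts"], e["host"]))
        recent = {h for t, h in logins[e["user"]] if e["ts"] - t <= window}
        if len(recent) >= min_hosts and e["user"] not in hits:
            hits.append(e["user"])
    return hits

def run_detections(lines=SAMPLE_LOG):
    events = [parse_line(l) for l in lines if l.strip()]
    return {"brute_force": detect_brute_force(events),
            "lateral_movement": detect_lateral_movement(events)}
```

On the sample log, the shared `admin` account is flagged for both stages while `alice`, with a single failed attempt on one host, is not.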

Microsoft Defender for Cloud threat protection alert events are categorized based on the MITRE ATT&CK framework to understand and investigate potential attacks. Figure 1.2 shows this framework and the anatomy of an attack.

For more information on the MITRE ATT&CK framework, go to this link: https://attack.mitre.org/

In the next section, you will learn how to address the areas of cybersecurity in the cloud within the areas of shared responsibility and zero trust. You will also learn about some of the common attacks that you should be aware of when building a cybersecurity architecture.
