Comprehensive Cybersecurity Lab:

Building, Testing, and Securing a Network Environment with Microsoft Azure

Portfolio Project

Clicking on a link opens the video in YouTube at the related timestamp.

Lab Overview

0:00 - Intro

0:23 - Cybersecurity Lab Description

Building and Testing the Environment

5:10 - Create Azure Resources

6:40 - Create Insecure Inbound Rule in NSG

8:02 - RDP into Windows VM

8:49 - Turn Off Windows Defender Firewall

9:51 - Install SQL Server

13:23 - Install SQL Server Management Studio & Enable Logging

16:22 - Generate Failed Logins to SQL Server

16:44 - View Logs in Event Viewer

17:24 - Create Linux VM

18:21 - Create Vulnerable Inbound Rule in NSG

19:13 - Create Attacker VM in a Separate Virtual Network

21:03 - Generate Failed Login Attempts to Windows VM

23:16 - Simulate Brute Force Attack to SQL Server

24:20 - Simulate Brute Force SSH Attack to Linux VM

25:34 - View Logs in Event Viewer

27:21 - View Logs in Syslog

28:20 - Create Users in Entra ID

31:56 - Create Storage Account

32:45 - Create Log Analytics Workspace

33:24 - Create Workspace & Watchlist in Azure Sentinel

34:27 - Enable Microsoft Defender for Cloud & Enable Logging

36:48 - Create Flow Logs in NSGs

37:40 - Create Data Collection Rules

40:18 - Install Monitoring Agent on Windows VM

42:33 - Install Monitoring Agent on Linux VM

43:50 - Configure Log Export for Entra ID

44:22 - Create & Test User Accounts

47:05 - Simulate Successful Brute Force Log-In Attack to Azure

47:44 - Configure Log Export for Activity Log

48:21 - Create/Delete Resource Groups

49:40 - Create/Delete NSG Rule

50:29 - Configure Log Export for Storage Account

51:08 - Create Key Vault & Secrets

52:20 - Configure Logging for Key Vault

52:51 - Test Key Vault Logging & Log Export

53:39 - Test Storage Container Logging & Log Export

54:46 - Add Workbooks to Sentinel

58:03 - Configure Scheduled Query Rule

59:42 - Simulate Brute Force Attack to Windows VM

1:00:45 - Query Logs in Log Analytics Workspace

1:01:07 - Examine Sentinel Incident

1:02:07 - Import Analytics Rules into Sentinel

TRIGGER INCIDENTS:

1:02:41 - Brute Force to Entra ID [Success]

1:03:49 - Brute Force to MSSQL [Attempt]

1:05:08 - Malware Outbreak

1:06:33 - Possible Privilege Escalation

1:07:24 - Windows Host Firewall Tampering

1:08:25 - Excessive Password Resets

VULNERABILITY SCANNER:

1:09:44 - Prepare Vulnerability Management Scanner

1:11:45 - Install Vulnerable Software

1:12:55 - Configure OpenVAS & Run Uncredentialed Scan

1:14:12 - Examine Report of Uncredentialed Scan

1:15:50 - Configure OpenVAS & Run Credentialed Scan

1:18:58 - Examine Report of Credentialed Scan

1:20:42 - Delete Vulnerable Software [Remediation]

1:21:27 - Run Credentialed Scan [After Remediation]

1:21:44 - Examine Report of Credentialed Scan [After Remediation]

1:22:43 - Gather Baseline Metrics

1:24:03 - Assess a 24-Hour Unsecured Environment

1:24:57 - View Incident Maps - 4 Days Unsecured

1:25:59 - Adhere to NIST SP 800-61 for Incident Response

1:27:23 - Incident Investigation Playbook

INCIDENT INVESTIGATION: "Brute Force Success - Windows"

1:28:16 - Known False Positive

INCIDENT INVESTIGATION: "Brute Force Attempt - Windows"

1:29:03 - Sentinel Data & Visualization

1:33:10 - External Resources: IP Investigation Tools

1:34:25 - Log Analytics Workspace: Time Range Configuration

1:35:13 - Retrieve All Successful Logins

1:35:43 - Retrieve Account Names Associated w/ Successful Logins

1:36:06 - Retrieve Security Events From a Specific IP Address & w/ Successful or Failed Logins

1:37:06 - Retrieve Security Events w/ Successful Logins & From a Specific IP Address

1:37:19 - Retrieve All Failed Logins

1:37:40 - Count Events By User Account

1:38:12 - Find External IP Addresses w/ Most Logins Both Successful/Failed

1:38:40 - Events w/ Administrative Privileges

1:38:59 - Retrieve Account Names w/ Events & Administrative Privileges

1:39:17 - Failed Login Types

1:39:31 - Time Trend Analysis for Patterns or Specific Time Frames

1:40:17 - Document & Close Out Incident

1:41:45 - Harden the Environment: Secure NSGs

INCIDENT INVESTIGATION: "Possible Privilege Escalation"

1:43:31 - Sentinel Data & Visualization

1:44:08 - LOG ANALYTICS WORKSPACE: Time Range Configuration

1:44:18 - Examine Audit Events for Azure Key Vault

1:45:05 - Sign-In Attempts Made by a Specific User

1:45:29 - Investigate Visualization

INCIDENT INVESTIGATION: "Malware Detected"

1:45:50 - Sentinel Data & Visualization

1:47:08 - Examine Sentinel Analytics Rule Query

1:47:42 - Examine Rule Query Logs

1:48:51 - Microsoft Defender For Cloud Security Posture & Recommendations

1:49:20 - Track NIST SP 800-53 Security Control Framework in the Compliance Dashboard

1:50:15 - Review NIST SP 800-53 Regulatory Compliance Dashboard

REMEDIATION: NIST SP 800-53

1:50:35 - NIST SP 800-53: Access Control AC-2(12)

1:51:27 - NIST SP 800-53: Incident Response IR-6(2)

1:52:32 - NIST SP 800-53: System & Communications Protection SC-7

1:53:04 - Enable Key Vault Built-In Firewall

1:53:29 - Create Key Vault Private Endpoint Connection

1:54:09 - Enable Storage Account Built-In Firewall

1:54:35 - Create Storage Account Private Endpoint Connection

1:55:09 - View Topology in Network Watcher

1:55:58 - Confirm Private Endpoint & Firewall Are Working Using PowerShell

1:57:52 - Secure Subnet With New NSG

1:58:41 - View New Topology In Network Watcher

1:59:21 - Gather Baseline Metrics - 24-Hour Secured Environment

2:00:51 - View Incident Maps

2:01:28 - Outro

In this Comprehensive Cybersecurity Lab, I demonstrate building, testing, investigating, and securing a network environment using Microsoft Azure. I cover various aspects of cybersecurity, including creating virtual resources, setting up virtual networks, configuring security controls, monitoring and analyzing logs, investigating security incidents, vulnerability scanners, and implementing security measures. The lab demonstrates insights and practical skills relevant to the field of cybersecurity.

Below is a summary of some of the general contents of the above video.

Establishing Resources and Virtual Networks in Azure

I begin with a local computer and progress to building resources in Azure, including two virtual networks. The first network, designed for testing, comprises Linux and Windows virtual machines equipped with vulnerable software for realistic simulations. The second network hosts an attacker VM that is used to test the security of the first network.

It's important to note that, in addition to the simulated attacks, the target network experiences real-world attacks that I analyze and remediate.

In this initial phase, I employ various Azure tools, such as a Log Analytics workspace for log data analysis, Azure Sentinel as the SIEM tool, Entra ID, Blob Storage, Key Vault, and Windows Defender for Cloud. Additionally, I create a VM hosting the Greenbone Vulnerability Assessment Scanner tool.

I want to emphasize that while my virtual environment is deliberately configured with minimal security controls to simulate vulnerability, it remains an experimental setup, isolated within Azure. I utilize unique and complex passwords for all accounts. The absence of external network connectivity to my local machines ensures that this cybersecurity demonstration is a safe, controlled experiment, solely for educational purposes.

Accordingly, the lab setup involves creating Azure resources and installing software with intentional vulnerabilities. These include disabling Windows Defender Firewall, setting insecure network rules, and using legacy software to create realistic testing scenarios. I also install Microsoft SQL Server and Microsoft SQL Server Management Software as additional potential targets for attackers.

Diagnostic Configuration and Security Testing

I then transition to setting up diagnostics for sign-in activities and Azure activity logs. This involves simulating brute force attacks and managing resource groups, including their creation and deletion.

Additionally, I configure diagnostics for Blob Storage and Key Vault to assess their log capture capabilities. Following this, I implement and verify various Azure Sentinel features. These include establishing analytics rules and developing incident investigation playbooks.

Conducting and Analyzing Vulnerability Scans with Greenbone Vulnerability Assessment Scanner

I utilize the Greenbone Vulnerability Assessment Scanner to perform comprehensive uncredentialed and credentialed scans. The process includes explaining the steps necessary for a successful credentialed scan, which requires additional configuration on the Windows VM. This phase also involves running specific queries to analyze logins and detect brute force attacks. Subsequently, I address and remediate the identified vulnerabilities.

Data Collection and Analysis in an Insecure Environment

I expose my deliberately insecure environment to the internet for a 24-hour period to capture baseline data. This data serves as a point of comparison for the information gathered after securing the environment. A significant part of my analysis includes displaying a map that pinpoints the origins of the attacks. This is achieved by correlating attacker IP addresses with geolocation data. The results also help to identify real attacks and distinguish them from the simulated ones.
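As an added illustration (this is not a query from the video), the following KQL query shows the kind of correlation described above: failed Windows logons are joined to a GeoIP watchlist so they can be plotted on a map, and the lab's own attacker VM is labelled separately from real internet sources. Assumptions: the Sentinel watchlist is named "geoip" with the columns network, cityname, countryname, latitude and longitude; <ATTACKER_VM_PUBLIC_IP> is a placeholder for the attacker VM's address; the threshold of 10 failures is an arbitrary choice.

```kql
// Added example, not part of the lab. Assumed watchlist name and columns.
let GeoIPDB_FULL = _GetWatchlist("geoip");
// Placeholder for the lab's own attacker VM, so its traffic is tagged "simulated".
let SimulatedAttackers = dynamic(["<ATTACKER_VM_PUBLIC_IP>"]);
SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4625                                   // failed logon
| where isnotempty(IpAddress) and IpAddress != "-"         // drop local/blank sources
| evaluate ipv4_lookup(GeoIPDB_FULL, IpAddress, network)   // attach geolocation
| extend Source = iff(IpAddress in (SimulatedAttackers), "simulated", "real")
| summarize FailedLogons = count(),
            Accounts = make_set(Account, 10),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
          by IpAddress, Source, cityname, countryname, latitude, longitude
| where FailedLogons >= 10                                 // assumed brute-force threshold
| order by FailedLogons desc
```

The latitude and longitude columns in the result are what a Sentinel workbook map visualization consumes, and the Source column separates the attacker VM's simulated traffic from real attempts.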

Incident Management and Response Using Azure Sentinel and NIST Framework

In this phase, I leverage Azure Sentinel for incident tracking and management, adhering to the NIST SP 800-61 guidelines for incident response. I provide a detailed explanation of the incident investigation process in cybersecurity, encompassing stages such as preparation, detection, analysis, containment, eradication, recovery, and post-incident activities. The use of Azure Sentinel SIEM is emphasized for monitoring alerts, analyzing incidents, and managing responses effectively.

Additionally, I integrate external resources like VirusTotal, Cisco Talos Reputation Center, and AbuseIPDB to conduct a comprehensive investigation.

Specific incidents investigated include Successful and Attempted Brute Force Attacks, Possible Privilege Escalation, and Malware Detection. To manage these incidents, I employ both an Incident Investigation Playbook and an Incident Response Playbook, demonstrating practical application and analysis.

Network Hardening and Remediation Post-Incident

After addressing the incident, I focus on hardening the network in line with the NIST SP 800-53 standards. To assist in this process, I utilize Microsoft Defender for Cloud, leveraging its capabilities to apply robust security controls.

My remediation efforts include the creation and testing of private endpoints for Key Vault and storage accounts. I enhance network security by adjusting Network Security Group (NSG) settings and adding an additional NSG to safeguard resources within a specific subnet. Throughout these changes, I employ Network Watcher to vigilantly monitor and verify the network alterations.

This approach not only strengthens the network's defenses but also ensures adherence to recognized cybersecurity frameworks.

Evaluating Network Security Post-Hardening: A 24-Hour Internet Exposure Test

After implementing the system hardening measures, I once again expose the network to the internet for a 24-hour period to assess the effectiveness of these changes. During this phase, I closely review the metrics and observe significant improvements in the network's security posture.

Notably, there is a drastic reduction in Windows security events and a complete elimination of security incidents and malicious flows. These observations conclusively demonstrate the effectiveness of the cybersecurity measures I have implemented. This test serves as a practical validation of the enhanced security and resilience of the network against malicious activities.