One of the primary methods that threat actors, hackers and state backed adversaries use to initiate their intrusion campaigns is through credential theft.
We know the dark web today provides access to credentials-as-a-service style offerings where attackers can purchase leaked, stolen or socially engineered usernames and passwords, which provides easy access to network services, such as cloud virtual machines.
Two simple and very effective ways of reducing your risk against attack is to enforce multifactor authentication (MFA) adding an additional layer of protection against credential theft and to close access (or ports) to internet facing servers.
However closing access presents a challenge when we need to remotely access those cloud hosted machines for maintenance and administration. Unless we have configured private networks, network security groups, firewall rules and VPNs to provide access to the servers only from approved subnets, as network and security admins, we need to find a way to balance the risk against efficient access. Not every organisation will have cloud connectivity from their corporate LAN. In fact, extending the cloud network to on-premise increases the surface attack area and locking down services to a LAN prevent access from remote connections, such as when working from home.
So how do we enable our teams without reducing our security posture or increasing our surface attack area?
The answer? Just in time access.
Threat actors actively hunt internet facing, accessible machines with open management ports, like RDP or SSH. All of your virtual machines are potential targets for an attack when open to the internet. When a VM is successfully compromised, it is then used as the entry point to attack further resources within your environment.
As with all cybersecurity prevention techniques, your goal should be to reduce the attack surface. In this case, that means having fewer open ports, especially management ports.
To solve this dilemma, Microsoft Defender for Cloud offers Just In Time (JIT) access. With JIT, you can lock down the inbound traffic to your VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed.
When you enable just-in-time VM access, you can select the ports on the VM to which inbound traffic will be blocked. Defender for Cloud ensures "deny all inbound traffic" rules exist for your selected ports in the network security group (NSG) and Azure Firewall rules. These rules restrict access to your Azure VMs’ management ports and defend them from attack.
When a user requests access to a VM, Defender for Cloud checks that the user has Azure role-based access control (Azure RBAC) permissions for that VM. If the request is approved, Defender for Cloud configures the NSGs and Azure Firewall to allow inbound traffic to the selected ports from the relevant IP address (or range), for the amount of time that was specified. After the time has expired, Defender for Cloud restores the NSGs to their previous states. Connections that are already established are not interrupted.
Further to this, Defender for Cloud, actively scans your infrastructure to understand which machines are at risk and which machines can be enabled for JIT. When Defender for Cloud finds a machine that can benefit from JIT, it adds that machine to the recommendation's Unhealthy resources tab.
Just In Time access provides a fully orchestrated access solution that enables security administrators to minimise the surface attack area and ensure a proactive security posture across your entire estate. By combining Network Security Groups (NGS's), Private EndPoints and Azure Firewalls or Web Application Firewalls (WAF's), Microsoft provides a comprehensive set of tools and services to help protect your estate at its foundational core, the network.
Our clients frequently benefit from engaging with our Security Architects, regardless of the stage of their cloud journey. As threats evolve everyday, a multi-layered, cyber security strategy will ensure your business, its' data and your user community are protected. The cybercrime landscape has evolved. It's time to level up your defences. Speak to one of our team today to understand how we can help you identify and mitigate risk in the face of an evolving cyber security landscape.
Microsoft doc on JIT here