Risk Assessment and Penetration Testing In Microsoft Azure 101
Satinder Sandhu
Protecting Our Clients Against The Attacks Of Today And Preparing Them For The Threats Of Tomorrow.
Pentesting (aka Ethical Hacking): An absolute synergy of Art and Science.
In this article, we are going to learn:
- The creative methods (Art) to find vulnerabilities in Microsoft Azure
- The systematically organized methods (Science) to exploit those vulnerabilities
We would also learn about the Controls and Countermeasures to mitigate the risk from those vulnerabilities and attacks, in the last part of the article.
I have trisected this article into the following three parts:
Part 1: Penetration Testing Concepts
We would start with an introduction to the Vulnerability Assessment and Penetration Testing Methodologies, Tactics, Techniques and Procedures. After completing the warm-up, we would build the penetration testing lab infrastructure and explore the tools that we are going to leverage in the journey of this article. In the last section of this part, we would learn how to strategize and execute a Red Teaming exercise in the Azure environment.
Part 2: Azure Vulnerabilities and Attacks
In the second part, we would start with learning about the methodology of performing Threat Modeling and Risk Assessment for Microsoft Azure. The next couple of sections in Part 2 would explain detailed and hands-on methods of performing Vulnerability Assessment and Penetration Testing of the Microsoft Azure Components and Services. We would conclude this part of the article with a section on the process of performing automated penetration testing.
Part 3: Controls and Countermeasures
The final part of this article would explain the Information Security Controls and Countermeasures that should be implemented in the Microsoft Azure ecosystem to mitigate the IT Risk. We would start by discussing some critical security topics like Cryptography, IoT Security and DevSecOps. Then we would move further to the concept of Compliance and Privacy. In the next section of this part, I would explain the process of performing Incident Response and Forensics in Microsoft Azure. Finally, we would conclude this article with a final section called: Ready Reckoner – it will be a reference to quickly find the most important information on any main topic in the article, a small memorandum.
Let’s Start!
Vulnerability Assessment and Penetration Testing 101
Vulnerability Assessment (VA) is the art of finding the exploitable weaknesses present in information technology systems and resources. Once the Vulnerability Assessment is complete and we have the details of a confirmed vulnerability, Penetration Testing (PT) is performed to understand the exploitability of that vulnerability (likelihood). In the PT process, we attempt to exploit the identified vulnerabilities with the objective of obtaining the following additional vulnerability details:
- Attack Vector (AV): describes how the vulnerability may be exploited. The more remotely an attacker can exploit the vulnerability, the higher the severity.
- Attack Complexity (AC): describes how easy or difficult it is to exploit this vulnerability.
- Privileges Required (PR): describes what level of privileges are required by the attacker to exploit the vulnerability.
In addition to the details around the exploitability of the vulnerability, the Penetration Testing process also gives the following insight into the consequences of exploiting the vulnerability (impact):
- Confidentiality Impact (CI): describes the impact of the vulnerability on the confidentiality of the data processed by the system or resource.
- Integrity Impact (II): describes the impact of the exploitation of a vulnerability on the integrity of the exploited system.
- Availability Impact (AI): describes the impact on the availability of the target system if the identified vulnerability is exploited.
The vulnerability details (i.e. AV, AC, PR, CI, II, AI) obtained during the Penetration Testing phase can be leveraged to calculate the Risk Rating associated with the vulnerability by using the Risk Equation (i.e. Risk Rating = Likelihood X Impact) or by referring to the following Risk Matrix:
This section was just an introduction to the objective of performing a VAPT exercise (the ‘why’). In the next couple of sections, we are going to discuss:
- Vulnerability Assessment and Penetration Testing Workflow: Explaining ‘what’ to do in the VAPT exercise
- Penetration Testing Tactics and Technique: Explaining ‘how’ to do the VAPT exercise
Vulnerability Assessment and Penetration Testing – The Work Flow
Let us discuss the end-to-end Vulnerability Assessment and Penetration Testing (VAPT) workflow, i.e. the process of performing VAPT.
Following are the ten major phases of the VAPT workflow:
1. Goals and Objectives
It is critical to define the Goals and Objectives of performing the VAPT exercise. Clearly defined and communicated Goals and Objectives would help in the successful execution of the VAPT exercise in the following ways:
- Develop a Business Case to reflect on how the VAPT goals and objectives are aligned with the enterprise objectives and strategies. Hence, it would help in obtaining the Senior Management support to execute the VAPT exercise.
- Identify the purpose of executing the VAPT exercise and compile a list of results/outputs that the Business and Technical teams are interested in seeing at the end of the VAPT engagement (e.g. testing the efficiency of the information security controls, understanding the security posture of the organization, compliance requirements, etc.).
- Defining Goals and Objectives would also help in identifying the Scope of the VAPT exercise and would ensure that the Scope of the VAPT exercise is aligned with the Goals and Objectives.
2. Scope
While performing the VAPT, the scope of the VAPT exercise needs to be clearly defined. In this phase, the list of systems, locations, techniques and tools that can be a part of the VAPT exercise is compiled.
Additionally, it’s always a good practice to explicitly highlight (in the VAPT engagement and contract documents) the critical Information System components, ranges of IP addresses and exploit techniques that must be strictly kept out of the VAPT exercise. This ensures that the VAPT exercise does not affect the services provided by the organization.
3. Information Gathering
Information Gathering (aka Reconnaissance) is generally the most time-consuming phase of the VAPT workflow. In this phase we attempt to gather as much information on the target as possible; this information is then used to attack the target in the Attack and Penetration phase.
Following are two major techniques of conducting reconnaissance:
- Active Reconnaissance
- Passive Reconnaissance
4. Vulnerability Detection
In this phase, the Pentester would use different techniques to detect the potential vulnerabilities in the resources (including human resources!), components, services, systems, technologies, tools and infrastructure defined in the Scope phase of the Vulnerability Assessment and Penetration Testing workflow.
5. Information Analysis Planning
Thanks to the last four phases, the Pentester knows the target and the potential vulnerabilities associated with those targets.
Now is the time to analyze the available information and plan a road map to exploit the vulnerabilities in the target. Following are some of the frameworks that can be leveraged in this phase:
- MITRE ATT&CK
- Penetration Testing Execution Standard (PTES)
- STRIDE Methodology
- NIST SP 800-115: Technical Guide to Information Security Testing and Assessment
6. Attack and Penetration
The identified vulnerabilities in the target are exploited in this phase, using different tools, techniques and procedures.
Following are some Penetration Testing Methodologies and Standards:
- Open Source Security Testing Methodology Manual (OSSTMM)
- Open Web Application Security Project (OWASP)
- National Institute of Standards and Technology (NIST)
- Penetration Testing Execution Standard (PTES)
- Information System Security Assessment Framework (ISSAF)
7. Privilege Escalation
Once the Pentester has exploited a vulnerability in the ‘Attack and Penetration’ phase of the Vulnerability Assessment and Penetration Testing workflow, the Pentester attempts privilege escalation in this phase to gain more permissions or obtain access to additional, more sensitive systems.
Following are the two types of privilege escalation attacks:
- Horizontal Privilege Escalation: Pentester gains access to resources belonging to another user with a similar level of access
- Vertical Privilege Escalation: Pentester gains higher privileges
8. Result Analysis
The result of the Vulnerability Assessment and Penetration Testing exercise would be analyzed in this phase with the objective of giving a ranking to the vulnerabilities that were successfully exploited.
Typically, the vulnerability ranking is performed on the basis of the following attributes:
- Attack Vector
- Attack Complexity
- Privileges Required
- Vulnerability Severity
- Data Sensitivity
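The Risk Equation from the “101” section (Risk Rating = Likelihood X Impact) and the vulnerability ranking described in this Result Analysis phase can be carried through in code. The following is an added example, not code from the article: it maps the exploitability attributes (AV, AC, PR) to a Likelihood score, the impact attributes (CI, II, AI) to an Impact score, multiplies them, and ranks a set of findings by the result. The numeric weights, the 5x5 rating bands and the sample findings are all constructed for illustration; they are not the article’s Risk Matrix and not CVSS.

```python
"""Risk rating and ranking of pentest findings (added example, constructed weights)."""
from dataclasses import dataclass

# Constructed weights for the likelihood side: higher = easier to exploit.
ATTACK_VECTOR = {"network": 5, "adjacent": 4, "local": 2, "physical": 1}
ATTACK_COMPLEXITY = {"low": 5, "high": 2}
PRIVILEGES_REQUIRED = {"none": 5, "low": 3, "high": 1}
# Constructed weights for the impact side: higher = more damage.
IMPACT_LEVEL = {"none": 0, "low": 2, "high": 5}


@dataclass(frozen=True)
class Finding:
    name: str
    av: str  # attack vector
    ac: str  # attack complexity
    pr: str  # privileges required
    ci: str  # confidentiality impact
    ii: str  # integrity impact
    ai: str  # availability impact


def likelihood(f: Finding) -> int:
    """Likelihood on a 1..5 scale: mean of the three exploitability weights, rounded."""
    total = ATTACK_VECTOR[f.av] + ATTACK_COMPLEXITY[f.ac] + PRIVILEGES_REQUIRED[f.pr]
    return max(1, round(total / 3))


def impact(f: Finding) -> int:
    """Impact on a 1..5 scale: the worst of the C/I/A impacts, so one 'high' dominates."""
    return max(1, IMPACT_LEVEL[f.ci], IMPACT_LEVEL[f.ii], IMPACT_LEVEL[f.ai])


def risk_score(f: Finding) -> int:
    """Risk Rating = Likelihood x Impact, giving a value on the 5x5 matrix (1..25)."""
    return likelihood(f) * impact(f)


def risk_band(score: int) -> str:
    """Constructed rating bands over the 5x5 matrix."""
    if score >= 20:
        return "Critical"
    if score >= 12:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


def rank_findings(findings):
    """Return findings ordered from highest to lowest risk (stable for ties)."""
    return sorted(findings, key=risk_score, reverse=True)


def summarize(findings):
    """One row per finding, already ranked, for the Result Analysis / Reporting phases."""
    return [
        {
            "name": f.name,
            "likelihood": likelihood(f),
            "impact": impact(f),
            "score": risk_score(f),
            "rating": risk_band(risk_score(f)),
        }
        for f in rank_findings(findings)
    ]


# Constructed sample findings (not real results from any engagement).
SAMPLE_FINDINGS = [
    Finding("Verbose error page leaks stack traces", "network", "low", "none", "low", "none", "none"),
    Finding("Anonymous listing on a storage container", "network", "low", "none", "high", "none", "none"),
    Finding("Physical console left unlocked", "physical", "high", "high", "none", "none", "low"),
    Finding("World-readable temp file on a VM", "local", "low", "low", "low", "low", "none"),
    Finding("Stale SSH key accepted on a jump host", "network", "high", "low", "high", "high", "low"),
]

if __name__ == "__main__":
    for row in summarize(SAMPLE_FINDINGS):
        print(f"{row['rating']:<8} {row['score']:>2}  L={row['likelihood']} I={row['impact']}  {row['name']}")
```

Taking the worst of the three C/I/A impacts rather than their average is a deliberate choice: a finding that only affects confidentiality but does so completely should not be diluted by having no integrity or availability impact.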
9. Reporting
The Vulnerability Assessment and Penetration Testing (VAPT) report is the outcome of the VAPT exercise and provides the structured details of the VAPT exercise.
Following are some of the important and essential sections of the VAPT report:
- Introduction (Objectives, Scope and Approach)
- Executive Summary
- Technical Summary (Methodology and Findings)
- Potential Impact of Vulnerability
- Vulnerability Remediation Options (Recommendations and Risk Rating)
- Risk Rating
10. Cleanup
Once the report is submitted and Management (or the Resource Owner) confirms that they accept the submitted details and do not need anything further (e.g. a more detailed proof-of-concept), the Pentester is all set to execute the final phase of the Vulnerability Assessment and Penetration Testing workflow – Cleanup.
Following are the key activities performed in this phase:
- Removing any executables, scripts, users, temporary files from the compromised resources
- Return to original system settings and configuration parameters, if they were modified during the VAPT exercise.
Penetration Testing Tactics and Techniques
Penetration Testing Tactics are what the Pentester is trying to achieve and Techniques are how they accomplish those goals. In this section, we would learn the major Penetration Testing Tactics and the Techniques associated with those Tactics. Please note this section is just an introduction to the techniques used in pentesting. In the second part of this article, we would practically use these techniques to target Microsoft Azure components and services. Following are some of the major VAPT Tactics and Techniques:
1. Initial Access
It consists of the techniques used to get into the network. Common techniques include the exploitation of the following:
- Public-facing application
- External remote services
- Supply chain compromise
2. Execution
It consists of the techniques used to run malicious code on the target system for multiple objectives. Some significant objectives are exploring a network or stealing data. Following are the common Execution techniques:
- Dynamic Data Exchange
- Execution through API
- PowerShell
3. Persistence
It consists of techniques used to keep access to the compromised systems and resources. Following are the common Persistence techniques:
- Accessibility features
- Account manipulation
- Browser extensions
4. Privilege Escalation
It consists of techniques used to gain higher-level permissions on a system or network. Following are the common Privilege Escalation techniques:
- Access token manipulation
- File system permissions weakness
- Web Shell
5. Defense Evasion
It consists of techniques used to avoid detection throughout the compromise. Following are the common Defense Evasion techniques:
- Clear command history
- Connection proxy
- Disabling security tools
6. Credential Access
It consists of techniques used to steal credentials. Following are the common Credential Access techniques:
- Brute Force
- Credential from Web Browsers
- Network Sniffing
7. Discovery
It consists of techniques used to gain knowledge about the system and resources. Following are the common Discovery techniques:
- Network Service Scanning
- Process Discovery
- Cloud Service Discovery
8. Command and Control
It consists of techniques used to communicate with a compromised system. Following are the common Command and Control techniques:
- Communication through removable media
- Connection proxy
- Data Encoding
9. Exfiltration
It consists of techniques used to steal data from the network. Following are the common Exfiltration techniques:
- Data encryption
- Exfiltration over command and control channel
- Transfer data to Cloud account
10. Impact
It consists of techniques used to manipulate, interrupt, or destroy your systems and data. Following are the common Impact techniques:
- Account access removal
- Data destruction
- Data encrypted for impact
Microsoft Azure – An Introduction
Cloud computing continues to be a foundation that enables the business to transform and gain a competitive advantage. Such is the impact of cloud computing that the public cloud market is expected to rise from $146 billion in 2017 to $266 billion in 2020 and the worldwide cloud services market is forecast to grow 33 percent in the next couple of years to total $355 billion in 2022, according to Gartner, Inc.
Microsoft Azure, codenamed Project Red Dog in 2008 and released as Windows Azure in 2010 before being renamed Microsoft Azure in 2014, is a cloud computing service created by Microsoft for building, testing, deploying and managing applications and services through Microsoft-managed data centers.
At present, Microsoft Azure is the fastest-growing cloud platform, and one of its latest commercial accomplishments is winning the Pentagon’s $10 billion JEDI contract. The Joint Enterprise Defense Infrastructure (JEDI) contract is a United States Department of Defense (DoD) cloud computing contract, and currently more than 95 percent of Fortune 500 companies are using Microsoft Azure.
From The Art of War: “If you know your enemies and know yourself, you will not be imperiled in a hundred battles.” In other words, we need to know Microsoft Azure in order to both defeat it and protect it, no doubt.
I believe enough of Microsoft Azure’s business introduction for now. Let us now jump into the technical details of Microsoft Azure and start with understanding the cloud models offered by Microsoft Azure:
The above image shows the different types of cloud services (cloud service models) supported by Microsoft Azure. Management of the cloud resources is a shared responsibility between Microsoft and the customer. The division of responsibility depends on the cloud service model leveraged by the customer. Following are the important attributes of the cloud service models:
- Infrastructure-as-a-Service (IaaS): The capability provided to the customer to provision processing, storage, networks, and other fundamental computing resources.
- Platform-as-a-Service (PaaS): The capability provided to the customer to rent everything they need to build an application, relying on a cloud provider for development tools, infrastructure, and operating systems.
- Software-as-a-Service (SaaS): The capability provided to the customer to subscribe to an application rather than purchasing it once and installing it.
Following are the Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS) provided by Microsoft Azure:
1. Compute
The compute service offers the computing operations to the customers. It includes operations like application development, hosting and deployment in the Azure platform. Compute has the following components:
- Virtual Machine: Provision Linux and Windows virtual machines.
- Virtual Machine Scale Set: Create thousands of VMs in minutes.
- Azure Kubernetes Service: Deployment, management and operations of Kubernetes.
- Azure Functions: App development using an event-driven, serverless architecture.
- Service Fabric: Develop microservices and orchestrate containers on Windows and Linux.
- App Service: Create cloud apps for web and mobile.
- Container Instances: Containerize apps.
- Batch: Cloud-scale job scheduling and compute management.
- Cloud Services: Create highly available, scalable cloud applications and APIs.
- Azure Dedicated Host: Deploy Azure virtual machines on a physical server only used by your organization.
2. Web and Mobile
Azure Web and Mobile services are used to build, deploy and scale web applications and native apps for any mobile device. Following are some common Azure Web and Mobile services:
- Web Apps: It allows the users to build and host websites without the need to manage the required infrastructure.
- Mobile Apps: It offers a scalable mobile app development platform for users.
- API Apps: API apps allow users to develop, host and consume APIs in the cloud and on-premises.
- Logic Apps: It helps users to simplify and implement scalable integrations.
3. Developer Services
Developer Services are used to build, manage and continuously deliver cloud applications using any platform or language. Following are some commonly used Developer Services:
- Visual Studio: It provides an environment for developing applications in the cloud.
- Azure SDKs: It’s a collection of libraries for programming languages. They help you build applications that manage and interact with Azure services.
- Azure DevOps: Azure DevOps provides developer services to support teams to plan work, collaborate on code development, and build and deploy applications.
4. Integration
Integration services assist the customers to seamlessly integrate on-premises and cloud-based applications, data and processes across the enterprise. Following are some of the common Integration services:
- API Management: This service is used to publish APIs to developers, partners and employees securely and at scale.
- Service Bus: Service Bus provides the functionality to connect across private and public cloud environments.
- Event Grid: This service is leveraged in the event-based apps to manage routing of all events from any source to any defined destination.
5. Analytics and IoT
Analytics services help Microsoft Azure customers to gather, store, process, analyze and visualize data of any variety, volume or velocity and IoT services enable the customers to connect, monitor and manage the organization’s IoT assets. Following are some significant Analytics and IoT services:
- HDInsight: This service is used to provision cloud Hadoop, Spark, R Server, HBase and Storm clusters.
- Azure Machine Learning: Typically used by developers and data scientists to build and deploy machine learning models faster.
- Data Factory: Data Factory is one of the most significant services offered by Microsoft Azure. This service enables the hybrid data integration at the enterprise scale.
- Event Hubs: Event Hubs is a fully managed, real-time data ingestion service.
- Azure Stream Analytics: This service is used to perform real-time analytics on the streams of data from applications and devices.
- Azure Data Lake Storage: It’s a massively scalable data lake functionality built on Azure Blob Storage (object storage for unstructured data).
- Azure Data Share: This service is used for sharing data with external organizations.
- Azure IoT Hub: It’s used to connect, monitor and manage IoT assets.
6. Data
Azure Data services provide fully managed database services and the following are some good examples of the Azure Data services:
- Azure SQL Database: It is a cloud database service that provides the SQL Server engine compatibility.
- Azure Synapse Analytics: This service brings together enterprise data warehousing and Big Data analytics.
- Table Storage: Azure Table Storage is used to store structured NoSQL data in the cloud.
7. Media and Content Delivery Network
Media services deliver video content to any desired location and the Azure Content Delivery Network ensures that the media is delivered in a secure and reliable manner. Following are a couple of Media and Content Delivery Network services:
- Media Services: It encodes, stores and streams video and audio.
- Azure Content Delivery Network: Azure Content Delivery Network (CDN) is a global CDN solution for delivering high-bandwidth content.
8. Storage
Azure Cloud Storage services provide scalable cloud storage for the data, apps and workloads. Following are some common Azure Storage services:
- Blob Storage: Blob Storage is a REST-based object storage service for unstructured data.
- Disk Storage: Disk Storage is a high-performing disks service for Azure Virtual Machines.
- Azure NetApp Files: It is a file-storage service to run your file-workloads in Azure.
9. Networking
Azure Networking services are used to connect cloud and on-premises infrastructure by leveraging some of the following common Azure Networking services:
- Azure ExpressRoute: It is a dedicated private-network fiber connection to Azure.
- Virtual Network: This service is used to provide private networks and optionally connect to on-premises data centers.
- Load Balancer: The Load Balancer service offers high availability and network performance to the applications.
- Azure Bastion: The Azure Bastion service enables private and fully managed RDP and SSH access to the virtual machines.
- Web Application Firewall: Azure Web Application Firewall (WAF) is a cloud-native application firewall service that provides protection for web apps. It helps in protecting web apps from malicious attacks and common web vulnerabilities.
- Azure DNS: The Azure DNS service is used to host Domain Name System (DNS) domains in Azure.
- Traffic Manager: Traffic Manager routes the incoming traffic for high performance and availability.
- Azure VPN Gateway: This service is used for connecting the customer infrastructure to the cloud. Azure VPN Gateway connects your on-premises networks to Azure via site-to-site VPNs. This connection is secured by implementing Internet Protocol Security (IPsec) and Internet Key Exchange (IKE).
Microsoft Azure Architecture Components
- Azure Regions
Microsoft provides the Azure services around the world and in order to provide this global service, Microsoft has created boundaries called geographies. Typically, a geography boundary is the border of a country and allows customers with specific data-residency and compliance needs to keep their data and apps close. There are often regulations for data handling that apply to an entire country, and Microsoft’s approach ensures compliance with the regulatory requirements.
Each geography is broken out into two or more regions, each of which is usually hundreds of miles apart to support the concept of Business Continuity and Disaster Recovery. Microsoft also operates isolated regions that are completely dedicated to government data due to the additional regulations that governmental data requires.
In each region, Microsoft has built datacenters that contain the physical hardware that Azure uses. Currently, there are around 58 Azure regions worldwide, preserving data residency and offering comprehensive compliance and resiliency options for customers.
- Availability Zones
The regions are physically separated by hundreds of miles to protect Azure customers from outages due to disasters in a particular region. However, it’s also critical to maintain availability when a problem occurs at a particular datacenter within a region. Hence, Microsoft developed availability zones. There are at least three availability zones within each enabled region, so by deploying an Azure service in two or more availability zones we can achieve high availability.
- Azure Resource Manager
Azure Resource Manager is the deployment and management service for Azure. It provides a management layer that enables you to create, update, and delete resources in the Azure account. You can use management features, like access control, locks, and tags, to secure and organize your resources after deployment.
- Resource Groups
Azure Resource Manager has a feature called Resource Groups. A Resource Group is a logical container for Azure services. By creating all Azure services associated with a particular application in a single resource group, you can then deploy and manage all of those services as a single entity.
Azure and Pentesting
Before jumping into ‘how’ and ‘what’ to do in Azure Pentesting, I think that we should give a thought to ‘why’ we need to do Azure Pentesting. Here are some key reasons that ‘why’ we should do Azure Pentesting:
- Determine the feasibility of a particular set of (cloud) attack vectors and uncover the critical vulnerabilities.
- Identify the security posture of the organization and expose its weaknesses before attackers do!
- Assess potential business and operational impacts of successful attacks.
- Test the effectiveness and efficiency of the information security controls.
- Provide evidence to support a Business Case for increased investment.
- Enable compliance with the industry standards and security regulations.
- Pentesting results can be leveraged in the Enterprise Risk Management program to prioritize and tackle risks based on the risk rating (derived from vulnerability exploitability and impact). Additionally, pentesting results would be very helpful in keeping senior management informed about the organization’s risk level.
Steps of performing Azure Pentesting
Step 1: Understand the legal limitations
The customers wishing to execute the Azure Pentesting are required to follow Microsoft’s Penetration Testing Rules of Engagement process to avoid any unintended consequences to other customers in the multi-tenant cloud. Any violation of Penetration Testing Rules of Engagement terms may result in a legal action as defined in the Microsoft Online Service Terms.
I have obtained the following significant legal details from the official Microsoft Penetration Testing Rules of Engagement Document:
For the purposes of Rules of Engagement, “Microsoft Cloud” is defined as including the following Microsoft products:
- Azure Active Directory
- Microsoft Intune
- Microsoft Azure
- Microsoft Dynamics 365
- Microsoft Account
- Office 365
- Azure DevOps
Reporting Security Issues
If during your penetration testing you believe you discovered a potential security flaw related to the Microsoft Cloud or any other Microsoft service, please report it to Microsoft within 24 hours by following the instructions on the Report a Computer Security Vulnerability page (The Microsoft Security Response Center investigates all reports of security vulnerabilities affecting Microsoft products and services. If you are a security researcher and believe you have found a Microsoft security vulnerability, they would like to work with you to investigate it.). Once submitted, you agree that you will not disclose this vulnerability information publicly or to any third party until you hear back from Microsoft that the vulnerability has been fixed. All vulnerabilities reported must follow Coordinated Vulnerability Disclosure.
Microsoft offers bug bounty awards and recognition for many types of security issues. If you find a security issue in the Microsoft Cloud and wish to be considered for a bounty, please follow our bug bounty rules and submission guidelines. To receive a bounty, an organization will be required to complete a pre-registration process in order to participate in the program. Please email [email protected] for complete details.
Microsoft Azure Penetration Testing Notification
As of June 15, 2017, Microsoft no longer requires pre-approval to conduct a penetration test against Azure resources.
Customers who wish to formally document upcoming penetration testing engagements against Microsoft Azure are encouraged to fill out the Azure Service Penetration Testing Notification form. You are required to provide the following information in the form:
- Your contact email address -- Microsoft may use this to get ahold of you should problems arise
- Your subscription ID -- This form is only used for assets tied to an Azure Subscription
- The dates the test will occur -- You may bundle multiple tests in one submission as long as they are the same subscription GUID
- Detailed description of the test -- Please make sure to include the following:
  o A list of all assets which will be targeted (IP or FQDN)
  o The types of tests which will be performed
Once the form is submitted, the Azure Safeguards Team will send an automated acknowledgment to the provided contact email AND the owners of the subscription. This email is your one and only confirmation from Microsoft.
If you believe you have discovered a potential security flaw related to Azure or any other Microsoft service, please promptly report it to us by following the instructions at https://technet.microsoft.com/en-us/security/ff852094.
If you have other questions about penetration testing or the status of your notification, you can reach us at https://www.microsoft.com/windowsazure/support/.
If you believe you have discovered a potential security flaw that may qualify for the Online Services Bug Bounty please refer to the Bug Bounty Terms at https://technet.microsoft.com/en-us/security/dn800983/.
Following are Microsoft’s rules of engagement to perform penetration testing on the Microsoft Cloud:
The goal of this program is to enable customers to test their services hosted in Microsoft Cloud services without causing harm to any other Microsoft customers.
The following activities are prohibited:
- Scanning or testing assets belonging to any other Microsoft Cloud customers.
- Gaining access to any data that is not wholly your own.
- Performing any kind of denial of service testing.
- Performing network-intensive fuzzing against any asset except your Azure Virtual Machine
- Performing automated testing of services that generates significant amounts of traffic.
- Deliberately accessing any other customer’s data.
- Moving beyond “proof of concept” repro steps for infrastructure execution issues (i.e. proving that you have sysadmin access with SQLi is acceptable, running xp_cmdshell is not).
- Using our services in a way that violates the Acceptable Use Policy, as set forth in the Microsoft Online Service Terms.
- Attempting phishing or other social engineering attacks against our employees.
The following activities are encouraged:
- Create a small number of test accounts and/or trial tenants for demonstrating and proving cross-account or cross-tenant data access. However, it is prohibited to use one of these accounts to access the data of another customer or account.
- Fuzz, port scan, or run vulnerability assessment tools against your own Azure Virtual Machines.
- Load testing your application by generating traffic which is expected to be seen during the normal course of business. This includes testing surge capacity.
- Testing security monitoring and detections (e.g. generating anomalous security logs, dropping EICAR, etc).
- Attempt to break out of a shared service container such as Azure Websites or Azure Functions. However, should you succeed you must both immediately report it to Microsoft and cease digging deeper. Deliberately accessing another customer’s data is a violation of the terms.
- Applying conditional access or mobile application management (MAM) policies within Microsoft Intune to test the enforcement of the restriction enforced by those policies.
Even with these prohibitions, Microsoft reserves the right to respond to any actions on its networks that appear to be malicious. Many automated mitigation mechanisms are employed across the Microsoft Cloud. Those would not be disabled to facilitate a penetration test.
Step 2: Understand the technical limitations
Pentesting in Microsoft Azure has some significant differences from an on-prem assessment and the following are a few key technical limitations that differentiate Azure pentesting from the traditional pentesting:
- Shared responsibility
o It is essential to consider the limitations on cloud pentesting. As we discussed earlier in this section, the management of cloud resources is a shared responsibility between Microsoft and its customers. The division of responsibility depends on the cloud service model (i.e. IaaS, PaaS, SaaS) and the cloud deployment model (i.e. Private, Public, Community, Hybrid) leveraged by the customer.
o This means being aware of what your responsibilities are for the system being tested. For example, in the IaaS service model the pentester can perform much more intrusive and broad testing than in the SaaS service model, because of the difference in the level of responsibility under the shared responsibility model, the potential risk to multi-tenant shared infrastructure, and the need to ensure that the pentesting does not negatively impact any third parties.
o It is important to note that some cloud services have dedicated IP addresses that are mapped only to the target asset in the pentesting scope; however, there is a chance that a service IP address is shared among multiple customers on the same infrastructure. Running an aggressive scan against one of these shared IPs would be a definite violation of Microsoft’s Penetration Testing Rules of Engagement.
- Restricted Attack Techniques
o It is important to note that certain pentesting techniques are off-limits to protect other Azure users. Some are more obviously destructive, such as executing Distributed Denial of Service (DDoS) attacks on the server.
o Another commonly restricted cloud pentesting technique is ‘Pivoting’. Pivoting is an attack method where a cloud resource is compromised first and the attacker then leverages that compromised resource to attack the target system. It could allow the attacker to control a trusted service between the compromised resource and the target system. Please note that pivoting from a compromised cloud-based host to an external non-cloud system is usually not allowed by Cloud Service Providers. This could limit the pentester.
o Do not scan widely or in an uncontrolled manner; stick to the assets, services and components in the pentest scope.
Step 3: Define scope and objective
In any pentesting engagement, defining scope is one of the most critical aspects of pentesting. Scoping a pentest in the cloud environment is significantly more important than scoping in a traditional ecosystem, because in the traditional ecosystem an attack that goes beyond the scope would only affect the target organization. In the cloud environment, however, the pentest process can attack and impact other organizations in the same cloud environment, or even Microsoft! Hence, the pentesting scope should be defined in accordance with the Shared Responsibility Model, which we discussed earlier in this section. To define the scope of an Azure pentest well, we need to compile the following information:
- The dates the test will occur
- A list of all assets which will be targeted (IP or FQDN)
- The types of tests which will be performed
- Target subscription identifiers
- Target services and associated IPs
- The objective and desired outcome of performing the engagement
This information would give us a good sense of how to scope pentesting. Typically, the scope of Azure pentesting is defined around the following domains:
- Account Security: Identity and Access Management (IAM) process is tested in this domain.
- Cloud Service Security: Configurable data structures and cloud infrastructure are tested in this domain.
- Application or Business Logic: Services or components that are exposed to the end-users or are under the control of the end-users would be added to the scope of pentesting in this domain.
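As an added example (not part of the original article), the following Python script turns the scope information above and the Rules of Engagement from Step 1 into a pre-engagement gate: every planned test is checked against a constructed inventory of the public IPs and VNet prefixes our own subscription owns (what `az network public-ip list` and `az network vnet list` would report), and any target that is not ours, or any test type the rules prohibit for that asset, is flagged before anyone starts scanning. All IPs, hostnames and asset names are constructed placeholders.

```python
import ipaddress
from typing import List, Tuple

# Constructed inventory of what our subscription owns (illustrative values only).
OWNED_PUBLIC_IPS = {"203.0.113.10", "203.0.113.11"}
OWNED_VNET_PREFIXES = [ipaddress.ip_network("10.42.0.0/16")]

# Constructed DNS view of the in-scope FQDNs; a real run would resolve them.
RESOLVE = {
    "app-lab.example.com": "203.0.113.10",      # our own VM
    "shared-paas.example.net": "198.51.100.7",  # not in our inventory: possibly shared
}

# Test types the Rules of Engagement never allow, and those allowed only
# against your own Azure Virtual Machines (fuzzing, port scans, vuln scans).
ALWAYS_PROHIBITED = {"dos", "ddos"}
VM_ONLY = {"fuzzing", "port-scan", "vuln-scan"}


def classify_target(target: str) -> str:
    """Return 'owned' if target (IP or FQDN) maps to an address we own, else 'unknown'."""
    addr = RESOLVE.get(target, target)
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unknown"  # unresolvable name: never assume it is ours
    if str(ip) in OWNED_PUBLIC_IPS or any(ip in net for net in OWNED_VNET_PREFIXES):
        return "owned"
    return "unknown"


def check_scope(entries: List[Tuple[str, str, str]]) -> List[str]:
    """entries are (target, asset_type, test_type); returns one finding per violation."""
    findings = []
    for target, asset_type, test_type in entries:
        if test_type in ALWAYS_PROHIBITED:
            findings.append(f"{target}: '{test_type}' is prohibited by the Rules of Engagement")
        elif classify_target(target) != "owned":
            findings.append(f"{target}: not owned by this subscription, possibly shared; do not test")
        elif test_type in VM_ONLY and asset_type != "vm":
            findings.append(f"{target}: '{test_type}' is only allowed against your own Azure VMs, not '{asset_type}'")
    return findings


# Constructed scope list: (target, asset type, planned test type).
SCOPE = [
    ("app-lab.example.com", "vm", "port-scan"),
    ("10.42.3.5", "vm", "fuzzing"),
    ("shared-paas.example.net", "app-service", "vuln-scan"),
    ("203.0.113.11", "app-service", "fuzzing"),
    ("203.0.113.10", "vm", "dos"),
]

if __name__ == "__main__":
    for finding in check_scope(SCOPE):
        print("BLOCK:", finding)
```

Only entries that pass with no finding should go into the Azure Service Penetration Testing Notification form; the others need a scope change first.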
Step 4: Create a Microsoft Azure pentesting plan
Now we need to create a pentesting plan in accordance with the Scope and Objective defined in the prior step. Following are some key items to plan in Azure pentesting:
- Preparation
o Once the scope is complete, we notify Microsoft by submitting the Azure Service Penetration Testing Notification form at https://portal.msrc.microsoft.com/en-us/engage/pentest in accordance with the Microsoft Penetration Testing Rules of Engagement. The requirements and conditions for performing pentesting are subject to change at any time, so I would recommend checking the current requirements on the following portal: https://www.microsoft.com/en-us/msrc/pentest-rules-of-engagement
o Identify and define the pentesting tools, the tactics, techniques and procedures (TTPs) and the methodology for performing the pentesting
- Threat Modelling
o Leverage STRIDE, the threat model developed by Microsoft, to identify computer security threats. We are going to discuss STRIDE in detail in the next section; here is a quick introduction:
o Spoofing: Impersonation or otherwise falsely assumed identity
o Tampering: Sabotage or modification of data
o Repudiation: Compromise of the authenticity
o Information Disclosure: Leak of information to an unauthorized user
o Denial of Service: Making a system, feature or resource unavailable
o Elevation of Privileges: Exploiting a vulnerability to achieve an elevation of privilege beyond what was intended
- Reconnaissance and Research
o The pentester performs information gathering on the resources, systems and assets in the scope of the pentest
o In addition to reconnaissance, we also research the potential vulnerabilities, misconfigurations and exploitation methods associated with the details obtained in the reconnaissance phase
- Testing
o The pentester attempts to exploit the STRIDE vulnerabilities found in the prior step
- Test for other cases and objectives
o The pentester performs testing for cases outside the Microsoft threat model (STRIDE)
o Additionally, beyond the STRIDE cases, the pentester identifies any other test cases defined in the ‘Scope and Objective’ phase.
I would like to reiterate that Azure pentesting should be in accordance with the Microsoft Cloud Penetration Testing Rules of Engagement, and the following are the key items that we should take care of:
- Test only the subscriptions, services and components that you have clear permission to test.
- Perform only the testing you described in the Azure Service Penetration Testing Notification form https://www.microsoft.com/en-us/msrc/pentest-rules-of-engagement
- Do not target Microsoft’s own services or shared services
Step 5: Reporting
The pentesting report is the outcome of the pentest exercise and provides its structured details.
Following are some of the important and essential sections of the pentesting report:
- Introduction (Objectives, Scope and Approach)
- Executive Summary
- Technical Summary (Methodology and Findings)
- Potential Impact of Vulnerability
- Vulnerability Remediation Options (Recommendations)
- Risk Rating
If during the pentesting you have discovered a potential vulnerability in the Microsoft Azure, please report it to Microsoft within 24 hours by following the instructions on the Report a Computer Security Vulnerability page https://www.microsoft.com/en-us/msrc/faqs-report-an-issue. Once submitted, you agree that you will not disclose this vulnerability information publicly or to any third party until you hear back from Microsoft that the vulnerability has been fixed. All vulnerabilities reported must follow Coordinated Vulnerability Disclosure https://www.microsoft.com/en-us/msrc/cvd
Microsoft offers bug bounty awards and recognition for many types of security issues. If you find a security issue in the Microsoft Cloud and wish to be considered for a bounty, please follow our bug bounty rules and submission guidelines: https://www.microsoft.com/en-us/msrc/faqs-bounty. To receive a bounty, an organization will be required to complete a pre-registration process in order to participate in the program. Please email [email protected] for complete details.
Microsoft also offers a cloud environment called the Azure Security Lab to the security researchers to emulate hackers in a customer-safe cloud environment. The Azure Security Lab is a set of dedicated cloud hosts for security researchers to test attacks against IaaS scenarios, and which is isolated from Azure customers. You can apply at https://aka.ms/AzureSecLab.