This article is contributed. See the original author and article here.

According to Microsoft Threat Intelligence Report, one of the most common attacks against IaaS VMs in Azure is the RDP brute-force attack. This attack usually take places for VMs that are exposing the RDP port (TCP 3389). Although RDP is the primary source, there are also brute-force against SSH (TCP 22).. Nowadays with COVID-19, with more employees working from home more often, threat actors are taking advantage of the increase of management ports open, which includes RDP and SSH. Users with weak passwords and without MFA enabled, are more susceptible to be compromised by and RDP brute force attack.. Keep in mind that compromising a server via RDP brute force is just the initial foothold, once the threat actors gain access to target machine, it will continue conducting malicious activities which may include coin mining and even ransomware type of attack.

 

One way to reduce the likelihood that your machine will be compromised via RDP brute-force is by reducing the exposure, in other words, limiting the amount of time that a port is open by securing your management ports using Just-in-time access, capability available in ASC Standard Tier.

 

This blog explain how to leverage automation to block traffic of specific IP to a VM in the NSG as a response to a Brute-force alert detected by Azure Security Center.

 

How does the automation work?

When Azure Security Center detects a Brute-force attack, it triggers an alert to bring you awareness that a brute force attack took place. The automation uses this alert as a trigger to block the traffic of the IP by creating a security rule in the NSG attached to the VM to deny inbound traffic from the IP addresses attached to the alert. In the alerts of this type, you can find the attacking IP address appearing in the ‘entities’ field of the alert.

 

The Logic App uses a system-assigned Managed Identity. You need to assign Contributor permissions or Security Reader and Network Contributor permissions to the Logic App’s Managed Identity so it is able to create an NSG rule once there is an attack detected. You need to assign these roles on all subscriptions or management groups you want to monitor and manage resources in using this playbook. Note: You can assign permissions only if your account has been assigned Owner or User Access Administrator roles, and make sure all selected subscriptions registered to Azure Security Center.

Refer to the Readme file in our GitHub Repository for detailed procedure.

 

Deployment process and details

Navigate to Azure Security Center GitHub repository and select “Deploy to Azure” or “Deploy to Azure Gov”, as shown in Image 1:

Image 1: Git Hub repositoryImage 1: Git Hub repository

 

Once you have clicked on ‘Deploy’ option in the screen above, you should automatically be redirected to the Azure portal Custom deployment page where you can fill in the details of requirement as shown in Image 2, as shown below:

Image 2: Azure portal, Custom DeploymentImage 2: Azure portal, Custom Deployment

 

The ARM template will create the Logic App Playbook and an API connection to Office 365, and ASCalert.

You need to authorize the Office 365 API connection so it can access the sender mailbox and send the email notification from there.

 

Once you review and create from Image 2, you would notice below resources created from the ARM template (Refer Image 3)

 

Image 3: Summary of the resources created from the ARM templateImage 3: Summary of the resources created from the ARM template

Define when the Logicapp should automatically run:

Workflow automation feature of Azure Security Center can trigger Logic Apps on security alerts and recommendations. For example, you might want Security Center to email a specific user when an alert occurs. When you add the workflow automation and trigger conditions as show in Image 4, the triggers will initiate this automatic workflow. In this example, you want the Logic App to run when a security alert that contains “bruteforce” is generated.

Image 4: Workflow AutomationImage 4: Workflow Automation

 

Note: Read more about workflow automation here

 

When a Bruteforce attack is detected by Azure Security Center as shown in Image 5, this would automatically apply the automation and blocks the traffic of the IP by creating a security rule in the NSG attached to the VM to deny inbound traffic from the IP addresses attached to the alert as shown in Image 6

Image 5: Brute force attack alertImage 5: Brute force attack alert

 

Image 6: IP blocked by ASCImage 6: IP blocked by ASC

 

You would receive an email notification on the alert details as shown in Image 7:

Image 7: Email notification from the logicappImage 7: Email notification from the logicapp

 

This logic app as well as many other can be found here:

Direct Link to GitHub sample

Azure Security Center GitHub Repo

 

Most organizations lack the time and expertise required to respond to these alerts so many go unaddressed. Having this type of automation can address the threat immediately. I hope you enjoy reading this article and implementing, testing it as much as I enjoyed writing it.

 

Reviewer

Special thanks to:

Yuri Diogenes, @Yuri Diogenes, Senior Program Manager (CxE ASC Team)

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.