Azure Defender for Azure DNS in Azure Security Center


Updated on December 8, 2020


In this article, I will share with you how to use Advanced Threat Protection for Azure DNS in Azure Security Center.

Introduction

Azure Security Center gives you complete visibility and control over the security of hybrid cloud workloads, including compute, network, storage, identity, and application workloads. Azure Security Center (ASC) has two main value propositions:

  1. Cloud Security Posture Management (CSPM) – Helps you prevent misconfigurations and strengthen your security posture across all types of cloud workloads and resources in Azure (IaaS, PaaS, and SaaS). CSPM in Security Center is available for free to all Azure users.
  2. Cloud Workload Protection Platform (CWPP) – Protect against threats for servers whether they are running in Azure, on-premises or different clouds such as Amazon AWS or Google GCP, in addition to cloud-native workloads such as Web Apps, Kubernetes, Key Vaults, as well as for SQL databases (PaaS/VM) and storage accounts. CWPP is part of the Azure Defender plan (formerly known as the Standard Tier).

Azure Defender is an evolution of the threat-protection technologies in Azure Security Center, protecting Azure and hybrid environments. When you enable Azure Defender from the Pricing and settings area of Azure Security Center, the following Defender plans are all enabled simultaneously and provide comprehensive defenses for the compute, data, and service layers of your environment:

Azure Security Center is continuously expanding. The Azure Security Center team has just announced the public preview of two new Azure Defender offerings: Advanced Threat Protection (ATP) for the Azure Resource Manager (ARM) layer and for the Azure DNS layer. These two offerings extend the breadth of Azure Security Center's threat protection coverage for Azure environments.

In this article, I will share with you how to use advanced threat protection for Azure DNS, and in the next article, I will share with you how to use advanced threat protection for Azure Resource Management (ARM) layer in Azure Security Center.

Prerequisites

To follow this article, you need to have the following:

  1. Azure subscription – If you don’t have an Azure subscription, you can create a free one here.
  2. Azure Security Center with Azure Defender enabled. Azure Defender for DNS is enabled per subscription under the Pricing & Settings page, as shown in the figure below. Please note that there is no additional cost during the preview period.

  [Figure 1: Azure Defender for Azure DNS in Azure Security Center]
  3. Choose one of your existing Azure virtual machines deployed in any subscription that has Azure Defender for DNS enabled, and make sure it uses the Azure default DNS resolvers (by default, all Azure VMs use the Azure default DNS), or create a new virtual machine.

Simulate Azure DNS alert in Security Center

Assuming you have all the prerequisites in place, take now the following steps:

You first need to connect to the virtual machine using RDP for Windows or SSH for Linux.

Next, open a PowerShell window and run the following script. The script tries to resolve a set of suspicious-looking and randomly generated domain names that do not exist on the Internet.

# Lookups of names associated with a Tor web gateway, a crypto-currency network,
# a typosquatted vendor name and a hex-named domain
Resolve-DnsName bbcnewsv2vjtpsuy.onion.to
Resolve-DnsName all.mainnet.ethdisco.net
Resolve-DnsName micros0ft.com
Resolve-DnsName 164e9408d12a701d91d206c6ab192994.info

# 151 random 32-character second-level domains (random domain name pattern).
# Note: "Get-Random -Count 32" over 97..122 only shuffles the 26 letters, so each
# character is drawn individually here to get the intended label length.
For ($i = 0; $i -le 150; $i++) {
    $rand = -join (1..32 | ForEach-Object { [char](Get-Random -Minimum 97 -Maximum 123) })
    Resolve-DnsName "$rand.com"
}

Resolve-DnsName aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.ru # investigate

# Long (63-character) random subdomains of a single domain (DNS tunneling pattern)
$rand = -join (1..63 | ForEach-Object { [char](Get-Random -Minimum 97 -Maximum 123) })
Resolve-DnsName "$rand.shukuruku.com"

For ($i = 0; $i -le 1000; $i++) {
    $rand = -join (1..63 | ForEach-Object { [char](Get-Random -Minimum 97 -Maximum 123) })
    Resolve-DnsName "$rand.shukuruku.com"
}

# I2P reseed server (anonymity network pattern)
Resolve-DnsName reseed.i2p-projekt.de

Write-Host -NoNewLine 'Press any key to continue...'
$null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown')

Please note that Advanced Threat Protection (ATP) for Azure DNS can catch far more sophisticated activity than this; the script above is only a basic simulation that fires numerous queries for unresolvable domain names. This detection and analysis apply to all DNS communications via Azure DNS. Learn more about the current detection capabilities for Azure DNS in the summary section.

Investigate security alerts for DNS

At this point, you just need to wait for the advanced threat detection engine to kick in. This can take a little while; in my example, it took around one hour, and I hope that Microsoft will improve the detection time once the public preview is over.

Once the detection takes place, a new alert with 'Medium' or 'Low' severity is generated in the Security Center | Security alerts dashboard, similar to the one below:

[Figure 2: Azure Defender for Azure DNS in Azure Security Center]

Please note that the simulation script used in the previous step fires numerous queries, and each group of queries triggers a different alert in order to demonstrate ATP for DNS. In the real world, this could be a single alert (e.g. Communication with suspicious random domain name) or multiple alerts, depending on the suspicious activities performed at the DNS layer.

You can select any of the security alerts to view more details about this suspicious activity and Take Action >> as needed.

[Figure 3: Azure Defender for Azure DNS in Azure Security Center]

If you’ve already integrated Azure Security Center with Azure Monitor, then you will also receive a notification based on the action group that you specified. In my example, I am using email notifications. You can find more details on how to integrate Azure Security Center with Azure Monitor here.

[Figure 4: Azure Defender for Azure DNS in Azure Security Center]

And if you have connected Azure Security Center to Azure Sentinel, which I highly recommend and which is described in this article, then you can see the same alerts with all the relevant data needed for investigation and response, as shown in the figure below:

[Figure 5: Azure Defender for Azure DNS in Azure Security Center]

And if you are leveraging the Workflow automation feature in Azure Security Center with a Logic App to post a message to Microsoft Teams, for example, then you will receive an alert in your team channel, similar to the one below:

[Figure 6: Azure Defender for Azure DNS in Azure Security Center]

That's it, there you have it!

How Azure Defender for Azure DNS works

Azure Defender for Azure DNS protects your Azure resources that use the Azure DNS resolvers against malicious DNS activity. Advanced Threat Protection (ATP) in Azure Security Center continuously analyzes your Azure DNS queries and detects suspicious activity, such as DNS queries to malicious domains (C&C servers, crypto-mining, phishing), data exfiltration using DNS tunneling, and suspicious DNS query patterns (DNS cache poisoning, blackhole DNS, and much more).

Advanced Threat Protection for Azure DNS is agentless: you do not need to install any agent or software on the protected resources.
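To make the "random domain name" and "DNS tunnel" patterns from the simulation script and the detection list above concrete, here is an added example (not code from the article or from Microsoft) of a simple heuristic run over a constructed DNS query log. The log format, the entropy and length thresholds, and the finding names are assumptions for illustration; Azure Defender's own detection logic is not public and is far more sophisticated.

```python
import math
from collections import defaultdict
from typing import Dict, Optional

# Constructed sample log, one query per line: "<source_vm> <query_name> <rcode>"
SAMPLE_LOG = """\
vm-web01 www.microsoft.com NOERROR
vm-web01 login.microsoftonline.com NOERROR
vm-web01 xkqzplmwrtbvnchdgsyfaeiojuk.com NXDOMAIN
vm-web01 qwlcmdvhptrbxnkzsgfayuoeij.com NXDOMAIN
vm-web01 mrdpxlqtznkbvwjycghsaufoei.com NXDOMAIN
vm-web01 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.ru NXDOMAIN
vm-db02 zxkqplmwvtcrnbdhgfsyaeioujzxkqplmwvtcrnbdhgfsyaeioujzxkqplmwvt.shukuruku.com NOERROR
vm-db02 time.windows.com NOERROR
"""

def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a DNS label (0.0 for a repeated character)."""
    if not label:
        return 0.0
    freq: Dict[str, int] = defaultdict(int)
    for ch in label:
        freq[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in freq.values())

def classify_query(name: str) -> Optional[str]:
    """Return an illustrative finding for one query name, or None if it looks benign."""
    labels = name.lower().rstrip(".").split(".")
    first = labels[0]
    # A very long, high-entropy leftmost label looks like encoded data (tunnel pattern)
    if len(first) >= 40 and shannon_entropy(first) > 3.5:
        return "possible_dns_tunnel"
    # A long, high-entropy second-level domain looks randomly generated
    if len(labels) == 2 and len(first) >= 20 and shannon_entropy(first) > 3.5:
        return "suspicious_random_domain"
    return None

def analyze(log_text: str) -> Dict[str, Dict[str, int]]:
    """Count findings and NXDOMAIN answers per source VM over the log lines."""
    findings: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        vm, name, rcode = parts
        finding = classify_query(name)
        if finding:
            findings[vm][finding] += 1
        if rcode == "NXDOMAIN":
            findings[vm]["nxdomain"] += 1
    return {vm: dict(f) for vm, f in findings.items()}
```

Note that the all-'a' name the script marks with "# investigate" has zero entropy and is not flagged by this heuristic, which is exactly why a real engine combines several signals (NXDOMAIN rate, query volume, reputation) rather than relying on one.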

Summary

In this article, I showed you how to use advanced threat protection for Azure DNS in Azure Security Center.

Advanced Threat Protection (ATP) for Azure DNS provides additional security intelligence for the management layer that detects unusual and potentially harmful communication and exfiltration attempts via DNS. At the time of this writing, Advanced Threat Protection (ATP) for Azure DNS provides you the following detection capabilities:

  • Communication with a suspicious random domain name (similar to what I have demonstrated in this article).
  • Communication with the suspicious algorithmically generated domain.
  • Anonymity network activity using a web proxy.
  • Possible data transfer via DNS tunnel.
  • Anonymity network activity.
  • Communication with possible phishing domain.
  • Digital currency mining activity.
  • Possible data download via DNS tunnel.
  • Network intrusion detection signature activation.
  • Possible data exfiltration via DNS tunnel.
  • Anomalous network protocol usage.
  • Attempted communication with suspicious sinkhole domain.

Additional resources I highly encourage you to check:

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-
