In our previous post we touched on cloud security and threat detection in general. There we mentioned various solutions within the Azure Security Center, such as Azure Defender for App Services. Today we will focus on that. We will give a technical background of how this solution is able to detect even the most sophisticated attacks in time. Then we will also introduce its invaluable built-in but less well-known services, Azure Alerts and Azure Workbooks.

We find these services essential because they fully cover the basic security needs, since security is all about:

  • having an overview of the current state of security, 
  • getting alerted immediately if anything unusual happens, 
  • and responding to unexpected events. 

Azure Defender for Web Apps, together with Azure Alerts and Azure Workbooks, delivers on all three.

After your reading, make sure to check out our awesome free tool to discover your security score.

Or you can opt directly for our 3-day workshop to map and test your security environment.


THE BIGGEST CYBER ATTACKS OF 2021 

When applications are exploited or targeted by serious threats, detection often comes too late. Phishing, hacking, misdelivery, misconfiguration, trojans and various malware (such as password dumpers, ransomware and RAM scrapers) are still the top cybersecurity threats. Many of these techniques are simple, easily accessible, and inexpensive: for less than 100 EUR anyone can cripple an organization for weeks. As a result, the frequency of these attacks is rapidly increasing. Some of them, like ransomware attacks, are also becoming more sophisticated and therefore more difficult to detect, yet their frequency is increasing as well. Consequently, it is a challenge for organizations to keep up with the ever-evolving cybersecurity landscape and act in time. Security is not static anymore; it must shift to a continuously evolving approach.

We’ve all seen the news about companies whose applications were attacked through missing updates, common exploits, and other threats. Ransomware and other malware attacks can cripple a company’s operations for weeks. A non-exhaustive list of 2021 cyberattack victims includes Accenture, Acer, AXA, CNA Financial, FujiFilm, KIA Motors and the NBA.

But attackers don’t spare hospitals either. In Germany, a patient died while being redirected from a hospital hit by a ransomware attack. Several hospitals in the US have also been targeted. Sometimes a whole country is affected – attacks against governmental departments, agencies, and businesses are common as well. For example, a couple of months back, Colonial Pipeline suffered an attack that led to fuel shortages and panic buying across the US. It was one of the largest cyberattacks against the oil and gas industry and pushed the US energy infrastructure to the edge.

THREAT DETECTION: ONE TOOL TO RULE THEM ALL

These attacks could have been prevented with the right technology and organizational mindset. That is to say, organizations need to protect themselves against next-generation threats and deploy cybersecurity solutions rooted in the Zero-Trust principles (assume breach, verify explicitly, and use least privilege access). 

The good news is, you are not alone against the entire world. There is an affordable and user-friendly solution out there to protect your applications. And when we say affordable, we mean it: at 50 cents per App Service per day, it costs less than a cup of coffee. Introducing our front-runner, Azure Defender for Web Apps, a tool that automatically detects, assesses, and identifies threats, attack patterns, and exploits on your Azure-hosted applications.

Moreover, it comes with the handy services Azure Alerts and Azure Workbooks, which offer complete security insights into your applications. We are great fans of these features at DexMach because they fit our customer philosophy perfectly: we stand for empowering our customers and giving them control through powerful insights and support.

TECHNICAL DEEP DIVE: THREAT DETECTION AGAINST THE MOST SOPHISTICATED ATTACKS 

Azure Defender for Web Apps uses the scale of the cloud to identify attacks targeting applications running on Web Apps. Attackers probe web applications to find and exploit weaknesses. Before being routed to specific environments, requests to applications running in Azure pass through several gateways, where they are inspected and logged. This data is then used to identify exploits and attackers, and to learn new patterns that are applied later. Of course, it also feeds security recommendations.

As a cloud-native solution, Azure Defender can identify attack methodologies that span multiple targets. For example, from a single host it would be difficult to recognize a distributed attack in which a small set of IP addresses crawls similar endpoints on many hosts. But the log data and the shared infrastructure together tell the story: from a new attack circulating in the wild to compromises of customer machines.

Azure Defender for Web Apps covers a wide range of threat detection features mapped to an almost complete list of MITRE ATT&CK tactics. On top of that, it also provides dangling DNS detection – more on that later.

The built-in threat protection, organized along the MITRE ATT&CK tactics, covers all phases of an attack:

  • Pre-attack threats: detects vulnerability scanners running against your applications
  • Initial access threats: detects known malicious intruders using Microsoft Threat Intelligence
  • Execution threats: detects high-privilege commands, fileless attack behavior, crypto mining, and other suspicious code execution

When a website is decommissioned, any DNS entries that remain at your DNS registrar still point to the old hostname and are exposed to a takeover. Azure Defender makes you aware of any remaining custom domains after the website has been removed, whether your domains are managed in Azure DNS or at an external domain registrar.


EXAMPLES OF THREAT DETECTION

Azure Defender for Web Apps covers a lot out of the box; some of our favorite detections:

  • Attempt to run high privilege command detected  
  • Connection to web page from anomalous IP address detected  
  • Digital currency mining related behavior detected  
  • NMap scanning detected  
  • Potential dangling DNS record for an App Service resource detected  
  • Potential reverse shell detected  

HANDY BUILT-IN SERVICES: AZURE WORKBOOKS AND ALERTS

Now all of this is nice, but what if you want insight into what is happening with your web apps? You can use Azure Workbooks to combine the different data sources provided by Azure Defender and Security Center and see exactly what is going on in your environment.

As an added benefit, pre-made workbook templates from Microsoft and the community exist. Of course, you can always build your own from the data available in your Log Analytics workspaces. Once you have created a workbook, you can share it within your environment to keep your developers and security specialists on their toes.

Finally, the extra features don’t stop at insights. With Azure Alerts you are notified when common attacks are launched against your application, or on any event you define in your custom security settings.
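As an added example (not from the original post or from Microsoft’s templates), here is a Kusto query that a workbook tile or a scheduled alert rule can run against the Log Analytics workspace that receives Security Center alerts. It assumes Defender alerts are exported to the `SecurityAlert` table and that its `Tactics` column carries comma-separated MITRE ATT&CK tactic names.

```kusto
// Added example: Defender for App Service alerts from the last 7 days,
// grouped by MITRE ATT&CK tactic and app, for a workbook or alert rule.
// Assumes Security Center alerts land in SecurityAlert (continuous export)
// and that Tactics holds comma-separated tactic names.
SecurityAlert
| where TimeGenerated > ago(7d)
| where ProductName == "Azure Security Center"
// keep only alerts raised on App Service resources
| where ResourceId has "/providers/Microsoft.Web/sites/"
| extend AppName = extract(@"/sites/([^/]+)", 1, ResourceId)
// one row per tactic when an alert maps to several tactics
| mv-expand Tactic = split(Tactics, ",")
| extend Tactic = trim(" ", tostring(Tactic))
| summarize
    Alerts       = count(),
    HighSeverity = countif(AlertSeverity == "High"),
    LastSeen     = max(TimeGenerated),
    AlertNames   = make_set(AlertName, 10)
  by Tactic, AppName
| order by HighSeverity desc, Alerts desc
```

For the alerting side, the same filter followed by `| summarize count()` with a threshold of 0 backs a scheduled log alert rule, so a new detection notifies you on the first occurrence.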

In conclusion, don’t be a cautionary tale. Premium security tools today are affordable and user-friendly – regardless of whether you are a nonprofit, for-profit, small, or big organization.  

Want to know more? Have a chat with us!

Glenn Mattys

Head of Customer Innovation

Filip De Byser

Cloud Managed Services
