Threat Hunting in Azure with AC-Hunter
Threat hunting in a cloud environment is tricky. The span port we depend on to get a copy of all network traffic doesn’t usually exist in the cloud as there aren’t physical switches between virtual machines.
In 2019 we published some blogs on different approaches to Cloud packet capture (see cloud network and virtual machine monitoring). That series focused on Amazon’s AWS and an approach that used some advanced features of their network architecture to capture Cloud traffic.
At the time Microsoft’s Azure had a “preview” of their Virtual Network Tap, which offered a similar capability. They later removed that feature, so it is no longer possible to capture traffic inside their virtual network that way.
That means we need to be more creative!
Even if we can’t capture traffic on the (virtual) network at a Cloud provider, we can still analyze network traffic at each individual server. Let’s consider an example…
In our Azure environment, we have 15 Windows cloud servers and 20 Linux Cloud servers. To perform Threat Hunting on them we need to watch the network traffic going to and from each of them, looking for Command and Control traffic and other suspicious types. Since we can’t watch the network segment itself, we’ll tell each machine to self-report its network traffic back to a new AC-Hunter server.
Our developers have done exactly this. You can now purchase an AC-Hunter appliance on the Azure Marketplace!
The installation includes the software that performs these self-reports back to AC-Hunter. Within 24 hours you’ll have a picture of whether any of your Azure instances are communicating with a Command and Control server.
This approach works with the following Azure cloud instances: Microsoft Windows 10, Ubuntu Linux (16.04, 18.04, and 20.04), and RedHat/Centos Linux 7. For more information, please see the AC-Hunter Azure Setup Guide.
Bill has authored numerous articles and tools for client use. He also serves as a content author and faculty member at the SANS Institute, teaching the Linux System Administration, Perimeter Protection, Securing Linux and Unix, and Intrusion Detection tracks. Bill’s background is in network and operating system security; he was the chief architect of one commercial and two open source firewalls and is an active contributor to multiple projects in the Linux development effort. Bill’s articles and tools can be found in online journals and at http://github.com/activecm/ and http://www.stearns.org.