PV-1 | Define and establish secure configurations | Parent | Establish secure baselines

Azure Policy: No Azure Policy available

Description: Define security configuration baselines for different resource types in the cloud using configuration management tools to establish compliant environments by default. Leverage industry standards, vendor recommendations, and organizational requirements to create comprehensive baselines that can be automatically applied during resource deployment.

Risk: Without standardized security configuration baselines, cloud environments suffer from inconsistent security postures that create exploitable weaknesses. Absence of secure configuration standards leads to:
- Configuration drift vulnerabilities: Resources deployed without security baselines introduce misconfigurations including open firewall rules, weak authentication settings, excessive permissions, and disabled security logging, creating entry points for attackers.
- Inconsistent security postures: Different teams deploying resources with varying security configurations create an unpredictable attack surface where some environments have strong protections while others remain vulnerable.
- Compliance violations: Regulatory frameworks (PCI-DSS, HIPAA, SOC 2) mandate specific security configurations; absent baselines result in non-compliant deployments and audit failures.
- Default configuration exploitation: Cloud services often ship with default configurations optimized for functionality rather than security; unmodified defaults frequently contain security weaknesses that attackers routinely exploit.
- Manual configuration errors: Teams manually configuring security settings introduce human errors includ

MITRE ATT&CK mapping:
- Initial Access (TA0001): exploit public-facing application (T1190) leveraging misconfigured services with default credentials or excessive network exposure.
- Persistence (TA0003): create account (T1136) exploiting weak account policies or administrative access controls in baseline configurations.
- Defense Evasion (TA0005): impair defenses (T1562) disabling security controls that were not properly configured or enforced in baseline deployments.
- Discovery (TA0007): cloud infrastructure discovery (T1580) enumerating misconfigured resources to map attack paths and identify high-value targets.

Case study: A financial services organization established comprehensive security configuration baselines across its cloud infrastructure supporting online banking applications and customer data processing systems serving 2.5 million customers.

Challenge: The organization lacked standardized security configurations across its cloud infrastructure, resulting in inconsistent security postures across 500+ Azure resources, configuration-related security incidents, and prolonged environment deployment times due to manual security configuration processes.

Solution approach:
Define comprehensive security baselines:
- Create Template Specs containing security configuration standards for common resource types:
  - Virtual networks with network security groups configured for least-privilege access
  - Storage accounts with encryption at rest enabled, public access disabled, and logging configured
  - Key vaults with access policies restricting secret access to authorized applications only
  - App Services with HTTPS enforcement, identity integration, and security headers configured
  - SQL databases with transparent data encryption, auditing enabled, and firewall rules configured
- Establish compute resource baselines using Azure Machine Configuration:
  - Windows Server baseline configurations using Azure Machine Configuration for CIS compliance
  - Linux hardening baselines deployed through Azure Automanage machine best practices
  - Container image security scanning integrated with Microsoft Defender for Containers in Azure Container Registry
  - Azure Kubernetes Service security baselines enforcing the Azure Policy add-on with built-in security policies
Implement infrastructure-as-code deployment:
- Deploy Bicep templates with Azure Policy integration ensuring compliance at deployment:
  - Bicep modules with built-in security parameters (minimumTlsVersion, supportsHttpsTrafficOnly properties)
  - Azure Policy deployIfNotExists effects automatically enabling diagnostic settings and encryption
  - Template Specs versioned and stored in Azure for centralized baseline management
- Use Azure DevOps pipelines with Azure Resource Manager deployment tasks and policy compliance checks
- Implement Azure Repos branch policies requiring security team code review before merging baseline changes

Priority: Must have

Compliance mapping: NIST SP 800-53 CM-2, CM-6, CM-6(1); PCI DSS 2.2.1, 12.3.1; CIS Controls 4.1, 4.2; NIST CSF PR.IP-1, PR.DS-6; ISO/IEC 27001 A.8.9, A.5.37; SOC 2 CC6.1, CC6.6
PV-1.1 | Establish security configuration baselines | Child of PV-1 | Establish secure baselines

Azure Policy: No Azure Policy available

Description: Define security configuration baselines for different resource types in the cloud using configuration management tools to establish compliant environments by default. Leverage industry standards, vendor recommendations, and organizational requirements to create comprehensive baselines that can be automatically applied during resource deployment.

Guidance: Organizations lacking standardized security configurations deploy resources with inconsistent security postures, creating vulnerabilities across environments while consuming significant operational effort manually configuring each deployment. Configuration baselines establish repeatable security standards that prevent configuration drift and ensure consistent protection across all cloud resources. Standardized security configurations accelerate secure deployment while reducing configuration-related security incidents and compliance violations. Establish consistent security configurations through standardized baselines:
- Define security configuration baselines: Use the Microsoft Cloud Security Benchmark and service-specific security recommendations to establish configuration standards for each Azure service.
- Implement Azure landing zones: Use Azure landing zones to accelerate workload deployment with pre-configured security settings and governance controls.
- Use infrastructure-as-code templates: Codify and deploy consistent security configurations using Bicep templates and Template Specs for repeatable deployments.
- Reference architectural guidance: Follow the Azure Well-Architected Framework security pillar for architectural configuration guidance and best practices.
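The PV-1 solution approach and the PV-1.1 guidance rely on Bicep security parameters (minimumTlsVersion, supportsHttpsTrafficOnly) being checked by Azure Policy with deny, audit and deployIfNotExists effects. The following is an added example, not code from the benchmark or from Azure Policy: it models that evaluation in plain Python over constructed storage account property sets, treating "diagnosticSettings" as a simplified stand-in for the separate Microsoft.Insights/diagnosticSettings resource.

```python
"""Evaluate storage account configurations against a security baseline.

Added example (not from the benchmark page): models the Azure Policy effects
deny, audit and deployIfNotExists as plain Python so the evaluation logic can
be read and tested offline. Property names follow the ARM/Bicep
Microsoft.Storage/storageAccounts schema; "diagnosticSettings" is a simplified
stand-in for the separate diagnostic settings resource. Sample resources are
constructed, not real deployments.
"""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

# Accepted minimumTlsVersion values, ordered so "at least TLS1_2" is a comparison.
# Unknown values map to 0 and therefore fail closed.
TLS_ORDER = {"TLS1_0": 0, "TLS1_1": 1, "TLS1_2": 2}


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str  # "deny", "audit" or "deployIfNotExists", as in Azure Policy
    check: Callable[[Dict[str, Any]], bool]  # returns True when compliant
    remediation: Dict[str, Any] = field(default_factory=dict)  # deployIfNotExists payload


# Baseline mirroring the storage bullets of the PV-1 case study: HTTPS only,
# modern TLS, no anonymous blob access, diagnostic logging present.
STORAGE_BASELINE: List[Rule] = [
    Rule("https-only", "deny",
         lambda p: p.get("supportsHttpsTrafficOnly") is True),
    Rule("min-tls-1.2", "deny",
         lambda p: TLS_ORDER.get(p.get("minimumTlsVersion", "TLS1_0"), 0) >= TLS_ORDER["TLS1_2"]),
    Rule("no-public-blob-access", "audit",
         lambda p: p.get("allowBlobPublicAccess") is False),
    Rule("diagnostics-enabled", "deployIfNotExists",
         lambda p: bool(p.get("diagnosticSettings")),
         remediation={"diagnosticSettings": {
             "workspaceId": "<log-analytics-workspace-id>",  # placeholder
             "logs": ["StorageRead", "StorageWrite", "StorageDelete"]}}),
]


@dataclass
class Verdict:
    allowed: bool  # False when any deny rule fails
    denied: List[str] = field(default_factory=list)
    audit_findings: List[str] = field(default_factory=list)
    remediations: Dict[str, Any] = field(default_factory=dict)


def evaluate(properties: Dict[str, Any], baseline: List[Rule] = STORAGE_BASELINE) -> Verdict:
    """Apply every rule: deny blocks, audit records, deployIfNotExists proposes a fix."""
    verdict = Verdict(allowed=True)
    for rule in baseline:
        if rule.check(properties):
            continue
        if rule.effect == "deny":
            verdict.allowed = False
            verdict.denied.append(rule.name)
        elif rule.effect == "audit":
            verdict.audit_findings.append(rule.name)
        elif rule.effect == "deployIfNotExists":
            verdict.remediations.update(rule.remediation)
        else:
            raise ValueError(f"unknown effect {rule.effect!r} in rule {rule.name}")
    return verdict


def apply_remediations(properties: Dict[str, Any], verdict: Verdict) -> Dict[str, Any]:
    """Return a copy with the deployIfNotExists payloads merged in (the corrective deployment)."""
    fixed = dict(properties)
    fixed.update(verdict.remediations)
    return fixed


# Constructed resources: a functionality-first default and a hardened baseline deployment.
DEFAULT_STORAGE = {
    "supportsHttpsTrafficOnly": True,
    "minimumTlsVersion": "TLS1_0",
    "allowBlobPublicAccess": True,
}
HARDENED_STORAGE = {
    "supportsHttpsTrafficOnly": True,
    "minimumTlsVersion": "TLS1_2",
    "allowBlobPublicAccess": False,
    "diagnosticSettings": {"workspaceId": "<log-analytics-workspace-id>"},
}

if __name__ == "__main__":
    for label, props in (("default", DEFAULT_STORAGE), ("hardened", HARDENED_STORAGE)):
        v = evaluate(props)
        print(f"{label}: {'allowed' if v.allowed else 'DENIED'} denied={v.denied} "
              f"audit={v.audit_findings} remediate={sorted(v.remediations)}")
```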
PV-2 | Audit and enforce secure configurations | Parent | Monitor and enforce compliance

Azure Policy:
- API Management direct management endpoint should not be enabled
- App Service apps should have Client Certificates (Incoming client certificates) enabled
- App Service apps should have remote debugging turned off
- App Service apps should not have CORS configured to allow every resource to access your apps
- Azure API Management platform version should be stv2
- Azure Arc enabled Kubernetes clusters should have the Azure Policy extension installed
- Azure Machine Learning compute instances should be recreated to get the latest software updates
- Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters
- Function apps should have Client Certificates (Incoming client certificates) enabled
- Function apps should have remote debugging turned off
- Function apps should not have CORS configured to allow every resource to access your apps
- Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits
- Kubernetes cluster containers should not share host namespaces
- Kubernetes cluster containers should only use allowed AppArmor profiles
- Kubernetes cluster containers should only use allowed capabilities
- Kubernetes cluster containers should only use allowed images
- Kubernetes cluster containers should run with a read only root file system
- Kubernetes cluster pod hostPath volumes should only use allowed host paths
- Kubernetes cluster pods and containers should only run with approved user and group IDs
- Kubernetes cluster pods should only use approved host network and port list
- Kubernetes cluster services should listen only on allowed ports
- Kubernetes cluster should not allow privileged containers
- Kubernetes clusters should disable automounting API credentials
- Kubernetes clusters should not allow container privilege escalation
- Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities
- Kubernetes clusters should not use the default namespace

Description: Continuously monitor and alert on deviations from defined configuration baselines. Enforce desired configurations through automated remediation that denies non-compliant configurations or automatically deploys corrective configurations to maintain security posture.

Risk: Configuration drift from established security baselines introduces vulnerabilities that accumulate over time, creating an expanding attack surface. Without continuous monitoring and enforcement:
- Silent configuration drift: Manual changes, emergency modifications, and incremental updates gradually weaken security configurations without triggering alerts, resulting in environments that appear secure but contain exploitable gaps.
- Compliance degradation: Systems initially deployed with compliant configurations drift away from regulatory requirements through normal operational changes, creating audit findings and certification risks.
- Inconsistent enforcement: Different teams applying security configurations manually introduce variations and omissions that create security weak points throughout the environment.
- Emergency change exceptions: High-pressure situations lead to security bypasses and temporary configurations that become permanent, eroding overall security posture.
- Scale amplification of drift: In cloud environments, configuration changes replicate across multiple resources through automation; a single drift event can weaken hundreds of resources simultaneously.
- Undetected misconfigurations

MITRE ATT&CK mapping:
- Defense Evasion (TA0005): impair defenses (T1562) exploiting configuration drift to disable or weaken security controls.
- Persistence (TA0003): modify authentication process (T1556) leveraging weakened authentication configurations that drifted from secure baselines.
- Discovery (TA0007): cloud infrastructure discovery (T1580) identifying misconfigured resources through systematic enumeration of configuration weaknesses.

Case study: A healthcare technology company implemented comprehensive configuration monitoring across cloud infrastructure supporting electronic health record (EHR) systems and patient data analytics platforms serving 150+ hospitals.

Challenge: The company experienced configuration drift incidents that created HIPAA compliance risks, with configuration changes going undetected for weeks and manual remediation processes taking days to correct security configuration violations across 150+ hospital environments.

Solution approach:
Deploy continuous monitoring infrastructure:
- Enable Microsoft Defender for Cloud across all subscriptions with security policies configured to assess:
  - Storage account encryption and access configurations
  - Network security group rules and network exposure
  - Identity and access management configuration compliance
  - Database security configurations and access controls
  - Virtual machine security baseline compliance
- Configure Azure Monitor Log Analytics with KQL queries detecting configuration changes:
  - AzureActivity queries monitoring NetworkSecurityGroupRuleOperations for firewall rule modifications
  - AzureDiagnostics queries detecting StorageAccountEncryptionDisabled events
  - AuditLogs queries tracking Microsoft Entra PIM role assignments and privilege escalations
  - PolicyEvents queries monitoring policy exemption requests and compliance state changes
Implement policy-driven enforcement:
- Deploy Azure Policy built-in initiatives for HIPAA HITRUST 9.2 compliance:
  - Audit effect policies using the Microsoft.Compute, Microsoft.Storage, and Microsoft.Network resource providers
  - Deny effect policies enforcing allowedLocations, allowedVirtualMachineSkus, and deniedResourceTypes
  - DeployIfNotExists effect policies deploying Microsoft Defender for Cloud, diagnostic settings, and encryption
- Configure Azure Policy remediation tasks with managed identity assignments:
  - Automated remediation tasks using system-assigned managed identities for policy compliance
  - Azure Automation runbooks triggered by policy compliance state changes
  - Azure Logic Apps workflows for complex remediation requiring multi-step orchestration

Priority: Must have

Compliance mapping: NIST SP 800-53 CM-2, CM-3, CM-6, CM-7, CM-7(1); PCI DSS 2.2.2, 2.2.7, 11.5.1; CIS Controls 4.1, 4.2, 4.7; NIST CSF DE.CM-7, PR.IP-1; ISO/IEC 27001 A.8.9, A.8.34; SOC 2 CC6.1, CC6.6, CC7.1
PV-2.1 | Implement continuous configuration monitoring | Child of PV-2 | Monitor and enforce compliance

Azure Policy:
- API Management direct management endpoint should not be enabled
- App Service apps should have Client Certificates (Incoming client certificates) enabled
- App Service apps should have remote debugging turned off
- App Service apps should not have CORS configured to allow every resource to access your apps
- Azure API Management platform version should be stv2
- Azure Arc enabled Kubernetes clusters should have the Azure Policy extension installed
- Azure Machine Learning compute instances should be recreated to get the latest software updates
- Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters
- Function apps should have Client Certificates (Incoming client certificates) enabled
- Function apps should have remote debugging turned off
- Function apps should not have CORS configured to allow every resource to access your apps
- Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits
- Kubernetes cluster containers should not share host namespaces
- Kubernetes cluster containers should only use allowed AppArmor profiles
- Kubernetes cluster containers should only use allowed capabilities
- Kubernetes cluster containers should only use allowed images
- Kubernetes cluster containers should run with a read only root file system
- Kubernetes cluster pod hostPath volumes should only use allowed host paths
- Kubernetes cluster pods and containers should only run with approved user and group IDs
- Kubernetes cluster pods should only use approved host network and port list
- Kubernetes cluster services should listen only on allowed ports
- Kubernetes cluster should not allow privileged containers
- Kubernetes clusters should disable automounting API credentials
- Kubernetes clusters should not allow container privilege escalation
- Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities
- Kubernetes clusters should not use the default namespace

Description: Continuously monitor and alert on deviations from defined configuration baselines. Enforce desired configurations through automated remediation that denies non-compliant configurations or automatically deploys corrective configurations to maintain security posture.

Guidance: Configuration drift occurs gradually as manual changes, emergency fixes, and unauthorized modifications move resources away from security baselines, creating security gaps that traditional periodic audits detect too late to prevent exploitation. Continuous configuration monitoring provides real-time visibility into configuration state and automated detection of security control degradation. Automated enforcement prevents configuration drift while maintaining security posture consistency across all cloud resources. Maintain security baseline compliance through continuous monitoring and enforcement:
- Configure continuous configuration assessment: Use Microsoft Defender for Cloud to continuously assess resource configurations against security recommendations and identify deviations from baselines.
- Implement policy-based monitoring: Deploy Azure Policy with audit and enforcement effects to monitor and control resource configurations across all subscriptions.
- Create configuration deviation alerts: Use Azure Monitor to create alerts when configuration deviations are detected, triggering investigation and remediation workflows.
- Deploy preventive controls: Implement Azure Policy deny effects to prevent deployment of non-compliant configurations at resource creation time.
- Automate configuration remediation: Use Azure Policy deployIfNotExists effects to automatically remediate configuration drift without manual intervention.
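The PV-2 solution approach describes KQL queries over AzureActivity and PolicyEvents that catch network security group rule modifications and policy exemption requests. The block below is an added example, not code from the benchmark or from Microsoft: it implements those two detections in Python over constructed, simplified AzureActivity-shaped records (OperationNameValue, Caller, ActivityStatusValue, _ResourceId, Properties.requestbody) so the logic can be run offline; the status value "Success" and the request-body placement are assumptions to confirm against your own workspace.

```python
"""Detect baseline-weakening changes in Azure Activity log records.

Added example (not from the benchmark page): Python versions of the PV-2
AzureActivity detections (NSG security rule writes, policy exemption writes).
Records are constructed, simplified AzureActivity rows. The Log Analytics
equivalent of the NSG detection starts from:
    AzureActivity
    | where OperationNameValue =~ "Microsoft.Network/networkSecurityGroups/securityRules/write"
"""
import json
from dataclasses import dataclass
from typing import Any, Dict, List

NSG_RULE_WRITE = "microsoft.network/networksecuritygroups/securityrules/write"
POLICY_EXEMPTION_WRITE = "microsoft.authorization/policyexemptions/write"
ANY_SOURCE = {"*", "internet", "0.0.0.0/0"}  # prefixes that expose a port to the Internet


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    rule: str      # detection name
    caller: str
    resource: str
    detail: str


def parse_request_body(record: Dict[str, Any]) -> Dict[str, Any]:
    """The ARM request body travels as a JSON string inside Properties; tolerate absence or garbage."""
    raw = (record.get("Properties") or {}).get("requestbody")
    if not raw:
        return {}
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        return {}


def analyse_nsg_rule(record: Dict[str, Any], body: Dict[str, Any]) -> Finding:
    """Every rule write is drift worth recording; an inbound allow from any source is high."""
    props = body.get("properties", {})
    access = str(props.get("access", "")).lower()
    direction = str(props.get("direction", "")).lower()
    sources = [str(s).lower() for s in props.get("sourceAddressPrefixes", [])]
    if props.get("sourceAddressPrefix"):
        sources.append(str(props["sourceAddressPrefix"]).lower())
    ports = props.get("destinationPortRange") or ",".join(props.get("destinationPortRanges", []))
    exposed = access == "allow" and direction == "inbound" and any(s in ANY_SOURCE for s in sources)
    return Finding(
        severity="high" if exposed else "medium",
        rule="nsg-inbound-from-any" if exposed else "nsg-rule-modified",
        caller=record.get("Caller", "?"),
        resource=record.get("_ResourceId", "?"),
        detail=f"{access or '?'} {direction or '?'} ports={ports or '?'} from={sources}")


def detect(records: List[Dict[str, Any]]) -> List[Finding]:
    findings: List[Finding] = []
    for rec in records:
        # Only completed writes change state; "Success" is the value in the constructed data.
        if rec.get("ActivityStatusValue") != "Success":
            continue
        op = str(rec.get("OperationNameValue", "")).lower()
        body = parse_request_body(rec)
        if op == NSG_RULE_WRITE:
            findings.append(analyse_nsg_rule(rec, body))
        elif op == POLICY_EXEMPTION_WRITE:
            props = body.get("properties", {})
            findings.append(Finding(
                "high", "policy-exemption-created", rec.get("Caller", "?"), rec.get("_ResourceId", "?"),
                f"category={props.get('exemptionCategory', '?')} expires={props.get('expiresOn', 'never')}"))
    return findings


def _record(op: str, status: str, resource: str, body: Dict[str, Any]) -> Dict[str, Any]:
    return {"OperationNameValue": op, "ActivityStatusValue": status, "Caller": "ops-user@example.test",
            "_ResourceId": resource, "Properties": {"requestbody": json.dumps(body)}}


NSG_OP = "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE"
NSG_RES = "/subscriptions/<sub-id>/resourceGroups/rg-app/providers/Microsoft.Network/networkSecurityGroups/nsg-web/securityRules/"
SAMPLE_RECORDS = [  # constructed
    # Inbound RDP from any source: the "open firewall rules" drift the control warns about.
    _record(NSG_OP, "Success", NSG_RES + "allow-rdp", {"properties": {
        "access": "Allow", "direction": "Inbound", "protocol": "Tcp",
        "sourceAddressPrefix": "*", "destinationPortRange": "3389"}}),
    # Narrow rule from an internal range: still a change to record, lower severity.
    _record(NSG_OP, "Success", NSG_RES + "allow-app-internal", {"properties": {
        "access": "Allow", "direction": "Inbound", "protocol": "Tcp",
        "sourceAddressPrefix": "10.0.0.0/8", "destinationPortRange": "443"}}),
    # Open-ended exemption removes a control from compliance evaluation.
    _record("MICROSOFT.AUTHORIZATION/POLICYEXEMPTIONS/WRITE", "Success",
            "/subscriptions/<sub-id>/providers/Microsoft.Authorization/policyExemptions/waive-tls",
            {"properties": {"exemptionCategory": "Waiver", "policyAssignmentId": "<assignment-id>"}}),
    # Failed write changed nothing and is ignored.
    _record(NSG_OP, "Failure", NSG_RES + "allow-ssh", {"properties": {
        "access": "Allow", "direction": "Inbound", "sourceAddressPrefix": "Internet",
        "destinationPortRange": "22"}}),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_RECORDS):
        print(f"[{f.severity}] {f.rule} by {f.caller} on {f.resource}: {f.detail}")
```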
PV-3 | Define and establish secure configurations for compute resources | Parent | Establish secure baselines

Azure Policy: No Azure Policy available

Description: Define secure configuration baselines for compute resources including Virtual Machines (VMs) and containers. Use configuration management tools and pre-configured images to establish compliant compute environments by default, ensuring security hardening is applied consistently across all compute deployments.

Risk: Compute resources including virtual machines and containers often deploy with insecure default configurations that expose organizations to compromise. Without secure compute baselines:
- Operating system vulnerabilities: Default OS installations contain unnecessary services, weak authentication settings, and missing security patches that provide attack vectors for privilege escalation and lateral movement.
- Container security gaps: Container images built without security hardening contain vulnerable base layers, excessive privileges, and insecure runtime configurations that enable container escape and host compromise.
- Service configuration weaknesses: Applications and services deployed with default configurations often enable unnecessary features, use weak credentials, and lack proper access controls.
- Persistent access opportunities: Compute resources with weak security baselines provide attackers with stable footholds for maintaining long-term access and conducting reconnaissance.
- Scale amplification: Cloud auto-scaling and orchestration systems replicate insecure compute configurations across hundreds of instances, amplifying the impact of baseline security weaknesses.
- Compliance violations: R

MITRE ATT&CK mapping:
- Initial Access (TA0001): exploit public-facing application (T1190) targeting services running on insecurely configured compute resources.
- Execution (TA0002): command and scripting interpreter (T1059) leveraging weak compute security to execute malicious code.
- Persistence (TA0003): create or modify system process (T1543) exploiting weak compute baselines to establish persistent access.
- Defense Evasion (TA0005): impair defenses (T1562) disabling security controls on weakly configured compute resources.

Case study: A manufacturing company established secure compute baselines across industrial IoT infrastructure and enterprise applications supporting 50+ production facilities and supply chain management systems.

Challenge: The company faced security incidents involving compute resources with critical vulnerabilities, lengthy compliance audit preparation due to inconsistent security configurations, and slow VM deployment processes that delayed production facility expansions across 50+ locations.

Solution approach:
Establish VM security baselines:
- Create hardened VM images using Azure Image Builder with Azure Compute Gallery:
  - Windows Server 2022 images with Azure Image Builder customizations applying CIS benchmarks
  - Ubuntu 22.04 LTS images using Azure Image Builder runScripts for security hardening
  - Microsoft Defender for Endpoint onboarding automated through Image Builder build scripts
  - Azure Compute Gallery versioning with replication across regions for baseline distribution
- Configure Azure Machine Configuration for OS-level compliance:
  - Azure Machine Configuration packages deploying DSC configurations to Windows VMs
  - Azure Machine Configuration custom policies enforcing Linux security baselines
  - Azure Disk Encryption enablement enforced through Azure Policy deployIfNotExists
  - Secure Boot and vTPM requirements enforced through VM creation policies
Deploy container security baselines:
- Configure Azure Container Registry with Microsoft Defender for Containers:
  - Microsoft Defender for Containers vulnerability scanning using the integrated Trivy scanner for ACR images
  - ACR quarantine pattern using repository permissions to block pulls of vulnerable images
  - Container build optimization using minimal base images and multi-stage builds
  - Azure DevOps pipeline gates failing builds on critical/high CVEs detected by Defender
- Implement Azure Kubernetes Service security baselines:
  - Azure Policy for AKS enforcing the pod security baseline using built-in policy definitions
  - Azure CNI with Calico network policies for namespace-level network isolation
  - Azure Kubernetes Fleet Manager distributing secure configurations across clusters
  - AKS Image Cleaner automatically removing old images based on retention policies

Priority: Must have

Compliance mapping: NIST SP 800-53 CM-2, CM-6, SC-28, SC-28(1); PCI DSS 2.2.1, 2.2.4, 2.2.5; CIS Controls 4.1, 4.8, 18.3; NIST CSF PR.IP-1, PR.DS-6, PR.PT-3; ISO/IEC 27001 A.8.1, A.8.9, A.8.19; SOC 2 CC6.1, CC6.6, CC6.7
PV-3.1 | Establish compute security baselines | Child of PV-3 | Establish secure baselines

Azure Policy: No Azure Policy available

Description: Define secure configuration baselines for compute resources including Virtual Machines (VMs) and containers. Use configuration management tools and pre-configured images to establish compliant compute environments by default, ensuring security hardening is applied consistently across all compute deployments.

Guidance: Compute resources deployed with default configurations contain known security weaknesses and unnecessary services that attackers exploit for initial access and privilege escalation, with operating system vulnerabilities remaining primary attack vectors in cloud environments. Security hardening reduces the attack surface by disabling unnecessary services, applying security configurations, and enforcing least-privilege principles at the operating system level. Hardened compute baselines prevent common exploitation techniques while ensuring a consistent security posture across all compute resources. Implement compute security hardening through standardized baselines:
- Apply operating system security baselines: Use the Azure security baselines for Windows and Linux operating systems to enforce CIS benchmarks and Microsoft security recommendations.
- Create hardened virtual machine images: Use Azure Image Builder to create hardened VM images with security configurations pre-applied before deployment.
- Establish container security baselines: Apply container security standards using Microsoft Defender for Containers recommendations for image hardening and runtime protection.
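The PV-3 case study gates Azure DevOps builds on critical/high CVEs reported by the image scanner, and PV-3.1 points at Defender for Containers recommendations for image hardening. The block below is an added example, not code from the benchmark, Defender for Containers or Azure DevOps: it implements such a gate in Python over a constructed, simplified scan result, with time-boxed waivers so that an exception cannot silently become permanent. CVE identifiers, package names and versions are placeholders; the `##vso[task.logissue]` lines use the Azure DevOps logging command format.

```python
"""Image-scan gate for a build pipeline: block on unwaived critical/high CVEs.

Added example (not from the benchmark page): models the PV-3 "pipeline gates
failing builds on critical/high CVEs" step. The finding shape (CVE id,
severity, package, fixed version) is a simplified stand-in for a scanner
report; all identifiers and versions below are constructed placeholders.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

BLOCKING_SEVERITIES = {"critical", "high"}


@dataclass(frozen=True)
class Finding:
    cve_id: str
    severity: str
    package: str
    fixed_version: Optional[str] = None  # None when no patched package exists yet


@dataclass(frozen=True)
class Waiver:
    """Security-team approved exception; always time-boxed so it cannot become permanent."""
    cve_id: str
    expires_on: date
    justification: str


@dataclass
class GateResult:
    passed: bool
    blocking: List[Finding] = field(default_factory=list)
    waived: List[Finding] = field(default_factory=list)
    expired_waivers: List[Waiver] = field(default_factory=list)


def evaluate_gate(findings: List[Finding], waivers: List[Waiver], today: date) -> GateResult:
    """Fail when any critical/high finding lacks an unexpired waiver; report expired waivers."""
    result = GateResult(passed=True)
    active: Dict[str, Waiver] = {}
    for w in waivers:
        if w.expires_on >= today:
            active[w.cve_id] = w
        else:
            result.expired_waivers.append(w)  # an expired waiver no longer suppresses anything
    for f in findings:
        if f.severity.lower() not in BLOCKING_SEVERITIES:
            continue  # medium/low stay in the scanner report but do not fail the build
        (result.waived if f.cve_id in active else result.blocking).append(f)
    result.passed = not result.blocking
    return result


def format_report(result: GateResult) -> List[str]:
    """Lines for the pipeline log; ##vso[task.logissue] makes Azure DevOps surface them as issues."""
    lines = []
    for f in result.blocking:
        fix = f"upgrade {f.package} to {f.fixed_version}" if f.fixed_version else "no fix available"
        lines.append(f"##vso[task.logissue type=error]{f.cve_id} ({f.severity}) in {f.package}: {fix}")
    for f in result.waived:
        lines.append(f"##vso[task.logissue type=warning]{f.cve_id} waived")
    for w in result.expired_waivers:
        lines.append(f"##vso[task.logissue type=warning]waiver for {w.cve_id} expired {w.expires_on}")
    lines.append("gate: " + ("PASS" if result.passed else "FAIL"))
    return lines


# Constructed scan output and exceptions (placeholders, not real CVEs or versions).
SAMPLE_FINDINGS = [
    Finding("CVE-PLACEHOLDER-0001", "Critical", "libexample", "2.0.1"),
    Finding("CVE-PLACEHOLDER-0002", "High", "toolexample", None),
    Finding("CVE-PLACEHOLDER-0003", "Medium", "zexample", "1.3.1"),
]
SAMPLE_WAIVERS = [
    Waiver("CVE-PLACEHOLDER-0002", date(2099, 1, 1), "no fix available; component not network-reachable"),
    Waiver("CVE-PLACEHOLDER-0001", date(2020, 1, 1), "expired waiver from an earlier sprint"),
]
EVALUATION_DATE = date(2025, 1, 1)  # fixed so the sample run is reproducible


def gate_sample() -> GateResult:
    return evaluate_gate(SAMPLE_FINDINGS, SAMPLE_WAIVERS, EVALUATION_DATE)


if __name__ == "__main__":
    print("\n".join(format_report(gate_sample())))
```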
PV-4 | Audit and enforce secure configurations for compute resources | Parent | Monitor and enforce compliance

Azure Policy:
- Guest Configuration extension should be installed on your machines
- Linux machines should meet requirements for the Azure compute security baseline
- Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
- Windows machines should meet requirements of the Azure compute security baseline
- [Preview]: Azure Stack HCI servers should have consistently enforced application control policies
- [Preview]: Azure Stack HCI servers should meet Secured-core requirements
- [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines
- [Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets
- [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines
- [Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets
- [Preview]: Linux virtual machines should use only signed and trusted boot components
- [Preview]: Secure Boot should be enabled on supported Windows virtual machines
- [Preview]: vTPM should be enabled on supported virtual machines

Description: Continuously monitor and alert on configuration deviations from defined baselines in compute resources. Enforce desired configurations through automated remediation that prevents non-compliant configurations or automatically applies corrective measures to maintain security posture.

Risk: Compute resource configurations drift from security baselines through normal operations, creating vulnerabilities that accumulate over time. Without continuous monitoring and enforcement:
- Configuration drift on critical systems: Production systems gradually deviate from secure baselines through legitimate changes, emergency modifications, and incremental updates, weakening security posture without triggering alerts.
- Patch management gaps: Missing security updates leave compute resources vulnerable to known exploits while organizations believe systems are current.
- Service sprawl vulnerabilities: New services and applications installed on compute resources introduce security weaknesses that bypass baseline security controls.
- Container runtime security drift: Container orchestration platforms allow runtime modifications that can weaken security policies and expose underlying infrastructure.
- Compliance verification gaps: Without continuous monitoring, compute resources fall out of compliance with regulatory requirements between periodic audits.
Configuration drift in compute resources provides attackers with evolving opportunities for exploitation as security controls weaken over time.

MITRE ATT&CK mapping:
- Privilege Escalation (TA0004): exploitation for privilege escalation (T1068) targeting systems with configuration drift allowing elevated access.
- Defense Evasion (TA0005): impair defenses (T1562) leveraging configuration changes that weakened security controls.
- Persistence (TA0003): modify authentication process (T1556) exploiting authentication configuration drift to maintain persistent access.
- Discovery (TA0007): system information discovery (T1082) gathering information from misconfigured systems to identify attack opportunities.

Case study: A financial technology company implemented comprehensive compute configuration monitoring across trading systems and customer-facing applications supporting real-time financial transactions and sensitive financial data processing.

Challenge: The company experienced configuration drift incidents affecting trading systems, with detection taking days and manual remediation taking hours, creating compliance risks and potential security compromises in systems processing real-time financial transactions for millions of customers.

Solution approach:
Deploy comprehensive configuration monitoring:
- Enable Microsoft Defender for Cloud across all compute resources:
  - Continuous assessment of VM security configurations against CIS benchmarks
  - Container security posture evaluation for Kubernetes clusters
  - Security recommendation prioritization based on risk assessment
  - Integration with Microsoft Sentinel for centralized security monitoring
- Implement Azure Machine Configuration:
  - Windows and Linux baseline compliance monitoring for 500+ VMs
  - Custom policies enforcing financial services security requirements
  - Automated remediation of common configuration drift scenarios
  - Compliance reporting for regulatory audit preparation
Establish automated remediation workflows:
- Configure Azure Automation State Configuration:
  - PowerShell DSC configurations maintaining trading system security requirements
  - Automated correction of security-related configuration drift within 5 minutes
  - Exception handling for legitimate configuration variations during maintenance
  - Compliance validation ensuring remediation actions complete successfully
- Deploy Change Tracking and Inventory monitoring:
  - Real-time detection of unauthorized software installations
  - Monitoring of security-critical file and registry changes
  - Alert generation for configuration changes outside maintenance windows
  - Integration with change management processes for approved modifications
Implement container security monitoring:
- Enable Microsoft Defender for Containers across AKS clusters:
  - Runtime security monitoring detecting suspicious container behavior
  - Image vulnerability assessment for all deployed container images
  - Kubernetes cluster configuration assessment against security best practices
  - Network traffic analysis identifying unusual communication patterns
- Enforce AKS security policies through Azure Policy for Kubernetes:
  - Azure Policy built-in definitions enforcing the pod security baseline (no privileged containers)
  - Azure Policy add-on for AKS using Gatekeep

Priority: Must have

Compliance mapping: NIST SP 800-53 CM-3, CM-6, CM-6(1), SI-2, SI-2(2); PCI DSS 2.2.2, 2.2.7, 11.3.1, 11.3.2; CIS Controls 4.1, 4.2, 4.7, 18.5; NIST CSF DE.CM-7, DE.CM-8, PR.IP-1; ISO/IEC 27001 A.8.9, A.8.19, A.8.34; SOC 2 CC6.1, CC6.6, CC7.1, CC7.2
| PV-4 |
PV-4.1 |
Implement compute configuration monitoring |
Child |
Monitor and enforce compliance |
Guest Configuration extension should be installed on your machines |
Continuously monitor and alert on configuration deviations from defined baselines in compute resources. Enforce desired configurations through automated remediation that prevents non-compliant configurations or automatically applies corrective measures to maintain security posture. |
nan |
nan |
Compute resource configurations change frequently through patch installations, application updates, and administrative modifications, creating opportunities for security control degradation that attackers exploit to establish footholds in cloud environments. Continuous compute configuration monitoring detects security weaknesses and unauthorized changes before adversaries can exploit misconfigurations for privilege escalation or lateral movement. Automated configuration assessment and remediation maintains compute security posture while preventing configuration drift across virtual machine and container deployments. Maintain compute security through continuous configuration assessment and enforcement: Continuously assess compute security configurations:UseMicrosoft Defender for Cloudto continuously assess compute resource security configurations against industry benchmarks and best practices.Implement ongoing compliance monitoring:DeployAzure Machine Configurationfor ongoing compliance monitoring and automated remediation of configuration drift.Maintain desired configuration state:UseAzure Automation State Configurationto maintain desired configuration state across compute resources with automated correction capabilities.Monitor configuration changes:ImplementChange Tracking and Inventoryto monitor configuration changes across compute resources and detect unauthorized modifications.Enable container security posture monitoring:DeployMicrosoft Defender for Containersfor contain |
Linux machines should meet requirements for the Azure compute security baseline |
Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity |
Windows machines should meet requirements of the Azure compute security baseline |
[Preview]: Azure Stack HCI servers should have consistently enforced application control policies |
[Preview]: Azure Stack HCI servers should meet Secured-core requirements |
[Preview]: Guest Attestation extension should be installed on supported Linux virtual machines |
[Preview]: Guest Attestation extension should be installed on supported Linux virtual machines scale sets |
[Preview]: Guest Attestation extension should be installed on supported Windows virtual machines |
[Preview]: Guest Attestation extension should be installed on supported Windows virtual machines scale sets |
[Preview]: Linux virtual machines should use only signed and trusted boot components |
[Preview]: Secure Boot should be enabled on supported Windows virtual machines |
[Preview]: vTPM should be enabled on supported virtual machines |
| PV-5 |
Perform vulnerability assessments |
Parent |
Remediate using risk-based prioritization |
A vulnerability assessment solution should be enabled on your virtual machines |
Perform comprehensive vulnerability assessments across all cloud resources on a scheduled basis and on-demand. Track and compare scan results to verify remediation effectiveness. Include assessment of infrastructure vulnerabilities, application weaknesses, configuration issues, and network exposures while securing administrative access used for scanning activities. |
Unidentified vulnerabilities across cloud infrastructure provide attackers with numerous exploitation opportunities. |
Initial Access (TA0001): exploit public-facing application (T1190) leveraging unpatched vulnerabilities in web applications and services. |
A healthcare services company implemented comprehensive vulnerability assessment across cloud infrastructure supporting patient care systems, medical device integration, and health information exchanges serving 500+ healthcare facilities. |
Should have |
RA-3, RA-5, RA-5(1), RA-5(2), RA-5(5) |
6.3.1, 6.3.2, 11.3.1, 11.3.2 |
7.1, 7.2, 7.5, 7.7 |
DE.CM-8, ID.RA-1 |
A.5.14, A.8.8 |
CC7.1, CC7.2 |
Machines should have secret findings resolved |
Vulnerability assessment should be enabled on SQL Managed Instance |
Vulnerability assessment should be enabled on your SQL servers |
Without comprehensive vulnerability assessment:
Unknown vulnerability exposure: Systems contain security weaknesses that remain undetected until exploited, providing attackers with established footholds that bypass security controls.
Outdated vulnerability databases: Security teams lack current knowledge of emerging threats and newly discovered vulnerabilities affecting their infrastructure.
Multi-layer blind spots: Traditional network-focused scanning misses vulnerabilities in cloud services, container images, serverless functions, and managed services.
Configuration-based vulnerabilities: Misconfigurations and policy weaknesses escape detection by traditional vulnerability scanners focused on software flaws.
Privileged access risks: Administrative accounts used for vulnerability scanning create additional attack vectors if not properly secured and monitored.
Assessment coverage gaps: Incomplete scanning leaves portions of infrastructure unassessed, creating safe havens for attacker operations.
Remediation tracking failures: Without systematic vulnerability tracking, organization |
Privilege Escalation (TA0004): exploitation for privilege escalation (T1068) targeting known vulnerabilities in operating systems and applications. |
Lateral Movement (TA0008): exploitation of remote services (T1210) using vulnerabilities to move between systems and networks. |
Defense Evasion (TA0005): exploitation for defense evasion (T1211) leveraging vulnerabilities to disable or bypass security controls. |
Challenge: Healthcare services company lacked comprehensive vulnerability assessment capabilities, with critical vulnerabilities remaining undetected for weeks and manual vulnerability management processes resulting in low remediation rates that created compliance risks across 500+ healthcare facilities processing sensitive patient data. |
Solution approach:
Deploy integrated vulnerability scanning:
Enable Microsoft Defender for Cloud integrated vulnerability scanning:
Agentless scanning for Azure VMs using Microsoft Defender for Cloud with the built-in Microsoft Defender Vulnerability Management scanner (the earlier Qualys-based integrated scanner has been retired)
Microsoft Defender for Containers vulnerability scanning, powered by Microsoft Defender Vulnerability Management, for 300+ Azure Container Registry images
Microsoft Defender for SQL vulnerability assessment with automatic baseline creation
Continuous export of Microsoft Defender for Cloud recommendations to a Log Analytics workspace (SecurityRecommendation table) for Microsoft Sentinel
Implement Microsoft Defender for Cloud continuous assessment:
Configure automated vulnerability detection and prioritization:
Risk-based vulnerability prioritization considering asset criticality and exposure
Integration with Exploit Prediction Scoring System (EPSS) scores natively available in Microsoft Defender Vulnerability Management for exploit likelihood data
Correlation with threat intelligence feeds to identify actively exploited vulnerabilities (using Microsoft Defender Threat Intelligence priority scoring and exploit tracking)
Integration with asset inventory for context-aware vulnerability assessment
Real-time attack campaign context through Microsoft Defender Threat Intelligence articles and breach insights
Business impact assessment for vulnerabilities affecting patient care systems
Establish vulnerability management workflows:
Automate vulnerability remediation workflows with Azure Logic Apps:
Azure DevOps REST API integration creating work items from SecurityRecommendation KQL queries
Azure Automation runbooks triggering Azure Update Manager patch deployments for critical CVEs
Microsoft Defender for Cloud workflow automation sending vulnerability data to Azure DevOps
Azure Policy remediation tasks deploying security configurations addressing misconfigurations
Implement governance with Microsoft Defender for Cloud secure score:
Azure Monitor workbooks visualizing vulnerability trends from |
| PV-5 |
PV-5.1 |
Implement comprehensive vulnerability assessment |
Child |
Remediate using risk-based prioritization |
A vulnerability assessment solution should be enabled on your virtual machines |
Perform comprehensive vulnerability assessments across all cloud resources on a scheduled basis and on-demand. Track and compare scan results to verify remediation effectiveness. Include assessment of infrastructure vulnerabilities, application weaknesses, configuration issues, and network exposures while securing administrative access used for scanning activities. |
Organizations lacking comprehensive vulnerability visibility operate with unknown security weaknesses that attackers identify and exploit before security teams discover them, with critical vulnerabilities remaining undetected across compute resources, containers, and databases. Continuous vulnerability assessment provides complete visibility into security weaknesses across all cloud resources, enabling proactive remediation before adversaries exploit vulnerabilities for initial access or privilege escalation. Multi-layered scanning combined with exposure management delivers risk-based prioritization that focuses remediation efforts on vulnerabilities most likely to enable successful attacks.
Identify and prioritize security weaknesses through comprehensive vulnerability assessment:
Enable comprehensive vulnerability assessment: Deploy Microsoft Defender for Cloud vulnerability assessment for virtual machines, containers, and SQL databases to identify security weaknesses across all resource types.
Use integrated vulnerability scanning: Implement the built-in vulnerability scanner (Microsoft Defender Vulnerability Management) for comprehensive VM assessment without requiring additional agent deployment or licensing. Agentless scanning works from periodic disk snapshots rather than the live system, so confirm the scan cadence meets your detection SLA and use the agent-based scanner where you need runtime findings.
Integrate exposure management: Use Microsoft Security Exposure Management to identify attack paths and prioritize vulnerabilities based on asset criticality and potential blast radius for risk-based remediation.
Implement database vulnerability assessment: Deploy SQL vulnerability assessment for database security evaluation and c |
Machines should have secret findings resolved |
Vulnerability assessment should be enabled on SQL Managed Instance |
Vulnerability assessment should be enabled on your SQL servers |
| PV-6 |
Rapidly and automatically remediate vulnerabilities |
Parent |
Remediate using risk-based prioritization |
Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) |
Rapidly and automatically deploy patches and updates to remediate vulnerabilities using risk-based prioritization that addresses the most severe vulnerabilities in highest-value assets first. Implement automated patching capabilities that balance security requirements with operational stability. |
Slow vulnerability remediation extends the window of exposure, allowing attackers to exploit known weaknesses before patches are applied. |
Initial Access (TA0001): exploit public-facing application (T1190) targeting known vulnerabilities during extended remediation windows. |
A global e-commerce platform implemented automated vulnerability remediation across cloud infrastructure supporting online retail operations and customer data processing serving 10+ million customers worldwide. |
Should have |
SI-2, SI-2(1), SI-2(2), SI-2(5), RA-5 |
6.3.3, 6.4.3, 11.3.1 |
7.2, 7.3, 7.4, 7.5, 7.7 |
PR.IP-12, RS.MI-3 |
A.8.8, A.5.14 |
CC7.1, CC7.2, CC8.1 |
Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) |
Machines should be configured to periodically check for missing system updates |
SQL databases should have vulnerability findings resolved |
SQL servers on machines should have vulnerability findings resolved |
System updates should be installed on your machines (powered by Update Center) |
Without rapid remediation capabilities:
Extended exposure windows: Critical vulnerabilities remain exploitable for days or weeks while manual patching processes progress, providing ample time for attackers to develop and deploy exploits.
Patch management delays: Complex approval workflows and testing requirements delay security updates, leaving systems vulnerable during extended remediation cycles.
Scale amplification: Cloud environments with hundreds or thousands of resources require automated patching to achieve timely remediation; manual processes cannot scale effectively.
Business disruption risks: Fear of system downtime delays patching decisions, leaving vulnerabilities unaddressed while organizations debate operational impact.
Third-party software gaps: Applications and middleware not covered by operating system patching remain vulnerable longer due to complex update procedures.
Inconsistent prioritization: Without risk-based remediation prioritization, critical vulnerabilities affecting high-value assets may not receive appropriate attention.
Remediati |
Privilege Escalation (TA0004): exploitation for privilege escalation (T1068) leveraging unpatched local vulnerabilities. |
Lateral Movement (TA0008): exploitation of remote services (T1210) using known vulnerabilities to spread between systems. |
Challenge: Global e-commerce platform experienced lengthy mean time to patch (14 days for critical vulnerabilities), high security incident volume related to unpatched vulnerabilities, and compliance audit findings related to inadequate patch management processes across 2,000+ VMs supporting online retail operations. |
Solution approach:
Deploy automated patch management infrastructure:
Deploy Azure Update Manager with automatic VM assessment and patching:
Azure Update Manager periodic assessment enabled on 2,000+ Azure VMs and Arc-enabled servers
Maintenance configurations with dynamic scoping using Azure Resource Graph queries
Pre/post-patching Azure Automation runbooks for application stop/start orchestration, wired to the maintenance configuration's pre and post events
Azure Policy deployIfNotExists enforcing update assessments across all subscriptions
Configure EPSS-based prioritization using Microsoft Defender Vulnerability Management:
Azure Resource Graph queries joining patchassessmentresources (Azure Update Manager assessment data) with securityresources (Microsoft Defender for Cloud assessments) for vulnerability-to-patch correlation
Azure Monitor alert rules triggering on critical CVEs with EPSS scores > 0.7
Azure Update Manager scheduled patching with priority classifications (Critical/Important/Moderate)
Azure Resource Graph queries identifying internet-facing VMs for expedited patching
Establish automated remediation workflows:
Automate remediation with Azure Logic Apps and Microsoft Defender integration:
Azure Logic Apps workflows triggered by Microsoft Defender for Cloud vulnerability alerts
Microsoft Defender Vulnerability Management API queries correlating CVEs with the updates that remediate them
Azure Automation runbooks invoking Invoke-AzVMInstallPatch for emergency, out-of-band patch installation
Microsoft Defender Vulnerability Management API for exposure scoring
Implement compensating controls for delayed patching: |
| PV-6 |
PV-6.1 |
Implement automated vulnerability remediation |
Child |
Remediate using risk-based prioritization |
Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) |
Rapidly and automatically deploy patches and updates to remediate vulnerabilities using risk-based prioritization that addresses the most severe vulnerabilities in highest-value assets first. Implement automated patching capabilities that balance security requirements with operational stability. |
Manual patch management creates lengthy vulnerability exposure windows during which attackers exploit known vulnerabilities before security teams complete remediation processes across large-scale environments. Automated vulnerability remediation reduces mean time to patch from weeks to hours, preventing adversaries from exploiting publicly disclosed vulnerabilities during extended exposure periods. Risk-based prioritization ensures critical vulnerabilities receive immediate attention while automated patching maintains consistent security hygiene across all compute resources.
Accelerate vulnerability remediation through automation and risk-based prioritization:
Implement automated patch management: Deploy Azure Update Manager for automated patching of Windows and Linux virtual machines across Azure VMs and Arc-enabled servers with centralized management capabilities.
Configure maintenance windows: Set up update settings with maintenance windows aligned to business requirements to minimize impact on production workloads. An Azure VM only honors a maintenance configuration when its patch orchestration is set to Customer Managed Schedules, so check that setting before assuming a scheduled window covers a machine.
Enable zero-downtime patching: Use Hotpatching on supported Windows Server editions such as Windows Server 2025 to install security updates without requiring system reboots, reducing downtime and exposure windows. Hotpatch covers Windows security updates only, and the periodic baseline updates still require a reboot, so those months need a conventional patch window.
Establish risk-based prioritization: Prioritize vulnerability remediation considering vulnerability severity, asset criticality, and exposure level to focus on highest-risk issues first. |
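Risk-based prioritization as described for PV-5.1 (exposure management, asset criticality, blast radius) and for PV-6.1 above, as an added example in Python that is not code from the page or from Microsoft: it scores constructed findings by CVSS severity, EPSS exploit likelihood, known exploitation, internet exposure and asset criticality, assigns each a remediation tier with a patch deadline, and groups resources into patch waves that could feed separate maintenance configurations. The CVE-style identifiers (year 0000, deliberately not real), weights, thresholds and SLA days are constructed assumptions, not values from any Microsoft product.

```python
"""Risk-based vulnerability prioritization feeding patch scheduling.

Added example, not code from the page or from Microsoft. Ranks findings by a
risk score combining CVSS severity, EPSS exploit likelihood, known
exploitation, internet exposure and asset criticality, then maps each finding
to a remediation tier with a patch deadline. Findings, CVE-style identifiers
(year 0000, not real CVEs), weights and SLA thresholds are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Finding:
    resource: str
    cve: str
    cvss: float            # base severity, 0.0-10.0
    epss: float            # EPSS probability of exploitation in the next 30 days, 0.0-1.0
    known_exploited: bool  # confirmed in-the-wild exploitation (KEV listing or threat intel)
    internet_facing: bool  # reachable from the internet (public IP / load balancer)
    criticality: str       # business criticality of the asset


CRITICALITY_WEIGHT = {"critical": 1.0, "high": 0.8, "medium": 0.5, "low": 0.3}
TIER_SLA_DAYS = {"P1": 1, "P2": 7, "P3": 30, "P4": 90}   # assumed remediation SLAs
EXAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock for reproducible output


def risk_score(f: Finding) -> float:
    """Score 0-100. Exploitability, exposure and criticality multiply the base
    severity instead of adding to it, so an isolated low-value host with a
    critical CVSS ranks below an internet-facing host with a lower CVSS that
    is actively exploited."""
    severity = f.cvss / 10.0
    exploitability = 1.0 if f.known_exploited else f.epss
    exposure = 1.0 if f.internet_facing else 0.5
    criticality = CRITICALITY_WEIGHT[f.criticality]
    return round(100 * severity * (0.3 + 0.7 * exploitability) * exposure * (0.5 + 0.5 * criticality), 1)


def tier(f: Finding, score: float) -> str:
    """Map a finding to a remediation tier. Hard rules override the score so
    that known-exploited reachable bugs and critical CVSS are never deferred
    simply because the weighted score came out low."""
    if f.known_exploited and f.internet_facing:
        return "P1"                                      # emergency, out-of-band patch
    if score >= 60 or (f.epss > 0.7 and f.cvss >= 7.0):
        return "P2"                                      # next maintenance window
    if score >= 25 or f.cvss >= 9.0:
        return "P3"
    return "P4"


def prioritize(findings: list, now: Optional[datetime] = None) -> list:
    """Return findings ordered by descending risk with tier and patch deadline."""
    now = now or datetime.now(timezone.utc)
    ranked = sorted(findings, key=risk_score, reverse=True)
    result = []
    for f in ranked:
        s = risk_score(f)
        t = tier(f, s)
        result.append({
            "resource": f.resource, "cve": f.cve, "score": s, "tier": t,
            "due": (now + timedelta(days=TIER_SLA_DAYS[t])).date().isoformat(),
        })
    return result


def patch_waves(prioritized: list) -> dict:
    """Group resources by tier, e.g. to feed separate maintenance configurations."""
    waves = {t: [] for t in TIER_SLA_DAYS}
    for item in prioritized:
        if item["resource"] not in waves[item["tier"]]:
            waves[item["tier"]].append(item["resource"])
    return waves


# Constructed sample findings (not real vulnerabilities or assets).
SAMPLE = [
    Finding("vm-db-01", "CVE-0000-0002", 9.8, 0.05, False, False, "critical"),
    Finding("vm-dev-07", "CVE-0000-0003", 5.3, 0.01, False, False, "low"),
    Finding("vm-web-01", "CVE-0000-0001", 7.5, 0.92, True, True, "high"),
    Finding("vm-api-02", "CVE-0000-0004", 8.1, 0.85, False, True, "medium"),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE, now=EXAMPLE_NOW):
        print(f"{row['tier']} {row['score']:5.1f} {row['resource']:10} {row['cve']} due {row['due']}")
    print(patch_waves(prioritize(SAMPLE, now=EXAMPLE_NOW)))
```

The hard rules in tier() matter more than the weights: a known-exploited bug on an internet-facing host is P1 regardless of score, and a critical CVSS never drops below P3, so an unlucky weighting cannot quietly defer the cases an attacker would try first. In the sample, the internet-facing 7.5 with active exploitation outranks the isolated 9.8 on the database, which is the behaviour risk-based prioritization is meant to produce. Replace SAMPLE with findings pulled from Microsoft Defender Vulnerability Management, which reports CVSS and EPSS per CVE, and tag exposure and criticality from your own inventory.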
Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management) |
Machines should be configured to periodically check for missing system updates |
SQL databases should have vulnerability findings resolved |
SQL servers on machines should have vulnerability findings resolved |
System updates should be installed on your machines (powered by Update Center) |
| PV-7 |
Conduct regular red team operations |
Parent |
Remediate using risk-based prioritization |
No Azure Policy available |
Simulate real-world attacks through red team operations and penetration testing to provide comprehensive security validation. Follow industry best practices to design, prepare, and conduct testing safely while ensuring comprehensive scope and stakeholder coordination. |
Traditional vulnerability assessment and penetration testing may miss sophisticated attack techniques and complex attack chains that real adversaries employ. |
Reconnaissance (TA0043): active scanning (T1595) and gathering victim information (T1589) to identify attack opportunities and plan targeted operations. |
A financial services organization implemented comprehensive red team operations across cloud infrastructure supporting investment banking, trading systems, and customer wealth management platforms processing billions in daily transactions. |
Nice to have |
CA-8, CA-8(1), CA-8(2) |
11.4.1, 11.4.2, 11.4.6 |
15.1, 18.1, 18.2, 18.3, 18.5 |
DE.DP-4, ID.RA-10 |
A.5.7, A.8.29 |
CC7.3, CC7.4 |
Without comprehensive adversarial testing:
Blind spots in security controls: Automated security tools and standard penetration tests fail to identify weaknesses that skilled attackers exploit through creative combinations of legitimate features and minor vulnerabilities.
False security confidence: Organizations believing their security posture is strong based on compliance checkboxes and standard testing may be vulnerable to advanced persistent threats and targeted attacks.
Human factor vulnerabilities: Security awareness training and technical controls may be insufficient against sophisticated social engineering and human manipulation techniques.
Complex attack chain gaps: Multi-stage attacks combining physical access, social engineering, technical exploitation, and persistence techniques escape detection by siloed security testing.
Incident response weaknesses: Security teams may lack experience detecting and responding to sophisticated attacks, leading to delayed discovery and inadequate containment.
Purple team collaboration gaps: Di |
Initial Access (TA0001): phishing (T1566) and exploit public-facing application (T1190) testing organizational susceptibility to social engineering and technical exploitation. |
Persistence (TA0003): valid accounts (T1078) and create account (T1136) simulating adversary establishment of long-term access. |
Lateral Movement (TA0008): remote services (T1021) and internal spearphishing (T1534) testing detection of adversary movement across environment. |
Challenge: Financial services organization lacked realistic security testing capabilities with automated tools missing critical security gaps, limited visibility into sophisticated attack detection capabilities, and difficulty demonstrating security validation effectiveness to regulators examining investment banking and wealth management security controls. |
Solution approach:
Establish Microsoft-aligned red team testing program:
Implement testing following Microsoft Cloud Red Teaming methodology:
Quarterly exercises using the Microsoft Enterprise Cloud Red Teaming attack simulation framework
Annual assessments combining identity attack simulations against Microsoft Entra ID with Microsoft Sentinel analytics
Threat intelligence from Microsoft Defender Threat Intelligence informing attack scenarios
Purple team exercises using Microsoft Defender for Cloud attack path analysis findings
Configure testing environment with Azure safeguards:
Azure Resource Manager locks preventing production resource deletion during testing
Azure Policy deny effects blocking deployment of dangerous configurations in production
Microsoft Defender for Cloud just-in-time VM access limiting red team lateral movement scope
Azure Monitor action groups providing real-time alerts on testing activities exceeding boundaries
Execute Azure-focused attack simulation:
Simulate cloud-specific attack scenarios:
Microsoft 365 phishing attack simulation using Microsoft Defender for Office 365 attack simulation training campaigns
Azure App Service exploitation testing web application firewall effectiveness
Azure Resource Manager API abuse testing Azure Policy and RBAC controls
Azure DevOps pipeline compromise simulating supply chain attacks on CI/CD infrastructure
Test Microsoft Entra ID and identity security controls:
Microsoft Entra Privileged Identity Management (PIM) elevation path exploitation
Microsoft Entra Conditional Access policy bypass attempts using device compliance gaps
Microsoft Entra authentication protocol testing for MFA bypass and token theft
Azure Key Vault secret exfiltration attempts validating access policies and logging |
| PV-7 |
PV-7.1 |
Implement comprehensive adversarial testing |
Child |
Remediate using risk-based prioritization |
No Azure Policy available |
Simulate real-world attacks through red team operations and penetration testing to provide comprehensive security validation. Follow industry best practices to design, prepare, and conduct testing safely while ensuring comprehensive scope and stakeholder coordination. |
Organizations relying solely on automated vulnerability scanning and compliance assessments fail to validate whether security controls prevent sophisticated adversary techniques used in real-world attacks. Adversarial testing simulates actual attack scenarios to identify security control gaps, detection blind spots, and incident response weaknesses that automated tools cannot discover. Regular red team operations provide realistic security validation while ensuring security investments effectively prevent, detect, and respond to advanced persistent threats.
Validate security effectiveness through realistic adversarial testing:
Follow Microsoft penetration testing rules: Adhere to the Microsoft Cloud Penetration Testing Rules of Engagement for cloud-based testing activities to ensure authorized and safe testing procedures. Microsoft does not require advance notification for penetration tests against your own Azure resources, but the rules still limit testing to assets you own (never other tenants or Microsoft-managed infrastructure) and prohibit denial-of-service testing.
Reference Azure testing guidance: Follow Azure penetration testing guidance for authorized testing procedures and coordination requirements with Microsoft.
Use Microsoft red teaming methodology: Apply the Microsoft Cloud Red Teaming methodology for comprehensive attack simulation aligned with real-world adversary techniques.
Coordinate testing scope: Establish testing scope and constraints with relevant stakeholders and resource owners to ensure business continuity and minimize unintended impacts. Record the in-scope assets, permitted techniques, a stop-test contact and an abort procedure before the engagement starts, and decide explicitly whether the SOC is told the window or kept unaware as a detection test. |