Microsoft Azure provides a wide range of compute services, organized based on workload types and categorized as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS). For incident response and forensic investigations, the focus is typically on virtual machines (VMs) and the related networking infrastructure.
-----------------------------------------------------------------------------------------------------------
Virtual Machines: Types and Applications
Azure offers various classes of virtual machines tailored for different workloads, all with specific performance characteristics. Here’s a breakdown of the most common VM types you'll encounter during an investigation:
Series A (Entry Level):
Use Case: Development workloads, low-traffic websites.
Examples: A1 v2, A2 v2.
Series B (Burstable):
Use Case: Low-cost VMs with the ability to "burst" to higher CPU performance when needed.
Examples: B1S, B2S.
Series D (General Purpose):
Use Case: Optimized for most production workloads.
Examples: D2as v4, D2s v4.
Series F (Compute Optimized):
Use Case: Compute-intensive workloads, such as batch processing.
Examples: F1, F2s v2.
Series E, G, and M (Memory Optimized):
Use Case: Memory-heavy applications like databases.
Examples: E2a v4, M8ms.
Series L (Storage Optimized):
Use Case: High throughput and low-latency applications.
Examples: L4s, L8s v2.
Series NC, NV, ND (GPU Optimized):
Use Case: Visualization, deep learning, and AI workloads.
Examples: NC6, NV12s.
Series H (High Performance Computing):
Use Case: Applications such as genomic research, financial modeling.
Examples: H8, HB120rs v2.
https://azure.microsoft.com/en-us/pricing/details/virtual-machines/windows/
https://azure.microsoft.com/en-us/pricing/details/virtual-machines/linux/
VM Storage: Managed Disks
Managed Disks in Azure operate similarly to physical disks but come with a few key distinctions relevant for incident response:
Types of Managed Disks:
Standard HDD: Lowest cost, for backups and data that is rarely read.
Standard SSD: Consistent performance at low cost; web servers, lightly used applications, dev/test.
Premium SSD: Production and performance-sensitive workloads.
Ultra Disk: Highest throughput and lowest latency for the most demanding applications, such as top-tier databases.
Each VM has an OS disk and optionally one or more data disks, all of them managed disks, plus a temporary disk: local scratch storage on the physical host that is not a managed disk, is not covered by snapshots, and is wiped when the VM is deallocated, redeployed or moved to another host. The usual forensic workflow is to snapshot the OS disk (and any data disks) of the compromised VM while it is still running, create a managed disk from that snapshot, and attach the copy to a separate analysis VM. Do not deallocate the suspect VM to take the snapshot: the snapshot is crash-consistent either way, and deallocating destroys the temporary disk and the contents of RAM.
Costs are associated with:
Disk type and size.
Snapshot size (critical for investigations).
Outbound data transfers (when retrieving forensic data).
I/O operations (transaction costs).
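The snapshot-and-attach workflow above, as an added example that is not part of the original post. The resource group 'rg-incident', suspect VM 'web01', analysis VM 'forensics01' and the folder C:\evidence are assumed names; the cmdlets are the standard Az.Compute and Az.Resources ones, and the optional export step assumes azcopy v10 is on the PATH.

```powershell
# Added example (not from the original post): preserve the OS disk of a suspect VM and hand a working
# copy to an analysis VM. Names are assumptions: resource group 'rg-incident', suspect VM 'web01',
# analysis VM 'forensics01', evidence folder C:\evidence. Requires Az.Compute, Az.Resources, an
# authenticated session (Connect-AzAccount) and, for the export step, azcopy v10 on the PATH.
$rg = 'rg-incident'; $suspect = 'web01'; $analysis = 'forensics01'
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'

# 1. Snapshot the OS disk in place. Leave the VM running: deallocating it would wipe the temporary
#    disk and RAM. The snapshot is crash-consistent, the same as any image of a live machine.
$vm      = Get-AzVM -ResourceGroupName $rg -Name $suspect
$snapCfg = New-AzSnapshotConfig -SourceUri $vm.StorageProfile.OsDisk.ManagedDisk.Id -Location $vm.Location -CreateOption Copy -SkuName Standard_LRS
$snap    = New-AzSnapshot -ResourceGroupName $rg -SnapshotName "$suspect-os-$stamp" -Snapshot $snapCfg

# 2. Protect the snapshot from deletion (by mistake, or by the intruder) for the life of the case.
New-AzResourceLock -LockName 'evidence-hold' -LockLevel CanNotDelete -ResourceGroupName $rg `
    -ResourceName $snap.Name -ResourceType 'Microsoft.Compute/snapshots' -Force | Out-Null

# 3. Never work on the snapshot itself: create a managed disk from it and attach that copy to the
#    analysis VM. Pick a LUN that is free on the analysis VM.
$diskCfg  = New-AzDiskConfig -Location $snap.Location -CreateOption Copy -SourceResourceId $snap.Id -SkuName Standard_LRS
$evidence = New-AzDisk -ResourceGroupName $rg -DiskName "$suspect-os-$stamp-work" -Disk $diskCfg
$fvm      = Get-AzVM -ResourceGroupName $rg -Name $analysis
$fvm      = Add-AzVMDataDisk -VM $fvm -Name $evidence.Name -ManagedDiskId $evidence.Id -Lun 1 -CreateOption Attach
Update-AzVM -ResourceGroupName $rg -VM $fvm | Out-Null

# 4. Optional export for offline tools: short-lived read SAS on the snapshot, copy, hash, revoke.
#    This is where the outbound-transfer cost is incurred; the exported VHD is the full disk size.
$vhd = "C:\evidence\$suspect-os-$stamp.vhd"
$sas = Grant-AzSnapshotAccess -ResourceGroupName $rg -SnapshotName $snap.Name -Access Read -DurationInSecond 3600
azcopy copy $sas.AccessSAS $vhd
Revoke-AzSnapshotAccess -ResourceGroupName $rg -SnapshotName $snap.Name | Out-Null
Get-FileHash -Algorithm SHA256 $vhd | Export-Csv "$vhd.sha256.csv" -NoTypeInformation   # keep the hash with the case notes
```

Step 4 is the only one that moves data out of Azure, so it is the one to budget for; steps 1 to 3 keep everything inside the subscription and cost only snapshot and disk storage. Repeat step 1 for each data disk of the suspect VM if it has any.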
https://learn.microsoft.com/en-us/azure/virtual-machines/managed-disks-overview
https://learn.microsoft.com/en-us/azure/virtual-machines/disks-types
-----------------------------------------------------------------------------------------------------------
Azure Virtual Network (VNet): The Glue Behind Azure Resources
An Azure Virtual Network (VNet) allows Azure resources like VMs to communicate with each other and with external networks. During an incident response, it’s essential to understand the network topology to see how resources were connected, what traffic was allowed, and where vulnerabilities might have existed.
Key points about VNets:
Private Addressing: Each VNet has an address space you choose, normally from the RFC 1918 ranges (the portal's default is 10.0.0.0/16). Every NIC gets a private IP from its subnet, and that is the address you will see as source or destination in flow logs and in the VM's own logs.
Public IP Addresses: Needed when a resource must be reachable from the internet. They are separate, billable resources attached to a NIC, load balancer or gateway; the NIC keeps its private address behind the public one (1:1 NAT), so logs on the VM show the private IP while the attacker sees the public one.
On-Premises Connectivity:
Point-to-Site VPN: Connects individual computers to Azure.
Site-to-Site VPN: Connects an on-premises network to Azure.
Azure ExpressRoute: Private connections that bypass the internet.
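Working out the topology is the first thing to do, and the following added example (not from the original post) does it for one resource group: every NIC mapped to its VM, VNet, subnet, private and public IP, and the NSGs that apply at NIC and subnet level. The resource group name is an assumption; VNets and public IPs are read subscription-wide because they often live in a different group from the VMs.

```powershell
# Added example (not from the original post): map every NIC in a resource group to its VM, subnet,
# private and public IP, and the NSGs that apply at NIC and subnet level. The resource group name
# is an assumption; VNets and public IPs are read subscription-wide because they often live elsewhere.
# Requires Az.Network, Az.Compute and an authenticated session (Connect-AzAccount).
$rg = 'rg-incident'
$nics    = Get-AzNetworkInterface -ResourceGroupName $rg
$pips    = Get-AzPublicIpAddress
$subnets = Get-AzVirtualNetwork | ForEach-Object { $_.Subnets }

function Get-NameFromId ([string]$Id) { if ($Id) { ($Id -split '/')[-1] } else { '-' } }

$inventory = foreach ($nic in $nics) {
    foreach ($cfg in $nic.IpConfigurations) {
        $subnet = $subnets | Where-Object Id -eq $cfg.Subnet.Id
        $pip    = $pips    | Where-Object Id -eq $cfg.PublicIpAddress.Id
        [pscustomobject]@{
            Vm        = Get-NameFromId $nic.VirtualMachine.Id
            Nic       = $nic.Name
            Vnet      = ($subnet.Id -split '/')[-3]           # .../virtualNetworks/<vnet>/subnets/<subnet>
            Subnet    = "$($subnet.Name) $($subnet.AddressPrefix)"
            PrivateIp = $cfg.PrivateIpAddress
            PublicIp  = $pip.IpAddress                        # empty means no direct internet exposure on this NIC
            NicNsg    = Get-NameFromId $nic.NetworkSecurityGroup.Id
            SubnetNsg = Get-NameFromId $subnet.NetworkSecurityGroup.Id
        }
    }
}
$inventory | Sort-Object Vm | Format-Table -AutoSize

# Scoping starts here: NICs with a public IP are the ones an internet attacker could reach directly
$inventory | Where-Object { $_.PublicIp } | Format-Table Vm, PublicIp, PrivateIp, NicNsg, SubnetNsg -AutoSize
```

A NIC with a public IP and '-' in both NSG columns has nothing filtering it at all; one with an NSG only at subnet level is filtered, but by rules that may have been written for a different workload sharing that subnet.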
-----------------------------------------------------------------------------------------------------------
Network Security Groups (NSG): Traffic Control and Incident Response
NSG Overview: A Network Security Group is a list of allow and deny rules attached to a subnet, to a NIC, or to both. Nothing attaches one automatically; the portal creates one per VM by default when you build a VM through it, but resources deployed by template or CLI have only what the author gave them. An NSG filters traffic on several criteria:
Source/Destination IP: IP addresses from which the traffic originates or to which it is sent.
Source/Destination Port: The network ports involved in the connection.
Protocol: The communication protocol (e.g., TCP, UDP).
Rule Prioritization: NSG rules are processed in order of priority, lower numbers first, and the first rule that matches a flow decides it; nothing after it is consulted. Custom rules use priorities 100 to 4096. Azure's three default rules sit at 65000, 65001 and 65500 (for inbound: allow traffic from the virtual network, allow the Azure load balancer, deny everything else) and cannot be deleted, only overridden by a lower-numbered custom rule. NSGs are stateful: once a flow is allowed in one direction, its return traffic is allowed without a matching rule.
Incident Response Tip: Check rule ordering, not just rule presence. A common finding is an allow-all or "temporary" rule at a low priority number that shadows an explicit deny placed after it, so the deny never fires. Review the effective rules on the affected NIC (the portal's Effective security rules view, or Get-AzEffectiveNetworkSecurityGroup), because a subnet NSG and a NIC NSG both apply and inbound traffic has to be allowed by each of them in turn.
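The following added example (not from the original post) reproduces the first-match-by-priority evaluation on a constructed rule set, to make the shadowing problem concrete. The rule names and priorities are invented for the illustration, and the 'Internet' and 'VirtualNetwork' service tags are approximated as "not RFC 1918" and "RFC 1918" (Azure expands them to real address lists); the AzureLoadBalancer default rule is omitted for the same reason.

```powershell
# Added example (not from the original post): how the NSG engine decides a flow.
# Rules are evaluated in ascending Priority; the FIRST rule whose direction, protocol,
# source and destination port all match decides the flow, and every later match is dead.
# The rule set is constructed: rule 100 is the kind of "temporary" allow-all that quietly
# neutralises the explicit deny at 200.
$rules = @(
    [pscustomobject]@{ Name='AllowAnyInbound';     Priority=100;   Direction='Inbound'; Access='Allow'; Protocol='*';   SourceAddressPrefix='*';              DestinationPortRange='*'    }
    [pscustomobject]@{ Name='DenyRdpFromInternet'; Priority=200;   Direction='Inbound'; Access='Deny';  Protocol='Tcp'; SourceAddressPrefix='Internet';       DestinationPortRange='3389' }
    [pscustomobject]@{ Name='AllowHttpsFromLb';    Priority=300;   Direction='Inbound'; Access='Allow'; Protocol='Tcp'; SourceAddressPrefix='10.0.2.0/24';    DestinationPortRange='443'  }
    # Azure's own default rules (the AzureLoadBalancer rule at 65001 is left out: its tag is not modelled here)
    [pscustomobject]@{ Name='AllowVnetInBound';    Priority=65000; Direction='Inbound'; Access='Allow'; Protocol='*';   SourceAddressPrefix='VirtualNetwork'; DestinationPortRange='*'    }
    [pscustomobject]@{ Name='DenyAllInBound';      Priority=65500; Direction='Inbound'; Access='Deny';  Protocol='*';   SourceAddressPrefix='*';              DestinationPortRange='*'    }
)

function ConvertTo-IpNumber ([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()   # IPv4 only in this example
    [Array]::Reverse($bytes)                                        # network order -> host order for BitConverter
    [long][BitConverter]::ToUInt32($bytes, 0)
}
function Test-IpInCidr ([string]$Ip, [string]$Cidr) {
    $net, $bits = $Cidr -split '/'
    if (-not $bits) { $bits = 32 }                                  # a bare address is a /32
    $mask = (-1L -shl (32 - [int]$bits)) -band [long][uint32]::MaxValue
    ((ConvertTo-IpNumber $Ip) -band $mask) -eq ((ConvertTo-IpNumber $net) -band $mask)
}
function Test-Rfc1918 ([string]$Ip) {
    (Test-IpInCidr $Ip '10.0.0.0/8') -or (Test-IpInCidr $Ip '172.16.0.0/12') -or (Test-IpInCidr $Ip '192.168.0.0/16')
}
function Test-SourceMatch ([string]$Ip, [string]$Prefix) {
    # Service tags are approximated here; Azure expands 'Internet' and 'VirtualNetwork' to real address lists.
    switch ($Prefix) {
        '*'              { return $true }
        'Internet'       { return (-not (Test-Rfc1918 $Ip)) }
        'VirtualNetwork' { return (Test-Rfc1918 $Ip) }
        default          { return (Test-IpInCidr $Ip $Prefix) }
    }
}
function Test-PortInRange ([int]$Port, [string]$Range) {
    if ($Range -eq '*') { return $true }
    if ($Range -match '^(\d+)-(\d+)$') { return ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) }
    return ($Port -eq [int]$Range)
}
function Get-NsgVerdict ($Rules, [string]$SourceIp, [int]$DestPort, [string]$Protocol, [string]$Direction = 'Inbound') {
    $winner = $null; $shadowed = @()
    foreach ($r in ($Rules | Sort-Object Priority)) {
        if ($r.Direction -ne $Direction) { continue }
        if ($r.Protocol -ne '*' -and $r.Protocol -ne $Protocol) { continue }
        if (-not (Test-SourceMatch $SourceIp $r.SourceAddressPrefix)) { continue }
        if (-not (Test-PortInRange $DestPort $r.DestinationPortRange)) { continue }
        if ($null -eq $winner) { $winner = $r } else { $shadowed += $r }   # later matches never fire
    }
    [pscustomobject]@{
        Flow     = "$SourceIp -> :$DestPort/$Protocol $Direction"
        Decision = $winner.Access
        Rule     = "$($winner.Name) ($($winner.Priority))"
        Shadowed = ($shadowed | ForEach-Object { "$($_.Name) ($($_.Priority), $($_.Access))" }) -join '; '
    }
}

# Internet -> RDP: the deny at 200 is reported as shadowed because 100 already allowed the flow.
Get-NsgVerdict $rules -SourceIp '203.0.113.5' -DestPort 3389 -Protocol 'Tcp'
# What the author of rule 200 expected to happen, shown by taking the allow-all away.
Get-NsgVerdict ($rules | Where-Object Name -ne 'AllowAnyInbound') -SourceIp '203.0.113.5' -DestPort 3389 -Protocol 'Tcp'
```

To run this against a real NSG, feed it the objects from (Get-AzNetworkSecurityGroup -Name <nsg> -ResourceGroupName <rg>).SecurityRules together with its DefaultSecurityRules; note that in those objects SourceAddressPrefix and DestinationPortRange are lists, not single strings, so each element has to be tested.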
Flow Logs: NSG flow logs, a Network Watcher feature, record every flow the NSG allowed or denied (the 5-tuple, direction, decision and, from schema version 2 onward, byte and packet counts) and write them as JSON to a storage account, collected at one-minute intervals. They are not on by default: they must be enabled per NSG before the incident, there is no way to recover flows from before that point, and the retention setting decides how far back you can look (0 means keep forever). At the time of writing the first 5 GB per month is free and further volume is charged at $0.50 per GB, plus storage charges. Azure is retiring NSG flow logs in favour of virtual network flow logs, so check which kind is enabled in the environment you are investigating.
Example: If an intrusion came in through an exposed port, the flow logs show the source addresses, ports, timing and volume of that traffic, and name the rule that permitted it, which is exactly the forensic data needed to scope the attack.
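The following added example (not from the original post) parses flow-log records in the schema version 2 layout and pulls out what an investigator looks for first: allowed inbound flows from outside private address space to administrative ports, the rule that let them in, and the byte counts per external source. The JSON is constructed to mirror the real PT1H.json layout; the subscription ID, NSG name, MAC address and IP addresses are placeholders.

```powershell
# Added example (not from the original post): parse NSG flow log records (schema version 2).
# The JSON is constructed to mirror the real PT1H.json layout; IDs and addresses are placeholders.
$sample = @'
{"records":[{"time":"2024-03-01T10:00:00.0000000Z","category":"NetworkSecurityGroupFlowEvent",
 "resourceId":"/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG-INCIDENT/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-WEB",
 "properties":{"Version":2,"flows":[
  {"rule":"UserRule_AllowAnyInbound","flows":[{"mac":"000D3AF87856","flowTuples":[
    "1709287200,203.0.113.5,10.0.1.4,51515,3389,T,I,A,B,,,,",
    "1709287260,203.0.113.5,10.0.1.4,51515,3389,T,I,A,E,120,15320,98,22411"]}]},
  {"rule":"DefaultRule_AllowVnetInBound","flows":[{"mac":"000D3AF87856","flowTuples":[
    "1709287210,10.0.1.5,10.0.1.4,40210,443,T,I,A,B,,,,"]}]},
  {"rule":"DefaultRule_DenyAllInBound","flows":[{"mac":"000D3AF87856","flowTuples":[
    "1709287220,198.51.100.7,10.0.1.4,23456,22,T,I,D,B,,,,"]}]}
 ]}}]}
'@

function ConvertFrom-NsgFlowLog ([string]$Json) {
    # Version 2 tuple: time,src,dst,srcPort,dstPort,proto,dir,decision,state,pktsSrc>Dst,bytesSrc>Dst,pktsDst>Src,bytesDst>Src
    $proto = @{ T = 'TCP'; U = 'UDP' }
    $dir   = @{ I = 'Inbound'; O = 'Outbound' }
    $dec   = @{ A = 'Allow'; D = 'Deny' }
    $state = @{ B = 'Begin'; C = 'Continuing'; E = 'End' }
    $doc = $Json | ConvertFrom-Json
    foreach ($rec in $doc.records) {
        foreach ($ruleBlock in $rec.properties.flows) {
            foreach ($flow in $ruleBlock.flows) {
                foreach ($tuple in $flow.flowTuples) {
                    $p = $tuple -split ','
                    [pscustomobject]@{
                        Time         = [DateTimeOffset]::FromUnixTimeSeconds([long]$p[0]).UtcDateTime
                        Nsg          = ($rec.resourceId -split '/')[-1]
                        Rule         = $ruleBlock.rule                 # the rule that decided the flow, as Azure names it
                        SrcIp        = $p[1];      DstIp   = $p[2]
                        SrcPort      = [int]$p[3]; DstPort = [int]$p[4]
                        Protocol     = $proto[$p[5]]
                        Direction    = $dir[$p[6]]
                        Decision     = $dec[$p[7]]
                        State        = $state[$p[8]]
                        BytesToDst   = if ($p[10]) { [long]$p[10] } else { 0 }   # counters are filled only on C and E records
                        BytesFromDst = if ($p[12]) { [long]$p[12] } else { 0 }
                    }
                }
            }
        }
    }
}

$flows      = ConvertFrom-NsgFlowLog $sample
$rfc1918    = '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)'
$adminPorts = 22, 3389, 5985, 5986

# Inbound flows ALLOWED from outside private space to an administrative port, with the rule that let them in
$flows | Where-Object { $_.Direction -eq 'Inbound' -and $_.Decision -eq 'Allow' -and
                        $_.DstPort -in $adminPorts -and $_.SrcIp -notmatch $rfc1918 } |
    Sort-Object Time | Format-Table Time, SrcIp, SrcPort, DstIp, DstPort, Protocol, Rule, State, BytesToDst, BytesFromDst -AutoSize

# Volume per external source: bytes from the VM back to a source that opened an admin session is what left the box
$flows | Where-Object { $_.SrcIp -notmatch $rfc1918 } | Group-Object SrcIp | ForEach-Object {
    [pscustomobject]@{ SrcIp = $_.Name; Flows = $_.Count
                       BytesToVm   = ($_.Group | Measure-Object BytesToDst -Sum).Sum
                       BytesFromVm = ($_.Group | Measure-Object BytesFromDst -Sum).Sum }
}

# Which rule decided what: a user-defined rule on the Allow side of this table is one to read closely
$flows | Group-Object Rule, Decision | Select-Object Count, Name
```

Real files live in the storage account under insights-logs-networksecuritygroupflowevent/resourceId=.../y=YYYY/m=MM/d=DD/h=HH/m=00/macAddress=.../PT1H.json; pass the content of one with ConvertFrom-NsgFlowLog (Get-Content $path -Raw). A flow's Begin record and its End record can fall into different hourly files, so always parse the whole window before summing bytes.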
-----------------------------------------------------------------------------------------------------------
Network Virtual Appliances (NVA): Advanced Network Security
Beyond NSGs, Azure offers native services for traffic management and deeper filtering; their logs are often the only place where layer-7 detail survives:
Azure Load Balancer: Distributes incoming traffic (layer 4) across multiple back-end resources; its front-end public IP is frequently what the attacker actually connected to.
Azure Firewall: A managed, stateful firewall with network rules and application rules (FQDN filtering, threat-intelligence-based blocking) and its own logs of allowed and denied traffic.
Application Gateway: A layer-7 (HTTP/HTTPS) load balancer whose optional Web Application Firewall (WAF) blocks common web attacks such as SQL injection and cross-site scripting (XSS) and logs each rule match.
VPN Gateway: Terminates site-to-site and point-to-site VPN connections between on-premises networks and Azure.
Many third-party Network Virtual Appliances are also available on the Azure Marketplace, such as firewalls, VPN servers and routers. When traffic is routed through one, its logs and configuration are part of the evidence, and the route tables that send traffic to it show what path packets actually took.
-----------------------------------------------------------------------------------------------------------
Azure Storage: Central to Forensics and Logging
Azure storage accounts are integral to how logs and other data are stored during investigations. Proper storage setup ensures data retention and availability for analysis.
Storage Services (all of them live inside a storage account):
Blob Storage: Scalable object storage for unstructured data, such as logs, disk images or multimedia.
File Storage: Managed SMB and NFS file shares.
Queue Storage: Message storage and retrieval for decoupled components.
Table Storage: NoSQL key-value store; Azure Cosmos DB offers a Table API with the same data model for workloads that outgrow it.
Blob Storage:Blobs (Binary Large Objects) are highly versatile and commonly used for storing large amounts of unstructured data, such as logs during forensic investigations. Blobs come in three types:
Block Blobs: For text and binary data uploaded in blocks; a single block blob can now be up to about 190 TiB (older service versions capped it at 4.75 TiB).
Append Blobs: Optimized for logging, where data is appended rather than overwritten.
Page Blobs: Used for random access data, like Virtual Hard Drive (VHD) files.
Direct Access and Data Transfers: With the appropriate permissions (the account key, a SAS token, or a Microsoft Entra ID role such as Storage Blob Data Reader), data in blob storage can be fetched over HTTPS from anywhere on the internet unless the account's network rules restrict it. For an evidence store, enforce HTTPS only (the "Secure transfer required" setting), disable anonymous blob access, and prefer time-limited SAS tokens or Entra ID over the account key. Azure provides tools like AzCopy and Azure Storage Explorer to move data in and out of blob storage.
Example: Investigators may need to download logs or snapshots stored in blobs for offline analysis. Using AzCopy or Azure Storage Explorer, these files can be easily transferred for examination.
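The following added example (not from the original post) does that retrieval with Az.Storage for one day of flow-log blobs and writes a hash manifest alongside the files for chain of custody. The storage account name and local folder are assumptions; the container name is the one Network Watcher creates for NSG flow logs, and the identity used needs the Storage Blob Data Reader role on the account.

```powershell
# Added example (not from the original post): fetch one day's NSG flow-log blobs from a storage
# account with Az.Storage and write a hash manifest. Account name and local folder are assumptions;
# the container name is the one Network Watcher creates. Needs an identity with Storage Blob Data
# Reader on the account (Connect-AzAccount first).
$account   = 'stincidentlogs'
$container = 'insights-logs-networksecuritygroupflowevent'
$day       = '/y=2024/m=03/d=01/'      # blob names embed the NSG resource ID, then y=/m=/d=/h=/m=00/macAddress=/PT1H.json
$dest      = 'C:\evidence\flowlogs'

$ctx   = New-AzStorageContext -StorageAccountName $account -UseConnectedAccount   # Entra ID auth, no account key needed
$blobs = Get-AzStorageBlob -Container $container -Context $ctx | Where-Object { $_.Name -like "*$day*" }
New-Item -ItemType Directory -Path $dest -Force | Out-Null

$manifest = foreach ($b in $blobs) {
    $local = Join-Path $dest ($b.Name -replace '[/=]', '_')       # flatten the deep blob path into one file name
    Get-AzStorageBlobContent -Container $container -Blob $b.Name -Destination $local -Context $ctx -Force | Out-Null
    [pscustomobject]@{
        Blob         = $b.Name
        LastModified = $b.LastModified
        Bytes        = $b.Length
        Sha256       = (Get-FileHash -Algorithm SHA256 $local).Hash
        LocalPath    = $local
    }
}
$manifest | Export-Csv (Join-Path $dest 'manifest.csv') -NoTypeInformation
$manifest | Format-Table LastModified, Bytes, Sha256, Blob -AutoSize
```

For a bulk pull, azcopy copy "https://stincidentlogs.blob.core.windows.net/insights-logs-networksecuritygroupflowevent?<sas>" C:\evidence\flowlogs --recursive does the same without a call per blob; hash the files afterwards in the same way. The flow-log storage account is usually in the NSG's region and may sit in a different subscription from the VMs.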
-----------------------------------------------------------------------------------------------------------
Extracting VM Details from the Activity Log:
The Activity Log records control-plane operations (who created, resized, deleted or otherwise changed a resource, and when); for VM write operations the response body carries the VM's properties. The script below pulls the VM ID and size out of those entries:
# Requires Az.Monitor and an authenticated session (Connect-AzAccount). Newer Az.Monitor releases
# document this cmdlet as Get-AzActivityLog. Set the time window explicitly; the Activity Log keeps 90 days.
$results = Get-AzLog -ResourceProvider "Microsoft.Compute" -StartTime (Get-Date).AddDays(-30) -DetailedOutput
$results | ForEach-Object {
    $event    = $_
    $contents = $event.Properties.Content        # extra fields, only populated with -DetailedOutput
    if ($contents -and $contents.ContainsKey("responseBody")) {
        $fromjson = $contents["responseBody"] | ConvertFrom-Json
        [pscustomobject]@{
            Time      = $event.EventTimestamp
            Caller    = $event.Caller             # user, service principal or managed identity that made the change
            Operation = $event.OperationName      # e.g. Microsoft.Compute/virtualMachines/write
            VmId      = $fromjson.properties.vmId
            VmSize    = $fromjson.properties.hardwareProfile.vmSize
        }
    }
}
How This Script Helps:
VM Information for Analysis: The VM ID and size identify the machines involved in an incident and let you match them to disks, NICs and flow logs; the caller and timestamp show who changed each VM and when, which is how an unexpected VM deployment or resize gets spotted. Only VMs that were created or modified in the window appear here; untouched VMs have to be enumerated with Get-AzVM.
-----------------------------------------------------------------------------------------------------------
Conclusion:
In Azure, combining effective Network Security Group (NSG) management with scripted queries against the Activity Log and flow logs provides essential visibility for incident response. Understanding traffic control through NSGs and using PowerShell to retrieve VM and network evidence lets organizations investigate security incidents efficiently, even without advanced security tools like a SIEM.
Akash Patel