Azure Threat Research Matrix


In this article, I will share with you the Azure Threat Research Matrix. The purpose of the Azure Threat Research Matrix (ATRM) is to conceptualize the known tactics, techniques, and procedures (TTP) that adversaries may use against the Azure platform. Inspired from MITRE ATT&CK, ATRM is designed to give quick insight into a potential TTP that an adversary may be using in their attack campaign.

In comparison to MITRE ATT&CK, Azure does not have the same capabilities for some of the tactics, e.g. Initial Access. While some tactics in ATT&CK may pertain to Azure, the ATRM is meant to be specific within Azure AD and Azure Resources.



AKS | Image Cleaner


In this article, I will show you how you can clean unreferenced images stored at the nodes level. When done manually, this process can be time intensive, which ImageCleaner can mitigate via automatic image identification and removal.

ImageCleaner does not support the following:

  • Windows node pools
  • ARM64 node pools

When enabled, an eraser-controller-manager pod is deployed on each agent node, which will use an ImageList CRD to determine unreferenced and vulnerable images. Vulnerability is determined based on a trivy scan, after which images with a LOW, MEDIUM, HIGH, or CRITICAL classification are flagged.

An updated ImageList will be automatically generated by ImageCleaner based on a set time interval, and can also be supplied manually. Once an ImageList is generated, ImageCleaner will remove all the images in the list from node VMs.

To enable Image Cleaner on an existing AKS cluster:

az aks update -g MyResourceGroup -n MyManagedCluster --enable-image-cleaner

To enable Image Cleaner with an interval of hours:

az aks update -g MyResourceGroup -n MyManagedCluster --image-cleaner-interval-hours 48

Based on your configuration, ImageCleaner will generate an ImageList containing non-running and vulnerable images at the desired interval. ImageCleaner will automatically remove these images from cluster nodes.



Network security groups support for private endpoints


Network security groups (NSGs) support for private endpoints is now generally available. This feature enhancement provides you with the ability to enable advanced security controls on traffic destined to a private endpoint. In order to leverage this feature, you will need to set a specific subnet level property, called PrivateEndpointNetworkPolicies, to enabled on the subnet containing private endpoint resources.

By default, network policies are disabled for a subnet in a virtual network. To utilize network policies like UDR and NSG support, network policy support must be enabled for the subnet. This setting is only applicable to private endpoints within the subnet. This setting affects all private endpoints within the subnet. For other resources in the subnet, access is controlled based on security rules in the network security group.

Enable Network Policy:

  1. Sign-in to the Azure portal.
  2. In the search box at the top of the portal, enter Virtual network. Select Virtual networks.
  3. Select myVNet.
  4. In settings of myVNet, select Subnets.
  5. Select the default subnet.
  6. In the properties for the default subnet, select Enabled in NETWORK POLICY FOR PRIVATE ENDPOINTS.
  7. Select Save.