This section describes how securiCAD can be used to analyse your Azure environments. In short, securiCAD analyses an Azure environment by collecting data from it with Foreseeti's securicad-azure-collector; that data is then used to run attack simulations in securiCAD Enterprise.
The collector script uses the public Azure APIs to create a representation of the infrastructure. Once it completes, a file in JSON format is available. The Azure collector script is available on PyPI.
For information on the latest Azure Collector versions, see our GitHub.
To collect the Azure infrastructure configuration needed to create a securiCAD model (digital twin), a security principal holding the Reader role needs to be added to the Azure subscription; the SDK then uses that identity to fetch the configuration. You can do that using an Azure app registration.
The extractor program needs to assume the identity of a security principal assigned the Reader role at subscription level to be able to extract your environment. We suggest you either register a new application under App registrations in Azure Active Directory to create a new service principal, or assign a system-assigned Managed Identity to an Azure virtual machine (possibly the same machine running securiCAD Enterprise), and give that security principal this permission. The first option is required if you are running the collector locally.
- In the Azure console, create a new App Registration and give it a suitable name, e.g.
- Supported account types should be Accounts in this organizational directory only.
- Collect the individual keys the fetcher needs to access the Azure APIs. The image below shows the different keys you need. You also need to create a Client Secret.
- Creating the Client Secret
First go into client credentials shown here:
New client secret as shown here:
The keys generated should then be stored in a secure place for further use.
Restricting data collection
securicad-azure-collector will only be able to collect the data that its RBAC assignment allows. Always follow best practices for RBAC assignments when creating your roles, and use the appropriate resource restrictions to limit the collected data.
As mentioned earlier, assign the newly generated security principal (in the case above, our App Registration) a Reader role assignment on the subscriptions you wish to collect.
It is ideal to allow the collector to read the Active Directory group members of the groups that have an IAM assignment within the Azure cloud. This lets the model connect the security principals that belong to each group. To do this, click API permissions on the App Registration dashboard and grant the GroupMember.Read.All permission by clicking Add a permission > Microsoft Graph > Application permissions > GroupMember.Read.All. Note that an Active Directory admin will have to approve this permission before it is granted.
Application Insights records the traffic in your Azure environment and can be used to enrich the securiCAD model by making use of its topology mapping. The topology dump allows the parser to connect services that communicate with each other through connection strings/keys, since it shows that there is some form of communication between these services that does not rely on RBAC assignments. To make use of this, set up an Application Insights component in your Azure environment, attach the services you are about to analyse in securiCAD on their respective configuration pages, and let the entire system run for some time.
Next, collect all the keys in one place and keep them safe since you now can extract the information on your Azure environment with them.
The keys needed for extraction are the Subscription ID, Directory (Tenant) ID, Application Registration Client ID and Client Secret.
They are then placed in a bash script file like this:
export AZURE_SUBSCRIPTION_ID='xxx'
export AZURE_TENANT_ID='xxx'
export AZURE_CLIENT_ID='xxx'
export AZURE_CLIENT_SECRET='xxx'
Load the environment variables into the shell by sourcing the script as follows:
You may tag your Azure resources with the key/value pair below in order to logically segment the objects into different simulations once you have created your model. Note that Group: can be either a single value or a comma-separated list of several groups. The value of C/I/A is expected to be an integer between 0 and 10. It defines the consequence value if you were to set the resource as a high value asset, i.e. how critical Confidentiality, Integrity and Availability are for that resource. If it is 0, you may simply omit the corresponding key.
The securiCAD Azure Collector will look for the scad key and place the scanned objects in logical groups. These groups can then be used to create CIA simulations programmatically, using our enterprise-sdk. More details about this use case can be found here.
In the instructions below, make sure that you are using the correct version of the securiCAD Azure Collector. If you are using securiCAD as a service hosted by Foreseeti, always use the latest version of the collector.
The latest version of the Azure Collector requires Python 3.8 or above. While older versions of Python might still allow you to install the securicad-azure-collector, the collected data will not be compatible with securiCAD.
Install the securiCAD-azure-collector using git:
$ git clone https://github.com/foreseeti/securicad-azure-collector
Install the securicad-azure-collector with pip:
$ pip install securicad-azure-collector
Below is an example of how to run the securiCAD Azure Collector.
$ python3 -m securicad.azure_collector
If output paths aren't specified (run python3 -m securicad.azure_collector --help to see the options), the program will dump a timestamped active_directory_YYYY-mm-dd_HH:MM.json file under the environment_files directory, and a file called application_insights_YYYY-mm-dd_HH:MM.json under the same directory if an Application Insights resource was found within the scope of the provided Azure environment. Again, the application_insights.json can be used to enrich the model by connecting services that communicate with each other through connection strings/keys. This data file is optional, but we suggest producing it if you are using App Services and Function Apps that communicate with Azure backend resources where Managed Identities are not used. The resulting JSON files can be uploaded directly into securiCAD Enterprise or by using the securiCAD Enterprise SDK.
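The following script ties the steps above together: it sources the environment file prepared earlier, verifies that all four variables the collector needs are set without ever printing the client secret, optionally grants the app registration the Reader role at subscription scope, and then runs the collector. This is an added example, not code from the securiCAD documentation or the collector project; it assumes the Azure CLI (az) is installed and logged in as a user allowed to assign roles, and the app ID, subscription ID and file path are placeholders you supply.

```shell
#!/bin/sh
# Added example (not from the securiCAD docs or the collector project).
# Assumes: an env file with the four export lines shown earlier, the Azure
# CLI ("az") logged in with permission to assign roles, and the collector
# installed with pip. App ID / subscription ID arguments are placeholders.

# Return 0 only when all four variables the collector needs are set and
# non-empty. Only the names of missing variables are reported; values are
# never printed, so the client secret stays out of shell history and CI logs.
check_azure_env() {
    missing=""
    for name in AZURE_SUBSCRIPTION_ID AZURE_TENANT_ID AZURE_CLIENT_ID AZURE_CLIENT_SECRET; do
        eval "value=\${$name:-}"
        [ -n "$value" ] || missing="$missing $name"
    done
    if [ -n "$missing" ]; then
        echo "missing:$missing" >&2
        return 1
    fi
    return 0
}

# Source the env file, then verify it. Tracing is switched off first so a
# debugging "set -x" in the calling shell cannot echo the secret.
load_azure_env() {
    env_file="${1:-./azure-collector.env}"
    [ -r "$env_file" ] || { echo "cannot read $env_file" >&2; return 1; }
    set +x
    . "$env_file"
    check_azure_env
}

# Grant the app registration's service principal the Reader role at
# subscription scope, which is the least privilege the collector needs.
assign_reader_role() {
    app_id="$1"
    sub_id="$2"
    az role assignment create \
        --assignee "$app_id" \
        --role Reader \
        --scope "/subscriptions/$sub_id"
}

# Run the collector only once the environment check has passed.
run_collector() {
    check_azure_env || return 1
    python3 -m securicad.azure_collector
}

# Usage: ./collect.sh /path/to/azure-collector.env
if [ -n "${1:-}" ]; then
    load_azure_env "$1" && run_collector
fi
```

Call assign_reader_role once with the app registration's Application (client) ID and the subscription ID; it is separate from run_collector because role assignment is a one-time administrative step, while the environment check runs on every collection.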
Find more examples and collector options on GitHub.