Uncover the Secrets of Blob-Hunting: Learn How to Detect, Investigate and Prevent it with Defender for Storage & Microsoft Sentinel

Share on facebook
Share on twitter
Share on linkedin

đŸ”„Uncover the Secrets of Blob-Hunting: Learn How to Detect, Investigate and Prevent it with Defender for Storage & Microsoft Sentinel. đŸ”„

❓Why do you need to start blob-hunting?

đŸ”„Stop exfiltration of sensitive information from misconfigured resources from Azure Blob Storage, Amazon S3, and GCP Cloud Storage.

đŸ”„Find your gaps. Most people think they don’t have misconfigured storage resources, unfortunately, this assumption is incorrect is most cases.

đŸ”„Learn and implement quick and effective ways to harden your security posture and prevent these threats from happening.

❓What’s blob-hunting, and how exactly is it achieved?

đŸ’„Blob-hunting is the act of guessing the URL of containers or blobs open to unauthenticated public access with the intent of exposing data from them

đŸ’„There are several ways to expose blobs, with different starting points:

1- The first starting point is brute-force guessing the names of storage accounts and discovering them when there’s little or no prior knowledge of their existence.

2- The second starting point begins after threat actors already know the names of storage accounts. For example, attackers can find names online through search engines and can then start brute-force guessing the names of the containers.

3- The third starting point is brute-forcing the way into the blobs by guessing the entire URL – the account, container, and blob names. This is usually the case when the container access level is set to ‘Blob’ and threat actors can’t discover and enumerate blobs but can access them if they have the full URL.

A breakdown of the blob-hunting process implemented by threat actors

đŸ’„Finding storage account names
đŸ’„Exposing container names
đŸ’„Exposing and enumerating blob names
đŸ’„The flow of a full blob-hunting attack

❓How does Microsoft Defender for Storage help detect and prevent these blob-hunting attempts?

đŸ’„Microsoft Defender for Storage detects blob hunters trying to discover resources open to public access and attempt to expose blobs with sensitive data so that you can block them and remediate your posture. The service does this by continuously analyzing the telemetry stream generated by Azure Storage services without the necessity of turning on the diagnostic logs, accessing the data, and impacting performance. When potentially malicious activities are detected, security alerts are generated.

❓How to proactively look for blob-hunting with Microsoft Sentinel

đŸ’„When diagnostic settings are enabled, you can proactively hunt blob enumeration activity using Microsoft Sentinel. The following two queries can be executed within Microsoft Sentinel to detect suspicious enumeration activity.

Want to learn more? 💡

Leave a Comment

Your email address will not be published. Required fields are marked *

Related Posts