How to Respond to a Brute Force Attack on Azure VM

How to Remediate a Brute Force Attack on Azure VMs

Brute force attacks have become a common method used by attackers to gain unauthorized access to servers, applications, and databases. With cloud computing becoming an important part of IT infrastructure, securing cloud-hosted resources such as Azure Virtual Machines (VMs) is more critical than ever.

Once you’ve analyzed the attack and confirmed the incident as a true positive, it’s time to take action. Your remediation action will be based on your organization’s needs and the functionality of the target machine (e.g., a public-facing web server). Here are some response and remediation steps:

  1. Block the Attacker’s IP: If the source IP is confirmed to be malicious, block it at the network edge, for example with an NSG deny rule on the VM or a centralised service such as Azure Firewall, to prevent further attempts from that IP.
  2. Change Credentials: If an account was successfully compromised or targeted, initiate a password reset for that account and ensure that multi-factor authentication (MFA) is enabled.
  3. Review Access Logs: Investigate other systems for any signs of further compromise, especially those that use the same credentials or are accessible via the attacked user’s account.
  4. Notify Affected Users: If employee accounts were targeted, notify them to ensure they follow security best practices like enabling MFA and using stronger passwords.
  5. Monitor for Future Attempts: Continue to monitor the environment for similar attacks. Set up additional alerts for unusual login activities and fine-tune your detection rules to better capture such attacks in the future.

In this post, I will discuss how to secure your Azure VM against brute-force attacks, focusing on three key steps:

  1. Securing the connection using Network Security Groups (NSGs)
  2. Turning Microsoft Defender back on inside the VM
  3. Enabling multifactor authentication (MFA) for access to the Azure VM

1. Securing the Connection Using Network Security Groups (NSGs)

Network Security Groups (NSGs) act as a firewall for your Azure VM, controlling both inbound and outbound traffic. By configuring appropriate rules, you can effectively limit who can access your VM, drastically reducing the risk of brute-force attacks.

This lab is a continuation of the previous lab, in which I analyzed brute force attacks in Microsoft Sentinel (see the earlier post on analyzing a brute force attack in Microsoft Sentinel). The target machine was a honeypot I created in Azure. I intentionally made it vulnerable to brute force attacks by exposing the VM to the internet with an NSG rule that allowed any source, destination, port and protocol inbound. In this lab, I am going to secure the honeypot against brute force attacks.

How to Secure a Virtual Machine Hosted in Azure

To remediate the brute force attack analyzed in the previous post, the VM must be secured. There are different ways to secure a machine against brute force attacks, as listed above, depending on your situation, but for this Azure virtual machine the remediation is simple. You can block the attacker’s IP address or addresses, but on its own this is a temporary measure (it ends the current session and delays the attacker) because most attackers use some form of proxy (a VPN, a commercial proxy, or the Tor network) and can easily change the source IP address they come from. The durable fix is to create a Network Security Group (NSG) rule that allows RDP only from your own IP address or addresses (a whitelist); every other source is then dropped by the NSG’s default DenyAllInBound rule.

How to Whitelist an IP Address in Azure Using Network Security Group (NSG)

Start by logging into the Azure Portal. Search for Virtual machine in the search bar and click on it.

You should see your virtual machine listed, as shown in the screenshot below. Click on your VM.

The virtual machine’s page opens. Click on Network Settings on the left menu to set up rules that allow access only from trusted IP addresses or IP ranges. For example, if you know you or your team will only access the VM from specific locations, restrict access to those source IP addresses.

You will find the existing NSG rule (the allow-everything rule that exposed the honeypot), as shown in the screenshot below. Delete it and create a new rule in its place with priority 100 and a meaningful name. Azure evaluates NSG rules from the lowest priority number upward and stops at the first match, and custom rules can use priorities 100 to 4096, so 100 puts this rule ahead of anything you add later.

Click on + Create port rule to create a Network Security Group (NSG) rule. Select Inbound port rule.

Under Source, select IP Addresses. You can specify a single IP address, an IP range in CIDR notation, or a subnet. For this example, I will specify my own public IP address as the source, TCP 3389 (RDP) as the destination port, and Allow as the action. Click the Save button to save the rule. With the allow-everything rule gone, an RDP attempt from any other source now falls through to the default DenyAllInBound rule. If your public IP address changes (home broadband, mobile tethering), you will have to update this rule before you can connect again.

The new rule was successfully created, as shown in the screenshot below.

How to Block Malicious IP Address in Azure Using Network Security Group (NSG)

You can block the attacker’s IP address or addresses. If, after a thorough analysis of the incidents, the source IP is confirmed to be malicious, the next thing is to block it. An attacker successfully logged into the honeypot as an anonymous user. Blocking the malicious source IP address helped stop or delay the attacker.

In the Microsoft Sentinel dashboard, run the Kusto Query Language (KQL) query below to get the list of security events summarized by IP address.

SecurityEvent
| where EventID == 4625                       // 4625 = "An account failed to log on"
| summarize Count = count() by IpAddress      // one row per source IP with its failure count

This query tracks failed login attempts (EventID 4625) and counts how many times they occurred from each IP address in the SecurityEvent log. By analyzing the data, you can identify potential brute force attacks or other suspicious behavior based on where the failed login attempts originate. The result will give you a list of IP addresses along with the number of failed logins from each address. You can modify the query to fit your specific needs, such as filtering by time or adding more conditions.

Your result should look similar to the screenshot below. To learn more about each IP address, you can click on the right arrowhead next to the IP address to expand it.
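To show what the summarize query is doing, and the two refinements mentioned above (a time window and extra conditions), here is an added Python example that is not part of the original post or of Microsoft Sentinel. It runs the same aggregation over a constructed list of SecurityEvent rows (the addresses, accounts and timestamps are made up for the example), then flags sources that burst past a threshold inside a sliding window and checks whether any flagged source later produced a successful logon (EventID 4624), which is the true-positive check the earlier analysis relied on.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def _ev(ts, event_id, account, ip):
    # Shape of the SecurityEvent columns this example uses
    return {"TimeGenerated": ts, "EventID": event_id, "Account": account, "IpAddress": ip}


# Constructed sample rows (not real telemetry). 4625 = failed logon, 4624 = successful logon.
SAMPLE_EVENTS = (
    # 198.51.100.7: six failures in under a minute, then a success once the password is guessed
    [_ev(f"2024-05-01T10:00:{s:02d}Z", 4625, "administrator", "198.51.100.7")
     for s in (5, 12, 19, 27, 34, 41)]
    + [_ev("2024-05-01T10:02:58Z", 4624, "administrator", "198.51.100.7")]
    # 203.0.113.10: an admin mistyping a password twice before getting in
    + [_ev("2024-05-01T11:15:00Z", 4625, "jdoe", "203.0.113.10"),
       _ev("2024-05-01T11:15:20Z", 4625, "jdoe", "203.0.113.10"),
       _ev("2024-05-01T11:15:40Z", 4624, "jdoe", "203.0.113.10")]
    # 192.0.2.9: five failures spread over two hours, a slow scanner rather than a burst
    + [_ev(f"2024-05-01T{h:02d}:{m:02d}:00Z", 4625, "guest", "192.0.2.9")
       for h, m in ((12, 0), (12, 30), (13, 0), (13, 30), (14, 0))]
)


def _t(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def failed_logons_by_ip(events):
    """SecurityEvent | where EventID == 4625 | summarize Count = count() by IpAddress
    (returned sorted by Count, highest first)."""
    counts = Counter(e["IpAddress"] for e in events if e["EventID"] == 4625)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def burst_sources(events, threshold=5, window=timedelta(minutes=10)):
    """IPs with at least `threshold` failures inside any `window`-long span.
    KQL would use summarize count() by IpAddress, bin(TimeGenerated, 10m); the
    sliding window here also catches a burst that straddles a bin boundary."""
    by_ip = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            by_ip[e["IpAddress"]].append(_t(e["TimeGenerated"]))
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # shrink the window from the left
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def successes_after_failures(events, flagged_ips):
    """Accounts that got a 4624 from a flagged IP after that IP's first failure:
    the true-positive signal that a guessed password actually worked."""
    first_fail = {}
    for e in events:
        if e["EventID"] == 4625 and e["IpAddress"] in flagged_ips:
            t = _t(e["TimeGenerated"])
            first_fail[e["IpAddress"]] = min(t, first_fail.get(e["IpAddress"], t))
    hits = defaultdict(set)
    for e in events:
        ip = e["IpAddress"]
        if e["EventID"] == 4624 and ip in first_fail and _t(e["TimeGenerated"]) > first_fail[ip]:
            hits[ip].add(e["Account"])
    return {ip: sorted(accounts) for ip, accounts in hits.items()}


if __name__ == "__main__":
    print(failed_logons_by_ip(SAMPLE_EVENTS))
    flagged = burst_sources(SAMPLE_EVENTS)
    print("burst sources:", flagged)
    print("accounts that later succeeded:", successes_after_failures(SAMPLE_EVENTS, flagged))
```

Note that the admin address 203.0.113.10 shows up in the raw count with two failures. The raw summary on its own is not a block list, which is why each address has to be analysed before it goes into an NSG deny rule.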

Once you have the IP addresses, identify the malicious ones to block with a Network Security Group (NSG) rule and follow these steps:

In your Azure virtual machine property, click on Network Settings on the left menu. Click on + Create port rule to create a Network Security Group (NSG) rule. Select Inbound port rule.

Select IP Addresses under Source, then list the IP address or addresses to block, separated by commas. Select Any under Destination, select RDP under Service, select Deny under Action, specify the Priority, name your rule, and click on the Add button to add the rule. Give the deny rule a lower priority number than any allow rule that could match the same traffic: NSG rules are evaluated in ascending priority order and processing stops at the first match, so a deny rule at priority 200 is never reached if an allow rule at priority 100 already matches the attacker’s packets.

The Deny rule was successfully created, as shown in the screenshot below.
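The two NSG procedures above (the allow rule for your own address and the deny rule for the attackers’ addresses) only work if the rules are ordered correctly. The following Python model is an added example, not code from the original post or from Microsoft: it reproduces the NSG inbound evaluation order (lowest priority number first, first match wins, then the built-in AllowVnetInBound, AllowAzureLoadBalancerInBound and DenyAllInBound defaults) over constructed rules. The admin address 203.0.113.10, the attacker addresses 198.51.100.7 and 198.51.100.23, the lab VNet 10.0.0.0/16 and the rule names are assumptions, and the VirtualNetwork service tag is simplified to that single CIDR.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One inbound NSG rule, reduced to the fields that matter for this lab."""
    name: str
    priority: int      # custom rules use 100-4096; a lower number is evaluated first
    source: str        # "*" or a comma-separated list of IPs / CIDRs
    dest_port: str     # "*" or a single TCP port
    action: str        # "Allow" or "Deny"


def _source_matches(rule_source: str, src_ip: str) -> bool:
    if rule_source == "*":
        return True
    ip = ipaddress.ip_address(src_ip)
    # strict=False lets a bare address such as "198.51.100.7" behave as a /32
    return any(ip in ipaddress.ip_network(token.strip(), strict=False)
               for token in rule_source.split(","))


def _port_matches(rule_port: str, dest_port: int) -> bool:
    return rule_port == "*" or int(rule_port) == dest_port


def evaluate(rules, src_ip: str, dest_port: int):
    """Return (action, rule_name) of the first matching rule in priority order,
    which is how Azure processes an NSG: it stops at the first match."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if _source_matches(rule.source, src_ip) and _port_matches(rule.dest_port, dest_port):
            return rule.action, rule.name
    raise ValueError("unreachable: every NSG ends with DenyAllInBound")


# Azure's built-in default inbound rules; they cannot be deleted, only outranked.
# Assumption: the VirtualNetwork tag is simplified to the lab VNet 10.0.0.0/16;
# the AzureLoadBalancer tag resolves to the platform probe address 168.63.129.16.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "10.0.0.0/16", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "168.63.129.16", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "Deny"),
]

ADMIN_IP = "203.0.113.10"                       # constructed: your public IP
ATTACKER_IPS = "198.51.100.7, 198.51.100.23"    # constructed: IPs from the 4625 summary


def hardened_nsg():
    """The end state of this post: explicit deny for the attackers, RDP allowed
    only from the admin IP, everything else caught by DenyAllInBound."""
    return [
        Rule("Deny-RDP-BruteForce-IPs", 100, ATTACKER_IPS, "3389", "Deny"),
        Rule("Allow-RDP-From-Admin", 110, ADMIN_IP, "3389", "Allow"),
    ] + DEFAULT_RULES


def misordered_nsg():
    """The mistake to avoid: the honeypot's allow-everything rule is still there
    at priority 100, so the deny rule at 200 is never consulted."""
    return [
        Rule("AllowAnyInbound", 100, "*", "*", "Allow"),
        Rule("Deny-RDP-BruteForce-IPs", 200, ATTACKER_IPS, "3389", "Deny"),
    ] + DEFAULT_RULES


if __name__ == "__main__":
    for label, rules in (("hardened", hardened_nsg()), ("misordered", misordered_nsg())):
        for src in (ADMIN_IP, "198.51.100.7", "192.0.2.55"):
            print(f"{label:10} {src:15} RDP -> {evaluate(rules, src, 3389)}")
```

Running it shows the admin address allowed, the attacker denied by the explicit rule and an unrelated internet address denied by DenyAllInBound in the hardened set, while in the misordered set the attacker still gets through because the leftover allow-all rule wins. The same ordering applies to the portal rules in this post: the deny rule needs the smaller priority number, and the honeypot’s original allow-all rule has to go.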

Turn on Microsoft Defender

Next, log into your Azure Virtual Machine and turn Microsoft Defender on if it’s currently off. This is Microsoft Defender Antivirus inside the guest operating system, not Microsoft Defender for Cloud, which is configured at the subscription level in the Azure portal. I turned Microsoft Defender off in the previous lab to make the honeypot vulnerable. So, I will turn it back on as shown below.

Enable Multifactor Authentication on Azure VM

By enforcing MFA through Microsoft Entra ID, you can ensure that anyone trying to access your Azure VM will need to go through an additional layer of authentication.

To enable multifactor authentication (MFA) for an Azure Virtual Machine (VM), it is important to understand that MFA is configured in Microsoft Entra ID, not on individual VMs. The approach is to enable Microsoft Entra login on the VM, so that sign-ins to the VM are authenticated by Entra ID, and then require MFA for those sign-ins through a Conditional Access policy; a separate post covers the step-by-step configuration. One caveat: Entra MFA only protects Entra accounts. Local Windows accounts on the VM never authenticate through Entra ID, so they remain exposed to password guessing and must still be protected by the NSW restrictions above, with any unused local accounts disabled.

Post-Incident Analysis and Prevention

After the incident, it’s important to perform a post-incident review and improve your defenses:

  • Review your password policies: Ensure that your organization uses strong password policies, including longer passwords and complexity requirements.
  • Limit Failed Login Attempts: Enforce stricter login policies, such as account lockout thresholds. On an internet-exposed RDP endpoint a lockout policy also lets an attacker lock legitimate users out by deliberately failing logons, which is one more reason to restrict the source IPs first.
  • Enforce MFA: Make sure all accounts, especially administrative and high-privilege accounts, are protected by multi-factor authentication (MFA).
  • Improve Detection Rules: Based on the attack patterns observed, refine your detection rules in Microsoft Sentinel to capture evolving attack strategies.
  • Educate Users: Conduct awareness training for employees on recognizing phishing attempts and the importance of password hygiene.

Conclusion

Brute force attacks are a significant security threat, but with the right tools and practices, you can detect, investigate, and mitigate their impact. Microsoft Sentinel provides powerful tools for analyzing these types of attacks by correlating logs, detecting unusual login patterns, and allowing for rapid incident response.

FAQs

Is MFA sufficient to prevent brute force attacks? No. Multi-factor authentication (MFA) adds an essential layer and greatly reduces the chance that a guessed password leads to a compromised account, but it does not stop the guessing itself, and it does not cover local accounts that never authenticate through Entra ID. Combine it with source IP restrictions, lockout policies and strong passwords.

What is the most effective way to detect a brute force attack? Start with Microsoft Sentinel’s built-in analytics rules for bursts of failed logons, then add custom alerts tuned to your environment, for example a threshold on the number of EventID 4625 events per source IP in a given time window.

How can I improve my brute force attack detection in Sentinel? Tune the thresholds and time windows to your environment’s normal failure rate, use Sentinel’s machine-learning-based analytics for anomalous sign-ins, and correlate SecurityEvent data with other sources such as VPN logs, RDP logs, and firewall logs so that a burst of failures followed by a success from the same source stands out.
