Announcing Azure Canaries General Availability
Today we are incredibly excited to announce the general availability of Tracebit Canaries for Microsoft Azure.
Tracebit’s vision is to make security canaries a standard control for all security teams.
For us, there are three parts to this equation:
- Genuinely high signal to noise alerts that are clearly actionable
- A seamless deployment as well as minimal long term maintenance, with a robust security model
- Canary support across a broad range of platforms, enabling detections that serve both as an early warning and as an indicator of crown-jewel compromise.
This latest release gets us closer to this vision as we extend our platform to support canary infrastructure for Azure.
What do Azure Canaries bring me?
An example Tracebit Azure Canary Alert
At a high level, the value a Tracebit deployment brings to an Azure estate is as follows:
Increased visibility - we monitor diagnostic settings logs, a sometimes under-monitored component of an Azure estate, and we deliver high signal-to-noise detections on these logs without time-intensive detection engineering.
Threat Detection
We introduce coverage for the following threats:
- Data Exfiltration - We deploy Azure Storage Account canaries to detect events that may indicate data exfiltration or unauthorized data access.
- Privilege Escalation - We deploy Azure Key Vault canaries to detect attempts to access secrets that may be used to elevate privileges or leverage secrets for other attacks.
- Lateral Movement - We deploy Azure Managed Identity canaries to detect attempts to use those identities to move laterally within an Azure tenancy.
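As an added illustration (not Tracebit's code) of the detection model described above, the following Python classifies constructed Azure diagnostic log records into the three threat classes when they touch a canary resource. The record fields are modelled loosely on Azure storage, Key Vault and activity log schemas, and the canary names, subscription id and IP addresses are constructed placeholders.

```python
import json
from urllib.parse import urlparse

# Hypothetical canary resource names a defender records at deploy time.
CANARIES = {
    "storage_container": {"finance-backups-canary"},
    "key_vault": {"prod-db-admin-canary"},
    "managed_identity": {"svc-billing-canary"},
}

def classify(record: dict):
    """Return the threat class if the record touches a canary, else None."""
    category = record.get("category", "")
    op = record.get("operationName", "")
    if category in ("StorageRead", "StorageWrite", "StorageDelete"):
        # The container is the first path segment of the blob URI.
        path = urlparse(record.get("uri", "")).path.strip("/").split("/")
        if path and path[0] in CANARIES["storage_container"]:
            return "Data Exfiltration"
    elif category == "AuditEvent" and op.startswith("Secret"):
        # Key Vault audit records carry the object URI; vault name is the host label.
        vault = (urlparse(record.get("id", "")).hostname or "").split(".")[0]
        if vault in CANARIES["key_vault"]:
            return "Privilege Escalation"
    elif op.endswith("/userAssignedIdentities/assign/action"):
        # Identity assignment to a VM: last segment of the resourceId is the identity.
        if record.get("resourceId", "").rsplit("/", 1)[-1] in CANARIES["managed_identity"]:
            return "Lateral Movement"
    return None

def alerts(lines):
    """Scan newline-delimited JSON records and return actionable alerts."""
    out = []
    for line in lines:
        rec = json.loads(line)
        threat = classify(rec)
        if threat:
            out.append({"threat": threat, "operation": rec.get("operationName"),
                        "caller": rec.get("callerIpAddress"), "time": rec.get("time")})
    return out

# Constructed sample records: three canary touches and one benign read.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg"
SAMPLE_LOGS = [json.dumps(r) for r in [
    {"time": "2024-05-01T10:00:00Z", "category": "StorageRead", "operationName": "GetBlob",
     "uri": "https://acct.blob.core.windows.net/finance-backups-canary/q3.csv", "callerIpAddress": "203.0.113.7"},
    {"time": "2024-05-01T10:01:00Z", "category": "StorageRead", "operationName": "GetBlob",
     "uri": "https://acct.blob.core.windows.net/public-assets/logo.png", "callerIpAddress": "198.51.100.2"},
    {"time": "2024-05-01T10:02:00Z", "category": "AuditEvent", "operationName": "SecretGet",
     "id": "https://prod-db-admin-canary.vault.azure.net/secrets/sa-password", "callerIpAddress": "203.0.113.7"},
    {"time": "2024-05-01T10:03:00Z", "category": "Administrative", "callerIpAddress": "203.0.113.7",
     "operationName": "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
     "resourceId": SUB + "/providers/Microsoft.ManagedIdentity/userAssignedIdentities/svc-billing-canary"},
]]
```

Because canary resources have no legitimate consumers, any hit is actionable without further tuning, which is the signal-to-noise property the post describes.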
What’s the customer experience been so far?
We’ve been delighted with the adoption and feedback from our early access partners. Here, Karen from Docker shares their experience:
The Tracebit Platform made setting up Azure canaries incredibly smooth. The deployment via Terraform was seamless, and adding additional subscriptions is straightforward too.
The outcome has been fantastic - we’ve levelled up our detections in Azure with minimal effort and no false positives.
Karen H., Senior Security and Compliance Engineer
What are the real world threats?
Whilst it stands to reason that, for example, there is value in detection on unauthorized access to storage accounts, we think it’s important to prioritise our work based on real world threats.
I wanted to share a few recent examples from Crowdstrike, the impact they had on businesses using Azure, and how Tracebit Azure Canaries could have aided detection.
Threat 1 - Ransomware on Azure Storage Accounts
Sophos X-Ops Incident Responders 2023 - BlackCat Ransomware
“The BlackCat (ALPHV) ransomware gang now uses stolen Microsoft accounts and the recently spotted Sphynx encryptor to encrypt targets' Azure cloud storage …. In total, the ransomware operators could encrypt 39 Azure Storage accounts successfully.”
In this case, a ransomware group targeted storage accounts to encrypt them and ransom the data back to the victim. Groups associated with this gang have been known to extort businesses with threats to leak data.
A Tracebit Storage Account Canary could have detected this group early, during the enumeration phase of the attack, with a clear, actionable alert.
Threat 2 - Privilege escalation against Azure Key Vault
Crowdstrike Global Threat Report 2024 - Indrik Spider UNC2165 Group
“February 2023, CrowdStrike Services responded to an INDRIK SPIDER incident involving BITWISE SPIDER’s LockBit RED ransomware. During this incident, INDRIK SPIDER exfiltrated credentials from cloud-based credential manager Azure Key Vault.”
In this report, Crowdstrike highlights an incident where a ransomware group targeted Azure Key Vault in an attempt to escalate privileges. This shows that even ransomware actors are wise to where credentials are stored in cloud environments.
An attacker interaction with a Tracebit Key Vault Canary would have given a clear and actionable alert.
Threat 3 - Lateral Movement Via Azure Virtual Machines
Crowdstrike brief on intrusion campaigns targeting telcos - Scattered Spider Group
“The adversary leveraged compromised credentials from a victim user and authenticated to the organization’s Azure tenant. Using this access, the adversary instantiated Azure VMs to conduct credential theft activity and lateral movement to on-premises systems”
In this report, the attacker launched Azure Virtual Machines to obtain credentials and perform lateral movement. A Tracebit Managed Identity Canary will detect when an attacker assigns the canary identity to a VM in an attempt to retrieve or use the associated credentials to gain access to resources in other subscriptions within the tenant.
What’s coming next?
We have a lot more planned for the Microsoft ecosystem, but it’s fair to say that identity (Microsoft Entra ID) is regularly requested by customers. Feel free to subscribe to our mailing list at the bottom of this page for more updates there.
How can I learn more?
If the above sounds like it could be valuable for you, just click Book a Demo, share your details, and our founders will reach out for a conversation!