In this project, I built a honeynet in Azure and analyzed the live traffic with Microsoft Sentinel to learn more about enhancing network security and handling incident response. I used Sentinel to build attack maps, trigger alerts, and record metrics.
Metrics:
- Windows Event Logs (SecurityEvent)
- Linux Event Logs (Syslog)
- Log Analytics Alerts (SecurityAlert)
- Incidents created by Sentinel (SecurityIncident)
- Malicious Flows / Possible Malware allowed into our honeynet (AzureNetworkAnalytics_CL)
The architecture of the honeynet in Azure consists of the following components:
- A Virtual Network (VNet)
- Multiple Network Security Groups (NSGs)
- 3 Virtual Machines (2 Windows, 1 Linux)
- A Log Analytics Workspace
- An Azure Key Vault
- An Azure Storage Account
- Microsoft Sentinel
In the "BEFORE" metrics, all resources were deployed with unrestricted exposure to the internet. Both the Virtual Machines and their Network Security Groups, alongside built-in firewalls, were configured with wide-open settings that completely exposed the environments to potential threats.
For the "AFTER" metrics, the Network Security Groups were hardened to block all inbound traffic except administrative access, and all other resources were protected with their built-in firewalls as well as private endpoints.
Attack maps built in Sentinel:
- Network Security Groups Allowed Inbound Malicious Flows
- Linux Syslog Authentication Failures
- Windows RDP/SMB Authentication Failures
- MS SQL Server Authentication Failures
The following table shows the metrics measured in the insecure environment over 24 hours:

Start Time: 2024-01-08 18:35
Stop Time: 2024-01-09 18:35

| Metric | Count |
|---|---|
| SecurityEvent | 53615 |
| Syslog | 17373 |
| SecurityAlert | 11 |
| SecurityIncident | 361 |
| AzureNetworkAnalytics_CL | 1648 |
The following table shows the metrics measured in my environment over another 24 hours, this time after applying the security controls:

Start Time: 2024-01-09 19:58
Stop Time: 2024-01-10 19:58

| Metric | Count |
|---|---|
| SecurityEvent | 12048 |
| Syslog | 31 |
| SecurityAlert | 0 |
| SecurityIncident | 0 |
| AzureNetworkAnalytics_CL | 0 |

All attack map queries returned no results, because there was no malicious activity during the 24-hour period after hardening.
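The counts in both tables come from KQL run against the Log Analytics workspace. As an added example that is not the original project's code, the queries below reproduce the metric table for one 24-hour window and give the base queries behind the four attack maps; the `FlowType_s == "MaliciousFlow"` filter for the flow count and the use of the `Event` table (Windows Application log) for MS SQL failures are assumptions about how the page's counts were taken.

```kql
// Metric table for one window. Times are the "BEFORE" window from the page;
// swap in the "AFTER" times (2024-01-09 19:58 to 2024-01-10 19:58) to rerun.
let start_time = datetime(2024-01-08 18:35);
let stop_time  = datetime(2024-01-09 18:35);
union
  (SecurityEvent    | where TimeGenerated between (start_time .. stop_time) | summarize Count = count() | extend Metric = "SecurityEvent"),
  (Syslog           | where TimeGenerated between (start_time .. stop_time) | summarize Count = count() | extend Metric = "Syslog"),
  (SecurityAlert    | where TimeGenerated between (start_time .. stop_time) | summarize Count = count() | extend Metric = "SecurityAlert"),
  (SecurityIncident | where TimeGenerated between (start_time .. stop_time) | summarize Count = count() | extend Metric = "SecurityIncident"),
  // Assumption: the page's flow count only includes flows Traffic Analytics tagged as malicious.
  (AzureNetworkAnalytics_CL | where TimeGenerated between (start_time .. stop_time) and FlowType_s == "MaliciousFlow"
                            | summarize Count = count() | extend Metric = "AzureNetworkAnalytics_CL")
| project Metric, Count

// Attack map base queries. Each one is run on its own (the editor runs the query under
// the cursor); the workbook map then plots the source addresses on a world map.

// 1. NSG allowed inbound malicious flows: flows Traffic Analytics flagged as malicious
//    that the NSG still let in.
AzureNetworkAnalytics_CL
| where FlowType_s == "MaliciousFlow" and AllowedInFlows_d > 0
| project TimeGenerated, SrcIP_s, DestIP_s, DestPort_d, FlowType_s

// 2. Linux SSH authentication failures from the auth facility of syslog.
Syslog
| where Facility == "auth" and SyslogMessage has "Failed password"
| project TimeGenerated, Computer, SyslogMessage

// 3. Windows RDP/SMB authentication failures: Event ID 4625 is a failed logon.
SecurityEvent
| where EventID == 4625
| project TimeGenerated, Computer, Account, IpAddress, LogonType

// 4. MS SQL Server authentication failures: SQL Server writes "Login failed" as
//    Event ID 18456 to the Windows Application log (assumes that log is collected).
Event
| where EventLog == "Application" and EventID == 18456
| project TimeGenerated, Computer, RenderedDescription
```

Running the metric query for the "AFTER" window should return the zeros shown in the second table, which is the quickest check that the NSG hardening actually took effect.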
I built a honeynet in Azure and analyzed live network traffic by ingesting its log sources into Microsoft Sentinel, which generated alerts and incidents from the ingested logs. Metrics were first measured in the insecure environment before applying NIST security controls, and the same metrics were then measured again after the controls were implemented.
The results showcased a significant reduction in the number of security events and incidents post-implementation.