

How Attackers Stay Hidden Inside Your Azure Cloud
Apr 10, 2025
Christian Philipov, a Principal Security Consultant at WithSecure specializing in cloud security, shares insights into common tactics that keep attackers hidden in Azure. He discusses lesser-known APIs like Ibiza and PIM, and highlights the challenges of detecting stealthy activity. Philipov also explains the importance of Microsoft Graph for security operations and how to enhance detection mechanisms. The conversation wraps up with a fun exchange about personal interests like video games and food, showcasing how empathy can play a role in cybersecurity.
AI Snips
Azure Stealthy Activities Lack Logging
- Stealth in Azure mainly stems from poor logging of enumeration and other read-only activity in the platform's telemetry.
- Unlike on-premises environments or AWS, Azure lacked read-event logs, making initial reconnaissance hard to detect.
Azure's Multiple APIs Impact Detection
- Azure has multiple APIs like Microsoft Graph, Azure AD Graph, Ibiza API, and PIM API.
- Some of these APIs don't log read-only enumeration well, which makes them useful to an attacker who wants to stay stealthy.
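Read-only Graph calls do not appear in the Entra ID audit log, but Microsoft Graph activity logs, when enabled and routed to a Log Analytics workspace, record each request and so give a place to hunt for the enumeration described above. The Python below is an added example, not code from the episode or from WithSecure: a small sliding-window detector run over constructed records shaped loosely like the MicrosoftGraphActivityLogs table. The field names, the list of reconnaissance resources, the thresholds and the sample principals are all assumptions made for this example.

```python
"""Toy detector for bulk read-only directory enumeration in Microsoft Graph
activity logs. Added example; record shape loosely modeled on the
MicrosoftGraphActivityLogs table (RequestUri, RequestMethod, ResponseStatusCode,
UserId, ServicePrincipalId, IPAddress). Thresholds and samples are assumptions."""
from collections import deque
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import urlparse

# Directory resources an attacker typically reads during reconnaissance
# (hypothetical list chosen for this example, not an official taxonomy).
RECON_RESOURCES = {
    "users", "groups", "servicePrincipals", "applications", "directoryRoles",
    "roleManagement", "devices", "domains", "organization", "identity",
}


def parse_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def graph_resource(request_uri: str) -> Optional[str]:
    """Top-level Graph resource of a request, e.g. 'users' for
    https://graph.microsoft.com/v1.0/users/{id}/memberOf; None if absent."""
    parts = [p for p in urlparse(request_uri).path.split("/") if p]
    if parts and parts[0] in ("v1.0", "beta"):
        parts = parts[1:]
    return parts[0] if parts else None


def principal_of(rec: dict) -> str:
    # A Graph call is made either by a user (delegated) or by an app (application permission).
    return rec.get("UserId") or rec.get("ServicePrincipalId") or "unknown"


def detect_enumeration(records, window=timedelta(minutes=10), min_reads=20, min_resource_types=3):
    """Flag principals that issue many successful GET calls against several
    distinct directory resource types inside a sliding time window.
    Writes are skipped: those already surface in the audit log."""
    reads = {}
    for rec in records:
        if rec.get("RequestMethod") != "GET" or rec.get("ResponseStatusCode") != 200:
            continue
        res = graph_resource(rec["RequestUri"])
        if res not in RECON_RESOURCES:
            continue
        reads.setdefault(principal_of(rec), []).append((parse_time(rec["TimeGenerated"]), res))

    alerts = []
    for principal, events in reads.items():
        events.sort()
        recent = deque()          # events inside the current window
        best = None               # the densest window seen for this principal
        for t, res in events:
            recent.append((t, res))
            while recent and t - recent[0][0] > window:
                recent.popleft()
            kinds = {r for _, r in recent}
            if len(recent) >= min_reads and len(kinds) >= min_resource_types:
                if best is None or len(recent) > best["reads"]:
                    best = {"principal": principal, "reads": len(recent),
                            "resources": sorted(kinds), "window_end": t.isoformat()}
        if best:
            alerts.append(best)
    return alerts


def build_sample_logs():
    """Constructed sample (not real telemetry): one service principal sweeping
    the directory, one ordinary user reading profiles, plus one write."""
    base = datetime(2025, 4, 10, 9, 0, 0, tzinfo=timezone.utc)

    def rec(offset_s, method, uri, status=200, user="", sp=""):
        return {"TimeGenerated": (base + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ"),
                "RequestMethod": method, "RequestUri": uri, "ResponseStatusCode": status,
                "UserId": user, "ServicePrincipalId": sp, "IPAddress": "203.0.113.10"}

    sweep = ["users?$top=999", "groups", "servicePrincipals", "applications",
             "roleManagement/directory/roleAssignments", "directoryRoles"]
    logs = [rec(5 * i, "GET", f"https://graph.microsoft.com/v1.0/{sweep[i % len(sweep)]}",
                sp="sp-0000-recon") for i in range(24)]
    logs += [rec(60, "GET", "https://graph.microsoft.com/v1.0/me", user="user-1111"),
             rec(61, "GET", "https://graph.microsoft.com/v1.0/me/memberOf", user="user-1111"),
             rec(62, "GET", "https://graph.microsoft.com/v1.0/users/user-2222", user="user-1111"),
             rec(90, "POST", "https://graph.microsoft.com/v1.0/groups", status=201, sp="sp-0000-recon")]
    return logs


if __name__ == "__main__":
    for alert in detect_enumeration(build_sample_logs()):
        print(alert)
```

The thresholds are deliberately loose; in a real tenant, tune `min_reads` and `min_resource_types` against a baseline of known sync and backup applications, and key the grouping on the app ID plus source IP rather than on the service principal alone, since a compromised application permission is the usual way this enumeration is performed without a user sign-in.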
Ibiza and PIM APIs Explained
- The Ibiza API is a middleware used by the Azure portal to interact with Microsoft Graph and Azure Resource Manager.
- PIM API is a standalone service focused on privileged identity management with limited logging integration.