Collinsgora/azure-breach-irp

GitHub: Collinsgora/azure-breach-irp

Azure cloud security breach incident response plan: a complete response guide built on a seven-phase lifecycle that expands the NIST SP 800-61 incident handling model (NIST itself defines four phases), with MITRE ATT&CK mapping, KQL queries and CLI runbooks

Stars: 0 | Forks: 0

# 🔴 Azure Cloud Security Breach — Incident Response Plan

**Author:** Collins Gora | Cloud Security Engineer · SOC Analyst · GRC Practitioner
**Organisation:** Mancollins Trading (Pty) Ltd
**Version:** 3.0 | March 2026
**Certifications:** CompTIA Security+ · Network+ · AZ-900 · SC-900 · SOC Level 1

[![TryHackMe](https://img.shields.io/badge/TryHackMe-Top_3%25_South_Africa-red?style=flat-square&logo=tryhackme)](https://tryhackme.com) [![AZ-104](https://img.shields.io/badge/AZ--104-In_Progress-blue?style=flat-square&logo=microsoft-azure)](https://learn.microsoft.com/en-us/certifications/exams/az-104/) [![AZ-500](https://img.shields.io/badge/AZ--500-In_Progress-blue?style=flat-square&logo=microsoft-azure)](https://learn.microsoft.com/en-us/certifications/exams/az-500/)
## 📋 Table of Contents

| # | Section | Description |
|---|---------|-------------|
| 1 | [Overview & Architecture](#overview--architecture) | IRP lifecycle, scope, framework alignment |
| 2 | [Severity Classification](#severity-classification) | SEV-1 to SEV-4 and response SLAs |
| 3 | [Breach Categories & MITRE ATT&CK Mapping](#breach-categories--mitre-attck-mapping) | Attack types mapped to ATT&CK techniques |
| 4 | [IRP Phases](#irp-phases) | 7-phase response lifecycle |
| 5 | [Roles & Responsibilities](#roles--responsibilities) | Who does what during an incident |
| 6 | [Quick-Reference Runbooks](./runbooks/) | Copy-paste CLI commands grouped by scenario |
| 7 | [KQL Query Library](./kql-queries/) | Sentinel / Log Analytics investigation queries |
| 8 | [Evidence & Chain of Custody](./evidence/) | Collection commands and custody documentation template |
| 9 | [Templates](./templates/) | Incident log, PIR, stakeholder communications |
| 10 | [References](#references--standards) | NIST, MITRE, ISO, CIS, POPIA |

## Overview & Architecture

### IRP Lifecycle — Full 7-Phase Flow

```mermaid
flowchart TD
    A([🔍 Threat Detected]) --> B{Validate Alert}
    B -->|False Positive| Z([✅ Close & Document])
    B -->|Confirmed| C[📢 Declare Incident\nAssign Severity + IC]
    C --> D[Phase 1\n🛡️ PREPARATION\nControls in place before breach]
    D --> E[Phase 2\n🔍 DETECTION\nIdentify & triage the threat]
    E --> F[Phase 3\n🛑 CONTAINMENT\nStop the bleeding]
    F --> G[Phase 4\n🔎 INVESTIGATION\nForensics & attack path]
    G --> H[Phase 5\n🧹 ERADICATION\nRemove all attacker presence]
    H --> I[Phase 6\n♻️ RECOVERY\nRestore clean services]
    I --> J[Phase 7\n📊 POST-INCIDENT REVIEW\nBlameless retrospective]
    J --> K([📁 Lessons Applied\nControls Updated])
    F -.->|Evidence collected first| G
    G -.->|Scope changes| F
    style A fill:#C0392B,color:#fff,stroke:#922B21
    style B fill:#F39C12,color:#fff,stroke:#D68910
    style C fill:#1A3A5C,color:#fff,stroke:#0D1F33
    style D fill:#2E75B6,color:#fff,stroke:#1A4D80
    style E fill:#2E75B6,color:#fff,stroke:#1A4D80
    style F fill:#C0392B,color:#fff,stroke:#922B21
    style G fill:#8E44AD,color:#fff,stroke:#6C3483
    style H fill:#D35400,color:#fff,stroke:#9C3A00
    style I fill:#27AE60,color:#fff,stroke:#1D8348
    style J fill:#1A3A5C,color:#fff,stroke:#0D1F33
    style K fill:#27AE60,color:#fff,stroke:#1D8348
    style Z fill:#7F8C8D,color:#fff,stroke:#5D6D7E
```

The two dotted edges carry the lifecycle's key ordering rules: forensic evidence is captured before containment changes the state of the environment, and any widening of scope found during investigation sends the team back to containment rather than forward to eradication.

### Azure Security Architecture — Defence in Depth

```mermaid
graph TB
    subgraph INTERNET["🌐 Internet / External Threats"]
        ATK([👤 Threat Actor])
    end
    subgraph PERIMETER["🔒 Perimeter Layer"]
        FW[Azure Firewall\nDDoS Protection]
        WAF[Application Gateway\nWAF v2]
    end
    subgraph IDENTITY["🪪 Identity Layer — Zero Trust"]
        CA[Conditional Access\nPolicies]
        PIM[Privileged Identity\nManagement PIM]
        IDP[Identity Protection\nRisk Policies]
    end
    subgraph WORKLOAD["⚙️ Workload Layer"]
        VM[Virtual Machines\nDefender for Servers]
        AKS[AKS Containers\nDefender for Containers]
        APP[App Services\nDefender for App Service]
    end
    subgraph DATA["💾 Data Layer"]
        KV[Key Vault\nPurge Protection]
        SA[Storage Accounts\nPrivate Endpoints]
        SQL[Azure SQL\nDefender for SQL]
    end
    subgraph DETECTION["🔭 Detection & Response Layer"]
        MDC[Microsoft Defender\nfor Cloud]
        SENT[Microsoft Sentinel\nSIEM / SOAR]
        MON[Azure Monitor\nActivity Log Alerts]
    end
    ATK -->|Attack vectors| FW
    ATK -->|Phishing / Credential| CA
    FW --> WAF
    WAF --> WORKLOAD
    CA --> PIM
    PIM --> WORKLOAD
    IDP --> CA
    WORKLOAD --> DATA
    WORKLOAD --> MDC
    IDENTITY --> MDC
    DATA --> MDC
    MDC --> SENT
    MON --> SENT
    SENT -->|🚨 Alert| IRP([IRP Triggered])
    style INTERNET fill:#FADBD8,stroke:#C0392B
    style PERIMETER fill:#FDEBD0,stroke:#D35400
    style IDENTITY fill:#EBF5FB,stroke:#2E75B6
    style WORKLOAD fill:#E9F7EF,stroke:#27AE60
    style DATA fill:#F5EEF8,stroke:#8E44AD
    style DETECTION fill:#EBF4FB,stroke:#1A3A5C
    style IRP fill:#C0392B,color:#fff,stroke:#922B21
```

## Severity Classification

```mermaid
quadrantChart
    title Azure Incident Severity — Impact vs Urgency
    x-axis Low Urgency --> High Urgency
    y-axis Low Impact --> High Impact
    quadrant-1 SEV-1 CRITICAL
    quadrant-2 SEV-2 HIGH
    quadrant-3 SEV-4 LOW
    quadrant-4 SEV-3 MEDIUM
    Ransomware Deployed: [0.95, 0.95]
    Full Tenant Compromise: [0.90, 0.98]
    Global Admin Breach: [0.85, 0.90]
    Active Data Exfiltration: [0.88, 0.85]
    Privilege Escalation: [0.75, 0.80]
    Lateral Movement: [0.70, 0.75]
    Suspicious Sign-in: [0.45, 0.50]
    Single Resource Compromise: [0.50, 0.55]
    Failed Brute Force: [0.25, 0.30]
    Policy Violation: [0.20, 0.25]
    Misconfiguration Detected: [0.30, 0.20]
```

| Severity | Code | Description | Response SLA | Escalation |
|----------|------|-------------|--------------|------------|
| 🔴 | **SEV-1 CRITICAL** | Ransomware, full tenant compromise, active data exfiltration | **15 minutes** | IC + All Hands |
| 🟠 | **SEV-2 HIGH** | Privileged account compromise, lateral movement, data exposure | **1 hour** | IC + Security Lead |
| 🟡 | **SEV-3 MEDIUM** | Suspicious sign-in, single resource compromise, anomalous API calls | **4 hours** | Security Analyst |
| 🟢 | **SEV-4 LOW** | Policy violation, failed attack, misconfiguration | **24 hours** | On-call Analyst |

The SLA is the time to first response by the named escalation tier, measured from incident declaration. An incident takes the severity of its most severe confirmed finding, and severity is re-assessed whenever investigation widens the scope.

## Breach Categories & MITRE ATT&CK Mapping

```mermaid
mindmap
  root((Azure Breach\nCategories))
    Identity
      T1078 Valid Accounts
      T1110 Brute Force
      T1556 Modify Auth
    Privilege Escalation
      T1548 Abuse Elevation
      T1098 Account Manipulation
      T1136 Create Account
    Data Access
      T1530 Cloud Storage Data
      T1552 Unsecured Credentials
      T1213 Data from Info Repos
    Persistence
      T1098.001 Additional Cloud Credentials
      T1136.003 Cloud Account
      T1525 Implant in Image
    Exfiltration
      T1048 Alt Protocol Exfil
      T1567 Exfil to Web Service
      T1537 Transfer to Cloud Acct
    Impact
      T1496 Resource Hijacking
      T1490 Inhibit Recovery
      T1486 Data Encrypted
```

| Breach category | Common indicators | MITRE technique | Default severity |
|-----------------|-------------------|-----------------|------------------|
| **Identity compromise** | Impossible travel, MFA bypass, unfamiliar IP | T1078 – Valid Accounts | SEV-2 |
| **Service principal abuse** | New SP credentials, unexpected API calls | T1098.001 – Additional Cloud Credentials | SEV-2 |
| **Privilege escalation** | New Owner role, PIM abuse, new Global Admin | T1098.003 – Additional Cloud Roles (new Owner / Global Admin); T1548.005 – Temporary Elevated Cloud Access (PIM abuse) | SEV-1 |
| **Tenant backdoor** | New federation trust, malicious enterprise app | T1484.002 – Trust Modification (federation); T1136.003 – Cloud Account (malicious app / service principal) | SEV-1 |
| **Storage data exfiltration** | Public blob access, bulk downloads, SAS token spike | T1530 – Data from Cloud Storage | SEV-2 |
| **VM ransomware / cryptomining** | Mining, C2 beacons, high outbound traffic | T1496 – Resource Hijacking (mining); T1486 – Data Encrypted for Impact (ransomware) | SEV-1 |
| **Key Vault compromise** | Unknown identity reading secrets | T1555.006 – Cloud Secrets Management Stores | SEV-2 |
| **Secrets exposure** | API keys in logs, PATs in commit history | T1552.001 – Credentials In Files | SEV-2 |
| **Network exfiltration** | NSG rules modified, unexpected public IP | T1562.007 – Disable or Modify Cloud Firewall (NSG change); T1048 – Exfiltration Over Alternative Protocol | SEV-2 |
| **Supply chain attack** | Compromised dependencies, malicious pipeline steps | T1195 – Supply Chain Compromise | SEV-1 |

The default severity is a starting point for triage, not a ceiling: a SEV-2 service-principal credential added by an identity that then assigns itself Owner becomes a SEV-1 privilege escalation.

## IRP Phases

### Phase Decision Tree

```mermaid
flowchart LR
    A[Alert Fires] --> B{Is it real?}
    B -->|No| Z[Document\nClose Ticket]
    B -->|Yes| C{Severity?}
    C -->|SEV-1| D1[15 min\nAll hands]
    C -->|SEV-2| D2[1 hour\nSecurity lead]
    C -->|SEV-3| D3[4 hours\nAnalyst]
    C -->|SEV-4| D4[24 hours\nOn-call]
    D1 --> E[Collect\nEvidence First]
    D2 --> E
    D3 --> E
    D4 --> E
    E --> F[Contain]
    F --> G[Investigate]
    G --> H{Scope\ncomplete?}
    H -->|No| G
    H -->|Yes| I[Eradicate]
    I --> J[Verify Clean]
    J --> K[Recover]
    K --> L[PIR]
    style D1 fill:#C0392B,color:#fff
    style D2 fill:#D35400,color:#fff
    style D3 fill:#F39C12,color:#fff
    style D4 fill:#27AE60,color:#fff
```

| Phase | Name | Key actions | Document |
|-------|------|-------------|----------|
| 1 | 🛡️ Preparation | Pre-breach controls, monitoring setup, backup validation | [→ docs/01-preparation.md](./docs/01-preparation.md) |
| 2 | 🔍 Detection | Alert triage, scope assessment, incident declaration | [→ docs/02-detection.md](./docs/02-detection.md) |
| 3 | 🛑 Containment | Identity lockdown, network isolation, secret rotation | [→ docs/03-containment.md](./docs/03-containment.md) |
| 4 | 🔎 Investigation | KQL forensics, attack path reconstruction, MITRE mapping | [→ docs/04-investigation.md](./docs/04-investigation.md) |
| 5 | 🧹 Eradication | Remove persistence, clean up resources, verify no IOCs remain | [→ docs/05-eradication.md](./docs/05-eradication.md) |
| 6 | ♻️ Recovery | Restore from clean backups, validate, re-enable services | [→ docs/06-recovery.md](./docs/06-recovery.md) |
| 7 | 📊 Post-Incident Review | Blameless PIR, lessons learned, control improvements | [→ docs/07-post-incident-review.md](./docs/07-post-incident-review.md) |

## Roles & Responsibilities

```mermaid
graph LR
    IC[👑 Incident Commander\nDecision authority\nExternal comms owner]
    SA[🔍 Security Analyst\nKQL investigation\nAlert triage]
    CL[☁️ Cloud Lead\nCLI containment\nResource isolation]
    IL[🪪 IAM Lead\nEntra ID\nRole cleanup]
    DL[🛠️ DevOps Lead\nSecrets rotation\nPipeline review]
    CM[📣 Comms Lead\nStakeholder updates\nRegulatory notices]
    IC --> SA
    IC --> CL
    IC --> IL
    IC --> DL
    IC --> CM
    SA -.->|Findings| IC
    CL -.->|Actions| IC
    IL -.->|Actions| IC
    style IC fill:#1A3A5C,color:#fff
    style SA fill:#2E75B6,color:#fff
    style CL fill:#8E44AD,color:#fff
    style IL fill:#D35400,color:#fff
    style DL fill:#27AE60,color:#fff
    style CM fill:#7F8C8D,color:#fff
```

## Repository Structure

```
azure-breach-irp/
├── README.md                          ← You are here
├── docs/
│   ├── 01-preparation.md              ← Pre-breach readiness checklist
│   ├── 02-detection.md                ← Triage & incident declaration
│   ├── 03-containment.md              ← CLI containment commands
│   ├── 04-investigation.md            ← Forensics & KQL queries
│   ├── 05-eradication.md              ← Eradication checklist
│   ├── 06-recovery.md                 ← Recovery steps & validation
│   └── 07-post-incident-review.md     ← PIR agenda & action items
├── runbooks/
│   ├── RB-01-compromised-global-admin.md
│   ├── RB-02-ransomware-azure-vm.md
│   ├── RB-03-secrets-exposed.md
│   └── RB-04-mass-blob-exfiltration.md
├── kql-queries/
│   ├── identity-investigation.kql
│   ├── privilege-escalation.kql
│   ├── data-exfiltration.kql
│   └── vm-network-forensics.kql
├── evidence/
│   ├── collection-commands.sh
│   └── chain-of-custody-template.md
└── templates/
    ├── incident-log-template.md
    ├── pir-template.md
    └── stakeholder-comms-template.md
```

## References & Standards

| Standard | Description |
|----------|-------------|
| [NIST SP 800-61r2](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf) | Computer Security Incident Handling Guide (Rev. 2; superseded by Rev. 3 in April 2025, which aligns the phases with CSF 2.0) |
| [MITRE ATT&CK Cloud](https://attack.mitre.org/matrices/enterprise/cloud/azure/) | Adversary tactics and techniques — Azure |
| [ISO/IEC 27035](https://www.iso.org/standard/78974.html) | Information security incident management |
| [CIS Azure Benchmark](https://www.cisecurity.org/benchmark/azure) | Azure secure configuration best practices |
| [Microsoft Sentinel Playbooks](https://learn.microsoft.com/en-us/azure/sentinel/incident-response-playbooks) | Official Microsoft SOAR playbooks |
| [Entra ID Security Ops](https://learn.microsoft.com/en-us/entra/architecture/security-operations-introduction) | Identity incident investigation guide |
| [POPIA — Information Regulator](https://www.justice.gov.za/inforeg/) | South African data protection law |
| [Microsoft MSRC](https://www.microsoft.com/en-us/msrc) | Microsoft Security Response Center |

## Reporting Security Issues

Found a vulnerability? **Do not open a public issue.** Expected response: acknowledgement within **48 hours**, and a remediation timeline within **5 business days**.
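## Worked Example: Triage Rules for the Breach Category Table

The breach-category table above names indicators, an ATT&CK technique and a default severity for each category, but not the log fields through which an indicator actually shows up. The following is an added example, not code from the azure-breach-irp repository: it runs that mapping as stand-alone Python triage rules over constructed sample records whose field names are modelled on Entra ID `AuditLogs` / `SigninLogs`, the Azure Activity Log and `StorageBlobLogs`. The thresholds, the `contoso.example` principals, the record shapes and the `Table` discriminator are assumptions for the example. A new Global Administrator assignment is tagged T1098.003 (Additional Cloud Roles), the sub-technique ATT&CK uses for a role grant, and an NSG rule opened to `*` is tagged T1562.007 (Disable or Modify Cloud Firewall); the incident inherits the most severe finding, as the severity table requires.

```python
"""Triage constructed Azure / Entra ID log records into breach categories.

Added example for the azure-breach-irp README; not the repository's own code.
Field names follow Entra AuditLogs / SigninLogs, AzureActivity and
StorageBlobLogs, but every record in SAMPLE_RECORDS is constructed.
"""
from collections import Counter

SEVERITY_RANK = {"SEV-1": 1, "SEV-2": 2, "SEV-3": 3, "SEV-4": 4}
SLA_MINUTES = {"SEV-1": 15, "SEV-2": 60, "SEV-3": 240, "SEV-4": 1440}

# Assumed thresholds; tune to the tenant's observed baseline.
BULK_DOWNLOAD_THRESHOLD = 100   # GetBlob calls from one IP against one account
BRUTE_FORCE_THRESHOLD = 20      # failed sign-ins against one account
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}


def _finding(category, technique, severity, evidence):
    return {"category": category, "technique": technique, "severity": severity,
            "sla_minutes": SLA_MINUTES[severity], "evidence": evidence}


def classify_record(rec):
    """Single-record rules from the table; returns a finding or None."""
    table, op = rec.get("Table"), rec.get("OperationName", "")
    if table == "AuditLogs":
        if op == "Add member to role" and rec.get("Role") in PRIVILEGED_ROLES:
            return _finding("Privilege escalation", "T1098.003", "SEV-1",
                            f"{rec['InitiatedBy']} granted {rec['Role']} to {rec['Target']}")
        if op == "Add service principal credentials":
            return _finding("Service principal abuse", "T1098.001", "SEV-2",
                            f"new credential on {rec['Target']} by {rec['InitiatedBy']}")
        if op in ("Set federation settings on domain", "Set domain authentication"):
            return _finding("Tenant backdoor", "T1484.002", "SEV-1",
                            f"federation changed on {rec['Target']} by {rec['InitiatedBy']}")
    if table == "AzureActivity" and op.endswith("networkSecurityGroups/securityRules/write"):
        props = rec.get("Properties", {})
        if props.get("access") == "Allow" and props.get("sourceAddressPrefix") in ("*", "Internet"):
            return _finding("Network exfiltration", "T1562.007", "SEV-2",
                            f"NSG rule opened port {props.get('destinationPortRange')} "
                            f"to {props.get('sourceAddressPrefix')} by {rec.get('Caller')}")
    return None


def classify_aggregates(records):
    """Volume rules that only make sense over a window of records."""
    findings = []
    blob_pulls = Counter(
        (r["CallerIpAddress"], r["AccountName"]) for r in records
        if r.get("Table") == "StorageBlobLogs" and r.get("OperationName") == "GetBlob"
        and r.get("AuthenticationType") in ("SAS", "Anonymous"))
    for (ip, account), n in blob_pulls.items():
        if n >= BULK_DOWNLOAD_THRESHOLD:
            findings.append(_finding("Storage data exfiltration", "T1530", "SEV-2",
                                     f"{n} GetBlob calls on {account} from {ip} via SAS/anonymous"))
    failed = Counter(r["UserPrincipalName"] for r in records
                     if r.get("Table") == "SigninLogs" and r.get("ResultType") != "0")
    for upn, n in failed.items():
        if n >= BRUTE_FORCE_THRESHOLD:
            findings.append(_finding("Failed brute force", "T1110", "SEV-4",
                                     f"{n} failed sign-ins for {upn}"))
    return findings


def triage(records):
    """All findings for a window of records, most urgent first."""
    findings = [f for f in (classify_record(r) for r in records) if f]
    findings += classify_aggregates(records)
    return sorted(findings, key=lambda f: SEVERITY_RANK[f["severity"]])


def incident_severity(findings):
    """The incident inherits its most severe finding (None if nothing fired)."""
    return min((f["severity"] for f in findings), key=SEVERITY_RANK.get, default=None)


# Constructed sample window: one GA grant, one SP credential, one benign update,
# one NSG rule opened to the internet, 150 SAS downloads, 25 failed sign-ins.
SAMPLE_RECORDS = [
    {"Table": "AuditLogs", "OperationName": "Add member to role", "InitiatedBy": "alice@contoso.example",
     "Target": "svc-backup@contoso.example", "Role": "Global Administrator"},
    {"Table": "AuditLogs", "OperationName": "Add service principal credentials",
     "InitiatedBy": "bob@contoso.example", "Target": "sp-ci-deploy"},
    {"Table": "AuditLogs", "OperationName": "Update user", "InitiatedBy": "hr-sync",
     "Target": "dave@contoso.example"},
    {"Table": "AzureActivity", "OperationName": "Microsoft.Network/networkSecurityGroups/securityRules/write",
     "Caller": "bob@contoso.example",
     "Properties": {"access": "Allow", "destinationPortRange": "3389", "sourceAddressPrefix": "*"}},
] + [{"Table": "StorageBlobLogs", "OperationName": "GetBlob", "AuthenticationType": "SAS",
      "CallerIpAddress": "203.0.113.7", "AccountName": "prodfiles"} for _ in range(150)] \
  + [{"Table": "SigninLogs", "UserPrincipalName": "carol@contoso.example", "ResultType": "50126",
      "IPAddress": "198.51.100.9"} for _ in range(25)]

if __name__ == "__main__":
    found = triage(SAMPLE_RECORDS)
    print("incident severity:", incident_severity(found))
    for f in found:
        print(f"{f['severity']} ({f['sla_minutes']} min) {f['technique']} {f['category']}: {f['evidence']}")
```

In Sentinel the single-record rules are `where OperationName == ...` filters on the respective tables and the aggregate rules are `summarize count() by ...` with a threshold; the value of the stand-alone version is that the category mapping and the severity-inheritance logic can be unit-tested before the analytics rules are deployed.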
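## Worked Example: Evidence Manifest for the Chain of Custody

The lifecycle diagram requires evidence to be collected before containment changes the environment, and the evidence is only usable later if its integrity can be shown. The following is an added example, not the repository's `evidence/collection-commands.sh` or its custody template: it hashes every collected file into a manifest carrying the incident id, the collector and a UTC timestamp, and re-verifies the set to report files that have gone missing, been modified, or appeared after collection. The manifest layout, the `INC-0001` identifier and the two sample files the demo writes are constructed for the example.

```python
"""Chain-of-custody manifest for collected evidence files.

Added example for the azure-breach-irp README; not the repository's own script.
The manifest layout is an assumption; demo() writes constructed sample files.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

MANIFEST_NAME = "manifest.json"


def sha256_file(path, chunk=1 << 20):
    """Stream the file so large VM disk images do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def _evidence_files(root):
    return sorted(p for p in root.rglob("*") if p.is_file() and p.name != MANIFEST_NAME)


def build_manifest(evidence_dir, incident_id, collector):
    """Hash every file under evidence_dir and write manifest.json beside them."""
    root = Path(evidence_dir)
    entries = [{"path": p.relative_to(root).as_posix(), "size": p.stat().st_size,
                "sha256": sha256_file(p)} for p in _evidence_files(root)]
    manifest = {
        "incident_id": incident_id,
        "collector": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "files": entries,
        # Digest over the entry list, so the custody log can cite one value.
        "manifest_sha256": hashlib.sha256(
            json.dumps(entries, sort_keys=True).encode()).hexdigest(),
    }
    (root / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_manifest(evidence_dir):
    """Return discrepancies as 'missing: x', 'modified: x' or 'unlisted: x'; [] if clean."""
    root = Path(evidence_dir)
    manifest = json.loads((root / MANIFEST_NAME).read_text())
    expected = {e["path"]: e["sha256"] for e in manifest["files"]}
    problems = []
    for rel, digest in expected.items():
        p = root / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            problems.append(f"modified: {rel}")
    present = {p.relative_to(root).as_posix() for p in _evidence_files(root)}
    problems += [f"unlisted: {rel}" for rel in sorted(present - expected.keys())]
    return problems


def demo(tmp_root=None):
    """Constructed evidence set: collect, verify clean, tamper, verify again."""
    base = Path(tmp_root or tempfile.mkdtemp(prefix="irp-evidence-"))
    case = base / "INC-0001"
    (case / "vm").mkdir(parents=True, exist_ok=True)
    (case / "signin-logs.json").write_text(
        '[{"UserPrincipalName": "alice@contoso.example", "ResultType": "0"}]')
    (case / "vm" / "nsg-rules.json").write_text('{"rules": []}')
    build_manifest(case, "INC-0001", "analyst@contoso.example")
    clean = verify_manifest(case)
    # Simulate post-collection tampering with one artefact.
    (case / "vm" / "nsg-rules.json").write_text('{"rules": ["tampered"]}')
    return clean, verify_manifest(case)


if __name__ == "__main__":
    before, after = demo()
    print("clean verification:", before)      # []
    print("after tampering:", after)          # ['modified: vm/nsg-rules.json']
```

Record the `manifest_sha256` value in the custody template at hand-over time; anyone receiving the evidence set later can re-run `verify_manifest` and compare the value without trusting the sender's copy of the file list.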
**Maintainer: Collins Gora** *Reviewed after every SEV-1/SEV-2 incident · Updated quarterly* *Version 3.0 · March 2026 · Confidential*