This repository has been archived by the owner on Apr 3, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 63
/
AzurePrivateLink.yaml
113 lines (112 loc) · 4.44 KB
/
AzurePrivateLink.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
version: 1
ATT&CK version: 8.2
creation date: 03/26/2021
name: Azure Private Link
contact: [email protected]
organization: Center for Threat Informed Defense (CTID)
platform: Azure
tags:
- Azure Security Center Recommendation
- Network
description: >-
Azure Private Link enables you to access Azure PaaS Services (for example, Azure Storage and SQL
Database) and Azure hosted customer-owned/partner services over a private endpoint in your virtual
network.
Traffic between your virtual network and the service travels the Microsoft backbone network.
Exposing your service to the public internet is no longer necessary. You can create your own
private link service in your virtual network and deliver it to your customers. Setup and
consumption using Azure Private Link is consistent across Azure PaaS, customer-owned, and shared
partner services.
techniques:
- id: T1557
name: Man-in-the-Middle
technique-scores:
- category: Protect
value: Partial
comments: >-
This control provides partial protection for this technique's sub-techniques resulting
in an overall Partial score.
sub-techniques-scores:
- sub-techniques:
- id: T1557.002
name: ARP Cache Poisoning
- id: T1557.001
name: LLMNR/NBT-NS Poisoning and SMB Relay
scores:
- category: Protect
value: Partial
comments: >-
This control reduces the likelihood of MiTM for traffic between remote users, cloud, and 3rd parties
by routing the traffic via the Microsoft backbone rather than over the Internet.
- id: T1565
name: Data Manipulation
technique-scores:
- category: Protect
value: Minimal
comments: >-
This control provides partial protection for one of this technique's sub-techniques resulting
in an overall Minimal score.
sub-techniques-scores:
- sub-techniques:
- id: T1565.002
name: Transmitted Data Manipulation
scores:
- category: Protect
value: Partial
comments: >-
This control reduces the likelihood of data manipulation for traffic between remote users, cloud,
and 3rd parties by routing the traffic via the Microsoft backbone rather than over the Internet.
- id: T1499
name: Endpoint Denial of Service
technique-scores:
- category: Protect
value: Partial
comments: >-
Prevents Denial of Service (DOS) against systems that would otherwise need to connect via an
internet-traversing path (coverage partial, since doesn't apply to systems that must be
directly exposed to the Internet)
sub-techniques-scores:
- sub-techniques:
- id: T1499.004
name: Application or System Exploitation
- id: T1499.003
name: Application Exhaustion Flood
- id: T1499.002
name: Service Exhaustion Flood
- id: T1499.001
name: OS Exhaustion Flood
scores:
- category: Protect
value: Partial
- id: T1498
name: Network Denial of Service
technique-scores:
- category: Protect
value: Partial
comments: >-
Prevents Denial of Service (DOS) against systems that would otherwise need to connect via an
internet-traversing path (coverage partial, since doesn't apply to systems that must be
directly exposed to the Internet)
sub-techniques-scores:
- sub-techniques:
- id: T1498.002
name: Reflection Amplification
- id: T1498.001
name: Direct Network Flood
scores:
- category: Protect
value: Partial
- id: T1040
name: Network Sniffing
technique-scores:
- category: Protect
value: Partial
comments: >-
This control reduces the likelihood of a network sniffing attack for traffic between remote users,
cloud, and 3rd parties by routing the traffic via the Microsoft backbone rather than over the Internet.
comments: >-
This is a private network service, allowing connections between Azure, on-prem, and 3rd party
services without traversing the Internet. Generally this reduces risk from MiTM, DOS,
network-based data manipulation and network sniffing from untrusted network.
references:
- 'https://docs.microsoft.com/azure/private-link/private-link-overview'