跳到主要內容

Review & Remediate Attack Path Risks

Implementation Effort: Medium — Requires enabling Defender CSPM, reviewing attack path analysis, and remediating high-risk recommendations across storage and related resources.

User Impact: Low — This is a backend security operation; users are not directly involved.

Overview

Microsoft Defender for Storage, through its integration with Defender for Cloud, provides Attack Path Analysis to help identify and remediate risks that could lead to data breaches. Attack paths are visual representations of how attackers could move laterally through your environment to reach sensitive storage resources.

Key Capabilities

  • Context-aware risk prioritization: Attack paths are ranked by severity using a proprietary algorithm that considers exposure, sensitivity, and exploitability 1.
  • Multicloud visibility: Attack paths span Azure, AWS, and GCP environments.
  • Data-centric filtering: You can filter attack paths that specifically target sensitive data in storage accounts 2.

How to Review Attack Paths

  1. Go to Microsoft Defender for Cloud in the Azure portal.
  2. Navigate to Attack path analysis.
  3. Select an attack path to view its structure.
  4. Click on a node to view insights and associated recommendations.
  5. Use filters like Sensitive data to focus on high-impact risks 2.

How to Remediate Attack Paths

  1. From the Attack path analysis view, select an attack path.
  2. Click Remediation.
  3. Review and apply the recommended actions, such as:
    • Disabling public access to storage
    • Enforcing secure transfer (HTTPS)
    • Enabling malware scanning or sensitive data discovery
    • Restricting access using private endpoints or RBAC 1

Prerequisites

  • Defender CSPM must be enabled.
  • Agentless scanning should be active.
  • Required roles: Security Reader, Security Admin, Contributor, or Owner 1.

Failing to review and remediate attack paths can leave your storage accounts exposed to lateral movement, privilege escalation, and data exfiltration.

This activity supports the Zero Trust principle of "Assume Breach" by proactively identifying and closing exploitable paths to sensitive storage resources.

Reference