Wrapping up our Cyber Triage in the Cloud series, we’re taking a look at Microsoft Azure and how we can use it for cloud-based incident response. We previously looked at AWS and GCP. This post will be useful if you are already an Azure customer or if you are looking to move your DFIR lab to the cloud.
In this post, we are going to talk about database options only. The Azure Blob storage is not S3-compatible and therefore the collection tool can not directly upload to it (but we are working on it). The database options are also applicable to Autopsy, since it shares the same PostgreSQL database as Cyber Triage Team.
Benefits of Azure Digital Forensics in The Cloud
First, let’s review the basics of why DFIR labs are moving to the cloud. Namely:
- Scaling: It can be easier to set up Server VMs and expand storage as needed.
- Access: For consultants and MSSPs, a cloud is a central place that doesn’t require either party to give the other VPN access to their internal network. The cloud is also an easier place for responders to get access to when they are traveling or working remotely.
- Maintenance: If you use could-provided services, then you will likely not need to worry about updating the software and backups.
Azure Database Options
Of the three main providers, Azure was the most confusing for database options. The Types of Databases on Azure page lists 10 databases with 5 of them mentioning SQL. Cyber Triage and Autopsy need a PostgreSQL database and Azure Database for PostgreSQL is the only top-level option. This option gives you a managed PostgreSQL instance, which means Azure will be responsible for updates and installation.
When you create one of these instances, you’ll be given 4 further options:
- Single Server: A managed PostgreSQL instance.
- Flexible Server (Preview): A managed PostgreSQL version that you have more control over, some details are here.
- Hyperscale (Citrus) server group: Uses the Citus extension to make a distributed PostgreSQL database cluster. More details are here.
- Azure Arc Enabled PostgreSQL Hyperscale (Preview): This allows you to use the Citus extension on your own hardware and on-premise cloud. More details are here.
The cloud-native SQL database that Azure provides does not have a PostgreSQL-like API.
Of the four options above, the two Hyperscale (Citus) options limit you to a single database per server. Cyber Triage and Autopsy both make one database per collection (or case in Autopsy), so those database options will not work for our use case. That leaves the Single and Flexible Server options.
Here’s an example Cyber Triage deployment with Cloud SQL.
Picking an Azure Database for Incident Response
Like we did for AWS and GCP, we did some basic testing and cost profiling. We performed two tests per configuration. One was to time how long it takes to ingest a single copy of a large test collection (2.5GB). The second was to time how long it takes to add 50 copies of that collection with three being processed in parallel.
Note that we did not test all memory and CPU options. The goal here is to provide some basic direction on pros and cons of each. For reference, we’ve included a set of AWS and GCP managed DB numbers as well. Note that it is hard to compare cloud platform prices because they each factor in different metrics.
Here are the results, ordered by processing time.
* Rates are for the base instance and do not include IOPS or storage rates. These will vary depending on your particular implementation requirements. **14 min with one collection at a time. ~20 min each with three in parallel. ***14 min with one collection at a time. ~20 min each with three in parallel.
NOTE that the storage and IOP rates for AWS, GCP, and Azure differ, so this is not a direct pricing comparison.
As of Nov 2021, our observations are that:
- The Azure “Database for PostgreSQL flexible server (Preview)” gave similar performance to managed GCP, but cheaper (in our test setup).
- We have no idea why the “Database for PostgreSQL Single Server” was so slow. We’ll eventually do some more tests and update this post when we learn more.
- Both managed Azure and GCP had better performance and cost than managed AWS.
- If you are not yet tied to a cloud platform, then Azure seems to be similar to GCP and cheaper and faster than AWS.
Cyber Triage Workflow in Azure
Here’s an example setup of using Cyber Triage in Azure:
Cyber Triage does not currently directly upload to the Azure Blob Storage (like AWS S3), but it is coming. You can manually upload at this point.
- A customer runs the Cyber Triage collection tool on a suspect host in their network. They manually upload the file to the Azure Blob Storage.
- The responder logs in from home and imports the data into the Cyber Triage Server.
- Results are saved to the Azure database.
- The Cyber Triage Server will analyze all of the artifacts and assign scores.
- Other examiners can login and assist as needed.
As a reminder, we highly recommend that if you are going to use Cyber Triage in the cloud, that all parts of it are in the cloud. Cyber Triage was not designed to be public IP facing and it assumes that there is a fast connection between the Cyber Triage client and server.
How to Setup Azure with Cyber Triage
To setup an Azure database, from the dashboard choose to make a “Database for PostgreSQL”.
Choose the “Flexible server” and appropriate size options. Remember the username and password since you’ll need that when configuring Cyber Triage.
The final step is to configure Cyber Triage Server to use this database. You’ll need the server IP of the database server, and the username that you defined in the wizard.
After several tests and trial and error, we found an Azure setup that gave us good performance at a competitive cost for Cyber Triage. If you are looking to offload the management of your database and are running in the cloud, then Azure could be a good platform. If you want to try Cyber Triage in either your cloud network or on your laptop, then fill out this form here.
To get updates on our blogs, you can subscribe to the Cyber RespondIR