Most vendors or services nowadays offer some form of tagging. To name a few: Azure, AWS, Google Cloud, Qualys, CrowdStrike. The feature itself is pretty straightforward, but if you can apply dynamic criteria or automation to it, it makes life that much easier.
For most, the automation piece may come from utilizing the API calls. This doesn't necessarily have to be a continuous script or API call; it can be a one-off. Figuring out how to deploy a single tag to many systems is always a good thing to have in your back pocket, so it's worth exploring.
Most will offer a cURL example; otherwise, if you want to use PowerShell, the code could look similar to:

Azure, for example, has a PowerShell module which allows you to easily apply, view or delete tags at scale.
A use case for tagging can stem from a financial point of view, as users of the cloud want to know what they are paying for. Shared infrastructure isn't always that clear-cut, but if you can apply tags to at least be aware, you may be better off.
Tags also benefit security and IT, as they let the admins know what a service or host is or what it's running. Tagging should also allow criteria searching and the ability to filter hosts/systems based on your categories.
Here is an example of a recent threat where tagging may have benefited you.
If you work anywhere near IT, for the last couple of months you would have had a conversation about Log4j or Log4Shell: https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/

This was a vulnerability that affected a large number of systems (some internet facing) and caused multiple headaches. Not to mention long hours over the Christmas period. Most companies by now would have started to track, or at least scan for, which systems in their environment are running Log4j, or to hunt for specific JAR files such as log4j-core-2. It really depends on the size, tools and resources available.
If you were fortunate enough to be in a good place, you may have a spreadsheet somewhere with a list of systems. Although this allows you to track the progress of remediation, that information is limited to that Excel spreadsheet. If, for example, a system was attacked, you would have to cross-check that sheet to see if it's on there. This would be a manual effort, and sometimes not that straightforward if it was not properly communicated or the right people are not aware of it.
This is where tagging comes in. Even if only temporarily, tagging all your hosts running Log4j will help not only those remediating the risk, but also the incident response team. If they can quickly identify that a server carries additional risk, or is actively being targeted in the wild, they can respond accordingly. Medium threats would escalate to high by default as the system has a known threat, or they may treat certain activity as more suspicious.
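One way to apply and later remove such a temporary tag in Azure, as an added example (not the author's own code) using the Az PowerShell module. The host names are constructed sample data, and the tag name `Log4j` with value `vulnerable` is an illustrative assumption:

```powershell
#Requires -Modules Az.Compute, Az.Resources
# Added example: bulk-tag (or untag) Azure VMs that a scan flagged as running Log4j.
# Assumes Connect-AzAccount has already been run and the right subscription is selected.
param(
    # Constructed sample names; in practice, e.g. (Import-Csv scan.csv).Hostname
    [string[]]  $FlaggedHosts = @('app-web-01', 'app-batch-02', 'old-report-03'),
    # Illustrative tag name/value; use whatever your tagging standard defines
    [hashtable] $Tag = @{ Log4j = 'vulnerable' },
    # Set once a host is remediated, to take the temporary tag off again
    [switch]    $Remove
)

# Merge adds/updates only the given tag; Delete removes only the given tag.
# Neither touches the other tags (cost centre, owner, ...) already on the VM.
$operation = if ($Remove) { 'Delete' } else { 'Merge' }

# -in is case-insensitive, which suits host names coming out of a scanner export
$vms = @(Get-AzVM | Where-Object { $_.Name -in $FlaggedHosts })

# Hosts the scanner reported that are not VMs in this subscription need a manual look
$FlaggedHosts | Where-Object { $_ -notin $vms.Name } | ForEach-Object {
    Write-Warning "No VM named '$_' in the current subscription; not tagged."
}

$results = foreach ($vm in $vms) {
    try {
        Update-AzTag -ResourceId $vm.Id -Tag $Tag -Operation $operation -ErrorAction Stop | Out-Null
        $status = $operation
    } catch {
        $status = "Failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Host = $vm.Name; ResourceGroup = $vm.ResourceGroupName; Result = $status }
}
$results | Format-Table -AutoSize

# What a responder would run during triage: everything currently carrying the tag
Get-AzResource -Tag $Tag | Select-Object Name, ResourceGroupName, ResourceType
```

`Get-AzVM` only sees the current subscription, so run the script once per subscription; the warnings list the scanner hits that still need to be tracked some other way.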
It's not just incident response though. Tagging all your external-facing systems will help long-term with vulnerability management and monitoring.
Tagging certain applications you care about will also help the teams viewing a server know what it is, without having to dive into it.
Some may say "the CMDB!", but again, this is similar to the Excel spreadsheet problem. Although CMDB services such as ServiceNow allow integration from a vast number of tools, it's often not integrated back. That is, multiple tools feed into SNOW, but that data does not feed back.
If it is, great! But if not, your team will have to go somewhere else to validate what they can see elsewhere. Tagging alongside the CMDB and other tools allows a standard or pattern to be created which can be easily used or shared.
Of course, I'm not saying tag everything, as this would be an overhead nightmare. Instead, look to target what you care about and what your security team should know about. Without it, you may have to rely on certain people, or that IT member that's been there longer than the bricks and knows everything, but in a heightened situation it's sometimes good to see it written down rather than depend on memory.

To understand how to tag, or automate, most vendors have documentation or some form of support center to offer help. If not, or if you want to automate an idea, I'd always be happy to look. Either that or try and help as best I can. 🙂