Open Azure Data Lake Detection
Open Azure Data Lake Detection is a specialized cybersecurity process for identifying and remediating Azure Data Lake Storage Gen2 (ADLS) instances misconfigured to allow unauthenticated public access.
Azure Data Lake Storage Gen2 is built on Azure Blob Storage and designed to store massive amounts of raw data for high-performance analytics. Because these "lakes" often consolidate an entire organization's data—including PII, financial records, and proprietary machine learning models—a single misconfiguration can lead to a catastrophic data breach. Open Azure Data Lake detection focuses on identifying these exposures from an "outside-in" perspective, mirroring a threat actor's reconnaissance.
How Open Azure Data Lake Detection Works
The detection process involves identifying storage accounts that have bypassed standard identity controls (such as Microsoft Entra ID) and are exposing their data to the public internet.
DNS and Subdomain Probing: Scanners search for the unique naming patterns associated with Azure Data Lake. For ADLS Gen2, the endpoint typically follows the format
accountname.dfs.core.windows.net. Attackers use permutation scripts to guess common account names (e.g.,company-prod-datalake) and check if they resolve to an active service.Access Level Interrogation: Once a storage account is found, the detector probes the "Public Access Level" of its containers. It checks for two specific risky settings:
Container Level: Allows unauthenticated users to list all files and folders within a container and read the data.
Blob Level: Allows unauthenticated users to read specific files if they know the exact path, though they cannot list all contents.
Anonymous Request Validation: The detection engine attempts to pull metadata or a directory listing from the Data Lake without an Authorization header. If the Azure service returns a "200 OK" status instead of a "403 Forbidden," the data lake is confirmed as "Open."
Key Risks of Publicly Accessible Data Lakes
A detected open Data Lake is a critical vulnerability due to the volume and variety of data typically stored within them.
1. Massive Scale Data Exfiltration
Unlike a single database table, a Data Lake can store petabytes of information. An unauthenticated attacker can use automated tools to crawl the hierarchical namespace and download millions of files, including customer records and sensitive internal documents.
2. Poisoning of Machine Learning Models
Data Lakes are frequently used as the training ground for AI and machine learning models. If a Data Lake has "Public Write" access enabled, an attacker can inject "poisoned" data into the raw zone. This can skew the behavior of future AI models, leading to biased results or intentional security backdoors in the organization's automated systems.
3. Identity and Credential Theft
Data Lakes often contain log files from various applications. These logs can inadvertently contain session tokens, API keys, or plaintext credentials. Detecting an open log repository within a Data Lake provides an attacker with the keys to move laterally into other parts of the Azure environment.
Why Azure Data Lakes Become Exposed
Exposures are rarely intentional; they usually stem from a misunderstanding of Azure's layered security model.
Default Settings: In some legacy storage account versions, public access was enabled by default. While Microsoft has moved to a "Secure by Default" model, existing accounts, or those created with older Infrastructure as Code (IaC) templates, may still retain permissive settings.
Testing and Development Shortcuts: Developers sometimes enable public access to quickly share data with a third-party partner or an external application, intending to close it later, but forgetting to do so.
Complex Permission Hierarchies: ADLS Gen2 uses both Role-Based Access Control (RBAC) and Access Control Lists (ACLs). This complexity can lead to "permission creep," where a container is made public to fix a localized access issue, unknowingly exposing the entire hierarchy.
Common Questions About Azure Data Lake Detection
Is detecting open Data Lakes the same as a vulnerability scan? Not exactly. A vulnerability scan looks for software vulnerabilities (such as unpatched OS vulnerabilities). Open Data Lake detection looks for misconfigurations of cloud-native features. It is a core part of External Attack Surface Management (EASM) rather than a traditional VM.
Does Microsoft provide built-in detection for this? Yes. Microsoft Defender for Storage and Azure Advisor provide internal alerts when a storage account is set to allow public access. However, "Open Data Lake Detection" specifically refers to detecting these issues externally, identifying "Shadow" accounts that may not be covered by internal security policies.
Can I block all unauthenticated discovery at once? Yes. The most effective defense is to set the "Allow storage account public access to this storage account" property to "Disabled" at the storage account level. This overrides any per-container settings and ensures that no unauthenticated request is ever accepted.
Detecting and Securing Open Azure Data Lakes with ThreatNG
ThreatNG provides a specialized defense against exposing massive data repositories by automating Azure Data Lake Detection. By operating from an adversarial, "outside-in" perspective, ThreatNG identifies and validates misconfigured Azure Data Lake Storage (ADLS) Gen2 instances that are accessible to the public internet without authentication.
Because Azure Data Lakes often serve as the central repository for an organization’s most sensitive analytics, logs, and intellectual property, ThreatNG focuses on identifying these high-value targets before they can be discovered by malicious scanners.
External Discovery
ThreatNG’s External Discovery engine is a continuous reconnaissance tool that identifies an organization's Azure infrastructure footprint. It identifies "Shadow Data Lakes" that may have been created outside standard IT procurement or security review processes.
Endpoint Enumeration: ThreatNG proactively probes for Azure Data Lake naming conventions. By using permutations of the organization's name and common descriptors (e.g.,
data-warehouse,analytics-prod,logs-archive), it identifies active endpoints following theaccountname.dfs.core.windows.netformat.Subdomain and DNS Analysis: The platform monitors DNS records and Certificate Transparency logs for CNAMEs that point to Azure storage services. For example, identifying
internal-data.company.compointing to an Azure DFS endpoint reveals a managed entry point to a Data Lake.Infrastructure Attribution: ThreatNG correlates discovered IP addresses and netblocks with known Azure service ranges to identify storage accounts that belong to the organization but are not currently listed in the internal asset inventory.
External Assessment
Once a Data Lake is discovered, ThreatNG conducts a deep External Assessment to determine if the asset is truly open and what specific data is at risk.
Detailed Example (Unauthenticated Access Validation): ThreatNG attempts to interact with the discovered Data Lake using unauthenticated requests. If the service returns a directory listing or allows retrieving file metadata without a valid token, the platform flags the asset as "Publicly Accessible." This confirms that the internal Azure security settings (like "Allow storage account public access") have been left in a permissive state.
Detailed Example (Hierarchical Namespace Inspection): Because ADLS Gen2 uses a hierarchical namespace, ThreatNG assesses whether an attacker can traverse folders. If the assessment reveals that a "Public" setting on a parent container has cascaded down to sensitive sub-directories containing PII or financial exports, ThreatNG validates this as a "Critical Exposure."
Detailed Example (Write Permission Assessment): The assessment determines if the Data Lake allows "Anonymous Write" access. In a Data Lake context, this is extremely dangerous as it allows an attacker to "poison" the data used for business intelligence or machine learning. ThreatNG validates this susceptibility to prevent data integrity attacks.
Reporting
ThreatNG transforms raw cloud discovery data into prioritized executive and technical reports that drive remediation.
Cloud Exposure Scorecards: Reporting provides a risk score specifically for discovered cloud storage, allowing security leaders to see how many "Open Lakes" exist compared to total discovered cloud assets.
Remediation Guidance: Reports include the specific Azure Storage Account and Container names, along with the exact misconfiguration, providing the cloud engineering team with a direct path to remediate.
Continuous Monitoring
The scale and complexity of cloud environments mean that a single change can inadvertently expose a Data Lake. ThreatNG’s Continuous Monitoring ensures that these "lakes" stay private.
Configuration Drift Detection: If a previously secure Data Lake is reconfigured to allow public access—perhaps to facilitate a one-time data transfer—ThreatNG detects this "Drift" immediately and triggers an alert.
New Asset Detection: As developers spin up new analytics environments in Azure, ThreatNG detects new endpoints the moment they become visible on the internet, ensuring security visibility keeps pace with DevOps.
Investigation Modules
ThreatNG’s Investigation Modules allow analysts to conduct deep forensic dives into the nature of an exposed Data Lake.
Detailed Example (Cloud and SaaS Exposure Investigation): This module investigates the specific metadata of the Azure account. By identifying the region and associated services (such as connected Azure Synapse or Databricks workspaces), analysts can assess the business-criticality of the exposed data.
Detailed Example (Sensitive Code Exposure Investigation): Often, the path to a Data Lake is revealed in leaked code. This module scans public repositories, such as GitHub, for hardcoded Azure storage account keys or connection strings. If ThreatNG finds a leaked key that grants administrative access to a discovered Data Lake, it confirms a "Total Compromise" scenario.
Detailed Example (Domain Intelligence): This module analyzes the relationship between the Data Lake and the company’s public web presence. If an open Data Lake is being used to host static content for a main website, the investigation highlights the risk of "Web Defacement" or "Malware Distribution" via the storage account.
Intelligence Repositories
ThreatNG enriches its findings with data from global intelligence repositories to provide a 360-degree view of the risk.
Dark Web Presence: The solution monitors for mentions of the organization's storage account names on illicit forums. If ThreatNG detects a "target list" that includes the company's Data Lake URL, it prioritizes the finding as an "Active Threat."
Vulnerability Correlation: ThreatNG cross-references versions of any exposed services or third-party tools used to manage the Data Lake against known CVEs (Common Vulnerabilities and Exposures), providing a more complete view of the asset's risk.
Complementary Solutions
ThreatNG serves as an external auditor that integrates with internal security tools to provide a holistic defense for Azure environments.
Complementary Solution (Cloud Security Posture Management - CSPM): ThreatNG provides the "Outside-In" discovery of Shadow accounts that the CSPM may not be connected to via API. Feeding these discovered accounts into the CSPM ensures that the organization’s internal policy checks are applied to 100% of the Azure estate.
Complementary Solution (Microsoft Defender for Cloud): ThreatNG validates the alerts generated by internal tools. If Microsoft Defender identifies a "Public Access" setting, ThreatNG’s external scan confirms whether that setting actually makes data reachable from the internet, helping reduce "False Positives" and alert fatigue.
Complementary Solution (Security Orchestration, Automation, and Response - SOAR): ThreatNG triggers automated workflows in SOAR platforms. If a critical "Open Data Lake" is validated, the SOAR platform can automatically execute an Azure PowerShell script to disable public access on that storage account in seconds.
Examples of ThreatNG Helping
Helping Secure R&D Data: ThreatNG discovered an unauthenticated Azure Data Lake used by an R&D team to store raw sensor data from a new product line. The External Assessment revealed the data was publicly listable. ThreatNG’s discovery allowed the security team to lock down the repository before a competitor could scrape the proprietary data.
Helping Prevent Data Poisoning: ThreatNG identified a Data Lake container with "Public Write" permissions that was used to feed a corporate AI model. The reporting alerted the team, who realized that an attacker could have modified the training data. The team reverted to a secure backup and closed write access.
Examples of ThreatNG Working with Complementary Solutions
Working with a SIEM: ThreatNG detects an open Azure Data Lake and sends the endpoint details to the Security Information and Event Management (SIEM). The SIEM searches internal logs for IP addresses that have accessed the endpoint, helping the SOC determine whether an external party has already downloaded sensitive files.
Working with a GRC Platform: ThreatNG pushes the details of discovered unauthenticated Azure assets to a Governance, Risk, and Compliance (GRC) platform. This provides the compliance team with evidence that the organization is actively monitoring for misconfigured cloud storage, which is a requirement for SOC 2 and ISO 27001 audits.
