One Article Review

Source AlienVault Blog
Identifier 1943772
Publication date 2020-09-28 11:00:00 (seen: 2020-09-28 11:05:49)
Title Stories from the SOC – Cloud and On-site Protection
Text This blog was jointly authored by Josue Gomez. Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Threat Detection and Response customers.

Executive Summary

One of the benefits of having your managed detection and response (MDR) service managed by AT&T Cybersecurity is the visibility into threats from a large number of customers of all sizes and across different industries. This allows the team to take what they learn from one customer and apply it to another. Our security operation center (SOC) analysts were able to use an OTX alarm and an AWS correlation rule to discover open ports on public-facing servers for two different customers within 24 hours.

Investigation

Initial Alarm Review

Indicators of Compromise (IOCs)

In a 24-hour period the AT&T SOC analyst team identified open-port vulnerabilities which malicious actors were attempting to exploit on two different customer instances. While the environments of these two customers are very different, the sensors that are deployed as part of the AT&T Unified Security Management (USM) platform provide flexibility and help customers stay protected across multiple platforms.

Customer 1's initial alarm is below. In addition to the OTX indicator, the fact that the alarm was based on a public URL and the event outcome was "Accept" led our analyst team to speculate that the alarm was accurately indicating a successful system compromise.

[Figure: suspicious behavior alarm screen]

The Customer 2 initial alarm came in when an IP located in a foreign country was observed attempting to brute-force SSH authentication on port 22 against one of Customer 2's cloud-based security management servers.

[Figure: brute force alarm]

Unlike Customer 1, who has a primarily on-premises environment, Customer 2 has a largely cloud-based infrastructure. The analyst team performed a deep dive into the targeted AWS cloud asset and observed logs showing multiple IPs located in the foreign country attempting to establish a connection over the open, vulnerable port.

[Figure: packet dropped]

Expanded Investigation

Alarm Detail

In the case of Customer 1, the analyst team determined that the IP identified by OTX had been scanning multiple public-facing assets in the hours before the alarm was triggered. Logs indicated the malicious actor was focusing on scanning for a Telnet service until they found an open port 23, at which point scanning ended. A search for that malicious IP on the destination side showed an outbound connection from Customer 1's web server with an "Allow" outcome, confirming a two-way connection had been established over Telnet. The analyst team communicated the details of the investigation to Customer 1 and recommended they close all of the server's ports aside from port 80 and port 443, as is best practice for a public-facing web server.

For Customer 2, the team prioritized the malicious activity on their AWS instance as High severity and quickly jumped on a call to inform the customer of the SSH brute-force attacks occurring against one of their internal cloud assets. The built-in Amazon GuardDuty plugin, paired with the cloud monitoring capabilities available in the USM platform, allowed the team to capture this malicious activity in real
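The two detection patterns the story walks through (an OTX-listed source getting an inbound "Accept", confirmed as two-way by an outbound "Allow" on the same port, and a burst of failed SSH logins from one source), written out as an added example that is not the blog's or the USM platform's own code. The key=value log format, the TEST-NET addresses, the indicator list and the brute-force threshold are all constructed assumptions:

```python
from collections import Counter

# Constructed stand-in for an OTX pulse (TEST-NET placeholder address, not a real indicator).
OTX_INDICATORS = {"203.0.113.45"}
# Assumed tuning value: failed SSH logins from one source before an alarm fires.
SSH_BRUTE_THRESHOLD = 3

# Constructed key=value events modelled on the story: a port scan from the OTX-listed IP that
# gets an inbound Accept on Telnet, the web server answering back over port 23, and an SSH
# brute-force burst against a cloud host (one source over threshold, one under it).
SAMPLE_LOG = """\
src=203.0.113.45 dst=198.51.100.10 dport=80 dir=in outcome=Deny
src=203.0.113.45 dst=198.51.100.10 dport=22 dir=in outcome=Deny
src=203.0.113.45 dst=198.51.100.10 dport=23 dir=in outcome=Accept
src=198.51.100.10 dst=203.0.113.45 dport=23 dir=out outcome=Allow
src=192.0.2.7 dst=10.0.5.21 dport=22 dir=in outcome=AuthFail
src=192.0.2.7 dst=10.0.5.21 dport=22 dir=in outcome=AuthFail
src=192.0.2.7 dst=10.0.5.21 dport=22 dir=in outcome=AuthFail
src=192.0.2.8 dst=10.0.5.21 dport=22 dir=in outcome=AuthFail
"""

def parse_events(text):
    """Turn key=value lines into dicts, skipping blank lines."""
    return [dict(kv.split("=", 1) for kv in line.split())
            for line in text.splitlines() if line.strip()]

def otx_accept_alarms(events):
    """Customer 1 pattern: inbound Accept from an OTX-listed source (the initial alarm)."""
    return [e for e in events
            if e["dir"] == "in" and e["src"] in OTX_INDICATORS and e["outcome"] == "Accept"]

def confirm_two_way(events, alarm):
    """Expanded investigation: the alarmed host answers the indicator on the same port."""
    return any(e["dir"] == "out" and e["src"] == alarm["dst"] and e["dst"] == alarm["src"]
               and e["dport"] == alarm["dport"] and e["outcome"] == "Allow" for e in events)

def ssh_bruteforce_sources(events):
    """Customer 2 pattern: sources whose failed SSH logins reach the threshold."""
    fails = Counter(e["src"] for e in events if e["dport"] == "22" and e["outcome"] == "AuthFail")
    return sorted(src for src, n in fails.items() if n >= SSH_BRUTE_THRESHOLD)

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for a in otx_accept_alarms(evs):
        print(f"OTX alarm: {a['src']} -> {a['dst']}:{a['dport']} two-way={confirm_two_way(evs, a)}")
    print("SSH brute-force sources:", ssh_bruteforce_sources(evs))
```

The two-way check is what turned a speculative alarm into a confirmed compromise in the Customer 1 case, so it is kept as a separate step from the initial indicator match.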
Sent Yes
Tags Threat
Stories
The article does not appear to have been picked up after its publication.


The article does not appear to have been taken from an earlier one.