One Article Review

Home - The article:
Source AlienVault Blog
Identifier 2804505
Publication date 2021-05-18 10:00:00 (viewed: 2021-05-18 11:05:41)
Title Stories from the SOC - SSH brute force authentication attempt tactic
Text
Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Threat Detection and Response customers.

Executive Summary
An SSH Brute Force attack is a form of cybersecurity attack in which an attacker uses trial and error to guess credentials to access a server. Unlike many other tactics used by cybercriminals, brute force attacks aren't reliant on existing vulnerabilities. Instead, cybercriminals rely on weak or guessable credentials. Brute force attacks are fairly simple and have a high success rate, with several tools and programs available for attackers to use. Once an attacker correctly guesses valid credentials, they may be able to view, copy, or delete important files or execute malicious code.

The Managed Threat Detection and Response (MTDR) analyst team received 96 alarms for Brute Force Authentication – SSH Login Failure. The team conducted further analysis and discovered 8,114 failed login attempts involving different usernames in one minute, indicating a legitimate brute force attack. The analysts worked with the customer's team to block SSH access to the host and prevent any additional logons.

Investigation

Initial Alarm Review
Indicators of Compromise (IOC)
The alarms for this indicator of compromise are part of the weaponization stage, or second stage, of the cyber kill chain. Each individual alarm contained different usernames in each event from a single source IP address. All the alarms originated from different source IP addresses, targeting a public-facing host on port 22.

[Figure: IOC for brute force authentication attack SSH login]

Expanded Investigation
Events Search
Searching for additional events began by filtering all failed logon events to the affected host to validate that no events were missed in the alarms. There were over 4,000 events when the research began, and the count grew to over 8,000 in under a minute. Each "invalid user" error contained a different username.

Event Deep Dive
The attacker was using multiple IP addresses from different countries, indicating a botnet may have been utilized for this attack. The usernames used in the attack did not match any usernames associated with customer accounts, and there was no additional activity involving these usernames.

Reviewing for Additional Indicators
Any additional events during the time of the attack were reviewed to determine whether any other indicators of compromise were detected. The SSH activity in the additional events followed the same pattern as the original alarms, attempting to exploit port 22 on this public-facing host. All SSH attempts failed and the host was not compromised.

Response
Building the Investigation
As the alarms and events came into the queue, it was recognized that this could be a potential dictionary attack. We reviewed the details of each alarm and the events associated with it and determined that the usernames used did not match any of the known user accounts. There were no successful logins during this activity, as none of the usernames were legitimate. A successful attack would have compromised the bastion server and potentially provided access to the rest of the environment. While the alarms were incrementing in the queue, an investigation was created and a report outlining the events was provided to the customer. The event details were added to the investigation and we provided a recommendation to the customer to review the firewall policy configuration.
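The detection pattern the analysts describe (many "invalid user" failures in a single minute, a different username in each, several source IPs, none of the names matching a known account), as an added Python example that is not part of the original post; the sshd log lines, the thresholds and the KNOWN_ACCOUNTS list are constructed for illustration.

```python
import re
from collections import defaultdict

# sshd auth.log "Invalid user" line, e.g.:
#   May 18 10:00:01 bastion sshd[2101]: Invalid user admin from 203.0.113.10 port 51234
LINE_RE = re.compile(
    r"^(?P<minute>\w{3}\s+\d+ \d\d:\d\d):\d\d \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)"
)
KNOWN_ACCOUNTS = {"deploy", "ops"}  # constructed stand-in for the customer's real account list

def parse(lines):
    """Yield (minute bucket, username, source IP) for every 'Invalid user' event."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m["minute"], m["user"], m["ip"]

def detect_bruteforce(lines, min_failures=5, min_users=3):
    """Flag each minute where failure count and distinct usernames both cross the thresholds.
    distinct_ips > 1 mirrors the post's botnet indicator; unknown_only records that
    none of the guessed usernames exist in the known account list."""
    buckets = defaultdict(lambda: {"failures": 0, "users": set(), "ips": set()})
    for minute, user, ip in parse(lines):
        b = buckets[minute]
        b["failures"] += 1
        b["users"].add(user)
        b["ips"].add(ip)
    findings = []
    for minute, b in sorted(buckets.items()):
        if b["failures"] >= min_failures and len(b["users"]) >= min_users:
            findings.append({
                "minute": minute,
                "failures": b["failures"],
                "distinct_users": len(b["users"]),
                "distinct_ips": len(b["ips"]),
                "distributed": len(b["ips"]) > 1,
                "unknown_only": b["users"].isdisjoint(KNOWN_ACCOUNTS),
            })
    return findings

# Constructed sample log (RFC 5737 documentation addresses), not data from the incident.
SAMPLE_LOG = [
    "May 18 10:00:01 bastion sshd[2101]: Invalid user admin from 203.0.113.10 port 51234",
    "May 18 10:00:02 bastion sshd[2102]: Invalid user oracle from 198.51.100.7 port 40211",
    "May 18 10:00:03 bastion sshd[2103]: Invalid user test from 203.0.113.10 port 51240",
    "May 18 10:00:05 bastion sshd[2104]: Invalid user ubuntu from 192.0.2.44 port 33019",
    "May 18 10:00:09 bastion sshd[2105]: Invalid user pi from 198.51.100.7 port 40230",
    "May 18 10:00:30 bastion sshd[2106]: Accepted publickey for deploy from 10.0.0.5 port 50000 ssh2",
    "May 18 10:03:12 bastion sshd[2107]: Invalid user guest from 192.0.2.44 port 33100",
]
```

The single flagged minute in the sample carries five failures from three source IPs with five distinct unknown usernames; the lone failure at 10:03 stays below threshold, which is the kind of noise a per-minute username-diversity check filters out.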
Sent Yes
Tags Threat
Stories


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.