AWS EC2 instance involved in brute force attack

Classification:

attack

Tactic:

Technique:

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect Brute Force Attacks

Strategy

Leverage GuardDuty and detect when an attacker is performing a brute force attack. The following are GuardDuty findings trigger this signal:

Triage and response

Inspect the role of the EC2 instance in the attack. Find the role in the signal name - either ACTOR or TARGET.
- If you are the TARGET and the instance is available on the internet, expect to see IPs scanning your systems.
- If you are the TARGET and the instance is not available on the internet, this means a host on your internal network is scanning your EC2 instance. Open an investigation.
- If you are the ACTOR, this means that your instance is performing brute force attacks on other systems. Open an investigation.

Changelog

1 November 2022 - Updated links.