AWS EC2 Instance Involved in Brute Force Attack
Rapport de recherche Datadog : Bilan sur l'adoption de l'informatique sans serveur Rapport : Bilan sur l'adoption de l'informatique sans serveur
<  Back to rules search

AWS EC2 Instance Involved in Brute Force Attack

guardduty

Classification:

attack

Tactic:

Technique:

Set up the guardduty integration.

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Overview

Goal

Detect Brute Force Attacks

Strategy

Leverage GuardDuty and detect when an attacker is performing a brute force attack. The following are GuardDuty findings trigger this signal:

Triage & Response

  1. Inspect the role of the EC2 instance in the attack. Find the role in the signal name - either ACTOR or TARGET.
    • If you are the TARGET and the instance is available on the internet, expect to see IPs scanning your systems.
    • If you are the TARGET and the instance is not available on the internet, this means a host on your internal network is scanning your EC2 instance. Open an investigation.
    • If you are the ACTOR, this means that your instance is performing brute force attacks on other systems. Open an investigation.