Brute forced ConsoleLogin event correlates with an assumed role event

aws

Classification:

attack

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Correlate a bruteforce login with a user attempting to assume an anomalous number of roles.

Strategy

Correlate the Potential brute force attack on AWS ConsoleLogin and Anomalous number of assumed roles from user signals based on the ARN: {{@userIdentity.arn}}.

Triage and response

  1. Set signal triage state to Under Review.
  2. Determine if the brute force attack was successful.
    • If the login was not legitimate:
      • Investigate the user using the User Investigation Dashboard
      • Rotate credentials on the brute forced account
      • Enable MFA if it is not already enabled
    • If the login was legitimate:
      • Triage the signal as a false positive