Brute forced ConsoleLogin event correlates with an assumed role event

aws

Classification:

attack

Goal

Correlate a brute force login with a user attempting to assume an anomalous number of roles.

Strategy

Correlate the "Potential brute force attack on AWS ConsoleLogin" and "Anomalous number of assumed roles from user" signals based on the ARN: {{@userIdentity.arn}}.
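The correlation described above can be reproduced offline over exported CloudTrail records. The following is an added example, not the rule's own logic: the thresholds, the one-hour window, the helper names and the sample events are assumptions constructed for illustration, and a fixed count of distinct roles stands in for the anomaly detection.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed values; the page does not state the rule's thresholds or window.
FAILED_LOGINS = 5      # failures before a success that count as brute force
DISTINCT_ROLES = 3     # distinct roles treated as an "anomalous number"
WINDOW = timedelta(hours=1)

def ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def brute_force_signals(events):
    """ARN -> time of a successful ConsoleLogin that follows a burst of failures."""
    failures, signals = defaultdict(list), {}
    for e in sorted(events, key=ts):
        if e["eventName"] != "ConsoleLogin":
            continue
        arn = e["userIdentity"]["arn"]
        if e["responseElements"]["ConsoleLogin"] == "Failure":
            failures[arn].append(ts(e))
        elif sum(ts(e) - t <= WINDOW for t in failures[arn]) >= FAILED_LOGINS:
            signals.setdefault(arn, ts(e))
    return signals

def correlate(events):
    """ARNs whose brute-forced login is followed by many distinct AssumeRole calls."""
    hits = {}
    for arn, login_time in brute_force_signals(events).items():
        roles = {e["requestParameters"]["roleArn"] for e in events
                 if e["eventName"] == "AssumeRole"
                 and e["userIdentity"]["arn"] == arn
                 and timedelta(0) <= ts(e) - login_time <= WINDOW}
        if len(roles) >= DISTINCT_ROLES:
            hits[arn] = sorted(roles)
    return hits

# Constructed sample events (documentation account ID, hypothetical users and roles).
def ev(name, arn, minute, **extra):
    return {"eventName": name, "userIdentity": {"arn": arn},
            "eventTime": f"2024-01-01T10:{minute:02d}:00Z", **extra}

ALICE = "arn:aws:iam::111122223333:user/alice"
BOB = "arn:aws:iam::111122223333:user/bob"
ROLE = "arn:aws:iam::111122223333:role/r"
SAMPLE = (
    [ev("ConsoleLogin", ALICE, m, responseElements={"ConsoleLogin": "Failure"}) for m in range(5)]
    + [ev("ConsoleLogin", u, 5, responseElements={"ConsoleLogin": "Success"}) for u in (ALICE, BOB)]
    + [ev("AssumeRole", u, 6 + i, requestParameters={"roleArn": f"{ROLE}{i}"})
       for u in (ALICE, BOB) for i in range(3)]
)
```

In the sample, both users assume three roles, but only `alice` is returned by `correlate(SAMPLE)` because only her login follows five failures on the same ARN.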

Triage and response

  1. Set signal triage state to Under Review.
  2. Determine if the brute force attack was successful.
    • If the login was not legitimate:
      • Investigate the user using the User Investigation Dashboard
      • Rotate credentials on the brute forced account
      • Enable MFA if it is not already enabled
    • If the login was legitimate:
      • Triage the signal as a false positive