Brute force attack investigation

1. Responsibility Index

Phase            Responsibility
Identification   L1 Analyst: GSOC Monitoring Team
Investigation    L2 Analyst: includes individuals from the Network Team / GSOC
Containment      L2 Analyst: includes individuals from the Network Team / Server Team
Remediation      L2 Analyst: includes the Network Team / Server Team / GSOC
Recovery         L2 Analyst: includes the Network Team / Server Team / GSOC


2. Brute Force Attack Procedure

2.1 Identification Stage

Stage            Source
Identification   A brute force incident is reported by:
                 • the Network Team
                 • an incident raised when the SIEM generates an alert


2.2 Investigation Stage

Stage            Actions by Respective Team
Investigation    Security team checks

If a brute force attack is identified and an alert is generated via the SIEM, the following parameters are considered during the investigation:

  • Source addresses of the attempts

  • Firewall Action

  • Destination on which the brute force was attempted


Validating the Source:

  • The source is validated using the IP details taken from the alert generated.

  • The reputation of the source IP address is verified on IP reputation sites such as

     https://www.virustotal.com/

     https://www.abuseipdb.com/

  • Any recent malicious or similar activities from the source can be verified in the IBM X-Force database.

     https://exchange.xforce.ibmcloud.com/

  • Any other activities from the source towards other assets are verified in the SIEM.

  • All logs recorded in the SIEM console from the source are collected, starting from the time of the first event observed.

  • The result is exported to a CSV, and other parameters such as the destinations targeted, the type of event observed and the ports targeted are recorded.


Firewall Action:

  • The firewall action on the source of the attack has to be observed.

  • Go to the firewall logs and filter them by the source IP.

  • Check whether any firewall permit events are found.

  • If the firewall action is observed as permitted and the source was found to be blacklisted during source validation, the network team has to be notified.

  • An incident has to be raised to the network team to block the destination at the perimeter level, attaching all the evidence found (source reputation, firewall permit logs).


Investigating Destination:

  • The end asset that was targeted in the attack is to be investigated.

  • Go to the SIEM and filter the logs from the destination, starting at least 24 hours prior to the first attack event observed.

  • Event ID codes and any unusual or abnormal events from the host are to be recorded.

  • Successful login events from the remote IP are to be filtered out.

  • The reputation of any remote IP addresses with successful login events is verified.

  • If any blacklisted or risky IPs are found in the logs, they may be blocked if no business requirement is observed.

  • An incident has to be raised to the network team to block the destination at the perimeter level, attaching all the evidence found (source reputation, asset logs).


User account Evaluation:

  • The user account used in the brute force attempt is evaluated.

  • The privileges held by the account are verified and the impact is evaluated.
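The security team checks above (count attempts per source, record targeted destinations and ports, then look for successful logins from the same source) can be scripted over a SIEM export. The following is an added example written for this page, not the playbook's own tooling; the column names, the failure threshold and the sample events are constructed assumptions and should be adjusted to the SIEM in use.

```python
import csv
import io
from collections import defaultdict

# Constructed sample SIEM export (assumed column names); not real data.
SAMPLE_EXPORT = """\
timestamp,src_ip,dst_ip,dst_port,outcome,user
2024-01-10T02:00:01,203.0.113.7,10.0.0.5,22,failure,admin
2024-01-10T02:00:02,203.0.113.7,10.0.0.5,22,failure,admin
2024-01-10T02:00:03,203.0.113.7,10.0.0.5,22,failure,root
2024-01-10T02:00:04,203.0.113.7,10.0.0.5,22,failure,admin
2024-01-10T02:00:05,203.0.113.7,10.0.0.5,22,failure,admin
2024-01-10T02:00:09,203.0.113.7,10.0.0.5,22,success,admin
2024-01-10T02:01:00,203.0.113.7,10.0.0.9,3389,failure,admin
2024-01-10T02:05:00,198.51.100.4,10.0.0.5,22,failure,bob
2024-01-10T02:06:00,198.51.100.4,10.0.0.5,22,success,bob
"""

FAILURE_THRESHOLD = 5  # assumed tuning value; align it with the SIEM rule

def parse_events(text):
    """Parse the CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def failures_per_source(events):
    """Count failed logons per source IP."""
    counts = defaultdict(int)
    for e in events:
        if e["outcome"] == "failure":
            counts[e["src_ip"]] += 1
    return dict(counts)

def flagged_sources(events, threshold=FAILURE_THRESHOLD):
    """Sources with at least `threshold` failed logons."""
    return sorted(s for s, n in failures_per_source(events).items() if n >= threshold)

def successes_from(events, sources):
    """Successful logons from flagged sources: the key destination check."""
    return [(e["src_ip"], e["dst_ip"], e["dst_port"], e["user"])
            for e in events if e["outcome"] == "success" and e["src_ip"] in sources]

def targets_summary(events, source):
    """Destinations and ports a source touched, for the evidence CSV."""
    return sorted({(e["dst_ip"], e["dst_port"]) for e in events if e["src_ip"] == source})

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EXPORT)
    for src in flagged_sources(evs):
        print(src, targets_summary(evs, src), successes_from(evs, [src]))
```

A successful logon from a flagged source is the finding that turns a noisy alert into an incident; that tuple is what should be attached as evidence when the password reset and perimeter block are requested.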

Stage            Actions by Respective Team
Investigation    Network team checks
                 • Analyse traffic from the source for any other suspicious patterns.
                 • Analyse network traffic for similar patterns with respect to the protocols and ports used in the attack.
                 • Analyse traffic from the subnets of the source.


Stage            Actions to be taken by Respective Teams
Containment      Server Team
                 • Reset the password of the user account used.
                 Network Team
                 • Block the source of the attack if the IP is found to be risky or blacklisted and no business need is found.




2.3 Remediation

Stage            Actions by Respective Teams
Remediation      GSOC Team
                 • Monitor the destination for any abnormalities.
                 Server Team
                 • Consider changing the user account name, depending on the scale of the attack.
                 Network Team
                 • Block the source IP on the perimeter firewall if the IP is found to be risky and blacklisted and no business need is observed.


Stage            Actions by Respective Team
Recovery         GSOC Team
                 • Monitor the source IP continuously for any further attempts after remediation.
                 • Monitor the logs from the other IPs of the source subnet through which the attack was initiated.
                 Server Team
                 • Perform a scan on the targeted asset and ensure it hosts no infection.
                 Network Team
                 • Block the evaluated pattern on the intrusion prevention system.
