This guide covers the process to follow when you have been made aware (e.g. by AWS GuardDuty) of a brute force attack against one of your instances.
The runbook covers the action points below, but the summary should be considered to be:
Another important note: take detailed notes of the actions taken at each stage so that a timeline can be built for later analysis and review.
| Step | Action | Owner |
|---|---|---|
| Gather information | Collect details of the instance (location, function, source IP of the attack). | Incident engineer |
| Validate alarm | Is the concern valid? Is there an external actor acting maliciously against your instance, or is someone trying to clone a git repository from the instance with the wrong SSH key (it happens!)? | Incident engineer |
| Block access | If the threat is malicious, block access to the instance immediately. There should be no reason for port 22 to be exposed to 0.0.0.0/0. If the attack is coming from an allowed IP, remove the rule allowing access. | Incident engineer |
| Assess compromise | Finally, review the instance logs to determine whether the attacker successfully compromised the instance. See the separate runbook on this topic. | Incident engineer |
| Complete report | Write up all notes using the template and submit an incident report, following your incident management procedure. | Incident engineer |
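The "Block access" step above asks two questions of the instance's security group: is port 22 open to 0.0.0.0/0 (or ::/0), and does any rule admit the attacker's source IP? The following is an added example, not part of the original runbook, that answers both offline against a constructed `IpPermissions` structure in the shape returned by `aws ec2 describe-security-groups`; the group ID, CIDRs and attacker address are made-up sample values.

```python
import ipaddress

# Constructed sample: same shape as IpPermissions from describe-security-groups,
# but every value here is invented for this example.
SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24", "Description": "office"}],
         "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        # "-1" means all protocols and all ports, so it also admits SSH.
        {"IpProtocol": "-1", "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "2001:db8::/32"}]},
    ],
}


def _covers_ssh(perm):
    """True if this ingress entry lets TCP/22 through."""
    if perm["IpProtocol"] == "-1":
        return True
    if perm["IpProtocol"] != "tcp":
        return False
    return perm.get("FromPort", 0) <= 22 <= perm.get("ToPort", 65535)


def _cidrs(perm):
    """Yield every IPv4 and IPv6 network listed on the entry."""
    for r in perm.get("IpRanges", []):
        yield ipaddress.ip_network(r["CidrIp"])
    for r in perm.get("Ipv6Ranges", []):
        yield ipaddress.ip_network(r["CidrIpv6"])


def find_ssh_exposure(group, attacker_ip):
    """Return the ingress rules to remove: any SSH-capable rule that is open to
    the world, or whose CIDR contains the attacker's source address."""
    src = ipaddress.ip_address(attacker_ip)
    findings = []
    for perm in group["IpPermissions"]:
        if not _covers_ssh(perm):
            continue
        for net in _cidrs(perm):
            if net.prefixlen == 0:
                reason = "open to the world"
            elif src.version == net.version and src in net:
                reason = "allows attacker source " + attacker_ip
            else:
                continue
            findings.append({"protocol": perm["IpProtocol"],
                             "cidr": str(net), "reason": reason})
    return findings
```

The returned entries name the exact protocol and CIDR of each rule to revoke, which is also what you record in the incident timeline.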
Longer term solutions: