This guide covers the process to follow when you have been made aware (e.g. by AWS GuardDuty) of a brute-force attack against one of your instances.
The runbook covers the action points below, but the summary should be considered to be:
Another important point: take detailed notes of the actions taken at each stage so that a timeline can be built for later analysis and review.
| Action | Details | Owner |
|---|---|---|
| Gather information | Collect details of the instance (location, function, source IP of the attack). | Incident engineer |
| Validate alarm | Is the concern valid? Is there an external actor acting maliciously against your instance, or is someone trying to clone a git repository from the instance with the wrong SSH key (it happens!)? | Incident engineer |
| Block access | If the threat is malicious, block access to the instance immediately. There should be no reason for port 22 to be exposed to 0.0.0.0/0. If the attack is coming from an allowed IP, remove the rule allowing access. | Incident engineer |
| Assess compromise | Finally, review the instance logs to determine whether the attacker successfully compromised the instance. See the separate runbook on this topic. | Incident engineer |
| Complete report | Write up all notes using the template and submit an incident report (following your incident management procedure). | Incident engineer |
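The "Validate alarm" and "Assess compromise" steps both come down to reading sshd authentication lines and deciding, per source IP, whether you are looking at an unsuccessful brute force, a login that succeeded after a run of failures (escalate), or the benign wrong-key case mentioned above. The following Python script is an added example, not part of this runbook or of any AWS tooling; the log lines, host name and IP addresses in it are constructed for illustration, the line formats follow standard OpenSSH syslog messages, and the failure threshold of 5 is an assumed tuning value.

```python
"""Triage sshd authentication lines per source IP to support the
'Validate alarm' and 'Assess compromise' steps of the runbook."""
import re
from collections import defaultdict

# Constructed sample lines in syslog/sshd format; not from a real host.
SAMPLE_AUTH_LOG = """\
Mar  4 10:01:02 ip-10-0-1-5 sshd[2311]: Failed password for invalid user admin from 203.0.113.77 port 51234 ssh2
Mar  4 10:01:04 ip-10-0-1-5 sshd[2312]: Failed password for invalid user admin from 203.0.113.77 port 51236 ssh2
Mar  4 10:01:06 ip-10-0-1-5 sshd[2313]: Failed password for root from 203.0.113.77 port 51240 ssh2
Mar  4 10:01:08 ip-10-0-1-5 sshd[2314]: Failed password for root from 203.0.113.77 port 51241 ssh2
Mar  4 10:01:10 ip-10-0-1-5 sshd[2315]: Failed password for root from 203.0.113.77 port 51242 ssh2
Mar  4 10:01:12 ip-10-0-1-5 sshd[2316]: Failed password for root from 203.0.113.77 port 51243 ssh2
Mar  4 10:02:30 ip-10-0-1-5 sshd[2320]: Accepted password for root from 203.0.113.77 port 51260 ssh2
Mar  4 10:05:00 ip-10-0-1-5 sshd[2330]: Connection closed by authenticating user git 198.51.100.9 port 40000 [preauth]
Mar  4 10:05:01 ip-10-0-1-5 sshd[2331]: Connection closed by authenticating user git 198.51.100.9 port 40002 [preauth]
Mar  4 10:05:02 ip-10-0-1-5 sshd[2332]: Connection closed by authenticating user git 198.51.100.9 port 40004 [preauth]
Mar  4 10:07:00 ip-10-0-1-5 sshd[2340]: Accepted publickey for ubuntu from 192.0.2.10 port 50100 ssh2: RSA SHA256:abc
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")
ACCEPTED_RE = re.compile(r"Accepted (\S+) for (\S+) from (\d+\.\d+\.\d+\.\d+)")
PREAUTH_CLOSE_RE = re.compile(
    r"Connection closed by authenticating user (\S+) (\d+\.\d+\.\d+\.\d+) port \d+ \[preauth\]")


def parse_auth_log(text):
    """Return a list of (source_ip, kind, user, method) tuples in log order."""
    events = []
    for line in text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            events.append((m.group(3), "accepted", m.group(2), m.group(1)))
            continue
        m = FAILED_RE.search(line)
        if m:
            events.append((m.group(2), "failed", m.group(1), "password"))
            continue
        m = PREAUTH_CLOSE_RE.search(line)
        if m:
            # Client gave up before authentication finished: typical of a wrong key.
            events.append((m.group(2), "preauth_close", m.group(1), "unknown"))
    return events


def summarize_by_source(events):
    """Aggregate events per source IP and note whether a success followed failures."""
    per_ip = defaultdict(lambda: {"failed": 0, "preauth_close": 0, "users": set(),
                                  "accepted": [], "success_after_failure": False})
    for ip, kind, user, method in events:
        rec = per_ip[ip]
        rec["users"].add(user)
        if kind == "accepted":
            rec["accepted"].append((user, method))
            if rec["failed"] > 0:
                rec["success_after_failure"] = True
        elif kind == "failed":
            rec["failed"] += 1
        else:
            rec["preauth_close"] += 1
    return dict(per_ip)


def classify(rec, failure_threshold=5):
    """Map one source's record to a verdict the incident engineer can act on."""
    if rec["success_after_failure"]:
        return "possible_compromise"          # login succeeded after failures: escalate
    if rec["failed"] >= failure_threshold:
        return "brute_force_unsuccessful"     # block the source; no success seen
    if rec["failed"] == 0 and rec["preauth_close"] > 0 and not rec["accepted"]:
        return "likely_benign_key_rejected"   # e.g. a git clone with the wrong key
    if rec["accepted"]:
        return "normal_login"
    return "inconclusive"


def triage(text, failure_threshold=5):
    """Return {source_ip: verdict} for every source seen in the log text."""
    summary = summarize_by_source(parse_auth_log(text))
    return {ip: classify(rec, failure_threshold) for ip, rec in summary.items()}


if __name__ == "__main__":
    # Usage: feed the contents of /var/log/auth.log (or the journal export) instead.
    for ip, verdict in triage(SAMPLE_AUTH_LOG).items():
        print(f"{ip:16} {verdict}")
```

A "possible_compromise" verdict means a success was logged from the same source after failed attempts, which is the signal to move straight to the compromise-assessment runbook rather than only blocking the source. A "likely_benign_key_rejected" verdict is the wrong-key case from the "Validate alarm" row and should still be confirmed with the owner of the source address before the alarm is closed.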
Longer term solutions: