Quite often, security teams receive alerts from their network monitoring systems that someone is scanning ports or that a brute force attack may be under way against one or more servers. According to the SANS Institute, port scanning is one of the most popular techniques attackers use to discover services they can exploit to break into systems. Essentially, attackers send a message to each port on a host, one at a time, to discover and keep track of the ports that are open. From the responses they can determine not only which services are running, but which services require authentication or allow anonymous logins. A brute force attack uses tools and scripts to rapidly try many combinations of usernames and passwords in an attempt to gain entry; logs will show hundreds or even thousands of login attempts from the same source over a short period of time. Security teams can create rules in SIEM systems such as Sumo Logic, Elasticsearch, or Wazuh to alert on this activity.
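The two SIEM rules described above, as an added example that is not part of the DTonomy post: a sliding-window counter that flags a source with many failed logins in a short span (brute force) or with many distinct destination ports in a short span (port scan). The log formats, the 60-second window and the threshold of 5 are assumptions; the sample log lines are constructed.

```python
import re
from collections import defaultdict
# Constructed sshd-style auth log lines; timestamps are epoch seconds.
AUTH_LOG = [
    "1700000000 sshd Failed password for root from 203.0.113.7",
    "1700000001 sshd Failed password for admin from 203.0.113.7",
    "1700000002 sshd Failed password for root from 203.0.113.7",
    "1700000003 sshd Failed password for test from 203.0.113.7",
    "1700000004 sshd Failed password for root from 203.0.113.7",
    "1700000100 sshd Failed password for bob from 198.51.100.3",
]
# Constructed firewall log lines: "<epoch> <src_ip> <dst_port> <action>".
FLOW_LOG = [
    "1700000000 203.0.113.9 22 DENY", "1700000001 203.0.113.9 80 DENY",
    "1700000002 203.0.113.9 443 DENY", "1700000003 203.0.113.9 3389 DENY",
    "1700000004 203.0.113.9 8080 DENY", "1700000010 198.51.100.3 443 ALLOW",
]
AUTH_RE = re.compile(r"^(\d+) sshd Failed password for \S+ from (\S+)$")
FLOW_RE = re.compile(r"^(\d+) (\S+) (\d+) \S+$")

def _window_hits(events, window, threshold):
    """events: {src: [(time, key), ...]}. Count distinct keys per source in a
    sliding `window`-second span; return {src: peak_count} for peaks >= threshold."""
    hits = {}
    for src, evs in events.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # drop events that fell out of the window
            n = len({key for _, key in evs[start:end + 1]})
            if n >= threshold:
                hits[src] = max(hits.get(src, 0), n)
    return hits

def brute_force_sources(lines, window=60, threshold=5):
    """Sources with >= threshold failed logins in any `window`-second span."""
    events = defaultdict(list)
    for i, m in enumerate(map(AUTH_RE.match, lines)):
        if m:
            events[m.group(2)].append((int(m.group(1)), i))  # i makes each attempt distinct
    return _window_hits(events, window, threshold)

def port_scan_sources(lines, window=60, threshold=5):
    """Sources touching >= threshold distinct ports in any `window`-second span."""
    events = defaultdict(list)
    for m in filter(None, map(FLOW_RE.match, lines)):
        events[m.group(2)].append((int(m.group(1)), int(m.group(3))))
    return _window_hits(events, window, threshold)
```

In a real deployment the same logic is expressed as a correlation rule in the SIEM, with the window and threshold tuned against the environment's normal login and connection rates.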
How to deal with these types of malicious attacks?
These alerts usually originate from network detection, but remediation needs additional information and context from other systems, such as endpoint detection and vulnerability scanners.
Incorporating threat intelligence and expert knowledge, DTonomy would recommend the following course of action.
DTonomy AIR Built-in Playbooks
DTonomy’s AI-Assisted platform provides built-in automated playbooks to assist security analysts in creating comprehensive workflows to address these types of attacks. These playbooks contain integrations to many systems such as:
The playbook that integrates these systems could perform automated response as follows:
At the bottom left, the workflow calls other playbooks for a more complete investigation of the target machine, reusing shared logic wherever possible.
More DTonomy Automation Use Cases: Link
We are pleased to announce that DTonomy is now part of Stellar Cyber. The integrated solution will enhance cyber threat detection and response automation!