Stories from the SOC- SSH Brute Force Authentication Attempt

Ervin McBride IV – TDP Engineer II contributed to this article.

Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the LevelBlue SOC analyst team for LevelBlue Managed Threat Detection and Response customers.

Executive Summary

The Managed Threat Detection and Response (MTDR) analyst team received and reviewed an alarm for Brute Force Authentication – SSH Login Failure. Upon further review, the analyst team discovered sixty-two failed login events for a variety of users where the naming convention suggested a legitimate brute force attempt. The analyst team responded and engaged the customer, who was able to take appropriate action to prevent additional logon attempts.

Initial Alarm Review

Indicators of Compromise (IOC)

The initial alarm for this IOC is associated with the second stage of the Cyber Kill Chain®. As we reviewed each event associated with the alarm, we noticed different usernames entered for each attempt with the source being from a foreign country and targeting a reserved IP address.

Expanded Investigation

Events Search

When searching for additional events, we started by reviewing all failed login activity from the external host to see if any events were not captured in the alarm. Initially, there were twenty-five events associated with the alarm, one for each of the user accounts involved in this attack. Upon further review, we uncovered a total of sixty-two events, with multiple events per user. Each event was a failed login attempt that generated an “Invalid User” error.

Event Deep Dive

The attacker was using a system with an IP address from a foreign country to target the customer’s server (possibly a bastion host given the name). This foreign IP is listed as a scanning IP according to the Open Threat Exchange™. The user IDs seemed very explicit, indicating that the attacker potentially had access to a list of user IDs (via a phishing attempt or other compromise) and was trying to replicate them to gain access to an internal system. We looked into the usernames to determine if there was any additional activity involving them, but there was none outside of the incident in question.

Reviewing for Additional Indicators

We expanded our search to try and determine an additional point of entry or other IOCs which may be related to this incident, however we were unable to discover any. At this point the activity appeared to be a brute force attack from a known malicious host.

Response

Building the Investigation

Given the urgency of the situation, we created a high-severity investigation. Utilizing the capabilities of the USM platform, the technology that underpins the LevelBlue Managed Threat Detection and Response service, we generated a CSV report for the customer, detailing the event activity we observed so they could have visibility into the events and evolving situation. After attaching our report, we developed our notes to the customer with an analysis of what we observed, recommendations for what to do, and reference material for the indicators.

Customer Interaction

The customer responded by agreeing with the analyst assessment that this was indeed an SSH Brute Force attempt. The customer blocked the foreign IP address for inbound and outbound connections to prevent future compromise attempts. The usernames were ultimately revealed to be invalid, so no further attempts were made to root cause how the attacker generated the list.