AWS-Cloudtrail-ExcessiveFailedLoginsonAWSConsole (26-07-2023)

AWS Cloudtrail - Excessive Failed Logins on AWS Console
The rule detects excessive login failures in the AWS console.
Check the pattern of the attempts: timelines and user names.
Check whether the user has performed a password reset in the last 24 hours or beyond.
Verify whether the login failures are observed from the same source IP or from different IPs.
Check from which source IP the logins are being attempted: external or internal IP.
If external: check the reputation of the identified source address on open-source TI sites (VirusTotal, MX Toolbox, AbuseIPDB), and check its historical threat associations and geolocation details.
If internal: check what the logs show about this system over the last 24 hours and the last 7 days.
Record the user account being used for the brute-force logins.
Understand the user's role and privileges.
Check the historical details of what type of actions this user normally performs. Check their actions for the last 24 hours and then extend the time window based on context.
Determine whether the action is first-time activity for the user account or was executed in the past by running the query over the last 7 days, extending the time frame if needed.
Check with the user: is this the user doing this, or somebody else who has obtained credential access?
Look for similar alerts observed for different usernames from the same source IP.
Check whether the user account has been locked out after multiple failed attempts.
Verify whether a failed logon was followed by a successful logon.
Check the pattern of the incoming login-failure traffic, especially the time intervals between attempts.
Check whether these events were triggered by a logon script; if so, request the owning team to validate and confirm that the correct credentials are updated.
If the public IP used is malicious or is not a recognized IP, request that the IP be blocked at the firewall.
If this was unexpected activity, reset the account credentials following a strong password policy.
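As an added example (not part of the original playbook), a small Python triage helper that applies several of the identification checks above to constructed sample CloudTrail ConsoleLogin records: failures per user and source IP, several usernames tried from one IP, a failure followed by a success, and the spacing between attempts. The field names follow the CloudTrail console sign-in event format; the timestamps, usernames and IP addresses are constructed sample values.

```python
import json
from collections import defaultdict
from datetime import datetime

def _event(ts, user, ip, result):
    """Build a minimal ConsoleLogin record using CloudTrail's field names."""
    return json.dumps({
        "eventName": "ConsoleLogin", "eventTime": ts, "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "userName": user},
        "responseElements": {"ConsoleLogin": result}})

# Constructed sample log lines (not real data): three quick failures for alice
# from one IP, then a success from that IP, one failure for bob from the same
# IP, and one isolated failure for alice from a second IP.
SAMPLE_LOG = [
    _event("2023-07-26T09:00:00Z", "alice", "198.51.100.7", "Failure"),
    _event("2023-07-26T09:00:05Z", "alice", "198.51.100.7", "Failure"),
    _event("2023-07-26T09:00:10Z", "alice", "198.51.100.7", "Failure"),
    _event("2023-07-26T09:00:40Z", "alice", "198.51.100.7", "Success"),
    _event("2023-07-26T09:01:00Z", "bob", "198.51.100.7", "Failure"),
    _event("2023-07-26T10:30:00Z", "alice", "203.0.113.9", "Failure"),
]

def triage(lines, threshold=3):
    """Summarise ConsoleLogin events along the playbook's identification steps."""
    events = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("eventName") != "ConsoleLogin":
            continue
        events.append((
            datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
            rec["userIdentity"].get("userName", "<unknown>"),
            rec["sourceIPAddress"],
            rec["responseElements"]["ConsoleLogin"] == "Failure"))
    events.sort()  # chronological order so "failure then success" is meaningful
    failures = defaultdict(list)      # (user, ip) -> timestamps of failed logins
    users_per_ip = defaultdict(set)   # ip -> usernames that failed from it
    success_after_failure = set()     # users who succeeded after failing from the same IP
    for ts, user, ip, failed in events:
        if failed:
            failures[(user, ip)].append(ts)
            users_per_ip[ip].add(user)
        elif failures.get((user, ip)):
            success_after_failure.add(user)
    return {
        "excessive": {k: len(v) for k, v in failures.items() if len(v) >= threshold},
        "spraying_ips": {ip: sorted(u) for ip, u in users_per_ip.items() if len(u) > 1},
        "failure_then_success": sorted(success_after_failure),
        "min_gap_seconds": {k: min((b - a).total_seconds() for a, b in zip(v, v[1:]))
                            for k, v in failures.items() if len(v) > 1},
    }
```

A very small minimum gap between attempts points at automation rather than a user mistyping a password, and a success following a burst of failures from the same IP is the case that warrants the credential reset step above.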
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html#cloudtrail-aws-console-sign-in-events-iam-user-failure