Detecting SSH Brute Force
Objective
Attackers may gain credential access by using brute force techniques (T1110). If these techniques are used via the network, Threat Defender can detect and block them.
Using event tracking tables and dynamic network segmentation, all SSH connections inside an internal company network are tracked and brute force attempts are detected. The access to internal resources of suspected brute force attackers is blocked.
Creating a Correlation Scenario
First, navigate to Policy > Advanced Correlation. Create a correlation scenario that provides the framework for the required event tracking tables, dynamic network object and rule set.
Creating the Event Tracking Tables
In the correlation scenario, open the Event Tracking Tables tab. Create an event tracking table that stores source ports per IP address.
The following table shows the required settings of the event tracking table:
Name |
Retention Time |
Primary |
Max. No. Primary |
Secondary |
Max. No. Secondary |
|---|---|---|---|---|---|
|
|
|
|
|
|
Note
Under Maximum Number of Primary Attributes, make sure that the table is large enough to fit your network.
For detailed instructions on how to create an event tracking table, refer to Creating an Event Tracking Table.
Creating the Dynamic Network Object
Create a dynamic network object in the correlation scenario that stores the SSH brute forcing clients.
The following table shows the required settings of the dynamic network object:
Name |
Network |
Size |
Timeout |
|---|---|---|---|
|
External |
|
|
For detailed instructions on how to create a dynamic network object in a correlation scenario, refer to Creating a Dynamic Network Object.
Note
Make sure that the size of the dynamic network object is large enough to store all device entries.
Tip
A timeout of 0 means that the entries are not removed automatically.
Creating the Rule Set
To monitor SSH connections and drop traffic from possible attackers, the following three rules are needed in the correlation scenario:
Rule 1 silently drops all traffic from devices stored in the
SSH Brute Forcersnetwork object. This way, identified brute forcing devices are blocked.Rule 2 enters all client IP addresses and source ports of SSH connections into the
ETT SSH - Ports per IPevent tracking table.Rule 3 counts the entries in the
ETT SSH - Ports per IPevent tracking table. If a client IP has more than 20 source ports within ten seconds, this indicates that an SSH brute force attack may be underway. Therefore, all clients with more than 20 entries are added to theSSH Brute Forcersdynamic network object.
The following table shows the required rule settings:
Rule |
Source |
Destination |
Condition |
Actions |
|---|---|---|---|---|
|
|
Final Action: Drop Traffic and Stop Processing |
||
|
|
Add to Event Tracking Table |
||
|
|
Advanced Correlation Condition: |
Dynamic Network Object |
For detailed instructions on how to create a rule in a correlation scenario, refer to Creating Rules in a Correlation Scenario.
Click the APPLY CHANGES button at the top of the menu bar to activate your configuration changes.
Result
Threat Defender monitors all SSH connections and counts the source ports of each client IP address. If it detects client IP addresses that used more than 20 different source ports within ten seconds, this indicates that an SSH brute force attack may be underway.
The originator of the SSH brute force attack is identified. Threat Defender adds it to the dynamic network object to isolate it. Traffic from hosts in this network object is blocked. SSH brute force attacks run by these hosts are stopped.
Note
Once the suspected brute force attack is remedied, you need to flush the content of the dynamic network object. To do so, click the RESET STATE button in the correlation scenario.