Outbound SSH traffic indicating brute force activity
Description
AlphaSOC detected outbound traffic patterns consistent with SSH brute-force attacks: a system opens a large number of short-lived SSH connections (normally TCP port 22) to external hosts within a short period. This behavior typically indicates that an internal system has been compromised and is being used to discover SSH servers across the internet or to guess credentials on them.
Impact
Compromised systems conducting SSH brute-force attacks can lead to unauthorized access to external systems, damaging the organization's reputation and potentially resulting in legal liability. Additionally, the compromised internal system may be part of a larger botnet, consuming network resources and potentially causing the organization's IP space to be blocklisted by internet service providers and reputation services.
Severity
| Severity | Condition |
|---|---|
| Low | Suspicious outbound SSH traffic to a single IP address |
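The detection logic described above, run over constructed flow records, as an added example (not AlphaSOC's own code or detection model): it counts short outbound connections to TCP port 22 per internal source in a sliding window and rates a hit against the severity table. The window, connection and byte thresholds, the internal address ranges and the "Medium" severity for many destinations (the page defines only the Low row) are assumptions for illustration.

```python
"""Toy detector for outbound SSH brute-force patterns.

Added example, not AlphaSOC code. Flow records are tuples of
(timestamp, src_ip, dst_ip, dst_port, bytes_out); the sample data below
is constructed for the demo and is not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed thresholds; tune to the environment.
WINDOW = timedelta(minutes=5)
MIN_CONNECTIONS = 20        # port-22 connections from one source within WINDOW
MAX_BYTES_PER_CONN = 4096   # failed logins move little data; real sessions move more

# Assumed organization address space: anything outside it counts as external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip: str) -> bool:
    """True when the address is outside the assumed internal ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def classify(destinations) -> str:
    """Severity per the table above: Low for a single external IP.
    'Medium' for several destinations is an assumed extension, not defined on this page."""
    return "Low" if len(destinations) == 1 else "Medium"


def detect_ssh_bruteforce(flows):
    """Return one alert per internal source whose short outbound SSH
    connections exceed MIN_CONNECTIONS inside any WINDOW-sized interval."""
    per_src = defaultdict(list)
    for ts, src, dst, dport, bytes_out in flows:
        if dport == 22 and is_external(dst) and bytes_out <= MAX_BYTES_PER_CONN:
            per_src[src].append((ts, dst))

    alerts = []
    for src, events in per_src.items():
        events.sort()
        start = 0
        best = None  # (count, start_index, end_index) of the densest window
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > WINDOW:
                start += 1
            count = end - start + 1
            if count >= MIN_CONNECTIONS and (best is None or count > best[0]):
                best = (count, start, end)
        if best:
            count, start, end = best
            dsts = sorted({d for _, d in events[start:end + 1]})
            alerts.append({
                "src": src,
                "window_start": events[start][0],
                "connections": count,
                "destinations": dsts,
                "severity": classify(dsts),
            })
    return alerts


def sample_flows():
    """Constructed flow records (not real data) covering three cases."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    flows = []
    # 10.0.0.5: an admin with three long SSH sessions to one host; benign.
    for i in range(3):
        flows.append((t0 + timedelta(minutes=10 * i), "10.0.0.5", "203.0.113.10", 22, 250_000))
    # 10.0.0.7: 25 short connections to a single external host within two minutes.
    for i in range(25):
        flows.append((t0 + timedelta(seconds=5 * i), "10.0.0.7", "198.51.100.4", 22, 900))
    # 10.0.0.9: 30 short connections to 30 different external hosts within three minutes.
    for i in range(30):
        flows.append((t0 + timedelta(seconds=6 * i), "10.0.0.9", f"192.0.2.{i + 1}", 22, 700))
    return flows


if __name__ == "__main__":
    for alert in detect_ssh_bruteforce(sample_flows()):
        print(alert["severity"], alert["src"], alert["connections"],
              "connections to", len(alert["destinations"]), "destination(s)")
```

The byte-count filter is what separates the admin's real sessions from the guessing host: an authentication failure exchanges only a few kilobytes, while an interactive session does not. In production the same logic would read NetFlow/IPFIX or firewall logs instead of the constructed list, and the single-destination case maps to the Low row above.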
Investigation and Remediation
Investigate the source system for signs of compromise: identify the process opening the SSH connections and confirm whether it belongs to an authorized tool (for example a vulnerability scanner or a configuration-management job) or to unknown software, and review recently added users, cron jobs and services for persistence. If the activity is not authorized, isolate the affected system from the network and perform a thorough malware scan before returning it to service.