- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Remote Desktop Protocol (RDP) is a widely used technology that allows users to remotely access and control computers and servers over a network connection. It is commonly used by organizations for various purposes, such as remote administration, technical support, and telecommuting.
However, the convenience of RDP also comes with potential risks. RDP has been a common target for cybercriminals who exploit vulnerabilities, weak authentication, or misconfigurations to gain unauthorized access to systems. And according to the Unit 42 Cloud Threat Report, 73% of organizations have RDP exposed to the public internet.
RDP brute force refers to a type of cyberattack in which an attacker systematically attempts to gain unauthorized access to a network by repeatedly guessing or "brute forcing" the password of an RDP account.
RDP brute force attacks can be carried out by malicious actors with various motivations, including stealing sensitive data, gaining control of a system for further exploitation, or causing disruption to the targeted network or system. These attacks can be particularly effective if the passwords used are weak or easily guessed.
“Nearly one out of every four issues we found on the attack surface was related to an exposed RDP server” - 2022 Attack Surface Threat Report
A successful RDP brute force attack may be the last step before the attacker moves laterally in the network and achieves his final goal, so it is important to quickly and efficiently detect, investigate, and respond to RDP brute force alerts.
Unit 42 research shows that services exposed to the internet are often scanned and targeted opportunistically by attackers.
Investigate and respond to external RDP brute force alerts using XSOAR
The Cortex XDR - Possible External RDP Brute-Force content pack was designed to automate the incident investigation and response process and help SOC teams speed up response.
Key Playbook Automations
Indicator Enrichment
Enriches information on IP addresses for both compromised users and attackers. Cortex XSOAR will automatically gather the following information:
If the attacker’s IP is detected as known malicious IP, XSOAR will execute an initial automated, or semi-automated, response action that includes blocking the attacker’s IP and disabling the compromised user.
Threat Hunting and Investigation
The next steps include performing an automated deep dive investigation and exploring the following investigation criteria:
Set Incident Verdict
There are three key factors used in the playbook to determine whether the incident is malicious, with the verdict presented to the analyst in our incident layout window:
Response Actions
When the final verdict is determined to be malicious, XSOAR will initiate the following automated/semi-automated response procedures:
Incident Window for Analyst Review
Once a Cortex XDR incident contains “Possible External RDP Brute-Force” alert is ingested, a new tab will be created under the “Cortex XDR Incident” layout that contains the RDP Brute Force investigation details. The layout tab contains the following:
In conclusion
A well-defined playbook for investigating and responding to RDP brute force alerts is crucial for safeguarding your systems. Stay vigilant, proactive, and prepared, and regularly update your playbook to stay ahead of evolving threats. With a coordinated response and strong security measures in place, you can effectively defend against RDP brute force attacks and protect your organization's critical assets.
For more information on this pack and other automation use cases, visit our Cortex Marketplace.
Don’t have Cortex XSOAR? Download our free Community Edition today to test out this playbook and hundreds more automations for common use cases you deal with daily in your security operations or SOC.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Subject | Likes |
---|---|
3 Likes | |
1 Like | |
1 Like | |
1 Like | |
1 Like |
User | Likes Count |
---|---|
3 | |
2 | |
1 | |
1 | |
1 |