The Threat Stack Cloud Investigate Package includes a Threat Intelligence Ruleset. Threat Stack subscribes to a number of open-source and commercial data feeds (e.g. openbl): lists of known-bad IP addresses, which may be botnet command-and-control servers or other malicious hosts. When a monitored instance connects to, or accepts a connection from, one of these IP addresses, an alert is generated. Unfortunately, brute-force or dictionary attacks, in which unsuccessful connection attempts are made against publicly accessible servers, can generate large numbers of alerts that do not represent significant risk. We recommend the following best practices to minimize the number of false positives while still being protected against actual threat intelligence risks:
- Protect your instances using EC2 key pairs and prohibit access with only a username and password.
- For publicly accessible hosts (e.g. web servers):
  - Create an inbound Threat Intelligence Rule that includes a suppression for web access (e.g. ports 80 and 443). Set this to Severity 2 and the threshold to 1 time per hour.
  - Create an inbound Threat Intelligence Rule that only alerts on web access attempts. Set this to Severity 3 and the threshold to a high number (e.g. 40 or 60 times per hour).
- For servers that are not exposed to the public internet, use the default inbound Threat Intelligence Rule.
- Create a login rule for all servers that whitelists the usernames and/or IP addresses from which logins are permitted.
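The rule scheme above (a suppressed, low-threshold rule beside a web-only, high-threshold rule; a default rule for private hosts; a login allowlist) can be reasoned about with a small evaluator. The following is an added illustration written for this article, not Threat Stack's rule engine or API: the feed entries, the connection events, the rule names and the login policy are all constructed sample values, and the per-hour threshold is modelled as fixed hourly windows.

```python
"""Toy evaluator for the alerting scheme recommended above.
Illustration only: not Threat Stack's rule engine, and every value below is constructed."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed stand-in for a threat-intelligence feed: two "known bad" addresses (RFC 5737 ranges).
THREAT_INTEL = frozenset({"198.51.100.7", "203.0.113.9"})
WEB_PORTS = frozenset({80, 443})


@dataclass(frozen=True)
class Rule:
    name: str
    severity: int
    threshold: int                          # alert once this many matches land in one window
    window_seconds: int = 3600              # "per hour"
    direction: str = "inbound"
    only_ports: Optional[frozenset] = None  # None = any local port
    suppress_ports: frozenset = frozenset() # matches on these ports are ignored (suppression)

    def matches(self, event) -> bool:
        return (event["direction"] == self.direction
                and event["remote_ip"] in THREAT_INTEL
                and event["local_port"] not in self.suppress_ports
                and (self.only_ports is None or event["local_port"] in self.only_ports))


# The two inbound rules recommended for publicly accessible hosts (names are hypothetical).
PUBLIC_HOST_RULES = (
    Rule("ti-inbound-non-web", severity=2, threshold=1, suppress_ports=WEB_PORTS),
    Rule("ti-inbound-web-only", severity=3, threshold=40, only_ports=WEB_PORTS),
)
# Default inbound rule for hosts not exposed to the internet: no suppression, fires on first hit.
PRIVATE_HOST_RULES = (Rule("ti-inbound-default", severity=2, threshold=1),)


def evaluate(events, rules):
    """Return one alert per (rule, remote IP, window) whose match count reaches the rule threshold."""
    counts = Counter()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        for rule in rules:
            if not rule.matches(ev):
                continue
            key = (rule.name, ev["remote_ip"], ev["ts"] // rule.window_seconds)
            counts[key] += 1
            if counts[key] == rule.threshold:  # fire exactly once per window, not on every hit
                alerts.append({"rule": rule.name, "severity": rule.severity,
                               "remote_ip": ev["remote_ip"], "window": key[2]})
    return alerts


# Login allowlist (constructed): username -> networks from which that user may log in.
LOGIN_POLICY = {
    "deploy": [ip_network("10.0.0.0/8")],
    "alice": [ip_network("192.0.2.0/24"), ip_network("10.1.2.3/32")],
}


def login_allowed(user, src_ip, policy=LOGIN_POLICY):
    """True only if the user is listed and the source address falls in one of the user's networks."""
    nets = policy.get(user)
    if nets is None:
        return False  # users absent from the allowlist are never permitted
    return any(ip_address(src_ip) in n for n in nets)


def sample_events():
    """Constructed connection records: 50 web hits from one listed IP, one SSH hit from another,
    one SSH hit from an unlisted IP, and one outbound connection to a listed IP."""
    base = 1_700_000_000
    events = [{"ts": base + i, "direction": "inbound", "remote_ip": "198.51.100.7", "local_port": 443}
              for i in range(50)]
    events.append({"ts": base + 100, "direction": "inbound", "remote_ip": "203.0.113.9", "local_port": 22})
    events.append({"ts": base + 101, "direction": "inbound", "remote_ip": "192.0.2.50", "local_port": 22})
    events.append({"ts": base + 102, "direction": "outbound", "remote_ip": "198.51.100.7", "local_port": 6667})
    return events


if __name__ == "__main__":
    for alert in evaluate(sample_events(), PUBLIC_HOST_RULES):
        print(alert)
```

Running it against the constructed events shows the intended effect: the 50 web hits from a listed IP produce a single Severity 3 alert (the web-only rule reaches its threshold of 40) rather than 50 Severity 2 alerts, while the single SSH connection from a listed IP still raises a Severity 2 alert immediately because port 22 is not suppressed. Under the default rule used for private hosts, the same events raise a Severity 2 alert on the first hit from each listed IP.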