Automated Responses

Creating Defenses

Defenses

When defining a response, you can associate a set of defensive countermeasures to be run when an incoming alert is dispatched. Defenses can be useful to stop or slow an attacker while you mount a fuller response. They are especially useful for preventing Advanced Persistent Threats from gaining a foothold.

Defenses are created from the Response page. Click on the Add Defense button and the defense dialog will be displayed.

Add Defense

First select the appropriate defense name. After selecting the defense, relevant parameter fields may be displayed. For example, the run-http defense will prompt for the HTTP method, URL, headers and POST data. You can add multiple defenses for a single response.

List of Defenses

block-attacker

This defense blocks the attacker at the local host (iptables) firewall. The attacker will be immediately banned from the host. You can specify the duration for the ban in seconds and a list of IP addresses to exempt from the ban.

kill-process

This defense will kill a banned process. This defense can only be used by the banned-process threat check. It takes no parameters and will kill the offending process.

run-command

The run-command defense can be used to run any local command on the host. The command should be an absolute path name to a program or script. The command is run as root.

run-http

This defense can be used to run arbitrary HTTP requests. The parameters are:

run-lambda

Run an AWS Lambda function. This will take the parameters:

slow-attacker

This defense will slow the attacker's network traffic. This can be useful to slow the attacker without making the attacker aware they have been detected.

stop-host

Stop the affected host. This will issue an AWS Stop Instance command. All ephemeral instance data is lost.

terminate-host

Terminate the affected host. This will issue an AWS Terminate Instance command. The instance is lost.
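The following is an added example, not SenseDeep's code: it models the defense types listed above, checks a defense configuration against the rules stated in the text (kill-process only with the banned-process threat check, run-command needs an absolute path, block-attacker takes a positive duration and an exemption list), and renders block-attacker as the host iptables commands the ban implies. The iptables command form and the parameter names (command, duration, exempt) are assumptions, not the product's actual API.

```python
"""Added example (not SenseDeep's code): validate defense configurations per the
rules in the documentation and show what a block-attacker ban implies."""
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address

KNOWN_DEFENSES = {"block-attacker", "kill-process", "run-command", "run-http",
                  "run-lambda", "slow-attacker", "stop-host", "terminate-host"}
# Stated on the page: kill-process can only be used by the banned-process check.
THREAT_CHECK_ONLY = {"kill-process": "banned-process"}


@dataclass
class Defense:
    name: str
    params: dict = field(default_factory=dict)  # parameter names are assumed


def validate(defense: Defense, threat_check: str) -> list[str]:
    """Return the problems found; an empty list means the config is usable."""
    errors: list[str] = []
    if defense.name not in KNOWN_DEFENSES:
        return [f"unknown defense {defense.name!r}"]
    required = THREAT_CHECK_ONLY.get(defense.name)
    if required and threat_check != required:
        errors.append(f"{defense.name} requires the {required} threat check")
    if defense.name == "run-command":
        # The command runs as root, so insist on the absolute path the docs require.
        if not defense.params.get("command", "").startswith("/"):
            errors.append("run-command needs an absolute path")
    if defense.name == "block-attacker":
        if int(defense.params.get("duration", 0)) <= 0:
            errors.append("block-attacker duration must be a positive number of seconds")
        for ip in defense.params.get("exempt", []):
            ip_address(ip)  # raises ValueError on a malformed exemption entry
    return errors


def block_attacker_commands(attacker: str, duration: int, exempt: list[str]) -> list[str]:
    """Assumed iptables form of the ban: insert a DROP rule, remove it after the
    duration. Exempt addresses (e.g. your own management hosts) are never banned."""
    if attacker in exempt:
        return []
    return [
        f"iptables -I INPUT -s {attacker} -j DROP",
        f"sleep {duration} && iptables -D INPUT -s {attacker} -j DROP",
    ]
```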

Notifications

See Also

© SenseDeep® LLC. All rights reserved. Generated at 05:29:12 Sep 22, 2017.