Use attack source tracing -

Background information

The feature of attack source tracing processes, aggregates, and visualizes logs from various Alibaba Cloud services by using a big data analytics engine. Then, the feature generates an event chain diagram of intrusions based on the analysis result. This way, you can identify the cause of intrusions and make informed decisions at the earliest opportunity. You can use the feature in scenarios where urgent response and source tracing of threats are required, such as web intrusions, worm events, ransomware, and unauthorized communications to suspicious sources in the cloud.

Security Center generates a chain of automated attack source tracing 10 minutes after a threat is detected. We recommend that you view the information about attack source tracing 10 minutes after an alert is generated.

The feature of attack source tracing can trace the sources of all types of alerts. For more information about alert types, see Alert types.

Only Security Center Enterprise supports the feature of automatic attack source tracing. If you use the Basic, Basic Anti-Virus, or Advanced edition of Security Center, you must upgrade Security Center to the Enterprise edition before you can use the feature.

Note Three months after an alert is generated, the information about attack source tracing for the alert is automatically deleted. We recommend that you view the information about attack source tracing for alerts at the earliest opportunity.

Limits

Attack source tracing is implemented based on a big data analytics engine. If attacks do not form an attack chain, the information about attack source tracing may not be displayed. In this case, you can directly view the details about alerts.
Security Center automatically handles alerts, such as alerts that are triggered by malicious processes, and sets the status of these alerts to Blocked. By default, the information about attack source tracing for malicious processes is not provided.

Procedure

Log on to the Security center console.
In the left-side navigation pane, click Detection > Alerts.
On the Alerts page, find the alert for which the icon is displayed. Then, click the icon.

Click the Diagnosis tab to view the attack name, attack type, affected resources, source IP address, HTTP request details, and details of requests that are sent to launch attacks.
On the Diagnosis tab, you can also view the information about each node in the chain diagram of the attack source tracing event. Click a node. On the Node Attributes page, you can view details about the node.

Examples: Attack source tracing

Worm propagation events
The following figure shows how a worm propagates by using the source IP address of 185.234.*.*. The worm initiates SSH brute-force attacks to log on to the server and runs the curl command by using Bash to download and run mining programs on the server.
Web intrusion events
The following figure shows how an attacker initiates attacks from the IP address of 202.144.*.*. The attacker exploits web vulnerabilities to implant webshells and mining programs into a Linux server. In addition, the attacker writes code to the crond scheduled task to achieve persistence. The node information on the Diagnosis tab helps you understand this process more clearly. In addition, you can view the IP addresses that are used by the attacker and the URL information of suspicious download sources on the Diagnosis tab.

You can click an HTTP attack node to view its details. Traffic data indicates that the attacker exploited unauthorized Apache Solr access vulnerabilities to call API operations and run system commands. To block the attack, we recommend that you fix the vulnerabilities to avoid similar attacks in the future.