Skip to main content

Scenario S-001 - Compromise of Internet-facing VPS

Element	Description
Scenario ID	S-001
Target asset	Public VPS hosting externally exposed services
Threat source	External attacker
Attack vector	Exploitation of vulnerable public service, weak SSH authentication, or exposed administrative interface
Potential impact	Server takeover enabling malicious activities (malware hosting, botnet participation) and possible pivot attempts toward internal infrastructure
Likelihood	🟨 Medium - Internet-facing servers are continuously scanned for exposed services and weak configurations
Impact rating	🟥 High - a compromised VPS may expose hosted services and provide a foothold for further attacks
Risk rating	🟥 High

Mitigation:

Harden SSH configuration (disable root login, enforce key-based authentication).
Restrict administrative access via firewall rules or VPN.
Keep operating system and services regularly patched.
Deploy host-based firewall and intrusion detection mechanisms.
Forward system and authentication logs to the central logging platform (SIEM).
Monitor abnormal authentication attempts or service activity.

Owners:

Ops - VPS provisioning, patch management, firewall configuration.
Sec - monitoring, detection rules, security policies.

References:

ISO 27001 - Control 5.7 Threat intelligence.
ISO 27001 - Control 8.16 Monitoring activities.
ISO 27001 - Control 8.20 Network security.
NIST CSF - PR.PT Protective Technology.
NIST CSF - DE.CM Continuous Monitoring.
NIST CSF - RS.AN Incident Analysis.
EBIOS RM - Threat scenario analysis for exposed infrastructure assets.

Response actions:

Containment - Immediately isolate the VPS from the network and block malicious IP addresses.
Eradication - Remove malicious processes, revoke compromised credentials, and rotate SSH keys.
Recovery - Rebuild the VPS from a trusted image and restore services from verified backups.
Post-incident - Perform root cause analysis, review firewall rules and hardening baseline, and update monitoring rules.