Threat Management
Classification: CONFIDENTIAL — Internal Use Only
This document defines the threat categories relevant to GPUS-IT infrastructure, the current detection capabilities, and the initial response approach for each.
Threat Categories
DNS-Specific Threats
| Threat | Detection | Response |
|---|---|---|
| DNS cache poisoning | DNSSEC validation on RAIN; bind_exporter anomaly alerts | Flush resolver cache; review BIND logs in Kibana |
| Zone transfer hijacking | Firewall restricts AXFR to RAIN only; auditd zone change events | Rotate TSIG keys; review access logs |
| DNS amplification (DDoS) | Prometheus query rate spike → P3 alert | Rate-limit recursion; null-route attacking source |
| NXDOMAIN flood | bind_exporter NXDOMAIN rate metric in Grafana | Review firewall drops index; block source at perimeter |
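As an added example, not GPUS-IT's own rule set, the following Prometheus alerting rules express the two bind_exporter-driven detections above (query rate spike and NXDOMAIN rate) with the P3 severity from the matrix below. The metric names `bind_incoming_queries_total` and `bind_responses_total{result="NXDOMAIN"}` follow bind_exporter's naming conventions and, like the thresholds, are assumptions to be checked against the deployed exporter.

```yaml
# Added example rule group; thresholds are placeholders to tune per resolver.
groups:
  - name: dns-threats
    rules:
      # DNS amplification / DDoS: 5-minute query rate on a resolver exceeds
      # three times its own rate for the preceding hour (offset 1h baseline).
      - alert: DnsQueryRateSpike
        expr: |
          sum by (instance) (rate(bind_incoming_queries_total[5m]))
            > 3 * sum by (instance) (rate(bind_incoming_queries_total[1h] offset 1h))
        for: 5m
        labels:
          severity: P3
        annotations:
          summary: "DNS query rate on {{ $labels.instance }} is >3x the previous-hour baseline"
          runbook: "Threat Management: DNS amplification (DDoS) row"

      # NXDOMAIN flood: more than half of all responses are NXDOMAIN and the
      # absolute NXDOMAIN rate is high enough to rule out a single broken client.
      - alert: DnsNxdomainFlood
        expr: |
          (
            sum by (instance) (rate(bind_responses_total{result="NXDOMAIN"}[5m]))
              / sum by (instance) (rate(bind_responses_total[5m]))
          ) > 0.5
          and
          sum by (instance) (rate(bind_responses_total{result="NXDOMAIN"}[5m])) > 100
        for: 5m
        labels:
          severity: P3
        annotations:
          summary: "NXDOMAIN responses on {{ $labels.instance }} exceed 50% of traffic at >100/s"
          runbook: "Threat Management: NXDOMAIN flood row"
```

Route `severity: P3` through Alertmanager to the same receiver as the Grafana P3 rules so the 4-hour initial response window applies consistently.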
Host-Level Threats
| Threat | Detection | Response |
|---|---|---|
| Unauthorized access | SSH auth-logs-* index; Grafana P1 alert on failed logins | Lock account; review sudo log; initiate IRP |
| File integrity violation | AIDE daily check; mismatch reported in asset-inventory.log | Isolate server; compare against backup; initiate IRP |
| Privilege escalation | auditd sudo rules; auth-logs-* in Kibana | Terminate session; review audit trail; reset credentials |
| Malware / rootkit | AIDE mismatch; Prometheus anomalous process metrics | Snapshot for forensics; rebuild from backup |
Network Threats
| Threat | Detection | Response |
|---|---|---|
| Lateral movement | firewall-drops-* index; unusual traffic to management VLAN | Block at firewall; review VPN logs; initiate IRP |
| VPN tunnel compromise | Cloud VPN status check; IKEv2 renegotiation alerts | Re-key VPN; rotate PSK; review GCP audit logs |
| Data exfiltration | VPC Flow Logs in GCP; anomalous outbound volume | Block egress; initiate IRP; notify CISO |
Severity Matrix
| Severity | Definition | Initial Response Time |
|---|---|---|
| P1 | Service outage or confirmed breach | Immediate (< 15 min) |
| P2 | Service degradation or suspected breach | < 1 hour |
| P3 | Anomalous activity requiring investigation | < 4 hours |
| P4 | Informational — monitor and log | Next business day |
| Tool | Location | What It Monitors |
|---|---|---|
| Grafana | SUN:3000 | Infrastructure metrics; P1–P4 alert rules |
| Kibana | WIND:5601 | All logs: DNS, DHCP, auth, firewall drops |
| AIDE | All four servers | Daily file integrity |
| auditd | All four servers | Privileged commands, file access, auth events |
| VPC Flow Logs | GCP | Cloud network traffic |
See Incident Response Plan for the full response procedure.
Threat Management · v1.1 · 2026-03-14 · GPUS-IT · Classification: CONFIDENTIAL — Internal Use Only