
Brute Force Attack Prevention | Cyware Use Cases

Abstract

A brute force attack is one of the most popular methods used by cybercriminals to crack authentication codes. Learn more in this use case from Cyware.

Category: Analytics and SIEM

Cyware Products Used:

  • Respond: Fusion and threat response solution to manage the brute force attack triage, investigate the attack, and respond automatically using cyber fusion-powered collaboration between your internal security teams.

  • Orchestrate: Security Orchestration solution to manage the playbook and third-party integrations.

Third-Party Integrations Used:

  • Splunk SIEM: To detect and report suspicious brute force attacks.

Problem Statement

A brute force attack is one of the most popular methods used by cybercriminals to crack authentication credentials. The attacker applies trial and error to guess the user's authentication credentials. Although this attack method has existed for many years, it remains one of the most challenging threats for security teams and web application developers. Brute force attacks can lead to the theft of intellectual property and personal information if they are not detected and responded to in time.

Solution

Organizations need a mechanism that can automatically detect brute force attacks from indicators such as brute force source IPs, a rise in brute force statistics, or accounts compromised through brute force. Once detected, the attack indicators must automatically be blocked on the organization’s network.

[Figure: Brute_Force_Attack.svg]

How do we solve this problem?

The Brute Force Attack Detection and Response playbook uses the Splunk SIEM tool to detect failed brute force login attempts and automatically creates an incident in Respond to respond to the threat. The playbook performs the following activities.

  1. Detection: The playbook retrieves any brute force attack alerts from the Splunk SIEM tool. The alert logs contain important details such as source IP address, hostnames, usernames used by the attacker, ports, number of attempts detected, and the time duration of the detected events.

  2. Retrieve Asset Details: Using the alert details retrieved from the Splunk SIEM tool, the playbook performs the following activities.

    1. Searches Respond for details of the infected device. You can also configure a configuration management database (CMDB) tool such as Active Directory to retrieve asset details.

    2. Searches for the devices associated with the source IP address received from the alert and retrieves the details of the asset.

  3. Create CFTR Incident: The playbook automatically creates an incident in Respond using all the initial SIEM alert details and the infected asset details. The affected user details and the port numbers identified on the SIEM alert are also added to the Respond incident.

  4. Response: The playbook performs the following response activities.

    1. Creates a high-priority action in Respond to quarantine the affected host asset. The action notes contain details such as affected asset details and associated Splunk alert ID.

    2. Creates an action in Respond to block the user account observed for the brute force login attempt.

    3. Changes the status of the affected device to Remediation - In Progress on Respond.

  5. Send Notification: After creating response actions, the playbook notifies the affected users about the quarantine of the asset, along with the Respond action details.

  6. Remediation and Closure: More details about the alert are gathered for each incident response phase, and the incident is closed after all the response actions are completed.
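The detection step above relies on the SIEM alert carrying the source IP, hostnames, usernames, ports, attempt count and time span of the failed logins. The following added example (not Cyware's or Splunk's own code) shows the kind of correlation logic behind such an alert: it parses constructed sshd-style log lines, flags any source IP with a threshold of failed logins inside a time window, and emits an alert record with exactly those fields plus a flag for a success following the failures.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd-style log lines (not real data). Fields: timestamp, host, message.
SAMPLE_LOG = """\
2024-03-01T10:00:01 web01 sshd[201]: Failed password for admin from 198.51.100.7 port 51022 ssh2
2024-03-01T10:00:03 web01 sshd[201]: Failed password for admin from 198.51.100.7 port 51023 ssh2
2024-03-01T10:00:05 web01 sshd[201]: Failed password for root from 198.51.100.7 port 51024 ssh2
2024-03-01T10:00:08 web01 sshd[201]: Failed password for admin from 198.51.100.7 port 51025 ssh2
2024-03-01T10:00:10 web01 sshd[201]: Failed password for admin from 198.51.100.7 port 51026 ssh2
2024-03-01T10:00:12 web01 sshd[201]: Accepted password for admin from 198.51.100.7 port 51027 ssh2
2024-03-01T10:05:00 web01 sshd[202]: Failed password for alice from 203.0.113.9 port 40001 ssh2
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return one alert dict per source IP with >= `threshold` failed logins inside `window`.
    The alert carries the fields the playbook ingests from the SIEM: IP, hosts, users, ports, count, span."""
    events = defaultdict(list)  # source IP -> parsed events, in log order
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            e["port"] = int(e["port"])
            events[e["ip"]].append(e)
    alerts = []
    for ip, evs in events.items():
        failures = [e for e in evs if e["result"] == "Failed"]
        # Sliding window: alert at the first run of `threshold` failures that fits inside `window`
        for i in range(len(failures) - threshold + 1):
            last = failures[i + threshold - 1]
            if last["ts"] - failures[i]["ts"] <= window:
                # Did a successful login from the same IP follow the burst of failures?
                success_after = any(e["result"] == "Accepted" and e["ts"] >= last["ts"] for e in evs)
                alerts.append({
                    "src_ip": ip,
                    "hostnames": sorted({e["host"] for e in evs}),
                    "usernames": sorted({e["user"] for e in failures}),
                    "ports": sorted({e["port"] for e in failures}),
                    "attempts": len(failures),
                    "duration_seconds": (failures[-1]["ts"] - failures[0]["ts"]).total_seconds(),
                    "success_after_failures": success_after,
                })
                break  # one alert per source IP
    return alerts
```

On the sample above only 198.51.100.7 is reported (five failures in nine seconds, followed by a success), while the single failure from 203.0.113.9 stays below the threshold.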

Benefits

Timely Detection and Response

By automatically detecting security events such as an unusual number of failed login attempts, or a successful login by a user whose recent login history contains failures, organizations can quickly detect and respond to attacks that are underway and stop them before the attack succeeds.

Reduce Detection and Response Times

A brute force attack can cause severe damage to the data and intellectual property of an organization. Hence, an automated playbook plays an important role in countering the threat at machine speed instead of relying on slower, manual processes.