In some cases, the attacker might run username and/or password attempts sequentially, providing a clearly identifiable trend for your host intrusion detection or log correlation systems to pick up. False positives should be considered as well, but they should be easy to weed out. For instance, multiple login attempts from the same IP trying to access the same account with the same password might just be a web/mobile app that has yet to be updated or was never supplied the correct credentials in the first place.
Thanks to recent events involving certain celebrities’ stolen pictures, “brute-force attack” is now one of the hot buzzwords making the rounds. As an IT professional, do you know what a brute-force attack is, how to spot one when it happens, and how to prevent it?
A brute-force attack is, simply, an attack on a username, password, or similar secret that systematically checks all possible combinations until the correct one is found. Scripts are usually used in these attacks to automate the process of arriving at the correct username/password combination. This is why time is of the essence when it comes to detecting and stopping a brute-force attack: the more time the attacker has, the more passwords can be tried.
Brute-force attacks are one of the few attacks detectable by their volume rather than their type. In your web (or proprietary app) logs, you’ll usually see a very large number of failed login attempts, usually originating from the same IP address. You might even see the same account logging in over and over with different passwords from different IP addresses. The login URL will show unusually high volume, and you might see odd and/or malformed referring URLs (e.g. http://user:firstname.lastname@example.org/login.html).
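The volume patterns just described, together with the stale-credential false positive mentioned earlier, can be separated with a small amount of log correlation. The following is an added example, not code from the original post or from AlienVault; the log format, the `pwhash` field (a short non-reversible fingerprint of the attempted password) and the thresholds are assumptions, and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the original post). "pwhash" stands for a
# short, non-reversible fingerprint of the attempted password, not the secret itself.
SAMPLE_LOG = """\
2014-09-05T10:00:01 login_failed ip=203.0.113.7 user=alice pwhash=a1f3
2014-09-05T10:00:02 login_failed ip=203.0.113.7 user=alice pwhash=b2c4
2014-09-05T10:00:03 login_failed ip=203.0.113.7 user=alice pwhash=c3d5
2014-09-05T10:00:04 login_failed ip=203.0.113.7 user=alice pwhash=d4e6
2014-09-05T10:00:05 login_failed ip=203.0.113.7 user=alice pwhash=e5f7
2014-09-05T10:00:10 login_failed ip=198.51.100.9 user=bob pwhash=9f9f
2014-09-05T10:00:20 login_failed ip=198.51.100.9 user=bob pwhash=9f9f
2014-09-05T10:00:30 login_failed ip=198.51.100.9 user=bob pwhash=9f9f
2014-09-05T10:00:40 login_failed ip=198.51.100.9 user=bob pwhash=9f9f
2014-09-05T10:00:50 login_failed ip=198.51.100.9 user=bob pwhash=9f9f
2014-09-05T10:01:00 login_failed ip=192.0.2.11 user=carol pwhash=0a0a
2014-09-05T10:01:01 login_failed ip=192.0.2.12 user=carol pwhash=1b1b
2014-09-05T10:01:02 login_failed ip=192.0.2.13 user=carol pwhash=2c2c
"""

LINE_RE = re.compile(r"^(\S+) login_failed ip=(\S+) user=(\S+) pwhash=(\S+)$")

def parse(log_text):
    """Extract failed-login events; lines that do not match the format are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": m[1], "ip": m[2], "user": m[3], "pwhash": m[4]})
    return events

def classify(events, ip_threshold=5, ip_spread=3):
    """Group failures by source IP and by account, then label the patterns."""
    by_ip, by_user_ips = defaultdict(list), defaultdict(set)
    for e in events:
        by_ip[e["ip"]].append(e)
        by_user_ips[e["user"]].add(e["ip"])
    findings = {"brute_force_ip": [], "distributed_on_account": [], "likely_misconfigured_client": []}
    for ip, evs in by_ip.items():
        if len(evs) < ip_threshold:
            continue  # below the volume that makes a single source worth an alarm
        # One account, one password, repeated from one source: a client with stale credentials.
        if len({(e["user"], e["pwhash"]) for e in evs}) == 1:
            findings["likely_misconfigured_client"].append(ip)
        else:
            findings["brute_force_ip"].append(ip)
    for user, ips in by_user_ips.items():
        if len(ips) >= ip_spread:  # one account hit from many sources
            findings["distributed_on_account"].append(user)
    return findings
```

Running `classify(parse(SAMPLE_LOG))` flags 203.0.113.7 as a brute-force source, carol as an account under distributed attack, and 198.51.100.9 as a probable misconfigured client rather than an attacker.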
While brute-force attacks are not exactly an elegant or complex attack type, they can still slip through the cracks when you lack sufficient visibility into your environment’s security. You need a way to minimize the noise so you can prioritize the most immediate threats and respond to them first.
AlienVault Unified Security Management (USM) provides IDS and log correlation powered by built-in correlation rules developed by the AlienVault Labs security research team to notify you immediately when patterns are observed that indicate an attack.
AlienVault USM’s intuitive, easy-to-use alarms dashboard displays threats and categorizes them according to the kill chain taxonomy, starting with the most serious system compromises. The larger the bubble, the more prevalent that type of threat was in the specified time period. By clicking on an individual alarm’s details, you get even more information about the suspect activity.
Here you can see that the log details have been normalized into easy-to-interpret events.
USM also checks the IP information against our Open Threat Exchange (OTX), the largest crowd-sourced threat intelligence exchange. In the example below, you can see details from OTX on the reputation of the IP, including any malicious activities associated with it.
While these events are being logged, normalized, and supplemented with OTX data, USM is watching out for event patterns that might indicate malicious activity. USM defines these attack patterns through built-in correlation directives that are updated weekly by the AlienVault Labs security research team.
Source: THN