Credential stuffing attack on Auth0

auth0

Classification:

attack

Tactic:

TA0006-credential-access

Technique:

T1110-brute-force

Set up the auth0 integration.

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect Account Take Over (ATO) through credential stuffing attack.

Strategy

To determine a successful attempt: Detect a high number of failed logins from at least ten unique users and at least one successful login for a user. This generates a HIGH severity signal.

To determine an unsuccessful attempt: Detect a high number of failed logins from at least ten unique users. This generates an INFO severity signal.

Triage and response

  1. Inspect the logs to see if this was a valid login attempt.
  2. See if 2FA was authenticated
  3. If the user was compromised, rotate user credentials.

Changelog

13 June 2022 - Updated Keep Alive window and evaluation window to reduce rule noise.