Credential stuffing attack on Auth0
Goal
Detect Account Take Over (ATO) through a credential stuffing attack.
Strategy
To determine a successful attempt: Detect a high number of failed logins from at least ten unique users and at least one successful login for a user. This generates a HIGH severity signal.
To determine an unsuccessful attempt: Detect a high number of failed logins from at least ten unique users. This generates an INFO severity signal.
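The two cases above, written out as an added example over one evaluation window of Auth0 log events (this is not the rule's own query). Assumptions: events are grouped by source IP, the `type`, `ip` and `user_name` fields carry Auth0's event code, client address and login name, and `MIN_FAILED_LOGINS` is a stand-in for "a high number", which the rule text does not quantify.

```python
from collections import defaultdict

# Assumptions (not from the rule text): Auth0 event type codes, grouping by
# source IP, and the failed-login threshold. The ten-user floor is from the rule.
FAILED_TYPES = {"f", "fp", "fu"}   # failed login, wrong password, unknown user
SUCCESS_TYPES = {"s"}              # successful login
MIN_UNIQUE_USERS = 10
MIN_FAILED_LOGINS = 20             # assumed value for "a high number"


def classify(events, min_failed=MIN_FAILED_LOGINS, min_users=MIN_UNIQUE_USERS):
    """Return {ip: "HIGH" | "INFO"} for one evaluation window of events."""
    failed_count = defaultdict(int)
    failed_users = defaultdict(set)
    success_seen = set()
    for ev in events:
        ip, kind = ev["ip"], ev["type"]
        if kind in FAILED_TYPES:
            failed_count[ip] += 1
            failed_users[ip].add(ev["user_name"])
        elif kind in SUCCESS_TYPES:
            success_seen.add(ip)

    signals = {}
    for ip, count in failed_count.items():
        if count >= min_failed and len(failed_users[ip]) >= min_users:
            signals[ip] = "HIGH" if ip in success_seen else "INFO"
    return signals


def constructed_events():
    """Constructed sample data: three sources inside one window."""
    events = []
    # 24 failures across 12 users, then one success: HIGH
    for i in range(24):
        events.append({"ip": "203.0.113.7", "user_name": f"user{i % 12}", "type": "fp"})
    events.append({"ip": "203.0.113.7", "user_name": "user3", "type": "s"})
    # 30 failures across 15 users, no success: INFO
    for i in range(30):
        events.append({"ip": "198.51.100.9", "user_name": f"acct{i % 15}", "type": "fu"})
    # One user mistyping a password 25 times: below the user floor, no signal
    for _ in range(25):
        events.append({"ip": "192.0.2.4", "user_name": "alice", "type": "fp"})
    return events


if __name__ == "__main__":
    print(classify(constructed_events()))
```

The third source shows why the unique-user floor matters: a single account failing repeatedly looks like a forgotten password or a targeted brute force, not credential stuffing.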
Triage and response
- Inspect the logs to see if this was a valid login attempt.
- See if 2FA was authenticated.
- If the user was compromised, rotate user credentials.
Changelog
13 June 2022 - Updated Keep Alive window and evaluation window to reduce rule noise.