Bruteforce attack

Goal

Detect Account Takeover (ATO) attempts on services. ATO attempts include brute force, dictionary, and distributed credential stuffing attacks.

This detection rule is designed to detect brute force attempts, where a single IP address repeatedly attempts to log in to one account with different passwords until one of them succeeds.

Strategy

Monitor login events and track failed logins. Generate a Low severity signal when an IP address exceeds the threshold of 15 failed logins to a single user account. Increase signal severity to Critical and identify the compromised account when the IP address has a successful login to this same account.
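The following is an added worked example of the strategy above, written for this page rather than taken from the detection rule's own implementation. It counts failed logins per (source IP, target account) pair, opens a Low severity signal when the count reaches the page's threshold of 15, and escalates that signal to Critical, naming the compromised account, when the same IP later logs in to the same account successfully. The event shape (a dict with `ts`, `ip`, `user`, `outcome`), the sample addresses and usernames are all constructed for the example; a production rule would also bound the count by an evaluation window, which is left out here.

```python
from collections import defaultdict

# Threshold stated in the page's strategy section.
FAILED_LOGIN_THRESHOLD = 15


def constructed_login_events():
    """Constructed sample login events (not real log data).

    Each event is a dict: ts (ISO-8601 string), ip, user, outcome ('failure'|'success').
    """
    events = []
    # Scenario 1: 15 failures followed by a success from one IP against 'alice'.
    for i in range(15):
        events.append({"ts": f"2024-01-01T10:00:{i:02d}Z", "ip": "203.0.113.7",
                       "user": "alice", "outcome": "failure"})
    events.append({"ts": "2024-01-01T10:00:15Z", "ip": "203.0.113.7",
                   "user": "alice", "outcome": "success"})
    # Scenario 2: 15 failures with no success from another IP against 'carol'.
    for i in range(15):
        events.append({"ts": f"2024-01-01T10:01:{i:02d}Z", "ip": "192.0.2.9",
                       "user": "carol", "outcome": "failure"})
    # Scenario 3: 3 failures then a success against 'bob' (a user mistyping a
    # password); below threshold, so no signal should be raised.
    for i in range(3):
        events.append({"ts": f"2024-01-01T10:02:{i:02d}Z", "ip": "198.51.100.3",
                       "user": "bob", "outcome": "failure"})
    events.append({"ts": "2024-01-01T10:02:03Z", "ip": "198.51.100.3",
                   "user": "bob", "outcome": "success"})
    return events


def evaluate_brute_force(events, threshold=FAILED_LOGIN_THRESHOLD):
    """Apply the brute force detection strategy to a sequence of login events.

    Returns a dict keyed by (ip, user). Each value describes the signal raised for
    that pair: severity 'Low' once the failure count reaches the threshold, and
    'Critical' (with compromised_account set) if a success follows from the same
    IP on the same account. Pairs that never reach the threshold produce no entry.
    """
    failures = defaultdict(int)  # (ip, user) -> number of failed logins seen
    signals = {}
    for event in events:
        key = (event["ip"], event["user"])
        if event["outcome"] == "failure":
            failures[key] += 1
            if failures[key] >= threshold and key not in signals:
                # Threshold reached: open a Low severity signal for this pair.
                signals[key] = {
                    "severity": "Low",
                    "failed_logins": failures[key],
                    "first_seen": event["ts"],
                    "compromised_account": None,
                }
            elif key in signals:
                signals[key]["failed_logins"] = failures[key]
        elif event["outcome"] == "success" and key in signals:
            # A success after the threshold was crossed: the attacker most likely
            # found the password, so escalate and name the account.
            signals[key]["severity"] = "Critical"
            signals[key]["compromised_account"] = event["user"]
            signals[key]["success_at"] = event["ts"]
    return signals


if __name__ == "__main__":
    for (ip, user), signal in evaluate_brute_force(constructed_login_events()).items():
        print(f"{ip} -> {user}: {signal['severity']} "
              f"({signal['failed_logins']} failed logins, "
              f"compromised={signal['compromised_account']})")
```

Running the block prints one line per signal: the alice pair comes out as Critical with the account named, the carol pair stays Low, and the bob pair (3 failures, then a success) raises nothing, which is the behaviour the strategy describes.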

Triage and response

  1. Consider blocking the attacking IP addresses temporarily to slow attacks.
  2. Check compromised accounts, suspend account access temporarily, and force password change.
  3. Implement and enable Multi-Factor Authentication (MFA) when possible.