Thursday, October 27, 2011

Common Attacks 1- Password Guessing

Password guessing is a constant activity against applications and services that face the public Internet, and it is also carried out on internal networks by malicious insiders. Dictionary and brute-force attacks are the most common mechanisms used for password guessing. One practical way to investigate remote password attacks is to analyse the authentication logs of enterprise applications as collected by SIEM products (Security Information and Event Management). The investigation to be carried out for this type of attack is discussed briefly here.

The SIEM should collect authentication logs from every system in the enterprise that can be targeted by password guessing.
• Log events showing a high count of invalid credentials for a single account on one application indicate a brute-force or dictionary attack against that account; the same pattern spread across many systems indicates the attacker is working through a list of accounts.
• Log events with common or standard user names (administrator, root, admin, built-in service accounts) tried across many systems indicate an attempt to find a system where a default account still has a guessable password.
• Log events showing simple or default credential combinations being tried point to the same attack.

Hence a successful login after many failed attempts from the same source, a login from an unusual IP address and/or at unusual hours, and a login to a dormant account that is normally never used are the situations to investigate and to focus on during log analysis in the SIEM. They are easily detected with SIEM correlation rules: a rule that fires on a run of invalid authentication attempts followed by a successful authentication from the same source automates both the investigation and the confirmation of the attack.

Once the attack is confirmed, the next step is an extended analysis of what the investigation turned up. I call this 'SIT' analysis: Source analysis, Impact analysis and Target analysis.
• Source analysis identifies the party performing the attack and matches that against other activity from the same IP address or the same network range, including any successful logins it made elsewhere.
• Impact analysis establishes the overall impact of the activity on the IT environment.
• Target analysis establishes whether the targeted accounts and systems were affected by the attack in any material way, for example whether the guessed account was actually used after the successful login.
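As an added example (not code from the original post), the three correlation checks described above and the Source-analysis pivot, run over a handful of constructed authentication events. The event format (timestamp, host, outcome, user, source IP) is an assumed normalized SIEM export, and the thresholds (5 failures in 5 minutes, 3 hosts for spraying, 07:00-19:00 business hours) are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs) in an assumed normalized format:
# timestamp host outcome user src_ip
SAMPLE_EVENTS = """\
2011-10-27T02:14:01 vpn01 FAIL alice 203.0.113.45
2011-10-27T02:14:03 vpn01 FAIL alice 203.0.113.45
2011-10-27T02:14:05 vpn01 FAIL alice 203.0.113.45
2011-10-27T02:14:07 vpn01 FAIL alice 203.0.113.45
2011-10-27T02:14:09 vpn01 FAIL alice 203.0.113.45
2011-10-27T02:14:11 vpn01 SUCCESS alice 203.0.113.45
2011-10-27T09:00:10 mail01 FAIL admin 198.51.100.7
2011-10-27T09:00:12 web01 FAIL admin 198.51.100.7
2011-10-27T09:00:14 db01 FAIL admin 198.51.100.7
2011-10-27T09:00:16 vpn01 FAIL admin 198.51.100.7
2011-10-27T09:30:00 web01 FAIL bob 192.0.2.10
2011-10-27T09:30:40 web01 SUCCESS bob 192.0.2.10
2011-10-27T09:45:00 fileshare01 SUCCESS alice 203.0.113.45
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<outcome>FAIL|SUCCESS)\s+"
    r"(?P<user>\S+)\s+(?P<src_ip>\S+)$"
)


def parse_events(text):
    """Parse the normalized lines into dicts sorted by time; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def failures_then_success(events, threshold=5, window=timedelta(minutes=5)):
    """Rule 1: `threshold` or more FAILs for the same (source IP, user) inside `window`,
    followed by a SUCCESS. This is the 'attack confirmed' rule from the text."""
    recent = defaultdict(deque)   # (src_ip, user) -> timestamps of recent failures
    alerts = []
    for ev in events:
        key = (ev["src_ip"], ev["user"])
        q = recent[key]
        while q and ev["ts"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if ev["outcome"] == "FAIL":
            q.append(ev["ts"])
        else:
            if len(q) >= threshold:
                alerts.append({"src_ip": ev["src_ip"], "user": ev["user"], "host": ev["host"],
                               "failures": len(q), "success_at": ev["ts"]})
            q.clear()   # a success ends the run either way
    return alerts


def username_spray(events, min_hosts=3):
    """Rule 2: one source trying the same user name against many distinct systems
    (the common/standard-account pattern)."""
    hosts = defaultdict(set)
    for ev in events:
        if ev["outcome"] == "FAIL":
            hosts[(ev["src_ip"], ev["user"])].add(ev["host"])
    return [{"src_ip": ip, "user": u, "hosts": sorted(h)}
            for (ip, u), h in hosts.items() if len(h) >= min_hosts]


def off_hours_success(events, start_hour=7, end_hour=19):
    """Rule 3: successful logins outside the assumed business hours."""
    return [ev for ev in events
            if ev["outcome"] == "SUCCESS" and not (start_hour <= ev["ts"].hour < end_hour)]


def source_analysis(events, src_ip):
    """SIT Source pivot: every event from the confirmed attacking address,
    which surfaces the later success on fileshare01 that no single rule fired on."""
    return [ev for ev in events if ev["src_ip"] == src_ip]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for a in failures_then_success(evs):
        print("CONFIRMED:", a)
    for s in username_spray(evs):
        print("SPRAY:", s)
    for o in off_hours_success(evs):
        print("OFF-HOURS:", o["user"], o["host"], o["ts"])
    for ev in source_analysis(evs, "203.0.113.45"):
        print("PIVOT:", ev["ts"], ev["host"], ev["outcome"], ev["user"])
```

On the sample data the first rule confirms the attack on alice from 203.0.113.45 (five failures then a success in ten seconds), the spray rule flags admin being tried against four systems from 198.51.100.7, the off-hours rule flags the 02:14 login, and the Source pivot shows the same address reaching fileshare01 later that morning, which is the lead for the Target analysis. bob's single failure followed by success is ordinary user behaviour and is correctly ignored.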

Every investigation, even a minor one, leads to action items. Confirmed authentication attacks should always trigger an immediate response, even for non-privileged accounts. Response actions include forcing a password change for the affected accounts (or for all enterprise users where the scope is unclear), de-provisioning or disabling the compromised account, blocking the external source IP, and increasing monitoring of the target systems and network. An enterprise keeps its network secure by continuously investigating the attacks against it and taking the right actions in response to those investigations.