Thanks to recent events involving certain celebrities’ stolen pictures, “brute-force attack” is now one of the hot buzz words making its rounds. As an IT professional - do you know what a brute force attack is, how to spot one when it happens, and how to prevent it?
A brute-force attack is, simply, an attack on a username, password, etc. that systematically checks all possible combinations until the correct one is found.
Scripts are usually used in these attacks to automate the process of arriving at the correct username/password combination. This is why time is of the essence when it comes to detecting and stopping a brute force attack – the more time the attacker has, the more passwords can be tried. Brute force attacks are one of the few hacks detectable by their volume, rather than their type. In your web (or proprietary app) logs, you’ll usually see a crazy amount of failed login attempts, usually originating from the same IP address.
In some cases, the attacker might run usernames and/or password attempts sequentially, providing a nice identifiable trend for your host intrusion detection or log correlation systems to pick up. False positives should be considered as well but should be easy to weed out. For instance, multiple login attempts from the same IP trying to access the same account with the same password might just be a web/mobile app that has yet to be updated or was not supplied the correct credentials in the first place.
While brute force attacks are not exactly an elegant or complex attack type, they can still slip through the cracks when you lack sufficient visibility into your environment’s security. You need a way to minimize the noise so you can prioritize the most immediate threats and respond to them first. AlienVault Unified Security Management (USM) provides IDS and log correlation powered by built-in correlation rules developed by the AlienVault Labs security research team to notify you immediately when patterns are observed that indicate an attack.
And, USM also checks the IP information against our Open Threat Exchange (OTX), the largest crowd-sourced threat intelligence exchange. In the example below, you can see details from OTX on the reputation of the IP, including any malicious activities associated with it.
While these events are being logged, normalized, and supplemented with OTX data, USM is watching out for event patterns that might indicate malicious activity. USM defines these attack patterns through built-in correlation directives that are updated weekly by the AlienVault Labs security research team.