Is Brute Force analysis really worth it today?
Just an observation on the time and effort security analysts spend today on Brute Force attack incidents.
Rule: Brute Force attack detected when the threshold of 20 logins within 1 minute is reached from a user id.
Response: Send mail to the Windows team/client/user asking for clarification.
Typical Action: The user is not aware of it. The IT team did not find any unusual activity, and the logon failures stopped the next day.
Question: Ideally, if a user had 20 login failures within 1 minute, either the user did it himself on a system where he doesn't have access, or someone used his id from the source IP mentioned in the log (excluding the scenario of an application using it, which would make it a true positive incident). If the user did it, he will never accept it, and if someone else did, he will never know it. So the only possible way to prove it is the CCTV footage showing who was sitting at the system (assuming the DHCP log is examined for the actual host at that point in time).
I just want to know: is the above approach right, or do other possibilities also exist for a brute force alert to be a true positive and for the investigation to get results?
Is anyone in their organization really following up on these alerts, which make up a huge share of the total SIEM alerts?
I would be happy to see more input on this.
Hello, I'm a security analyst new to this site.
Note: I'm not a Sr. Analyst, so please correct me on anything I'm wrong about.
With the details provided, this incident hardly sounds like a security concern worth escalating. However, assuming it is a legitimate internal brute force attack, the CCTV footage would have to be able to see the workstation to provide a definitive answer on who the user was. (Personally, I can't find a single camera that can see workstations in my building.) Given that the traffic stopped the next day, I believe there wouldn't be enough information to actually catch the person.
For me, escalating a brute force would mostly be to stop the traffic while it is occurring. I would think attempting to catch the individual would end up a massive waste of time unless a monetary loss occurred or PII was leaked (etc., depending on the circumstances).
Truthfully, if I escalated every brute force with only 20 failed logins, I would receive a massive amount of emails from annoyed clients asking why I'm wasting their time. I would also have no time to investigate all of the Inbound Scan false positives or perform ad hoc analysis.
As the security analyst in this scenario, I would want more details before determining how far the incident should be investigated. Without more details, your baseline description of the event screams user error to me, and the investigation could probably be stopped there. These are just some of the questions I would personally want answered before coming to a conclusion of any type:
1. Was there a successful login after the failures?
2. What is the past failed login activity for the user / are they a repeat offender?
3. Are the logins coming from a SIP the user typically uses?
Brute Force attacks should be relatively simple for an analyst to investigate and should not take an extensive amount of time. False positives on brute force signatures are generally pretty clear-cut. Also, a brute force with 20 failures and no successful logins would be an awful attempt at brute forcing anything. Personally, given the scenario, I wouldn't escalate the incident as a legitimate security concern.
Sorry for wasting your time if this input is irrelevant or not helpful.
David Van Meter
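The rule from the question (20 failed logons for one user within a minute) and the three triage checks from the answer above, put into working code as an added example; this is not code from the thread or from any SIEM product. The log records are constructed, the record layout (ISO timestamp, user, source IP, FAIL/SUCCESS), the user names and IP addresses, the 10-minute look-ahead for a follow-on success, and the low/medium/high scoring are all assumptions of this example.

```python
"""Added example (not from the thread): the question's SIEM rule, 20 failed
logons for one user within 1 minute, as a sliding window, followed by the
three triage checks from the answer above. All records are constructed;
field layout, names, addresses and the scoring are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 20                      # failures that trip the rule
WINDOW = timedelta(minutes=1)       # the rule's time window
LOOKAHEAD = timedelta(minutes=10)   # assumed: how long after a burst a success still counts

T0 = datetime(2024, 1, 15, 9, 0, 0)  # constructed reference time


def _burst(user, ip, start, n):
    """n failed logons, one per second, from one source (constructed data)."""
    return [f"{(start + timedelta(seconds=i)).isoformat()} {user} {ip} FAIL"
            for i in range(n)]


# Constructed sample log: "<ISO timestamp> <user> <source ip> <FAIL|SUCCESS>".
SAMPLE_LOG = (
    [f"{(T0 - timedelta(days=3)).isoformat()} jdoe 10.1.2.3 SUCCESS",     # jdoe's usual host
     f"{(T0 - timedelta(days=1)).isoformat()} jdoe 10.1.2.3 FAIL",        # one old failure
     f"{(T0 - timedelta(days=2)).isoformat()} asmith 10.1.5.7 SUCCESS"]   # asmith's usual host
    + _burst("jdoe", "10.1.2.3", T0, 20)                                  # trips the rule
    + [f"{(T0 + timedelta(seconds=40)).isoformat()} jdoe 10.1.2.3 SUCCESS"]
    + _burst("asmith", "203.0.113.9", T0 + timedelta(minutes=5), 22)      # trips the rule
    + [f"{(T0 + timedelta(minutes=5, seconds=30)).isoformat()} asmith 203.0.113.9 SUCCESS"]
    + _burst("bjones", "10.1.9.9", T0, 5)                                 # below threshold
)


def parse(line):
    ts, user, ip, outcome = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "src_ip": ip, "outcome": outcome}


def detect_bursts(events, threshold=THRESHOLD, window=WINDOW):
    """Per user, slide a window over the failed logons and report the first
    window holding `threshold` or more failures. One alert per user."""
    fails = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["outcome"] == "FAIL":
            fails[e["user"]].append(e)
    alerts = []
    for user, f in fails.items():
        lo = 0
        for hi in range(len(f)):
            while f[hi]["ts"] - f[lo]["ts"] >= window:   # drop failures older than the window
                lo += 1
            if hi - lo + 1 >= threshold:
                alerts.append({"user": user, "start": f[lo]["ts"], "end": f[hi]["ts"],
                               "count": hi - lo + 1,
                               "src_ips": sorted({x["src_ip"] for x in f[lo:hi + 1]})})
                break
    return alerts


def triage(events, alert, lookahead=LOOKAHEAD):
    """The three questions: a success after the failures? prior failure
    history for the user? source IPs the user normally succeeds from?"""
    mine = [e for e in events if e["user"] == alert["user"]]
    success_after = [e for e in mine if e["outcome"] == "SUCCESS"
                     and alert["end"] < e["ts"] <= alert["end"] + lookahead]
    prior_failures = sum(1 for e in mine
                         if e["outcome"] == "FAIL" and e["ts"] < alert["start"])
    known_ips = {e["src_ip"] for e in mine
                 if e["outcome"] == "SUCCESS" and e["ts"] < alert["start"]}
    new_ips = [ip for ip in alert["src_ips"] if ip not in known_ips]
    # Scoring is an assumption of this example: a burst from a source the user
    # never succeeded from before, then a success, is the one worth a phone call;
    # a burst from the usual host that then succeeds looks like a mistyped password.
    if new_ips and success_after:
        priority = "high"
    elif new_ips:
        priority = "medium"
    else:
        priority = "low"
    return {**alert, "success_after": bool(success_after),
            "prior_failures": prior_failures, "new_src_ips": new_ips, "priority": priority}


def run_triage(lines=SAMPLE_LOG):
    events = [parse(line) for line in lines]
    return {a["user"]: triage(events, a) for a in detect_bursts(events)}


if __name__ == "__main__":
    for user, r in run_triage().items():
        print(f"{user}: {r['count']} failures {r['start']:%H:%M:%S}-{r['end']:%H:%M:%S} "
              f"success_after={r['success_after']} prior_failures={r['prior_failures']} "
              f"new_src_ips={r['new_src_ips']} priority={r['priority']}")
```

On the constructed data, jdoe trips the rule but fails from the host he normally succeeds from and then logs in, so the alert lands as low priority; asmith's burst comes from an address never seen for that account and is followed by a success from it, which is the case the answer's questions are meant to surface. bjones never reaches the threshold and raises no alert at all.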
I can't think of a reason why methods that worked 5 years ago (e.g. a simple brute force attack) would not work now; it's not as if more failed logins are permitted these days.
However, content has evolved in the same period. There is now the dedicated Windows Monitoring pack, and also the Activate content around Windows (http://hp.com/go/activate). These contain much more specific and refined content that may be more effective out of the box for contemporary.