Brute Force Attacks: Denying the Attacker, Not the User

Posted by Heather Howland on May 13, 2019 9:39:49 AM
Find me on:

According to haveIbeenpwned.com, close to 8 billion accounts have been compromised. The site  provides a tool to see if any of your passwords have been compromised and are available on the dark-net. Once passwords are compromised, they are easily exposed to bad actors who can use them for brute force attacks and credential stuffing.

bigstock--182918236

Famously, Facebook’s Mark Zuckerberg had his password hacked from his twitter account and it was later revealed that his stolen password was a result of LinkedIn’s massive breach where over 117 accounts were compromised. Zuckerberg is not only an executive but has privileged access. Any system or application that he re-used the stolen password with was at risk of breach.

Despite these stories being years old, most people continue to engage in bad password practices and re-use their passwords for multiple applications. These types of incidents prove that a breach is never an isolated incident and there are dire and long-term consequences to compromised credentials.

Once a bad actor acquires the credentials of an account, it is nearly impossible to identify a legitimate user vs. an attacker with stolen credentials. Even without a stolen credential, attackers can leverage brute force attacks where they try many passwords or pass phrases with the hope of eventually guessing the right one. They leverage brute force attacks for two reasons:

  1. To try to find the right combination of usernames and passwords so they can access and gain a foothold in the environment
  2. To perform a Denial of Service (DoS) of target network by locking out legitimate users

How can you detect legitimate vs. illegitimate access from user credentials?

Understanding an employee’s behavior in terms of what their baseline, normal patterns are (location, regular server access, time of day, etc.) vs. what is abnormal and risky behavior is a start. User and Entity Behavior Analytics (UEBA) technology can learn and monitor user behavior 24/7. UEBA solutions are useful for security teams looking to identify the network vulnerabilities that attackers exploit to move around and gain access to sensitive systems.

Assuming that an attacker manages to get a compromised password and tries to gain access into a user’s account, UEBA solutions can pick up on abnormal risk factors such as unknown endpoint (because the attacker is coming from his own device) and abnormal access attempts (such as servers and machines that the user does not use on a day-to-day basis).

However, traditional behavioral analytics tools present multiple challenges for security teams. First, some behavioral analytics tools can leverage too many data sources and generate so much noise that they miss potential threats. Secondly, traditional behavioral analytics tools fail to correctly identify a legitimate access attempt vs. an illegitimate access attempt. A very common scenario is when legitimate users enter the wrong password or simply don't update the password on some of their devices. To a traditional behavioral analytics tool, this would resemble a Brute Force attack and present a false positive to the security teams.

It is important that your UEBA solution be intelligent enough to baseline normal user behavior by pulling in pertinent identity, behavior, and risk data sources. Some good examples are: how often a user uses an endpoint, the time of day when endpoint is used, the location of the access attempt, what resources the user accesses, how frequently they access those resources, and so on. Once a normal baseline behavior is set, anything that deviates from that behavior (for example, there is a wrong password attempt from an endpoint that is not associated with a user) should be reviewed by a security analyst as a possible threat.  

Conditional Access: From Detection to Prevention

Being able to detect malicious activity vs. legitimate activity is great but detection is only the first step of establishing a healthy security program. Reduce SOC burden by setting policies and leveraging a conditional access solution that is able to respond in real time based on identity, behavior, and risk. Once a threat is detected, use conditional access to block any access attempts from that unknown endpoint or account. Alerting only serves to create more noise for security teams and it is critical to move beyond detection to an adaptive, preventative solution. This way, not only do you reduce false positives, you can alleviate the burden of your SOC team all while reducing your total cost of ownership.

To learn more about how Preempt’s Conditional Access solution can help with preventing threats like brute force attacks, you can read more here.

There are two major takeaway from leveraging a Conditional Access solution to protect against brute force attacks:

  1. Attackers cannot use this technique to run a DoS attack by locking users out of their accounts. Their requests will be stopped from reaching the AD domain controller while allowing legitimate users to normally continue business activity.  
  2. Security analysts will be able to focus on only the malicious brute force attacks and not on innocuous attempts by the legitimate user to retrieve their forgotten passwords.

Topics: Privileged Users, password brute force, Credential Compromise, ueba, Incident Response, Threat Detection, Conditional Access