What is a Slow Brute Force attack?
I hope most people are already aware of the brute force attack and technique. However, I am describing it below:
The brute force attack is the simplest attack or technique that an attacker uses to gain access to an account, computer, server or website. In this attack, an attacker tries many combinations of username and password against a specific account, usually one that has admin-level privileges and can delete or modify existing users and create new ones with the required permissions.
An attacker tries this method until he gets access to his target, whether it is a website, an AD server or something else with account privileges. The attacker uses many passwords or passphrases in the hope of a successful login. Once he gets access to his target then bang! He is enjoying his Christmas day even before Christmas.
But these days brute force attacks are easily detectable using various security tools and account lockout policies. Once an account is locked out, all the attempts made by the attacker are of no use, because in the end the user cannot log in to his system until an admin unlocks the account, or until the auto-unlock time configured by the system admin has passed. In most cases the admin asks the user to change the account password as well, so the attacker may need to start from the beginning.
So here the Slow Brute Force attack comes onto the scene. The slow brute force technique is the same as brute force, but each repeated login attempt is delayed by a specific time (the interval depends on the attacker and how long they want to wait before reattempting).
Now the perk for an attacker in this attack is that it is less noticeable, or almost undetectable, by security tools.
Yes, user behavior analytics (UBA) can help to track such an attack, but UBA will not recognize it as a brute force attack, because for UBA these are just failed login attempts made by the user (the rest depends on the UBA algorithm).
The reason behind this is that UBA learns from the user's behavior, i.e. from human nature. Users mostly fail to log in due to typing errors, or because they sometimes forget the password and try to remember it by entering two or three password combinations.
So the time delay between login reattempts makes them look like attempts coming from the genuine user, and because the login attempt count that triggers the account lockout policy is bound to a time limit, the user's account will remain active.
Until the number of login attempts reaches the count specified within the time window defined in the account lockout policy, the account lockout policy cannot be triggered.
And when the user account is active and running properly, nobody is going to check a few failed attempts on that user account, so the attacker will continue his work until he gets access to his target.
Also, sometimes the origin (source IP) of the login attempts is replaced by an authentication server, for example ADFS for MS Office authentication. ADFS replaces the source IP with its own IP address, so the audit logs for login attempts will always have the ADFS server as the source and destination IP (also depending on the network hierarchy).
How to trace a Slow Brute Force attack?
We can trace such an attack only by checking the pattern of login attempts and the targeted usernames. By checking the usernames, we will often find that most of them do not even exist in our organization. If we find that all the users targeted by the login attempts are existing users in the organization, then look for an account lockout or account unlock event. If we don't find any lockout events, then report to the system admin or AD admin and ask them to check the login source for these attempts in the ADFS logs.
Also, reach out to the user and ask for a justification for these login attempts, as human error happens only a few times. So this is a possible slow brute force attack.
If we get unknown usernames that do not exist in our organization, then we must check the source of these attempts. If it is a local IP, then we should reach out to the admin and ask them to check the login attempts and source IP for that particular user (for MS Office authentication, the ADFS server should have such information).
In the ADFS logs you can find the source IP of login attempts using event ID 411.
Once you get the IP details for all the user attempts, check whether any IP belongs to a business entity of our organization. If an IP is not related to any business entity, then check the IP reputation and see the result. In most cases you will find a malicious IP address as the source of the login attempts. In this case, ask your network team to block such IPs on the external firewall.
If an IP is not listed in a blacklist database and is not reported as malicious by any IP reputation check site, then still go ahead and block these IP addresses and report them as malicious, so your investigation can help others.
Leaving these IP addresses open means we are not closing the door even after we know our enemy and he knows our address.
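The tracing steps above can be turned into a small check over the failed-login records. The following is an added example (not from the original post and not any vendor's tooling): it assumes the client IP has already been pulled out of ADFS event ID 411 records, uses constructed sample events and a constructed list of existing accounts, and assumes a lockout policy of 5 failures within 10 minutes. It flags sources whose failures never come close enough together to trigger lockout yet add up over the day, and lists the usernames they tried that do not exist in the organization.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real data), in the shape you get after pulling the
# client IP out of ADFS event ID 411: (timestamp, username tried, source IP).
_BASE = datetime(2024, 1, 10, 8, 0)
SAMPLE_EVENTS = [(_BASE + timedelta(minutes=12 * i), u, "198.51.100.7")  # one try every 12 min
                 for i, u in enumerate(["jsmith"] * 6 + ["admin", "test"])]
SAMPLE_EVENTS += [(_BASE + timedelta(minutes=5), "jsmith", "10.0.0.5"),  # real user mistyping
                  (_BASE + timedelta(minutes=5, seconds=30), "jsmith", "10.0.0.5")]
KNOWN_USERS = {"jsmith", "adoe"}  # constructed directory of accounts that actually exist


def peak_in_window(times, window):
    """Most failures that fall inside any sliding window; this is what lockout counts."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] >= window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_slow_brute_force(events, known_users, lockout_threshold, lockout_window_min, min_total):
    """Flag source IPs with many failures overall that never reach the lockout threshold
    inside the lockout window: the pattern that keeps the account active and unreviewed."""
    window = timedelta(minutes=lockout_window_min)
    by_source = defaultdict(list)
    for ts, user, ip in events:
        by_source[ip].append((ts, user))
    findings = {}
    for ip, attempts in by_source.items():
        times = [t for t, _ in attempts]
        peak = peak_in_window(times, window)
        if len(times) >= min_total and peak < lockout_threshold:
            findings[ip] = {
                "failures": len(times),
                "peak_in_window": peak,
                # usernames that do not exist in the organization are the strongest signal
                "unknown_users": sorted({u for _, u in attempts if u not in known_users}),
            }
    return findings


def analyse_sample():
    # Assumed policy: lock out after 5 failures within 10 minutes; review any source
    # with 6 or more failures in the log that still stayed under that bar.
    return find_slow_brute_force(SAMPLE_EVENTS, KNOWN_USERS, 5, 10, 6)
```

The genuine user at 10.0.0.5 is not flagged (two failures, half a minute apart), while 198.51.100.7 is reported with 8 failures, a peak of 1 inside any 10-minute window, and the non-existent usernames admin and test.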
Below is an example of tracing one Slow Brute Force attack:
We got repeated failed login attempts in the log management tool, as shown below:
(Image edited for privacy purposes)
We checked with the ADFS admin and found the login source was 220.127.116.11, so we checked the IP reputation for this source and found it malicious.
If you need to know about IP reputation testing, please let us know; we will be happy to write about that.