How to Detect and Respond to Brute-Force Attacks Using Log Data

Brute-force attacks involve repeated attempts to guess passwords or access credentials. Detecting these attacks early and responding promptly minimizes the risk of unauthorized access.


1. Monitor for Repeated Failed Logon Attempts

What to Look For:

  • Failed Logon Events:

    • Event ID 4625: Logs failed authentication attempts.

  • Patterns:

    • Multiple failed logon attempts from the same IP address or targeting the same user account within a short period.

Red Flags: High-frequency failures originating from a single IP or targeting high-privilege accounts.


2. Check for Account Lockouts

What to Look For:

  • Account Lockout Events:

    • Event ID 4740: Indicates that an account has been locked due to too many failed logon attempts.

  • Patterns:

    • Repeated lockouts for the same account or across multiple accounts.

Red Flags: A surge in lockout events, especially for accounts that are critical or rarely used.


3. Investigate Login Success Following Multiple Failures

What to Look For:

  • Successful Logon After Failures:

    • Event ID 4624: Logs successful logons. Correlate each one with preceding Event ID 4625 events for the same account.

  • Patterns:

    • A successful logon following a series of failed attempts may indicate that the attacker has guessed the correct credentials.

Red Flags: Accounts showing successful access immediately after multiple failed attempts.
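The three checks above can be run in one pass over the same log, so here is a single added example covering sections 1 to 3. It is written for this page and is not code from the article; the event IDs are the Windows Security log IDs named above, the sample records are constructed, and the thresholds and time windows (5 failures in 5 minutes, 3 failures in the 10 minutes before a success) are assumed starting values rather than anything the article prescribes. The burst check keys on both the source IP and the target account, because a single host spraying many accounts shows up only under the IP key while a single account attacked from many hosts shows up only under the account key.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample Security-log records (not taken from the article).
# Each tuple is (timestamp, event_id, target_account, source_ip), where
# 4625 = failed logon, 4624 = successful logon, 4740 = account lockout.
SAMPLE_EVENTS = [
    ("2024-05-01T02:00:01", 4625, "jsmith", "203.0.113.10"),
    ("2024-05-01T02:00:03", 4625, "jsmith", "203.0.113.10"),
    ("2024-05-01T02:00:05", 4625, "jsmith", "203.0.113.10"),
    ("2024-05-01T02:00:07", 4625, "jsmith", "203.0.113.10"),
    ("2024-05-01T02:00:09", 4625, "jsmith", "203.0.113.10"),
    ("2024-05-01T02:00:11", 4624, "jsmith", "203.0.113.10"),      # success right after the run
    ("2024-05-01T02:10:00", 4625, "svc_backup", "203.0.113.10"),
    ("2024-05-01T02:10:02", 4625, "svc_backup", "203.0.113.10"),
    ("2024-05-01T02:10:04", 4625, "svc_backup", "203.0.113.10"),
    ("2024-05-01T02:10:05", 4740, "svc_backup", "203.0.113.10"),  # lockout policy fired
    ("2024-05-01T09:15:00", 4625, "alee", "198.51.100.7"),        # one typo, then success
    ("2024-05-01T09:20:00", 4624, "alee", "198.51.100.7"),
]


def parse(events):
    """Turn the raw tuples into (datetime, event_id, account, ip), oldest first."""
    return sorted((datetime.fromisoformat(t), eid, acct, ip) for t, eid, acct, ip in events)


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Section 1. Count 4625 events in a sliding time window, keyed both by
    source IP (one host spraying many accounts) and by target account (one
    account hammered from anywhere). Returns {("ip"|"user", value): peak count}
    for every key that reached `threshold`. Threshold and window are assumed
    starting values; tune them to the environment's normal failure rate."""
    recent = defaultdict(deque)   # key -> timestamps of 4625s still inside the window
    alerts = {}
    for ts, eid, acct, ip in parse(events):
        if eid != 4625:
            continue
        for key in (("ip", ip), ("user", acct)):
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:      # drop failures that aged out of the window
                q.popleft()
            if len(q) >= threshold:
                alerts[key] = max(alerts.get(key, 0), len(q))
    return alerts


def lockout_counts(events):
    """Section 2. Number of 4740 lockouts per account; repeated lockouts, or any
    lockout of a rarely used account, deserve a closer look."""
    counts = defaultdict(int)
    for _, eid, acct, _ in parse(events):
        if eid == 4740:
            counts[acct] += 1
    return dict(counts)


def success_after_failures(events, min_failures=3, window=timedelta(minutes=10)):
    """Section 3. A 4624 for an account that was preceded, within `window`, by at
    least `min_failures` 4625s for the same account is a likely guessed password.
    Correlation is per account rather than per IP, because a distributed attack
    can finish the guess from a different source address."""
    recent_failures = defaultdict(deque)   # account -> timestamps of recent 4625s
    hits = []
    for ts, eid, acct, ip in parse(events):
        q = recent_failures[acct]
        while q and ts - q[0] > window:
            q.popleft()
        if eid == 4625:
            q.append(ts)
        elif eid == 4624 and len(q) >= min_failures:
            hits.append((acct, ip, len(q), ts.isoformat()))
            q.clear()   # the run that produced this success has been reported
    return hits


def triage(events):
    """Run all three checks and return one report dict."""
    return {
        "bursts": failed_logon_bursts(events),
        "lockouts": lockout_counts(events),
        "success_after_failures": success_after_failures(events),
    }


if __name__ == "__main__":
    for name, finding in triage(SAMPLE_EVENTS).items():
        print(f"{name}: {finding}")
```

On the constructed sample, the burst check fires for the source IP and for jsmith (five failures in under ten seconds), the lockout check reports svc_backup once, and the success-after-failures check reports the jsmith logon at 02:00:11; alee's single typo followed by a normal logon produces nothing. In practice the three outputs feed the investigation steps that follow: the IP from the burst goes to geolocation and threat-intelligence lookup, and any account in the success-after-failures list is audited for post-logon activity.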


4. Examine Logs for Unusual Access Times

What to Look For:

  • Access Timing:

    • Review logon attempts occurring during non-business hours or unusual times for the user.

  • Patterns:

    • A sudden increase in logon attempts during weekends, holidays, or late at night.

Red Flags: Logon attempts from accounts or IPs at times when legitimate users are unlikely to be active.


5. Review Source IPs for Geolocation

What to Look For:

  • IP Analysis:

    • Investigate the origin of the source IP addresses.

    • Cross-reference IPs with geolocation data to identify unexpected or foreign locations.

  • Threat Intelligence:

    • Use known threat feeds to flag IPs associated with malicious activity.

Red Flags: Login attempts originating from unfamiliar locations or countries where the organization does not operate.
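Sections 4 and 5 are both enrichment of a logon event with context the log itself does not carry, so one added example serves both. It is not code from the article: BUSINESS_HOURS, OPERATING_COUNTRIES, GEO_LOOKUP, THREAT_FEED and USER_BASELINE_HOURS are constructed stand-ins for a GeoIP database, a threat-intelligence feed and the SIEM's logon history, and the sample events are constructed. It goes one step beyond the text by checking each user against a per-user baseline of usual logon hours in addition to the organization-wide business hours, which catches a 2 a.m. logon for a day-shift user even in an organization that runs around the clock. Timestamps are assumed to be in the user's local time.

```python
from datetime import datetime, time

# Constructed reference data standing in for real sources (assumptions, not
# from the article). A deployment would back these with a GeoIP database,
# a threat-intelligence feed and logon history from the SIEM.
BUSINESS_HOURS = (time(8, 0), time(18, 0))   # expected logon window, local time
BUSINESS_DAYS = {0, 1, 2, 3, 4}               # Monday..Friday, as datetime.weekday()
OPERATING_COUNTRIES = {"US", "DE"}            # where the organization has staff
GEO_LOOKUP = {                                # source IP -> ISO country code
    "203.0.113.10": "ZZ",                     # "ZZ" is a placeholder code
    "198.51.100.7": "US",
    "192.0.2.44": "DE",
}
THREAT_FEED = {"203.0.113.10"}                # IPs reported for credential attacks
USER_BASELINE_HOURS = {                       # hours at which each user normally logs on
    "alee": {8, 9, 10, 11, 13, 14, 15, 16, 17},
    "jsmith": {9, 10, 11, 14, 15, 16},
}


def timing_flags(ts, user):
    """Section 4. Flag logons outside business hours and, where a baseline
    exists, outside the hours this particular user normally works."""
    flags = []
    in_hours = BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1]
    if ts.weekday() not in BUSINESS_DAYS or not in_hours:
        flags.append("outside-business-hours")
    baseline = USER_BASELINE_HOURS.get(user)
    if baseline is not None and ts.hour not in baseline:
        flags.append("outside-user-baseline")
    return flags


def source_flags(ip):
    """Section 5. Flag source IPs that geolocate somewhere unexpected (or
    nowhere at all) and IPs present in the threat feed."""
    flags = []
    country = GEO_LOOKUP.get(ip)
    if country is None:
        flags.append("geo-unknown")
    elif country not in OPERATING_COUNTRIES:
        flags.append("geo-unexpected:" + country)
    if ip in THREAT_FEED:
        flags.append("threat-feed-match")
    return flags


def enrich(event):
    """event = (iso_timestamp, event_id, account, source_ip); returns its flags."""
    ts_text, _, user, ip = event
    ts = datetime.fromisoformat(ts_text)
    return timing_flags(ts, user) + source_flags(ip)


def rank(events):
    """Order events by number of flags, most suspicious first; events with no
    flags are dropped so an analyst sees only what needs a look."""
    scored = [(enrich(e), e) for e in events]
    scored = [(flags, e) for flags, e in scored if flags]
    return sorted(scored, key=lambda fe: -len(fe[0]))


SAMPLE = [  # constructed; 2024-05-01 is a Wednesday, 2024-05-04 a Saturday
    ("2024-05-01T02:00:11", 4624, "jsmith", "203.0.113.10"),
    ("2024-05-04T10:00:00", 4624, "alee", "198.51.100.7"),
    ("2024-05-01T09:30:00", 4624, "alee", "192.0.2.44"),
    ("2024-05-01T14:00:00", 4624, "jsmith", "192.0.2.99"),
]

if __name__ == "__main__":
    for flags, event in rank(SAMPLE):
        print(event[2], event[3], flags)
```

The jsmith logon at 02:00 collects all four flags (off hours, outside the user's baseline, unexpected country, threat-feed hit) and ranks first; alee's Saturday logon from an expected country gets only the business-hours flag; the weekday logon from an unmapped IP is flagged only as geo-unknown, which is worth keeping as a flag rather than ignoring, since attacker infrastructure is often missing from geolocation data. A logon that matches every expectation produces no flags and is not shown.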


6. Immediate Mitigation

What to Do:

  • Block Malicious IPs:

    • Use firewall rules or intrusion prevention systems (IPS) to block IPs exhibiting suspicious behavior.

  • Enforce Account Lockout Policies:

    • Temporarily disable accounts after a set number of failed attempts.

  • Implement Multi-Factor Authentication (MFA):

    • Add an additional layer of protection to prevent unauthorized access, even if credentials are compromised.

  • Audit Impacted Accounts:

    • Review the activity of targeted accounts for signs of compromise or lateral movement.


Post-Incident Actions:

  • Educate Users:

    • Notify users about the attempted attack and remind them to use strong, unique passwords.

  • Enhance Monitoring:

    • Deploy SIEM rules to detect and alert on similar brute-force patterns in the future.

  • Implement IP Allowlists:

    • Restrict access to critical systems to trusted IP ranges or VPN connections only.


Conclusion

Brute-force attacks are detectable through patterns of failed logon attempts, account lockouts, and unusual access activity. Combining log analysis with real-time monitoring and robust security controls ensures effective detection and mitigation of such attacks.

