Your Guide to Detecting Access Failure Incidents
By: Data Scientists Bronwen Cohn-Cort and Shaul Saitowitz
Usernames and passwords are keys to computer systems and networks, but they are often inadequate for keeping intruders out. Even additional layers of authentication can be compromised. Adlumin keeps its customers safe by monitoring networks for suspicious break-in attempts and authentication malfunctions.
Brute Force, but Not with a Crowbar
Attackers use scripts or tools such as THC Hydra to submit many guesses for a user's credentials, a brute force attack. Guessing tactics range from systematically trying every combination to working through wordlists of common or leaked passwords, with external logic used to try the most likely candidates first.
Any asset that accepts credentials is exposed to brute force attacks, from user accounts to VPNs and network switches, and each represents a different risk. Compromising a switch's management credentials could let the attacker inspect or redirect traffic flowing through that switch and change its configuration. Breaking into a VPN gives access to the internal network and anything else the connection is authorized to reach.
Figure 1: Counts of Failed Office365 Logins
Adlumin monitors all incoming logs for its tenants, looking for evidence of brute force attacks at every entry point. A suspicious number of failed logins over a short interval may indicate that an attacker is working through many password permutations. This triggers an alert that notifies the customer of the break-in attempt so that protective action can be taken.
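As an added illustration of the counting logic described above (this is example code written for this article, not Adlumin's detection), the script below runs a sliding-window failed-login check over constructed sign-in events. The event fields, the five-minute window and the threshold of ten failures are all assumptions chosen for the demo. Failures are keyed both by target account and by source IP, because a password spray that tries each account only once never trips a per-account threshold but still shows up against the source address.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def make_sample_events():
    """Constructed sign-in events for the demo (not real tenant data).
    Each event is (timestamp, user, source_ip, outcome)."""
    base = datetime(2024, 3, 1, 9, 0, 0)
    events = []
    # Normal user: three typos spread over an hour, then a success.
    for m in (0, 20, 40):
        events.append((base + timedelta(minutes=m), "alice@example.com", "192.0.2.5", "failure"))
    events.append((base + timedelta(minutes=41), "alice@example.com", "192.0.2.5", "success"))
    # Brute force: 12 failures against one account from one IP inside three minutes.
    for s in range(12):
        events.append((base + timedelta(seconds=15 * s), "bob@example.com", "203.0.113.10", "failure"))
    # Password spray: one IP, a single failure against each of ten different accounts.
    for i in range(10):
        events.append((base + timedelta(minutes=30, seconds=10 * i),
                       f"user{i}@example.com", "198.51.100.7", "failure"))
    return events


def detect_brute_force(events, window=timedelta(minutes=5), threshold=10):
    """Flag any account or source IP that accumulates `threshold` or more failed
    sign-ins inside a sliding `window` (both parameters are demo assumptions).
    Returns {(key_type, key): (count, first_failure_ts, last_failure_ts)}."""
    recent = defaultdict(deque)  # key -> timestamps of failures still inside the window
    alerts = {}
    for ts, user, ip, outcome in sorted(events, key=lambda e: e[0]):
        if outcome != "failure":
            continue
        for key in (("account", user), ("source_ip", ip)):
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:  # evict failures that have fallen out of the window
                q.popleft()
            if len(q) >= threshold and key not in alerts:
                alerts[key] = (len(q), q[0], q[-1])
    return alerts


if __name__ == "__main__":
    for (kind, key), (count, first, last) in detect_brute_force(make_sample_events()).items():
        print(f"ALERT {kind}={key}: {count} failures between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

Running it flags Bob's account and the attacker's address behind it, and separately flags the spraying address, while Alice's scattered typos stay below the threshold. In production the window and threshold would be tuned per log source, since a VPN concentrator and a mail tenant see very different baseline failure rates.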
Multi-factor Authentication (MFA) service providers, usually layered on top of password logins, let a subscribing client's users authenticate with an additional method, adding another layer of security. One common second layer is a Possession Factor: the user enters a six-digit code delivered by text message or email, or generated by an authenticator app, on a device or account that only that user should control. In MFA terms the password is a Knowledge Factor, so the two factors together (Knowledge and Possession) authenticate the user; when exactly two factors are used this is also called Two-Factor Authentication (2FA). Codes sent by SMS or email are weaker than app-generated or hardware-backed factors because they can be intercepted or phished, but any second factor raises the cost of a guessed password well above a brute force attack alone. Enabling MFA for every user is a simple step toward improving security and delaying attackers or keeping them out of a system entirely.
Figure 2: Disruptive situations around MFA credentials
Adlumin Data Science is developing a detection for disruptions in a client's MFA service, incidents that can threaten business continuity or signal something more insidious. The approach reviews how many users were unable to complete MFA within a specific period. As described earlier in this article, such activity could be an attacker spraying credentials across many accounts in the hope of finding one whose owner has not enabled MFA. It could also mean that the MFA service provider has been compromised or has suffered an incident that impairs credential authentication, leaving many users locked out of their accounts. Whether MFA credentials are being denied or users are being locked out, the client's business is disrupted either way.
A detection that identifies an unusual number of users experiencing lockouts or denied credentials over a specific period would warn clients that rely on MFA service providers of a possible impending disruption or attack.
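The following is an added example, not Adlumin's detection, of how the "unusual number of users" idea above can be turned into a check: count the distinct users denied MFA in each hour, compare that against a robust baseline built from the preceding hours (median plus three times the median absolute deviation, an assumed choice), and then triage any spike by how concentrated the denials are. Denials for many users that nearly all come from one source address look like the spray scenario; denials spread across each user's own address look like a provider-side outage. The events, the 24-hour baseline and the 80% concentration cut-off are all constructed for the demo.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median


def make_mfa_events():
    """Constructed MFA events (not real tenant data): (timestamp, user, source_ip, result).
    result is 'denied' when the second factor failed or the account was locked out."""
    base = datetime(2024, 3, 1, 0, 0, 0)
    events = []
    # Baseline day: two to four distinct users mistype a code in any given hour.
    for h in range(24):
        for i in range(2 + (h % 3)):
            events.append((base + timedelta(hours=h, minutes=5 * i),
                           f"user{i}@example.com", f"192.0.2.{10 + i}", "denied"))
    # Hour 24: provider-side outage. Forty distinct users, each from their own address, are denied.
    for i in range(40):
        events.append((base + timedelta(hours=24, minutes=i),
                       f"emp{i}@example.com", f"192.0.2.{100 + i}", "denied"))
    # Hour 26: spray against 25 accounts, nearly all from a single address.
    for i in range(25):
        ip = "203.0.113.10" if i < 23 else f"198.51.100.{i}"
        events.append((base + timedelta(hours=26, minutes=2 * i),
                       f"emp{i}@example.com", ip, "denied"))
    return events


def denied_users_per_hour(events):
    """Bucket denials by hour: {hour_start: {user: [source_ips]}}."""
    buckets = defaultdict(lambda: defaultdict(list))
    for ts, user, ip, result in events:
        if result == "denied":
            buckets[ts.replace(minute=0, second=0, microsecond=0)][user].append(ip)
    return buckets


def detect_mfa_disruption(events, baseline_hours=24, k=3.0, concentration=0.8):
    """For every hour after the first `baseline_hours`, flag it when the number of
    distinct users denied MFA exceeds median + k * MAD of the preceding hours.
    Each alert is tagged 'concentrated' when at least `concentration` of the denied
    users share one source IP (spray-like), otherwise 'distributed' (outage-like).
    Returns a list of (hour, distinct_users, threshold, pattern)."""
    buckets = denied_users_per_hour(events)
    first, last = min(buckets), max(buckets)
    hours = [first + timedelta(hours=n) for n in range(int((last - first) / timedelta(hours=1)) + 1)]
    counts = [len(buckets[h]) if h in buckets else 0 for h in hours]  # quiet hours count as zero
    alerts = []
    for idx in range(baseline_hours, len(hours)):
        history = counts[idx - baseline_hours:idx]
        med = median(history)
        mad = median(abs(c - med) for c in history) or 1.0  # a flat baseline must not yield a zero threshold
        threshold = med + k * mad
        n = counts[idx]
        if n > threshold:
            per_ip = Counter(ip for ips in buckets[hours[idx]].values() for ip in set(ips))
            top_share = per_ip.most_common(1)[0][1] / n
            pattern = "concentrated" if top_share >= concentration else "distributed"
            alerts.append((hours[idx], n, threshold, pattern))
    return alerts


if __name__ == "__main__":
    for hour, n, threshold, pattern in detect_mfa_disruption(make_mfa_events()):
        print(f"ALERT {hour:%Y-%m-%d %H:00}: {n} users denied MFA (threshold {threshold:.1f}), {pattern}")
```

On the constructed data the baseline settles at a threshold of six distinct users per hour; the outage hour is flagged as distributed and the spray hour as concentrated. The triage tag is a hint for the responder, not a verdict: an attacker using many proxies would also look distributed, so a distributed alert still warrants checking the provider's status and the affected users' sign-in sources.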
Warning of Possible Disruptions
Adlumin Data Science monitors for suspicious or unusual amounts of credential activity against network switches, user accounts, and other credentialed entry points, whether the cause is a brute force attack or a compromised MFA service provider. Identifying such a disruption or break-in attempt early gives customers the warning they need to take protective action.