The Lumu Login Brute force Incident Response Playbook is based on the Computer Security Incident Handling Guide by the National Institute of Standards and Technology (NIST). According to NIST special publication 800-61, the incident response life cycle has four main phases, as described in the following illustration.
This document contains guidelines for Login brute force incident response using Lumu. Consider this playbook as a guideline to improve the effectiveness of the incident response and adapt it according to your specific requirements.
What are Login Brute force incidents?
Lumu is capable of detecting Login brute force activity targeting your organization's credentials. Active Directory (AD) facilitates central management by tying together servers, workstations, and applications, making it a key target for attackers. Because AD stores large amounts of identity-related data—including user permissions and passwords—attackers target it to identify valid credentials and escalate access.
Login Brute force incidents are detected patterns of high-volume authentication failures that aim to compromise user accounts. These attacks leverage the fact that 61% of all attacks involve credential data, and brute force is a technique used in over 80% of data breaches.
By identifying Login Brute force incidents, Lumu helps your organization gain insight into:
- Attacks aiming to compromise domain user credentials to gain a foothold in the network.
- Attempts to move laterally or dump passwords (e.g., from SYSVOL) to escalate privileges to local or domain administrator levels.
- Misconfigurations within the network, such as services with expired credentials, that can produce patterns similar to Brute force attacks.
The data used to identify this type of incident includes:
- Targeted User Accounts: The specific identities being targeted (distinguishing between the Administrator of AD and non-admin users).
- Attacker Sources: The number of unique sources initiating the attacks.
- Failed Login Events: The total volume of failed authentication attempts.
In this article, you will find a general playbook to operate Login Brute force incidents alongside an example scenario.
General Playbook
This is the general playbook for Login brute force incident operation. It covers the main steps that you can take when investigating and remediating this type of incident.
Example Scenario
Now, let’s delve into one of the most common scenarios that an organization can find when operating Login brute force incidents. This will help exemplify the value this feature can provide.
Let’s consider a scenario where Lumu notifies that the Active Directory of an organization is being targeted by a Login brute force attack.
1. Organization A gets notified of a Login brute force incident targeting their Active Directory domain. By inspecting the incident, the specialist in charge will be able to access its details to learn more relevant information about the incident, as well as additional context to better operate it.
2. With the information of the incident at hand, the cybersecurity specialist first analyzes which users are being targeted. Having noticed that the Administrator account is being targeted, the analyst escalates the severity of the incident.
3. Having defined which users are being targeted, the specialist proceeds to identify the attacker source, that is, the endpoint generating the failures. They verify whether the source is an internal workstation, a known server, or an external IP address. This helps determine whether the threat is lateral movement (internal) or an attempted breach (external).
If the source is a known device that normally interacts with the network, the failures may indicate not only a possible attack on the Active Directory but also a misconfiguration. For example, a service account password may have been changed in AD but not updated in the scheduled task on a specific server.
4. The specialist now contextually analyzes the incident. They cross-reference the user's role with the organization's security policies to see if the observed behavior is prohibited and unusual. For example, if a user who only accesses email and shares files is suddenly generating failures on RDP or VNC services, this deviates significantly from their normal behavior and indicates a high-risk compromise attempt.
Generally speaking, failures in services like RDP, VNC, or any service exposed to the internet indicate that the attacker is trying to gain access to the organization, which is a high-priority threat.
5. Having identified the services and the accounts affected, the cybersecurity specialist needs to make a decision based on the operational sensitivity of the account.
- Administrator: Locking this type of account immediately could crash critical servers, stop automated backups, or lock out entire teams, causing a massive operational disruption. Instead of an immediate block, the specialist should investigate the source first and verify whether the failures are due to a misconfigured admin script or a genuine attack. They only block after confirming the threat.
- Standard users: The operational impact of this user being offline is low compared to the security risk of a breach. The specialist should prioritize security and block the account or isolate the endpoint immediately. They contain the threat first and verify the details later.
6. Once the course of action is taken (Block vs. Monitor), the team moves to the final remediation phase:
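The following is an added worked example (not part of the Lumu playbook or product) that aggregates the three data points the playbook relies on (targeted accounts, unique sources, failed-login volume) from constructed failure events and then walks each account through steps 2 to 5 of the scenario above. The internal ranges, the known-server inventory, the admin account list and the set of exposed services are assumptions an analyst would fill in for their own environment.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed failed-authentication events (not Lumu data), one tuple per
# failure: (targeted account, source IP, service the failure was seen on).
FAILED_LOGINS = [
    ("Administrator", "10.0.5.23", "ldap"),
    ("Administrator", "10.0.5.23", "ldap"),
    ("Administrator", "10.0.5.23", "ldap"),
    ("jdoe", "203.0.113.7", "rdp"),
    ("jdoe", "203.0.113.7", "rdp"),
    ("jdoe", "198.51.100.4", "rdp"),
    ("mrivera", "10.0.8.40", "smb"),
]
# Hypothetical inventory the analyst keeps outside Lumu.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
KNOWN_SERVERS = {"10.0.5.23": "BACKUP01"}        # hosts running scheduled tasks / services
ADMIN_ACCOUNTS = {"administrator"}
EXPOSED_SERVICES = {"rdp", "vnc", "ssh", "vpn"}  # internet-facing services (step 4)

def summarize(events):
    """Aggregate the three data points the playbook relies on, per account."""
    per_user = defaultdict(lambda: {"failures": 0, "sources": set(), "services": set()})
    for user, src, service in events:
        rec = per_user[user]
        rec["failures"] += 1
        rec["sources"].add(src)
        rec["services"].add(service)
    return per_user

def is_external(src):
    """A source is external when it belongs to none of the internal ranges."""
    return not any(ip_address(src) in net for net in INTERNAL_NETS)

def triage(user, rec):
    """Walk one targeted account through steps 2-5 of the scenario."""
    is_admin = user.lower() in ADMIN_ACCOUNTS
    external = sorted(s for s in rec["sources"] if is_external(s))
    known = sorted(s for s in rec["sources"] if s in KNOWN_SERVERS)
    exposed = sorted(rec["services"] & EXPOSED_SERVICES)

    # Step 2: admin targeted -> escalate. Steps 3-4: an external source or an
    # exposed service points to a breach attempt, also high priority.
    severity = "high" if (is_admin or external or exposed) else "medium"

    # Step 5: contain standard users first; investigate admins before blocking.
    if is_admin:
        action = "investigate source before blocking"
    else:
        action = "block account and isolate endpoint now"
    # Step 3 caveat: a known internal server may simply hold a stale password.
    if known and not external:
        action += "; check stored credentials on " + ", ".join(KNOWN_SERVERS[s] for s in known)
    return {"failures": rec["failures"], "severity": severity, "action": action,
            "external_sources": external, "exposed_services": exposed}

def triage_all(events):
    return {u: triage(u, rec) for u, rec in summarize(events).items()}

if __name__ == "__main__":
    for user, verdict in triage_all(FAILED_LOGINS).items():
        print(user, verdict)
```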
Preparation
This is the initial phase, where organizations take preventive measures so they can respond effectively to incidents. Some recommended steps to prepare your company to deal with a Login brute force incident are listed below:
- Incident Handler Communications and Facilities: It’s vital to gather contact information of everyone involved with incident response to facilitate contact during an incident. Compile contact information of incident response (IR) team members, external IR teams, and eventually law enforcement, with primary and backup contacts. Determine the escalation and de-escalation criteria and incident reporting mechanisms, such as phone numbers, email addresses, and secure instant messaging.
- Roles and Responsibilities: Details of the roles and responsibilities of key individuals and teams responsible for incident response and decision-making should also be gathered at this stage.
- Training and awareness: Train the incident response (IR) team to identify the common MITRE ATT&CK techniques used by adversaries that involve logging in to corporate accounts in order to damage the organization, and study possible mitigations:
  - ID T1110 - Brute Force: Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism.
  - ID T1110.001 - Password Guessing: Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism.
  - ID T1110.003 - Password Spraying: Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain.
  - ID T1110.004 - Credential Stuffing: Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed.
  - ID T1021.001 - Remote Services - Remote Desktop Protocol: Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
  - ID T1021.002 - Remote Services - SMB/Windows Admin Shares: Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.
  - ID T1021.003 - Remote Services - Distributed Component Object Model: Adversaries may use Valid Accounts to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). The adversary may then perform actions as the logged-on user.
  - ID T1021.004 - Remote Services - SSH: Adversaries may use Valid Accounts to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.
  - ID T1021.005 - Remote Services - VNC: Adversaries may use Valid Accounts to remotely control machines using Virtual Network Computing (VNC). VNC is a platform-independent desktop sharing system that uses the RFB protocol to enable users to remotely control another computer’s display by relaying the screen, mouse, and keyboard inputs over the network.
  - ID T1021.006 - Remote Services - Windows Remote Management: Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
  - ID T1133 - External Remote Services: Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations.
- Tools and Resources: This refers to the correct configuration of the technologies and infrastructure necessary to gain visibility, detect, analyze, and respond effectively to incidents.
How Lumu Helps
Lumu provides the ability to illuminate the blind spots in your network by providing coverage of your entire infrastructure, namely on-premises, public and private clouds, and roaming devices.
Recommended Actions
- To gain full visibility into your network, set up collectors such as Virtual Appliances, Gateways, and integrations to ensure that all your network metadata is ingested in the Lumu platform. Learn more in our deployment guide.
- Ensure you cover remote users in your compromise assessment. Learn more about Lumu Agent and VPN and SDP configuration.
- Identify your vital assets (clients, IoT, clouds, remote devices, etc.) and assign labels to your traffic to help quickly identify the compromise distribution across your infrastructure in a way that makes sense for your organization.
- Control your attack surface by ensuring that services and connections exposed to external environments are governed by strict policies and controls. Verify that only essential services are exposed, and access is restricted to specific roles via secure, authenticated channels. Regularly monitor and enforce these measures to minimize vulnerabilities.
- Conduct regular awareness campaigns on security policies and risks employees face, and what actions to take when faced with a cyberattack.
- Keep your endpoint protection and operating systems updated.
- Implement best practices for Identity and Access Management (IAM).
Detection & Analysis
Organizations should prioritize rapid incident detection and validation to enable effective containment and eradication. Early detection limits the spread of infection and simplifies the response process. During this phase, security teams monitor and analyze alerts and data from systems, networks, and logs to identify potential incidents, understand the threat's scope, impact, and potential source, assess its severity, and gather forensic information. Proper documentation and communication are essential for successful incident response.
Some steps are listed below:
- Alert Monitoring: Collect and monitor data from network, host, and application logs, along with external sources like threat intelligence, to identify attack vectors and signs of potential incidents.
- Incident Identification: Determine whether an event qualifies as an incident or precursor by analyzing and correlating monitoring data.
- Incident Analysis: After classifying the incident type, incident response teams should quickly analyze and validate incidents. Once an incident is confirmed, the team conducts an initial analysis to determine its scope, including affected systems, origin, and attack methods. This analysis helps prioritize actions like containment and deeper investigation.
- Enrichment and Investigation: Gathering additional information (e.g., threat intelligence, forensics analysis) to understand the scope and impact. Maltiverse by Lumu is vital in this procedure.
- Documentation: Recording the details of the incident, timelines, and results of the analysis. An IR team that suspects an incident has occurred should immediately begin recording all facts related to the incident.
How Lumu Helps
Lumu unlocks the value of your own network metadata by implementing the concept of Continuous Compromise Assessment that provides comprehensive and detailed visibility into your network infrastructure. Lumu illuminates the various activities associated with indicators of compromise (IoCs) detected on your network and provides all the contextual information needed for in-depth analysis through the Lumu Portal.
Recommended Actions
- Lumu Continuous Compromise Assessment technology provides real-time monitoring over network and identity infrastructure. It correlates network and identity metadata to identify anomalies and contact with malicious infrastructure, providing your organization with multiple tools to determine adverse activity.
- Identify activity related to Login brute force incidents and attack patterns. Look for details, such as date, time, number of contacts, IPs, and domains. You have that information at a glance in the Activity section of the Lumu Portal.
- Use the IoC information provided by Lumu to check if the log files of your defensive infrastructure (e.g. endpoint protection, firewall, UTM gateway) contain this malicious communication.
- Identify the endpoints contacting the adversarial infrastructure related to Login brute force attacks. These can be IoCs related to brute force, scanning infrastructure, or ransomware gangs. Use the Attack Distribution feature of the Lumu Portal to see how the compromise spreads inside your network.
- Identify how your assets are communicating with the adversarial infrastructure and detect endpoints within the internal network exhibiting anomalous behavior. You can use Lumu’s Compromise Radar feature to find out the frequency and behavior of malicious communication, so you can differentiate occasional contact from persistent and automated compromises that have the power to cause harm to the organization.
- Use the threat intelligence information provided in each IoC in the Lumu Portal to enrich the context of the activity. Additionally, correlate this with other detections, like Unusual Login, to verify whether the attack attempts were successful. If an incident is confirmed, use this information in incident documentation and analysis.
- If possible, reverse-engineer the malware in a secure environment (or sandbox) to understand its behavior and the functionality it implements.
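The correlation step above (did a burst of failures end in a successful login?) is illustrated by this added example, which is not Lumu code: it scans constructed, Windows-style logon events (4625 failure, 4624 success, in a flat text form invented here) with a sliding window per (user, source) pair and flags both the burst and any success that follows it. The line format, threshold and window are assumptions.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed log lines (not real Lumu or Windows output): logon event IDs
# 4625 (failed logon) and 4624 (successful logon) in a simplified text form.
LOG = """\
2024-05-01T10:00:01Z id=4625 user=jdoe src=203.0.113.7
2024-05-01T10:00:02Z id=4625 user=jdoe src=203.0.113.7
2024-05-01T10:00:03Z id=4625 user=jdoe src=203.0.113.7
2024-05-01T10:00:04Z id=4625 user=jdoe src=203.0.113.7
2024-05-01T10:00:05Z id=4625 user=jdoe src=203.0.113.7
2024-05-01T10:00:09Z id=4624 user=jdoe src=203.0.113.7
2024-05-01T10:05:00Z id=4625 user=svc_backup src=10.0.5.23
2024-05-01T10:10:00Z id=4625 user=svc_backup src=10.0.5.23
2024-05-01T11:00:00Z id=4624 user=mrivera src=10.0.8.40
"""
LINE = re.compile(r"^(\S+) id=(\d+) user=(\S+) src=(\S+)$")

def parse(text):
    """Yield (timestamp, event id, user, source) for every well-formed line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, int(m.group(2)), m.group(3), m.group(4)

def correlate(text, threshold=5, window=timedelta(minutes=2)):
    """Flag a failure burst per (user, source) and a success that follows it.

    A burst is `threshold` failures inside `window`; a 4624 from the same
    pair within `window` of the burst is the 'attack succeeded' signal the
    playbook asks the analyst to look for.
    """
    recent = {}    # (user, src) -> failure timestamps still inside the window
    burst_at = {}  # (user, src) -> time the threshold was first crossed
    findings = []
    for ts, eid, user, src in parse(text):
        key = (user, src)
        q = recent.setdefault(key, deque())
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if eid == 4625:
            q.append(ts)
            if len(q) >= threshold and key not in burst_at:
                burst_at[key] = ts
                findings.append(("brute_force_burst", user, src, ts))
        elif eid == 4624 and key in burst_at and ts - burst_at[key] <= window:
            findings.append(("success_after_burst", user, src, ts))
    return findings

if __name__ == "__main__":
    for kind, user, src, ts in correlate(LOG):
        print(f"{ts.isoformat()} {kind}: user={user} src={src}")
```

A "success_after_burst" finding is the case to escalate: the account should be treated as compromised and its sessions and credentials reviewed, not just the failures counted.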
Containment, Eradication & Recovery
This phase has two key goals: stopping the spread of the threat and preventing further damage within the network. Organizations should implement strategies and procedures based on the risk level of the detected compromise. Containment strategies will vary depending on the type of incident and must consider potential damage or theft of resources, the need for evidence preservation, service availability, and the time and resources required for effective response. Below are some steps to follow in this phase:
- Containment: Implement immediate actions or long-term strategies to isolate or limit the spread of the incident.
- Eradication: Identify the root cause of the incident and eliminate it.
- Recovery: Recover affected systems to a known good state and confirm normal operations, perform testing to ensure systems are no longer compromised, and prevent future incidents.
How Lumu Helps
Confirmed compromise intelligence about the compromised device helps security analysts to understand where and how to contain and eradicate the compromise.
Recommended Actions
- Lumu Defender integrates with your security stack and gives your organization the ability to orchestrate an effective automated response to contain any cyber threat, in line with your policies.
- Lumu orchestration can assist you in identifying whether the endpoints that reported the brute force behavior were observed displaying anomalous behavior before.
- Use the threat intelligence information, MITRE ATT&CK TTPs, and IoC details from the Lumu Portal to configure your security infrastructure (firewalls, IDS, IPS, email gateways, etc.) to avoid similar malicious activity.
- Lumu Portal provides your organization with information and details about the devices or IP addresses involved in the incident to initiate targeted investigations into the related internal devices.
- Based on your containment strategy, consider isolating the affected devices to prevent lateral movement and limit the spread of the incident within the network.
- Identify related services and users and reset the credentials of all involved systems.
- If you suspect the initial attack vector was via email, check the details in the organization's mail server log files.
- Remove threats, and replace or restore the compromised assets to their previous state. Wipe and baseline affected systems if needed.
- Use Lumu technology to establish monitoring to detect further suspicious activity. The incident and its effects need to be remediated across the entire network.
- Complete malware scanning of all systems across the affected network.
Post-Incident Activity
This phase is designed to incorporate the lessons learned from each incident and to evaluate future improvements.
How Lumu Helps
Lumu helps refine your current and future defense and response by continuously monitoring that the compromise has been eradicated.
Recommended Actions
- Use Lumu Continuous Compromise Assessment to continuously monitor any communication between your assets and adversarial infrastructure to make sure that no additional contacts are reported.
- Use the context information in the Lumu Portal for details on how the adversary works. Conduct root cause analysis and evaluate the habits of the users.
- Explore the related sources, MITRE ATT&CK Matrix, and articles provided by Lumu in the Context area to understand more about the Tactics, Techniques, and Procedures used by adversaries and document the incident.
- Use the incident information to adjust your security policies and the MITRE ATT&CK Matrix context to evaluate your security strategy. This may involve changing the configuration of the company's assets and conducting awareness campaigns, focusing on the users that own those devices.
- Coordinate with your endpoint protection technology vendor’s updates if needed.
- Document and share with the stakeholders all the lessons learned from the incident and recommendations of any aspect that could be improved to help prevent a similar cyber incident from reoccurring.