
Learn how to effectively investigate, contain and remediate this incident by following our Response Playbook.
Network Bruteforce incidents are patterns of high-volume, repetitive connection attempts from a source endpoint to a specific service on a destination endpoint within a short period of time. Unlike account-level incidents, network bruteforce detections rely on NetFlow metadata rather than authentication logs, which allows suspicious behavior to be flagged before a full compromise occurs. The same property is a limitation to keep in mind during triage: flow metadata shows that connections were attempted and how much traffic they carried, not whether any credential guess succeeded, so confirming a compromise requires correlating the incident with the authentication logs of the targeted service.
By detecting this activity, Lumu provides visibility into:
- Bruteforce attacks: Identifies malicious attempts to identify valid credentials, open services, and escalate access or move laterally within the network of your organization.
- Service misconfigurations: Highlights internal network misconfigurations that can produce patterns similar to bruteforce attacks, potentially leading to the disruption and denial of internal services.
This document outlines how the Lumu Portal delivers insight into this attack by providing the necessary context (scope, severity, and source), presented in a narrative that supports your response team's decision-making.
Collected Data
Lumu captures specific metadata fields to facilitate forensic analysis and scope determination. The data collected for this incident includes:
- Source and Destination IP: Identifies the source endpoint initiating the traffic and the target destination.
- Destination Port: Pinpoints the specific service (e.g., SSH, SMB, LDAP) being targeted.
- Number of packets: The volume of data packets transmitted during the attempt.
- Number of connection attempts: The frequency of attempts, helping to measure the intensity of the attack.
Incident details
The Lumu Portal delivers the collected data to facilitate rapid triage and decision-making. The data is displayed as follows:
1. Operation Summary: This section highlights critical information, including the First and Last Events, and First IP Affected. This data establishes a general scope of the incident that allows analysts to quickly differentiate between a momentary spike and a sustained campaign against your network infrastructure.
2. Observed Brute Force Events:
This section aggregates the most relevant data regarding the brute force activity. It quantifies the attack's overall severity and scope, allowing analysts to immediately assess the magnitude of the threat.
- Events: Displays the number of distinct attack waves, helping to identify if the attack was a continuous stream or a series of pulsed attempts.
- Targets: Shows the total count of unique destination IPs affected. This determines the breadth of the campaign, distinguishing between a focused attack on a single high-value target and a "spray" attack aiming to find any weak link across the organization.
- Attempts: Counts the total volume of connection attempts (and attempts per second). This reflects the intensity of the attack, helping to assess the potential load impact on the targeted services.
3. Events List:
This detailed list breaks down each individual event, displaying specific information per target. This granular view enables pattern analysis that allows analysts to identify mechanical regularities (indicating misconfigurations) or erratic spikes (indicating active adversaries).
- Target: Identifies the specific destination IP address within your network that is receiving the connection attempts. This allows analysts to prioritize the response based on the criticality of the asset (e.g., distinguishing between a critical database server and a user workstation).
- Service: Displays the specific port and protocol being targeted (e.g., LDAP TCP 389, SMB TCP 445). This information is crucial for defining the course of action, as it helps determine whether the source device has a legitimate business need to connect to that service or whether the traffic indicates unauthorized lateral movement.
- Packets: Shows the number and average size of the packets transmitted. A few small packets per attempt point to connections that were refused or never progressed past the handshake, whereas larger or more numerous packets mean that data was actually exchanged with the service. This distinction separates a bare scan from a completed exchange and is also relevant when assessing potential data exfiltration.
- Attempts: Indicates the raw count of connection attempts and the rate per second. This reflects the intensity of the attack and helps assess the potential load impact on the targeted service, revealing whether the attack is a "slow-and-low" stealth attempt or a noisy flood.
- Date: Provides the timestamp of the event and its duration. This helps establish a precise timeline for forensic correlation with other network logs.
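As an added example (not code from the Lumu Portal or its documentation), the following Python script shows how the fields listed under Collected Data can be aggregated into the Observed Brute Force Events and Events List metrics described above, and how the regularity of the inter-arrival times separates a mechanical pattern (a misconfigured service retrying on a fixed timer) from an erratic one (a tool driven by an adversary). The flow records are constructed, and the thresholds (20 attempts within 60 seconds, a 0.1 coefficient-of-variation cutoff for "mechanical") are illustrative assumptions, not Lumu's detection logic.

```python
"""Aggregate NetFlow-style records into bruteforce findings (added example, not Lumu code)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows (not real Lumu data). Each record carries the fields the page
# lists: source/destination IP, destination port and packet count, plus bytes and a timestamp.
T0 = 1_700_000_000  # arbitrary epoch base for the sample

def _flow(ts, src, dst, dport, proto, packets, nbytes):
    return {"ts": ts, "src": src, "dst": dst, "dport": dport,
            "proto": proto, "packets": packets, "bytes": nbytes}

SAMPLE_FLOWS = []
# 1) Mechanical pattern: one handshake-sized probe every 2 s to SMB, like a service retrying on a timer.
for i in range(30):
    SAMPLE_FLOWS.append(_flow(T0 + 2 * i, "10.0.0.23", "10.0.1.5", 445, "tcp", 3, 180))
# 2) Erratic pattern: three bursts of rapid SSH attempts that exchanged payload, like a hand-run tool.
for start in (0.0, 25.0, 40.0):
    for k in range(10):
        SAMPLE_FLOWS.append(_flow(T0 + start + 0.3 * k, "10.0.0.77", "10.0.1.10", 22, "tcp", 12, 1500))
# 3) Benign: a workstation that talks to the same file server a few times per minute.
for t in (3, 17, 41, 55):
    SAMPLE_FLOWS.append(_flow(T0 + t, "10.0.0.50", "10.0.1.5", 445, "tcp", 40, 9000))

SERVICE_NAMES = {(445, "tcp"): "SMB", (22, "tcp"): "SSH", (389, "tcp"): "LDAP"}

def group_flows(flows):
    """Key flows by (source, target, port, proto); each group is sorted by time."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f["src"], f["dst"], f["dport"], f["proto"])].append(f)
    for g in groups.values():
        g.sort(key=lambda f: f["ts"])
    return groups

def max_attempts_in_window(timestamps, window_s):
    """Largest number of attempts inside any window_s-second span (two-pointer scan over sorted times)."""
    best, j = 0, 0
    for i in range(len(timestamps)):
        while j < len(timestamps) and timestamps[j] - timestamps[i] <= window_s:
            j += 1
        best = max(best, j - i)
    return best

def classify_cadence(timestamps, cv_threshold=0.1):
    """Coefficient of variation of the inter-arrival gaps: near-constant gaps read as mechanical."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return "unknown"
    cv = pstdev(gaps) / mean(gaps)
    return "mechanical" if cv < cv_threshold else "erratic"

def detect_bruteforce(flows, window_s=60, min_attempts=20):
    """One finding per (source, target, service) whose attempt rate crosses the threshold.
    The thresholds are illustrative assumptions, not Lumu's tuning."""
    findings = []
    for (src, dst, dport, proto), group in group_flows(flows).items():
        ts = [f["ts"] for f in group]
        if max_attempts_in_window(ts, window_s) < min_attempts:
            continue
        duration = ts[-1] - ts[0]
        packets = sum(f["packets"] for f in group)
        findings.append({
            "source": src, "target": dst,
            "service": f"{SERVICE_NAMES.get((dport, proto), 'unknown')} {proto.upper()} {dport}",
            "attempts": len(group),
            "attempts_per_sec": round(len(group) / max(duration, 1.0), 2),
            "packets": packets,
            "avg_packet_size": round(sum(f["bytes"] for f in group) / packets, 1),
            "first": ts[0], "last": ts[-1], "duration_s": round(duration, 1),
            "cadence": classify_cadence(ts),
        })
    return findings

def summarize(findings):
    """The Observed Brute Force Events roll-up: events, unique targets, total attempts."""
    return {"events": len(findings),
            "targets": len({f["target"] for f in findings}),
            "attempts": sum(f["attempts"] for f in findings)}

if __name__ == "__main__":
    found = detect_bruteforce(SAMPLE_FLOWS)
    print(summarize(found))
    for f in found:
        print(f)
```

Run as-is, the benign workstation never reaches the threshold, the SMB source comes out as "mechanical" with 60-byte packets (handshakes only), and the SSH source as "erratic" with 125-byte packets (payload exchanged); those two columns are what let an analyst prioritize the SSH source over a probable misconfiguration before opening the authentication logs.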
Incident data export
While the Lumu Portal displays the most critical data points, such as the top targets and services, complex attacks often involve volumes of traffic that exceed what can be efficiently displayed on a single screen. For that reason, Lumu supports in-depth investigations with its export feature. You can export data using the dropdown menu located at the top of the page.
Exportable data
You can export the following data for this incident:
- All events (.csv)
Downloads the complete, raw dataset of the entire incident lifecycle. It serves as the master record for comprehensive auditing, long-term trend analysis, or ingestion for correlation with other security events.
- STIX report
Generates the incident data in the Structured Threat Information Expression (STIX) format. This standardized report allows for seamless integration with other security tools (such as SOAR platforms or Threat Intelligence Platforms) to automate response actions and share threat intelligence across your security stack.
You can also export the data for a single event by clicking the download icon on the right side of that event's row.
This lets forensic analysts isolate the traffic directed at one target and examine the precise timing and behavior of the adversary during that interval.
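As an added example of consuming the STIX export on the SOAR side (not Lumu's code; the bundle below is constructed, and its object set is an assumption about what such a report could carry rather than a real export), this Python script reads a STIX 2.1 bundle, pulls IPv4 addresses out of indicator patterns and routes them to response actions. The split matters for this incident type: the source of a network bruteforce is frequently an internal endpoint, and pushing its address to a perimeter block list changes nothing, so addresses inside the RFC 1918 ranges (assumed here to be the organization's internal address plan) go to host quarantine and everything else to the perimeter. Non-STIX pattern types are skipped rather than mis-parsed, and observables that are not indicators (the targets) are listed for review, not blocking.

```python
"""Turn IPv4 indicators from a STIX 2.1 bundle into response actions (added example, not Lumu code)."""
import ipaddress
import json
import re

# Matches the ipv4-addr comparison inside a STIX pattern such as "[ipv4-addr:value = '10.0.0.77']".
IPV4_PATTERN_RE = re.compile(r"ipv4-addr:value\s*=\s*'([^']+)'")

# Assumption: RFC 1918 space is the organization's internal address plan.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _indicator(obj_id, name, pattern):
    """Build a minimal STIX 2.1 indicator with fixed, constructed timestamps."""
    return {"type": "indicator", "spec_version": "2.1", "id": obj_id,
            "created": "2024-05-01T10:00:00.000Z", "modified": "2024-05-01T10:00:00.000Z",
            "name": name, "pattern_type": "stix", "pattern": pattern,
            "valid_from": "2024-05-01T10:00:00Z"}

# Constructed bundle: the objects are illustrative assumptions, not a real Lumu export.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--3f5a1a5e-0c6a-4e5e-9f2a-1b0f2c3d4e5f",
    "objects": [
        _indicator("indicator--8b1e6c2a-0a1b-4c3d-9e8f-000000000001",
                   "Bruteforce source (internal)", "[ipv4-addr:value = '10.0.0.77']"),
        _indicator("indicator--8b1e6c2a-0a1b-4c3d-9e8f-000000000002", "External scanners",
                   "[ipv4-addr:value = '203.0.113.9' OR ipv4-addr:value = '198.51.100.4']"),
        # A snort-type pattern carries no STIX comparison and must be skipped, not mis-parsed.
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--8b1e6c2a-0a1b-4c3d-9e8f-000000000003",
         "created": "2024-05-01T10:00:00.000Z", "modified": "2024-05-01T10:00:00.000Z",
         "name": "IDS rule", "pattern_type": "snort",
         "pattern": "alert tcp any any -> 10.0.1.10 22 (sid:1;)",
         "valid_from": "2024-05-01T10:00:00Z"},
        # The target appears as a cyber-observable object, not as an indicator.
        {"type": "ipv4-addr", "spec_version": "2.1",
         "id": "ipv4-addr--5d2f1b7c-2222-4333-8444-000000000010", "value": "10.0.1.10"},
    ],
})

def load_bundle(text):
    """Parse the JSON and refuse anything that is not a STIX bundle with an object list."""
    data = json.loads(text)
    if data.get("type") != "bundle" or not isinstance(data.get("objects"), list):
        raise ValueError("not a STIX bundle")
    return data["objects"]

def is_internal(ip):
    """True when the address falls in one of the assumed internal ranges."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in INTERNAL_RANGES)

def indicator_ipv4s(objects):
    """Return (indicator id, address) for every ipv4-addr comparison in a STIX-language indicator."""
    out = []
    for obj in objects:
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        for value in IPV4_PATTERN_RE.findall(obj.get("pattern", "")):
            try:
                out.append((obj["id"], str(ipaddress.IPv4Address(value))))
            except ipaddress.AddressValueError:
                continue  # malformed address in the pattern: skip it rather than block garbage
    return out

def plan_actions(objects):
    """Route each address to the control that can actually act on it."""
    indicated = {ip for _, ip in indicator_ipv4s(objects)}
    observables = {o["value"] for o in objects
                   if o.get("type") == "ipv4-addr" and o.get("value") and o["value"] not in indicated}
    key = ipaddress.IPv4Address
    return {
        # Internal sources never cross the perimeter firewall; isolate the host instead.
        "quarantine": sorted((ip for ip in indicated if is_internal(ip)), key=key),
        "perimeter_block": sorted((ip for ip in indicated if not is_internal(ip)), key=key),
        # Targets exported as observables are assets to review, not addresses to block.
        "review_observables": sorted(observables, key=key),
    }

if __name__ == "__main__":
    print(json.dumps(plan_actions(load_bundle(SAMPLE_BUNDLE)), indent=2))
```

The regex only handles the equality form of an ipv4-addr comparison; a production consumer that expects richer patterns (CIDR matches, nested observation expressions) should use a STIX pattern parser rather than extend the regex, and the quarantine step should be gated on an analyst decision, since the "mechanical" case in the Events List may be a misconfigured business system rather than an attacker.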