Defending Against Brute Force Attacks with Hoplite's Active Network Defense
Anthony Cochenour, President Hoplite Industries, inc.


Greetings from the Hoplite HQ. Like security teams all over the world, the spectrum of security events we see daily ranges from bad-actor amateur hour to those that require a deep breath and some fresh coffee. Cyber Threat Intelligence, expansive visibility, keen eyes 24x7 and some powerful software keep us aware and armed to deal with threats lurking around each corner. Each phase of Internet evolution brings about new forms of background noise, the automated recon-scan-exploit cycles that never subside. Increasingly, this background noise is made up of brute force attacks, specifically password spraying and password stuffing (not the tasty kind), that target the growing number of cloud accounts. These automated attacks rely on dictionaries of common passwords and lists of previously exposed credentials to make repeated attempts to gain access to cloud accounts. Unfortunately, over time the odds are in favor of the bad actors: eventually they're likely to find an account without MFA, a re-used password exposed in a third-party breach, or a long-forgotten and little-used admin account with a weak password. Compounding the challenge, bad actors most often use collections of compromised systems (nodes in 'bot nets') to distribute the attack traffic across many source IP addresses.

All of this occurs silently, just under the surface of many other competing priorities. But wait: we are a people with all manner of mastery of science and technology that's put RC cars on Mars, so why do these security challenges still exist? Many of the answers to that question are outside the scope of this post, but it suffices to say that selling services with a 'secure by default' philosophy is just more difficult than not. These and many other attack activities often go unnoticed for several reasons:

  • Most cloud environments, O365 and Azure included, do not enable adequate security controls and security event logging by default. Worse, navigating endless menus and disparate tools to establish basic security visibility is difficult. Please note: this is not an attack on MS specifically, but a statement of fact that we're well into the 21st century and establishing basic security visibility remains an unfulfilled expectation, and a struggle for many.
  • Most organizations do not have the time or in-house capabilities to research, configure, maintain, and monitor event logging for the growing number of cloud services we all rely upon daily. The same budget, resource, and complexity challenges that make it difficult for organizations to aggregate and analyze security event logs on premise extend to cloud environments.
  • Even when InfoSec teams are aware of brute force attacks and authorized to take action (which is no small feat if defending against an attack runs any risk of business impact), it can be difficult to configure reliable, automated defenses. This assumes a given cloud platform even provides the features and instrumentation to enable adequate defenses.

There is certainly no shortage of challenges; however, there is good news. A growing number of useful, if complex, capabilities are being added to popular cloud platforms like Office (Microsoft) 365 and Azure that provide an opportunity to develop adaptive, automated defenses against brute force attacks.

Hoplite's Active Network Defense (AND) security monitoring and automation platform has been integrated with Office 365 and Azure since 2018. These integrations were developed to help customers establish near real-time O365 and Azure security event visibility, upon which traditional and AI/ML correlation rules, downstream analytics, playbooks, and other automation capabilities were built. Collection of granular event logs describing user logins, devices, application activities, and cloud-side network events is critical for general cloud security, and it is also very useful for defending against brute force attacks.

There's rarely a week that passes without Active Network Defense flagging some form of brute force attack against customer cloud platforms and Internet-facing applications, so we have plenty of opportunities to refine monitoring and defensive techniques. We recently dealt with an Annoying & Persistently Tedious (APT) bad actor targeting a customer Azure AD / O365 tenant with a password spraying attack. Unlike many such attacks, this one was moderate in volume at > 300k login attempts daily, well-coordinated, and horizontally distributed across more than 1,000 source IPs. While the customer had MFA and geographic access restrictions, there were still a handful of service accounts (everyone has them) that were at risk from bots inside the allowed geographies. Ultimately, this exposure was more than we would accept, so we set to work on an automated solution.


Over a 48-hour period we gathered modelling data and built a new detection model that assesses all failed logins with correlations on target cloud platforms, workloads, source device details, source IPs, failed login time deltas, and Cyber Threat Intelligence. The result is an unsupervised automation engine that classifies source IPs worthy of blocking and automatically updates cloud-side access control lists. The first production deployments this week are now protecting customer Azure AD environments to great effect. With this new detection model we're seeing > 95% classification accuracy, and the average number of failed login attempts before bots are blocked is < 5. That's a very small window of potential success for the bad actors. We also took this opportunity to build in dynamic Cyber Threat Intelligence distribution channels that allow us to release Indicators of Compromise (IOCs) specific to customer verticals to further enhance protection. We'll deploy this capability on an as-needed basis, but I expect it will be part of a future release of the Active Network Defense platform.
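To make the classification idea concrete, here is an added example (my own simplified rule, not Hoplite's model or code) that scores source IPs from constructed Azure AD style sign-in records using two of the correlations described above, distinct target accounts and failed-login time deltas, plus a threat-intel match, and emits the IP list an ACL update would consume; the event fields, thresholds and intel set are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of Azure AD style sign-in events, not real customer data.
# Each tuple: ISO timestamp, source IP, target account, sign-in result.
SAMPLE_EVENTS = [
    ("2021-03-01T10:00:00", "203.0.113.10", "alice@example.com", "failure"),
    ("2021-03-01T10:00:07", "203.0.113.10", "bob@example.com", "failure"),
    ("2021-03-01T10:00:15", "203.0.113.10", "svc-backup@example.com", "failure"),
    ("2021-03-01T10:00:21", "203.0.113.10", "carol@example.com", "failure"),
    ("2021-03-01T10:05:00", "198.51.100.7", "alice@example.com", "failure"),
    ("2021-03-01T10:05:09", "198.51.100.7", "alice@example.com", "failure"),
    ("2021-03-01T10:06:00", "198.51.100.7", "alice@example.com", "success"),
    ("2021-03-01T11:00:00", "192.0.2.55", "dave@example.com", "failure"),
]
# Constructed threat-intel indicator set (hypothetical feed content).
THREAT_INTEL_IPS = {"192.0.2.55"}


def classify_sources(events, intel_ips, min_targets=3, max_avg_delta=60.0):
    """Return {source_ip: (decision, reason)} for every IP with failed logins.
    Spray signature: >= min_targets distinct accounts, consecutive failures on
    average <= max_avg_delta seconds apart. A threat-intel hit blocks outright."""
    failures = defaultdict(list)          # ip -> [(timestamp, account)]
    for ts, ip, account, result in events:
        if result == "failure":
            failures[ip].append((datetime.fromisoformat(ts), account))

    verdicts = {}
    for ip, attempts in failures.items():
        if ip in intel_ips:
            verdicts[ip] = ("block", "threat-intel match")
            continue
        attempts.sort()                   # chronological order for deltas
        targets = {account for _, account in attempts}
        deltas = [(b[0] - a[0]).total_seconds()
                  for a, b in zip(attempts, attempts[1:])]
        avg_delta = sum(deltas) / len(deltas) if deltas else float("inf")
        if len(targets) >= min_targets and avg_delta <= max_avg_delta:
            verdicts[ip] = ("block", f"spray: {len(targets)} accounts, "
                            f"{len(attempts)} failures, avg {avg_delta:.1f}s apart")
        else:  # one user mistyping then succeeding stays below the threshold
            verdicts[ip] = ("allow", "below spray threshold")
    return verdicts


def build_blocklist(events, intel_ips):
    """Sorted source IPs to push into the cloud-side access control list."""
    verdicts = classify_sources(events, intel_ips)
    return sorted(ip for ip, (decision, _) in verdicts.items() if decision == "block")
```

With the sample data the sprayer is blocked after four failures, the human who mistyped a password twice is left alone, and the intel-listed address is blocked on its first failure.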

But like all friendly bots, it will first need a fitting name. I'm personally leaning toward Ash, or Chomps.

Be well, enable logging, and play well with others.

-Anthony

Israel M.

Forbes Technology Council; NACD, Board Leadership Fellow; American Red Cross, Board Member - NTX; DHS CISA Cyber ERM Industry Advisor; American University Cyber Governance Center, Co-Founder; Axon Global, CEO

3 years

Hoplite is one of the most innovative companies in the cybersecurity industry today. I’ve worked with them for years and found them to be trustworthy, cost-effective, practical and highly impactful in improving the cybersecurity posture of some impressive companies as well as with USG. Great article and accomplishment Anthony.
