Introduction
Brute force attacks are a common method used by threat actors to compromise user accounts. While detecting these attempts is crucial, responding to them promptly and effectively can be challenging. The Brute Force Attempt Response playbook automates the response to brute force alerts, minimizing manual intervention and ensuring swift mitigation.
Challenges Faced
Delayed User Notification: Manual processes often slow down the communication between users and security teams.
Risk of Escalation: Unaddressed brute force attempts can lead to account compromises and data breaches.
Inconsistent Response: Without automation, responses to brute force attempts may vary across incidents.
How SIRP Solves This
The Brute Force Attempt Response playbook automates every stage of handling brute force alerts, ensuring efficient resolution and reducing security risks.
User Validation
The playbook retrieves the user's details from Microsoft Active Directory (LDAP) and sends the user a notification asking them to confirm whether the login attempts were theirs.
Identifying False Positives
If the user confirms that the activity was legitimate, the alert is marked as a "False Positive", and its status is changed to "Closed".
Mitigating Malicious Attempts
If the user reports the activity as unauthorized or does not respond, the playbook disables the user’s ID immediately.
Notifications are sent to both the user and the assigned analyst, enabling coordination for re-enabling the ID after further investigation.
Alert Updates
The alert's disposition is changed to "Incident", and its severity and priority are escalated to "High" for immediate attention.
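The decision flow described above, as an added example written for this page rather than SIRP's own playbook engine or API. It assumes a confirmation window of one hour, the default field labels "Open", "Alert" and "Medium" (the page names only the escalated values), and a constructed username and IP.

```python
from dataclasses import dataclass, field
from enum import Enum

CONFIRMATION_WINDOW_SECONDS = 3600  # assumed value; the page does not state the wait time


class UserReply(Enum):
    LEGITIMATE = "legitimate"      # user confirms the login attempts were theirs
    UNAUTHORIZED = "unauthorized"  # user reports the attempts as not theirs


@dataclass
class Alert:
    username: str
    ip: str
    status: str = "Open"          # assumed initial labels; only the escalated
    disposition: str = "Alert"    # values ("Incident", "High") come from the page
    severity: str = "Medium"
    priority: str = "Medium"
    actions: list = field(default_factory=list)  # ordered record of playbook outputs


def effective_reply(reply, elapsed_seconds):
    """A missing reply, or one arriving after the window closes, counts as no response."""
    if reply is None or elapsed_seconds > CONFIRMATION_WINDOW_SECONDS:
        return None
    return reply


def run_playbook(alert, reply, elapsed_seconds):
    """Apply the flow: confirm with the user, then either close or contain and escalate."""
    alert.actions.append(f"notify user {alert.username}: confirm login attempts from {alert.ip}")
    if effective_reply(reply, elapsed_seconds) is UserReply.LEGITIMATE:
        alert.disposition = "False Positive"
        alert.status = "Closed"
        return alert
    # Unauthorized or no response: contain the account first, then escalate the alert.
    alert.actions.append(f"disable user ID {alert.username}")
    alert.actions.append(f"notify user {alert.username}: ID disabled pending investigation")
    alert.actions.append("notify analyst: coordinate re-enabling after investigation")
    alert.disposition = "Incident"
    alert.severity = "High"
    alert.priority = "High"
    return alert


if __name__ == "__main__":
    # Constructed sample inputs: the same alert under four user outcomes, including a
    # legitimate reply that arrives too late and is therefore treated as no response.
    cases = [(UserReply.LEGITIMATE, 120), (UserReply.UNAUTHORIZED, 300),
             (UserReply.LEGITIMATE, 7200), (None, 4000)]
    for reply, elapsed in cases:
        result = run_playbook(Alert("jdoe", "203.0.113.7"), reply, elapsed)
        print(reply, elapsed, result.disposition, result.severity, result.status, len(result.actions))
```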
Playbook Prerequisites
SIEM Rule Configuration: A rule must be in place in the SIEM platform to generate brute force attempt alerts.
Playbook Integrations
Microsoft LDAP (Active Directory): Retrieves user details for verification.
SIRP: Orchestrates notifications, ID disablement, and alert updates.
Playbook Inputs
Username: The account involved in the brute force attempt.
IP: The IP address associated with the brute force activity.
Playbook Outputs
Send Notification to User: Requests confirmation of the activity.
Block User ID: Disables the compromised user ID upon detection of malicious activity.
Send Notification to User: Alerts the user about their ID being blocked.
Send Notification to Analyst: Notifies the SOC analyst to coordinate further actions.
Change Alert Severity: Escalates the severity to "High".
Change Alert Priority: Updates the alert priority to "High".
Change Alert Disposition: Categorizes the alert as an "Incident".
Change Alert Status: Updates the status to reflect the alert resolution.
The SIRP Playbook
Key Benefits
Swift Mitigation: Automates the disabling of compromised accounts, minimizing potential damage.
Accurate Triage: Ensures false positives are handled efficiently, reducing noise in the SOC.
Improved Communication: Automatically notifies both users and analysts, ensuring smooth coordination.
Consistent Responses: Standardized actions streamline the incident response process.
FAQs
What happens if the user does not respond to the confirmation notification?
If the user does not respond, the playbook assumes the activity is malicious, disables the user ID, and escalates the alert for further investigation.
Can this playbook integrate with other directory services?
Yes, additional directory services like OpenLDAP or Azure AD can be integrated as needed.
Is it possible to customize the severity levels or alert dispositions?
Absolutely, the playbook supports customization to align with your organization's policies.