When account credentials are unknown, attackers may use a brute force attack in order to gain access. This can occur as an early stage of their attack, to gain initial access, or to enhance their privileges after access has already been obtained. MITRE’s D3FEND matrix outlines how to address this technique; however, security teams struggle to consistently implement D3FEND’s recommendations.
This blog demonstrates how Security Orchestration, Automation, and Response (SOAR) can be used to consistently implement the final three stages of the D3FEND framework to respond to brute force attacks.
The MITRE D3FEND Matrix has six stages: model, harden, detect, isolate, deceive, and evict. Within each stage are specific tasks that when performed can successfully detect, contain, and recover from brute force attacks. Here is how Smart SOAR can be used to automate the tasks recommended by MITRE in the isolate, deceive, and eviction stages:
D3FEND Recommendation: Network Traffic Filtering. In the isolation stage, the incident response team must restrict incoming and outgoing traffic from any suspicious endpoint. Here, we use a combination of tools including CrowdStrike, VirusTotal, and FortiGate Next-Generation Firewall (NGFW) to automate this process across four steps:
D3FEND Recommendation: Decoy User Credential. Various identity and access management (IAM) tools can be used within Smart SOAR to create user accounts that are designed to deceive hackers and notify the security team when a breach has occurred. In this example, we use Azure Active Directory to create a user and assign them to a benign group. Then, we run a scheduled automation to check the activity logs of that user and create an incident when a login is detected.
Scheduled automations are playbooks that are run on a timed cadence, such as once a week or once a month.
These playbooks are not triggered by security alerts ingested into the platform, rather, they continue operating in the background and are useful for proactive threat hunting.
D3FEND Recommendation: Authentication Cache Invalidation. The final stage of the D3FEND framework is eviction. If a user’s account has been compromised, IAM tools can be used to repair their accounts. In this case, Active Directory’s Revoke Sign-In Sessions command forcibly ends an existing user’s sessions across various devices and applications. When this task is executed, all active authentication sessions for a specific user are immediately invalidated, requiring users to re-authenticate.
D3FEND Recommendation: Credential Revoking. In combination with the Revoke Sign-In Sessions command, Active Directory’s Reset Password command can be used to change the user’s password to a new, temporary one. When the user has logged back in, they may be prompted to create a new, unique password. This ensures that the account remains secure and is only accessible by authorized individuals.
In this example we used CrowdStrike, VirusTotal, Fortinet, and Active Directory to respond to a brute force attack following MITRE D3FEND’s best practices. With unlimited integrations, Smart SOAR can enable similar workflows using any common tools in these categories. SOAR tools are particularly helpful in the isolation, deception, and eviction stage, as they are able to take action in any environment your security team has access to.