Lancope is now part of Cisco Learn MoreLancope Arrow About Cisco
Burglar Breaking Into A Window

Detecting Brute Force Attacks with Stealthwatch

David Salter

In a typical password brute force attack scenario, an attacker uses either automated tools (along with dictionary files) or manually attempts several password combinations to break into a password protected system. A successful authentication gained through a brute force attempt allows an attacker to carry out configuration changes or pivot into other devices using the same successful credentials, which can eventually result in data theft or an impact to normal business functions.

Cisco Stealthwatch can identify a password brute force attack on these services: 

  • Telnet
  • SSH
  • RDP
  • FTP

By default, the Brute Force Login alarm triggers if more than 20 connections less than 5,000 bytes each are detected in a short period of time. These security event settings may be adjusted if the alarm generates a high number of false positives. 


If a Brute Force Login alarm is raised, it is displayed in the Alarm Table:

In this example Brute Force Login was triggered from a client on the Internet (183.121.132.242) and targeting a host (172.24.192.143) that resides in the Catch All Host Group.

An alarm triggering against a host in the Catch All group is an extra reason to investigate. Catch All is a special Host Group that houses IP addresses that have been defined as part of the organization, but have not been configured into a proper Host Group (e.g. Client Desktops). In this particular example, communication attempts or successful communication might indicate a compromised host.

To investigate via the Stealthwatch client interface, right click the source IP address (183.121.132.242) and open an Associated Flow Table. To investigate via the web interface, select the View Details from the Alarm Table.

The Flow Table shows a Telnet session that lasted 21 seconds:

By selecting the row in the Flow Table on the client interface and pressing the spacebar, a Quick View will be opened. The Quick View clearly displays the Who (1), What (2) and When (3) of this alarm:

From the web interface, click on the source IP (183.121.132.242). When the Host Report opens, select View Flows, and make sure the query settings are correct and run the query.

The query results display the Who (1), What (2) and When (3):

More details can be displayed by hovering over the IP address and clicking the eclipse icon.

This is only one type of advanced threat that can be detected by Stealthwatch. Others include command-and-control activity, distributed denial-of-service (DDoS) attacks, insider threats, malware propagation, and more.

Category:

More from this contributor:

Don’t Stretch SIEM Beyond its Capabilities for Contextual Security Analytics
In recent years, the branch office evolution has resulted in organizations shifting from offering basic services over expensive leased circuits to...
Detect with Host alarms
Rogue DHCP servers can potentially distribute IP addresses on your network to un-authorized hosts. Security operators can use Stealthwatch to report...
Don’t Stretch SIEM Beyond its Capabilities for Contextual Security Analytics
It is sometimes important for security operators to be able to detect applications used over non-standard ports. Cisco Stealthwatch Flow Sensors have...