Salem Spellbook
A series of alert triage runbooks for information security analysts

Brute Force Authentication

A brute force alert typically indicates repeated failed login attempts against one or many valid accounts. The analytic that produces these alerts aims to identify attackers trying to guess the correct password for a valid account. Modern authentication systems generally employ controls (lockouts, rate limits, multi-factor authentication) that prevent or limit password guessing, which has greatly reduced the number of successful brute force attacks in the wild. However, the prevalence of leaked user passwords and the value of access to a valid account mean adversaries still try this technique, often in forms designed to stay under those controls, such as spraying one password across many accounts or replaying leaked credentials.


Common Alerts

Alerts that typically can be triaged with this runbook:
  • Brute force attempts
  • Brute force attack using a valid user
  • Credential stuffing attack
  • Password Spraying attack

Typical false positive scenarios

Most alerts you'll see as a cyber analyst are false positives. Here are the top false positive scenarios to consider when deciding whether an alert should be escalated to incident response.
  • Password Change: There is typically a spike in authentication failures for a regular user around a password change, as devices and applications still holding the old credential keep retrying.
  • Expired Password: When a service account's credentials expire, the system using that account will likely keep trying to authenticate until the asset owner supplies new credentials. This activity is usually very regular (for example, a new failure every 5 minutes).
  • Bad Data: Some audit logs record spurious login failures when a client tries several authentication protocols in a fixed order. You'll recognise this when all failures are of the same authentication type and are followed by a successful authentication of a different type, for example a system configured to try domain authentication before falling back to local authentication.
  • Blocked Attempts: Authentication attempts from external sources against internet-facing systems (such as a web server or VPN) are very common. Most organizations don't treat them as a threat unless an attempt succeeds. Be careful when attributing attempts by source address: if you accept connections from an anonymizing service such as Tor, many unrelated clients share the same exit address, so sessions can appear related when in fact they are not.
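The checks above can be applied mechanically before an analyst ever opens the alert. The following Python is an added example, not Salem's code: it takes a batch of authentication events behind a brute force alert, groups them per account, and labels each account with the false positive scenario it matches or marks it for escalation. The event schema, the sample events, the 10% jitter tolerance for "periodic", the 24-hour password change window and the RFC 1918 ranges treated as internal are all assumptions made for the example; the sample data is constructed and uses documentation-reserved addresses.

```python
"""Triage of a brute force alert against the runbook's false positive scenarios.
Added example with an assumed event schema; not the runbook's or any product's code."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumption: the corporate network is RFC 1918; anything else is "external".
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _ev(ts, user, src, auth, outcome):
    """Assumed event schema: ISO-8601 UTC timestamp, account, source IP,
    authentication type, and outcome of fail / success / password_change."""
    return {"ts": ts, "user": user, "src": src, "auth": auth, "outcome": outcome}


# Constructed sample events, one account per scenario in the runbook (not real logs).
SAMPLE_EVENTS = [
    # svc_backup: expired credential, the backup host retries every 5 minutes, never succeeds
    _ev("2024-03-01T08:00:00", "svc_backup", "10.0.0.21", "kerberos", "fail"),
    _ev("2024-03-01T08:05:00", "svc_backup", "10.0.0.21", "kerberos", "fail"),
    _ev("2024-03-01T08:10:00", "svc_backup", "10.0.0.21", "kerberos", "fail"),
    _ev("2024-03-01T08:15:00", "svc_backup", "10.0.0.21", "kerberos", "fail"),
    # alice: password changed at 09:00, then a device holding the old password keeps failing
    _ev("2024-03-01T09:00:00", "alice", "10.0.1.5", "ntlm", "password_change"),
    _ev("2024-03-01T09:02:10", "alice", "10.0.1.77", "ntlm", "fail"),
    _ev("2024-03-01T09:02:45", "alice", "10.0.1.77", "ntlm", "fail"),
    _ev("2024-03-01T09:04:20", "alice", "10.0.1.77", "ntlm", "fail"),
    # bob: client tries domain auth first, fails, then succeeds with local auth (bad data)
    _ev("2024-03-01T10:00:00", "bob", "10.0.2.9", "domain", "fail"),
    _ev("2024-03-01T10:00:01", "bob", "10.0.2.9", "domain", "fail"),
    _ev("2024-03-01T10:00:02", "bob", "10.0.2.9", "local", "success"),
    # admin: irregular guesses against the internet-facing VPN from outside, all blocked
    _ev("2024-03-01T11:00:00", "admin", "203.0.113.7", "vpn", "fail"),
    _ev("2024-03-01T11:03:17", "admin", "203.0.113.7", "vpn", "fail"),
    _ev("2024-03-01T11:09:41", "admin", "203.0.113.7", "vpn", "fail"),
    _ev("2024-03-01T11:10:02", "admin", "203.0.113.7", "vpn", "fail"),
    # carol: external failures followed by a success of the same auth type: real concern
    _ev("2024-03-01T12:00:00", "carol", "198.51.100.4", "vpn", "fail"),
    _ev("2024-03-01T12:00:07", "carol", "198.51.100.4", "vpn", "fail"),
    _ev("2024-03-01T12:00:19", "carol", "198.51.100.4", "vpn", "fail"),
    _ev("2024-03-01T12:00:31", "carol", "198.51.100.4", "vpn", "success"),
]


def _t(e):
    return datetime.fromisoformat(e["ts"])


def is_periodic(failures, max_jitter=0.1):
    """Expired Password scenario: failures at a fixed interval look like a scheduled
    retry, not a human or a guessing tool. Needs at least three intervals; jitter
    is the relative standard deviation of the gaps (threshold is an assumption)."""
    ts = sorted(_t(e) for e in failures)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3 or mean(gaps) == 0:
        return False
    return pstdev(gaps) / mean(gaps) <= max_jitter


def is_auth_fallback(events):
    """Bad Data scenario: every failure uses one auth type and a success of a
    different type follows the last failure."""
    fails = [e for e in events if e["outcome"] == "fail"]
    successes = [e for e in events if e["outcome"] == "success"]
    if not fails or not successes:
        return False
    fail_types = {e["auth"] for e in fails}
    if len(fail_types) != 1:
        return False
    last_fail = max(_t(e) for e in fails)
    return any(e["auth"] not in fail_types and _t(e) >= last_fail for e in successes)


def follows_password_change(events, window_hours=24):
    """Password Change scenario: failures within the window after a change event."""
    fails = [_t(e) for e in events if e["outcome"] == "fail"]
    changes = [_t(e) for e in events if e["outcome"] == "password_change"]
    return any(0 <= (f - c).total_seconds() <= window_hours * 3600 for c in changes for f in fails)


def is_external_only(events):
    """Blocked Attempts scenario: every source is outside the internal ranges. Note a
    single external address (a Tor exit, CGNAT) can front many unrelated clients, so
    'same source' here does not mean 'same actor'."""
    return all(not any(ip_address(e["src"]) in n for n in INTERNAL_NETS) for e in events)


def triage_user(events):
    """Label one account's events. Any success that is not explained by protocol
    fallback is escalated: a success after a burst of failures is the thing that matters."""
    fails = [e for e in events if e["outcome"] == "fail"]
    successes = [e for e in events if e["outcome"] == "success"]
    if not fails:
        return "no_failures"
    if is_auth_fallback(events):
        return "likely_fp:auth_fallback"
    if successes:
        return "escalate:success_after_failures"
    if follows_password_change(events):
        return "likely_fp:password_change"
    if is_periodic(fails):
        return "likely_fp:expired_credential"
    if is_external_only(fails):
        return "low:blocked_external"
    return "escalate:unexplained_failures"


def triage(events):
    """Group the alert's events per account and label each one."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    return {user: triage_user(evs) for user, evs in by_user.items()}


if __name__ == "__main__":
    for user, verdict in triage(SAMPLE_EVENTS).items():
        print(f"{user:12s} {verdict}")
```

The verdict ordering is deliberate: protocol fallback is checked before the generic "any success" rule so that the bad-data pattern does not get escalated, but every other success after failures is escalated regardless of source, because that is the one outcome the runbook says organizations do treat as a threat. The remaining scenarios only apply when there was no success at all.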

Have questions or changes to propose?

Join the conversation on Twitter @salemcyber
