While the Fluency Team strives to lead the way for its customers by identifying threats and creating new behaviors, it also learns from and deploys behaviors that come from its customers' own use of the tool. That is one of the many benefits of providing end users with the same tools the Fluency Team itself uses to create behaviors.
Recently, one of the Fluency partners developed a set of behaviors that were not only very useful, but that the team decided would benefit all Fluency users. These rules, once generalized, are to be rolled out to other users as soon as possible.
Credential spraying is the process of taking a list of user credentials for an organization (or generating one based on the organization’s username patterns) and attempting logins against each account to find one that accepts a guessed password. From a single IP, an adversary can work through that list of users, trying each one with common password lists or even leaked password lists, to identify users who have not changed their passwords.
The credential spraying behaviors being rolled out identify exactly this pattern. Using the source IP address as the common key, Fluency aggregates login attempts across different user accounts. When multiple login failures against a large number of distinct accounts occur from a single IP address, an alert is raised to flag the activity as suspicious and worth investigating. Organizations can easily filter out their own public IP addresses to remove false positives generated by their own users.
Key: Source IP Address
Rule (Aggregation): Multiple Unique Target Login Credentials
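The aggregation rule above, as an added Python illustration rather than Fluency's own behavior code: failed logins are keyed by source IP, the distinct target accounts per IP are counted, and the organization's own public ranges are excluded before alerting. The event records, the `ORG_PUBLIC_RANGES` list and the threshold of five accounts are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample authentication events, not real logs. Each record is
# one login attempt: source IP, account targeted, outcome.
SAMPLE_EVENTS = [
    {"src_ip": "203.0.113.7", "user": "alice", "result": "failure"},
    {"src_ip": "203.0.113.7", "user": "bob", "result": "failure"},
    {"src_ip": "203.0.113.7", "user": "carol", "result": "failure"},
    {"src_ip": "203.0.113.7", "user": "dave", "result": "failure"},
    {"src_ip": "203.0.113.7", "user": "erin", "result": "failure"},
    {"src_ip": "203.0.113.7", "user": "alice", "result": "failure"},  # repeat account
    {"src_ip": "198.51.100.9", "user": "alice", "result": "failure"},
    {"src_ip": "198.51.100.9", "user": "alice", "result": "failure"},
    {"src_ip": "198.51.100.9", "user": "alice", "result": "success"},
    {"src_ip": "192.0.2.10", "user": "frank", "result": "failure"},
    {"src_ip": "192.0.2.10", "user": "grace", "result": "failure"},
    {"src_ip": "192.0.2.10", "user": "heidi", "result": "failure"},
    {"src_ip": "192.0.2.10", "user": "ivan", "result": "failure"},
    {"src_ip": "192.0.2.10", "user": "judy", "result": "failure"},
]

# Hypothetical list of the organization's own public (NAT egress) ranges.
# Many distinct users legitimately fail logins from behind these, so they
# are excluded to suppress false positives, as the post describes.
ORG_PUBLIC_RANGES = [ip_network("192.0.2.0/24")]


def is_org_address(ip, ranges=ORG_PUBLIC_RANGES):
    addr = ip_address(ip)
    return any(addr in net for net in ranges)


def spray_candidates(events, min_unique_users=5, ranges=ORG_PUBLIC_RANGES):
    """Key on source IP, collect the distinct accounts each IP failed
    against, and return the IPs at or above the threshold. One account
    failing many times (198.51.100.9) is not spraying and is not flagged."""
    targets = defaultdict(set)
    for ev in events:
        if ev["result"] != "failure" or is_org_address(ev["src_ip"], ranges):
            continue
        targets[ev["src_ip"]].add(ev["user"])
    return {ip: sorted(users) for ip, users in targets.items()
            if len(users) >= min_unique_users}


if __name__ == "__main__":
    for ip, users in spray_candidates(SAMPLE_EVENTS).items():
        print(f"ALERT possible credential spray from {ip}: {len(users)} accounts {users}")
```

Running the script prints a single alert for 203.0.113.7; dropping the range filter (`ranges=[]`) would also flag the organization's own 192.0.2.10, which is the false positive the post says to exclude.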
With one common pattern, multiple systems can be protected, whether it’s Active Directory or Office 365 or something else. Look forward to these behaviors being rolled out soon to AD, O365, and other systems where applicable.
As always, Fluency is proud to be part of a team along with its end users in working together for the safety of all.