Preventing Authentication Attacks In Real Time
Authentication attacks come in many forms, each using a different strategy with distinct, often difficult-to-detect characteristics. Detecting password spraying attacks is particularly difficult due to the deliberately low frequency of authentication attempts, the number of services probed, and the extended time period across which attempts are made. Detecting and preventing password spraying attacks in real time is impossible with current solutions. I’ll take a look at why this is and how Quine changes the game.
Low and Slow Attacks: Brute Force, A Little Bit At A Time
In the past, brute force attacks have been synonymous with easy-to-spot bursts of machine-driven activity designed to overwhelm defenses. But as attackers gain sophistication, they have found ways to reduce their profile while still harnessing the power of automation.
Low and slow attacks use automation to spread authentication attempts over days, weeks and months, while also distributing the attempts across a network of target systems, from a range of source IPs. Under MITRE’s definitions of brute force attacks, Password Spraying, Password Guessing, and Credential Stuffing all use metered activity to probe password systems so slowly that failed attempts go undetected by legacy time window-based “lock out” business rules.
Why Low and Slow Attacks Work
Volumetric brute force password attack strategies can often be detected due to their size and velocity using typical statistical analysis mechanisms.
Password spraying attacks take a very different approach, probing multiple accounts for commonly used or compromised passwords. These attacks attempt to stay under the threshold that would trigger “3 strikes and you’re locked out” rules typically used by authentication applications.
Of course, current authentication attack prevention measures do not stop with rules defined in authentication applications. Logs, often from multiple systems (e.g. firewalls, DNS, and web authentication logs), are typically processed by log/SIEM analysis solutions which perform more complex analysis, including analysis of multiple data sets concurrently or across longer time periods.
SIEMs, however, are by definition not analyzing data in real time, and their use is limited by the volume of data they retain for active analysis, and specifically by the costs to retain and process that data.
Real-time application rulesets don’t have the context gained from looking at long time periods of data or from data sourced from other systems. Batch-based log/SIEM analysis tools can perform more complex analytics but are not in the real-time flow of authentications, meaning you may not find out about successful attacks until hours or days later, and the extended time frames of data needed to find low and slow attack behaviors are prohibitively expensive to retain and process.
The tradeoffs with current approaches are stark: either impose time windows to process events in real time and reduce cost, or sacrifice real-time responsiveness to store and process data over a greater time interval at great expense. In either case, it isn’t clear you’ll be able to prevent all, or even some, low and slow attacks. That’s what makes this attack vector so insidious.
Low Cost, Real-time Analysis without Time Windows
With low and slow attack strategies exploiting the limited time window visibility of existing application and log analysis solutions, new detection and response tools are needed. These tools need to:
- support detection of attack behavior patterns in logs from multiple systems, over extended periods of time, while remaining
- cost-aligned with the large data retention needs of active extended time window monitoring.
Cost-effective complex log analysis on enterprise or service provider scale requires a new approach.
Streaming Graph Makes Windowless Pattern Detection Cost Effective, Real Time
The open source Quine Streaming Graph offers a new approach to the complex behavior analysis necessary for the detection of password spraying and other low and slow attacks (including advanced persistent threats, or APTs). Two key Quine innovations are of particular interest in this context: standing queries and partial match tracking over extended time windows.
- Standing queries are queries that live in the streaming graph and continuously filter new data for query matches in real time. They find low and slow behaviors across large volumes of logs from multiple systems and extended time periods using graph query definitions, which have proven much more efficient than traditional RDBMS query logic.
- Partial match tracking across in-memory and persistent storage, at scale, allows Quine to retain possibly interesting incomplete matches until the moment when a complete match occurs. Deferring the storage of high volumes of partial matches to inexpensive persistent storage solves the cost issues associated with traditional log analysis systems, while operating in the real-time workflow as attacks occur minimizes the impact of a breach.
And Quine eliminates time windows without incurring the cost of SIEM solutions, sifting through data from multiple sources to find and store only the patterns that matter – in this case, the ones that indicate a low and slow attack is underway.
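To make the contrast between a windowed lockout rule and a windowless, standing-query-style pattern concrete, here is an added example that is not Quine code or a Quine query: it runs both approaches over a constructed spray log in plain Python. The event format, source IP, account names and thresholds are assumptions.

```python
"""Constructed example (not Quine code): a per-account windowed lockout rule
versus a windowless, standing-query-style partial-match detector."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthEvent:
    ts: int          # seconds since epoch (constructed values)
    src_ip: str
    account: str
    success: bool


# Constructed sample log: one source tries one password against many accounts,
# a single attempt per account, spaced an hour apart. No account ever sees
# three failures, so a "3 strikes in 15 minutes" rule never fires.
SPRAY = [AuthEvent(3600 * i, "198.51.100.7", f"user{i}", False) for i in range(8)]
SPRAY.append(AuthEvent(3600 * 8, "198.51.100.7", "user8", True))  # eventual hit


def windowed_lockout(events, max_failures=3, window=900):
    """Legacy rule: lock an account after max_failures failures within window seconds."""
    recent = defaultdict(list)   # account -> timestamps of recent failures
    locked = set()
    for e in events:
        if e.success:
            continue
        fails = [t for t in recent[e.account] if e.ts - t < window] + [e.ts]
        recent[e.account] = fails
        if len(fails) >= max_failures:
            locked.add(e.account)
    return locked


def standing_spray_query(events, min_accounts=5):
    """Standing-query style: keep partial matches (src_ip -> accounts failed against)
    with no time window, and emit an alert the moment the pattern completes."""
    partial = defaultdict(set)   # partial matches, retained indefinitely
    alerts = []
    for e in events:
        if not e.success:
            partial[e.src_ip].add(e.account)
            if len(partial[e.src_ip]) == min_accounts:   # pattern just completed
                alerts.append((e.ts, e.src_ip))
    return alerts


def alert_precedes_compromise(events):
    """True if the windowless pattern fires before the first successful login."""
    alerts = standing_spray_query(events)
    first_success = min((e.ts for e in events if e.success), default=None)
    return bool(alerts) and first_success is not None and alerts[0][0] < first_success
```

On the constructed log the lockout rule never locks anything, while the partial-match detector names the source four hours before its first successful login.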
Learn more or try Quine yourself
Quine is available in both open source and enterprise editions. You can try it yourself. Learn how to ingest your own data and build a streaming graph that can detect all sorts of attacks in real time.
- Join Quine Community Slack and get help from thatDot engineers and community members.
- Download Quine - JAR file | Docker Image | Github
- Check out the Ingest Data into Quine blog series covering everything from ingesting from Kafka to ingesting CSV data
- Try the Ethereum Fraud Detection recipe - this recipe showcases ingest and standing query patterns that you may find helpful.
Photo credit: Karl Ibri @karlibri