Are You Ready for Low and Slow Auth Attacks?

Rob Malnati, thatDot

Preventing Authentication Attacks In Real Time

Authentication attacks come in many forms, each using a different strategy with distinct, often difficult-to-detect characteristics. Password spraying attacks are particularly hard to detect because of the deliberately low frequency of authentication attempts, the number of services probed, and the extended time period over which the attempts are made. Detecting and preventing password spraying attacks in real time is impossible with current solutions. I’ll take a look at why this is and how Quine changes the game.

Low and Slow Attacks: Brute Force, A Little Bit At A Time

In the past, brute force attacks have been synonymous with easy-to-spot bursts of machine-driven activity designed to overwhelm defenses. But as attackers gain sophistication, they have found ways to reduce their profile while still harnessing the power of automation.

Low and slow attacks use automation to spread authentication attempts over days, weeks and months, while also distributing the attempts across a network of target systems and a range of source IPs. Based on the MITRE definitions of brute force attacks, Password Spraying, Password Guessing, and Credential Stuffing all use metered activity to probe password systems so slowly that failed attempts go undetected by legacy time-window-based “lock out” business rules.

Why Low and Slow Attacks Work

Volumetric brute force password attacks can often be detected by typical statistical analysis mechanisms because of their size and velocity.

Password spraying attacks take a very different approach, probing many accounts for commonly used or compromised passwords, typically a single password per account at a time. These attacks stay under the threshold that would trigger the “3 strikes and you’re locked out” rules commonly used by authentication applications.

Of course, current authentication attack prevention measures do not stop with rules defined in authentication applications. Logs, often from multiple systems (e.g. firewalls, DNS, and web authentication logs), are typically processed by log/SIEM analysis solutions which perform more complex analysis, including analysis of multiple data sets concurrently or across longer time periods.

SIEMs, however, are by definition not analyzing data in real time, and their usefulness is limited by the volume of data they retain for active analysis, and specifically by the cost of retaining and processing that data.

Figure: Complexity of Data (Y axis) vs. Time to Analyze (X axis). Policies are real-time but simple; SIEM log analysis is complex but slow. Caption: Detection Time Frames vs. Low and Slow Attack Behavior Patterns.

Real-time application rulesets lack the context gained from looking at long time periods of data or at data sourced from other systems. Batch-based log/SIEM analysis tools can perform more complex analytics but are not in the real-time flow of authentications, so you may not find out about a successful attack until hours or days later, and it is prohibitively expensive to retain the extended time frames of data needed to find low and slow attack behaviors.

Figure: Low and slow attacks extend over time periods beyond the storage and cost limits of current approaches. Caption: Detection Time Frames vs. Low and Slow Attack Behavior Patterns.

The tradeoffs with current approaches are stark: either impose time windows to process events in real time and reduce cost, or sacrifice real-time responsiveness to store and process data over a greater time interval at great expense. In either case, it isn’t clear you’ll be able to prevent all, or even some, low and slow attacks. That’s what makes this attack vector so insidious.

Low Cost, Real-time Analysis without Time Windows

With low and slow attack strategies exploiting the limited time-window visibility of existing application and log analysis solutions, new detection and response tools are needed. These tools need to:

  1. support detection of attack behavior patterns in logs from multiple systems, over extended periods of time, while being
  2. cost-aligned with the large data retention needs of active extended-time-window monitoring.

Figure: Cost rises as the data needed to analyze larger time windows grows with traditional tools, showing the need to reduce cost. Caption: Low and Slow Attack Detection Requires a New Tool ROI Paradigm.

Cost-effective complex log analysis at enterprise or service provider scale requires a new approach.

Streaming Graph Makes Windowless Pattern Detection Cost Effective, Real Time

The open source Quine Streaming Graph offers a new approach to the complex behavior analysis necessary for detecting password spraying and other low and slow attacks (including advanced persistent threats, or APTs). Two key Quine innovations are of particular interest in this context – standing queries and partial match tracking over extended time windows.

  1. Standing queries are queries that live in the streaming graph and continuously filter new data for matches in real time. They find low and slow behaviors across large volumes of logs from multiple systems and extended time periods using graph query definitions, which have proven much more efficient than traditional RDBMS query logic.
  2. Partial match tracking across in-memory and persistent storage, at scale, allows Quine to retain possibly interesting incomplete matches until the moment a complete match occurs. Deferring storage of high volumes of partial matches to inexpensive persistent storage solves the cost issues associated with traditional log analysis systems, while operating in the real-time workflow as attacks occur to minimize the impact of a breach.

Quine thus eliminates time windows without incurring the cost of SIEM solutions, sifting through data from multiple sources to find and store only the patterns that matter – in this case, the ones that indicate a low and slow attack is underway.

Learn more or try Quine yourself

Quine is available in both open source and enterprise editions, and you can try it yourself. Learn how to ingest your own data and build a streaming graph that can detect all sorts of attacks in real time.

  1. Join Quine Community Slack and get help from thatDot engineers and community members.
  2. Download Quine – JAR file | Docker Image | Github
  3. Check out the Ingest Data into Quine blog series, covering everything from ingesting from Kafka to ingesting CSV data.
  4. Try the Ethereum Fraud Detection recipe – it showcases ingest and standing query patterns that you may find helpful.

Photo credit: Karl Ibri @karlibri