To effectively safeguard your web applications against brute force attacks, it is crucial to have robust incident response processes in place. Splunk, a leading data analytics platform, provides powerful tools and features to help you proactively detect and respond to such threats.
In today's digital landscape, the increasing sophistication of cyber threats poses a great challenge for organizations. One prevalent attack method is brute force, where malicious actors attempt to gain unauthorized access to web applications by systematically guessing usernames and passwords.
To effectively block attackers based on their IP addresses, it is crucial to extract the relevant information from log files. Specifically, we need to extract the attacker's IP address as a field from the log data. To do this, we will search for the string "error: invalid login credentials for user" (including the quotes) within the log files.
Once we have identified the relevant log entries, we will use the "Extract New Fields" functionality in Splunk to extract the desired field. To strip the unnecessary parts of the event and isolate the IP address, we will select a sample event and choose the "Regular Expression" matching option on the "Select Method" page.
For the name of the extraction, we will use "src_ip" to represent the source IP address of the attacker. By completing this extraction process, we will have a designated field within Splunk that contains the essential information required for further analysis and blocking actions.
The next step involves creating a search that identifies users who have exceeded the allowed number of failed login attempts within a specified time frame. In this case, the alert will target users who have failed to log in more than 20 times in the last 2 minutes.
By selecting a time frame of the "Last 2 minutes," we can effectively monitor recent login attempts and detect potential brute force attacks. The search query will analyze the log data to identify users who have surpassed the defined threshold, indicating suspicious activity.
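The extraction and the threshold search described above, reproduced in plain Python as an added example (this is not code from the original tutorial or from Splunk). The log line layout (the tutorial's search string followed by `<user> from <ip>`), the `src_ip` regex, the equivalent SPL search quoted in a comment, and the sample log are all constructed assumptions; only the search string, the `src_ip` field name and the "more than 20 failures in 2 minutes" rule come from the page.

```python
"""Brute force detection over web-application auth logs.

Added example, not from the original page: it mirrors the Splunk field
extraction (a regex that captures src_ip) and the "more than 20 failures in
the last 2 minutes" search so the logic can be run and inspected offline.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# The literal string the tutorial searches for. The " <user> from <ip>" suffix
# is an assumed log layout, not something stated on the page.
NEEDLE = "error: invalid login credentials for user"
# Same idea as the "Extract New Fields" regex: a named group called src_ip.
SRC_IP_RE = re.compile(
    re.escape(NEEDLE) + r" (?P<user>\S+) from (?P<src_ip>(?:\d{1,3}\.){3}\d{1,3})"
)
TS_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)")
DEMO_NOW = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)  # constructed


def extract_src_ip(line):
    """Return the client address from one failed-login line, or None."""
    m = SRC_IP_RE.search(line)
    return m.group("src_ip") if m else None


def parse_events(text):
    """Return (timestamp, user, src_ip) for every failed-login line."""
    events = []
    for line in text.splitlines():
        m = SRC_IP_RE.search(line)
        ts = TS_RE.match(line)
        if not m or not ts:
            continue  # successful logins and unrelated lines carry no src_ip
        when = datetime.strptime(ts.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events.append((when.replace(tzinfo=timezone.utc), m.group("user"), m.group("src_ip")))
    return events


def find_brute_force(events, now, threshold=20, window=timedelta(minutes=2)):
    """Count failures per src_ip inside the rolling window, keep those above threshold.

    Assumed Splunk equivalent (not quoted from the page), run over "Last 2 minutes":
      "error: invalid login credentials for user" | stats count by src_ip | where count > 20
    """
    cutoff = now - window
    counts = Counter(ip for when, _user, ip in events if cutoff <= when <= now)
    return {ip: n for ip, n in counts.items() if n > threshold}


def build_sample_log(now):
    """Constructed sample data using RFC 5737 documentation addresses."""
    def stamp(age_seconds):
        return (now - timedelta(seconds=age_seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")
    lines = []
    # 25 failures in the last 90 seconds: should trip the alert
    for i in range(25):
        lines.append(f"{stamp(90 - 3 * i)} webapp: {NEEDLE} admin from 203.0.113.7")
    # 3 failures: a user mistyping a password, below the threshold
    for i in range(3):
        lines.append(f"{stamp(60 - 10 * i)} webapp: {NEEDLE} alice from 198.51.100.23")
    # 30 failures, but 10 minutes old: outside the 2-minute window
    for i in range(30):
        lines.append(f"{stamp(600 + i)} webapp: {NEEDLE} root from 192.0.2.9")
    # a successful login does not contain the search string, so no src_ip is extracted
    lines.append(f"{stamp(5)} webapp: login ok for user alice from 198.51.100.23")
    return "\n".join(lines)


def demo():
    """Run the detection over the constructed log as of DEMO_NOW."""
    return find_brute_force(parse_events(build_sample_log(DEMO_NOW)), DEMO_NOW)


if __name__ == "__main__":
    for ip, n in demo().items():
        print(f"ALERT src_ip={ip} failures={n} in last 2 minutes")
```

The window check matters as much as the threshold: the 30 stale failures from 192.0.2.9 are ignored because they fall outside the "Last 2 minutes" range, which is exactly what the Splunk time picker does for the saved search.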
To implement IP banning using an alert, we will create a private alert based on the search query from the previous objective. This alert will run in real-time, utilizing a 2-minute rolling window to continuously monitor login attempts.
Within the search results, each identified IP address will be added as a triggered alert with a medium severity level. To prevent overwhelming the system with redundant alerts, we will implement result throttling based on the src_ip field for the duration of the rolling window (2 minutes). This ensures that alerts are triggered only once per IP address within the specified time frame.
Furthermore, we will configure a Webhook as a trigger action for the alert. Your company has established a custom firewall HTTP endpoint that can automatically ban offending IP addresses. By setting up the Splunk alert callback to this endpoint, the firewall will be notified whenever the alert is triggered, enabling swift and automated IP banning.
It is important to note that the specifics of setting up the alert, including the configuration of result throttling and the webhook, will depend on the capabilities and requirements of your company's firewall and infrastructure.
In this tutorial, we have explored Splunk's capabilities for brute force detection in a web application incident response scenario. By leveraging Splunk's powerful features, you can effectively detect and respond to potential threats, mitigating risks and safeguarding your systems and data.
Remember to adapt the configurations and settings mentioned in this tutorial to align with your specific environment and requirements. Stay vigilant, regularly review and fine-tune your detection mechanisms, and keep abreast of emerging security practices to stay one step ahead of evolving cyber threats.