Brute Force Attack Investigation

When You See This

1. 1

   SIEM alert for excessive failed authentication attempts from a single source IP

2. 2

   Account lockout events affecting multiple users simultaneously

3. 3

   Authentication logs showing hundreds of failed attempts followed by a single success

4. 4

   IDS/IPS alert for password spraying or credential stuffing patterns

Investigation Steps

1. 1

   Identify scope and source

   Determine how many accounts are targeted, the source IP(s), and the authentication endpoint under attack. Check if the source is internal (compromised host or insider) or external. Review geolocation data for the source IP and check it against threat intelligence.

   SIEM

   Splunk SPLMicrosoft KQLElastic Lucene

   index=auth action=failure | stats count by src_ip, user, app | where count > 10 | sort -count

   index=auth action=failure src_ip="attacker_ip" | timechart span=1m count by user

2. 2

   Determine if any attempt succeeded

   Search for successful authentication events from the same source IP or for the targeted accounts. Pay special attention to a success that occurs immediately after many failures; this is the strongest signal of a brute force compromise.

   SIEM

   Splunk SPLMicrosoft KQLElastic Lucene

   index=auth src_ip="attacker_ip" action=success | stats earliest(_time) as first_success, count by user, app

   index=auth user="targeted_user" action=success | where src_ip!="known_ranges" | table _time, src_ip, app, action

   Decision Point

   If: A successful login occurred from the attacking IP

   Yes → This is a confirmed compromise. Immediately disable the account, reset credentials, and escalate to Incident Response.

   No → No successful access. Proceed to containment; block the source IP and verify account lockout policies are working.

3. 3

   Check for credential stuffing patterns

   If multiple accounts are targeted with only 1-3 attempts each (vs. hundreds against one account), this is credential stuffing using leaked password databases rather than traditional brute force. Search for the targeted usernames in known breach databases and assess the risk differently.

   SIEM

   Splunk SPLMicrosoft KQLElastic Lucene

   index=auth action=failure | stats dc(user) as unique_users, count as total_attempts by src_ip | where unique_users > 5

4. 4

   Contain and remediate

   Block the attacking IP at the firewall. If credentials were compromised, force password reset and revoke sessions. Review account lockout policies and MFA enforcement. If this is credential stuffing, consider mandatory password resets for all targeted accounts.

   FirewallSIEM
5. 5

   Document and improve defenses

   Record the attack timeline, source details, targeted accounts, and outcome. Recommend improvements such as enforcing MFA, implementing rate limiting, or deploying an account lockout threshold if one does not exist.

   SIEM

Common Mistakes

1. 1

   Focusing only on failed attempts without checking if any login eventually succeeded

2. 2

   Blocking the IP at the firewall but not checking for VPN or proxy rotation by the attacker

3. 3

   Ignoring credential stuffing patterns where each account gets only 1-3 attempts

Escalation Criteria

• Any successful login from the attacking source after brute force attempts

• Internal source IP conducting brute force (indicates compromised host)

• Targeted accounts have privileged access (admin, service accounts)

Frequently Asked Questions

What is the difference between brute force and credential stuffing?

Brute force tries many passwords against one account. Credential stuffing tries leaked username/password pairs from other breaches against your systems. Credential stuffing is harder to detect because each account only gets 1-3 attempts, staying below most lockout thresholds.

Should I always block the source IP?

Yes, if the source is external and clearly malicious. However, check if it is a shared IP (VPN provider, cloud service, CDN) before blocking, as you could impact legitimate users. For cloud provider IPs, consider blocking the specific authentication endpoint rather than the entire IP.

How do I practice brute force investigations?

SOCSimulator includes brute force attack scenarios in Operations rooms and Shift Mode. Practice identifying attack patterns, assessing success, and implementing containment, all with realistic SIEM logs. Start free forever.