Hello and welcome to another Application of the MITRE ATT&CK Framework discussion. Today we're going to be looking at brute force, so let's go ahead and jump over to our objectives.
So today's objectives are as follows. We're going to describe what brute force is and how that can be to the benefit of a threat actor, some common ports that they would hit, mitigation techniques for brute forcing, and detection techniques.
So let's go ahead and look at how we're defining brute force within the MITRE ATT&CK framework. Essentially, when a threat actor doesn't have the ability to obtain credential hashes, then the other option is what we call brute forcing. This is when the attacker attempts to essentially guess a password, so they don't know what it is.
So they're just going to throw random characters at a system until they log in or they do not. This could be done against a possible list of passwords, which could either be generated or pre-built. There are a number of tools that come with pre-generated password lists.
And so this would be considered high risk for detection, because it would create a huge amount of noise. Typically we don't want to see things like failed login attempts; we don't want to see those things coming up in logs. So if threat actors are trying to be sneaky,
then they're not going to usually use this method. They're going to try to do something else.
Now, when we look at brute forcing, commonly there are ports associated with it, and there are a lot of tools out there that are used for brute forcing in these different areas. So we've got things like SSH and Telnet and FTP. These are very common externally. I mean, again, all of these are common per se, but commonly brute-forced ports are
MySQL, MSSQL, Oracle, VNC, RDP, LDAP. So any number of these areas could be brute forced and could then be used by a threat actor
for further accessing the system or getting into a system to maybe put payloads or files or whatever the case may be on it. Now I do want to say that more and more, we should be concerned with having RDP open. So
whether that's on 3389 or 3390, I've seen people take it and put it in obscure port ranges, thinking that it's going to keep that from being detected. You have to remember that it's not about the port number per se. It's about the actual service running on the port. So even if you take something like SSH
and you put it in the assignable port range, that's above 1024, so if you put it on any other port,
it still is a service. It's still going to be detectable. It'll just be in a higher port range. And so that doesn't mean that you're securing the port. It just means that you're attempting to obscure where that port is. And most tools that threat actors are using to scan network interfaces externally, things of that nature, are going to search the whole
range of usable ports all the way up to the 129,000 and some change. And so don't think that security through obscurity
is going to prevent detection in this measure. So you want to lock down those ports to trusted IPs, you want to use whitelisting techniques, you want to use maybe SSL VPN connections or VPN connections prior to doing things like RDP and things of that nature.
That's just something that you should start considering as just a part of your SOP. So let's talk about mitigation techniques real quick.
So we can set account lockouts to prevent password guessing. Essentially, this is just going to make it very arduous and slow for the threat actor to get into a system through password guessing.
We want to enable multi-factor authentication when we can. Again, it's not always going to prevent a threat actor from getting in,
but it definitely slows down brute forcing attempts and things of that nature. And then we can determine best practice policies for the organization based on NIST or other compliance guidelines.
So just ensuring that we look at what is current in the organization right now. I believe that password policies based on this would say that things never expire, but they ask for 14-plus character passwords. I've seen others where it's 12 characters minimum, if we're going to use kind of standard complexity where we've got letters, characters, numbers, things of that nature in the mix. So really, it just depends on the organization: what they're willing to bear, what compliance regulations state, and what they can do.
So let's talk about some detection methods as well. Right out of the gate we can look for high amounts of failed logon attempts against systems across various accounts. So if you see a list of common usernames starting from A and then to B, getting into C,
then it may be that someone's going through and trying to brute force a system.
On domain controllers you can audit logon success and failures for the following event ID: 4625. We could do Kerberos authentication service failure and success, event ID 4771. And then on all systems we can do logon success and failure, event
ID 4648.
Again, depending on how the environment is set up, what you're logging, and what your capabilities are, you can use these things to your advantage. At least turning these logs on on a system
and having that locally could be of use if a threat actor doesn't wipe that after getting onto a system.
I mean, again, you have to have someone going back and checking these things. You can't just turn it on and let it run and think that it's going to give you an alert right out of the box.
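As an added example (not part of the video or of MITRE's own material), here is a small Python detector in the spirit of the failed-logon auditing described above: it groups constructed 4625/4771-style failure records by source address, flags any source that crosses a failure threshold inside a time window, and distinguishes one account hammered repeatedly from a sweep across many usernames. The record shape, the sample data, and the thresholds are assumptions.

```python
# Added example (not from the video or MITRE): flag brute-force patterns in
# Windows Security events using constructed sample records, not real telemetry.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_id, target account, source IP).
# Event IDs follow the video: 4625 failed logon, 4771 Kerberos pre-auth failure.
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:00", 4625, "aaron",      "10.0.0.50"),
    ("2024-01-10T09:00:02", 4625, "abigail",    "10.0.0.50"),
    ("2024-01-10T09:00:04", 4625, "adam",       "10.0.0.50"),
    ("2024-01-10T09:00:06", 4771, "alice",      "10.0.0.50"),
    ("2024-01-10T09:00:08", 4625, "bob",        "10.0.0.50"),
    ("2024-01-10T09:00:10", 4625, "brian",      "10.0.0.50"),
    ("2024-01-10T09:03:00", 4625, "jdoe",       "10.0.0.77"),  # single typo, benign
    ("2024-01-10T09:00:00", 4625, "svc_backup", "10.0.0.99"),
    ("2024-01-10T09:00:01", 4625, "svc_backup", "10.0.0.99"),
    ("2024-01-10T09:00:02", 4625, "svc_backup", "10.0.0.99"),
    ("2024-01-10T09:00:03", 4625, "svc_backup", "10.0.0.99"),
    ("2024-01-10T09:00:04", 4625, "svc_backup", "10.0.0.99"),
]

FAILURE_IDS = {4625, 4771}  # failed logon, Kerberos pre-auth failure

def detect_bruteforce(events, window_minutes=5, min_failures=5):
    """Return {source_ip: (label, failures, accounts)} for every source whose
    failure count inside some window_minutes window reaches min_failures.
    Label is 'password-spray' when the attempts are spread over many accounts
    and 'brute-force' when they pile onto one or two accounts."""
    by_source = defaultdict(list)
    for ts, eid, account, src in events:
        if eid in FAILURE_IDS:
            by_source[src].append((datetime.fromisoformat(ts), account))
    window = timedelta(minutes=window_minutes)
    findings = {}
    for src, rows in by_source.items():
        rows.sort()  # chronological, so each window starts at rows[i]
        for i, (start, _) in enumerate(rows):
            burst = [a for t, a in rows[i:] if t - start <= window]
            if len(burst) >= min_failures:
                accounts = sorted(set(burst))
                label = "password-spray" if len(accounts) > 2 else "brute-force"
                findings[src] = (label, len(burst), accounts)
                break  # one finding per source is enough to raise an alert
    return findings

if __name__ == "__main__":
    for src, (label, n, accts) in detect_bruteforce(SAMPLE_EVENTS).items():
        print(f"{src}: {label}, {n} failures across {len(accts)} accounts: {accts}")
```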
So let's do a quick check on learning. True or false: brute force attacks are when an adversary attempts to guess account passwords using things like password lists.
All right, well, if you need more time, please pause the video. So in this case, this is a true statement. Brute forcing is an attack type where an adversary will guess account passwords using things like password lists, and so that is a true statement.
So let's go ahead and jump over to our summary for today's discussion.
So in summary, we described brute force and what that is: it's essentially a technique where a threat actor uses tools and password lists to attempt to force their way into a system by guessing a password. We reviewed some mitigating techniques, and we reviewed some detection techniques as well.
So with that in mind, I want to thank you for your time today, and I look forward to seeing you again soon.