What is a brute force attack?
A brute force attack is a type of cyberattack in which an attacker tries to gain access to a system or account by repeatedly trying different passwords or usernames.
There are a few things you can look for to identify a brute force attack:
- Increased login attempts: if you see a sudden increase in login attempts from a particular IP address or range of IP addresses, this could be a sign of a brute force attack.
- Failed login attempts: if you see numerous failed login attempts, this is also a sign of a brute force attack.
- Blocked IP addresses: if your system or application is blocking IP addresses that are repeatedly trying to log in, this is another sign of a brute force attack.
- Unusual user behaviour: if you see unusual user behaviour, such as multiple failed login attempts from the same user account, this could also be a sign of a brute force attack.
How to identify a brute force attack with Sycope?
Sycope has many built-in rules to detect a variety of security threats, for example brute force attacks. To use a rule template, click the add rule button. Choose the create rule from template option, and find the template of the brute force attack rule. Choose the template and verify the settings of the rule, that is: general stream time and input filters, values, categories, sorting limit, schedule, thresholds, and actions.
In the threshold section, you can see that brute force attacks are detected when the count sessions metric is exceeded. Click the create button. The rule has been created.
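The indicators listed earlier and the threshold idea behind the rule can be sketched in a few lines. This is an added example, not Sycope's rule logic and not code from the original page: it counts failed logins per source IP and per account in a sliding window over constructed events, and the window, threshold and record layout are assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60  # assumed look-back window
THRESHOLD = 5        # assumed: alert when more than 5 failures fall in the window

# Constructed sample events: (epoch seconds, source IP, account, login succeeded)
EVENTS = (
    # one source hammering one account
    [(1000 + 5 * i, "203.0.113.7", "admin", False) for i in range(8)]
    # one account failing from many different sources
    + [(2000 + 8 * i, f"198.51.100.{i + 1}", "alice", False) for i in range(6)]
    # ordinary user who mistypes twice and then logs in
    + [(3000, "192.0.2.10", "bob", False),
       (3004, "192.0.2.10", "bob", False),
       (3009, "192.0.2.10", "bob", True)]
)

SRC_IP, ACCOUNT = 1, 2  # tuple positions usable as the grouping key


def detect(events, key_index, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {key: time of first alert} for keys whose failed-login
    count inside the sliding window exceeds the threshold."""
    recent = defaultdict(deque)  # key -> timestamps of recent failures
    alerts = {}
    for event in sorted(events):  # process in time order
        ts, succeeded = event[0], event[3]
        if succeeded:
            continue
        failures = recent[event[key_index]]
        failures.append(ts)
        # discard failures that have aged out of the window
        while ts - failures[0] >= window:
            failures.popleft()
        if len(failures) > threshold:
            alerts.setdefault(event[key_index], ts)
    return alerts


if __name__ == "__main__":
    print("by source IP:", detect(EVENTS, SRC_IP))
    print("by account:  ", detect(EVENTS, ACCOUNT))
```

Grouping by account as well as by source IP matters here: the failures against "alice" come from six different addresses, so no single IP crosses the threshold, but the account does.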