Response Processors: Login Processor: Incident - Site Login User Brute Force

Complexity: Medium (3.0)

Default Response: 1x = Break Authentication for 1 hour, 2x = Break Authentication for 6 hours, 3x = Clear Inputs for 1 day

Cause: The login processor is designed to protect the login dialog of the website. It works by monitoring all login attempts and identifying suspicious and malicious events. This specific incident is triggered when a user attempts to log in with the same username 9 or more times with invalid passwords.

Behavior: In this case, the user is probably attempting to brute force the account indicated in the incident details. Brute force against authentication works by iterating over a list of common passwords and testing each of them against the target username. The hope is that the target user selected a weak password and that the password is in the "dictionary" list of passwords to try. In some cases, a custom brute force tool can be employed, which iterates over a list of passwords carefully constructed from the target's personal information (birthdays, anniversaries, names, ages, phone numbers, and so on).
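
The trigger in Cause and the escalation in Default Response can be sketched as detection logic over a stream of login events. This is an added example, not the product's own code. The event tuple shape, the per-(client, username) counting with no time window, the counter restart after each incident, and the behavior past the third incident are assumptions.

```python
from collections import defaultdict

THRESHOLD = 9  # invalid attempts on one username, from the Cause text
# Default Response tiers from the page: (action, duration in hours)
RESPONSES = [("Break Authentication", 1),
             ("Break Authentication", 6),
             ("Clear Inputs", 24)]


def detect(events):
    """Return incidents for a stream of (client, username, ok) login events.

    Assumptions (not stated on the page): failures are counted per
    (client, username) pair with no time window, the counter restarts
    after each incident, and incidents past the third keep the last tier.
    """
    failures = defaultdict(int)        # (client, username) -> invalid attempts
    incident_count = defaultdict(int)  # client -> incidents raised so far
    incidents = []
    for client, username, ok in events:
        if ok:
            continue  # only invalid passwords count toward the incident
        key = (client, username)
        failures[key] += 1
        if failures[key] >= THRESHOLD:
            failures[key] = 0
            incident_count[client] += 1
            tier = min(incident_count[client], len(RESPONSES)) - 1
            action, hours = RESPONSES[tier]
            incidents.append({"client": client, "username": username,
                              "count": incident_count[client],
                              "response": action, "hours": hours})
    return incidents


# Constructed sample events: client "c1" fails 9 times each against three
# usernames; client "c2" fails 8 times (below threshold), then succeeds.
SAMPLE = ([("c1", "alice", False)] * 9 + [("c1", "bob", False)] * 9
          + [("c1", "carol", False)] * 9
          + [("c2", "dave", False)] * 8 + [("c2", "dave", True)])

if __name__ == "__main__":
    for inc in detect(SAMPLE):
        print(inc)
```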