I have several clients who’ve asked me how they can prevent a brute force attack inside their Windows infrastructure. This is the use case for this blog post: a solution I’ve been studying using NetEye together with its SIEM module.

I’ve used a Windows client here, but it’s the same for any server on which I’ve installed Winlogbeat and configured it to send all security events to the Logstash component inside NetEye.

I’ve written previously about Winlogbeat and how to configure it here.

I’ve used Winlogbeat 7.4.2 for this configuration, under NetEye 4.10 with the SIEM module, which includes Elastic Stack 7.4 Platinum Edition.

If I have many servers, I can reduce the number of Winlogbeat installations by creating a Windows Server collector that uses WEF (Windows Event Forwarding), then configuring all the servers in my infrastructure to send their security events to the collector.
When Logstash receives the data, it forwards it to Elasticsearch, where I can build a dashboard that shows log-ons, log-offs and failed log-ons using ECS field names. To see the results, let’s open NetEye:
Then open Log Analytics and navigate to Elastic Stack:
Now we have a dashboard that shows failed log-on attempts:
So can NetEye help us prevent brute force attacks? It’s simple with Tornado. I’ll make use of two old blog posts from my colleague Angelo, here and here.
To test this solution I’ll try one of the common user names used in this type of attack (let’s pick TEST):
ADMINISTRATOR
ADMINISTRADOR
ADMIN
TEST
LAPTOP
SHOP
JOE
JULIE
SUPORTE
SERVIDOR
DANIELTS
When we exceed the threshold of 10 attempts, we’ll find an alert in NetEye that can be used to send notifications to the NetEye admin account via e-mail, SMS, Slack, Telegram, etc. So now we just need to attach the alarms, one on the user account:
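To show what the Tornado rule has to decide, here is an added example (not NetEye or Tornado code) that counts failed Windows log-ons (Event ID 4625) per target user from Winlogbeat-style ECS documents and flags any user who exceeds the threshold of 10 attempts inside a sliding time window. The sample events are constructed, and the field names (`event.code`, `winlog.event_data.TargetUserName`, `winlog.event_data.IpAddress`, `@timestamp`) and the five-minute window are assumptions.

```python
"""Flag users exceeding a failed log-on threshold in Winlogbeat ECS documents.
Added example for this post, not NetEye/Tornado code. Field names assume
Winlogbeat's Security module output; the window length is an assumption."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 10                  # alert once a user exceeds this many failures...
WINDOW = timedelta(minutes=5)   # ...within this sliding window (assumed)


def _event(ts_sec, user, code="4625", ip="10.0.0.99"):
    # Build one constructed Winlogbeat document (not captured data).
    ts = datetime(2020, 1, 15, 9, 0, 0) + timedelta(seconds=ts_sec)
    return json.dumps({
        "@timestamp": ts.strftime("%Y-%m-%dT%H:%M:%S.000Z"),
        "event": {"code": code, "outcome": "failure" if code == "4625" else "success"},
        "winlog": {"event_data": {"TargetUserName": user, "IpAddress": ip}},
    })


# Constructed sample: 12 failures for TEST within one minute, 3 for JOE,
# and one successful log-on (4624) for TEST that must not be counted.
SAMPLE_LINES = (
    [_event(i * 5, "TEST") for i in range(12)]
    + [_event(i * 20, "JOE") for i in range(3)]
    + [_event(70, "TEST", code="4624")]
)


def failed_logons_over_threshold(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {user: peak failures seen inside the window} for users over threshold."""
    recent = defaultdict(deque)   # user -> timestamps of 4625s still inside the window
    alerts = {}
    docs = sorted((json.loads(l) for l in lines), key=lambda d: d["@timestamp"])
    for doc in docs:
        if doc["event"]["code"] != "4625":
            continue                  # only failed log-ons count towards the alarm
        user = doc["winlog"]["event_data"]["TargetUserName"].upper()
        ts = datetime.strptime(doc["@timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that aged out of the window
            q.popleft()
        if len(q) > threshold:
            alerts[user] = max(alerts.get(user, 0), len(q))
    return alerts


if __name__ == "__main__":
    print(failed_logons_over_threshold(SAMPLE_LINES))   # {'TEST': 12}
```

In NetEye the same decision is taken by the Tornado rule on the incoming events; a rule that also keys on `IpAddress` would catch the case where one source tries many of the user names listed above.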
Hi, I’m Franco and I was born in Monza. For 20 years I worked for IBM in various roles. I started as a customer service representative (help desk operator), then I was promoted to Windows expert. In 2004 I changed again and was promoted to consultant, business analyst, then Java developer, and finally technical support and system integrator for Enterprise Content Management (FileNet). Several years ago I became fascinated by the Open Source world, the GNU/Linux operating system, and security in general. So for 4 years during my free time I studied security systems and computer networks in order to extend my knowledge. I came across several open source technologies including the Elastic Stack (formerly ELK), and started to explore them and other similar ones like Grafana, Graylog, Snort, Grok, etc. I like to script in Python, too. Then I started to work at Würth Phoenix as a consultant. Two years ago I moved with my family to Berlin to work for a startup in fintech (Nuri), but the startup went bankrupt due to insolvency. No problem, Berlin offered many other opportunities and I started working for Helios IT Service as an infrastructure monitoring expert with Icinga and Elastic, but after another year I preferred to return to Italy for various reasons that we can go into in person 🙂 In my free time I continue to dedicate myself to my family (especially my daughter) and I like walking, reading, dancing and making pizza for friends and relatives.
Author
Franco Federico