Cisco ASA User Account Lockout Detection
Detection of user account lockouts on Cisco ASA devices due to excessive failed authentication attempts, potentially indicating brute-force attacks, password spraying, or credential stuffing.
This brief focuses on detecting account lockouts on Cisco ASA (Adaptive Security Appliance) devices. The increasing sophistication of cyberattacks means that organizations must monitor not just successful breaches, but also failed authentication attempts that may signal ongoing brute force attacks, password spraying campaigns, or credential stuffing attempts. The presence of these types of attacks indicate that credentials may have been compromised from external breaches and are being used to gain unauthorized access to network infrastructure. This analytic specifically leverages Cisco ASA message ID 113006, which signifies a user account lockout triggered by exceeding the permitted number of failed authentication attempts. This detection is crucial for defenders, as it enables timely response to potential unauthorized access attempts, protecting sensitive resources and maintaining network integrity.
Attack Chain
- The attacker attempts to authenticate to the Cisco ASA using compromised credentials or by guessing passwords.
- The authentication attempts fail.
- The Cisco ASA logs message ID 113006, indicating a failed authentication attempt.
- The attacker continues to attempt authentication, exceeding the configured lockout threshold.
- The Cisco ASA locks the user account, logging message ID 113006 with details of the account lockout and the failure threshold.
- The detection rule triggers based on the 113006 event identifying the user account and originating host.
- Security team investigates the lockout event, looking for associated malicious activity.
- If confirmed malicious, the security team takes action to block the attacker and remediate the compromised account.
Impact
Successful exploitation could lead to unauthorized access to the network, potentially leading to data breaches, service disruption, or further lateral movement within the network. While a single account lockout might seem minor, a series of lockouts, especially affecting privileged accounts, could indicate a coordinated attack. Organizations in all sectors are vulnerable, with financial services and healthcare being particularly attractive targets.
Recommendation
- Ingest Cisco ASA syslog data into Splunk via the Cisco Security Cloud TA to populate the
cisco_asamacro. - Configure Cisco ASA devices to generate and forward message ID 113006 for account lockout events to Splunk.
- Tune and deploy the Sigma rule "Cisco ASA - User Account Lockout Detected" to detect account lockouts.
- Investigate alerts from the Sigma rule, focusing on privileged accounts, unusual source IP addresses, and multiple simultaneous lockouts.
- Review and tune the lockout threshold on Cisco ASA devices based on your organization's security policies.
Detection coverage 2
Cisco ASA - User Account Lockout Detected
mediumDetects user account lockouts on Cisco ASA devices based on message ID 113006.
Cisco ASA - Multiple Account Lockouts from Single Host
highDetects multiple account lockouts from a single host within a short time, suggesting password spraying.
Detection queries are available on the platform. Get full rules →