{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/password_spraying/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Cisco ASA"],"_cs_severities":["medium"],"_cs_tags":["authentication","brute_force","password_spraying","cisco_asa"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eThis brief focuses on detecting account lockouts on Cisco ASA (Adaptive Security Appliance) devices. The increasing sophistication of cyberattacks means that organizations must monitor not just successful breaches, but also failed authentication attempts that may signal ongoing brute force attacks, password spraying campaigns, or credential stuffing attempts. The presence of these types of attacks indicate that credentials may have been compromised from external breaches and are being used to gain unauthorized access to network infrastructure. This analytic specifically leverages Cisco ASA message ID 113006, which signifies a user account lockout triggered by exceeding the permitted number of failed authentication attempts. This detection is crucial for defenders, as it enables timely response to potential unauthorized access attempts, protecting sensitive resources and maintaining network integrity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker attempts to authenticate to the Cisco ASA using compromised credentials or by guessing passwords.\u003c/li\u003e\n\u003cli\u003eThe authentication attempts fail.\u003c/li\u003e\n\u003cli\u003eThe Cisco ASA logs message ID 113006, indicating a failed authentication attempt.\u003c/li\u003e\n\u003cli\u003eThe attacker continues to attempt authentication, exceeding the configured lockout threshold.\u003c/li\u003e\n\u003cli\u003eThe Cisco ASA locks the user account, logging message ID 113006 with details of the account lockout and the failure threshold.\u003c/li\u003e\n\u003cli\u003eThe detection rule triggers based on the 113006 event identifying the user account and originating host.\u003c/li\u003e\n\u003cli\u003eSecurity team investigates the lockout event, looking for associated malicious activity.\u003c/li\u003e\n\u003cli\u003eIf confirmed malicious, the security team takes action to block the attacker and remediate the compromised account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation could lead to unauthorized access to the network, potentially leading to data breaches, service disruption, or further lateral movement within the network. While a single account lockout might seem minor, a series of lockouts, especially affecting privileged accounts, could indicate a coordinated attack. Organizations in all sectors are vulnerable, with financial services and healthcare being particularly attractive targets.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eIngest Cisco ASA syslog data into Splunk via the Cisco Security Cloud TA to populate the \u003ccode\u003ecisco_asa\u003c/code\u003e macro.\u003c/li\u003e\n\u003cli\u003eConfigure Cisco ASA devices to generate and forward message ID 113006 for account lockout events to Splunk.\u003c/li\u003e\n\u003cli\u003eTune and deploy the Sigma rule \u0026quot;Cisco ASA - User Account Lockout Detected\u0026quot; to detect account lockouts.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts from the Sigma rule, focusing on privileged accounts, unusual source IP addresses, and multiple simultaneous lockouts.\u003c/li\u003e\n\u003cli\u003eReview and tune the lockout threshold on Cisco ASA devices based on your organization's security policies.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-cisco-asa-account-lockout/","summary":"Detection of user account lockouts on Cisco ASA devices due to excessive failed authentication attempts, potentially indicating brute-force attacks, password spraying, or credential stuffing.","title":"Cisco ASA User Account Lockout Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-cisco-asa-account-lockout/"}],"language":"en","title":"CraftedSignal Threat Feed - Password_spraying","version":"https://jsonfeed.org/version/1.1"}