Credential Stuffing attack
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel,
n'hésitez pas à nous contacter.
Goal
Detect Account Takeover (ATO) attempts on services. ATO attempts include brute force, dictionary, and distributed credential stuffing attacks.
This detection rule is designed to detect credential stuffing campaigns, where an IP attempts to log in to different accounts using stolen password lists, often trying a single password per account.
Required business logic events
Datadog auto-instruments many event types. Review your instrumented business logic events. This detection requires the following instrumented events:
users.login.failure
users.login.success
Strategy
Monitor login events and track failed logins. Generate a Low
severity signal when an IP address exceeds the threshold of 30 failed logins (or 15 if the IP has a poor reputation), and in which more than 5 different user accounts were attacked. A fallback is also present in case the instrumentation doesn’t provide a usr.id
when the user doesn’t exist.
The signal severity is increased to Critical
when the IP address has a successful login, and the compromised account is highlighted.
Triage and response
- Consider blocking the attacking IP addresses temporarily to slow attacks.
- Check compromised accounts, suspend account access temporarily, and force password change.
- Implement and enable MFA (multi-factor authentication) when possible.