Goal

Detect Account Takeover (ATO) attempts on services. ATO attempts include brute force, dictionary, and distributed credential stuffing attacks.

This detection rule is designed to detect distributed credential stuffing campaigns, where an attacker uses many IP addresses to attempt to log into different accounts using stolen password lists. The attacker will often try a single password per account, and may make a few login attempts with each individual IP address.

Required business logic events

Datadog auto-instruments many event types. Review your instrumented business logic events. This detection requires the following instrumented events: users.login.failure with usr.id populated.

Strategy

Monitor login events and track the number of failed login attempts. Generate a Low severity signal when the rate of login failures deviate from historical trends. Datadog requires a number of users to be logged in and associated with multiple IP addresses to be attempting logins. This helps deduplicate any non-distributed signals (such as brute force and credential stuffing) that may appear.

The monitored login attempts exclude local IP addresses to help reduce false positives.

Triage and response

1. Review the attacker clusters in the “Attacker Attributes” section to identify the attacker. You may see a mix of legitimate and malicious activity. Confirm that the activity from the cluster correlates with the rise in login failures without legitimate activity so real users are not accidentally blocked.
2. Create a custom WAF rule to block on those attributes if possible.
3. Review any successful logins from the cluster. Those accounts may be compromised and should be blocked until the passwords are reset.