Cyber Security Blog

How Periculo Helps Businesses Prevent Brute Force Attacks with ISO 27001

Written by Jack White | Jan 22, 2025 2:18:25 PM
 
Maintaining your Cyber Security Posture Day to Day

A managed service customer looking to maintain their ISO27001 certification entrusts us with daily log checks to monitor their ongoing security posture. With the monotony of reviewing the same logs day after day, it can be hard to remain vigilant, but this is a vital part of being a secure, professional organisation. The challenge lies not only in detecting new threats but also in recognising subtle changes in patterns that could indicate an evolving security incident.

What Could Go Wrong?

Our client began to experience a small number of failed sign-in attempts from suspicious IP addresses across the globe. These incidents were sporadic at first, making it easy to overlook them—especially with the assurance that their cloud service provider would block sign-in attempts from known malicious IP addresses. However, the situation quickly escalated. Within a few days, we observed a dramatic rise in the number of these sign-in attempts, jumping from a few per day to hundreds within a few hours.

The client was under a brute force attack. In this context, a brute force attack involves an attacker systematically trying multiple combinations of usernames and passwords until they successfully gain unauthorised access to an account. While their cloud service provider could block attempts from malicious IP addresses, a deeper analysis of the error codes showed that some attempts were simply due to incorrect passwords and were bypassing the security control. This suggests that attackers might be using automated tools to guess passwords on a wide variety of different IP addresses. Given enough time, an attacker could potentially guess a correct password, providing them access to sensitive data.
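To show what the "deeper analysis of the error codes" looks like in practice, here is an added example (written for this article, not code from Periculo or the client's cloud provider) that triages a constructed batch of sign-in log lines: it buckets failures by hour so the spike stands out, flags accounts hit from many distinct IP addresses, and counts how many attempts got past the IP blocklist and reached the password check. The log format, the result labels `blocked_ip` and `bad_password`, the thresholds and the sample lines are all assumptions, not any provider's real codes.

```python
"""Added example (not from the original post): triage constructed sign-in logs
to spot the distributed brute-force pattern described above. Field names,
result labels and the sample lines are assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> user=<name> ip=<addr> result=<label>".
# Result labels are assumed, not a real provider's error codes:
#   ok           successful sign-in
#   blocked_ip   the provider refused the attempt because the source IP is blocklisted
#   bad_password the attempt reached the password check and the password was wrong
SAMPLE_LOG = """\
2025-01-20T09:00:12Z user=alice ip=203.0.113.5 result=ok
2025-01-20T11:14:03Z user=svc-backup ip=198.51.100.7 result=blocked_ip
2025-01-21T02:10:44Z user=svc-backup ip=198.51.100.9 result=bad_password
2025-01-22T03:00:01Z user=svc-backup ip=192.0.2.10 result=bad_password
2025-01-22T03:00:07Z user=svc-backup ip=192.0.2.11 result=bad_password
2025-01-22T03:00:13Z user=svc-backup ip=192.0.2.12 result=blocked_ip
2025-01-22T03:00:20Z user=svc-backup ip=192.0.2.13 result=bad_password
2025-01-22T03:00:27Z user=svc-backup ip=192.0.2.14 result=bad_password
2025-01-22T03:00:35Z user=svc-backup ip=192.0.2.15 result=bad_password
2025-01-22T03:00:41Z user=old-intern ip=192.0.2.16 result=bad_password
2025-01-22T03:00:48Z user=old-intern ip=192.0.2.17 result=bad_password
2025-01-22T03:00:55Z user=old-intern ip=192.0.2.18 result=bad_password
2025-01-22T09:30:00Z user=alice ip=203.0.113.5 result=ok
"""


def parse(log_text):
    """Turn each line into a dict; blank or malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        fields = dict(p.split("=", 1) for p in parts[1:])
        fields["ts"] = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events


def failures_per_hour(events):
    """Count failed sign-ins per hour bucket, the view in which a burst stands out."""
    buckets = defaultdict(int)
    for e in events:
        if e["result"] != "ok":
            buckets[e["ts"].replace(minute=0, second=0)] += 1
    return dict(buckets)


def triage(events, spike_threshold=5, min_distinct_ips=3):
    """Report hours whose failure count meets the threshold, accounts targeted
    from many distinct IPs, and how many failures got past the IP blocklist."""
    hourly = failures_per_hour(events)
    spikes = sorted(h for h, n in hourly.items() if n >= spike_threshold)
    ips_by_user = defaultdict(set)
    bypassed = 0
    for e in events:
        if e["result"] == "ok":
            continue
        ips_by_user[e["user"]].add(e["ip"])
        if e["result"] == "bad_password":
            bypassed += 1  # reached the password check, so the IP block did not stop it
    targeted = sorted(u for u, ips in ips_by_user.items() if len(ips) >= min_distinct_ips)
    return {
        "spike_hours": spikes,
        "targeted_accounts": targeted,
        "bypassed_ip_block": bypassed,
    }


if __name__ == "__main__":
    print(triage(parse(SAMPLE_LOG)))
```

On the constructed data the 03:00 hour on 22 January is the only spike, both `svc-backup` and `old-intern` are being hit from several addresses, and nine of the eleven failures were `bad_password` rather than `blocked_ip`, which is exactly the signal that the IP blocklist alone is not containing the attack.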

How Can We Stop This?

There are several steps that you can take to protect yourself from brute-force attacks and similar threats:

  • Check for Compromised Credentials: Start by determining if the user accounts being targeted have been compromised elsewhere. Websites like Have I Been Pwned allow users to check if their email addresses have been involved in a data breach. If a user’s credentials have been exposed, immediate action should be taken to change the password and review the account's security. These websites should explicitly indicate whether usernames, emails, passwords or other data have been leaked, allowing you to understand the severity of each leak.
  • Implement Multi-Factor Authentication (MFA): Using MFA ensures that even if an attacker manages to guess a password, they will still require a second form of verification (like a code sent to a user's phone or email). This drastically reduces the risk of unauthorised access. Organisations should consider making MFA compulsory rather than optional to ensure all accounts are protected.
  • Set Up Robust Access Rules and Policies: Ensure that your cloud service provider’s rules and policies are configured to respond appropriately to suspicious login attempts. This could include setting a limit on the number of failed login attempts before an account is temporarily disabled or flagged for review.
  • Regularly Review and Clean Up User Accounts: Old, unused accounts are a common entry point for attackers. Regularly review all user accounts and remove those that are no longer in use. This reduces the number of potential entry points for an attacker and simplifies the task of monitoring active accounts.
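The third and fourth points above, a failed-attempt limit and a clean-up of unused accounts, can be expressed as a small, testable policy. The following is an added example written for this article, not code from the client's cloud provider or from Periculo; the thresholds, the sliding window, the lockout duration and the directory snapshot are all assumptions chosen for the demonstration.

```python
"""Added example (not from the original post): a temporary lockout after
repeated failures plus a stale-account report. All thresholds, timestamps
and account records are assumptions."""
from collections import deque
from datetime import datetime, timedelta


class LockoutPolicy:
    """Temporarily disable an account after `max_failures` failed sign-ins
    inside a sliding `window`; a successful sign-in clears the counter."""

    def __init__(self, max_failures=5, window=timedelta(minutes=15),
                 lockout=timedelta(minutes=30)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = {}      # user -> deque of failure timestamps
        self._locked_until = {}  # user -> datetime when the lock expires

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        return until is not None and now < until

    def record_failure(self, user, now):
        """Register a failed attempt; return True if the account is (now) locked."""
        if self.is_locked(user, now):
            return True  # attempts during a lockout are rejected and not counted
        q = self._failures.setdefault(user, deque())
        q.append(now)
        while q and now - q[0] > self.window:  # forget failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[user] = now + self.lockout
            q.clear()
            return True
        return False

    def record_success(self, user):
        """A good sign-in resets the failure count for that account."""
        self._failures.pop(user, None)


def stale_accounts(accounts, now, max_idle_days=90):
    """Names of accounts with no successful sign-in for more than max_idle_days
    (an account that was never used counts as stale)."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(name for name, last in accounts.items()
                  if last is None or last < cutoff)


# Constructed directory snapshot: account -> last successful sign-in (None = never)
ACCOUNTS = {
    "alice": datetime(2025, 1, 20, 9, 0),
    "svc-backup": datetime(2024, 6, 3, 8, 15),
    "old-intern": None,
}


def demo():
    """Replay a constructed burst of failures against one account."""
    policy = LockoutPolicy(max_failures=5, window=timedelta(minutes=15))
    start = datetime(2025, 1, 22, 3, 0, 0)
    locked_at_attempt = None
    for i in range(8):  # one failure every 7 seconds
        now = start + timedelta(seconds=7 * i)
        if policy.record_failure("svc-backup", now) and locked_at_attempt is None:
            locked_at_attempt = i + 1
    return {
        "locked_at_attempt": locked_at_attempt,
        "still_locked_after_10m": policy.is_locked("svc-backup", start + timedelta(minutes=10)),
        "unlocked_after_31m": not policy.is_locked("svc-backup", start + timedelta(minutes=31)),
        "stale": stale_accounts(ACCOUNTS, datetime(2025, 1, 22)),
    }


def spread_out_failures_lock(gap=timedelta(minutes=5)):
    """Failures spaced wider than the window never accumulate, so no lockout."""
    policy = LockoutPolicy(max_failures=3, window=timedelta(minutes=1))
    t0 = datetime(2025, 1, 22, 3, 0, 0)
    return any(policy.record_failure("alice", t0 + gap * i) for i in range(6))


if __name__ == "__main__":
    print(demo())
```

The sliding window matters: a fixed counter that never expires would eventually lock out a legitimate user who mistypes once a week, while a window keeps the control focused on bursts like the one in the incident. The stale-account check is the same logic the clean-up step applies by hand, and running it on a schedule keeps the list of targets small.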

How Did Things Improve for the Client?

After identifying which accounts were being used for the attempted sign-ins, we discovered that they were old, unused accounts. These accounts were subsequently deleted as they were no longer required, prompting a more thorough cleanup and review of all user accounts. This simple action significantly reduced the risk of similar incidents in the future.

A comprehensive review of the cloud service provider’s rules and policies was also conducted. The client introduced a limit on the number of failed login attempts before an account is disabled, providing greater assurance that such an issue would be less likely to occur again.

Finally, daily log checks improved as well. Without hundreds of failed login attempts cluttering the logs, it became easier to spot other anomalies and respond to them more effectively.

How Can You Help Yourself?

While having a managed security provider is invaluable, organisations can take meaningful steps on their own to improve their cybersecurity posture:

  • Regular Security Audits: Conduct regular audits of your systems, networks, and policies to ensure they meet the latest security standards and best practices.
  • Employee Training: Make sure employees are aware of the risks associated with phishing, social engineering, and weak passwords. Regular training sessions can help staff recognise potential threats and take appropriate action.
  • Monitor and Analyse Logs: While this task can be tedious, it is crucial. Regularly monitor and analyse logs to identify patterns that could indicate malicious activity. Automated tools can help in filtering out noise and highlighting significant events.
  • Keep Software Updated: Ensure that all software, including operating systems and third-party applications, is kept up to date with the latest security patches. Vulnerabilities in outdated software are one of the most common entry points for attackers.

What do the regulators say about daily log checks?

Notwithstanding the obvious benefits of keeping your organisation safe from attackers, numerous security standards require you to maintain regular log checks. The requirements come in many forms, but all recommend implementing automated checks that help keep you safe and alert you when an incident occurs.

How Can We Help?

At Periculo, we help organisations like yours enhance their security posture and align with internationally recognised standards. Whether you're seeking to achieve a specific certification like ISO27001, Cyber Essentials, SOC 2 or simply want to strengthen your overall security approach, our expert team can provide tailored solutions to meet your needs. We believe in empowering organisations to take control of their cybersecurity — because when it comes to security, proactive prevention is always better than reactive response.