Use case: Configure protection against credential stuffing and brute force attacks in ForgeRock Identity Cloud

Use case overview

Protecting against credential stuffing and brute force attacks is a common use case that can be achieved using the Autonomous Access service in ForgeRock Identity Cloud.

Credential stuffing attacks typically involve bots that use automated scripts to test every username and password combination in a (stolen) database to try and gain access to a user’s account or website. Brute force attacks involve multiple login attempts using a different password each time to try and break into an account.

In this example use case, we’ll create an Autonomous Access journey that detects non-user specific attacks such as credential stuffing, suspicious IPs and brute force attacks. When the user attempts to log in, the journey is adapted according to the perceived risk. A risk score of high, medium or unknown will result in denied authentication.

Steps to achieve this use case

You’ll need an Identity Cloud tenant with the Autonomous Access add-on service.

Create an attack detection journey

  1. Sign in to the Identity Cloud admin UI using your admin tenant URL, in the format https://<tenant-name>/am/XUI/?realm=/#/.

  2. Go to Journeys > New Journey.

  3. Enter a unique name for the journey, select which identities will authenticate using this journey, (optionally) enter a journey description, and click Save.

  4. Create a journey similar to this:

    Node descriptions:

    • Platform Username - Prompts the user to enter their username. See Platform Username node for further information.

    • Platform Password - Collects the user’s password. See Platform Password node for further information.

    • Identity Existing User - Checks the username against the identity repository. If that fails, this event is reported back to the Autonomous Access data lake as a failed result and the authentication is denied. See Identify Existing User node for further information.

    • Data Store Decision - Verifies that the username and password values match those in the data store configured for the realm. If that fails, this event is reported back to the Autonomous Access data lake as a failed result and the authentication is denied. See Data Store Decision node for further information.

    • Autonomous Access Signal - Allows you to specify the heuristics and/or anomaly detection to be included in risk score generation during the AI/ML pipelines. See Signal node for further information.

      For this use case, we’ll perform checks for Credential Stuffing, Suspicious IP and Brute Force attacks.

    • Anonymous Access Decision - Takes the data sent by the Signal node and lets you direct the flow to actionable paths depending on where the risk score falls within the range of high, medium, low, and unknown scores. See Decision node for more information.

      For this use case, if the risk score is unknown or above the configured low threshold, this event is reported back to the Autonomous Access data lake as a failed result and the authentication is denied.

    • Autonomous Access Result - Provides the final outcome and risk prediction results from the AI/ML analytics.

      For this use case, we have two Autonomous Access Result nodes: one for Success and one for Fail. See Result node for further information.

    • Increment Login Count - Increments the successful login count property of a managed object. See Increment Login Count node for further information.

    • Inner Tree Evaluator - Nest an authentication flow as a child within the journey. See Inner Tree Evaluator node for further information.

  5. Click the Autonomous Access Signal node and clear all the check boxes except:

    • Credential Stuffing - detects if a single IP is trying to access many users over a period of time.
    • Suspicious IP - an IP is deemed suspicious if the IP is making too many authentication attempts over a period of time.
    • Brute Force - detects the frequency of authentication attempts for a user over a period of time. If the frequency is high, then Autonomous Access flags the event as a possible brute force attack.

  6. Click the Autonomous Access Decision node and, if necessary, adjust the risk score definition for risk high, medium, low, and unknown scores.

    uc_aa_decision_node

  7. Click the Inner Tree Evaluator node and select the ProgressiveProfile journey. This will request progressive profile attributes as the user proceeds with login.

  8. Click the Autonomous Access Result node linked to the failure outcome and select FAILURE as the Final Journey Outcome.

    uc_aa_result_failure_node

  9. Click Save to save the Journey.

NOTE: The success or failure of the journey is recorded and fed back into the Autonomous Access AI model.

Conclusion

This simple use case has demonstrated how to easily implement a journey to help protect against credential stuffing attacks and brute force attacks using Autonomous Access. For further information on how Autonomous Access can help with AI-driven threat prevention, see ForgeRock Autonomous Access and the additional resources below.

Additional resources

Documentation:

Other resources:

1 Like