The Battleground: 

A county infrastructure that has the public works offices all interconnected such as the Police Department, Library, Fire Department, etc. 

The Presumption: 

Having rules in place to prevent malicious actors from attempting password spraying/brute-force attack by blocking after a certain number of failed attempts. Only allow SMTP relay from certain IP addresses. 

The Discovery: 

After reviewing logs of an on-site spam filter, we noticed a very large number of failed authentications from external foreign IP addresses. The attempts were coming in very rapidly trying to get an email address to authenticate to gain access to the mailing server. 

The mass number of failed authentications that were attempting to authenticate seemed to be brute-forcing their way into the county’s mail server. The NSOC replicated the same type of log the attackers were trying. Once the log was generated and compared to the attacker’s logs, it was clear that the attackers were trying to brute force their way in with authentication attempts. 

Our Solution: 

Our analyst notified the county’s IT department to inform them of the logs that had been found. The IT department responded back saying a rule was in place to help prevent brute force attacks on the device, but the rule had been disabled. 

Lessons Learned:  

Check devices often to ensure that necessary rules are created and have been enabled. There is always the possibility that someone who may be working on a device forgets to re-enable some rules.