Does your organization monitor authentication attempts to detect credential-based attacks and unauthorized credential reuse?
Explanation
Monitoring authentication attempts helps identify potential brute force attacks, credential stuffing, password spraying, or instances where stolen credentials are being used. This monitoring should include tracking failed login attempts, successful logins from unusual locations or devices, and patterns that might indicate automated attacks.
Evidence could include screenshots of authentication monitoring dashboards, alert configurations from security tools, authentication logs with anomaly detection rules, or documentation of your incident response procedures for credential-based attacks.
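The failed-login tracking described above can be expressed as a small detection rule set. The following is an added example, not part of the original control text; the event layout, alert names, window and thresholds are assumptions to be tuned against your own authentication logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, source IP, account, outcome).
EVENTS = [
    ("2024-05-01T09:00:05", "203.0.113.10", "alice", "fail"),
    ("2024-05-01T09:00:09", "203.0.113.10", "alice", "fail"),
    ("2024-05-01T09:00:14", "203.0.113.10", "alice", "fail"),
    ("2024-05-01T09:00:20", "203.0.113.10", "alice", "fail"),
    ("2024-05-01T09:00:26", "203.0.113.10", "alice", "fail"),
    ("2024-05-01T09:10:00", "198.51.100.7", "bob", "fail"),
    ("2024-05-01T09:11:00", "198.51.100.7", "carol", "fail"),
    ("2024-05-01T09:12:00", "198.51.100.7", "dave", "fail"),
    ("2024-05-01T09:13:00", "198.51.100.7", "erin", "fail"),
    ("2024-05-01T09:14:00", "198.51.100.7", "frank", "success"),
    ("2024-05-01T09:20:00", "192.0.2.20", "gina", "fail"),
    ("2024-05-01T09:20:30", "192.0.2.20", "gina", "success"),
]

WINDOW = timedelta(minutes=10)  # sliding window per source (assumed value)
BRUTE_FAILS = 5      # failures on one account from one source
SPRAY_ACCOUNTS = 4   # distinct accounts failed from one source
REUSE_FAILS = 3      # failures preceding a success from one source

def detect(events, window=WINDOW):
    """Return sorted (alert_type, source_ip, account) tuples."""
    alerts = set()
    fails = defaultdict(list)  # source IP -> [(time, account)] of recent failures
    for ts, ip, user, outcome in sorted(events):
        now = datetime.fromisoformat(ts)
        recent = [(t, u) for t, u in fails[ip] if now - t <= window]
        if outcome == "fail":
            recent.append((now, user))
            if sum(u == user for _, u in recent) >= BRUTE_FAILS:
                alerts.add(("brute_force", ip, user))
            if len({u for _, u in recent}) >= SPRAY_ACCOUNTS:
                alerts.add(("password_spray", ip, "*"))
        elif len(recent) >= REUSE_FAILS:
            # A success right after a failure burst: the credential may be compromised.
            alerts.add(("success_after_failures", ip, user))
        fails[ip] = recent
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

A single mistyped password followed by a success (the `gina` events) stays below every threshold, which keeps ordinary user error out of the alert queue.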
Implementation Example
Monitor authentication attempts to identify attacks against credentials and unauthorized credential reuse
ID: DE.CM-09.286
Context
- Function: DE: DETECT
- Category: DE.CM: Continuous Monitoring
- Sub-Category: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events
Related questions
- Does your organization have a system in place to monitor DNS, BGP, and other critical network services for suspicious or malicious activities?
- Does your organization implement network monitoring controls to detect and alert on unauthorized endpoint connections to both wired and wireless networks?
- Does your organization have a process to regularly monitor facilities for unauthorized or rogue wireless networks?
- Does your organization regularly compare actual network traffic flows against established baselines to detect and investigate deviations?
- Does your organization continuously monitor network communications to detect changes in security postures as part of a zero trust architecture?
- Does your organization monitor physical access control logs for unusual patterns and failed access attempts?

