A security analyst notices repeated failed login attempts against the domain controller from an internal IP address. After account lockout is enabled, accounts keep getting locked out, but the source IP address keeps changing. What is the best next step?
Trap 1: Increase the account lockout threshold
Lockout is already in place and is not stopping the activity. Raising the threshold only gives the attacker more guesses per account before lockout triggers, and it does nothing about an attacker who is rotating source addresses or spreading attempts across many accounts.
Trap 2: Ignore the event as it is likely a false positive
Repeated failed logins against a domain controller from several internal sources is the signature of password spraying or a distributed brute force, not a false positive; an internal source also points to a compromised host or rogue device on the network.
Trap 3: Disable the user account being targeted
The targeted account may belong to a legitimate user or service; disabling it causes a self-inflicted outage and does not stop an attacker who simply moves on to other accounts or keeps hitting the locked one.
- A
Analyze the log events to identify the attack pattern and implement additional controls such as MFA
Why correct: Understanding the attack pattern (which accounts, which source addresses, which logon types and failure codes) allows targeted controls such as MFA for the affected accounts, isolating the internal hosts generating the attempts, or blocking the protocol or path being abused.
- B
Increase the account lockout threshold
Why wrong: Lockout is already in place and is not stopping the activity. Raising the threshold only gives the attacker more guesses per account before lockout triggers, and it does nothing about an attacker who is rotating source addresses or spreading attempts across many accounts.
- C
Ignore the event as it is likely a false positive
Why wrong: Repeated failed logins against a domain controller from several internal sources is the signature of password spraying or a distributed brute force, not a false positive; an internal source also points to a compromised host or rogue device on the network.
- D
Disable the user account being targeted
Why wrong: The targeted account may belong to a legitimate user or service; disabling it causes a self-inflicted outage and does not stop an attacker who simply moves on to other accounts or keeps hitting the locked one.
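The analysis step in option A, worked through as an added example (not code from the original question): pivot the failed-logon events by source address and by target account, so that a single source hitting many accounts (password spraying, which stays under the per-account lockout threshold) is distinguished from many sources hitting one account (distributed brute force, where blocking one IP changes nothing). The event tuples are constructed sample data, the field names follow Security event 4625's EventData, and the two thresholds are assumptions to be tuned per environment.

```python
"""Triage of Windows failed-logon events to tell password spraying from a
distributed brute force against a single account.

Added example for the scenario above; not code from the original page.
The events below are constructed sample data, not a real log export. Field
names follow the EventData of Security event 4625 (TargetUserName,
IpAddress, SubStatus); the thresholds are assumptions to tune per environment.
"""
from collections import Counter, defaultdict

# Constructed sample: (timestamp, TargetUserName, IpAddress, SubStatus).
SAMPLE_EVENTS = [
    ("2024-05-01T08:00:01", "svc-backup", "10.0.5.23", "0xC000006A"),
    ("2024-05-01T08:00:02", "svc-backup", "10.0.5.23", "0xC000006A"),
    ("2024-05-01T08:00:04", "svc-backup", "10.0.5.23", "0xC0000234"),
    ("2024-05-01T08:05:10", "svc-backup", "10.0.5.77", "0xC0000234"),
    ("2024-05-01T08:05:11", "svc-backup", "10.0.5.77", "0xC0000234"),
    ("2024-05-01T08:11:30", "svc-backup", "10.0.9.14", "0xC0000234"),
    ("2024-05-01T08:30:00", "alice", "10.0.12.4", "0xC000006A"),
    ("2024-05-01T09:00:00", "alice", "10.0.7.101", "0xC000006A"),
    ("2024-05-01T09:00:01", "bob", "10.0.7.101", "0xC000006A"),
    ("2024-05-01T09:00:02", "carol", "10.0.7.101", "0xC000006A"),
    ("2024-05-01T09:00:03", "dave", "10.0.7.101", "0xC000006A"),
    ("2024-05-01T09:00:04", "erin", "10.0.7.101", "0xC000006A"),
    ("2024-05-01T09:00:05", "frank", "10.0.7.101", "0xC0000064"),
]

# 4625 SubStatus codes that matter for this triage.
SUB_STATUS_MEANING = {
    "0xC000006A": "wrong password",
    "0xC0000064": "no such user",
    "0xC0000234": "account locked out",
    "0xC0000072": "account disabled",
}


def pivot(events):
    """Return (accounts per source IP, source IPs per account)."""
    users_by_ip = defaultdict(set)
    ips_by_user = defaultdict(set)
    for _ts, user, ip, _sub in events:
        users_by_ip[ip].add(user)
        ips_by_user[user].add(ip)
    return users_by_ip, ips_by_user


def classify(events, spray_threshold=5, distributed_threshold=3):
    """Label the two patterns that defeat a per-account lockout policy.

    password_spray: one source tries many accounts, staying under the
    lockout threshold for each; distributed_bruteforce: many sources
    hit one account, so blocking a single IP does nothing.
    """
    users_by_ip, ips_by_user = pivot(events)
    sprays = {ip: sorted(users) for ip, users in users_by_ip.items()
              if len(users) >= spray_threshold}
    distributed = {user: sorted(ips) for user, ips in ips_by_user.items()
                   if len(ips) >= distributed_threshold}
    return {"password_spray": sprays, "distributed_bruteforce": distributed}


def locked_out_accounts(events):
    """Accounts the attacker kept hitting after lockout already triggered."""
    return {user for _ts, user, _ip, sub in events if sub == "0xC0000234"}


def failure_reasons(events):
    """Tally SubStatus codes; a run of 'no such user' hints at a guessed
    or stale username list rather than a harvested one."""
    counts = Counter(SUB_STATUS_MEANING.get(sub, sub) for *_rest, sub in events)
    return dict(counts)


if __name__ == "__main__":
    result = classify(SAMPLE_EVENTS)
    for ip, users in result["password_spray"].items():
        print(f"password spray from {ip}: {len(users)} accounts -> isolate that host")
    for user, ips in result["distributed_bruteforce"].items():
        print(f"distributed brute force on {user} from {ips} -> require MFA, review the account")
    print("locked out:", sorted(locked_out_accounts(SAMPLE_EVENTS)))
    print("failure reasons:", failure_reasons(SAMPLE_EVENTS))
```

Real input would come from an export such as `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625}` or the SIEM. Two caveats when running this against a domain controller: failed Kerberos pre-authentication is logged as event 4771 and NTLM validation failures as 4776 rather than 4625, so the same grouping should be run over those events too, and the lockout itself (event 4740, recorded on the PDC emulator) carries the caller computer name, which is often the fastest way to find the internal host doing the guessing.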