Attacks do not always start with malware or flashy exploits. Sometimes, all it takes is a single weak password. This is what happened one morning, when our 24/7 Security Operations Center (SOC) detected a subtle intrusion attempt via an SSLVPN connection.
There were no endpoint alerts or a flashy ransomware note. We were dealing with a quietly compromised user account that gave an attacker direct access to a customer’s internal Windows domain.
Thanks to layered security monitoring and rapid human-led response, we stopped this attack before it could escalate. In this case, the key to our success was identity-based detection. Read on to find out what we did.
Image 1. Our actions in minutes
How Brute Force Attacks Exploit Remote Access via SSLVPN
Many companies rely on SSLVPNs (like Ivanti or WatchGuard) to support hybrid work and provide remote access for employees. But these systems can become low-hanging fruit when misconfigured or protected only by passwords. Attackers know this and are scanning the internet for exposed login portals and brute-forceable accounts. These online attacks often involve brute force tools that automate repeated login attempts against exposed systems.
The Eye Security MDR Research Unit warns of a sustained rise in credential-based attacks and abuse of remote access solutions. These go beyond opportunistic scans: some are part of targeted campaigns, at times backed by ransomware gangs or initial access brokers. The findings are consistent with recent reporting by CISA and CrowdStrike.
Early warning signs: this is what our SOC detected first
Our story begins with a single suspicious SSLVPN session. While standard Endpoint Detection and Response (EDR) systems did not trigger alerts, the Eye Security SOC detected unusual activity. Once inside the network, the user started probing the internal network, launching LDAP and SMB reconnaissance from two machines with suspicious names: kali and DESKTOP-XXXXXX. For the SOC analysts, this was a red flag.
These hostnames are typical of penetration testing toolkits. Worse still, real-world attackers copy the same naming conventions to blend in with legitimate testing, so they cannot simply be dismissed as a pentest. Reconnaissance using LDAP and SMB is a classic step in lateral movement.
At this point, we had an adversary actively exploring the network but no endpoint alerts. This is where identity-based detection stepped in.
Identity monitoring helped us stop the breach in real time
Because we had deployed CrowdStrike’s on-prem Identity Protection module across the client’s Windows domain, our SOC had deeper visibility into authentication behaviour than what typical EDR systems can offer.
The identity telemetry allowed us to detect anomalies in user account behaviour, including unusual login times, login paths, and attempts to access systems that the account had never touched before. All signs pointed to an account takeover via brute force.
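To make the identity signals described above concrete, here is an added example (not Eye Security's, CrowdStrike's or any other product's code) that scores authentication events against a per-user baseline of usual login hours, source hosts and target systems, and raises a separate finding when one account fans out to several previously untouched systems over LDAP or SMB. The event fields, the hostname pattern and the thresholds are assumptions, and the sample events are constructed rather than taken from the incident.

```python
"""Identity-based anomaly scoring over authentication events.

Added example (not Eye Security's, CrowdStrike's or any other product's
code). The event fields, the baseline rules and the thresholds are
assumptions; in practice the events would come from domain-controller
telemetry or an identity-protection product.
"""
import re
from collections import defaultdict
from datetime import datetime

# Source hostnames that mirror penetration-testing tool defaults, as
# seen in the incident (assumed pattern). A strong signal, not proof:
# red teams and real attackers both use them.
SUSPICIOUS_HOST = re.compile(r"^(kali|DESKTOP-[A-Z0-9]{6,7})$", re.IGNORECASE)

# Fan-out threshold (assumed): this many previously untouched systems
# reached by one account in the analysed window looks like recon.
FANOUT_THRESHOLD = 3

EMPTY = {"hours": set(), "sources": set(), "targets": set()}


def _hour(event):
    return datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S").hour


def build_baseline(history):
    """Per-user sets of usual login hours, source hosts and target systems."""
    baseline = defaultdict(lambda: {"hours": set(), "sources": set(), "targets": set()})
    for e in history:
        b = baseline[e["user"]]
        b["hours"].add(_hour(e))
        b["sources"].add(e["src_host"])
        b["targets"].add(e["target"])
    return dict(baseline)


def score_event(event, baseline):
    """Return the list of reasons an event deviates from the user's baseline."""
    b = baseline.get(event["user"], EMPTY)
    reasons = []
    if _hour(event) not in b["hours"]:
        reasons.append("login outside the account's usual hours")
    if event["src_host"] not in b["sources"]:
        reasons.append("new source host %s" % event["src_host"])
    if SUSPICIOUS_HOST.match(event["src_host"]):
        reasons.append("source hostname matches pentest-tool default")
    if event["target"] not in b["targets"]:
        reasons.append("first access to %s over %s" % (event["target"], event["proto"]))
    return reasons


def detect(events, baseline):
    """Score each event and add a per-user fan-out finding for recon-like spread."""
    findings = []
    new_targets = defaultdict(set)
    for e in events:
        reasons = score_event(e, baseline)
        if reasons:
            findings.append({"user": e["user"], "time": e["time"], "reasons": reasons})
        if e["target"] not in baseline.get(e["user"], EMPTY)["targets"]:
            new_targets[e["user"]].add(e["target"])
    for user, targets in new_targets.items():
        if len(targets) >= FANOUT_THRESHOLD:
            findings.append({"user": user, "time": None,
                             "reasons": ["reached %d previously untouched systems: %s"
                                         % (len(targets), ", ".join(sorted(targets)))]})
    return findings


# Constructed sample data (not from the incident): a few days of normal
# activity for one account, then the window under investigation.
HISTORY = [
    {"user": "j.doe", "time": "2024-05-06 08:41:10", "src_host": "LAPTOP-JDOE", "target": "FS01", "proto": "SMB"},
    {"user": "j.doe", "time": "2024-05-06 09:02:33", "src_host": "LAPTOP-JDOE", "target": "MAIL01", "proto": "HTTPS"},
    {"user": "j.doe", "time": "2024-05-07 17:15:04", "src_host": "LAPTOP-JDOE", "target": "FS01", "proto": "SMB"},
]
NEW_EVENTS = [
    {"user": "j.doe", "time": "2024-05-08 09:30:00", "src_host": "LAPTOP-JDOE", "target": "FS01", "proto": "SMB"},
    {"user": "j.doe", "time": "2024-05-08 03:12:41", "src_host": "kali", "target": "DC01", "proto": "LDAP"},
    {"user": "j.doe", "time": "2024-05-08 03:13:05", "src_host": "kali", "target": "FS02", "proto": "SMB"},
    {"user": "j.doe", "time": "2024-05-08 03:14:22", "src_host": "DESKTOP-A1B2C3D", "target": "HR01", "proto": "SMB"},
]

if __name__ == "__main__":
    for f in detect(NEW_EVENTS, build_baseline(HISTORY)):
        print(f["user"], f["time"], "; ".join(f["reasons"]))
```

The routine business-hours login from the user's own laptop produces no reasons, while each night-time event from the suspicious hosts is flagged on several counts at once, and the three new targets together trip the fan-out finding. In a real deployment the baseline would be built from weeks of telemetry and the thresholds tuned per environment; the point is that none of these signals requires malware on an endpoint.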
We confirmed that the attacker had not yet executed malware, encrypted files, or accessed sensitive data. The attacker was still in the “reconnaissance” phase, trying to understand the network layout, user permissions, and potentially elevate privileges. This window gave us an opportunity to act.
What we did next: blocking access and halting spread
Within minutes of the detection, our SOC analysts got busy, performing the following containment and mitigation steps:
- Disabled the compromised VPN user account
- Reviewed authentication logs to rule out other accounts in use
- Alerted the customer’s IT team and provided them with step-by-step mitigation instructions
- Blocked the originating IPs and devices from future access
- Helped initiate a password rotation and multi-factor authentication (MFA) rollout
Thanks to early detection and fast coordination, we stopped the attacker before any real damage could occur. Without that identity visibility, this attacker would have remained undetected, possibly for days.
Why did the brute-force attack succeed? What were the key weaknesses?
Let’s break down the key weaknesses the attacker exploited:
Lack of MFA on SSLVPN accounts
Without multi-factor authentication, brute-force attacks become very likely.
Default or weak passwords
Attackers often try common combinations (e.g. company name + 2024). Simple brute-force methods guess common and short passwords quickly; a six-character password, for example, is especially vulnerable.
Insufficient visibility into authentication activity
Most traditional tools focus on malware, not login anomalies or lateral movement. This gap gives attackers room to maneuver unnoticed.
The bigger picture: why you need multi-layered security for remote access protection
This incident shows why cybersecurity requires more than just endpoint protection or network firewalls. Companies should be able to see the full picture: who is logging in, when, where from, and what they are doing once inside.
This is what made the difference in this case:
- 24/7 vigilance. Eye Security’s always-on SOC detected subtle signs of compromise that automation alone would have missed.
- Identity-aware detection. Visibility into user behaviour allowed us to catch lateral movement early.
- Swift response. By disabling the account immediately, we cut off attacker access before they could elevate privileges or deploy tools.
- Proactive partnership. Our team worked hand-in-hand with the client’s IT staff to secure the environment and avoid business impact.
Security recommendations and best practices: how can you prevent brute-force attacks?
Whether you are in manufacturing, logistics, retail, or healthcare, if your employees rely on remote access, you are a potential target. Your employees may have multiple passwords and may reuse them across other websites, which increases the risk of credential-based attacks.
Here are six simple steps to reduce your risk:
1. Enforce MFA
Enable multi-factor authentication for all remote access points, especially VPNs.
2. Introduce a password manager
It helps generate and store long, complex passwords, including passphrases made up of multiple words.
3. Monitor identity signals
Add visibility into user authentication, both in the cloud and on-prem, so you can detect abnormal behaviour early.
4. Limit lateral movement
Segment networks and limit which systems can be accessed via remote accounts. Do not let one breach become a full compromise.
5. Harden VPN configurations
Disable unused accounts, enforce strong password policies, and monitor logs for brute-force attempts.
6. Invest in 24/7 monitoring
Attackers operate around the clock. Your defences should too. Human-led SOC monitoring catches what automation alone cannot.
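Step 5 above asks you to monitor logs for brute-force attempts. As an added example (not Eye Security's code, and not the log format of any named VPN product), the script below reads authentication log lines in a constructed syslog-like format, keeps a sliding window of failures per source IP, and raises three kinds of alert: a burst of failures against one account, a spray of failures across several accounts, and, the case this post describes, a success that follows a burst. The line format and the thresholds are assumptions to adapt to your own VPN's logs.

```python
"""Brute-force and password-spray detection over VPN authentication logs.

Added example, not Eye Security's code and not the log format of any
named VPN product: the line format is constructed and the thresholds
are assumptions to tune per environment.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format, e.g.
#   2024-05-08 03:00:10 vpn auth failure user=j.doe src=203.0.113.45
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) vpn auth "
    r"(?P<result>success|failure) user=(?P<user>\S+) src=(?P<ip>\S+)$"
)

WINDOW = timedelta(minutes=10)   # assumed: look-back window for failures
FAIL_THRESHOLD = 5               # assumed: failures per source IP in window
SPRAY_USERS = 3                  # assumed: distinct users failing from one IP


def parse(line):
    """Parse one log line; unknown formats are skipped rather than crashing the pipeline."""
    m = LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
    return d


def detect(lines):
    """Return (time, kind, ip, detail) alerts for bursts, sprays and success-after-burst."""
    fails = defaultdict(deque)   # ip -> deque of (ts, user) failures inside WINDOW
    alerted_burst = set()        # one burst alert per IP, to avoid flooding the SOC
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        q = fails[ev["ip"]]
        while q and ev["ts"] - q[0][0] > WINDOW:   # drop failures older than WINDOW
            q.popleft()
        if ev["result"] == "failure":
            q.append((ev["ts"], ev["user"]))
            users = {u for _, u in q}
            if len(q) >= FAIL_THRESHOLD and ev["ip"] not in alerted_burst:
                alerted_burst.add(ev["ip"])
                kind = "password spray" if len(users) >= SPRAY_USERS else "brute force"
                alerts.append((ev["ts"], kind, ev["ip"],
                               "%d failures, %d users" % (len(q), len(users))))
        elif len(q) >= FAIL_THRESHOLD:
            # The weak-password case: a guess landed after a burst of failures.
            alerts.append((ev["ts"], "success after burst", ev["ip"], "user %s" % ev["user"]))
    return alerts


# Constructed sample log (not from the incident), including one malformed line.
LOG = """\
2024-05-08 02:50:01 vpn auth success user=a.smith src=198.51.100.7
2024-05-08 03:00:10 vpn auth failure user=j.doe src=203.0.113.45
2024-05-08 03:00:14 vpn auth failure user=j.doe src=203.0.113.45
2024-05-08 03:00:19 vpn auth failure user=j.doe src=203.0.113.45
2024-05-08 03:00:23 vpn auth failure user=j.doe src=203.0.113.45
2024-05-08 03:00:28 vpn auth failure user=j.doe src=203.0.113.45
2024-05-08 03:00:33 vpn auth failure user=j.doe src=203.0.113.45
2024-05-08 03:00:40 vpn auth success user=j.doe src=203.0.113.45
2024-05-08 03:05:00 garbage line that should be skipped
2024-05-08 03:30:00 vpn auth failure user=a.smith src=203.0.113.46
2024-05-08 03:30:05 vpn auth failure user=b.jones src=203.0.113.46
2024-05-08 03:30:10 vpn auth failure user=c.wong src=203.0.113.46
2024-05-08 03:30:15 vpn auth failure user=d.ali src=203.0.113.46
2024-05-08 03:30:20 vpn auth failure user=e.kim src=203.0.113.46
""".splitlines()

if __name__ == "__main__":
    for ts, kind, ip, detail in detect(LOG):
        print(ts, kind, ip, detail)
```

The "success after burst" alert is the one worth paging on: it is the moment a guessed password turns a noisy attempt into a live session, and it is exactly what MFA on the VPN would have prevented. A spray alert (few failures per account, many accounts per source) is easy to miss with per-account lockout policies alone, which is why the detector keys on the source IP rather than the user.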
A final word: full cyber confidence with real-time, expert-driven defence
Cyberattacks do not always start with malware or exploits. Sometimes, all it takes is a single overlooked detail such as a VPN account without MFA, a password guessed by a botnet, or an alert that goes unseen over the weekend. This is why every layer matters. The best protection comes from real-time visibility, expert guidance, and swift action.
At Eye Security, we go beyond detection and response. We provide partnership. Our expert-driven cybersecurity service works hand in hand with integrated cyber insurance to keep your business resilient, technically and financially.