While the growing complexity and sophistication of cyber attacks is a very real and dangerous threat to organizations, requiring advanced security defences, cyber attacks that use simple (and sometimes even outdated) methods still prove useful to attackers.
Some old and nearly forgotten types of cyber attacks are re-entering the cyber landscape. A recent report indicates a 400% increase in brute force attacks on remote desktop protocols (RDPs) following the worldwide increase in remote workers. And while brute force attacks are a familiar topic and the epitome of “old school”, they are still effective and popular with cyber criminals.
That’s why we’re taking a deep dive into this type of attack, one that’s making a big comeback. We’ll define, explore and share how to protect against brute force attacks—so you don’t have to fall victim to an attacker’s “simple solution”.
What are brute force attacks?
“Brute force attack” refers to a method used to obtain private information such as usernames, passwords, passphrases, and similar. By repeatedly submitting different combinations of credentials, attackers can ultimately guess them correctly, and gain access to the data those credentials protect. Brute force attacks are often referred to as “brute force cracking” as well, as they fundamentally use brute force—in this case, computational power—to try and crack something—in this case, the credentials that guard sensitive data (or any data valuable to attackers). Common targets for brute force attacks are cracking passwords and encryption keys as well as API keys and SSH logins.
To imagine this scenario outside of the cyber realm and in the real world, try picturing a brute force attack like a thief trying to break into a safe by attempting every possible combination of numbers. That just wouldn’t be effective if done manually, on the spot.
More often than not, attackers carry out brute force attacks using an automated tool, script or bot to run through every possible combination of information needed until they can guess the one that grants them access. For example, by using a list of commonly used credentials, and even real user credentials obtained through security breaches and data leaks from breaches on the dark web, bots can systematically attack the target and do the attackers’ work for them.
The success of a brute force attack is measured in the time it takes to successfully crack a password/credential, which can be anywhere from a few seconds to a few years. Modern computers and technology allow attackers to crack an 8-character alphanumeric password in a few hours, and weak encryption in a few months which isn’t that rare to see in cases of advanced persistent threats.
As password length increases, the time it takes to brute force it increases as well. The same goes for the encryption key: a key with 128-bit encryption will have 2128 combinations and 256-bit encryption will have 2256 combinations. Even with current technology, that amount of combinations for 256-bit encryption would take attackers several years to guess them all.
Stay in the loop with the best infosec news, tips and tools
Follow us on Twitter to receive updates!Follow @SecurityTrails
How brute force attacks are used
While not the most sophisticated of cyber attacks, brute force attacks are both reliable and simple to perform, as all attackers have to do is to let their machines do the work. Given the frequent lack of protection and mitigation strategy on the target’s end, this often proves quite effective. But even the simplest of defences, such as a long and complex password, can make for a timely process and could deter attackers.
When targets employ such seemingly basic strategies for protection, they increase the difficulty with which attackers might succeed in gaining unauthorized access. In fact, the time it takes to brute force a system and gain access is a valuable metric that security teams can use to test their network and system security.
The goal of a brute force attack can be anything including the theft of personal information that can be used to access accounts and different resources, credential harvesting for sale to third parties or on the dark web, identity theft to commit fraud, misappropriation of goods, launching of further attacks, redirection of domains to websites containing malware, and much, much more.
Brute force attacks are usually part of a bigger cyber attack, serving as the first step when attempting to breach a system and gain unauthorized access to sensitive data. And when it comes to the cyber attack life cycle, brute force attacks are usually used in the initial reconnaissance phase—to carry out a cyber attack cyber criminals need entry points to their targets and brute force attacks are a perfect hands-off solution to obtain those entry points.
Attackers use automated brute force attacks and run them parallel while trying to crack credentials, and even after gaining access to a network they can run further brute force attacks to perform privilege escalation.
Types of brute force attacks
While brute force attacks boil down to inputting every possible combination of desired information until access is granted, there are different methods in which cybercriminals can carry out these attacks. We’ve already mentioned some common examples but there are others, both simple and advanced.
The most basic, and somewhat outdated, type of brute force attack is the dictionary attack. Using this method, an attacker starts with assumptions of common passwords and builds a dictionary of possible passwords (some of the most popular and still widely used passwords are “password1234”, “123456” and “admin”). They then go through their dictionary and input each entry until hitting on the correct password. Dictionary attacks are often used against multiple targets, requiring a large number of attempts due to their simplicity and frequent lack of effectiveness against more advanced targets.
In credential stuffing, already breached and known username and password pairs are used in the attempt to gain access to multiple services, applications and sites. This type of attack exploits the fact that many users reuse passwords across different accounts.
Simple brute force attacks
Trying every possible combination must yield results at least once, right? That’s the logic in place here: a simple brute force attacks can use different methods, such as inputting all possible passwords one at a time and using a systematic approach to guess them, without any outside logic. This type of brute force attack is commonly used to gain access to local files, as there’s no limit to the number of attempts possible.
Hybrid brute force attacks
Hybrid brute force attacks can be seen as the combination of dictionary and simple brute force attacks. Starting with a predetermined list of passwords (such as in the dictionary attack), hybrid brute attacks use external logic to determine which password will be the most likely to succeed (instead of inputting every password). Password variations can include adding numbers or changing letter cases, providing more possibilities to enter.
Reverse brute force attacks
A reverse brute force attacks involves using a small number of common passwords and repeatedly testing them against multiple accounts. What’s “reverse’’ in this type of attack is the fact that it doesn’t try to guess a password, but rather uses generic passwords and brute forces the username. This type of brute force attack is usually used to carry out more targeted attacks against a particular network.
Rainbow table attacks
Rainbow table attacks differ from other types of brute force attacks as they don’t target passwords, but hash functions that are used to encrypt credentials. Once a user enters a password, it is converted to a hash value. Then, if the hash value of that password matches the stored hash value, the user is authenticated and can log in. Attackers have found a way to exploit this process—by using a precomputed dictionary of plaintext passwords and their hash values, or “rainbow table”, attackers can determine passwords by reversing the hashing function.
Well-known cases of brute force attacks
Brute force attacks are widespread and frequent; it’s safe to say that almost every organization, almost every individual even, has experienced at least one such attempt. However, there have been a few notable cases throughout the years, with targeted organizations suffering massive losses.
Here are a few well-known cases of brute force attacks:
In 2013, GitHub was the victim of a successful brute force attack which compromised several of their accounts. Cybercriminals executed brute force login attempts from 40,000 unique IP addresses, in order to access several accounts using weak passwords. It remains unclear how many accounts were actually affected, and GitHub is taking steps to ban weak passwords in the aftermath of this brute force attack.
In 2018, Firefox’s “master password” protection was discovered to be using a weak mechanism dependent on the deprecated SHA-1 hashing algorithm. The algorithm was meant to protect access to users’ stored passwords, but was easily cracked with a brute force attack. This bug remained unfixed for nine years, with Firefox finally deploying a fix in 2019 to resolve the issue.
In 2015, Alibaba’s popular e-commerce platform Taobao was affected by a large-scale brute force attack, with about 21 million accounts affected in the breach. A database containing 99 million usernames and passwords was used to brute force Taobao accounts; one in five of those attempts was successful due to the bad practice of users reusing passwords.
Northern Irish Parliament
2018 saw another notable brute force attack. In March, Stormont, the email service at the Northern Ireland Parliament, was hit with a brute force attack that allowed attackers access to the email accounts of several Parliament members.
How to spot a brute force attack
During the initial phases of a cyber attack, detecting brute force attacks as they happen, and before they’re successful, can mean the difference between suffering a hazardous data breach and getting out unscathed. There are key indicators of attack to watch out for that can tell you if your site is under a brute force attack, and most of them are concerned with monitoring login activity.
If your network administrators notice many repeated failed logins coming from the same IP address, the same IP address used to access multiple usernames, or different IP addresses attempting to access the same username, that can mean a brute force attack is taking place. Furthermore, an unusual pattern of failed login attempts, such as a sequential alphabetical or numerical pattern, multiple logins at odd hours or even a successful login event that was followed by the use of an untypical amount of bandwidth, can indicate not only that a brute force attack is occurring, but that attackers might have already breached the network and are exfiltrating data.
How to protect against brute force attacks
While brute force attacks might be simple and sometimes ineffective, it’s still a risk not to take them seriously. They rely on two very common and very bad cybersecurity habits—weak passwords and inefficient network administration. Fortunately, there are many easy-to-implement protection methods and techniques that will cost attackers more time and resources to carry out a successful brute force attack—making your organization a less attractive target.
Here are some of the best practices and protection measures against brute force attacks available:
Enforce strong password policies
A strong password policy, and strong passwords themselves, form the first line of defense in protecting confidential information. A password policy is a set of rules used to improve the security of a system by motivating users to create and maintain secure passwords and store them properly. The first part of this means using a strong password mandated for every account on a network. Criteria for strong passwords include:
- At least 8 characters
- Not containing any personal information, especially a real name, username or company name
- Passwords must be different across all accounts
- No repetition of previously used passwords
- Avoiding the complete spelling of any words
- No numbers following a numerical sequence (such as “1234…”)
- A combination of uppercase letters, lowercase letters, numbers and special characters
Also critical to strong password policy is enforcing rules about how often passwords need to be changed, and notifying users when that time comes. A good password policy will also be communicated to all users and explored with security awareness training.
Use a password manager
With all of the criteria that goes into having secure and complex passwords in mind, and knowing that a strong password policy requires having all different passwords for all accounts, remembering and storing all of them can be a hassle. This is why using a password manager is a great way to enforce and maintain a secure password policy that will be easy to implement for all users on a network.
Not only are password managers useful for storing and automatically filling out complex passwords, they can also help create more secure passwords and provide notification regarding any unsafe credential practices. To learn more about some of the best solutions out there, refer to our list of top 5 secure password managers.
As even complex passwords don’t guarantee safety from brute force attacks, adding an additional layer of security to all of the accounts on your network is crucial. And for this purpose we have MFA, or multi-factor authentication.
Multi-factor authentication considers the use of two or more methods of authentication in order to access an account. Those authentication factors are: knowledge (something only the user knows, such as a password, username, the answer to a security question, etc.), possession (something a user possesses, such as a one-time SMS password or security token), inherence (something a user “is”, as in biometrics), and finally, location.
The use of MFA is often cited as the first and possibly most important step in creating barriers that will keep attackers from gaining unauthorized access to accounts. It’s absolutely crucial for protecting against brute force attacks; even if attackers can guess a user’s password, they’ll be faced with yet another layer of protection to break through.
Limit login attempts
As indicators of brute force attacks, login activity and attempts are among the clearest, and improving the monitoring and rules around login activity is an important protection method against brute force attacks. A surefire method of prevention is to lock out users from logging into their accounts after a set number of attempts, and unlocking them after a period of time or manually, by an administrator. Another method is to implement time delays between login attempts, as some brute force attacks are based on a large number of attempts in a short amount of time.
The CAPTCHA system is commonly used on many websites and services, to verify whether a user is human and to stop active brute force attacks as they occur. Tools like these, with the most famous being reCAPTCHA, require users to complete a task that’s simple for a human, but not for a brute force tool. Such a task might be having to identify images containing a certain element, or a pattern of letters and numbers, in order to complete a successful login.
Never underestimate the power of a simple cyber attack method in the hands of malicious actors. When we see that even large organizations with advanced security defenses fall victim to seemingly simple brute force attacks, who’s to say that we won’t?
Fortunately, simple attacks like brute force attacks require simple solutions: basic and fundamental practices that maintain a strong general security posture go far in defending against these types of attacks.