What is a Brute Force Attack?
Cybercriminals are always looking for ways to break into IT systems. Methods used to do this include social engineering techniques like phishing to get access to login credentials. Another method that is still in use is to try to guess the login name and password for a system. Surprisingly, 5% of all data breaches investigated in 2019 came down to attackers guessing the login details.
The primary way that attackers guess login details is to use scripts that try millions of combinations until one works. This is known as a brute force attack, so called because the method is simple and takes a direct approach to breaching the defenses.
Brute force attacks often also involve a period of reconnaissance to find out as much as possible about the people in the organization being attacked, so that the easy-to-remember passwords those people are likely to use can be tried first. Common username and password combinations are stored in lists and tried before more esoteric and random ones. Brute force attackers also frequently employ botnets of malware-infected computers so that the password guess attempts can be spread across multiple devices, increasing the available processing power and reducing the time required to try every combination for a given password length.
Brute force attack methods are also used to find addressable URLs on the Internet. Not all URLs are public or indexed by search engines. Cybercriminals can try to guess URLs for hidden websites on a domain name and then try other attack methods to compromise them.
Types of Brute Force Attacks
The basic form of a brute force attack is to try every possible combination until the correct one is found. Within this basic approach, multiple methods have emerged.
- Exhaustive key search - current computers are so fast that they can cycle through every possible combination of an eight-character password in about two hours. They can also compute and try every possible hash for a weak encryption key in a few months.
- Dictionary attack - a list of common passwords and login names is used to target systems. All the possible combinations are tried.
- Credential recycling attack - a type of dictionary attack in which the dictionary is compiled from previous breaches in other organizations. People tend to reuse the same common passwords when they have to remember them.
- Reverse brute force attack - starts with the premise that many people will use a simple password like ‘Passw0rd123’ and then tries to find the account names that have that as their password.
Brute Force Attack Tools
Unfortunately, wannabe attackers do not have to be skilled in scripting to use brute force attack methods. Cybercriminals have developed tools and made them available so that anyone can use them.
Protecting against Brute Force Attacks
Brute force attacks take time, and the login attempts are visible to network monitoring tools. Taking some simple precautions with the login procedures and credential rules can mitigate the risk from brute force attacks. Not all organizations have taken them, as evidenced by the 5% success rate in 2019.
To protect against brute force attacks:
- Increase password length & complexity - enforce long and complex passwords. These long and complex passwords should be impossible to remember. To stop users from writing them down, or storing them in a plain text file to copy and paste, deploy an encrypted password management tool that works across all computers and mobile devices. Use this tool to generate, store securely, and enter all passwords. Make sure that the one memorable password that each user needs to access the password tool is also strong and changed frequently.
- Limit login attempts - accounts should be set to limit the number of login attempts in a given period. Lock accounts after a specific number of failed login attempts. Look for patterns in these account locks to see if there is evidence of a brute force attack in progress.
- Implement Captcha - use Captcha or equivalent to verify that login attempts are coming from humans and not a bot. LoadMaster has support for Captcha.
- Implement multi-factor authentication - require users who successfully enter a correct login and password combination to supply some other form of identifying information, such as a PIN that is randomly generated and time-limited. LoadMaster has support for multi-factor authentication solutions from several vendors.
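The "limit login attempts" and "look for patterns in these account locks" advice above can be turned into concrete detection logic. The script below is an added example, not code from the original page or from LoadMaster: it assumes a simple constructed log format (timestamp, OK/FAIL, user, source IP) and runs three checks over constructed sample lines. A sliding-window failure counter per account mirrors a lockout policy; a "one source, many accounts" check catches the reverse brute force and credential recycling patterns; a "one account, many sources" check catches guessing distributed over a botnet. The log format, thresholds and sample IPs (RFC 5737 documentation ranges) are all assumptions for this example.

```python
"""Detect brute-force login patterns in authentication logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format, constructed for this example (not any real product's):
#   <ISO timestamp> <OK|FAIL> user=<account> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log lines; IPs are from documentation ranges, no real hosts.
SAMPLE_LOG = """\
2024-03-01T10:00:01 FAIL user=alice src=203.0.113.5
2024-03-01T10:00:02 FAIL user=alice src=203.0.113.5
2024-03-01T10:00:03 FAIL user=alice src=203.0.113.5
2024-03-01T10:00:04 FAIL user=alice src=203.0.113.5
2024-03-01T10:00:05 FAIL user=alice src=203.0.113.5
2024-03-01T10:00:06 FAIL user=alice src=203.0.113.5
2024-03-01T10:00:10 FAIL user=bob src=198.51.100.7
2024-03-01T10:00:11 FAIL user=carol src=198.51.100.7
2024-03-01T10:00:12 FAIL user=dave src=198.51.100.7
2024-03-01T10:00:13 FAIL user=erin src=198.51.100.7
2024-03-01T10:00:14 FAIL user=frank src=198.51.100.7
2024-03-01T10:00:20 FAIL user=admin src=192.0.2.10
2024-03-01T10:00:21 FAIL user=admin src=192.0.2.11
2024-03-01T10:00:22 FAIL user=admin src=192.0.2.12
2024-03-01T10:00:23 FAIL user=admin src=192.0.2.13
2024-03-01T10:00:40 FAIL user=grace src=203.0.113.99
2024-03-01T10:01:00 OK user=grace src=203.0.113.99
2024-03-01T11:00:00 FAIL user=alice src=203.0.113.5
"""


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_lockouts(events, max_failures=5, window=timedelta(minutes=5)):
    """Sliding-window failure counter per account, mirroring a lockout policy.
    Returns {account: [time of each lockout trigger]}. A successful login
    resets the account's counter; a lockout starts a fresh count."""
    recent = defaultdict(deque)
    lockouts = defaultdict(list)
    for ev in events:
        q = recent[ev["user"]]
        if ev["result"] != "FAIL":
            q.clear()
            continue
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= max_failures:
            lockouts[ev["user"]].append(ev["ts"])
            q.clear()
    return dict(lockouts)


def _windowed_distinct(events, key, value, min_distinct, window):
    """For each `key` value (e.g. a source IP), flag it if some `window`-long span
    of its failures touches at least `min_distinct` different `value`s (e.g. users).
    Returns {key: sorted list of the distinct values seen in the flagged span}."""
    groups = defaultdict(list)
    for ev in events:
        if ev["result"] == "FAIL":
            groups[ev[key]].append(ev)
    flagged = {}
    for k, evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            seen = {e[value] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(seen) >= min_distinct:
                flagged[k] = sorted(seen)
                break
    return flagged


def detect_spray(events, min_accounts=3, window=timedelta(minutes=5)):
    """One source failing against many accounts: reverse brute force / recycling."""
    return _windowed_distinct(events, "src", "user", min_accounts, window)


def detect_distributed(events, min_sources=3, window=timedelta(minutes=5)):
    """One account attacked from many sources: botnet-distributed guessing."""
    return _windowed_distinct(events, "user", "src", min_sources, window)


def analyze(log_text):
    """Run all three checks over raw log text and return their findings."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return {
        "lockouts": detect_lockouts(events),
        "spray": detect_spray(events),
        "distributed": detect_distributed(events),
    }


if __name__ == "__main__":
    for name, finding in analyze(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

On the sample, alice is locked once at 10:00:05 (the later failure at 11:00 falls outside the five-minute window and does not trigger again), 198.51.100.7 is flagged for spraying five accounts, and admin is flagged as targeted from four sources. The thresholds and window are the policy knobs the list above talks about; in a real deployment they would be tuned to the organization's normal failure rate so that a single mistyped password never locks anyone out.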