A brute force attack is a cyber-attack in which the attacker tries to break into user accounts by guessing username and password combinations, either by working through every possible combination, by drawing on a dictionary of likely values, or through related techniques, bombarding the login interface with attempts until a match is found. This article explains what brute force attacks are, their types, and prevention measures.
What Is a Brute Force Attack?
A brute force attack is a method of gaining unauthorized access to a system by guessing usernames and passwords. It needs no vulnerability in the target beyond weak or reused credentials and a login endpoint that accepts unlimited guesses, which is why such a simple technique still succeeds so often.
Attackers use scripts and purpose-built tools to automate the guessing. To get past authentication, such tools submit a large number of password variations. In some cases attackers instead try to guess a valid session identifier for a web application, which takes over an already authenticated session without needing the password at all. The objective may be to steal data, plant malware on a website, or disrupt its operation.
While some attackers still run brute force attempts by hand, bots now perform practically all of them. Attackers have ready access to lists of commonly used passwords and to genuine credentials obtained through breaches or bought on the dark web. Their bots work through these credential pools against targets in an organized manner and alert the operator when a login succeeds.
Simple brute force attacks use automated tools to try every possible combination until the correct input is found. This is an old but still effective method, particularly against default or unchanged credentials. How long it takes depends on the size of the search space: a short or weak password can fall in seconds, whereas a long, complex one can take hours, days, or far longer to crack. By requiring long passwords, organizations extend the time an attack needs, giving themselves more opportunity to detect and respond.
Why are brute force attacks common?
Brute force is most common in the early phases of the cyber kill chain, such as reconnaissance and initial access. Attackers need a foothold, and brute force tooling is a "set it and leave it" way to get one. After gaining access, attackers can apply the same guessing techniques internally to escalate privileges or to attack weaker authentication mechanisms they find on the network.
Attackers also use brute force to find hidden web content: pages or directories that exist on a server but are not linked from anywhere. A forced-browsing attack tries many candidate paths, keeps the ones that return a valid page, and then looks for one that can be exploited, such as an administration panel or a forgotten backup file. (The 2017 Equifax breach is sometimes cited here, but it resulted from an unpatched Apache Struts vulnerability rather than credential guessing.)
Because a brute force attack requires little sophistication, attackers can automate many of them to run in parallel, improving their odds of a favorable outcome.
Types of Brute Force Attacks
A brute force attack can use any of several tactics to uncover credentials or other confidential information. The following are the common techniques used against a target:
1. Simple (traditional) brute force attack
In a simple brute force attack, the attacker takes a small set of target accounts and guesses passwords against each one, attempt after attempt, until something matches.
In its purest form the attacker enumerates every possible string of letters, digits and special characters. This is slow and resource-intensive, and each extra character multiplies the search space by the size of the alphabet, so the method is practical for short passwords and impractical for even slightly longer ones. A typical case is working through password guesses against the account "admin".
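The following is an added example, not code from the original article, showing the simple brute force described above run offline against a leaked password hash. The storage scheme (unsalted SHA-256) and the three-character target password are assumptions made for the demo; the point is that exhaustive enumeration is instant for a short password and grows by a factor of the alphabet size for every character added:

```python
import hashlib
import itertools
import string

# Alphabet for the example: lowercase letters and digits (36 symbols).
CHARSET = string.ascii_lowercase + string.digits


def sha256_hex(candidate: str) -> str:
    """Unsalted SHA-256, standing in for a weak password store (an assumption
    made for the demo; real systems should use bcrypt, scrypt or Argon2)."""
    return hashlib.sha256(candidate.encode()).hexdigest()


def keyspace_size(alphabet_len: int, max_length: int) -> int:
    """Number of candidates of length 1..max_length over the alphabet."""
    return sum(alphabet_len ** n for n in range(1, max_length + 1))


def brute_force(target_hash: str, charset: str = CHARSET, max_length: int = 4):
    """Enumerate every candidate, shortest first, until the hash matches.
    Returns (password, attempts) on success or (None, attempts) if the
    search space up to max_length is exhausted."""
    attempts = 0
    for length in range(1, max_length + 1):
        for combo in itertools.product(charset, repeat=length):
            attempts += 1
            candidate = "".join(combo)
            if sha256_hex(candidate) == target_hash:
                return candidate, attempts
    return None, attempts


def seconds_to_exhaust(alphabet_len: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to enumerate every candidate up to `length`."""
    return keyspace_size(alphabet_len, length) / guesses_per_second


if __name__ == "__main__":
    # Constructed "leaked" hash of a three-character password.
    leaked = sha256_hex("ab1")
    print(brute_force(leaked))  # ('ab1', 1396)
    # Each extra character multiplies the work by 36; at one billion
    # guesses per second, exhausting 12 characters takes about 150 years.
    for n in (4, 8, 12):
        print(n, round(seconds_to_exhaust(len(CHARSET), n, 1e9)))
```

The attempt counter is what a defender should care about: an online login endpoint that permits even a few hundred guesses per minute is enough for the short end of this table, which is why the prevention section below leans on throttling and lockouts.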
2. Reverse brute force attacks (password spraying)
The naming here describes the procedure directly. In a reverse brute force attack, also called password spraying, the attacker inverts the simple technique just discussed.
Instead of many passwords against one account, the attacker takes a small set of common passwords and tries each one against a long list of usernames. Cycling through every account with one password before moving to the next keeps the number of failures per account below lockout thresholds, so spraying is specifically designed to defeat the per-account lockouts that stop simple brute force.
Password spraying is a serious problem for organizations whose users choose common passwords and whose login endpoints lack multi-factor authentication or throttling keyed on the source as well as the account.
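To make the lockout-evasion point concrete, here is an added example (not from the original article) that models a login endpoint with a per-account lockout and runs the same six guesses against it in both orders. The accounts, passwords and thresholds are constructed for the demo:

```python
from collections import defaultdict


class LockoutAuthenticator:
    """Constructed model of a login endpoint with a per-account lockout:
    `threshold` failures within `window` seconds lock the account for
    `lock_seconds`. Every credential here is made up for the demo."""

    def __init__(self, users, threshold=5, window=900, lock_seconds=900):
        self.users = users                      # username -> password
        self.threshold = threshold
        self.window = window
        self.lock_seconds = lock_seconds
        self.failures = defaultdict(list)       # username -> failure timestamps
        self.locked_until = {}
        self.lockouts = 0

    def login(self, user, password, now):
        if now < self.locked_until.get(user, 0):
            return "locked"
        recent = [t for t in self.failures[user] if now - t < self.window]
        if self.users.get(user) == password:
            self.failures[user] = []
            return "ok"
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= self.threshold:
            self.locked_until[user] = now + self.lock_seconds
            self.failures[user] = []
            self.lockouts += 1
        return "fail"


def vertical_attack(auth, user, guesses, start=0, interval=1):
    """Simple brute force: every guess against one account, back to back."""
    results = []
    t = start
    for guess in guesses:
        results.append(auth.login(user, guess, t))
        t += interval
    return results


def spray_attack(auth, users, guesses, start=0, interval=1, pause=None):
    """Password spraying: one guess across every account, then wait out the
    lockout window before trying the next guess."""
    pause = auth.window if pause is None else pause
    hits = {}
    t = start
    for guess in guesses:
        for user in users:
            if auth.login(user, guess, t) == "ok":
                hits[user] = guess
            t += interval
        t += pause
    return hits


USERS = {  # constructed accounts
    "alice": "Winter2021!",
    "bob": "Welcome1",
    "carol": "Tq9#vLw2pXz!",
    "dave": "m4G-rh8Z*kq",
    "erin": "correct horse battery staple",
}
COMMON = ["Password1", "Welcome1", "Summer2021!", "Qwerty123", "Letmein1", "Winter2021!"]

if __name__ == "__main__":
    a = LockoutAuthenticator(USERS)
    print(vertical_attack(a, "alice", COMMON), "lockouts:", a.lockouts)
    # ['fail', 'fail', 'fail', 'fail', 'fail', 'locked'] lockouts: 1
    b = LockoutAuthenticator(USERS)
    print(spray_attack(b, list(USERS), COMMON), "lockouts:", b.lockouts)
    # {'bob': 'Welcome1', 'alice': 'Winter2021!'} lockouts: 0
```

The vertical run locks the account before it reaches the correct sixth guess; the spray makes exactly the same thirty guesses in total, never trips the lockout, and recovers two passwords. A lockout that only counts failures per account therefore does nothing against spraying, which is why the detection logic later in this article groups failures by source as well.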
3. Dictionary attacks
As the name says, a dictionary attack works through a large pre-built list of likely passwords: real words, common passwords, phrases and their variants, rather than every possible string. In that sense it is more targeted than exhaustive brute force. Attackers use password-cracking tools and wordlist generators to build and expand these lists.
For a more focused dictionary attack, they may also research individual users online (blogs, social media profiles and the like) to learn their interests and spot words or phrases that recur, then add those terms to the dictionary.
4. Hybrid brute force attacks
A hybrid attack combines two techniques, typically a dictionary attack with brute force. It takes words from the list and mutates them by changing case, substituting characters and appending numbers or symbols, so that "password" also yields "P@ssw0rd2022". The combination is more effective than either method alone because it mirrors how people actually construct passwords that satisfy complexity rules.
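The following added example (not part of the original article) generates hybrid candidates from a wordlist in the way the dictionary and hybrid sections describe: case variants, character substitutions and appended suffixes. The substitution table and suffix list are a small illustrative subset of what real cracking tools apply:

```python
import itertools

# Common substitutions attackers model (an illustrative subset).
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
SUFFIXES = ["", "1", "123", "!", "2021", "2022", "!1"]


def case_variants(word):
    return {word.lower(), word.capitalize(), word.upper()}


def leet_variants(word, max_subs=None):
    """Every way of replacing up to max_subs substitutable letters."""
    positions = [i for i, c in enumerate(word) if c.lower() in LEET]
    limit = len(positions) if max_subs is None else min(max_subs, len(positions))
    out = set()
    for r in range(limit + 1):
        for subset in itertools.combinations(positions, r):
            chars = list(word)
            for i in subset:
                chars[i] = LEET[word[i].lower()]
            out.add("".join(chars))
    return out


def hybrid_candidates(wordlist, suffixes=SUFFIXES, max_subs=None):
    """Yield dictionary words mutated by case, character substitution and
    appended suffixes, in a deterministic order, without repeats."""
    seen = set()
    for base in wordlist:
        for cased in sorted(case_variants(base)):
            for mutated in sorted(leet_variants(cased, max_subs)):
                for suffix in suffixes:
                    candidate = mutated + suffix
                    if candidate not in seen:
                        seen.add(candidate)
                        yield candidate


def crack(target_check, wordlist, **kwargs):
    """Run candidates through a check function (for instance a hash
    comparison) and return (match, attempts)."""
    n = 0
    for n, candidate in enumerate(hybrid_candidates(wordlist, **kwargs), 1):
        if target_check(candidate):
            return candidate, n
    return None, n


if __name__ == "__main__":
    # Constructed target: a "complex" password built from one dictionary word.
    print(crack(lambda c: c == "Summ3r2022", ["summer"]))
    print(sum(1 for _ in hybrid_candidates(["password"])), "candidates from one word")
```

One word expands to a few hundred candidates here; real rule sets expand each word into tens of thousands, yet that is still vastly cheaper than exhaustive enumeration of a ten-character space, which is the whole appeal of the hybrid approach.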
5. Credential stuffing attacks
In a credential stuffing attack, the attacker repeatedly "stuffs" known username and password pairs into login forms on many different sites. The pairs come from earlier breaches or other exposures, and the bet is that some of the people in the dump reuse the same password elsewhere, so the attacker eventually finds accounts on some of the target sites that accept them.
Credential stuffing is typically run through botnets, which try the stolen pairs against many websites from many source addresses at once. Given that people reuse passwords across many (52 percent) or all (13 percent) of their accounts, it is no surprise that these attacks frequently succeed. According to F5's 2021 Credential Stuffing Report, incidents involving stolen credentials, email accounts and passwords are not going away.
Examples of Brute Force Attacks
Having covered how brute force attacks work, here are some real-world examples of this threat:
1. The 2020 brute force attack driven by geopolitical motivations
In 2020, Microsoft reported that a group it attributed to Russian military intelligence was attacking Microsoft Office 365 accounts belonging to election-related organizations, using password spraying and brute force logins, and issued a public warning.
According to Microsoft, the group had targeted more than 200 organizations over the preceding year, including advocacy groups, political parties and political consultants. Among those targeted were the US-based German Marshall Fund, the European People's Party, and a range of US consultants working for both Republicans and Democrats.
2. The 2021 T-mobile attack that led to the data being sold for only $200
T-Mobile suffered a breach in which the attacker claimed to have stolen the personal information of 100 million users. The company confirmed the breach but put the number of affected consumers at about 40 million. T-Mobile CEO Mike Sievert apologized to customers for the leak and said the company was working to secure its systems against future attacks.
The attacker combined knowledge of T-Mobile's technical environment with specialized tools to gain access to testing environments, then used brute force attacks and other techniques to reach IT servers holding customer data. Notably, although the trove of T-Mobile user data was initially offered for 6 bitcoin, it was eventually sold for just $200.
3. The 2021 brute force attack leading to healthcare data theft
The personal health information of up to 30,063 Florida Blue (Blue Cross and Blue Shield of Florida) members may have been viewed or taken by unauthorized parties during a brute force attack on the Florida Blue online member portal. On June 8, 2021, unidentified attackers began hitting the portal with a large database of usernames and associated passwords obtained from internet sources. The database appears to have been assembled from credentials exposed in breaches at third-party organizations, which makes this a credential stuffing attack rather than pure guessing.
4. The 2013 GitHub brute force attacks
In 2013, GitHub notified a number of users that they might have been victims of a brute force attack. Many of the affected accounts used weak passwords, which let the attackers log in and reach sensitive data.
GitHub told the affected users that they would have to reset their passwords to stronger ones. The attackers used almost 40,000 distinct IP addresses in this campaign and deliberately kept the rate low, so that per-address rate limiting and volume-based alerting at GitHub were far less likely to notice.
Brute Force Attack Prevention Best Practices in 2022
The following are some tried and true methods for preventing brute force attacks:
1. Use strong and inimitable passwords
Rather than letting users fall back on typical passwords, encourage them to choose their own long ones. The FBI advises unique passwords of at least 15 characters built from several words. Long passphrases made of random words are both stronger and easier to remember than short strings of gibberish, so users are less likely to write them down or reuse them across accounts.
Because users tend to take the easiest path when setting credentials, they frequently create weak passwords or reuse one password across many sites. Organizations should therefore set a password policy that enforces a minimum length, screens new passwords against lists of common and previously breached passwords, and requires a unique password per account, and should enforce that policy technically rather than relying on guidance alone.
2. Limit login attempts and disable root SSH logins
Many websites, particularly those built on WordPress, allow an unlimited number of login attempts by default. If you administer a site, install a plugin that limits the number of login attempts per client: you choose how many tries a visitor gets, and once that number is exceeded the source IP address is blocked for a set period. Limit by account as well as by IP address, so that a single account attacked from many addresses is also throttled, and keep blocks temporary so that an attacker cannot use the lockout itself to deny a legitimate user access.
Also, allowing root to log in over SSH (secure shell) makes brute force against that account straightforward: the username is known, so only the password has to be guessed. Disable it in sshd_config with "PermitRootLogin no" (adding "DenyUsers root" as a second guard), and prefer key-based authentication over passwords on internet-facing hosts.
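Two added examples for this section, neither taken from the original article. The first implements the login throttling just described as a sliding-window limiter keyed independently by client IP and by account, with expiring blocks; the thresholds are illustrative. The second audits an sshd_config for the settings named above, with a constructed permissive configuration beside a hardened one, and relies on the OpenSSH defaults that apply when a keyword is absent (PermitRootLogin prohibit-password, MaxAuthTries 6, LoginGraceTime 120):

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window limiter for failed logins, keyed independently by the
    client IP and by the target account. The per-IP limit catches a single
    source guessing many accounts; the per-account limit catches a botnet
    spreading guesses for one account across many sources. Blocks expire,
    so an attacker cannot permanently lock out a legitimate user by
    hammering their account. All thresholds are illustrative."""

    def __init__(self, ip_limit=20, account_limit=5, window=300, block=900):
        self.limits = {"ip": ip_limit, "acct": account_limit}
        self.window = window
        self.block = block
        self._events = defaultdict(deque)   # key -> timestamps of failures
        self._blocked = {}                  # key -> block expiry time

    def _recent(self, key, now):
        q = self._events[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return len(q)

    def check(self, ip, account, now):
        """Return (allowed, reason); call before attempting authentication."""
        for key in (("ip", ip), ("acct", account)):
            if now < self._blocked.get(key, 0):
                return False, key[0]
        return True, None

    def record_failure(self, ip, account, now):
        for key in (("ip", ip), ("acct", account)):
            self._events[key].append(now)
            if self._recent(key, now) >= self.limits[key[0]]:
                self._blocked[key] = now + self.block
                self._events[key].clear()

    def record_success(self, account):
        """A real login clears the account's failure history but not the
        IP's, so a botnet that stumbles on one password stays throttled."""
        self._events[("acct", account)].clear()


# Constructed sshd_config fragments (not taken from any real host).
WEAK_CONFIG = """
# permissive settings left in place
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
"""

HARDENED_CONFIG = """
Port 22
PermitRootLogin no
DenyUsers root
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 30
"""

# OpenSSH defaults that apply when a keyword is absent.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "maxauthtries": "6",
    "logingracetime": "120",
}


def parse_sshd_config(text):
    """Return global settings as {keyword_lowercase: value}. Keywords are
    case-insensitive, the first occurrence of a keyword wins, and anything
    after the first Match block is conditional, so it is not read here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings


def audit_sshd(text):
    """Return (keyword, problem) findings relevant to brute force exposure."""
    s = parse_sshd_config(text)
    get = lambda k: s.get(k, DEFAULTS.get(k, ""))
    findings = []
    if get("permitrootlogin").lower() != "no":
        findings.append(("PermitRootLogin", "root login permitted; set PermitRootLogin no"))
    if "root" not in get("denyusers").split():
        findings.append(("DenyUsers", "add 'DenyUsers root' as a second guard"))
    if get("passwordauthentication").lower() == "yes":
        findings.append(("PasswordAuthentication", "passwords are guessable; prefer keys and set no"))
    if get("maxauthtries").isdigit() and int(get("maxauthtries")) > 3:
        findings.append(("MaxAuthTries", "allow at most 3 attempts per connection"))
    if get("logingracetime").isdigit() and int(get("logingracetime")) > 60:
        findings.append(("LoginGraceTime", "shorten to 60 seconds or less"))
    return findings
```

The throttle's two keys matter: a per-account limit alone is bypassed by spraying, and a per-IP limit alone is bypassed by a botnet such as the one used against GitHub in 2013, so both are needed. The config audit reads only the global section; anything under a Match block is conditional and needs to be checked against the host's actual matching rules, which `sshd -T` prints for a given connection.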
3. Adopt IP address monitoring
Where feasible, restrict logins to known IP addresses or ranges, such as the corporate network or VPN egress addresses. With a hybrid or remote workforce this is harder to do strictly, so at a minimum set up alerts for login attempts from unexpected addresses or locations and block sources that generate them.
4. Use two-factor authentication
Two-factor or multi-factor authentication makes a guessed password insufficient on its own. Once 2FA is enabled, a user who has entered the correct password must also prove possession of a second factor, such as a one-time code from an authenticator app or a hardware security key, before access is granted. Codes sent by SMS are weaker than app- or hardware-based factors but still defeat plain password guessing.
5. Employ a CAPTCHA
CAPTCHAs are challenges that are tough for automated software applications to complete but are simple for people to achieve, such as identifying patterns or tapping in a specific location on a webpage. Websites use them to stop bots and spam from accessing their content.
CAPTCHAs come in many forms: some ask you to solve a word puzzle, do simple arithmetic, or identify objects in photos. However inconvenient (and irritating) the mechanism can be, it has real value.
A CAPTCHA can help against account takeover, fraudulent purchases and similar abuse. Its value as a security control comes from forcing every login attempt through a challenge that automated tools struggle with, which sharply raises the cost of high-volume guessing. The underlying idea is a task that is easy for people and hard for machines; since CAPTCHA-solving services and improved bots do get through, treat it as added friction rather than a sole defense.
6. Use web application firewalls (WAFs)
A web application firewall (WAF) provides reasonable protection against brute force attempts to gain unauthorized access to your systems. It typically limits the number of requests a single source can make to a given URL space within a time interval. Beyond brute force attempts against credentials or session tokens, a WAF also helps against denial-of-service (DoS) traffic that exhausts server resources and can block vulnerability scanners probing your applications for flaws.
7. Adopt threat detection and network security tools
A WAF is a valuable tool for detecting and blocking credential stuffing, but it is not perfect and can do little against distributed brute force in which many attackers use different IP addresses at low rates. That is why you should layer several kinds of safeguards.
Intrusion detection systems (IDS) help detect and report network security problems and attacks, but they have limits: an IDS on its own does not block or respond, so it needs to be paired with other tools. Security information and event management (SIEM) software is a good way to discover, evaluate and respond to threats quickly. A SIEM that correlates failed logins across sources and accounts can surface brute force, spraying and credential stuffing in near real time so you can act before the attacker gets in.
These technologies, and the specialists needed to run them well, can be prohibitively expensive for smaller in-house teams. Using a managed security service provider can be a sensible alternative in that case.
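This added example, which is not from the original article, shows the kind of correlation a SIEM rule performs, run over a handful of constructed sshd-style log lines: it groups failed logins by source address and uses the ratio of distinct accounts to failures to tell simple brute force (many guesses, one account) from spraying or credential stuffing (one or two guesses across many accounts), and reports any account that a flagged source then logged into. The log lines, addresses and thresholds are all made up for the demo:

```python
import re
from collections import defaultdict

# Constructed sshd-style auth log lines (not from a real host).
LOG_LINES = (
    # 203.0.113.5: twelve guesses against one account, then a success.
    [f"Jan 12 10:00:{i:02d} bastion sshd[4100]: Failed password for admin "
     f"from 203.0.113.5 port 51{i:03d} ssh2" for i in range(12)]
    + ["Jan 12 10:00:12 bastion sshd[4100]: Accepted password for admin "
       "from 203.0.113.5 port 51012 ssh2"]
    # 198.51.100.7: one guess against each of twelve accounts (spraying).
    + [f"Jan 12 10:05:{i:02d} bastion sshd[4200]: Failed password for invalid user user{i} "
       f"from 198.51.100.7 port 40{i:03d} ssh2" for i in range(12)]
    # 192.0.2.9: a user mistyping twice, then logging in normally.
    + ["Jan 12 10:07:01 bastion sshd[4300]: Failed password for carol from 192.0.2.9 port 38001 ssh2",
       "Jan 12 10:07:05 bastion sshd[4300]: Failed password for carol from 192.0.2.9 port 38001 ssh2",
       "Jan 12 10:07:09 bastion sshd[4300]: Accepted publickey for carol from 192.0.2.9 port 38001 ssh2"]
)

FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")
OK_RE = re.compile(r"Accepted \w+ for (\S+) from (\d+\.\d+\.\d+\.\d+)")


def summarize(lines):
    """Per source IP: failure count, distinct accounts tried, accounts logged into."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "successes": set()})
    for line in lines:
        if (m := FAIL_RE.search(line)):
            user, ip = m.groups()
            stats[ip]["failures"] += 1
            stats[ip]["users"].add(user)
        elif (m := OK_RE.search(line)):
            user, ip = m.groups()
            stats[ip]["successes"].add(user)
    return stats


def classify(stats, min_failures=10, spread_ratio=0.2):
    """Flag sources with at least min_failures. A low ratio of distinct
    accounts to failures means many guesses per account (vertical brute
    force); a high ratio means one or two guesses per account (spraying or
    credential stuffing). Returns {ip: (kind, accounts the source logged into)}."""
    alerts = {}
    for ip, s in stats.items():
        if s["failures"] < min_failures:
            continue
        ratio = len(s["users"]) / s["failures"]
        kind = "vertical" if ratio <= spread_ratio else "horizontal"
        alerts[ip] = (kind, sorted(s["successes"]))
    return alerts


if __name__ == "__main__":
    for ip, (kind, compromised) in classify(summarize(LOG_LINES)).items():
        print(ip, kind, "logged into:", compromised or "nothing")
```

The per-source grouping is what a naive "N failures on one account" rule misses: the spraying source never fails more than once per account, so it is only visible when failures are aggregated by IP. A botnet that spreads guesses across addresses defeats this view too, which is why the same aggregation should also be run per account and per password-policy-violating pattern across the whole estate, not just per IP.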
8. Enforce the use of secure, encrypted connections among employees
Encryption is central to cybersecurity. The familiar case is using SSL/TLS certificates to secure website connections over HTTPS. Virtual private networks (VPNs) are equally practical, especially for employees and administrators who work remotely. Remote desktop protocol (RDP) and SSH services exposed directly to the internet are among the most common brute force targets; if remote access goes through a VPN and those services are reachable only from inside it, they are removed from the attack surface that internet-wide scanners and brute force bots can reach.
9. Provide mandatory cyber awareness training
This should go without saying, but many businesses still offer no cybersecurity awareness training, so it bears repeating. An awareness program teaches users how to recognize and respond to real-world threats. Staff training should cover everything from classic phishing and social engineering techniques to what to do when something looks wrong, including how to pick strong passwords and why reusing them feeds credential stuffing.
One important point: use real examples in the training. Phishing samples are not hard to find; look in your own spam and junk folders. Real phishing emails and screenshots of fraudulent websites make the difference between passable training material and genuinely useful training.
Takeaways
The single most effective measure against brute force is limiting invalid logins, so that an attacker gets only a handful of guesses before being slowed or blocked. This is why web services show a CAPTCHA after a few wrong passwords or temporarily block the source IP address. Brute force attacks are common, but they are also among the easiest attacks to defend against proactively.
By staying vigilant, enforcing good password hygiene and multi-factor authentication, and securing your network, you can withstand brute force attacks regardless of how many attempts the attacker makes. Forced periodic password changes, once standard advice, tend to push users toward predictable variations of the old password; current guidance is to change a password when there is evidence it has been exposed and to screen new passwords against lists of breached ones.