Brute Force Attacks
What is a brute force attack?
Brute force attacks use automated techniques such as credential stuffing and card cracking to test large volumes of data against a website, continually, until they gain entry to a user account.
For instance, in a credential stuffing attack, a threat actor continually injects illegally acquired usernames and passwords to validate the credentials. Once a valid match is acquired, the threat actor can take over the account, either accessing the contents for their gain or selling the validated details for a profit.
Types of Brute Force Attacks
Simple Brute Force Attacks
A simple brute force attack is when a hacker attempts to guess a user’s login credentials without using software. The guesses come from easy or obvious combinations, or from information gathered about the individual.
Dictionary Attacks
A dictionary attack uses known lists of passwords from previous leaks, not necessarily tied to the account being targeted. This exploits the tendency to pick common words as passwords.
Hybrid Brute Force Attacks
A hybrid brute force attack is when a hacker combines a dictionary attack method with a simple brute force attack. They utilise potential words and swap letters and numbers in and out to try and find the password.
Reverse Brute Force Attacks
A reverse brute force attack sees an attacker begin the process with a known password, which is typically discovered through a network breach.
Credential Stuffing
Credential stuffing preys on recycled passwords. Attackers collect username and password combinations they have stolen, which they then test on other websites to see if they can gain access to additional user accounts.
How to protect yourself against a brute force attack
Preventing brute force attacks can be achieved using methods such as:
CAPTCHA
A Completely Automated Public Turing test to tell Computers and Humans Apart, aka a CAPTCHA form, requires users to prove they are human by solving a puzzle related to a grid of images or typing out a sequence of numbers and letters.
Strong Customer Authentication (SCA)
SCA requires customers to provide at least two forms of identification to access their accounts, such as a password and a fingerprint, or a password and a one-time authentication code sent to the user’s mobile phone.
Limiting login attempts
Limiting the number of login attempts makes the use of brute force techniques exceptionally difficult but not impossible, and also introduces usability issues when genuine customers make multiple failed attempts to access their accounts.
IP blacklisting
If you’re able to identify the IPs commonly used by bad bots attacking your web-facing infrastructure, it’s possible to block these IPs from your network. It’s worth noting that most bot operators rotate through many IP addresses, so this technique is only effective against IPs already known to be used by bad bots.
Web Application Firewalls (WAFs)
WAFs protect web applications from common software vulnerabilities. However, the most sophisticated threat actors are creating bots that mimic normal human behaviour, and while WAFs will effectively block large volumes of malicious traffic, they are not complex enough to catch traffic that looks ordinary.
Rate limiting
Surges of traffic to your web-facing infrastructure can indicate unusual and potentially malicious behaviour, such as that seen in a brute force attack. However, some attacks rotate and distribute their IP addresses to appear as many different users. It’s vital to accompany rate limiting with behavioural analysis that determines the intent of the traffic.
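As an added example (not code from the original article), the following Python sketch implements the two signals the login-limiting and rate-limiting sections describe: a sliding-window count of failures per source IP, and a count of distinct IPs failing against one account, which is what a rotated, distributed attack looks like to the defender. The log format, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(r"(\S+) ip=(\S+) user=(\S+) result=(ok|fail)")
WINDOW = timedelta(minutes=5)
IP_LIMIT = 5          # failures from one IP inside WINDOW: rate-limit that IP
ACCOUNT_IP_LIMIT = 3  # distinct IPs failing on one account: stuffing suspect

def trim(queue, now, stamp=lambda e: e):
    """Drop entries older than WINDOW so stale failures stop counting."""
    while queue and now - stamp(queue[0]) > WINDOW:
        queue.popleft()

class LoginMonitor:
    def __init__(self):
        self.by_ip = defaultdict(deque)    # ip -> failure timestamps
        self.by_user = defaultdict(deque)  # user -> (timestamp, ip) of failures

    def observe(self, line):
        """Feed one log line; return the alerts it triggers (may be empty)."""
        m = LINE.match(line)
        if not m:
            return []
        ts, ip, user, result = m.groups()
        now = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        if result == "fail":
            self.by_ip[ip].append(now)
            self.by_user[user].append((now, ip))
        trim(self.by_ip[ip], now)
        trim(self.by_user[user], now, stamp=lambda e: e[0])
        alerts = []
        if len(self.by_ip[ip]) >= IP_LIMIT:            # one source hammering
            alerts.append(("rate_limit_ip", ip))
        if len({src for _, src in self.by_user[user]}) >= ACCOUNT_IP_LIMIT:
            alerts.append(("distributed_on_account", user))  # rotated sources
        return alerts

# Constructed sample log: one IP spraying "alice", then three IPs trying "bob".
SAMPLE_LOG = (
    [f"2024-01-01T10:00:0{i}Z ip=203.0.113.5 user=alice result=fail" for i in range(5)]
    + [f"2024-01-01T10:01:{i}0Z ip=198.51.100.{i} user=bob result=fail" for i in range(1, 4)]
)

def scan(lines):
    """Run the monitor over a whole log; return the set of distinct alerts."""
    mon, found = LoginMonitor(), set()
    for line in lines:
        found.update(mon.observe(line))
    return found
```

Because the window slides, a genuine customer who fails a few times and then waits is not locked out, which is the usability trade-off the login-limiting section raises.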
Sophisticated bot detection
Collaborate with a bot management vendor who can quickly and accurately distinguish bots from humans, using technology that learns and adapts as quickly as the bots do to ensure it is always effective and efficient. Learn more about sophisticated bot management from Netacea.
Malware protection
Malware refers to malicious software and tools that are used to attack systems to obtain data, cause damage or gain access. Malware is often disguised as a download, an attachment or embedded in social media images. The best protection against malware is a robust defence: the use of anti-virus software combined with network monitoring that can detect any unusual activity.
Who uses brute force attacks and why
Security researchers acknowledge that, while brute force attacks are a common means of hacking systems and networks, they are also one of the least sophisticated. Nevertheless, these cyber-attacks can be difficult to overcome by businesses that have not invested in effective security measures.
Brute force attacks are usually carried out by bots that make up large armies of infected computers around the world (known as botnets). The attackers use the botnet to repeatedly attempt to log into accounts using a long list or ‘dictionary’ of words and numbers as passwords.
Popular brute force attack tools
Brute force tools can be used in two ways:
Spoofing. A hacker may install malware on users’ devices which will then ‘spoof’ the user to make it appear that they are logging in successfully. This can trick the user into believing their account has been compromised and into seeking help from a support person, who will likely unwittingly provide the attacker with access to their account or network.
Password cracking. To obtain sensitive data such as passwords, bank accounts and credit card information, cybercriminals use software which systematically cracks weak passwords by attempting millions of possible combinations until the right one is found.
While this may seem laborious for an individual hacker working alone, when installed on maliciously infected computers around the world (i.e., a botnet), thousands of guesses are made every second – allowing hackers to crack even complex passwords.
The impact of a successful brute force attack
The breach can have far-reaching effects on both users and businesses. They include:
Identity theft – stealing someone’s identity to access their accounts, such as bank accounts or credit cards. This enables the attacker to purchase goods using these details. In addition, information such as social security numbers can be sold for use in other cyber attacks.
Loss of data – stolen data means a loss of confidentiality, which can destroy the company’s reputation. A leak of sensitive customer information can also cause reputational damage that leads to public distrust and dissatisfaction with the business.
Downtime – this refers to system outages where websites or computer networks cannot be accessed due to a cyber attack. This is costly to the business in terms of lost revenue, customer satisfaction as well as loss of image.
The impact of brute force attacks on small businesses
Small businesses may be less prepared for a successful brute force attack due to budget constraints or a lack of staff with adequate technical knowledge. As a result, they may suffer serious financial losses and be forced out of business if their information systems are seriously damaged.
What are the motives behind brute force attacks?
- Steal sensitive data
- Spread malware
- Hijack systems
- Make websites unavailable
- Profit from ads
- Reroute website traffic to commissioned ad sites
- Infect sites with spyware, collecting data
Steps to prevent brute force attacks
Several measures can be taken by both individuals and companies which will help prevent successful brute force attacks:
Use complex passwords – for example, don’t use your name or an easily guessed number for your password (e.g., 123456). This makes it significantly more difficult for hackers to crack your password due to the large number (millions) of passwords they need to guess.
Using a password manager like 1Password or LastPass – it’s easy to lose track of all the different usernames and passwords we have for websites, apps and devices these days. Using a password manager will allow you to create strong, unique passwords that are only stored in one place. This will make it much harder for attackers to gain access to other accounts if they do manage to crack your main password.
Changing your keys regularly – hackers can try out millions of combinations of letters and numbers until they find an unlocked door. If you change your keys regularly, even if someone does get hold of them, they may already be out of date.
Regular password changes – this is very important to keep your data safe for as long as possible. Hackers will typically try to gain access soon after a breach in security, so make sure you change your passwords on an annual basis at least. Having multiple accounts? Try using the same password across all of them with just slight variations (e.g., add a number or symbol). You can easily remember one password with these minor alterations instead of trying to remember a different unique password for each account.
Implementing two-factor authentication – if you’re worried about hackers attempting to get into your account when you’re not there, consider setting up two-factor authentication on some or all of your accounts which means that you need something other than a password (a code) to log in. This makes it much harder for attackers.
Implementing firewalls – this is essential to protect your business from attacks on the network level. A firewall will filter incoming and outgoing traffic by looking at the type of data (i.e., IP addresses). You should implement a firewall if your company utilizes cloud computing or has remote users accessing the web or email using mobile devices such as smartphones, tablets and laptops which may connect wirelessly.
Using up-to-date antivirus software – computer malware can be introduced onto a network in various ways but the most common way is by clicking on malicious links and attachments sent via email. Ensure that your computers are equipped with antivirus software which not only protects you from external threats but also acts as a deterrent to would-be hackers.
Regularly updating applications – attackers regularly target vulnerabilities within operating systems, programs and apps. Make sure that you update these regularly with patches or new versions so that your information stays safe.
Data backups – if an attacker manages to get hold of any sensitive information, they could use it for nefarious purposes such as identity theft or fraud. Regular backups will ensure that even if this does occur, you will still have access to all your important files.
Ensuring strong communication encryption – encrypted networks provide a layer of security between two nodes (e.g., computers) which cannot be accessed by others on the network. Encryption scrambles data via algorithms so that even if it is intercepted, it will prevent other nodes from reading its contents.
Protecting your wireless network – use WPA2 encryption and a strong password to secure all access points/hubs for Wi-Fi networks as WEP encryption can easily be cracked. Make sure you change your default username and password for each device to something unique and complex. Utilize MAC filtering so that only devices with known MAC addresses can connect to the Wi-Fi network, although this isn’t foolproof since anyone can fake their MAC address.
Securing your Wi-Fi password – try to avoid using the same Wi-Fi network name and password for all of the devices on your network as this method makes it easier for hackers to exploit a single weak spot. Instead, create unique names and passwords for each device which are unknown to potential adversaries.
Keeping tabs on all access points/hubs – you should regularly monitor your networks (both wired and wireless) to protect against unauthorized usage or malicious threats such as spambots or viruses. A simple way to do this is by installing a firewall that not only filters incoming traffic but also logs outgoing requests so that you can assess any unusual activity if necessary.
Protecting all web servers – you should implement SSL certificates on any websites that contain private information so that visitors know their information is encrypted and cannot be read by others. If you have mobile users, you should also implement SSL on all applications that connect to your back-end systems.
Implementing strong password policies – if employees can create their passwords, they may choose a pattern which can easily be guessed or use simple words or phrases that won’t adequately secure their account. At the very least, ensure that all passwords must be at least 8 characters and utilize upper case letters as well as lower case ones with at least one number or symbol in each. Make sure you train your employees on how best to create and remember complex passwords so they will adhere to these rules (and not write them down).
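As an added example, not code from the article, this Python checker enforces the policy just stated (at least 8 characters, upper and lower case, and a digit or symbol) and also rejects dictionary words and the letter-for-number variants a hybrid attack tries, by undoing those substitutions before looking the password up. The common-password set is a constructed stand-in for a real breach list, and the username rule follows the earlier advice not to use your name.

```python
import re

# Constructed stand-in for a breached-password list; a real deployment loads a
# far larger set from a file or a breach-checking service.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}

# Substitutions a hybrid attack tries; we undo them before the dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

def strip_ends(s):
    """Remove digits and symbols tacked onto either end, e.g. 'qwerty2024!'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)

def stems(pw):
    """Candidate dictionary stems of a password with hybrid tweaks undone."""
    low = pw.lower()
    return {low, strip_ends(low).translate(LEET), strip_ends(low.translate(LEET))}

def check_password(pw, username=""):
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", pw):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", pw):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]|[^A-Za-z0-9]", pw):
        problems.append("no digit or symbol")
    if stems(pw) & COMMON_PASSWORDS:
        problems.append("dictionary word or common variant")
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    return problems
```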
Frequently asked questions about brute force attacks
What is an example of a brute force attack?
While there are several methods of brute forcing a system, the most common example is when somebody tries to get around restrictions on a website by entering different username/password combinations until they find one that works.
How long do brute force attacks last?
These types of attacks can be very long and drawn out. While some may only take a few weeks or months to achieve their goal, others may go on for years until they get in. The length of the attack will depend on the level of security in place and the resources available to the hacker.
What is a DDOS brute force attack?
A Distributed Denial of Service (DDOS) brute force attack is where an attacker accesses a network from multiple different IP addresses, so that far more sources are requesting information than the server can serve. This overloads the server so that it cannot provide any information and shuts down all services until it has been rebooted by an administrator.
Is it illegal to brute force?
Brute-forcing can be considered illegal depending on what the attacker is trying to do as well as how they are doing it, but it is hard to determine whether or not someone who uses this type of attack will face legal consequences for their actions.
Are brute force attacks common?
Brute force attacks occur constantly, but individuals are usually unaware when they have been targeted. These types of attacks are popular amongst cybercriminals who use them to gain access to online bank accounts or other private information so that it can be sold for profit.
What is the difference between a dictionary attack and brute force?
A dictionary attack involves guessing a password based on lists of words and character sequences known to be common passwords. A brute force attack, however, simply tries every possible combination until successful.
How fast is a brute force attack?
While brute force attacks are usually intensive and take a long time to complete, they are not always the slowest attack. This method of breaking into a system simply tries every possible combination that could work so sometimes it is very fast.