A brute force attack is an attempt to reveal passwords and login credentials in order to gain access to network resources. These attacks are mainly done with the purpose of gaining unauthorized, and undetected access to compromise systems. Threat actors usually prefer this attack method since it is simple to carry out, and can cause significant damage. Once a person’s credentials are revealed, the attacker can log in, generally unnoticed.
Brute force attacks are still prevalent today, and many organizations are frequently affected. The most common motives behind Brute force attacks are to steal sensitive data, spread malware, hijack systems, and make websites and systems unavailable.
Types of Brute Force Attacks
Simple/Traditional Brute force attack
A manual method where the threat actor simply guesses a user`s credentials. PIN numbers with a small number of combinations, and weak, easily guessable passwords such as “Password123”, “qwerty”, or “1234” are often attempted first. The threat actor can also use publicly gathered knowledge of the victim, and guess the password by using the name of the target’s pet name, favorite movie, or birth dates.
Dictionary attacks use automated tools that enter words into password fields. Words commonly found in language sets are often used as passwords. In many cases, a dictionary attack will use multiple languages, including fictional ones, such as those from science-fiction movies and television shows. Sometimes, the “dictionary” consists of a list of previously breached passwords. This attack sometimes costs a lot of time and might trigger account lockout warnings that would be noticed by the system administrators or the user.
A dictionary attack may also be attempted offline by using a stolen password storage file, but this is more complicated, as the attacker would have to access the network to initially gain access to the file. One would wonder, if the attacker has already gained access to the password file, haven’t they already successfully breached the network, making a password attack unnecessary? In some ways this may be true, but gathering passwords is more valuable for future access.
The way this works is because attackers rely on password fatigue. If the breach of the password file is discovered, most organizations will force a password change for all the affected accounts. However, a person who uses a password such as “Winter2023” will be inclined to simply change it to “Spring2023”, making future password guesses a trivial matter for the attacker.
A dictionary attack will not work against truly unique passwords, however, a review of the most common passwords of 2022 indicates that, when it comes to setting passwords, they are anything but unique. That is a glaring example of the problem of password fatigue.
Hybrid Brute Force attack
This attack type is a combination of a simple brute force attack and a dictionary attack. Well-known breached credentials will be compared to a word list, and a brute force attack is applied on each possible match. This attack is more powerful and dangerous, as it can gather more credentials faster than each individual attack method.
This attack is commonly used to compromise user accounts through usernames and passwords collected from a data breach. The stolen credentials are tested using automated tools against many places such as social media platforms, online marketplaces, and web applications. If the threat actor is able to log in successfully using the tested credentials, then the credentials are valid. Next, the threat actor would drain accounts that have value by making purchases, accessing sensitive information, using the account to spread phishing messages, or selling the stolen credentials. The best defense against this type of attack is using unique passwords, and Multi-Factor Authentication (MFA) on all accounts.
Reverse Brute Force attacks
Also known as the password spraying attack, as the name defines the threat actor uses the opposite method of a brute force attack. The threat actor targets a network by trying out all the credentials from previously obtained passwords that match against many common usernames.
Methods of preventing Brute Force attacks.
Proper Password management
The old method of creating passwords that are more than ten characters and include uppercase, and lowercase letters with numbers and symbols has been shown to cause more problems than it solves. Passwords that are difficult for humans to remember are famously comically easy for a computer to guess. However, the use of unique passphrases makes it a bit more difficult for threat actors to carry out Brute Force attacks.
For the typical computer user, a password manager is the best way to increase password entropy. Network administrators can add to this secure method by using high encryption rates on password storage files, as well as other cryptography methods, such as “salting the hash”, which adds random data to a hash function.
Using Multi-Factor Authentication (MFA)
Using authentication factors other than a password to login into an account such as PIN numbers, One-Time Passwords (OTPs), and smartcards can make it harder for threat actors to successfully breach accounts, even if the password is known.
CAPTCHA stands for Completely Automated Public Turing test to Tell Computers and Humans Apart. This is used to prevent bots from executing automated scripts in Brute Force attacks. It includes typing text images, checking image objects, and identifying specific objects; mainly tasks that a robot would fail to succeed. Humorously, sometimes it is equally difficult for humans to succeed at CAPTCHA prompts.
Setting a limit for Failed Login Attempts
Many sites use a policy that limits login attempts to a specific number within a set time period. After surpassing the rate of failed attempts while logging into an account the threat actor gets locked out from the login portal.
Using an Allowlist to limit access to specific pages
Allowlists ensure that only selected users, IP addresses, and domains can access specific web pages, applications, and other systems. Any access attempts other than what is defined on the list will be automatically blocked. Using a blocklist instead of an allowlist is effective if the relative IP address that should be blocked is known ahead of time, however, threat actors can use a proxy IP to make the traffic look like it is coming from a different IP rather than their own.
Using threat detection and network security tools
Security tools, including a Web Application Firewall (WAF), a Security Configuration Manager, and other monitoring tools and filters can limit the impact of brute force attacks.
Brute Force attacks of various types are still prevalent today, affecting organizations with many losses at a large scale. It is very important to employ proper defensive strategies to counter these various attacks, and to protect valuable resources and data in organizations.
About the Author:
Dilki Rathnayake is a Cybersecurity student studying for her BSc (Hons) in Cybersecurity and Digital Forensics at Kingston University. She is also skilled in Computer Network Security and Linux System Administration. She has conducted awareness programs and volunteered for communities that advocate best practices for online safety. In the meantime, she enjoys writing blog articles for Bora and exploring more about IT Security.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.