
Brute Force Attack: Definition, Types, and Prevention

source link: https://www.varonis.com/blog/brute-force-attack/


Josue Ledesma

Updated: 12/8/2021

A brute force attack is a category of attack that uses computing power to perform the same action millions of times in rapid succession in order to “guess” passwords, discover hidden URLs, or recover passwords from encrypted or hashed data. Although there are easy and common ways to defend against it, it costs the attacker very little effort, which makes it an easy way to find a weak point in a company’s site.

In this article, we’ll go over exactly what a brute force attack is, how it can put you at risk, and how to best defend against this type of attack.

What is a Brute Force Attack?


A brute force attack is an attempt by an attacker to gain access to an account or secured system by repeatedly entering credentials, either manually or in an automated way. An attacker using this kind of attack is usually trying to uncover passwords in order to get into accounts, find hidden URLs that lead to sensitive or important data, or decrypt passwords from a leaked trove of data.

When and why are brute force attacks used?

Brute force attacks are relatively unsophisticated but have a big payoff. It’s the equivalent of a thief trying to get into a house and finding the front door unlocked. If that’s the case, why opt for a more complicated and risky method?

Here are a few types of attacks and what a hacker is trying to accomplish.

Account Takeover/Compromise

This is the classic use of a brute force attack. A malicious actor finds their way into an important account via credential stuffing and can then compromise the account in a variety of ways, steal important information, or impersonate the account holder.

Data Exfiltration/Leak

Data exfiltration is a common consequence of an account compromise but can also be the result of a compromised or discovered website, leaked passwords, or other sensitive data that can result from a brute force attack.

Website Access

Hackers may also try to get into the backend of your website or another public-facing website in hopes of compromising it or dropping some kind of malicious code. Some companies may accidentally have sites containing sensitive data exposed to the internet — hackers can uncover these sites via brute force attacks.

Ad Hijacking

Hackers may get into your advertising accounts in order to commit ad fraud. Because this isn’t necessarily a network compromise, your traditional security/visibility tools may not catch it.

Cryptojacking

Brute force attacks may lead to device or network compromise where malicious hackers leverage your device or network’s resources in order to mine cryptocurrency.

Botnet Conscription

The same kind of compromise that can lead to cryptojacking can also lead to your devices becoming part of a botnet, capable of contributing to DDoS attacks in the future.

Malware/Ransomware Distribution

Brute force attacks can just be a prelude to further attacks such as malware/ransomware attacks. If a malicious hacker has direct access to your devices or network, it makes it much easier to drop any kind of ransomware or malware on your network, further compromising your organization.

Types of Brute Force Attacks


Brute force attacks can be carried out manually, but hackers can also leverage tools that carry them out in a more automated fashion, increasing their odds of success. Here are the types of brute force attacks to look out for.

Manual Credential Stuffing

Credential stuffing refers to hackers trying various login combinations in order to access an account. Depending on the hacker group or the targeted organization, this can be a manual process that leverages a known data point, such as an email address or the format of an organization’s email addresses.

However, this tactic has largely been replaced by automated forms that exponentially increase the odds of success on the hacker’s part.

Data-Breach Informed Credential Stuffing

One of the unfortunate consequences of the various data breaches that have leaked millions and billions of email/password combinations is that common email addresses linked to accounts have been leaked as well as their associated passwords.

Because password reuse is a common practice among most people, hackers know they can try a password/email combination across multiple accounts in hopes of finding a successful attack. This makes targeted brute force attacks much more dangerous because key pieces of log-in data are known.

Data breaches have also provided insights into the most common passwords used across any type of accounts. These insights have revealed that password hygiene still needs improvement as passwords like “123456” or “password” are still commonplace. This gives hackers a strong starting point when attacking an organization.

Automated Credential Stuffing

Trying different email/password combinations can be an arduous process but hackers have access to tools and scripts that can automate the process.

These tools allow for hundreds of email/password combinations to be attempted in a matter of seconds. Without countermeasures to stop them, discovering a password is a matter of statistical probability. Given that log-in credentials such as email addresses are often known, it means a hacker can easily get into an account.

To get around lockouts and attempt limits, some tools can spread their attempts across different time intervals, and a list of likely passwords can be used to increase the odds of success within a smaller time frame.

URL Discovery

Many organizations that use popular cloud hosting/infrastructure services like AWS may not have it properly configured. This has led to a number of high-profile data leaks where databases containing sensitive data were exposed on the internet — anyone with the right URL could see it.

Hackers are taking advantage of this as well as other URLs within a domain that may house sensitive data that are publicly available by running scripts that try various URL combinations in order to find these sites.

Cryptographic Decryption

Most brute force attacks are attempts to get into an account. However, brute force attacks can also be used to decrypt passwords from a data breach. Many password leaks come in the form of encrypted password data, which requires decryption tools in order to transform the password data into plain text.

Organizations should never store passwords in plaintext. Instead, passwords are “hashed”, meaning each one has been purposefully transformed into a different string of characters. However, hackers have tools developed explicitly to match the hashes of stored password data against candidate passwords, meaning they can reveal the actual password.

This has led to a cat-and-mouse dynamic: new encryption and cryptographic obfuscation methods like hashing continue to be developed and applied to secure password data in case of a breach, while hackers develop more and more advanced decryption tools.
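As an added illustration (this is not code from the Varonis post, and the usernames, passwords and parameters are constructed), the snippet below shows why the choice of hashing scheme decides how far the "matching" tools described above get. An unsalted fast hash behaves the way the text warns: two users with the same password get the same stored record, so one precomputed table of common-password hashes matches both directly. A per-user salt plus a slow key-derivation function (PBKDF2-HMAC-SHA256 from Python's standard library) gives every user a distinct record and makes each guess expensive.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# Constructed sample: two users who happened to choose the same weak password.
USERS = {"alice": "password", "bob": "password"}


def unsalted_sha256(password: str) -> str:
    """The weak scheme: one fast, unsalted hash. Identical passwords collide, and a
    table of precomputed hashes for common passwords matches the stored value directly."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Stronger scheme: random per-user salt and an iterated KDF (PBKDF2-HMAC-SHA256).
    The stored record carries its own parameters so verification can reproduce them."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the KDF with the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash record")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    # compare_digest avoids leaking, via timing, how many leading bytes matched.
    return hmac.compare_digest(dk.hex(), dk_hex)


def records_collide(scheme: Callable[[str], str]) -> bool:
    """True when the two sample users end up with identical stored records, i.e. when a
    single table lookup would crack both and the reuse itself is visible in the dump."""
    hashed = [scheme(pw) for pw in USERS.values()]
    return hashed[0] == hashed[1]


if __name__ == "__main__":
    print("unsalted SHA-256 records collide:", records_collide(unsalted_sha256))
    print("salted PBKDF2 records collide:   ", records_collide(hash_password))
    rec = hash_password("correct horse battery staple")
    print("verify correct password:", verify_password("correct horse battery staple", rec))
    print("verify wrong password:  ", verify_password("Password1", rec))
```

The iteration count is the knob that turns a brute force run from milliseconds per guess into a real cost; raise it as hardware gets faster, and store it in the record (as done here) so old hashes can be upgraded on the user's next successful login.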

Preventing Brute Force Attacks From Being Successful


Fortunately, due to the nature of brute force attacks, there are a few ways to protect against these attacks. Here are a few methods and tools to consider.

Use 2FA Whenever Possible

Two-factor authentication (also known as multi-factor authentication) is one of the most effective ways to defend against brute force attacks that seek to get into accounts via password compromises.

Even if a hacker is using an automated tool and winds up with the right password/email combination, it’s unlikely that they have access to the additional authentication factor, making 2FA incredibly effective.

Enable Captcha as Part of the Login Process

Requiring a captcha, even the most basic form of having someone confirm they aren’t a robot, can go a long way toward stopping automated brute force attacks. Depending on the script or tool a hacker is using, the captcha may stop the automated password entry entirely.

Even if the tool is designed to click through a common captcha query, this method still adds extra seconds to attempts that may number in the thousands. This will dramatically slow down a hacker’s efforts and may make them give up and look for another company’s account to get into.

Throttle Log-In Attempts

Placing limits on how often someone can try to get into an account can prevent both manual and automated brute force attacks. You can either lock the account after a set number of failed attempts (say 5 or 10) or trigger a password reset after a specific number of failed attempts.

A similar method that still protects against brute force attacks is adding a time interval between failed attempts. This could be a fixed 10-30 seconds before each consecutive attempt, or a scaling model that increases the delay with each failed attempt (10 seconds, 30 seconds, 2 minutes, 5 minutes, for example).

Detection tools that alert you to behavioral anomalies such as repeated login attempts can also reveal that someone is trying to brute-force their way into your network or accounts.
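The throttling and detection ideas in this section, as an added example that is not part of the Varonis post. The throttle implements the scaling schedule quoted above (10 s, 30 s, 2 min, 5 min) and locks the account after a fixed number of failures; the detector runs over a constructed authentication log and flags any source address that produced a burst of failures across many usernames, which is the pattern automated credential stuffing leaves behind. The log format, thresholds and clock injection are assumptions made for the example.

```python
import time
from collections import defaultdict
from typing import Callable, Dict, List, Set, Tuple

# Escalating delay (seconds) after each consecutive failure; later failures keep the last value.
BACKOFF_SCHEDULE = [10, 30, 120, 300]
LOCKOUT_AFTER = 10  # failures before the account is locked and a password reset is required


class LoginThrottle:
    """Per-username failure counter with escalating delay and a hard lockout."""

    def __init__(self, now: Callable[[], float] = time.time):
        self.now = now  # injectable clock so the behaviour can be tested without sleeping
        self.failures: Dict[str, int] = defaultdict(int)
        self.next_allowed: Dict[str, float] = {}
        self.locked: Set[str] = set()

    def check(self, username: str) -> Tuple[bool, str]:
        """Called before a credential is even compared; returns (allowed, reason)."""
        if username in self.locked:
            return False, "locked: password reset required"
        wait = self.next_allowed.get(username, 0.0) - self.now()
        if wait > 0:
            return False, f"retry in {wait:.0f}s"
        return True, "ok"

    def record(self, username: str, success: bool) -> None:
        """Called after the credential check; a success clears the counters."""
        if success:
            self.failures.pop(username, None)
            self.next_allowed.pop(username, None)
            return
        self.failures[username] += 1
        n = self.failures[username]
        if n >= LOCKOUT_AFTER:
            self.locked.add(username)
            return
        delay = BACKOFF_SCHEDULE[min(n, len(BACKOFF_SCHEDULE)) - 1]
        self.next_allowed[username] = self.now() + delay


# Constructed sample auth log: "<epoch> <result> user=<name> ip=<addr>".
SAMPLE_LOG = """\
1700000000 FAIL user=alice ip=203.0.113.7
1700000002 FAIL user=alice ip=203.0.113.7
1700000003 FAIL user=bob ip=203.0.113.7
1700000005 FAIL user=carol ip=203.0.113.7
1700000006 FAIL user=dave ip=203.0.113.7
1700000007 FAIL user=erin ip=203.0.113.7
1700000100 FAIL user=alice ip=198.51.100.9
1700000900 OK user=alice ip=198.51.100.9
"""


def spraying_sources(log: str, window: int = 60, threshold: int = 5) -> List[str]:
    """Return source IPs with at least `threshold` failed logins inside any `window` seconds.
    One address failing against several accounts in a short burst is the automated-tool signature."""
    failures_by_ip: Dict[str, List[int]] = defaultdict(list)
    for line in log.splitlines():
        ts, result, _user, ip = line.split()
        if result == "FAIL":
            failures_by_ip[ip.split("=", 1)[1]].append(int(ts))
    flagged = []
    for ip, times in failures_by_ip.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                flagged.append(ip)
                break
    return flagged


if __name__ == "__main__":
    throttle = LoginThrottle()
    throttle.record("alice", success=False)
    print(throttle.check("alice"))          # (False, 'retry in 10s')
    print(spraying_sources(SAMPLE_LOG))     # ['203.0.113.7']
```

Run the throttle check before touching the password hash, so a throttled request costs the server nothing; and key the detector on the source address as well as the username, because stuffing tools rotate through many accounts and would otherwise stay under a per-account threshold.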

Require Stronger, Unique Passwords

With automated brute force attacks, figuring out a password will happen, given enough time.

However, the longer, more complex, and more unique the password is, the harder it will be for an attacker to figure it out. Most automated tools work from a list of passwords stolen in leaked data breaches in hopes of getting into an account: if unique passwords are used, they may never be discovered by one of these tools at all.

Enforcing a strong password policy can significantly reduce your risk of exposure to these types of attacks (and also makes decrypting leaked password data more difficult).

Sign up for HaveIBeenPwned

HaveIBeenPwned (HIBP) is a free service that checks whether your emails have been part of a past data breach, whether your password already exists in a data breach (meaning it can more easily be discovered) or if emails pertaining to a specific domain have been leaked as part of a breach.

It’s a great service to encourage your employees to sign up for, but it’s also worth subscribing (again, free) to their domain service. All of their features offer alerts, so HIBP will let you know if any future data breach contains emails tied to your organization’s domain.
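The two previous sections together describe a password policy that rejects short passwords and anything already present in a breach corpus. The added example below (not code from the Varonis post or from HIBP) shows how such a check can use HIBP's Pwned Passwords range lookup: the client hashes the candidate with SHA-1, sends only the first five hex characters of the hash to `https://api.pwnedpasswords.com/range/<prefix>`, and searches the returned `SUFFIX:COUNT` lines locally, so the password itself never leaves the machine. The network call is replaced here by `range_response`, an offline stub over a constructed two-entry breach table whose counts are invented; the 12-character minimum is likewise an assumption.

```python
import hashlib
from typing import Callable, Dict, Optional

# Constructed stand-in for the breach corpus, keyed by upper-case SHA-1 hex as HIBP does.
# The two entries are the passwords the article names as still commonplace; counts are made up.
BREACHED_COUNTS: Dict[str, int] = {
    hashlib.sha1(b"123456").hexdigest().upper(): 37_000_000,
    hashlib.sha1(b"password").hexdigest().upper(): 9_000_000,
}


def range_response(prefix: str) -> str:
    """Offline stub for GET /range/<prefix>: every breached hash sharing the 5-char prefix,
    one "SUFFIX:COUNT" line each. Only the prefix reaches the server in the real protocol."""
    return "\n".join(
        f"{h[5:]}:{count}" for h, count in BREACHED_COUNTS.items() if h.startswith(prefix)
    )


def breach_count(password: str, fetch: Callable[[str], str] = range_response) -> int:
    """Number of times the password appears in the corpus, or 0 if it is not present.
    SHA-1 is used here only because that is what the lookup protocol keys on; it is not
    a storage hash (see the PBKDF2 example earlier on the page for that)."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        if not line:
            continue
        candidate_suffix, count = line.split(":")
        if candidate_suffix == suffix:
            return int(count)
    return 0


def check_policy(password: str, min_length: int = 12) -> Optional[str]:
    """Return a rejection reason, or None when the password is acceptable.
    Breach membership is checked first: a leaked password is unsafe at any length."""
    hits = breach_count(password)
    if hits:
        return f"appears in known breaches ({hits} times)"
    if len(password) < min_length:
        return f"too short (minimum {min_length})"
    return None


if __name__ == "__main__":
    for candidate in ("password", "tr0ub4dor&3", "a unique passphrase nobody reused"):
        print(repr(candidate), "->", check_policy(candidate) or "accepted")
```

To go live, swap `range_response` for an HTTPS GET of the real endpoint with the prefix appended; the rest of the logic is unchanged, and the local suffix comparison is what keeps the full hash, and therefore the password, on the client.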

Strong Security Hygiene Will Protect Against Brute Force Attacks

Brute force attacks take advantage of organizations with gaps in their overall security posture, or that have low-hanging vulnerabilities, improperly implemented security controls, or poor monitoring capabilities.

However, any organization that practices strong password hygiene, has enabled 2FA, or has placed limits on account logins can prevent much of the risk posed by brute force attacks.
