Brute Force Attack: Definition, Types, and Prevention
source link: https://www.varonis.com/blog/brute-force-attack/
Updated: 12/8/2021
A brute force attack is a category of attack that leverages computers’ power to rapidly perform the same action millions of times to “guess” passwords, discover hidden URLs, or expose encrypted or hashed passwords. While there are easy and common ways to defend against it, a brute force attack costs the attacker very little effort, which makes it an easy way to find a vulnerability within a company’s site.
In this article, we’ll go over exactly what a brute force attack is, how it can put you at risk, and how to best defend against this type of attack.
What is a Brute Force Attack?
A brute force attack is an attempt by an attacker to gain access to an account or secured system by repeatedly entering credentials, either manually or in an automated way. The attacker leveraging this kind of attack is often looking to uncover passwords to get into accounts, find hidden URLs that lead to sensitive or important data, or decrypt passwords from a leaked trove of data.
When and why are brute force attacks used?
Brute force attacks are relatively unsophisticated but have a big payoff. It’s the equivalent of a thief trying to get into a house and finding the front door unlocked. If that’s the case, why opt for a more complicated and risky method?
Here are a few types of attacks and what a hacker is trying to accomplish.
Account Takeover/Compromise
This is the classic use of a brute force attack. A malicious actor finds their way into an important account via credential stuffing and can then compromise the account in a variety of ways, steal important information, or impersonate the account holder.
Data Exfiltration/Leak
Data exfiltration is a common consequence of an account compromise but can also be the result of a compromised or discovered website, leaked passwords, or other sensitive data that can result from a brute force attack.
Website Access
Hackers may also try to get into the backend of your website or another public-facing website in hopes of compromising it or dropping some kind of malicious code. Some companies may accidentally have sites containing sensitive data exposed to the internet — hackers can uncover these sites via brute force attacks.
Ad Hijacking
Hackers may get into your advertising accounts in order to commit ad fraud. Because this isn’t necessarily a network compromise, your traditional security/visibility tools may not catch it.
Cryptojacking
Brute force attacks may lead to device or network compromise where malicious hackers leverage your device or network’s resources in order to mine cryptocurrency.
Botnet Conscription
The same kind of compromise that can lead to cryptojacking can also lead to your devices becoming part of a botnet, capable of contributing to DDoS attacks in the future.
Malware/Ransomware Distribution
Brute force attacks can just be a prelude to further attacks such as malware/ransomware attacks. If a malicious hacker has direct access to your devices or network, it makes it much easier to drop any kind of ransomware or malware on your network, further compromising your organization.
Types of Brute Force Attacks
Brute force attacks can be carried out manually, but hackers can also leverage tools that carry out brute force attacks in a more automated fashion, increasing their odds of success. Here are the types of brute force attacks to look out for.
Manual Credential Stuffing
Credential stuffing refers to hackers trying various login combinations in order to access an account. Depending on the type of hacker group or the targeted organization, this can be a manual process that leverages a known data point, such as an email address or the format an organization uses for its email addresses.
However, this tactic has largely been replaced by automated forms that exponentially increase the odds of success on the hacker’s part.
Data-Breach Informed Credential Stuffing
One of the unfortunate consequences of the various data breaches that have leaked millions and billions of email/password combinations is that the email addresses linked to accounts have been leaked together with their associated passwords.
Because password reuse is a common practice among most people, hackers know they can try a password/email combination across multiple accounts in hopes of finding a successful attack. This makes targeted brute force attacks much more dangerous because key pieces of log-in data are known.
Data breaches have also provided insights into the most common passwords used across any type of accounts. These insights have revealed that password hygiene still needs improvement as passwords like “123456” or “password” are still commonplace. This gives hackers a strong starting point when attacking an organization.
Automated Credential Stuffing
Trying different email/password combinations can be an arduous process but hackers have access to tools and scripts that can automate the process.
These tools allow hundreds of email/password combinations to be attempted in a matter of seconds. Without countermeasures to stop them, discovering a password is a matter of statistical probability. Given that log-in identifiers such as email addresses are often already known, a hacker can easily get into an account.
To get around lockout and attempt limitations, some tools can run at different time intervals and a list of passwords can be utilized in order to increase the odds of success within a smaller time frame.
URL Discovery
Many organizations that use popular cloud hosting/infrastructure services like AWS may not have it properly configured. This has led to a number of high-profile data leaks where databases containing sensitive data were exposed on the internet — anyone with the right URL could see it.
Hackers take advantage of this, as well as of other publicly reachable URLs within a domain that may house sensitive data, by running scripts that try various URL combinations in order to find these sites.
Cryptographic Decryption
Most brute force attacks are attempts to get into an account. However, brute force attacks can also be used to decrypt passwords from a data breach. Many password leaks come in the form of encrypted password data, which requires decryption tools in order to transform the password data into plain text.
Organizations should never store passwords in plaintext. Instead, passwords are “hashed”, meaning each one has been purposefully transformed into a different string of characters. However, hackers have access to tools developed explicitly to match the hashes of stored password data, meaning they can reveal the actual passwords.
This has led to a cat-and-mouse dynamic: new encryption and cryptographic obfuscation methods like hashing continue to be developed and applied to secure password data in case of a breach, while hackers develop more and more advanced decryption tools.
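To make the hashing point concrete, here is an added example (not code from the article) of the kind of storage that resists hash-matching tools: a per-user random salt plus a deliberately slow PBKDF2 hash, contrasted with an unsalted fast hash. The iteration count and the stored record format are assumptions chosen for the demo.

```python
import hashlib
import hmac
import os

# Added example, not the article's code. Assumption: PBKDF2-HMAC-SHA256 with a
# per-user 16-byte random salt; the iteration count is a demo value and should
# be tuned upward for production hardware.
ITERATIONS = 200_000
SALT_BYTES = 16


def weak_hash(password: str) -> bytes:
    """Unsalted fast hash: every user with the same password gets the same
    digest, so one precomputed table of common passwords matches them all."""
    return hashlib.sha256(password.encode()).digest()


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted, deliberately slow hash. Returns 'pbkdf2$iterations$salt$digest'."""
    salt = salt or os.urandom(SALT_BYTES)  # fresh salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_digest_for_same_password(scheme, password: str) -> bool:
    """True when two users who pick the same password end up with identical
    stored values, i.e. when a single table lookup would expose both of them."""
    return scheme(password) == scheme(password)
```

With the salted scheme each guess must be recomputed per user at full PBKDF2 cost, which is what turns a one-time table lookup back into the expensive guessing the article describes.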
Preventing Brute Force Attacks From Being Successful
Fortunately, due to the nature of brute force attacks, there are a few ways to protect against these attacks. Here are a few methods and tools to consider.
Use 2FA Whenever Possible
Two-factor authentication (also known as multi-factor authentication) is one of the most effective ways to defend against brute force attacks that seek to get into accounts via password compromises.
Even if a hacker is using an automated tool and winds up with the right password/email combination, it’s unlikely that they have access to the additional authentication factor, making 2FA incredibly effective.
Enable Captcha as Part of the Login Process
Requiring a captcha, even the most basic form of having someone confirm they aren’t a robot, can go a long way in stopping automated brute force attacks. Depending on the script or tool a hacker is using, the captcha may stop the automated password entry.
Even if the tool is designed to click through a common captcha query, this method still adds extra seconds to attempts that may number in the thousands. This will dramatically slow down a hacker’s efforts and may make them give up and look for another company’s account to get into.
Throttle Log-In Attempts
Placing limits on how often someone can try to get into an account can prevent manual and automated brute force attacks. You can either limit how often someone can try to get into an account (say, after 5 or 10 failed attempts) or trigger a password reset after a specific number of failed attempts.
A similar method that still protects against brute force attacks is adding a time interval between failed attempts. This could be 10-30 seconds before each consecutive attempt, or you can use a scaling model that increases with each failed attempt (10 seconds, 30 seconds, 2 minutes, 5 minutes, for example).
Detection tools that alert you to behavioral anomalies, such as repeated login attempts, can also reveal when someone is trying to brute-force their way into your network or accounts.
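As an added illustration of the throttling and alerting just described (example code written for this page, not Varonis’s), the following Python sketch applies the 10 s / 30 s / 2 min / 5 min scaling lockout per account, rejects attempts while the account is locked, and raises an alert after repeated failures. The alert threshold of five, the repeat of the last delay for further failures, and the reset on a successful login are assumptions.

```python
from dataclasses import dataclass, field

# Scaling lockout schedule from the article: 10 s, 30 s, 2 min, 5 min.
# Assumptions (added example, not the article's code): the last delay repeats
# for every further failure, a successful login clears the counter, and five
# consecutive failures raise an alert for the security team.
DELAY_SCHEDULE = (10, 30, 120, 300)
ALERT_THRESHOLD = 5


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts
    locked_until: float = 0.0  # seconds (epoch) until the next attempt is accepted


@dataclass
class LoginThrottle:
    accounts: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        return now < self._state(user).locked_until

    def record_failure(self, user: str, now: float) -> int:
        """Count a failed attempt and return the lockout delay applied, in seconds."""
        st = self._state(user)
        st.failures += 1
        delay = DELAY_SCHEDULE[min(st.failures, len(DELAY_SCHEDULE)) - 1]
        st.locked_until = now + delay
        if st.failures == ALERT_THRESHOLD:  # behavioural anomaly worth alerting on
            self.alerts.append(f"{user}: {st.failures} consecutive failed logins")
        return delay

    def record_success(self, user: str) -> None:
        self._state(user).failures = 0


def attempt_login(throttle: LoginThrottle, user: str, supplied: str, verify, now: float) -> str:
    """Return 'locked', 'ok' or 'fail'; `verify(user, supplied)` is the real credential check."""
    if throttle.is_locked(user, now):
        return "locked"  # rejected without even evaluating the credential
    if verify(user, supplied):
        throttle.record_success(user)
        return "ok"
    throttle.record_failure(user, now)
    return "fail"


def replay_burst(throttle: LoginThrottle, user: str, guesses: list, verify, spacing: float = 0.5) -> list:
    """Replay a password list `spacing` seconds apart, as an automated tool would, and return the outcomes."""
    return [attempt_login(throttle, user, g, verify, i * spacing) for i, g in enumerate(guesses)]
```

Because the first failure locks the account for 10 seconds, a list fired at two guesses per second is rejected without the credentials even being checked, even when the correct password is in the list.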
Require Stronger, Unique Passwords
With automated brute force attacks, a password will eventually be figured out, given enough time.
However, the longer, more complicated, and more unique the password is, the harder it will be for an attacker to figure it out. Most automated tools use a list of passwords taken from leaked data breaches in hopes of getting into an account; if unique passwords are used, they may not even be discovered by one of these automated tools.
Enforcing a strong password policy can significantly reduce your risk of exposure to these types of attacks (and makes decrypting password data also more difficult).
Sign up for HaveIBeenPwned
HaveIBeenPwned (HIBP) is a free service that checks whether your emails have been part of a past data breach, whether your password already exists in a data breach (meaning it can more easily be discovered) or if emails pertaining to a specific domain have been leaked as part of a breach.
It’s a great service to encourage your employees to sign up for, but it’s also worth subscribing (again, free) to their domain service. All of their features offer an alert function, so HIBP will let you know if any future data breaches contain emails tied to your organization’s domain.
Strong Security Hygiene Will Protect Against Brute Force Attacks
Brute force attacks take advantage of organizations with gaps in their overall security posture, or with low-hanging vulnerabilities, improperly implemented security controls, or poor monitoring capabilities.
However, any organization that maintains strong password hygiene, has enabled 2FA, or has placed limitations on account logins can remove much of the risk posed by brute force attacks.