A brute force attack, sometimes called brute force cracking, is the equivalent of trying every key on your keyring until you find the right one. Brute force attacks were responsible for 5% of verified data breach events in 2017 and encouraged various industries to find protection such as one-way data encryption in healthcare.
Brute force attacks are straightforward and dependable. Attackers let a machine do the work, such as attempting multiple login and password combinations until they discover one that works. Detecting and defeating a brute force attack in progress is the greatest defense: once attackers get access to the network, they become considerably more difficult to detect.
Brute Force Attack Types
A dictionary attack is the most basic type of brute force attack, in which the attacker goes through a dictionary of potential passwords and attempts them all. Dictionary attacks begin with certain assumptions about typical passwords to try to guess from a dictionary list. Given newer and more powerful tactics, these attacks are becoming rather obsolete.
Recent computers from the last ten years or so can brute force break an 8-character alphanumeric password with capital and lowercase letters, digits, and special characters in around two hours. Computers are sufficiently powerful that they can brute force decipher a weak encryption hash in a few months. An exhaustive key search is a type of brute force attack where a computer attempts every possible combination of every possible character to find the correct combination.
Credential recycling is another sort of brute force attack that attempts to break into other systems by reusing usernames and passwords from previous data breaches.
The reverse brute-force attack begins with a popular password, such as “password,” and then attempts to brute force a username to go with that password. Because “password” is one of the most often used passwords, this method is more effective than you would believe.
The Reasons for Brute Force Attacks
Brute force attacks often occur during the reconnaissance and penetration stages of the cyber death chain. Brute force approaches are a “set it and forget it” method of acquiring access to targets. Once within the network, attackers can employ brute force tactics to increase their privileges or carry out encryption downgrade operations.
Brute force attacks are also used by attackers to find hidden websites. Websites that exist on the internet but are not linked to other pages are known as hidden web pages. A brute force attack checks many addresses to determine whether they produce a legitimate webpage and then looks for a page to exploit. Things like a software flaw in the code that they might use for infiltration – such as the hole exploited to breach Equifax – or a website that exposes a list of usernames and passwords to the public.
Because a brute force attack requires minimal subtlety, attackers might automate many attempts to run in parallel to increase their chances of getting a positive outcome.
How to Protect Yourself Against Brute Force Attacks
Brute force attacks require time to execute. Some attacks might take weeks or even months to provide meaningful results. The majority of brute force defenses involve raising the time necessary for success beyond what is theoretically conceivable, however, this is not the only protection.
- Increase the length of your password. More characters mean more time to brute force crack.
- Increase password complexity. Having more alternatives for each character increases the time it takes to brute force crack the password.
- Login attempts should be limited. On most directory services, brute force attacks increase the number of failed login attempts – A useful protection against brute force attacks is to lock out users after a few failed attempts, effectively nullifying an ongoing brute force attack.
- Captcha should be used. Captcha is a standard mechanism used on websites to verify that a user is a person and can halt ongoing brute force attacks.
- Make use of two-factor authentication which adds a second layer of protection to each login attempt that involves human participation, potentially preventing the success of a brute force attack.
Monitoring is the first step in preventing brute force attacks. Varonis analyzes Active Directory activity and VPN traffic for ongoing brute force attacks. We have threat models that evaluate lockout patterns (which are frequently a symptom of a brute force attack), threat models that detect possible credential stuffing, all of which are meant to detect and block brute force attacks before they escalate.
It is preferable to identify an attack in progress and actively halt it than to assume your credentials are uncrackable. Once the attack has been detected and stopped, you can block IP addresses to prevent future attempts from the same machine.