How To Defend Against Brute Force Attacks
Every day, attackers find new and elaborate ways to compromise networks. Nevertheless, one of the most time-tested techniques, the brute force attack, remains as popular as ever.
It is such a commonplace password-cracking method because it works against nearly any password, PIN, or key, whatever system is protecting it, and attackers have a wealth of tools at their disposal to carry it out. That, paired with the fact that people still use short, predictable passwords, is what keeps these attacks succeeding.
Brute force attacks are becoming faster and more systematic, so organizations need to combine prevention with the ability to recognize and stop an attack in progress before it compromises their systems.
What Is A Brute Force Attack?
A brute force attack is a trial-and-error method that hackers use to access information such as usernames, passwords, passphrases, or PINs (personal identification numbers), or to decode sensitive data such as encryption keys or hidden webpages.
Think of it as the cyberattack equivalent of trying every key on your keyring until you ultimately find the right one. Hackers plow through every potential combination in hopes of correctly guessing a targeted username and/or password in an attempt to gain unauthorized access to an account or system.
Unlike many other techniques used by bad actors, brute force attacks don't depend on a software vulnerability in the target. They rely instead on users choosing weak or guessable credentials, and on the system letting the attacker make an unlimited number of guesses.
Automated software is used to generate a vast number of consecutive guesses at the sought-after value. While they can be incredibly time-consuming, brute force attacks are, given enough time and an unrestricted number of attempts, guaranteed to succeed eventually. That is why penetration testers routinely use the same techniques to test an organization's password strength and login protections.
Why Do Hackers Execute Brute Force Attacks?
There are any number of reasons why cybercriminals would want to perform a brute force attack on an individual or an organization. Unsurprisingly, the majority of these reasons are nefarious in nature.
It’s All About the Benjamins
Hackers have to eat, too – at least, in theory. When they can manipulate someone’s website in order to earn advertising commissions for themselves, why wouldn’t they? Cybercriminals accomplish this underhanded monetary gain by placing spam ads on well-traveled sites so that they’ll “earn” money each time an ad is clicked or viewed by visitors. They might also reroute a website’s traffic to commissioned ad sites, where – of course – they’ll also get a kickback. Alternatively, hackers might infect a site or its visitors with activity-tracking malware (commonly referred to as spyware). This data, in turn, is sold to advertisers without users’ consent in order to help advertisers improve their marketing efforts.
Steal Your Stuff
From bank accounts to tax information, practically everything about you can be found online. A successful smash-and-grab could allow a cybercriminal to steal your identity or your money, or to sell your private data for profit. In corporate-level data breaches, the sensitive databases of whole organizations can be exposed.
Spread Malware Simply to Cause Disruptions
Some hackers may choose to redirect a website’s traffic to malicious sites for no particular reason, other than that they find it to be fun or entertaining. These bad actors may cloak their activities under the guise of “practicing their skills,” but, in reality, they probably just enjoy causing trouble.
Hijack Your System for Malevolent Activity
When one machine isn’t sufficient, hackers may mobilize an army of unsuspecting devices referred to as a “botnet” to expedite their efforts. Malware can be used to infiltrate your computer, mobile device, or online accounts for spamming, phishing, advanced brute force attacks, and more. You may be at greater risk of infection if you haven’t deployed an antivirus system.
Wreck Your Website’s Reputation
A cybercriminal might opt to sabotage an organization’s website by marring it with obscene content, including text, images, and audio of a violent, pornographic, or racially insensitive nature.
6 Common Types of Brute Force Attacks
There are at least six common types of brute force attacks that hackers employ for their various purposes:
Simple Brute Force Attack
In a simple brute force attack, the attacker tries every possible combination systematically, with no intelligence about the target beyond the allowed character set and length. Extremely short or basic passwords (for example, "guest123") and four-digit PINs are the most susceptible. This tactic is most practical offline, against a captured password hash or a password-protected local file, where nothing limits the number of attempts.
Dictionary Attack
When an attacker has targeted a specific username, they will often run a sequence of candidate passwords against that name drawn from a "dictionary" of frequently used words and leaked passwords (for example, "admin" or "123456"), rather than guessing at random. A good wordlist raises the attacker's success rate considerably, but a plain dictionary attack still needs a large number of attempts and only finds passwords that appear in the list verbatim. For that reason a bare dictionary attack is rarely used on its own today; it is usually paired with mangling rules, as in the hybrid attack below.
Hybrid Brute Force Attack
A hybrid attack combines a dictionary attack with a limited brute force search. Instead of testing literally every possible string, the attacker takes each dictionary word and applies small transformations: appending digits or a year, toggling letter case, substituting look-alike characters. This kind of attack is aimed at the very common pattern of a familiar word plus a few extra characters, such as "NewJersey1994" or "Jerry911."
Reverse Brute Force Attack
In this type of attack, a hacker doesn’t single out a specific username, but instead uses a generic group of passwords or an individual password against a list of likely usernames. The attacker starts with a known password or collection of passwords (often leaked online from existing data breaches), then searches millions of usernames until they discover a match. A common password like “password” can be paired with a username far more easily than you’d think.
Credential Stuffing
When an attacker finds a username and password combination that works on one site, they will try it against a variety of other sites as well. Many people reuse the same login across many sites for convenience, and those users are the primary targets of credential stuffing. The attack works at all only because so many users ignore the standard advice to use a different password for every account.
Exhaustive Key Search
A modern GPU cracking rig can exhaust every eight-character password drawn from the full printable keyboard set (upper and lowercase letters, digits, and symbols: 95^8, or about 6.6 quadrillion candidates) in roughly two hours when the password is stored with a fast, unsalted hash such as MD5 or NTLM. The same search against a deliberately slow password hash such as bcrypt or Argon2 takes orders of magnitude longer, which is the whole point of those algorithms. Applied to cryptographic keys rather than passwords, the same approach is called an exhaustive key search: the attacker tries every possible key until the ciphertext decrypts correctly. It is only practical against weak or short keys; a properly generated 128-bit or 256-bit key is far beyond reach.
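The simple, dictionary, and hybrid attacks described above, together with the keyspace arithmetic, as an added example that is not part of the original post. It is an offline attack against a constructed table of unsalted SHA-256 hashes (the plaintexts, wordlist, and guess rates are all assumptions made up for the demo); the point is to see which attack recovers which kind of password and why a small keyspace or a known word makes the difference.

```python
import hashlib
import itertools
import string
from typing import Iterable, Iterator, Optional

# Constructed sample "database": SHA-256 of each user's password with no salt and
# no work factor, which is exactly what makes an offline attack cheap. The
# plaintexts ("1234", "admin", "Jerry911") are hashed here only so the demo can
# verify its own guesses; they are not from any real system.
SAMPLE_HASHES = {
    "pin_user": hashlib.sha256(b"1234").hexdigest(),
    "dict_user": hashlib.sha256(b"admin").hexdigest(),
    "hybrid_user": hashlib.sha256(b"Jerry911").hexdigest(),
}

# Constructed wordlist standing in for a real one such as rockyou.txt.
WORDLIST = ["password", "admin", "welcome", "jerry", "newjersey"]


def simple_candidates(alphabet: str, length: int) -> Iterator[str]:
    """Simple brute force: every string of exactly `length` over `alphabet`."""
    for combo in itertools.product(alphabet, repeat=length):
        yield "".join(combo)


def dictionary_candidates(words: Iterable[str]) -> Iterator[str]:
    """Dictionary attack: each wordlist entry verbatim."""
    yield from words


def hybrid_candidates(words: Iterable[str], max_digits: int = 3) -> Iterator[str]:
    """Hybrid attack: each wordlist entry in a few case variants, with 0..max_digits
    digits appended (the "word plus a number" pattern)."""
    for word in words:
        for variant in {word, word.lower(), word.upper(), word.capitalize()}:
            yield variant
            for n in range(1, max_digits + 1):
                for digits in itertools.product(string.digits, repeat=n):
                    yield variant + "".join(digits)


def crack(target_hash: str, candidates: Iterator[str]) -> Optional[str]:
    """Hash each candidate and return the first one that matches, or None."""
    for cand in candidates:
        if hashlib.sha256(cand.encode()).hexdigest() == target_hash:
            return cand
    return None


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates in an exhaustive search of fixed length."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time for an exhaustive search at a given (assumed) guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


def run_demo() -> dict:
    """Run each attack against the account it suits; returns recovered plaintexts."""
    return {
        "pin_user": crack(SAMPLE_HASHES["pin_user"], simple_candidates(string.digits, 4)),
        "dict_user": crack(SAMPLE_HASHES["dict_user"], dictionary_candidates(WORDLIST)),
        "hybrid_user": crack(SAMPLE_HASHES["hybrid_user"], hybrid_candidates(WORDLIST)),
        # the bare wordlist never contains "Jerry911", so this one stays None
        "hybrid_by_dictionary": crack(SAMPLE_HASHES["hybrid_user"], dictionary_candidates(WORDLIST)),
    }


if __name__ == "__main__":
    for account, plaintext in run_demo().items():
        print(f"{account:22s} -> {plaintext}")
    # 95 printable characters, length 8: assumed rates of 1e12/s (fast unsalted
    # hash on a GPU rig) versus 1e5/s (a slow password hash such as bcrypt).
    print("fast hash :", seconds_to_exhaust(95, 8, 1e12) / 3600, "hours")
    print("slow hash :", seconds_to_exhaust(95, 8, 1e5) / (3600 * 24 * 365), "years")
```

Swapping SHA-256 for a slow, salted hash changes nothing about the candidate generators but multiplies the cost of every call to `crack` by the hash's work factor, which is the defence the post returns to below.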
The Tools of the Trade
Depending on its length and complexity, cracking a password for a particular user or site can take anywhere from a few seconds to several years. While some attackers still perform brute force attacks by hand, today almost all of them are carried out by automated software, often distributed across bots. Attackers accumulate lists of commonly used passwords, or real credentials obtained from earlier breaches or bought on the dark web. The bots work through those lists against the targeted sites and notify the attacker when a login succeeds.
Some of the most popular “tools of the trade” include:
- Aircrack-ng: Recovers WEP keys and WPA/WPA2-PSK passphrases from captured wireless traffic, using a wordlist for WPA. Runs on Linux, Windows, macOS, and several BSDs.
- John the Ripper: Combines wordlist, rule-based, and incremental (exhaustive) modes against a wide range of password hash formats. Runs on 15 different platforms, including Unix, Windows, and OpenVMS.
- L0phtCrack: Audits Windows password hashes using rainbow tables, dictionaries, and multiprocessor brute force. Runs on Microsoft Windows.
- RainbowCrack: Uses precomputed rainbow tables to reverse unsalted hashes. Works on Windows and Linux.
- Hashcat: GPU-accelerated cracker supporting straight (wordlist), mask/brute force, rule-based, and hybrid attacks. Works on Windows, Linux, and macOS.
- DaveGrohl: An open-source tool for cracking macOS password hashes. Can be distributed across multiple computers.
- Ncrack: A network authentication cracker from the Nmap project that targets live services such as SSH, RDP, and FTP. Can be used on Windows, Linux, and BSD.
How to Defend Against Brute Force Attacks
Brute force attacks need time to work. Some run for weeks or even months before they produce anything useful. Perhaps the most common way to fend them off is to make the time required for success longer than an attacker can afford, whether by making each guess more expensive or by limiting how many guesses they can make. But that is not the only defense.
By and large, brute force attacks hinge on weak user passwords and careless administration. Both can be improved in order to close the gaps that could bring your network or website to its knees.
Strong Password Storage
To make offline brute force attacks expensive, administrators should make sure passwords are never stored in plaintext or with reversible encryption, and never with a fast general-purpose hash such as MD5 or SHA-1. Store them instead as salted hashes produced by a purpose-built, deliberately slow password hashing function (Argon2id, bcrypt, scrypt, or PBKDF2 with a high iteration count). The salt stops an attacker from cracking every account at once with precomputed tables, and the higher the work factor, the more each guess costs them. For data encrypted with a key, use a standard cipher with a key of 128 bits or more (AES-256 is common) and derive that key from any password with the same kind of slow function.
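The weak and the hardened way to store a password, as an added example that is not from the original post. It uses only the Python standard library (PBKDF2-HMAC-SHA256, since Argon2id and bcrypt need third-party packages); the record format, the 600,000-iteration figure (OWASP's current recommendation for this algorithm), and the `needs_rehash` policy are this example's own choices, not anything the post prescribes.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. Raise it over time as hardware gets faster;
# stored records carry their own iteration count so old ones can be upgraded.
ITERATIONS = 600_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def weak_hash(password: str) -> str:
    """The 'before': unsalted SHA-256. Identical passwords give identical hashes, a
    rainbow table reverses common ones instantly, and a GPU can test billions of
    guesses per second against it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """The 'after': per-user random salt plus a slow KDF. Returns a self-describing
    record, algorithm$iterations$salt_hex$hash_hex, so the parameters can change
    later without breaking verification of existing records."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare in
    constant time, so timing does not leak how many leading bytes matched."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported record format: {algorithm}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(record: str, minimum_iterations: int = ITERATIONS) -> bool:
    """True when a stored record uses fewer iterations than current policy; the
    caller can then re-hash the (just verified) password transparently at login."""
    _, iterations, _, _ = record.split("$")
    return int(iterations) < minimum_iterations


if __name__ == "__main__":
    pw = "correct horse battery staple"   # constructed demo password
    print("weak   :", weak_hash(pw))
    print("weak   :", weak_hash(pw), "(same again: no salt)")
    rec = hash_password(pw)
    print("strong :", rec)
    print("strong :", hash_password(pw), "(different salt, different hash)")
    print("verify :", verify_password(pw, rec), verify_password("wrong", rec))
```

The login path is verify, then `needs_rehash`, then `hash_password` again if the stored work factor is stale; that is how a deployment moves every account to a higher cost without ever asking users to reset.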
Two-Factor or Multi-Factor Authentication
Enabling 2FA or MFA adds a second, independent check to each login. After entering the password (something the user knows), the user must present a second factor of a different kind: something they have, such as a hardware security key or a one-time code from an authenticator app, or something they are, such as a fingerprint. A guessed or stolen password on its own then no longer opens the account.
Limit Login Attempts
Configuring your system to lock out an account after a set number of failed attempts can stop a brute force attack while it is in progress. Adding a delay between login attempts slows the attacker further. With progressive delays, each failed login locks the account for a short period, and every further failure lengthens the delay. The extra time gives your monitoring team a chance to spot and stop the attack, and some attackers simply give up when the wait is no longer worth their while. Apply the limits per source address as well as per account: the reverse brute force attack described above spreads a few guesses across many usernames and never trips a per-account counter on its own.
Lock Down Accounts After Excessive Attempts
If an attacker can simply keep retrying after each temporary lockout expires, they will come back for another go. Locking the account outright and requiring the user to contact an administrator to unlock it stops that. Short lockout timers are more convenient for users, but convenience can itself be a vulnerability. Bear in mind the flip side as well: an attacker who knows your lockout rule can deliberately lock legitimate users out, so keep the administrative unlock path quick.
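The progressive-delay and hard-lockout policy from the two sections above as one state machine, an added example that is not from the original post. The doubling schedule, the cap, and the failure threshold are this example's assumptions; the `FakeClock` exists only so the behaviour can be stepped through deterministically (production code would pass `time.time`).

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class Decision:
    allowed: bool
    retry_after: float = 0.0   # seconds until the next attempt is permitted
    locked: bool = False       # hard lock: an administrator has to clear it


@dataclass
class _State:
    failures: int = 0
    not_before: float = 0.0
    locked: bool = False


class LoginGuard:
    """Progressive delay of base_delay * 2**(n-1) seconds after the n-th consecutive
    failure (capped at max_delay), and a hard lock at max_failures. Keyed by an
    arbitrary string, so one instance can track accounts and another source IPs."""

    def __init__(self, base_delay: float = 1.0, max_delay: float = 300.0,
                 max_failures: int = 10, clock: Callable[[], float] = time.time):
        self.base_delay, self.max_delay, self.max_failures = base_delay, max_delay, max_failures
        self.clock = clock
        self._states: Dict[str, _State] = {}

    def check(self, key: str) -> Decision:
        """Call before the password is even examined: is an attempt permitted?"""
        st = self._states.get(key)
        if st is None:
            return Decision(allowed=True)
        if st.locked:
            return Decision(allowed=False, locked=True)
        remaining = st.not_before - self.clock()
        if remaining > 0:
            return Decision(allowed=False, retry_after=remaining)
        return Decision(allowed=True)

    def record(self, key: str, success: bool) -> Decision:
        """Call after verification. Returns what the *next* attempt will face."""
        if success:
            self._states.pop(key, None)          # a good login clears the counters
            return Decision(allowed=True)
        st = self._states.setdefault(key, _State())
        st.failures += 1
        if st.failures >= self.max_failures:
            st.locked = True
            return Decision(allowed=False, locked=True)
        delay = min(self.base_delay * 2 ** (st.failures - 1), self.max_delay)
        st.not_before = self.clock() + delay
        return Decision(allowed=False, retry_after=delay)

    def unlock(self, key: str) -> None:
        """Administrator action after the user has been contacted."""
        self._states.pop(key, None)


class FakeClock:
    """Constructed, controllable clock for the demo and tests."""

    def __init__(self, start: float = 0.0):
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


if __name__ == "__main__":
    clock = FakeClock(1000.0)
    guard = LoginGuard(max_failures=5, clock=clock.now)
    for attempt in range(1, 6):
        d = guard.record("alice", success=False)
        print(f"failure {attempt}: next attempt in {d.retry_after}s, locked={d.locked}")
        clock.advance(d.retry_after)
```

In a real service, `check` runs on the account key and the client address before the password is verified, and `record` runs on both afterwards; the per-address instance is what catches a single source cycling through many usernames.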
CAPTCHA
A CAPTCHA is a challenge-response test used to check whether a user is human. It comes in many forms, including retyping the text in an image, identifying objects in photos, or ticking a checkbox. The idea is to stop the bots that drive automated brute force attacks while remaining easy for a person to pass. To protect the login form, present a CAPTCHA before the first attempt and after each failed one. Treat it as a speed bump rather than a wall: determined attackers route challenges to paid solving services, so a CAPTCHA complements attempt limits and monitoring, it does not replace them.
Monitor Login Activity
Watch for abnormal activity: logins from unusual locations, large numbers of failed attempts against one account, a single address trying many different usernames, and spikes in lockouts. Look for patterns in that activity and act on them in real time, for example by blocking the offending address range. Follow up with users to confirm whether questionable activity is legitimate.
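The monitoring rules just described, run over a constructed authentication log, as an added example that is not from the original post. The log format (one `timestamp result=.. user=.. src=..` line per attempt), the addresses, and the thresholds are all assumptions for the demo; real sshd, Windows Security (events 4625/4624), or web-application logs carry the same four fields and only the parser would change.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample log: alice logs in normally, bob's account is brute forced
# and finally opened from 198.51.100.7, and 203.0.113.5 tries one password
# against five different accounts (reverse brute force). Not from a real system.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z result=OK   user=alice src=192.0.2.10
2024-05-01T10:00:05Z result=FAIL user=bob   src=198.51.100.7
2024-05-01T10:00:06Z result=FAIL user=bob   src=198.51.100.7
2024-05-01T10:00:07Z result=FAIL user=bob   src=198.51.100.7
2024-05-01T10:00:08Z result=FAIL user=bob   src=198.51.100.7
2024-05-01T10:00:09Z result=FAIL user=bob   src=198.51.100.7
2024-05-01T10:00:11Z result=OK   user=bob   src=198.51.100.7
2024-05-01T10:01:00Z result=FAIL user=alice src=203.0.113.5
2024-05-01T10:01:01Z result=FAIL user=carol src=203.0.113.5
2024-05-01T10:01:02Z result=FAIL user=dave  src=203.0.113.5
2024-05-01T10:01:03Z result=FAIL user=erin  src=203.0.113.5
2024-05-01T10:01:04Z result=FAIL user=frank src=203.0.113.5
2024-05-01T10:02:00Z result=FAIL user=alice src=192.0.2.10
2024-05-01T10:02:03Z result=OK   user=alice src=192.0.2.10
"""

# Constructed baseline of where each user normally logs in from.
KNOWN_SOURCES: Dict[str, Set[str]] = {"alice": {"192.0.2.10"}, "bob": {"192.0.2.11"}}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+result=(?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)\s*$"
)


def parse_log(text: str) -> List[dict]:
    """Parse lines into dicts; unparseable lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def failed_logins_per_user(events: List[dict], threshold: int = 5) -> Dict[str, int]:
    """Classic brute force: many failures concentrated on one account."""
    counts = Counter(e["user"] for e in events if e["result"] == "FAIL")
    return {u: n for u, n in counts.items() if n >= threshold}


def sprayed_users_per_source(events: List[dict], threshold: int = 4) -> Dict[str, int]:
    """Reverse brute force: one source failing against many distinct accounts,
    which a per-account counter alone would never notice."""
    users: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e["result"] == "FAIL":
            users[e["src"]].add(e["user"])
    return {src: len(u) for src, u in users.items() if len(u) >= threshold}


def successes_after_failures(events: List[dict], min_failures: int = 3) -> List[Tuple[str, str]]:
    """A success from the same (user, src) pair right after a run of failures is
    the signature of a guess that worked; these need immediate follow-up."""
    streak: Counter = Counter()
    hits = []
    for e in events:
        key = (e["user"], e["src"])
        if e["result"] == "FAIL":
            streak[key] += 1
        else:
            if streak[key] >= min_failures:
                hits.append(key)
            streak[key] = 0
    return hits


def logins_from_new_sources(events: List[dict], known: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Out-of-the-ordinary location: any attempt for a user from an address
    outside that user's baseline, reported once per (user, src) pair."""
    seen, out = set(), []
    for e in events:
        pair = (e["user"], e["src"])
        if e["src"] not in known.get(e["user"], set()) and pair not in seen:
            seen.add(pair)
            out.append(pair)
    return out


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("brute force  :", failed_logins_per_user(ev))
    print("spraying     :", sprayed_users_per_source(ev))
    print("likely break :", successes_after_failures(ev))
    print("new sources  :", logins_from_new_sources(ev, KNOWN_SOURCES))
```

The four checks are deliberately independent: the brute-force rule fires on bob, the source rule fires on 203.0.113.5 even though it never hit any one account more than once, and the success-after-failures rule is the one that turns a noisy alert into an incident.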
Enforce a Strong Password Policy
For hackers, cracking weak passwords is like shooting fish in a barrel. But the longer and more complex a password is, the more combinations will need to be tested, further increasing the amount of time it will take to crack the password.
Establish a company-wide policy that requires long passwords and rejects weak ones. Many organizations, for example, require 8 to 16 characters with at least one letter, one number, and one special character, and refuse passwords that contain the user's name, username, or ID. Current guidance (NIST SP 800-63B) goes further on length and less far on rules: allow passwords well beyond 16 characters, check new passwords against lists of known-breached and commonly used passwords, and do not force routine periodic changes, which push users toward predictable variations; require a change when there is evidence of compromise instead.
Along with a robust password policy, educate employees on why password strength and good security habits matter. Even with a solid password, an employee can still be tricked into revealing it if security isn't a fundamental part of your culture.
With all the advanced techniques available to online scammers today, it’s remarkable that one of the most commonplace and effective attacks has a decidedly human element to it. Thwarting brute force attacks can simply be a matter of altering your online habits, such as employing stronger passwords and not reusing them all over the internet.
Back that up by enabling two-factor or multi-factor authentication and by putting your website behind a web application firewall (WAF), which can rate-limit login endpoints and block known-bad addresses and bot traffic before it reaches your application.
As mentioned previously, real-time monitoring can go a long way toward preventing these types of attacks, even as they’re happening. To enjoy the benefits of real-time monitoring by certified IT professionals, give us a call at 252.329.1382 today! We’ll be more than happy to explain how we can help simplify IT for your business!