Posted October 5, 2017
Everyday, hackers are finding new and sophisticated techniques to compromise networks, yet one of the most tried and true attack methods – brute force attacks – remains popular.
It is such a common password-cracking method because it can be used against nearly any type of encryption, and threat actors have access to a myriad of tools to carry out these attacks. This, combined with the fact that people are still using simple, insecure passwords (“123456” is still one of the most popular passwords), is aiding threat actors’ success.
Recently, hackers used a brute force attack to crack passwords of Microsoft Office 365 users at multiple organizations. The perpetrators used popular cloud service platforms to conduct a persistent attack against corporate Office 365 accounts of high-value targets. And earlier this year, a brute force attack compromised the email accounts of 90 members of the British Parliament.
Brute force attacks are becoming faster and more efficient, so organizations need to couple prevention with the ability to quickly recognize and thwart these attacks before one results in a system compromise.
The Anatomy of a Brute Force Attack
In a brute force attack, hackers use software that tries different character combinations in quick succession to crack passwords. The algorithm uses trial and error to guess as many character combinations as possible. Hackers often use a high-performance computer that can check a large number of combinations in a short amount of time.
Short and simple passwords—those that only use alphabetical characters—are easier to crack. Longer ones are more difficult, but hackers often persist for hours, days, or even years. The Microsoft 365 attack used a slow and measured pace to avoid detection.
The most common brute force attacks use a password dictionary that contains millions of words to test. Successful brute force attacks not only give hackers access to data, apps, and resources, but can also serve as an entry point for further attacks.
Detecting Brute Force Attacks
Though brute force attacks are difficult to stop, they aren’t difficult to spot. Each failed login attempt records an HTTP 401 status code, so monitoring log files can let you know if you’re under attack. Here are other signs of a brute force attack:
- Several failed login attempts from the same IP address
- Logins with multiple username attempts from the same IP address
- Logins for a single account from many different IP addresses
- Failed login attempts from alphabetically sequential usernames and passwords
- Logins with a referring URL of someone’s mail or IRC client
- Excessive bandwidth consumption over the course of a single session
- A large number of authentication failures
It’s important to understand user behavior patterns when detecting these attacks. Normal users have consistent login activity and rarely have more than a few wrong password attempts. Understanding the specific patterns within your organization can help you identify anomalous activity quicker.
How do you prevent brute force attacks from compromising passwords? The simplest defense is cyber hygiene. Users should have complex passwords that are long and use a combination of letters, special characters, numbers and upper- and lower-case letters.
From an IT perspective, prevention measures include locking a login page for a certain amount of time after failed logins, extending the time between two logins when a wrong password is entered, two-factor authentication, using CAPTCHA to prevent automated attacks, and locking out an IP address with multiple failed logins.
Though these steps may hinder some attacks, for persistent hackers, it may just slow down their efforts, not stop them. And more sophisticated hackers—particular those using botnets—can circumvent some of these measures.
In fact, some prevention methods, such as locking accounts, can backfire. Perpetrators can abuse the security measure and lock out hundreds of user accounts and launch a denial of service (DoS) attack.
While not all cyber attacks can be thwarted, we can make it more difficult for them to follow through with malicious activity. Having a good cyber safety awareness training in place can at least arm your employees with the basic knowledge, such as best practices for a strong password, to prevent a network breach.