Brute force attacks are just that: brutal! They are one of the most common attack techniques, and they keep hammering at a target until they find a way in. A brute force attack is a game of trial and error: every candidate password (or key) is tried systematically in a predetermined order, such as an alphanumeric sequence or a dictionary of likely values, until one is accepted.
There are two types of brute force attack: online and offline. Online attacks, the more common type, send guesses directly to a live authentication endpoint, such as a web login form, an e-mail service or SSH, and watch which one is accepted. Every guess costs a network round trip and can be logged, throttled or blocked by the target, so online attacks are comparatively slow and noisy.
Offline brute force attacks, on the other hand, work on a captured credential store, such as a UNIX password (shadow) file, a database dump of password hashes or an encrypted file. The attacker hashes or decrypts candidate values on their own hardware and compares the result, so the target never sees the attempts and cannot throttle them. Such attacks are less common only because the attacker must first obtain a copy of the file; once they have it, the rate is limited only by the attacker's computing power and the cost of the hash algorithm.
Brute force attacks are second only to denial-of-service attacks, accounting for approximately 25% of all attacks, according to a 2015 McAfee security report. WordPress sites are common victims because a compromised administrator account gives the attacker control of the publishing platform, which can then be put to malicious use.
> See also: Why we shouldn't underestimate the power of 'brute force' attacks
In the vast majority of cases, the motive behind brute force attacks is to gain privileged access to restricted data, applications, or resources. However, a successful brute-force attack can also become a stepping-stone or pivot point for further attacks.
For example, by brute-forcing access to point A, it might then be possible to launch subsequent exploits (perhaps of a different type) to get to points B-Z. A hacker may also launch a brute force attack to install something such as a rootkit, add a new bot to a botnet, create a command and control centre for a botnet, or simply steal money or sensitive information, such as credit card numbers or banking credentials, for financial gain.
Unfortunately, there is no single, unambiguous signal that a brute force attack is happening. There are, however, useful indicators to look for, the most obvious being a string of failed log-ins from the same IP address.
If the attacker is using a botnet, the source addresses vary, so it is important to recognise other clues as well: logins with many different usernames emerging from a single IP address; logins for a single account coming from many different IP addresses; excessive bandwidth consumption over the course of a single session; and failed login attempts with alphabetically or numerically sequential usernames or passwords, the trace of a generated wordlist.
The referring URL can also give the game away: a referrer drawn from someone's mail or IRC client, a referrer that embeds credentials in the form http://user:password@www.example.com/login.html, or a referrer from a known password-sharing website. Failed log-in attempts may also use passwords common to users and hackers alike (123456, password, qwerty, pwnyou, etc.). One caveat: an application should never write submitted passwords to its logs, so password-based indicators have to be checked at the point of authentication, before the rejected value is discarded.
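The log-side indicators above can be checked mechanically. The following is an added example, not code from the article or from any product: it parses constructed OpenSSH-style "Failed password" lines (the sample log is made up for illustration) and reports which indicators fire. The thresholds are arbitrary assumptions; tune them to the traffic of the system you are watching.

```python
"""Indicator checks from the article, run over constructed sshd-style log lines.

Added example, not code from the article or from any product. The log lines
are made up for illustration and the thresholds are arbitrary assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: one source hammering root then guessing usernames,
# one account targeted from several addresses, and a generated username list.
SAMPLE_LOG = """\
Jan 10 10:00:01 host sshd[100]: Failed password for root from 203.0.113.5 port 4000 ssh2
Jan 10 10:00:02 host sshd[101]: Failed password for root from 203.0.113.5 port 4001 ssh2
Jan 10 10:00:03 host sshd[102]: Failed password for root from 203.0.113.5 port 4002 ssh2
Jan 10 10:00:04 host sshd[103]: Failed password for root from 203.0.113.5 port 4003 ssh2
Jan 10 10:00:05 host sshd[104]: Failed password for root from 203.0.113.5 port 4004 ssh2
Jan 10 10:00:06 host sshd[105]: Failed password for invalid user admin from 203.0.113.5 port 4005 ssh2
Jan 10 10:00:07 host sshd[106]: Failed password for invalid user guest from 203.0.113.5 port 4006 ssh2
Jan 10 10:00:09 host sshd[108]: Failed password for alice from 198.51.100.1 port 5000 ssh2
Jan 10 10:00:10 host sshd[109]: Failed password for alice from 198.51.100.2 port 5000 ssh2
Jan 10 10:00:11 host sshd[110]: Failed password for alice from 198.51.100.3 port 5000 ssh2
Jan 10 10:00:13 host sshd[112]: Failed password for invalid user user001 from 192.0.2.9 port 6000 ssh2
Jan 10 10:00:14 host sshd[113]: Failed password for invalid user user002 from 192.0.2.9 port 6001 ssh2
Jan 10 10:00:15 host sshd[114]: Failed password for invalid user user003 from 192.0.2.9 port 6002 ssh2
Jan 10 10:00:16 host sshd[115]: Accepted password for bob from 198.51.100.7 port 7000 ssh2
"""

# OpenSSH's failure line; "invalid user" is inserted when the account does not exist.
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
NUMERIC_SUFFIX_RE = re.compile(r"^(.*?)(\d+)$")


def parse_failures(log_text):
    """Return (username, source_ip) for every failed-login line, skipping the rest."""
    failures = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            failures.append((m.group(1), m.group(2)))
    return failures


def has_consecutive_run(numbers, run_length):
    """True if the distinct integers contain run_length consecutive values."""
    nums = sorted(set(numbers))
    run = 1
    for prev, cur in zip(nums, nums[1:]):
        run = run + 1 if cur == prev + 1 else 1
        if run >= run_length:
            return True
    return False


def sequential_usernames(usernames, run_length=3):
    """True if names share a prefix with consecutive numeric suffixes (user001, user002, ...),
    the log-side trace of a generated username list. Passwords never reach the log, so the
    article's 'sequential passwords' indicator cannot be checked here."""
    by_prefix = defaultdict(list)
    for name in usernames:
        m = NUMERIC_SUFFIX_RE.match(name)
        if m:
            by_prefix[m.group(1)].append(int(m.group(2)))
    return any(has_consecutive_run(nums, run_length) for nums in by_prefix.values())


def detect_indicators(failures, per_ip_threshold=5, users_per_ip_threshold=3,
                      ips_per_user_threshold=3):
    """Group failures by source and account and return the indicators that fire."""
    failures_per_ip = defaultdict(int)
    users_per_ip = defaultdict(set)
    ips_per_user = defaultdict(set)
    for user, ip in failures:
        failures_per_ip[ip] += 1
        users_per_ip[ip].add(user)
        ips_per_user[user].add(ip)
    return {
        "many_failures_from_ip": {ip: n for ip, n in failures_per_ip.items()
                                  if n >= per_ip_threshold},
        "many_usernames_from_ip": {ip: sorted(u) for ip, u in users_per_ip.items()
                                   if len(u) >= users_per_ip_threshold},
        "one_account_many_ips": {u: sorted(ips) for u, ips in ips_per_user.items()
                                 if len(ips) >= ips_per_user_threshold},
        "sequential_usernames_from_ip": sorted(ip for ip, u in users_per_ip.items()
                                               if sequential_usernames(u)),
    }


if __name__ == "__main__":
    for name, hits in detect_indicators(parse_failures(SAMPLE_LOG)).items():
        print(f"{name}: {hits}")
```

Run against the sample, the single-source indicator fires on 203.0.113.5 alone, while the account-from-many-addresses indicator is what catches the distributed attempts on alice, and the sequential-username check flags 192.0.2.9 even though it made only three attempts. A real deployment would apply the same counts over a sliding time window rather than a whole file.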
So how can you defend yourself?
There are a variety of ways to fend off such attacks. The first is locking the account after a fixed number of failed attempts; Apple's failure to implement this initially in its iCloud service led to the successful brute force hacks and mass distribution of embarrassing celebrity photos back in 2014. Bear in mind that a hard lockout can be turned against you: an attacker who knows a username can deliberately lock the legitimate owner out, so a temporary lock that expires after a set period is usually preferable to one that an administrator must clear. Delaying the response to each failed attempt is the complementary technique.
The more time between permitted password attempts, the more slowly a brute force attack proceeds, and the more time sysadmins have to notice that an attack is underway. Against an online attack this is decisive: an attacker who can make ten guesses a second exhausts a million-word list in a little over a day, while at one guess every five seconds the same list takes nearly two months.
> See also: How attackers are quietly creeping inside your perimeter using covert attack communications
Additionally, an IP address should be locked out when the number of failed attempts from it exceeds a predefined maximum. Unfortunately, if the attacker is using a botnet this approach alone is inadequate: the attempts are spread across many different addresses, and each bot can stay below the per-IP threshold. Per-account and per-IP limits should therefore be used together, since a distributed attack still has to concentrate on individual accounts.
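The three defences above (per-account lockout, progressive delay and per-IP lockout) fit naturally into one throttle placed in front of password verification. What follows is an added example, not code from the article or from any vendor: a small in-memory throttle with a sliding failure window, an injected clock so the behaviour is deterministic, and a `demo()` that runs three constructed attack shapes through it to show which layer catches each. The thresholds (5 failures per account, 20 per address, 15-minute and 1-hour locks) are arbitrary assumptions.

```python
"""Login throttle combining the three defences above: per-account lockout,
progressive delay and per-IP lockout. Added example, not code from the
article or any vendor; thresholds are arbitrary assumptions and the clock is
injected so the behaviour is deterministic."""
from collections import defaultdict, deque


class FakeClock:
    """Constructed clock so the example runs without waiting for real time."""
    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class LoginThrottle:
    def __init__(self, now, account_max_failures=5, account_lock_seconds=900,
                 ip_max_failures=20, ip_lock_seconds=3600,
                 base_delay=1.0, max_delay=60.0, window_seconds=600):
        self.now = now  # callable returning the current time in seconds
        self.account_max_failures = account_max_failures
        self.account_lock_seconds = account_lock_seconds
        self.ip_max_failures = ip_max_failures
        self.ip_lock_seconds = ip_lock_seconds
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.window_seconds = window_seconds
        self.account_failures = defaultdict(deque)  # failure timestamps per account
        self.ip_failures = defaultdict(deque)       # failure timestamps per source IP
        self.account_locked_until = {}
        self.ip_locked_until = {}

    def _recent(self, timestamps):
        """Expire timestamps outside the sliding window; return how many remain."""
        cutoff = self.now() - self.window_seconds
        while timestamps and timestamps[0] < cutoff:
            timestamps.popleft()
        return len(timestamps)

    def is_account_locked(self, username):
        return self.account_locked_until.get(username, 0.0) > self.now()

    def is_ip_locked(self, ip):
        return self.ip_locked_until.get(ip, 0.0) > self.now()

    def check(self, username, ip):
        """Call before verifying a password; returns (allowed, delay_seconds, reason).
        The delay doubles with each recent failure on the account (1, 2, 4 ... up to
        max_delay) and the caller should sleep for it, so guessing is slowed long
        before the temporary lock kicks in."""
        if self.is_account_locked(username):
            return False, 0.0, "account locked"
        if self.is_ip_locked(ip):
            return False, 0.0, "ip locked"
        n = self._recent(self.account_failures[username])
        delay = min(self.base_delay * 2 ** (n - 1), self.max_delay) if n else 0.0
        return True, delay, "ok"

    def record_failure(self, username, ip):
        """Record a failure; apply whichever lockout threshold has been crossed."""
        t = self.now()
        self.account_failures[username].append(t)
        self.ip_failures[ip].append(t)
        if self._recent(self.account_failures[username]) >= self.account_max_failures:
            self.account_locked_until[username] = t + self.account_lock_seconds
        if self._recent(self.ip_failures[ip]) >= self.ip_max_failures:
            self.ip_locked_until[ip] = t + self.ip_lock_seconds

    def record_success(self, username):
        """A correct password clears the account's failure history."""
        self.account_failures.pop(username, None)


def demo():
    """Three attack shapes; returns which layer caught each one."""
    clock = FakeClock()
    th = LoginThrottle(now=clock)
    for _ in range(5):                      # one source hammering one account
        th.record_failure("alice", "203.0.113.5")
    for i in range(5):                      # botnet: one account, one attempt per bot
        th.record_failure("bob", f"198.51.100.{i + 1}")
    for i in range(20):                     # spraying: one source, many accounts
        th.record_failure(f"user{i:03d}", "192.0.2.9")
    return {
        "alice_locked": th.is_account_locked("alice"),
        "bob_locked": th.is_account_locked("bob"),          # per-IP layer never fires
        "botnet_ip_locked": any(th.is_ip_locked(f"198.51.100.{i + 1}") for i in range(5)),
        "user000_locked": th.is_account_locked("user000"),  # per-account layer never fires
        "spray_ip_locked": th.is_ip_locked("192.0.2.9"),
    }


if __name__ == "__main__":
    for name, caught in demo().items():
        print(f"{name}: {caught}")
```

The `demo()` output makes the botnet point concrete: five bots each making a single attempt on bob never trip the per-IP counter, and only the per-account lock stops them, whereas one address trying twenty different accounts never trips any per-account counter and is stopped only by the per-IP lock. Both locks expire on their own, which keeps the lockout from becoming a cheap denial of service against legitimate users. In production the counters would live in a shared store such as Redis rather than process memory.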
Based on the key indicators listed above, host-based intrusion detection tools such as OSSEC can detect that a brute force attack is underway by matching patterns of failed logins in the logs, and can take direct action to block the source, notify administrators, or both. Log-analysis tools can also be run over site logs after the fact to look for signs that a brute force attack has recently been attempted.
While the horse may be out of the barn in such a case, it’s still worthwhile to know that it happened, so that effective measures can be implemented to prevent a recurrence.
Sadly, brute force attacks aren’t going away; on the contrary, they are likely to become both more prevalent and more effective. The more computational power you have, the faster and more successful a brute force attack can be, all other factors being equal. And in today’s world of botnets, not to mention scalable grid and cloud architectures, computational power is relatively cheap and easy to access.
We may also see machine learning used to prioritise the search, trying the most promising candidates first. Password-cracking tools already do a crude version of this with dictionaries and word-mangling rules, so the attacks to expect are smarter as well as faster. This being the case, security professionals will have to stay on their toes.
Sourced from Garrett Gross, Senior Manager, Solutions Architecture, AlienVault