BRUTE FORCE ATTACK: Explained

Boney Maundu Slim
5 min read · Jan 20, 2024


A brute force attack is a method where attackers use trial-and-error methods to crack login credentials, passwords, and encryption keys. Brute force refers to the use of relentless, excessive force directed at an account or application.

While simple and seemingly dated, it’s a tried and tested tactic for gaining unauthorized access to accounts, applications, and systems belonging to individuals, businesses, and organizations, and it remains very popular with attackers, despite there being more subtle and seemingly advanced options.

Using a computer to test a wide range of options, hackers try multiple usernames and passwords until they stumble upon the correct login credentials.

The motive behind brute force attacks

While the potential rewards can be huge and lucrative, brute force attacks require patience, as it can take weeks, months, and even years for an attacker to stumble onto the correct combination of login credentials.

  • To steal personal data: The main reason for any cyberattack is the theft of personal or corporate information such as financial and banking details, corporate databases, or confidential personal information like family or medical records. This information can then be used to perpetrate wider attacks or sold to third parties for a lucrative fee.
  • Earnings from ads: As with most cyberattacks, the attacker looks to profit financially from their efforts. An attacker can surreptitiously install spam ads on popular sites or reroute traffic to illegitimate ad sites so that they earn money whenever an ad is clicked. Or, even better for them, they can install malware that tracks and records a user’s online activity, and the data mined can be sold to advertisers for a good fee.
  • Business rivalry: Oftentimes an attacker launches a series of attacks on an organization’s systems in order to infiltrate them and wreak havoc on the whole business and its operations, a move aimed at destroying the organization’s reputation.
  • Malware: At times, attackers target random accounts, and in whichever account they manage to penetrate, they install malware that can then mine data over time, which they can sift through for any potentially valuable information that they can sell or use to launch wider attacks.

Types of brute force attacks

  • Simple brute force attacks

This is a simple kind of attack where an attacker attempts to guess a potential victim’s user account and password, or PIN, manually without the aid of any software tools.

Such attacks are possible and still in use because of user carelessness and ignorance of safe password practices or just plain laziness, such as the use of cliché passwords like “1234”, “password123”, “password@123” or using favourite names like spouse’s, child’s, or pet’s names and such.

Not only that, but many users have a habit of using the same credentials on multiple accounts for convenience.

  • Dictionary attacks

With this type of attack, the attacker selects a particular target, possibly someone who is familiar to them, and tries to guess their password against their username.

Even though it’s not necessarily considered a brute force attack, it’s still effective enough to be used by attackers. It can be time-consuming, as an attacker typically runs through a dictionary of words, appending or substituting special characters and numbers in each one, hence the term ‘dictionary’.

  • Hybrid brute force attacks

When an attacker combines a simple brute force attack with a dictionary brute force attack, it is known as a hybrid attack.

It typically begins with an attacker knowing the victim’s username and then using a combination of the two methods to guess the login combination.

  • Credential stuffing

With this tactic, an attacker takes advantage of the user’s weak password etiquette. A lot of users typically reuse the same passwords for multiple accounts, and once an attacker is able to steal the password from one account, they test the password against all other possible accounts to determine which ones they can access, and it’s surprisingly effective.

  • Reverse brute force attacks

An attacker, after having gained possession of a password by whatever means, such as via network breaches, then tries to search for matching usernames by sifting through a list of usernames.

Alternatively, an attacker can begin with a cliché password like “Password@123” and then sift through a database of usernames for a match.

Brute Force Attack tools

Since brute force attacks can be time-consuming and require a lot of patience, automated tools exist that can help expedite the process of cracking passwords and matching possible combinations for encrypted storage devices, wireless modems, and computer protocols. They include:

  • John the Ripper is an open-source password recovery tool that can run on Windows, MacOS, and UNIX platforms.
  • Aircrack-ng is a suite of tools for assessing an organization’s Wi-Fi network security; it can monitor and export traffic, and test the network through packet injection and fake access points.

Preventing Brute Force Attacks

Businesses, organizations, and individuals can employ a number of measures to keep brute force and cybercriminals in general at bay. Such measures include:

Password creation best practices

Making passwords as hard as possible to crack is an obvious measure to begin with. End users would also have a role to play in ensuring applications and devices under their control conform to such laid-down password best practices. The harder it is to guess and crack a password, the more likely it is that the attacker will give up and go in search of easier prey.

Strong password practices and tactics include using long multi-character passwords, using elaborate passphrases or seemingly nonsensical words, avoiding cliché passwords, using unique passwords for each account or storage device, and using password managers.
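To make the trade-off between length and complexity concrete, here is an added Python example (mine, not code from the original article) that scores a candidate password the way a sign-up form’s policy check might: it rejects the cliché entries named above, enforces a minimum length, and estimates the size of the search space an attacker who knows only the length and character classes would have to exhaust. The blocklist, the 12-character minimum, the 60-bit floor and the guess rates are assumptions chosen for illustration; a real deployment would check against a large breached-password list instead of the handful of entries here.

```python
import math
import string

# Constructed stand-in for a breached/cliche password blocklist (assumption:
# a real deployment would load a large list, not these few entries).
CLICHE_PASSWORDS = {
    "1234", "123456", "password", "password123", "password@123",
    "qwerty", "letmein", "welcome1",
}

MIN_LENGTH = 12   # assumed policy minimum
MIN_BITS = 60     # assumed floor on estimated search space


def charset_size(password: str) -> int:
    """Size of the union of character classes the password draws from.

    This is what a brute force attacker must iterate over if all they know
    is which classes (lowercase, uppercase, digits, symbols, space) appear.
    """
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII symbols
    if any(c.isspace() for c in password):
        size += 1
    return size


def keyspace_bits(password: str) -> float:
    """log2 of the number of candidates of this length over this charset."""
    n = charset_size(password)
    return 0.0 if n == 0 else len(password) * math.log2(n)


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guessing rate."""
    return 2 ** keyspace_bits(password) / guesses_per_second


def check_password(password: str) -> list[str]:
    """Return the policy violations for a password; an empty list means it passes."""
    problems = []
    if password.lower() in CLICHE_PASSWORDS:
        problems.append("matches a well-known cliche password")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if keyspace_bits(password) < MIN_BITS:
        problems.append(f"estimated search space below {MIN_BITS} bits")
    return problems


if __name__ == "__main__":
    # Assumed guess rates: an online login form throttled to ~10/s versus an
    # offline attack on a leaked hash at ~1e9/s on commodity hardware.
    for pw in ["1234", "Tr0ub4dor&3", "correct horse battery staple"]:
        print(f"{pw!r}: {keyspace_bits(pw):.1f} bits, "
              f"online {seconds_to_exhaust(pw, 10):.3g} s, "
              f"offline {seconds_to_exhaust(pw, 1e9):.3g} s, "
              f"problems={check_password(pw)}")
```

Note that the long all-lowercase passphrase passes while the short mixed-class password fails on length alone: four extra words add far more search space than a few substituted symbols, which is the reasoning behind preferring passphrases.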

Protection of user and account passwords

If an organization and individuals follow strong password creation practices but make no effort to protect the passwords, then it defeats the purpose.

Using encryption methods on passwords is one way to protect the strong passwords already created.

This can further be bolstered by using multi-factor authentication, where a user is required to provide additional information to verify their identity, thus removing total reliance on just the username and password.

Using CAPTCHA during logins can stop a brute force attack coming from online tools from proceeding to the login page of an application or resource since it requires actions that can’t be performed without direct human input.

Additional methods, such as limiting login attempts, can stop a brute force attacker in their tracks since the account would be automatically locked after, say, three successive failed attempts, which are likely coming from a brute force attacker.
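The following added Python example (mine, not code from the original article) ties the two measures together: passwords are stored as salted PBKDF2-HMAC-SHA256 hashes rather than in the clear, and the login routine counts failures and locks the account after three, the threshold used above. The iteration count, the 15-minute lockout window and the in-memory account store are assumptions; a production system would persist the counters and log every lockout for the monitoring described later.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 600_000   # assumption: a current-guidance iteration count for PBKDF2-HMAC-SHA256
MAX_FAILURES = 3              # lock after three successive failures, as in the article
LOCKOUT_SECONDS = 15 * 60     # assumption: how long the account stays locked
_DUMMY_SALT = b"\x00" * 16    # used to equalise timing for unknown usernames


def hash_password(password: str) -> tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt defeats precomputed tables."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class AccountStore:
    """In-memory account store (assumption) with per-account failure counting."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock   # injectable so lockout expiry can be tested
        self.accounts = {}   # username -> {"salt", "digest", "failures", "locked_until"}

    def register(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.accounts[username] = {
            "salt": salt, "digest": digest, "failures": 0, "locked_until": 0.0,
        }

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'locked' or 'denied'."""
        acct = self.accounts.get(username)
        now = self.clock()
        if acct is None:
            # Do the same amount of work for unknown users so response time
            # does not reveal which usernames exist.
            hashlib.pbkdf2_hmac("sha256", password.encode(), _DUMMY_SALT, PBKDF2_ITERATIONS)
            return "denied"
        if now < acct["locked_until"]:
            return "locked"   # rejected before checking, even if the password is right
        if verify_password(password, acct["salt"], acct["digest"]):
            acct["failures"] = 0
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILURES:
            acct["locked_until"] = now + LOCKOUT_SECONDS
            acct["failures"] = 0
        return "denied"


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice", "correct horse battery staple")
    for guess in ["password123", "Password@123", "1234", "correct horse battery staple"]:
        print(f"{guess!r}: {store.login('alice', guess)}")
```

The lock is checked before the password is verified, so a guess that happens to be correct during the lockout window is still refused, and a successful login resets the counter so ordinary typos do not accumulate across days.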

Other measures include deleting any unused and dormant accounts, particularly those that belonged to former employees or had high-level permissions, which might provide an avenue for an attacker to gain entry into an organization’s system.

User education, sensitization and active monitoring

Providing periodic education and sensitization to staff and users about safe password practices can go a long way toward keeping attackers at bay. They can detect the telltale signs of an attempted breach and take measures to protect themselves or notify relevant parties for prompt action.

Real-time monitoring of an organization’s network and system can reveal unusual behaviour and activity that might signal a potential attempt at breaching the system. Such avenues can then be investigated and red-flagged.
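As an added example of what that monitoring can look like (my code, not the article’s), the Python below runs two simple detections over a few constructed authentication log lines: a burst of failures against one account from one source, which is the signature of a simple or dictionary attack, and one source failing against many different accounts with few attempts each, which is how a reverse brute force attack (also called password spraying) shows up. The log format, the IP addresses, the five-minute window and the thresholds are all assumptions; the sample lines were made up for this example and do not come from any real system.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). Assumed line format:
# "<ISO-8601 timestamp> <OK|FAIL> user=<username> src=<source IP>"
SAMPLE_LOG = """\
2024-01-20T09:00:01 FAIL user=jdoe src=203.0.113.7
2024-01-20T09:00:03 FAIL user=jdoe src=203.0.113.7
2024-01-20T09:00:05 FAIL user=jdoe src=203.0.113.7
2024-01-20T09:00:08 FAIL user=jdoe src=203.0.113.7
2024-01-20T09:00:10 FAIL user=jdoe src=203.0.113.7
2024-01-20T09:00:12 OK user=asmith src=198.51.100.20
2024-01-20T09:01:00 FAIL user=asmith src=192.0.2.9
2024-01-20T09:01:01 FAIL user=bjones src=192.0.2.9
2024-01-20T09:01:02 FAIL user=ckim src=192.0.2.9
2024-01-20T09:01:03 FAIL user=dlee src=192.0.2.9
2024-01-20T09:01:04 FAIL user=emoss src=192.0.2.9
2024-01-20T09:30:00 FAIL user=asmith src=198.51.100.20
2024-01-20T09:30:09 OK user=asmith src=198.51.100.20
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    result: str
    user: str
    src: str


def parse_line(line: str) -> Event:
    """Parse one line of the assumed log format into an Event."""
    ts, result, user_kv, src_kv = line.split()
    return Event(
        datetime.fromisoformat(ts), result,
        user_kv.split("=", 1)[1], src_kv.split("=", 1)[1],
    )


def detect(log_text: str, window=timedelta(minutes=5),
           fail_threshold=5, spray_threshold=5):
    """Return alerts as tuples, each emitted once, in the order they first fire."""
    alerts = []
    fired = set()
    recent_fails = defaultdict(deque)   # (src, user) -> timestamps of failures in window
    recent_users = defaultdict(dict)    # src -> {user: time of last failure}

    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        if e.result != "FAIL":
            continue   # only failures feed the counters; an OK is not suspicious by itself

        # Classic brute force: many failures on one account from one source.
        q = recent_fails[(e.src, e.user)]
        q.append(e.ts)
        while e.ts - q[0] > window:
            q.popleft()
        key = ("brute_force", e.src, e.user)
        if len(q) >= fail_threshold and key not in fired:
            fired.add(key)
            alerts.append(key)

        # Reverse brute force / password spray: one source, many accounts.
        users = recent_users[e.src]
        users[e.user] = e.ts
        for stale in [u for u, t in users.items() if e.ts - t > window]:
            del users[stale]
        if len(users) >= spray_threshold and ("reverse_brute_force", e.src) not in fired:
            fired.add(("reverse_brute_force", e.src))
            alerts.append(("reverse_brute_force", e.src, f"{len(users)} distinct users"))

    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Note that the lone failure from 198.51.100.20 followed by a success is not flagged: a single typo corrected seconds later is normal user behaviour, and the window-based counters are what keep that noise out of the alert queue. In a real deployment the source would be a SIEM or the authentication service’s own logs, and the thresholds would be tuned to the observed baseline.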

— — — -

Boney Maundu

Tech Contractor & Writer

Slim Bz TechSystems: Nairobi

Written by Boney Maundu Slim

I.T & Security Systems Contractor | Entrepreneur | Tech Writer @ Slim Bz Techsystems | +254 719393664 | boneymaundu@gmail.com
