Brute Force Attacks: Techniques, Types & Prevention | Splunk (2024)


Brute force attacks are a common way of compromising user credentials to steal valuable information from individuals and organizations. This article explains brute force attacks, current trends, their impact on organizations, the various types and how to prevent them.

(Already a Splunk user? Learn how to detect brute force behavior with Splunk.)

What's a Brute Force Attack?

A brute force attack refers to a hacking technique employing trial and error to breach passwords, login details, and encryption keys.

A brute force attack is a relatively old technique from threat actors and cyberattackers — but today it is widely used and remains highly effective. Attackers use brute force attacks to:

  • Crack passwords
  • Decrypt encrypted data
  • Gain access to unauthorized systems, websites or networks

In this technique, attackers use trial and error to guess the information they require, testing every possible combination. For example, they repeatedly try many possible login credentials or password combinations. These attacks are often automated, depending on software to try a vast number of combinations in a short period of time.

The name ‘brute force’ makes sense: using brute force, for anything, is a way of achieving something by strength — not always with the best skills, strategy or aids (technology).

In hacking, attackers use undue force to achieve their goal. Attackers often use brute force attacks as a last resort since they can be time-consuming and may not always be successful. Brute force attacks are particularly effective in one case: against systems with weak passwords or other vulnerabilities. Therefore, organizations must use strong, unique passwords and implement other security measures to protect against brute force attacks.

Brute force trends

To be resilient against any cyberattack, organizations must ensure their workforce is well-educated on the latest cyberattacks. Splunk’s Top 50 Cybersecurity Threats provides the latest list of the most common cyber threats. With cutting edge knowledge from the Splunk Threat Research Team, the annual report includes:

  • The 50 most common security threats mapped to the
  • How they are being used
  • Impacts on your organization
  • Prevention mechanisms

In 2023, brute force attacks remain a common cyber threat that should inform your overall threat intelligence.

Consequences of brute force attacks

Like most attacks, the impact of a brute force attack varies depending on:

  • The target
  • The attacker's motivations

Once attackers gain access to the system and network of the user account of interest, they can steal valuable personal information like bank and credit account details, personal identity details, health information, etc. Attackers can sell that information to third parties for profit, with little regard for the harmed individuals.

Breaking into organizational database accounts can result in large-scale, sensitive data breaches, like the recent LastPass breach which has major complications for individuals and enterprises alike. (In the LastPass breach, CNET reports that “most sensitive data is encrypted”. That doesn’t solve the issue that the threat actors can use brute force to attack stolen local files.)

There’s the systems side of these attacks, too. Brute force attacks can…

  • Consume significant computing resources like CPU time and bandwidth.
  • Impact the performance of the targeted system, making it more difficult for legitimate users to access the system.

And then there's long-term fallout. Imagine that your company systems and data are compromised due to a brute force attack. Beyond the immediate loss, potential long-term ramifications may include damage to your company’s reputation, loss of customer trust in your data protection protocols — and ultimately lack of trust in your brand. Your organization may also face legal consequences, such as fines or imprisonment, based on the nature of the attack and applicable data protection laws.

Brute force attacks can also allow attackers to spread malware into your systems. Upon compromising a website, they can set website links to redirect to malicious websites infected with malware and entice users to download them. What's more: threat actors can put spam ads on compromised websites, earn money from them and install spyware to track the activities of website visitors.

Therefore, the impacts of a brute force attack can be significant and have far-reaching consequences for the targeted system or organization.

Types of brute force attacks

There are several types of brute force attacks. Threat actors might choose one based on their execution method and the targets they are designed to attack. Let’s take a look at some common types of brute force attacks:

  • Simple brute force attacks
  • Dictionary attacks
  • Hybrid brute force attacks
  • Reverse brute force attacks
  • Credential stuffing
  • Rainbow table attacks
  • Password spraying
  • Brute force attacks on RDP connections

Simple brute force attacks

In a simple brute force attack, attackers try to crack a small number of possible simple passwords or keys quickly. These attacks may be effective against systems with weak passwords or simple password policies. For example, this attack can easily and quickly guess simple passwords with common expressions like “name12345” and without a combination of upper- and lower-case letters.

Attackers can perform it manually or use automation and scripts. While automated attacks may be more efficient, they are also more likely to be detected and blocked by security systems. However, this technique is generally ineffective against stronger passwords or systems with robust security measures.

Dictionary attacks

A dictionary attack involves trying different possible passwords with a pre-arranged list of words, typically taken from a dictionary, against a username. The attacker will use a program to try different combinations of words and phrases to eventually guess the correct password. Apart from using unabridged or special dictionaries, attackers can also augment words by including numbers and special characters in the words to create passwords. Additionally, attackers can use passwords that have been leaked by earlier data breaches to perform dictionary attacks.

Dictionary attacks can be effective as many people choose passwords that are simply words or phrases. The program of the attacker can easily guess these kinds of passwords.

Hybrid brute force attacks

A hybrid brute force attack combines a dictionary attack with a traditional brute force attack. In a hybrid attack, the attacker will use a set of random characters like in a traditional brute force attack and a program to try a list of common words and phrases like in a dictionary attack.

Combining these two techniques can make a hybrid attack more successful than a single dictionary attack or a traditional brute force attack. The reason is that it allows the attacker to try both common and less common password options.

Reverse brute force attacks

In a usual BF attack, attackers do not know the password they are guessing. As the name implies, a reverse BF attack works in reverse. For example, if the attacker knows the PIN or password they are looking for, they will try to find the matching username by searching through millions of usernames.

For this approach, attackers usually use passwords leaked by earlier data breaches that can be found online. This process can also be automated to speed up the attack.

Credential stuffing

Many users reuse the same credentials for multiple user accounts. Credential stuffing is reusing a stolen list of username and password pairs to gain unauthorized access to other accounts. The hackers use automated tools to try these stolen credentials on various websites. If they succeed, they can potentially gain access to sensitive personal and financial information.

Beware: these attacks can go undetected — hackers are using legitimate login credentials.

Credential stuffing attacks can be particularly damaging if the attackers perform malicious activities for a long time without the consent and awareness of the user. By the time the user realizes it, significant damage that is not easily repaired may already have been done.

(Get all the details on credential stuffing.)

Rainbow table attacks

Rainbow tables are precomputed tables of hash values used to crack passwords. Rainbow table attacks can be used to crack hashes of passwords that have been hashed using a variety of hashing algorithms, including MD5, SHA-1, and NTLM. Attackers can quickly look up the corresponding plaintext for a given hash without executing the computationally intensive process of hashing all possible plaintexts and comparing the result with the target hash.
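The lookup described above only works when the same password always produces the same stored hash. The following added example (not part of the original article) uses a plain precomputed dictionary as a simplified stand-in for a rainbow table and shows that it recovers an unsalted MD5 hash but misses a per-user salted PBKDF2 hash; the word list, function names and iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed word list standing in for a precomputed table's coverage.
COMMON_PASSWORDS = ["123456", "password", "name12345"]


def build_lookup(words):
    """Precompute unsalted MD5 hash -> plaintext (simplified stand-in for a rainbow table)."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}


def hash_password(password, salt=None, iterations=100_000):
    """Store a password as (salt, PBKDF2-HMAC-SHA256 digest) with a random per-user salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations=100_000):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def demo():
    table = build_lookup(COMMON_PASSWORDS)

    # Unsalted fast hash: identical for every user who picks this password.
    unsalted = hashlib.md5(b"password").hexdigest()

    # Salted slow hash: two users with the same password get different records.
    salt_a, stored_a = hash_password("password")
    salt_b, stored_b = hash_password("password")

    return {
        "unsalted_found": table.get(unsalted),
        "salted_found": table.get(stored_a.hex()),
        "same_password_same_hash": stored_a == stored_b,
        "correct_verifies": verify_password("password", salt_a, stored_a),
        "wrong_verifies": verify_password("passw0rd", salt_a, stored_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```
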

Password spraying

Password spraying is applying one common password across many accounts. Here, the attacker tries several commonly used passwords against many accounts instead of trying all the possible combinations of characters. Password spraying attacks are often successful as many people use the same password for multiple accounts. They provide attackers access to many accounts with a relatively low level of effort by trying a small number of common passwords against many accounts.

This approach also lets attackers escape lockout policies that restrict the number of password attempts. Single sign-on (SSO) and cloud-based apps that use federated authentication are the common targets of this type of attack.

(Learn how to detect password spraying attacks.)

Brute force attacks on RDP connections

With the switch to pandemic-era work-from-home for many employees, the use of remote desktop protocol (RDP) connections has increased significantly. With this increase, brute force attacks on RDP connections have also increased. If attackers can correctly guess the password to a remote RDP connection, they can spread laterally throughout the network, injecting malware.

Preventing brute force attacks

You’ll never be 100% protected from brute force. Still, lots of protection is better than none. Here are some ways you can prevent BF attacks.

Use strong and unique passwords

You must use strong, unique passwords that are not based on words or phrases in a dictionary. Strong passwords should be at least eight characters long and contain a mix of upper and lowercase letters, numbers, and special characters.

  • Avoid using common words or personal information in your passwords, as they can be easily guessed.
  • Avoid the most common passwords.
  • Implement policies to reject weak passwords and require users to change their passwords frequently.

See what our SURGe team thinks about whether to use password managers (hint: YES), even in light of recent breaches.

Enable multi-factor authentication (MFA)

MFA provides an extra layer of security to your accounts by requiring you to provide more than one form of authentication in addition to your password. This could be a code sent to your phone, a biometric scan or a security token.

Regularly monitor login activity

Keep track of login activity, such as the number of failed login attempts and the IP addresses and locations that failed logins come from. Regular monitoring helps organizations identify and respond to brute force attacks before and as they are happening.
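As an added example (not from the original article) of the monitoring described here and of the password spraying pattern described earlier, the sketch below labels source IPs by their failed-login pattern and shows that a spraying source trips no per-account lockout. The event tuples, thresholds and function names are assumptions; the sample events are constructed and use documentation IP ranges.

```python
from collections import defaultdict

# Constructed sample events: (epoch_seconds, source_ip, username, success).
SAMPLE_EVENTS = (
    # One source guessing repeatedly at a single account.
    [(1000 + 5 * i, "203.0.113.10", "admin", False) for i in range(8)]
    # One source trying a single guess against many accounts.
    + [(1000 + 20 * i, "198.51.100.7", f"user{i}", False) for i in range(6)]
    # A legitimate user who mistypes once, then logs in.
    + [(1010, "192.0.2.44", "alice", False), (1030, "192.0.2.44", "alice", True)]
)


def classify_sources(events, window=300, guess_threshold=5, spray_threshold=5):
    """Label each source IP by its failed-login pattern inside a sliding time window."""
    failures = defaultdict(list)
    for ts, ip, user, ok in events:
        if not ok:
            failures[ip].append((ts, user))

    findings = {}
    for ip, rows in failures.items():
        rows.sort()
        start = 0
        worst_per_user = worst_distinct = 0
        for end in range(len(rows)):
            # Shrink the window until it spans at most `window` seconds.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in rows[start:end + 1]:
                per_user[user] += 1
            worst_per_user = max(worst_per_user, max(per_user.values()))
            worst_distinct = max(worst_distinct, len(per_user))
        if worst_distinct >= spray_threshold:
            findings[ip] = "password_spraying"   # few guesses each, many accounts
        elif worst_per_user >= guess_threshold:
            findings[ip] = "brute_force"         # many guesses, one account
    return findings


def lockouts_triggered(events, ip, lockout_after=3):
    """Accounts a per-account lockout policy would have locked because of this source."""
    counts = defaultdict(int)
    for _, src, user, ok in events:
        if src == ip and not ok:
            counts[user] += 1
    return sorted(u for u, n in counts.items() if n >= lockout_after)


if __name__ == "__main__":
    for ip, label in classify_sources(SAMPLE_EVENTS).items():
        print(ip, label, "lockouts:", lockouts_triggered(SAMPLE_EVENTS, ip))
```
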

Use rate-limiting

Limit the number of login attempts made within a certain period and lock down the account after a certain number of login attempts. This makes it more difficult for the attacker to guess the password.
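One way to combine both controls, shown as an added example that is not from the original article: a temporary per-account lockout plus a per-source sliding-window limit, so that a source spreading its guesses across many accounts is still slowed down. The class name, thresholds and return labels are assumptions, and timestamps are passed in so the behaviour is reproducible.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Per-account lockout plus a per-source sliding-window rate limit (illustrative)."""

    def __init__(self, max_failures=3, lockout_seconds=900, ip_limit=10, ip_window=60):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.ip_limit = ip_limit
        self.ip_window = ip_window
        self._failures = defaultdict(int)    # username -> consecutive failures
        self._locked_until = {}              # username -> time the lock expires
        self._ip_hits = defaultdict(deque)   # source IP -> timestamps of recent attempts

    def attempt(self, ip, user, password_ok, now):
        # 1. Source rate limit: counts every attempt, whichever account it targets.
        hits = self._ip_hits[ip]
        while hits and now - hits[0] >= self.ip_window:
            hits.popleft()
        if len(hits) >= self.ip_limit:
            return "throttled"
        hits.append(now)

        # 2. Account lockout: refuse even a correct password while the lock is active.
        if self._locked_until.get(user, 0) > now:
            return "locked"

        if password_ok:
            self._failures.pop(user, None)
            return "ok"

        self._failures[user] += 1
        if self._failures[user] >= self.max_failures:
            self._locked_until[user] = now + self.lockout_seconds
            self._failures[user] = 0
        return "denied"


def demo():
    t = LoginThrottle()
    # Repeated guesses at one account: the third failure locks it.
    guessing = [t.attempt("203.0.113.10", "admin", False, now=i) for i in range(4)]
    # The lock applies to every source until it expires.
    during_lock = t.attempt("192.0.2.44", "admin", True, now=10)
    after_expiry = t.attempt("192.0.2.44", "admin", True, now=1000)
    # One guess per account never locks anything, but the source limit still bites.
    spray = [t.attempt("198.51.100.7", f"user{i}", False, now=2000 + i) for i in range(12)]
    return guessing, during_lock, after_expiry, spray


if __name__ == "__main__":
    for part in demo():
        print(part)
```

The lockout here is temporary, so a legitimate user who is locked out regains access once the lock expires.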

Use CAPTCHA

A CAPTCHA can determine whether the user is a human or a computer. You can make it more difficult for automated brute-force attacks to succeed by requiring users to complete a CAPTCHA before attempting to log in.

Stay up to date

Attack surfaces grow by the day. Knowing what’s happening is key to prevention: read expert-recommended security articles and books, attend in-person and online security events, and build resilience into everything across the enterprise.

(Learn more about cyber & digital resilience.)

An Expert's Perspective

To get a better understanding of brute force attacks, we spoke with Ken Buckler, Research Director at Enterprise Management Associates. Ken has over 15 years of industry experience as a noted information and cyber security practitioner, software developer, author, and presenter, focusing on endpoint security and Federal Information Security Management Act (FISMA) and NIST 800-53 compliance. You can follow Ken @CaffSec on X, LinkedIn, or visit his website.

In this section, we've included Ken's responses to our prompts.

What are the common motives behind a brute force attack?

Most commonly in my experience, brute force attacks are used to identify accounts with weak passwords or other misconfigurations. The goal could be to steal data or install ransomware, or simply to install a new copy of the malware and utilize the target server to continue with additional attacks against others. One of the most interesting cases I saw on my own honeypot was attempts to install a Counterstrike gaming server.

What types of tools are used in brute force attacks?

Many of the tools are malware bots with password crackers, often operating on compromised machines.

What are the best ways to prevent a brute force attack?

Account lockout after a set number of failed login tries (i.e. 3 tries) combined with IP address blocking of known brute force attempts is the best way. An alternative approach would be utilizing deception technologies. Instead of blocking the attacker's IP address, redirect their attacks to a honeypot designed to capture insights into their tactics, techniques, and procedures.

How common are brute force attacks?

When I ran a honeypot, brute force attacks against Linux/Unix root accounts were the most common attacks experienced. Likely they are the most common attacks outside of phishing email campaigns.


Fight brute force smartly

Brute force attacks remain an effective technique cyber attackers use to crack passwords, decrypt encrypted data, or gain access to unauthorized systems, websites, or networks. The rise of work-from-home specifically has created new opportunities for brute force attacks on RDP (remote desktop protocol) connections. Organizations should take steps to be vigilant in detecting and preventing brute force attacks as part of their cybersecurity protocols.

FAQs

Which type of attack allows an attacker to use a brute force approach answer?

What type of attack allows an attacker to use a brute-force approach? A brute force attack can be used in various types of attacks, including password cracking, where an attacker systematically tries every possible password combination until the correct one is found.

How do you prevent brute force attack algorithm?

How to Prevent Brute Force Attacks
  • Implement Account Lockouts.
  • Use CAPTCHA.
  • Set up Two-Factor Authentication (2FA)
  • Edit sshd_config File. Make root User Inaccessible via SSH. Change Default SSH Port. ...
  • Use Unique Login URLs.
  • Monitor Server Logs.
  • Using Machine Learning Algorithms.
  • Subscribe to IP Reputation Services.

What is the brute force technique?

Brute Force is a straightforward method used in algorithmic problem-solving that checks every possible solution until the correct one is found. Brute Force Algorithms function by searching each element sequentially until the desired result is found or all options are exhausted.

Which of the following is a common technique used to protect against brute?

Locking Accounts

The most obvious way to block brute-force attacks is to simply lock out accounts after a defined number of incorrect password attempts. Account lockouts can last a specific duration, such as one hour, or the accounts could remain locked until manually unlocked by an administrator.

What is brute force with example?

A brute force attack uses a trial-and-error approach to systematically guess login info, credentials, and encryption keys. The attacker submits combinations of usernames and passwords until they finally guess correctly.

What are the advantages of brute force techniques?

The biggest advantages of brute force attacks are that they are relatively simple to perform and, given enough time and the lack of a mitigation strategy for the target, they always work. Every password-based system and encryption key out there can be cracked using a brute force attack.

Are brute force attacks illegal?

Because they involve unauthorized access to personal data, brute force attacks are almost always illegal. The only occasion where this attack type would be legal is during system security checks.

Which type of algorithm provides the highest level of protection against brute force attacks?

SHA-256 is secure due to its 256-bit hash output, making it exponentially more complex and harder to crack than SHA-1. This complexity helps secure against brute force attacks and collision vulnerabilities, making it a more secure hashing algorithm.

Which type of attack is a combination of both the brute force attack and the dictionary attack?

Hybrid Password Attacks FAQ's

Hybrid password attacks blend one or more attack techniques to crack users' passwords. The most common combination is a dictionary and brute force attack. If some of the password structure is known, mask attacks can also be used.

What is a brute force attack quizlet?

What is a brute force attack? A password attack that involves using the password-cracking software to mathematically calculate every possible password.

What is the brute force attack prevention tool?

IPBan is an effective tool for preventing brute force attacks and blocking repeated login attempts from a specific IP address. It works when many failed login attempts come from a single IP address. In this case, IPBan automatically blocks that IP from making further attempts.

What is the first priority to prevent brute force attack?

What Is the First Priority to Prevent Brute Force Attack? The first priority is to use strong, unique passwords. Longer passwords with a combination of letters, numbers, and symbols significantly increase the time and effort required for a successful brute force attack.

What is the simplest way to stop brute force cyberattacks?

How to Prevent Brute Force Attacks
  • Strong Password Policy.
  • Multi-factor Authentication.
  • Limit Login Attempts.
  • Use a CAPTCHA.
  • Monitoring and Incident Response for Brute Force Attacks.
  • Secure Coding Practices to Prevent Brute Force Vulnerabilities.
  • Intrusion Detection System (IDS)

What are brute force solutions?

A brute force algorithm solves a problem through exhaustion: it goes through all possible choices until a solution is found. The time complexity of a brute force algorithm is often proportional to the input size. Brute force algorithms are simple and consistent, but very slow.

Which is the best security control for protecting against brute force attempts?

A web application firewall (WAF) offers adequate protection against brute force attacks that attempt unauthorized access to your system. It usually enforces a maximum number of requests to a URL space from a source during a specific time interval.

What is the simplest way to stop brute force cyberattacks dead in their tracks?

#1. What is the simplest way to stop brute-force cyberattacks dead in their tracks?
  • Shred all paperwork containing sensitive information.
  • Add a deadbolt lock to all entryways.
  • Add a few unique characters to any password or PIN.

Article information

Author: Msgr. Refugio Daniel
