I was recently asked to weigh in on brute force attacks with Motley Fool’s The Blueprint, which was meant to help small businesses understand the concept as well as offer mitigations. Brute force attacks present a ubiquitous threat to small, medium and large enterprises alike in terms of frequency of occurrence. Anytime a business presents a virtual door from the outside in, that door will get knocked on, beat on, slammed against or otherwise “jimmied” to the point of success or concession, depending on the motivations of the actor. That scenario essentially describes the nature of, and conditions for, a brute force attack.
Simply put, a brute force attack generally means an attacker is methodically applying or guessing possible passwords or passphrases with a username in the hopes of finding a successful combination to gain access. The attack can be applied manually, or it can entail the use of an automated program or programs to exhaust the attempt. The stronger the password, the more combinations that will need to be tested.
What can bad actors gain in a brute force attack?
Bad actors tend to use brute force as an illegitimate means of gaining entry through a legitimate access path. The main reason an attacker would initiate a brute force attack is simply because they can, as the act in itself typically presents little risk and almost zero attribution if even the least bit of obscurity is applied. The rationale for its use, which is subtly different, can be expressed more as conditions of opportunity that further the ultimate goal of the attacker and include:
- Expediency: Picture a person of malfeasance coming upon, or knowing of, a door, window, or other means of ingress. If they are determined to get inside, regardless if the host is a target of intent or opportunity, they will often try those means first as it lends expediency, and if the ingress points are locked, they may use some level of force to make way. Bad actors in cyberspace will do the same thing, albeit with a bit more sophistication and a lot of different methods and tools at their disposal.
- Simplicity: Simplicity is a complementing condition to expediency. I can only imagine that any actor would be remiss if they didn’t at least try the front door, or look in the most obvious places where a spare key might be. This is analogous to the cyberspace actor not first trying known, acquired or default username and password combinations that require very little effort to employ. Keeping it simple can also yield further gains in expediency and efficiency.
- Efficiency: Whether targeting a single entity or a host of entities, the state of efficiency is important if a critical success factor is related to the attack time. After employing some of the obvious attempts without success, a determined attacker will begin to employ programs that lend to efficiency. Just like a lobster fisherman laying many pots instead of hunting the crustaceans individually, an attacker may set a brute force program, or combination of programs, in motion to gain time and expend less effort with potentially more positive outcomes. This is particularly true if they’ve enabled a series of bots across the web to execute multiple brute force attacks against multiple hosts, particularly if the attacker is simply seeking out an opportunity of weakness to exploit.
How can an organization prevent a brute force attack?
The best advice here is to give up trying to prevent a brute force attack. Bear in mind that the barbarians are always at the gates, and so long as an access path is presented to the Internet, you can be sure that someone will be out there testing its security. As it’s likely not feasible to seal your business off from the Internet in all regards, the focus should be placed on mitigation. Specifically, the organization should focus on measures that can limit the success of a brute force attack rather than prevent it. The implementation of these methods should not be considered mutually exclusive, as singular control provides only one level of defense or deterrence, nor is the list exhaustive. They are, however, easy methods that any organization can apply. Pondurance can help your organization develop a concerted plan that helps implement these and other controls necessary to protect your environment:
- Ensure that the default username and password for any system, device or component is either immediately changed or disabled. Remember when you set up your home router, and the username ROUTERBRAND and password PASSWORD1 were conveniently in print for you to get YOU access to the device and bring it online. If you do not change those credentials, it’s sure to be the first combination tried by an attacker. I would recommend this step as a practical security measure, regardless if it is Internet facing or not.
- An automated lockout mechanism after so many attempts in a set amount of time can be a deterrent (for example, five failed access attempts every 30 minutes locks that access path to the system for one hour). Ensure to take into consideration the critical nature and need for being able to legitimately access the system, though “criticality” should not be a free-pass for no control. Even limiting the lockout period for 15 or 30 minutes can disrupt the state of “efficiency” an attacker is trying to gain, thereby potentially discouraging further brute force attempts. Also, consider providing enough gratuitous attempts to allow for “fat fingering,” or else you may spend a lot of time on the phone with angry users.
- One of the most effective controls is implementing multi-factor authentication. If successful login requires not only something I know (like a password), but also a second factor such as either something I am (like a biometric) or something I have (like a randomized token), the success for standard brute force attack goes down exponentially to the point of discouragement or defeat, as the attacker likely does not have the ability to apply the second factor.
- Enabling a CAPTCHA is a practice to consider, if available, as it often allows a system to discern whether a human or a bot is attempting to gain access. This is important to disrupt the rhythm of efficiency and limit the success that might be gained by a bot set out to execute brute force attacks across the Internet.
- Vulnerability Management becomes an important process as well, as it facilitates time-based scans to find vulnerable systems (i.e., in this case if a system or device is subject to weak or default passwords) that can be remedied before they are found by an attacker. Other configuration weaknesses can also be remedied through a vulnerability management program that might otherwise make it easier to facilitate a brute force attack.
For instance, a vulnerability scan may detect that the Remote Desktop Protocol (RDP on port 3389) is enabled and accessible to the Internet. RDP essentially provides a direct access path to a specific system inside the network, and it is an absolute favorite vector for attackers to attempt brute force attacks. It should be said that a vulnerability scan on its own merits may not call out RDP as a “high risk,” as it is intended to be a legitimate program to provide an easy means of access to a system, ostensibly for maintenance or other needs, even if it is directly accessible to the Internet. It is, therefore, important to discern the business need for enabling RDP and, if deemed necessary, provide additional mitigating controls such as multi-factor authentication.
Without a defense-in-depth strategy, a brute force attack can go on for days, weeks or months without detection. This is true even if the events are being logged as simply logging the events only provides an anecdotal reference that is reactive. It is important to ensure that logs are reviewed in a time-based manner in line with the results of your assessed risk (e.g., daily, hourly, etc.). A review of your logs allows you to assess the state of your controls that may limit the success of a brute force attack, and if you have applied the compensating controls outlined above, you have substantially lowered your risk.
While it can be postured that any system can ultimately be exploited given enough skill, time and resources to the attacker, a brute force attack is only as good as the program being used and the skill of the person using it. And even then, they won’t always be successful.
Read more about the best ways to protect your organization from cyber attacks in our new whitepaper: The Domain Controller…An Achilles Heel.