Barbarians Are Always at the Gates, Testing Cybersecurity
Ron Pelletier January 07, 2021
I was recently asked to weigh in on brute force attacks with Motley Fool’s The Blueprint, which was meant to help small businesses understand the concept and offer mitigations. Brute force attacks present a ubiquitous threat to small, medium, and large enterprises alike in terms of frequency of occurrence. Anytime a business presents a virtual door from the outside in, that door will get knocked on, beat on, slammed against, or otherwise jimmied to the point of success or concession, depending on the motivations of the actor. That scenario essentially describes the nature of, and conditions for, a brute force attack. Let’s dive deeper into what it is and how to prevent a brute force attack.
Simply put, a brute force attack generally means an attacker is methodically applying or guessing possible passwords or passphrases with a username in the hopes of finding a successful combination to gain access. The attack can be applied manually, or it can entail the use of an automated program or programs to exhaust the attempt. The stronger the password, the more combinations will need to be tested.
What Can Bad Actors Gain in a Brute Force Attack?
Bad actors tend to use brute force as an illegitimate means of gaining entry through a legitimate access path. The main reason an attacker would initiate a brute force attack is simply because the attacker can, as the act itself typically presents little risk and almost zero attribution if even the least bit of obscurity is applied. The rationale for its use, which is subtly different, can be expressed as conditions of opportunity that further the ultimate goal of the attacker and include:
- Expediency: Picture a person of malfeasance coming upon or knowing of a door, window, or other means of ingress. If determined to get inside, regardless of whether the host is a target of intent or opportunity, the person will often try those means first, as it lends expediency. If the ingress points are locked, the person may use some level of force to make way. Bad actors in cyberspace will do the same thing, albeit with a bit more sophistication and a lot of different methods and tools at their disposal.
- Simplicity: Simplicity is a complementing condition to expediency. I can only imagine that any actor would be remiss if he or she didn’t at least try the front door or look in the most obvious places where a spare key might be. This is analogous to the cyberspace actor not first trying known, acquired, or default username and password combinations that require very little effort to employ. Keeping it simple can also yield further gains in expediency and efficiency.
- Efficiency: Whether targeting a single entity or a host of entities, the state of efficiency is important if a critical success factor is related to the attack time. After employing some of the obvious attempts without success, a determined attacker will begin to employ programs that lend efficiency. Just like a lobster fisherman laying many pots instead of hunting the crustaceans individually, an attacker may set a brute force program, or combination of programs, in motion to gain time and expend less effort with potentially more positive outcomes. This is particularly true if the attacker has enabled a series of bots across the web to execute multiple brute force attacks against multiple hosts, especially if the attacker is simply seeking out an opportunity of weakness to exploit.
How Can an Organization Prevent a Brute Force Attack?
The best advice is to give up trying to prevent a brute force attack. Bear in mind that the barbarians are always at the gates, and so long as an access path is presented to the internet, you can be sure that someone will be out there testing its security. As it’s likely not feasible to seal your business off from the internet in all regards, the focus should be placed on mitigation. Specifically, the organization should focus on measures that can limit the success of a brute force attack rather than prevent it. These methods should not be considered mutually exclusive, as a single control provides only one level of defense or deterrence, nor is the list exhaustive. They are, however, easy methods that any organization can apply. Pondurance can help your organization develop a concerted plan that helps implement these and other controls necessary to protect your environment:
- Ensure that the default username and password for any system, device, or component is either immediately changed or disabled. Remember when you set up your home router, and the username ROUTERBRAND and password PASSWORD1 were conveniently printed for you so you could access the device and bring it online? If you do not change those credentials, they are sure to be the first combination tried by an attacker. I would recommend this step as a practical security measure, regardless of whether the system is internet-facing.
- Use an automated lockout mechanism with only so many attempts in a set amount of time as a deterrent. (For example, five failed access attempts every 30 minutes locks that access path to the system for one hour.) Take into consideration the critical nature and need to legitimately access the system, though criticality should not be a free pass for no control. Even limiting the lockout period to 15 or 30 minutes can disrupt the state of efficiency an attacker is trying to gain, thereby potentially discouraging further brute force attempts. Also, consider providing enough gratuitous attempts to allow for “fat fingering,” or else you may spend a lot of time on the phone with angry users.
- Implement multi-factor authentication as an effective control. If successful login requires not only something I know (like a password) but also a second factor such as either something I am (like a biometric) or something I have (like a randomized token), the chance of success for a standard brute force attack goes down exponentially to the point of discouragement or defeat, as the attacker likely does not have the ability to apply the second factor.
- Consider enabling a CAPTCHA, if available, as it often allows a system to discern whether a human or a bot is attempting to gain access. This is important to disrupt the rhythm of efficiency and limit the success that might be gained by a bot set out to execute brute force attacks across the internet.
- Use vulnerability management as an important process, as it facilitates time-based scans to find vulnerable systems (e.g., in this case, if a system or device is subject to weak or default passwords) that can be remedied before they are found by an attacker. A vulnerability management program can also remedy other configuration weaknesses that might otherwise make it easier to carry out a brute force attack.
For instance, a vulnerability scan may detect that the remote desktop protocol (RDP) on port 3389 is enabled and accessible to the internet. RDP essentially provides a direct access path to a specific system inside the network, and it is an absolute favorite vector for attackers to attempt brute force attacks. It should be said that a vulnerability scan on its own merits may not call out RDP as a high risk, as it is intended to be a legitimate program to provide an easy means of access to a system, ostensibly for maintenance or other needs, even if it is directly accessible to the internet. It is, therefore, important to discern the business need for enabling RDP and, if deemed necessary, provide additional mitigating controls such as multi-factor authentication.
Without a defense-in-depth strategy, a brute force attack can go on for days, weeks, or months without detection. This is true even if the events are being logged, as simply logging the events only provides an anecdotal reference that is reactive. It is important to ensure that logs are reviewed in a time-based manner in line with the results of your assessed risk (e.g., daily, hourly, etc.). A review of your logs allows you to assess the state of your controls that may limit the success of a brute force attack, and if you have applied the compensating controls outlined above, you have substantially lowered your risk.
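As an added example (not code from this article or from Pondurance), the Python below replays constructed authentication events through the lockout policy from the example above (five failures in 30 minutes, one-hour lock) and returns what a log review should surface: which accounts were locked and which attempts were refused while locked. The log format, the account names, keying the lockout on username, and resetting the counter on a successful login are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy from the article's example: 5 failures in 30 minutes -> 1 hour lock.
MAX_FAILURES = 5
WINDOW = timedelta(minutes=30)
LOCKOUT = timedelta(hours=1)

# Constructed sample events (assumed format): timestamp user source_ip result
SAMPLE_LOG = """\
2021-01-07T09:00:00 alice 192.0.2.10 FAIL
2021-01-07T09:00:20 alice 192.0.2.10 FAIL
2021-01-07T09:00:45 alice 192.0.2.10 OK
2021-01-07T09:05:00 admin 198.51.100.7 FAIL
2021-01-07T09:05:02 admin 198.51.100.7 FAIL
2021-01-07T09:05:04 admin 198.51.100.7 FAIL
2021-01-07T09:05:06 admin 198.51.100.7 FAIL
2021-01-07T09:05:08 admin 198.51.100.7 FAIL
2021-01-07T09:05:10 admin 198.51.100.7 FAIL
2021-01-07T09:40:00 admin 198.51.100.7 OK
2021-01-07T10:10:00 admin 192.0.2.20 OK
"""

def review(log_text):
    """Replay events through the policy; return (lockouts, refused attempts)."""
    failures = defaultdict(deque)  # user -> timestamps of recent failures
    locked_until = {}              # user -> time the lock expires
    lockouts, refused = [], []
    for line in log_text.strip().splitlines():
        ts_text, user, ip, result = line.split()
        ts = datetime.fromisoformat(ts_text)
        if user in locked_until and ts < locked_until[user]:
            refused.append((ts, user, ip))  # rejected even if the password was right
            continue
        if result == "OK":
            failures[user].clear()  # assumption: a success resets the counter
            continue
        recent = failures[user]
        recent.append(ts)
        while ts - recent[0] > WINDOW:  # drop failures older than the window
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            locked_until[user] = ts + LOCKOUT
            lockouts.append((user, ts, ts + LOCKOUT))
            recent.clear()
    return lockouts, refused

if __name__ == "__main__":
    print(review(SAMPLE_LOG))
```

In the sample, the two mistyped passwords for `alice` never approach the threshold, while the lock on `admin` refuses a login at 09:40 that would otherwise have succeeded.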
While it can be posited that any system can ultimately be exploited by an attacker with enough skill, time, and resources, a brute force attack is only as good as the program being used and the skill of the person using it. And even then, the attacker won’t always be successful.
Ron Pelletier
Founder & Chief Customer Officer
Pondurance
Ron Pelletier is the original Founder of Pondurance, having started the company from his basement in 2008. Ron has over 25 years of cybersecurity advisory experience. He started his career as an officer in the U.S. Army, followed by nine years with Big Four firm EY. As a strong consensus builder and customer advocate, Ron is focused on evangelizing the Pondurance brand as well as customer success.