In a brute force attack, a threat actor tries to gain access to sensitive data and systems by systematically trying as many combinations of usernames and guessed passwords as possible. If successful, the actor can enter the system masquerading as the legitimate user and remain inside until they are detected. They use this time to move laterally, install back doors, gain knowledge about the system to use in future attacks, and, of course, steal data.
Brute force attacks have been around as long as there have been passwords. They not only remain popular, but are on the rise due to the shift to remote work.
Prior to the global COVID-19 pandemic, most employees worked in offices with infrastructures that were monitored by security controls. Now that so many employees are using their own devices and networks to connect to their corporate networks, attackers are focusing on remote desktop protocol (RDP) and other remote access services as attack vectors. RDP is a particularly popular way to deliver ransomware, such as Maze.
Attackers can use brute force attacks to steal sensitive data, spread malware, hijack systems for malicious purposes, make websites unavailable, profit from ads, reroute website traffic to commissioned ad sites, and infect sites with spyware in order to collect data to sell to advertisers.
The level of technological skill required to launch a credential stuffing attack is extremely low, as is the cost. For as little as $550, anyone with a computer can launch a credential stuffing attack.
Adversaries use automated tools to execute brute force attacks, and those lacking the skill to build their own can purchase them on the dark web in the form of malware kits. They can also purchase data such as leaked credentials that can be used as part of a credential stuffing or hybrid brute force attack. These lists may be offered as part of a package, in which the seller includes the lists along with the automated tools, as well as other value-adds, such management consoles.
Once the attacker sets up their tools and seeds them with the lists, if relevant, the attack begins.
Brute force attacks can be conducted with botnets. Botnets are systems of hijacked computers that provide processing power without the consent or knowledge of the legitimate user. Like the malware kits mentioned above, bot kits can also be purchased on the dark web. Last year, a botnet was used to breach SSH servers belonging to banks, medical centers, educational institutions, and others.
Brute force attacks are resource-intensive, but effective. They may also be the first part of a multi-stage attack. An example of this is explained in detail on the CrowdStrike blog, examining a case where a brute force attack was part of a multi-step exploit that enabled unauthenticated privilege escalation to full domain privileges.
A simple brute force attack uses automation and scripts to guess passwords. Typical brute force attacks make a few hundred guesses every second. Simple passwords, such as those lacking a mix of upper- and lowercase letters and those using common expressions like ‘123456’ or ‘password,’ can be cracked in minutes. However, the potential exists to increase that speed by orders of magnitude. All the way back in 2012, a researcher used a computer cluster to guess up to 350 billion passwords per second.
A dictionary attack tries combinations of common words and phrases. Originally, dictionary attacks used words from a dictionary as well as numbers, but today dictionary attacks also use passwords that have been leaked by earlier data breaches. These leaked passwords are available for sale on the dark web and can even be found for free on the regular web.
Dictionary software is available that substitutes similar characters to create new guesses. For example, the software will replace a lowercase “l” with a capital “I” or a lowercase “a” with an “@” sign. The software only tries the combinations its logic says are most likely to succeed.
Over the years, more than 8.5 billion usernames and passwords have been leaked. These stolen credentials are sold between bad actors on the dark web and used in everything from spam to account takeovers.
A credential stuffing attack uses these stolen login combinations across a multitude of sites. Credential stuffing works because people tend to re-use their login names and passwords repeatedly, so if a hacker gets access to a person’s account with an electric company, there is an excellent chance those same credentials will provide access to that person’s online bank account as well.
Gaming, media, and retail businesses tend to be favorite targets, but credential stuffing attacks are commonly launched against all industries.
In a regular brute force attack, the attacker starts with a known key, usually a username or account number. Then they use automation tools to figure out the matching password. In a reverse brute force attack, the attacker knows the password and needs to find the username or account number.
A hybrid brute force attack combines a dictionary attack and a brute force attack. People often tack a series of numbers – typically four – onto the end of their password. Those four numbers are usually a year that was significant to them, such as birth or graduation, and so the first number is normally a 1 or a 2.
In a reverse brute force attack, attackers use the dictionary attack to provide the words and then automate a brute force attack on the last part – the four numbers. This is a more efficient approach than using a dictionary attack alone or a brute force attack alone.
Traditional brute force attacks try to guess the password for a single account. Password spraying takes the opposite approach and tries to apply one common password to many accounts. This approach avoids getting caught by lockout policies that limit the number of password attempts. Password spraying is typically used against targets with single sign-on (SSO) and cloud-based apps that use federated authentication.
A brute force attack is a numbers game, and it takes a lot of computing power to execute at scale. By deploying networks of hijacked computers to execute the attack algorithm, attackers can save themselves the cost and hassles of running their own systems. In addition, the use of botnets adds an extra layer of anonymity. Botnets can be used in any type of brute force attack.
Tools, many free, are available on the open internet that work against a wide variety of platforms and protocols. Here are just a few:
When users are required to offer more than one form of authentication, such as both a password and a fingerprint or a password and a one-time security token, a brute force attack is less likely to succeed.
Gain visibility into the use of credentials across the environment and require passwords to be changed regularly.
Longer passwords are not always better. What really helps is to require a mix of upper- and lowercase letters mixed with special characters. Educate users on best password practices, such as avoiding adding four numbers at the end and avoiding common numbers, such those beginning with 1 or 2. Provide a password management tool to prevent users from resorting to easily-remembered passwords and use a discovery tool that exposes default passwords on devices that haven’t been changed.
Threat hunting can expose the types of attacks that standard security measures can miss. If a brute force attack has been used to successfully enter the system, a threat hunter can detect the attack even though it’s operating under the guise of legitimate credentials.
is the process of identifying, evaluating, treating, and reporting on security vulnerabilities in systems and the software that runs on them. This, implemented alongside with other security tactics, is vital for organizations to prioritize possible threats and minimizing their “attack surface.”
Security vulnerabilities , in turn, refer to technological weaknesses that allow attackers to compromise a product and the information it holds. This process needs to be performed continuously in order to keep up with new systems being added to networks, changes that are made to systems, and the discovery of new vulnerabilities over time.
Vulnerability management software can help automate this process. They’ll use a vulnerability scanner and sometimes endpoint agents to inventory a variety of systems on a network and find vulnerabilities on them. Once vulnerabilities are identified, the risk they pose needs to be evaluated in different contexts so decisions can be made about how to best treat them. For example, vulnerability validation can be an effective way to contextualize the real severity of a vulnerability.
Generally, a Vulnerability Assessment is a portion of the complete Vulnerability Management system. Organizations will likely run multiple Vulnerability Assessments to get more information on their Vulnerability Management action plan.
At the heart of a typical vulnerability management solution is a vulnerability scanner. The scan consists of four stages:
Vulnerability scanners are able to identify a variety of systems running on a network, such as laptops and desktops, virtual and physical servers, databases, firewalls, switches, printers, etc. Identified systems are probed for different attributes: operating system, open ports, installed software, user accounts, file system structure, system configurations, and more. This information is then used to associate known vulnerabilities to scanned systems. In order to perform this association, vulnerability scanners will use a vulnerability database that contains a list of publicly known vulnerabilities.
Properly configuring vulnerability scans is an essential component of a vulnerability management solution. Vulnerability scanners can sometimes disrupt the networks and systems that they scan. If available network bandwidth becomes very limited during an organization’s peak hours, then vulnerability scans should be scheduled to run during off hours.
If some systems on a network become unstable or behave erratically when scanned, they might need to be excluded from vulnerability scans, or the scans may need to be fine-tuned to be less disruptive. Adaptive scanning
is a new approach to further automating and streamlining vulnerability scans based on changes in a network. For example, when a new system connects to a network for the first time, a vulnerability scanner will scan just that system as soon as possible instead of waiting for a weekly or monthly scan to start scanning that entire network.
Vulnerability scanners aren’t the only way to gather system vulnerability data anymore, though. Endpoint agents allow vulnerability management solutions to continuously gather vulnerability data from systems without performing network scans. This helps organizations maintain up-to-date system vulnerability data whether or not, for example, employees’ laptops are connected to the organization’s network or an employee’s home network.
Regardless of how a vulnerability management solution gathers this data, it can be used to create reports, metrics, and dashboards for a variety of audiences.
After vulnerabilities are identified, they need to be evaluated so the risks posed by them are dealt with appropriately and in accordance with an organization’s risk management strategy. Vulnerability management solutions will provide different risk ratings and scores for vulnerabilities, such as Common Vulnerability Scoring System (CVSS) scores. These scores are helpful in telling organizations which vulnerabilities they should focus on first, but the true risk posed by any given vulnerability depends on some other factors beyond these out-of-the-box risk ratings and scores.
Here are some examples of additional factors to consider when evaluating vulnerabilities:
Like any security tool, vulnerability scanners aren’t perfect. Their vulnerability detection false-positive rates, while low, are still greater than zero. Performing vulnerability validation with penetration testing tools
and techniques helps weed out false-positives so organizations can focus their attention on dealing with real vulnerabilities. The results of vulnerability validation exercises or full-blown penetration tests can often be an eye-opening experience for organizations that thought they were secure enough or that the vulnerability wasn’t that risky.
Once a vulnerability has been validated and deemed a risk, the next step is prioritizing how to treat that vulnerability with original stakeholders to the business or network. There are different ways to treat vulnerabilities, including:
Vulnerability management solutions provide recommended remediation techniques for vulnerabilities. Occasionally a remediation recommendation isn’t the optimal way to remediate a vulnerability; in those cases, the right remediation approach needs to be determined by an organization’s security team, system owners, and system administrators. Remediation can be as simple as applying a readily-available software patch or as complex as replacing a fleet of physical servers across an organization’s network.
When remediation activities are completed, it’s best to run another vulnerability scan to confirm that the vulnerability has been fully resolved.
However, not all vulnerabilities need to be fixed. For example, if an organization’s vulnerability scanner has identified vulnerabilities in Adobe Flash Player on their computers, but they completely disabled Adobe Flash Player from being used in web browsers and other client applications, then those vulnerabilities could be considered sufficiently mitigated by a compensating control.
Performing regular and continuous vulnerability assessments enables organizations to understand the speed and efficiency of their vulnerability management program over time. Vulnerability management solutions typically have different options for exporting and visualizing vulnerability scan data with a variety of customizable reports and dashboards. Not only does this help IT teams easily understand which remediation techniques will help them fix the most vulnerabilities with the least amount of effort, or help security teams monitor vulnerability trends over time in different parts of their network, but it also helps support organizations’ compliance and regulatory requirements
Threats and attackers are constantly changing, just as organizations are constantly adding new mobile devices, cloud services, networks, and applications to their environments. With every change comes the risk that a new hole has been opened in your network, allowing attackers to slip in and walk out with your crown jewels.