What are brute force attacks - and how can you protect yourself from them?
by Tina Siering
What is a brute force attack - and how do you prevent one?
There are elegant, sneaky and sophisticated cyber attacks - and there are brute force attacks. In brute force attacks, hackers take a comparatively blunt approach: they automatically try out as many password combinations for a user account as possible, hoping that one of them will succeed. The success or failure of a brute force attack depends on only two factors: time and available resources. In principle, any password can be cracked by simply trying out possible combinations. The time required for the hack increases proportionally to the complexity of the password used. Modern high-performance computers, such as those used primarily by organized cybercriminals, can try out billions of combinations in a very short time.
What methods are used in brute force attacks?
Method 1: Simple brute force attacks
Simple brute force attacks can be carried out with minimal computing power, a little skill on the part of the attacker, and patience. The attacker systematically goes through word combinations, number sequences, or a mix of both until the attack succeeds. Many passwords can be guessed with a simple bot, and even attacks carried out manually are often successful. The reason lies in the laziness of users: passwords like "12345", one's own birthday or the absolute password classic "password" are not dead even in 2022.
Method 2: Dictionary attacks
Many users try to secure their accounts with complex words that no one but themselves can associate with their account. In fact, simple brute force attacks quickly run out of steam with complex passwords. Cybercriminals know this, too, and rely on so-called dictionary attacks. Here, digital dictionaries or word lists are used as an aid and processed fully automatically. They cover single words, word combinations, different or outdated spellings and foreign languages. Users who rely on a single word as a password lose their protection in just a few seconds - and the account is in the hands of the cybercriminals.
Method 3: Hybrid brute force attacks
In the hybrid form of brute force attacks, attackers combine techniques of simple brute force attacks with dictionary attacks. This method combines commonly used passwords with randomly generated characters and dictionary entries. Thanks to lists purchased on the darknet, statistical mapping of individual population groups and behavioral observations, cybercriminals find out who uses which word combinations most often and where. If you think that your chosen password "ITS3CUri7y-22" is safe, we have to disappoint you: this is exactly the kind of combination hybrid brute force attacks specialize in.
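The following check shows, from the defender's side, why a password such as "ITS3CUri7y-22" offers little protection: once character substitutions are undone and leading or trailing digits and symbols are stripped, it collapses to a dictionary word. This is an added example, not code from the original article; the word list, the substitution table and the function names are assumptions chosen for illustration.

```python
import re

# Constructed sample word list; a real policy check would load a large
# dictionary plus lists of leaked passwords.
WORDLIST = {"password", "security", "itsecurity", "summer", "welcome", "dragon"}

# Common character substitutions ("leetspeak") that hybrid attacks undo.
# The table is an assumption for this example, not an exhaustive list.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def candidate_bases(password):
    """Return the normalized forms a hybrid attack effectively covers."""
    lowered = password.lower()
    # Strip digit/symbol runs at either end (years, "-22", "!").
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", lowered)
    forms = set()
    for text in (lowered, core):
        undone = text.translate(LEET)
        forms.add(re.sub(r"[^a-z]", "", text))    # letters only
        forms.add(re.sub(r"[^a-z]", "", undone))  # substitutions undone first
    forms.discard("")
    return forms


def is_hybrid_guessable(password, wordlist=WORDLIST):
    """True if the password reduces to a word list entry after normalization."""
    return bool(candidate_bases(password) & set(wordlist))


if __name__ == "__main__":
    for pw in ("ITS3CUri7y-22", "P@$$w0rd1", "kV9#tQ2m!xLp"):
        print(pw, "->", "reject" if is_hybrid_guessable(pw) else "accept")
```

A check like this belongs where passwords are set or changed, so that passwords of this kind are rejected before they are ever used.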
Method 4: Reverse brute force attacks
Once compromised, passwords often end up as leaks on the darknet. They are an inspiring source for cybercriminals, who then only have to find the username that matches each password. A great many users do not observe the most basic security requirements for a login ID - which makes hacking usernames a rather lucrative business. With reverse brute force attacks, cyber attackers find the name that matches a password by simply reversing the order of the "classic" brute force attack: the hackers start with a known password and automatically try all possible (and impossible) user IDs for it.
Method 5: Credential Stuffing
Credential stuffing exploits the power of habit - and has thus become an incredibly efficient method, to which we dedicated a separate blog article almost exactly a year ago. Credential stuffing relies on the fact that many users have a "favorite password" that they use to log in to various sites. The favorite password is usually not even particularly secure - or if it is, it is gladly saved directly in the browser. Cybercriminals know about the power of habit and like to go shopping on the darknet. There are numerous lists there that have found their way onto the net through cyberattacks or leaks and contain credentials neatly sorted. Credential stuffing involves feeding bots with the available credentials - and unleashing them on a wide variety of websites. Successful login attempts are recorded by the hackers and then either used for further cyberattacks or sold on the darknet.
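The methods above leave different traces in authentication logs: simple, dictionary and hybrid attacks produce many failures against one account, while reverse brute force and credential stuffing produce failures spread across many accounts from one source. The following detection sketch is an added example, not code from the original article; the log format, the thresholds and all names are assumptions, and the lines passed in are assumed to cover one time window.

```python
from collections import defaultdict

# Thresholds are assumptions for this example; tune them to real traffic.
MAX_FAILS_PER_ACCOUNT = 5    # failures against one account from one source
MAX_ACCOUNTS_PER_SOURCE = 4  # distinct accounts failing from one source


def parse(line):
    """Parse 'TIMESTAMP RESULT src=IP user=NAME' (constructed log format)."""
    ts, result, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return ts, result, kv["src"], kv["user"]


def classify_sources(lines):
    """Map each suspicious source IP to the failure pattern it matches."""
    fails = defaultdict(lambda: defaultdict(int))  # src -> user -> failures
    for line in lines:
        _, result, src, user = parse(line)
        if result == "FAIL":
            fails[src][user] += 1
    findings = {}
    for src, per_user in fails.items():
        if len(per_user) >= MAX_ACCOUNTS_PER_SOURCE:
            # Many accounts, few tries each: reverse brute force or stuffing.
            findings[src] = "many-accounts"
        elif max(per_user.values()) >= MAX_FAILS_PER_ACCOUNT:
            # Many tries against one account: simple, dictionary or hybrid.
            findings[src] = "single-account"
    return findings


def build_sample_log():
    """Constructed sample data, not taken from a real system."""
    log = [f"2022-03-01T10:00:{i:02d}Z FAIL src=203.0.113.5 user=alice"
           for i in range(6)]
    log += [f"2022-03-01T10:01:{i:02d}Z FAIL src=198.51.100.7 user=user{i}"
            for i in range(5)]
    log += ["2022-03-01T10:02:00Z FAIL src=192.0.2.10 user=bob",
            "2022-03-01T10:02:05Z OK src=192.0.2.10 user=bob"]
    return log


if __name__ == "__main__":
    for src, pattern in classify_sources(build_sample_log()).items():
        print(src, pattern)
```

The single mistyped password from 192.0.2.10 stays below both thresholds and is not flagged.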
Why do cybercriminals use brute force attacks?
The motivation behind brute force attacks is extremely varied. Many hackers use the method to take control of a system or to gain access to pages that are actually hidden. The distribution of malware is also high on the cyber attackers' "to-do list". Let's take a look at the motivation in detail.
Spam, spam and more spam
Advertising on the Internet is always annoying - but still extremely lucrative. Using illegally obtained access to websites, hackers can bombard unsuspecting visitors with advertisements - and earn money per click or insertion. Another popular method is to redirect visitors to a pharming website without them noticing. This looks deceptively similar to the original, but delivers spam instead of the desired added value.
Malware
Brute force attacks are often used to spread malware of all kinds within a system. In harmless cases, "only" adware is smuggled onto the compromised system, which then inundates the user with advertising. In more serious cases, malware can gain access to sensitive personal data.
Stealing data
Once hackers have gained access to a system through a brute force attack, they can in many cases grab data of all kinds without hindrance. From account information to trade secrets, hackers read compromised systems like an open book.
Ordering products
In January 2022, a brute-force attack from abroad took place on the major online bookseller Thalia. Numerous credentials were hacked in the attack, which ran for several hours. Although Thalia was unable to detect any conspicuous orders placed via the hacked accounts, ordering products on someone else's account is one of the most common motivations for brute force attacks. Immediately after the hacker attack became known, extensive countermeasures were initiated and the passwords of affected accounts were reset.
Protection against brute force: How to secure yourself and your company
The good news first: you don't need highly specialized IT security to put a stop to cyberattacks using brute force methods! With the following actions, you are already securing your access and your company well:
Establish password policies
Established policies reliably prevent a company's employees from using passwords that are too weak, or from reusing old passwords after a password's time limit has expired. The policy should also state that passwords must not be written down, and must not be stored or sent unencrypted.
Password management software
Automated password setup and management significantly increase access security. Password management software provides highly complex passwords, offers centralized password management and, last but not least, brings noticeable time and cost savings.
Multi-factor authentication
A strong password is good - multi-factor authentication is better! With MFA, two or more credentials are required to gain access to a system. For example, a combination of password entry and a code sent to the smartphone is common.
Act actively instead of reacting passively
If brute force attacks are detected in the early stages of the attack, the vast majority of major problems can be prevented. With Active Cyber Defense, the managed service for early attack detection from Allgeier secion, attack activities in the network are detected in time for efficient countermeasures to be initiated.
Conclusion
Brute force attacks are neither complex nor intelligent - but all the more successful. Yet no expensive, highly specialized IT security is needed to put a stop to the attacks. Regularly changing passwords, using password managers and two-stage authentication procedures still do not make it impossible to tap into user data, but these small measures at least make it more difficult for cyber attackers to carry out their machinations.
Allgeier secion's 24/7 Threat Hunting and Incident Response Service is recommended for effective early detection of attacks, especially brute force attacks. Active Cyber Defense proactively and continuously analyzes the corporate network for anomalies. In the event that the networks are compromised, the ACD team informs you immediately and provides concrete recommendations for action to avert damage from the attackers - for reliable detection of cyber attacks in the early stages.