Brute Force Attack
In a Brute Force Attack, the adversary tries to guess the username-password combination repeatedly to gain access, without the risk of detection. Reverse Brute Force Attack may be unleashed through Password Spraying where multiple user accounts are sprayed with commonly used passwords such as “password”, “Password123” etc. Also, credentials obtained from dark web are used to hack other accounts that could very possibly be using the same password – a classic case of Credential Stuffing.
Types of Brute Force Attacks
Simple Brute Force Attacks
A simple brute force attack occurs when a hacker attempts to guess a user’s login credentials manually without using any software. This is typically through standard password combinations or personal identification number (PIN) codes.
These attacks are simple because many people still use weak passwords, such as “password123” or “1234,” or practice poor password etiquette, such as using the same password for multiple websites. Passwords can also be guessed by hackers that do minimal reconnaissance work to crack an individual’s potential password, such as the name of their favorite sports team.
A dictionary attack is a basic form of brute force hacking in which the attacker selects a target, then tests possible passwords against that individual’s username. The attack method itself is not technically considered a brute force attack, but it can play an important role in a bad actor’s password-cracking process.
The name “dictionary attack” comes from hackers running through dictionaries and amending words with special characters and numbers. This type of attack is typically time-consuming and has a low chance of success compared to newer, more effective attack methods.
Hybrid Brute Force Attacks
A hybrid brute force attack is when a hacker combines a dictionary attack method with a simple brute force attack. It begins with the hacker knowing a username, then carrying out a dictionary attack and simple brute force methods to discover an account login combination.
The attacker starts with a list of potential words, then experiments with character, letter, and number combinations to find the correct password. This approach allows hackers to discover passwords that combine common or popular words with numbers, years, or random characters, such as “SanDiego123” or “Rover2020.”
Reverse Brute Force Attacks
A reverse brute force attack sees an attacker begin the process with a known password, which is typically discovered through a network breach. They use that password to search for a matching login credential using lists of millions of usernames. Attackers may also use a commonly used weak password, such as “Password123,” to search through a database of usernames for a match.
Credential stuffing preys on users’ weak password etiquettes. Attackers collect username and password combinations they have stolen, which they then test on other websites to see if they can gain access to additional user accounts. This approach is successful if people use the same username and password combination or reuse passwords for various accounts and social media profiles.
- Attackers can sneak into a host and launch offline attacks that tend to be more effective but all the more difficult to detect and thwart.
- Lack of security hygiene, particularly for password creation and maintenance, can lead to an easy win for Brute Force Attack.
- Connections to applications and servers without VPN or strong SSL could make it easier for attacker to take advantage of online mode.
It is crucial for a solution to presume Zero-Trust and rely on contextual awareness and behavioral Analytics to identify attacks. This solution takes into consideration geo location, IP address, time-of-day, device, login frequency and policy violations, along with anomalous user behavior by the leveraging Machine Learning. Also, the platform looks for signs like new login at the host, new connection and new command to identify a potential case for credential stuffing.
Additional scenarios of Brute Force Attack tracked and detected by aiSIEM and aiXDR:
- Large number of failed logins from single/multiple IPs, internal or external, against a single/multiple usernames.
- Failed logins from new geo locations or new user device.
- Large number of Account Lockouts.
- Password spraying brute force attack to breach accounts with simple password.
The solution goes a step further and determines if the attacker has successfully breached the account. Beyond raising alerts, the solution helps eliminate attacks from being successful by pushing policies to the firewalls to block the IP address(s) from where the attacks are originating, or disable the user by pushing the policy to domain controller.