The Easiest Way to Commit a Cyberattack – Protecting Your Business Against Brute Force Attacks

Brute forcing a password is a crude, ineffective and inefficient tactic. Nevertheless, attackers commonly use brute force attacks, and are often successful enough that it remains a common tactic. With brute force attacks, a threat actor will use automated software designed to attempt to log in to an account on a web application by trying password after password until they log in. 

There is a good chance that an attacker has already tried to brute force their way into your organisation, since this type of attack is so easy to carry out. There are many highly developed brute force tools out there on underground markets, with some being very cheap or even free. These free brute force programs will usually use crude methods like basic dictionary attacks (brute forcing with every word in the English dictionary), but even these can be successful if password security is poor enough. 

Brute force attacks are basic in their premise, and very simple to attempt. Because these attacks are often time consuming, many attackers will try to scope out information before they start a brute force attack to improve success rate. Some attackers will try to breach your organisation in other ways first to probe for information such as password lengths or usernames to make the process a little easier. They may also use this information to start a reverse brute force attack which is trying one password against a list of employee usernames. 

Types of Brute Force Attack 

There are several methods of brute force attack that threat actors use. While every type of brute force attack follows the same premise – to try every possible password until access is granted – the method an attacker uses to find the password differs. Here is a list of some of the more common methods: 

Simple Brute Force Attack 

Simply trying every possible password combination within the character limit. This is extremely time consuming and very outdated as a lot of modern sites have login attempt limits. This tactic is usually used on outdated websites and password protected files. 

Reverse Brute Force Attack 

 As mentioned earlier, a reverse brute force attack uses a known password or a list of common passwords against employee usernames. This requires some knowledge of the usernames perhaps garnered from a different data breach, and is used to target specific networks. 

Credential Stuffing 

This type of attack uses login details that have already been breached beforehand. The attacker will use these details to try and log in to other sites and applications, as people regularly use the same username and password. 

Rainbow Table Attack 

This type of brute force attack targets encrypted passwords rather than the passwords themselves. For security, passwords are hashed. This means that they are encrypted randomly using a precomputed mathematical process known as a hash. A rainbow table contains the solutions to many hashes, and by brute forcing an encrypted password with these solutions, an attacker may eventually be able to decrypt the password. 

Detecting a Brute Force Attack 

Brute force attacks are usually very easy to detect early on, and can act as a warning sign that you may be the target of other cyberattacks in the future. As described above, many brute force attacks use data that has already been breached to help ease the process. If the attacker hasn’t already got the data they need, a brute force attack can be a sign for you to shore up your defences for future attacks. 

A brute force attack will often look very obvious when monitored, but it is important to be able to distinguish an attack from someone who has forgotten their password. Many failed logins in a row from the same IP address are something to look out for. Sometimes these login attempts will appear sporadic and start at different times of the day – this could be a sign that an attacker is trying to avoid being detected or is trying to bypass the lockout timer of failed login attempts. Usernames or passwords that attackers use will also be able to identify an attacker, as brute force programs will often try different passwords in a sequential order. 

Preventing Brute Force Attacks 

Thankfully, since brute force attacks are often very simple in nature, they are usually fairly simple to prevent. Below is a list of ways you could stop brute force attacks: 

Limited Login Attempts 

One of the most straightforward ways to prevent brute force attacks. These attacks rely on sheer volume of repeated attempts. By setting a limit on the number of times an IP address can attempt to login, you force attackers to jump through more hoops such as having to wait for the lockout timer, or having to go for a distributed attack using multiple IPs. 

Multi Factor Authentication 

Multi Factor Authentication (MFA) is the groundwork for good security. MFA improves security against most cyberattacks, but will also make it much more difficult to brute force. Having an extra step in place such as a magnetic stripe card or an authentication token means an attacker can’t access an account even after brute forcing. 

Use a Password Manager or Different Passwords 

Making sure to use different passwords all across the internet can stop credential stuffing. Even if attackers manage to get the details for one account, others won’t be compromised. Password managers can help you keep unique, secure passwords across different accounts. 

Using Basic Password Security Techniques 

You can use some basic password security measures to minimise the likelihood of a hacker brute forcing your password. Avoiding the complete spelling of English words can prevent dictionary attacks. Using upper case, lower case, and special characters, as well as avoiding numerical sequences such as ‘1234’ can make it harder for brute force programs to guess the password. 

How Securiwiser Can Help 

Our goal is to help you improve your cybersecurity posture as an organisation. With Securiwiser, you can monitor the strength of your organisation’s defences and take steps to improve. 

Securiwiser will identify the strength of individual areas of your organisation’s network using a robust scoring system, and will provide you with in depth tips and information so you can stay secure. 

[C]lick here for a free cybersecurity evaluation, and learn how your organisation can become more secure.](https://www.securiwiser.com/)