A brute force attack is an old but still reliable way of taking over an account: the attacker guesses the password (or key) by trying one candidate after another against the target system until one matches.
Today the guessing is automated, and the candidate lists are often built from large collections of credentials stolen in earlier breaches from other victims.
The same trial-and-error approach works against passwords, encryption keys and other login secrets, and it remains a dependable way into user accounts, networks and organisations' systems.
The name comes from the method itself: no clever flaw is exploited, only computing power applied to guessing.
What Are The Various Types Of Brute Force Attacks
Although the idea is simple, brute force attacks come in several variants that differ in where the guesses come from:
- Credential Stuffing. The attacker already holds username/password pairs leaked from one service and replays them against the victim's other accounts to see whether they match there too. It works because of poor password hygiene: many people reuse one password, and one login, across multiple accounts;
- Reverse Brute Force Attacks. The attacker starts from one known or very common password and tries it against a large pool of stolen or guessed usernames, looking for any account that happens to use it;
- Hybrid Brute Force Attacks. A dictionary attack combined with simple brute force: each dictionary word is extended with common mutations such as capitalisation, an appended year or a trailing symbol (so 'summer' also yields 'Summer2023!'). The guess list stays small but covers the way people actually modify words;
- Dictionary Attacks. The attacker feeds a wordlist (common passwords, previously leaked passwords, ordinary dictionary words) to an automated tool that tries each entry in turn. Because the list is far smaller than the full keyspace this is usually much faster than exhaustive guessing, but it only succeeds if the password is on the list;
- Simple Brute Force Attacks. The attacker tries every possible combination of characters, most likely ones first. Tools usually begin with guesses like '123456' or 'qwerty', because even today some people still use these as passwords or usernames, and then work outward through the keyspace.
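To make the differences between these variants concrete, here is an added Python illustration (not code from the original article) that runs a dictionary, a hybrid and an exhaustive guess generator against the SHA-256 hash of a constructed password. The wordlist, the mutation rules, the alphabet and the guess budget are all assumptions chosen for the demo.

```python
"""Offline guessing against a hashed password with the three guess sources above.

Added illustration, not code from the original article. The target hash, the
wordlist, the mutation rules and the guess budget are all constructed here.
"""
import hashlib
import itertools
import string
from typing import Iterable, Iterator, Optional, Tuple

# Constructed target: a dictionary word with a typical "hybrid" mutation.
TARGET_HASH = hashlib.sha256(b"summer2023!").hexdigest()

# Constructed mini wordlist standing in for a real dictionary file.
WORDLIST = ["password", "letmein", "welcome", "summer", "dragon", "qwerty"]

# Alphabet for the exhaustive search (assumption: lower case plus digits).
LOWER_DIGITS = string.ascii_lowercase + string.digits


def sha256_hex(candidate: str) -> str:
    return hashlib.sha256(candidate.encode()).hexdigest()


def dictionary_candidates(words: Iterable[str]) -> Iterator[str]:
    """Dictionary attack: each wordlist entry exactly as listed."""
    yield from words


def hybrid_candidates(words: Iterable[str],
                      years: Iterable[int] = range(2020, 2025),
                      suffixes: Tuple[str, ...] = ("", "!", "123")) -> Iterator[str]:
    """Hybrid attack: each word in three capitalisations, then with year + suffix.

    `years` must be re-iterable (a range or list), since it is walked per word."""
    for word in words:
        for base in (word, word.capitalize(), word.upper()):
            yield base
            for year in years:
                for suffix in suffixes:
                    yield f"{base}{year}{suffix}"


def exhaustive_candidates(alphabet: str, max_len: int) -> Iterator[str]:
    """Simple brute force: every string over `alphabet` up to `max_len` chars."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            yield "".join(chars)


def keyspace(alphabet_size: int, max_len: int) -> int:
    """How many candidates an exhaustive search covers up to `max_len`."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def crack(target_hash: str, candidates: Iterable[str],
          budget: int = 1_000_000) -> Tuple[Optional[str], int]:
    """Hash each candidate and compare; returns (match or None, guesses made).

    `budget` caps the work so an exhaustive run terminates in a demo."""
    guesses = 0
    for candidate in candidates:
        guesses += 1
        if sha256_hex(candidate) == target_hash:
            return candidate, guesses
        if guesses >= budget:
            break
    return None, guesses


if __name__ == "__main__":
    print("dictionary:", crack(TARGET_HASH, dictionary_candidates(WORDLIST)))
    print("hybrid:    ", crack(TARGET_HASH, hybrid_candidates(WORDLIST)))
    alphabet = LOWER_DIGITS + "!"
    print("exhaustive keyspace for 11 chars:", keyspace(len(alphabet), 11))
    print("exhaustive (capped):",
          crack(TARGET_HASH, exhaustive_candidates(alphabet, 11), budget=200_000))
```

The plain dictionary run exhausts its six entries without a hit, the hybrid run recovers 'summer2023!' on guess 156, and the exhaustive generator over 37 characters would need on the order of 10^17 guesses for an 11-character password. That gap is why attackers reach for wordlists and mutation rules first, and why a password drawn from a word plus a year is not meaningfully stronger than the word alone.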
Why Threat Actors Do Brute Force Attacks
Brute force attacks can be quite time consuming, so the final goal has to be worth the effort. Threat actors typically run them for one of the following reasons:
- Damage a company's or website's reputation. Brute force attacks are usually run to steal valuable and sensitive information, but a compromised account can also be used to hurt the target's reputation, not only its finances.
Threat actors can post obscene or offensive text and images, forcing the targeted website to be taken down and embarrassing the organisation that runs it;
- Take control of a system for further attacks. A brute-forced server or device can be recruited into a botnet and used to launch DDoS attacks that disrupt a target's defenses and systems, or used as a foothold to push further into the victim's network;
- Conduct malware attacks. With access to a victim's account, threat actors can send malicious attachments to everyone in the account's contact list, spreading malware through messages that look trustworthy.
They can also send Short Message Service (SMS) messages with malicious links that redirect recipients to infected websites or install malware;
- Steal valuable and sensitive information. Financial details, medical records and similar data can be sold, used to impersonate the victim, used to steal the victim's money directly, or reused in further attack campaigns;
- Advertisement scamming. After taking over a website, threat actors can redirect its traffic to sites stuffed with ads, infect the site itself or its visitors with malware, or plant spam links on the site for visitors to click, all of which earns them money;
How To Prevent Brute Force Attacks
You can reduce the risk of falling victim to a brute force attack with the following simple and useful measures:
- Using Web Application Firewalls (WAFs). A WAF can rate-limit requests to a specific URL (the login endpoint above all), so an outside source gets only a handful of guesses per minute, and it can block the vulnerability scanners attackers run against your site before an attack.
Many WAFs also absorb DoS traffic that would otherwise exhaust server resources;
- Using Unique Login URLs. Moving the login page from its default path to an unpredictable one does not by itself stop a brute force attack, but it defeats mass scanners that only try default paths.
Most attackers are unwilling to spend extra time locating the login page and move on to easier targets;
- Disabling Root SSH Logins. In your sshd_config file set "PermitRootLogin no" and, as a second line of defense, add "DenyUsers root", then reload sshd.
Brute force attacks over the Secure Shell (SSH) protocol overwhelmingly target the root user because its name is known in advance; with these settings a guessed root password is useless, and an attacker has to guess both a valid username and its password;
- Using CAPTCHAs. The rather long name stands for "Completely Automated Public Turing test to tell Computers and Humans Apart". A CAPTCHA on the login form blocks the bots and spam tools that drive brute force attacks against websites.
Its tasks, such as clicking a specific area of the page or spotting a pattern in a set of images, are easy for humans but hard for automated programs;
- Using Two-Factor Authentication (2FA). With 2FA a correct password alone is not enough: before you are granted access, for example to your email account, you must also provide a second factor, such as a code sent to your phone that you type in. A brute-forced password therefore does not by itself hand the attacker the account;
- Monitoring IP addresses. Monitor login attempts, alert on those that come from unusual IP addresses or that fail repeatedly, and block the offending addresses. This is especially useful when employees work remotely: define which IP addresses or ranges are expected to reach your website and treat everything else as suspicious;
- Using Strong Passwords. Finally, the most important rule: always use long, complex passwords. People often do not realise how much of their security depends on having proper passwords in place.
When creating a password combine upper- and lower-case letters, numbers and other characters, and above all make it long; length is what really drives up the cost of a brute force attack.
To avoid having to remember such long and complex passwords, use a password manager; there are plenty of them to choose from.
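A check for the sshd_config settings from the list above, as an added example (not the article's own code): it parses a constructed weak configuration and a constructed hardened one and reports whether root can still log in. It also encodes a caveat the tip glosses over: sshd uses the first value it finds for each keyword, so a hardened line appended below an earlier "PermitRootLogin yes" is ignored. On a real host, `sshd -T | grep -i permitrootlogin` shows the value sshd actually resolved.

```python
"""Check whether an sshd_config actually disables root logins.

Added example, not from the original article; both config texts are
constructed. The caveat it encodes: sshd honours the *first* value it sees
for a keyword, so appending "PermitRootLogin no" below an existing
"PermitRootLogin yes" changes nothing.
"""
from typing import Dict, List

# Constructed "before": root allowed, and the hardening line added too late.
WEAK_CONFIG = """\
# /etc/ssh/sshd_config (constructed)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# appended later by an admin expecting it to take effect:
PermitRootLogin no
"""

# Constructed "after": the hardened values are the first occurrence.
HARDENED_CONFIG = """\
# /etc/ssh/sshd_config (constructed)
Port 22
PermitRootLogin no
DenyUsers root
PasswordAuthentication no
MaxAuthTries 3
"""


def parse_sshd_config(text: str) -> Dict[str, List[str]]:
    """Map each keyword (lower-cased) to the value tokens sshd would use.

    Keywords are case-insensitive, '#' starts a comment, and the first
    occurrence of a keyword wins. Parsing stops at the first Match block,
    whose conditional settings are outside this simple check (assumption:
    the 'Key=value' spelling is not used)."""
    settings: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        key = tokens[0].lower()
        if key == "match":
            break
        settings.setdefault(key, tokens[1:])  # later duplicates are ignored
    return settings


def root_login_findings(text: str) -> List[str]:
    """Return findings; an empty list means root cannot log in over SSH."""
    cfg = parse_sshd_config(text)
    findings: List[str] = []
    # OpenSSH's default is prohibit-password: root may still log in with a key.
    permit = cfg.get("permitrootlogin", ["prohibit-password"])
    value = permit[0] if permit else ""
    if value != "no":
        findings.append(f"PermitRootLogin effectively '{value}', want 'no'")
    if "root" not in cfg.get("denyusers", []):
        findings.append("DenyUsers does not list root")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, root_login_findings(cfg) or ["ok"])
```

The weak file yields two findings even though "PermitRootLogin no" is present in it, which is exactly the mistake a grep-based check would miss. The hardened file passes, and it additionally turns off password authentication and lowers MaxAuthTries, which removes the password-guessing surface for every account, not just root.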
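The rate-limiting and IP-monitoring tips above come down to counting failures per source address over a short window. The following is an added Python example, not from the original article, that does this over sshd auth log lines: the log lines are constructed in OpenSSH's "Failed password for ... from ..." format, and the window, the threshold and the trusted office range are assumptions to tune for your environment.

```python
"""Flag brute-force sources in sshd auth log lines and pick the IPs to block.

Added example, not from the original article. The log lines are constructed
in OpenSSH's "Failed password for ... from ..." format; the window, the
threshold and the trusted office range are assumptions to tune per site.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, Iterator, List, Set, Tuple

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

WINDOW = timedelta(seconds=60)           # assumption: sliding window size
THRESHOLD = 5                            # assumption: failures per IP in WINDOW
TRUSTED = [ip_network("192.0.2.0/24")]   # constructed office range: alert, never auto-block

# Constructed sample: a spraying bot, one honest typo, and a colleague on a bad day.
SAMPLE_LOG = """\
Mar  3 10:00:01 web1 sshd[4012]: Failed password for root from 203.0.113.9 port 50122 ssh2
Mar  3 10:00:02 web1 sshd[4013]: Failed password for invalid user admin from 203.0.113.9 port 50123 ssh2
Mar  3 10:00:02 web1 sshd[4014]: Failed password for invalid user test from 203.0.113.9 port 50124 ssh2
Mar  3 10:00:03 web1 sshd[4015]: Failed password for root from 203.0.113.9 port 50125 ssh2
Mar  3 10:00:04 web1 sshd[4016]: Failed password for invalid user oracle from 203.0.113.9 port 50126 ssh2
Mar  3 10:00:05 web1 sshd[4017]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar  3 10:00:09 web1 sshd[4018]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
Mar  3 10:05:00 web1 sshd[4020]: Failed password for bob from 192.0.2.10 port 40100 ssh2
Mar  3 10:05:02 web1 sshd[4021]: Failed password for bob from 192.0.2.10 port 40101 ssh2
Mar  3 10:05:04 web1 sshd[4022]: Failed password for bob from 192.0.2.10 port 40102 ssh2
Mar  3 10:05:06 web1 sshd[4023]: Failed password for bob from 192.0.2.10 port 40103 ssh2
Mar  3 10:05:08 web1 sshd[4024]: Failed password for bob from 192.0.2.10 port 40104 ssh2
"""


def parse_failures(log_text: str) -> Iterator[Tuple[datetime, str, str]]:
    """Yield (timestamp, username, source IP) for every failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            # syslog timestamps carry no year; strptime fills in 1900, which is
            # fine for ordering lines within one file.
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["user"], m["ip"]


def is_trusted(ip: str) -> bool:
    return any(ip_address(ip) in net for net in TRUSTED)


def detect_bruteforce(log_text: str, threshold: int = THRESHOLD,
                      window: timedelta = WINDOW) -> Dict[str, dict]:
    """Return, per flagged IP, its failure count, the usernames it tried and
    whether it sits in a trusted range. An IP is flagged once `threshold`
    failures land inside any `window`-long span."""
    recent: Dict[str, List[datetime]] = defaultdict(list)
    users: Dict[str, Set[str]] = defaultdict(set)
    total: Dict[str, int] = defaultdict(int)
    flagged: Set[str] = set()
    for ts, user, ip in parse_failures(log_text):
        total[ip] += 1
        users[ip].add(user)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:       # drop failures older than the window
            q.pop(0)
        if len(q) >= threshold:
            flagged.add(ip)
    return {ip: {"failures": total[ip], "users": sorted(users[ip]),
                 "trusted": is_trusted(ip)} for ip in sorted(flagged)}


def decide_blocks(report: Dict[str, dict]) -> Set[str]:
    """IPs to hand to the firewall: flagged and outside every trusted range."""
    return {ip for ip, info in report.items() if not info["trusted"]}


if __name__ == "__main__":
    report = detect_bruteforce(SAMPLE_LOG)
    for ip, info in report.items():
        print(ip, info)
    print("block:", decide_blocks(report))
```

The bot spraying root, admin, test and oracle from 203.0.113.9 is flagged and blocked; the many distinct usernames from one address are themselves a strong brute-force signal. Bob's five failures from the trusted office range are reported but not auto-blocked, which keeps an over-eager rule from locking out your own staff. In production the block set would feed fail2ban or a firewall rule rather than a print statement.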