How to Protect Your Business From a Brute Force Attack


Data breaches are every business’s worst nightmare. With every passing year, hackers find new ways to gain unauthorized access to enterprises’ IT environments and exfiltrate sensitive data. 

 

According to IBM’s Cost of a Data Breach Report 2023, the average cost of a data breach was $4.45 million, and stolen or compromised credentials were the initial attack vector in 15% of the breaches studied. 

 


 

Breaches that began with stolen or compromised credentials also took the longest to identify and contain: 328 days on average, longer than any other initial attack vector in the report. 

 

When cybercriminals hold valid usernames and passwords, getting into an enterprise’s IT estate is easy, even if it takes a few attempts. That’s why brute force attacks, whose whole purpose is to obtain those credentials, are so dangerous. 

 

But what is a brute force attack? 

 

Brute force attacks are one of the most dangerous and relentless types of cyberattack. A brute force attack is trial and error: the attacker submits candidate credentials one after another until one is accepted. Nothing about the target has to be broken; the attack relies only on the attacker being allowed enough guesses. 

 

When cybercriminals obtain the correct credentials after trying numerous password combinations, they can enter IT environments and secretly remain there for long periods. 

 

Every second a cybercriminal lingers undetected in an enterprise’s IT environment adds to the scale of the potential disaster. Brute force attacks are a major cybersecurity challenge and a risk that every enterprise must treat as a top priority. 

 

In this post, we’ll learn more about brute-force attacks and provide tips and tricks for protecting yourself from brute-force password-cracking methods. 

 

How and Why Brute Force Attacks Occur

 

To truly understand why brute force password attacks occur, it’s important to view them from the threat actor’s perspective. For threat actors, the goal is to access and exfiltrate sensitive data from enterprises. 

 

Businesses store this data across complex, often cloud-based IT infrastructures and fortify them with myriad cybersecurity layers, authentication controls (including two-factor and multi-factor authentication), and methodologies like zero trust. 

 

In some cases, when businesses neglect their cybersecurity posture, threat actors get luckier still: a single password is the only thing standing between them and the environment. Instead of defeating those layers one by one, brute force attacks boil things down to the basics: threat actors try possible passwords until one works. 

 

The amount of time it takes to conduct a brute-force attack varies. However, a threat actor doesn’t have to sit at a computer for a long period of time, cracking passwords and keys. Most brute force attack methods involve botnets and password-cracking tools, which makes it easier for threat actors to try every possible combination of credentials without any manual labour. 

 

Botnets are networks of computers that threat actors have compromised, without their owners’ knowledge, to use for compute-intensive work and to spread login attempts across thousands of source IP addresses so that blocking any single address achieves little. Through them, attackers replay passwords, passphrases, usernames, and keys that they have found or purchased on dark-web marketplaces or harvested from earlier data breaches. 

 

So, why do threat actors use brute-force methods to access enterprise IT environments? The primary reasons include stealing data, profiting from advertisements, injecting malicious code (malware, ransomware, spyware), manipulating website traffic, causing downtime and service disruptions, and taking over certain applications and networks within an IT estate to escalate attacks and cause even further damage. 

 

Another reason brute force attacks are so common is that threat actors find them easier than other forms of cyberattack. A wide range of open-source and inexpensive tools exists for the job, most of them built for legitimate password auditing and penetration testing: John the Ripper and Hashcat crack stolen password hashes offline; Medusa and THC-Hydra drive login attempts against live services such as SSH, RDP and web forms; L0phtCrack audits Windows password hashes; and Aircrack-ng recovers Wi-Fi keys. All of them run on Linux, Windows or macOS, and the accounts they target can live anywhere, including on mobile devices. 

 

Weak Passwords: The Catalyst Behind Brute Force Attacks

 

Before delving into the different types of brute force attacks, it’s important to understand one of the main reasons threat actors often find them easier to pull off: weak passwords. When victims have weak password hygiene, the success rate for brute force attacks skyrockets. 

 

Modern IT environments comprise hundreds, perhaps even thousands, of digital identities. These identities, each with its own set of credentials, have varying degrees of access and administrative privileges. However, identity and credential management are not always up to the mark, leaving businesses susceptible to brute-force attacks. 

 

Numerous factors make a password or a password culture weak. When multiple business accounts use common passwords for extended periods, this leaves them vulnerable. Furthermore, certain users utilize the same passwords for different accounts, and this is a problem because threat actors can gain a wider entryway into an IT environment. Certain businesses also use default router keys and passwords, which makes it much simpler for threat actors to infiltrate Wi-Fi networks.  

 

In the modern world, people link their digital accounts (including email, business, and social media accounts) to multiple services. Therefore, if a cybercriminal manages to access one account, they can potentially break into and manipulate multiple services. 

 

It doesn’t help that numerous users across diverse industries and contexts resort to using weak passwords, including primarily lowercase letters (apple), a generic string of numbers (123456789), date of birth, names, and words without special characters. By not having strong password hygiene, enterprises essentially become collaborators in their own demise.   

 

The Different Types of Brute Force Attacks

 

Businesses must be aware of multiple types of brute force attacks and the nuances of each. Otherwise, defending themselves from such cyberattacks is incredibly challenging. The following are the main types of brute force password cracking attacks to be aware of.

 

Simple Brute Force Attacks

 

Devoid of any complex external logic or frameworks, a simple brute force attack involves meticulously trying one password after another. In this model, threat actors simply use varying combinations of words, numbers, and special characters until they find the right user password. 

 

Threat actors can run simple brute force attacks manually, but doing so takes far too much time and effort to be practical. In practice, even simple brute force password cracking is automated. 

 

Simple brute-force attacks work better with weak passwords because bots can easily crack them. For complex passwords, threat actors typically use other forms of brute-force password cracking.   

 

Reverse Brute Force Attack 

 

This form of attack is a sort of inversion of traditional brute-force password cracking. In normal brute-force attacks, threat actors typically try to find the correct passwords. In reverse brute-force attacks, threat actors already possess the passwords. Instead, they use known passwords to crack usernames. 

 

But how do they gain possession of passwords? 

 

Every large data breach that leaks passwords feeds the lists of common passwords sold or shared on dark-web marketplaces. Adversaries take the passwords that appear most often in those lists and try each one against a large number of usernames; when one password is tried across many accounts this way, the technique is also called password spraying. 

 

Reverse brute force attacks are effective because enterprises tend to focus on password hygiene and neglect their usernames, which are often predictable (first initial plus surname, or simply an email address), and because one or two attempts per account stay below the per-account lockout threshold that would catch a conventional brute force attack. 

 

Credential Stuffing 

 

In the previous two models, we looked at how threat actors can conduct attacks with either a password or a username. But what happens if they have both? The obvious answer is that they can take over a particular account. 

 

However, credential stuffing involves using a known password and username across multiple accounts to see if users reuse their credentials across various services or web applications. 

 

Some common credential stuffing scenarios include e-commerce scams and the exfiltration of business secrets and personal data. With the increasing number of data breaches worldwide, vast libraries of stolen usernames and passwords are available on the dark web, making credential stuffing a popular type of brute-force attack. 

 

Dictionary Attacks 

 

Businesses might believe that they are safe from simple brute force tools because their passwords are real words rather than strings like 123456. Dictionary attacks exist precisely for that case. 

 

In a dictionary attack, threat actors don’t enumerate every possible character combination. They work through a prepared list of likely passwords: dictionary words in many languages, names, places, and, above all, passwords that have appeared in earlier breaches. Because such a list can hold millions of entries, obscure words, foreign words, and alternative spellings are in there too. A password that is a word, however uncommon, is therefore a weak password, and the dictionary attack finds it in a fraction of the time a character-by-character search would need. 

 

Hybrid Brute Force Attacks

 

Now that we have explored traditional brute-force password-cracking attacks and dictionary attacks, it makes sense to examine hybrid brute-force attacks. Hybrid brute-force attacks are essentially an amalgamation of normal brute-force attacks and dictionary attacks. 

 

This form of brute force password cracking is particularly effective when potential victims use a word dressed up with numbers and special characters (for example, p@r@d1$e). A plain dictionary attack that tries each word verbatim won’t find p@r@d1$e. A hybrid attack takes each dictionary word and applies mangling rules: capitalising letters, substituting @ for a and 1 for i, appending digits or a year. The dressed-up word is then reached after a few hundred extra guesses per word rather than the billions a full character-by-character search would need. 
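To make the difference concrete, here is an added Python example (not code from the original post) that expands a constructed four-word list with case changes, leet substitutions and common suffixes, then runs a plain dictionary attack and a hybrid attack against the SHA-256 hash of a constructed password. The wordlist, the substitution table and the suffixes are assumptions chosen for illustration; real tools such as Hashcat and John the Ripper apply far larger rule sets to far larger lists.

```python
import hashlib
import itertools

# Constructed wordlist standing in for a dictionary or leaked-password list.
WORDLIST = ["password", "welcome", "paradise", "sunshine"]

# Assumed leet substitution table; real mangling rule sets are much larger.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}

# Assumed suffixes; a year, "123" and "!" are typical of what rules append.
SUFFIXES = ("", "1", "123", "!", "2024")


def sha256_hex(text):
    """Fast unsalted hash, the kind offline crackers test millions of times per second."""
    return hashlib.sha256(text.encode()).hexdigest()


def leet_variants(word):
    """Yield every combination of leaving a letter alone or substituting it."""
    options = [(ch, LEET[ch]) if ch in LEET else (ch,) for ch in word]
    for combo in itertools.product(*options):
        yield "".join(combo)


def hybrid_candidates(word, suffixes=SUFFIXES):
    """Dictionary word -> case variants x leet variants x suffixes, deduplicated."""
    seen = set()
    for base in (word, word.capitalize(), word.upper()):
        for variant in leet_variants(base):
            for suffix in suffixes:
                candidate = variant + suffix
                if candidate not in seen:
                    seen.add(candidate)
                    yield candidate


def dictionary_attack(target_hash, wordlist=WORDLIST):
    """Plain dictionary attack: every word tried verbatim, nothing else."""
    for word in wordlist:
        if sha256_hex(word) == target_hash:
            return word
    return None


def hybrid_attack(target_hash, wordlist=WORDLIST):
    """Hybrid attack: the same words, expanded by the mangling rules above."""
    for word in wordlist:
        for candidate in hybrid_candidates(word):
            if sha256_hex(candidate) == target_hash:
                return candidate
    return None


def candidate_count(wordlist=WORDLIST):
    """How many guesses the rules add on top of the bare wordlist."""
    return sum(1 for word in wordlist for _ in hybrid_candidates(word))


if __name__ == "__main__":
    target = sha256_hex("p@r@d1$e")  # constructed password from the text above
    print("dictionary:", dictionary_attack(target))  # None
    print("hybrid:    ", hybrid_attack(target))      # p@r@d1$e
    print("guesses:   ", candidate_count())
```

The bare dictionary misses p@r@d1$e; the hybrid pass finds it almost instantly, because the candidate space grew from four words to a few hundred guesses, not to the 95^8 combinations a blind search of 8 printable characters would face. Defenders can reuse the same generator to check whether a policy-compliant password in their own environment is nothing more than a dictionary word with rules applied.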

 

Botnets 

 

While we mentioned botnets and bots earlier, it’s still important to categorize them as a separate type of brute force attack. This is because the potency and success rate of brute force password cracking largely depend on the volume of attempts a threat actor can make. 

 

If threat actors work manually or with a single computer, it might take months, perhaps even years, to get close to a correct password. However, threat actors can leverage massive CPU and GPU power by orchestrating numerous hijacked computers to deploy brute force password cracking attacks at scale and speed.  

   

SSH Brute Force Attacks 

 

Businesses use SSH (Secure Shell) to log in to and administer remote machines over an untrusted network. SSH encrypts the traffic between the endpoints, authenticates the server with its host key, and authenticates the user with a password, a key pair, or a certificate. 

 

With SSH brute force attacks, threat actors point their tools at servers whose SSH port is reachable from the internet and guess passwords for accounts such as root, admin, or a deployment user. A server compromised this way gives the attacker a shell inside the network, from which escalating to a full-scale data breach is far easier. Internet-facing SSH servers see this traffic constantly, which is why password authentication should be disabled in favour of keys wherever possible and why failed logins in the authentication log deserve monitoring. 
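As an added example of what that monitoring looks like (this is illustrative code, not from the original post or from OpenSSH), the Python below parses a constructed excerpt of an OpenSSH auth log, counts failed password attempts per source address in a sliding window, and distinguishes a targeted brute force on one account from a spray or enumeration run across many usernames. The log lines, the year (syslog timestamps carry none), the threshold and the window are all assumptions; tools such as fail2ban implement the same idea in production.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed OpenSSH auth log excerpt (RFC 5737 documentation addresses, not real hosts).
SAMPLE_AUTH_LOG = """\
Jan 12 10:15:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Jan 12 10:15:02 web1 sshd[2102]: Failed password for invalid user oracle from 203.0.113.7 port 51123 ssh2
Jan 12 10:15:03 web1 sshd[2103]: Failed password for root from 203.0.113.7 port 51124 ssh2
Jan 12 10:15:04 web1 sshd[2104]: Failed password for invalid user test from 203.0.113.7 port 51125 ssh2
Jan 12 10:15:05 web1 sshd[2105]: Failed password for root from 203.0.113.7 port 51126 ssh2
Jan 12 10:15:06 web1 sshd[2106]: Failed password for root from 203.0.113.7 port 51127 ssh2
Jan 12 10:15:20 web1 sshd[2107]: Accepted publickey for deploy from 198.51.100.2 port 40010 ssh2: ED25519 SHA256:c0ffee
Jan 12 10:16:00 web1 sshd[2108]: Failed password for alice from 192.0.2.10 port 50001 ssh2
Jan 12 10:25:00 web1 sshd[2109]: Failed password for alice from 192.0.2.10 port 50002 ssh2
Jan 12 10:25:30 web1 sshd[2110]: Accepted password for alice from 192.0.2.10 port 50003 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
LOG_YEAR = 2024  # assumed: syslog timestamps carry no year


def parse_failures(log_text):
    """Return (timestamp, source_ip, username) for each failed password line."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
            events.append((ts, m["ip"], m["user"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Flag a source IP once it reaches `threshold` failures inside a sliding window.

    Many distinct usernames from one IP in the window is the signature of a spray
    or user-enumeration run; repeated failures on one account is a targeted brute force.
    """
    recent = defaultdict(deque)  # ip -> deque of (timestamp, user) still inside the window
    alerts = {}
    for ts, ip, user in sorted(events):
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            users = sorted({u for _, u in q})
            alerts[ip] = {
                "ip": ip,
                "failures": len(q),
                "users": users,
                "kind": "spray/enumeration" if len(users) >= 3 else "targeted brute force",
                "first_seen": q[0][0],
                "flagged_at": ts,
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_failures(SAMPLE_AUTH_LOG)):
        print(alert)
```

On the sample log, 203.0.113.7 is flagged on its fifth failure within six seconds, with four distinct usernames, while alice’s two mistyped passwords nine minutes apart are left alone. Successful logins are deliberately ignored by the parser; a separate rule that alerts on an "Accepted" line from an address that was flagged shortly before is the natural follow-up.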

 

Rainbow Table Attacks

 

Some businesses that are more conscious of password security add a further layer by hashing passwords. Instead of saving passwords in plaintext, the system stores a hash of each one: a fixed-length value produced by a one-way function. Hashing is not encryption; there is no key, and a hash cannot be reversed to recover the password. When a user logs in, the system hashes the submitted password with the same function and compares the result with the stored hash, so the password itself is never stored. 

 

A rainbow table is a precomputed table that maps hashes back to the passwords that produced them, built once from a huge list of candidate passwords and reused against every stolen database. In a rainbow table attack, threat actors who have obtained a database of password hashes don’t need to crack each one; they look the hashes up. The attack only works when the hashes are unsalted, because only then does the same password always produce the same hash on every system. 

 

How Businesses Can Mitigate Brute Force Attacks 

 

Now that we know what brute force attacks are, how many types of brute force password cracking there are, and how and why they occur, let’s shift focus to what really matters: how can businesses defend themselves? 

 

The following are important best practices businesses can adopt to reduce their exposure to brute force attacks.

 

Use CAPTCHAs

 

CAPTCHA is a simple verification step that most internet users are familiar with. Because the majority of brute force attacks are automated, a challenge that requires a human raises the cost of every attempt considerably. It is not a complete barrier: CAPTCHA-solving services and machine-learning solvers exist, so treat it as one layer of friction rather than the only defence. 

 

Any business with a public login page, from large enterprises to sole proprietorships, should enable CAPTCHA, ideally after the first few failed attempts so that legitimate users aren’t challenged on every login.

 

Improve Password Hygiene

 

It’s paramount for enterprises to use longer passwords; length does more for resistance to guessing than sprinkling in symbols does. The time it takes to crack a 5-character password is incomparable to the time it takes to crack a 15-character passphrase, and a random 15-character string is out of reach of brute force altogether. 

 

Businesses should use password managers and generators to create strong, unique passwords for every account, and replace a password immediately whenever it may have been exposed. Current NIST guidance (SP 800-63B) no longer recommends forcing routine rotation, which pushes users toward predictable variations of the same password. Businesses must also protect passwords, credentials, and encryption keys to the same standard as crown-jewel data.  

 

Implement MFA and 2FA

 

Multi-factor authentication (MFA), of which two-factor authentication (2FA) is the common case, is essential, and it is a prerequisite for the zero-trust security models that many companies are adopting. 

 

With MFA in place, a correctly guessed username and password is no longer enough on its own: the attacker also needs the one-time code, the hardware key, or the biometric check. Prefer phishing-resistant factors such as FIDO2 security keys or passkeys over SMS codes and push notifications, which attackers can intercept or wear users down into approving (so-called MFA fatigue).  

 

Restrict Login Attempts 

 

When companies don’t restrict the number of failed login attempts, they leave themselves open to unlimited guessing. Restricting attempts makes a suspicious run of failures easy to red-flag and lets the system temporarily lock the account (account lockout) or block the source IP address. It’s also important to limit how many attempts a user or an address can make per minute (rate limiting). Two caveats: lockouts should expire on their own, otherwise an attacker can deliberately lock real users out of their accounts, and counting per account alone misses password spraying, so count per source address as well. 
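The throttle below is an added Python example (not code from the original post) of the combination just described: sliding-window failure counters per account and per source address, temporary lockouts that expire, and an `attempt()` wrapper that performs the throttle check before the credential check. The limits, the window length and the lockout duration are assumptions; the injectable clock exists so the behaviour can be exercised without waiting.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window failure counters per account and per source IP with temporary lockouts.

    The per-account cap stops a targeted brute force coming from many addresses; the
    per-IP cap stops a spray (one address, many accounts, one or two guesses each) that
    per-account counting alone would never notice. Lockouts expire so an attacker cannot
    turn the control into a permanent denial of service against real users.
    """

    def __init__(self, max_per_account=5, max_per_ip=20, window=60,
                 lockout=300, clock=time.monotonic):
        self.max_per_account = max_per_account
        self.max_per_ip = max_per_ip
        self.window = window      # seconds over which failures are counted
        self.lockout = lockout    # seconds a lockout lasts
        self.clock = clock        # injectable for testing
        self._fails = {"acct": defaultdict(deque), "ip": defaultdict(deque)}
        self._locked_until = {}

    def _locked(self, scope, key, now):
        until = self._locked_until.get((scope, key))
        if until is None:
            return False
        if now < until:
            return True
        del self._locked_until[(scope, key)]   # lockout has expired
        return False

    def check(self, username, ip):
        """Call before touching the password. Returns (allowed, reason)."""
        now = self.clock()
        if self._locked("acct", username, now):
            return False, "account temporarily locked"
        if self._locked("ip", ip, now):
            return False, "source address temporarily locked"
        return True, "ok"

    def record_failure(self, username, ip):
        now = self.clock()
        for scope, key, limit in (("acct", username, self.max_per_account),
                                  ("ip", ip, self.max_per_ip)):
            q = self._fails[scope][key]
            q.append(now)
            while q and now - q[0] > self.window:   # drop failures outside the window
                q.popleft()
            if len(q) >= limit:
                self._locked_until[(scope, key)] = now + self.lockout
                q.clear()

    def record_success(self, username):
        self._fails["acct"].pop(username, None)

    def attempt(self, username, ip, password, verify):
        """Full login step: throttle check, then credential check, then bookkeeping."""
        allowed, reason = self.check(username, ip)
        if not allowed:
            return False, reason
        if verify(username, password):
            self.record_success(username)
            return True, "authenticated"
        self.record_failure(username, ip)
        return False, "invalid credentials"


if __name__ == "__main__":
    throttle = LoginThrottle(max_per_account=3)
    verify = lambda user, pw: (user, pw) == ("alice", "correct horse battery staple")
    for guess in ("password", "letmein", "alice123", "correct horse battery staple"):
        print(guess, "->", throttle.attempt("alice", "203.0.113.7", guess, verify))
```

The reasons returned here are for the server’s own logs; the message sent back to the client should be the same generic "invalid credentials" whether the password was wrong or the account is locked, so that the throttle does not become a way to confirm which usernames exist.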

 

Install VPNs

 

VPNs (Virtual Private Networks) encrypt traffic between a user’s device and the corporate network, which protects users from eavesdropping on unsecured networks like public Wi-Fi. For brute force specifically, the bigger win is that services such as SSH, RDP, and internal admin consoles can then be made reachable only through the VPN, so they are no longer exposed to every password-guessing bot on the internet. 

 

It’s especially important to protect users who log in from unsecured networks and, with the global increase in remote work, employees who log in from personal devices. Bear in mind that the VPN gateway itself then becomes an internet-facing login endpoint, so it needs the same MFA and rate limiting as any other.  

 

Salt Passwords

 

In this context, a “salt” is a random value, unique to each user, that is stored alongside the hash and combined with the password before hashing. We mentioned earlier how rainbow table attacks can harm companies that hash their passwords. Salting defeats them: because every user’s hash depends on a different salt, a precomputed table matches nothing, and two users with the same password get different hashes, so an attacker has to attack each hash separately. Salting does not stop a dictionary attack against a single hash, so pair it with a deliberately slow password hashing function (Argon2id, bcrypt, scrypt, or PBKDF2) that makes every guess expensive. 
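The following added Python example (illustrative code, not from the original post) ties the rainbow table section and this one together: it builds a precomputed lookup table from a constructed list of common passwords, shows that it reverses an unsalted SHA-256 hash instantly, and then shows that a per-user random salt with PBKDF2 leaves the same table useless. The password list is constructed, and PBKDF2 is used only because it ships in the standard library; in a real system prefer Argon2id or bcrypt from a maintained library. The iteration count follows OWASP’s published guidance for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os

# Constructed "leaked password" list standing in for the lists precomputed tables are built from.
COMMON_PASSWORDS = ["123456789", "apple", "letmein", "Winter2024!", "p@r@d1$e"]

# Work factor: OWASP's current recommendation for PBKDF2-HMAC-SHA256 is 600,000 iterations.
ITERATIONS = 600_000


def fast_unsalted_hash(password):
    """The naive scheme: one fast hash, no salt. Identical passwords give identical hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(passwords):
    """Precompute hash -> password once; a rainbow table is a space-compressed form of this."""
    return {fast_unsalted_hash(pw): pw for pw in passwords}


def reverse_with_table(table, leaked_hash):
    """Attacker side: no cracking needed, just a dictionary lookup."""
    return table.get(leaked_hash)


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Hardened scheme: per-user random salt plus a deliberately slow KDF.

    Stored as 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' so the parameters
    travel with the hash and the work factor can be raised later without a flag day.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    leaked = fast_unsalted_hash("apple")      # what a breached unsalted database exposes
    print("unsalted lookup:", reverse_with_table(table, leaked))           # apple

    alice = hash_password("apple")            # same password, two users...
    bob = hash_password("apple")
    print("salted hashes differ:", alice != bob)                           # True
    print("table hit on salted:", reverse_with_table(table, alice.split("$")[-1]))  # None
    print("verify:", verify_password("apple", alice), verify_password("Apple", alice))  # True False
```

Note that the slow KDF is what makes the per-hash attack expensive: at 600,000 iterations each guess costs the attacker roughly the same fraction of a second it costs the login server, which turns a billion-guess dictionary run from seconds into years.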

 

Prioritize Threat Intelligence and Analytics

 

By engaging in threat intelligence sharing and leveraging robust threat analytics, businesses will understand how brute force password cracking evolves and what they need to do to mitigate these attacks in the future. 

 

Dealing with the relentless nature of brute force attacks can be challenging, to say the least. However, by joining threat intelligence sharing initiatives in their sector, businesses gain early warning of the credential lists, source addresses, and techniques currently in use and can block them before they are tried against their own logins. 

 

Work with Managed Service Providers (MSPs)

 

While there is no single correct way of handling an IT environment, many businesses (particularly small and medium businesses) may benefit from utilizing the services of MSPs.

 

MSPs have excellent IT and cybersecurity capabilities and can be powerful resources for fighting cyber threats, such as brute-force attacks.

 

Conclusion

 

In a brute force attack, threat actors relentlessly try to hijack accounts by trying all possible variations of usernames and passwords until they find the right one. Some brute force attacks are simple to implement, and others require a more robust backend infrastructure comprising botnets and automation capabilities. Brute force attacks are among the most dangerous and damaging cyberattacks. 

 

We highlighted eight different types of brute force attacks: simple brute force attacks, reverse brute force attacks, credential stuffing, dictionary attacks, hybrid brute force attacks, botnets, SSH brute force attacks, and rainbow table attacks. Any of these can severely harm an enterprise or individual. Therefore, it’s important to understand the risks of brute force password cracking and implement best practices to fight it. 

 

Best practices to prevent brute force password cracking include using CAPTCHAs, improving password hygiene, implementing MFA and 2FA, restricting login attempts, salting passwords, prioritizing threat intelligence, and working with MSPs. 

 

If businesses follow these best practices, they can innovate and operate with far less exposure to brute force attacks.

 
