If a single password was the barrier between an attacker and your network, would it hold up against brute force?
While credential harvesting is popular in both phishing scams and advanced attacks, attackers don’t always have to “harvest” or collect legitimate credentials to gain access to an account or a system. Password cracking is just as common in the current threat landscape, and like many of the other tactics covered in the Cyberattack Series, it can be used at more than one stage of an attack.
- Cracking passwords as an entry-point
Whether the attacker is attempting to access a device in person or remotely, they may run an automated cracking program, or they may use what they know about their target to guess the password without running a repetitive, detectable program against the account.
- Cracking passwords post-exploitation
Password cracking can also be used after an attacker has already gained a foothold on the target device, usually to move laterally in the network or escalate privileges for further access. Again, at this stage it can be done either with an automated program or through informed guesses and deductions based on what the attacker has learned about the target.
While you can’t prevent someone from trying to guess your passwords, you can make it much harder for a password-guesser to succeed. We recommend keeping passwords secure by avoiding common words such as pet names, family names, or words and phrases easily associated with your organization, and by never storing passwords in plain text. However, these surface-level protections alone aren’t guaranteed to withstand the automated programs that perform brute force password attacks.
What is a Brute Force attack?
A brute force attack is a tactic that uses automated software to crack passwords. As the name suggests, the tactic is neither sneaky nor complex: a program simply attempts to guess a password by trying one option after another until it gets it right.
This tactic is relatively “loud” in a cyberattack. If a network has log collection, alerting, or security monitoring in place, the flood of failed login attempts will quickly raise red flags and reveal where the attacker is in the network. However, if the attacker knows what security measures they are up against and expects that the evidence of brute forcing will not be noticed immediately, as it would be with alerting and 24/7 security monitoring in place, then they are more likely to take the brute force approach without fear of being caught.
Brute force attacks have a few methods for cracking passwords:
- Checking passwords against a list of dictionary words, also known as a Dictionary Attack.
- Combining dictionary words with “complex” number and symbol additions.
- Checking against a list of known or common user passwords, such as the RockYou.txt file made public after the 2009 RockYou breach.
- Using a rainbow table, a pre-computed lookup table of password hashes, which is also known as a Rainbow Table Attack.
Each of these methods still relies on the “brute force” approach of trying password after password until the right one is found and the account is opened.
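The methods above are also the checks a defender can run when a password is set, so that a password the first three methods would find quickly is rejected before it reaches production. The following is an added example, not code from the original post or its author: a small policy checker that looks a candidate password up in a common-password list, in a dictionary, and in the dictionary again after stripping number/symbol padding and undoing leet-speak substitutions. The word lists, the leet map and the minimum length of 12 are all constructed assumptions for this example; a real deployment would load a full breach list and dictionary.

```python
import string
from typing import Optional

# Constructed sample data (not a real breach list): a few entries standing in for a
# "common passwords" file such as RockYou.txt.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "letmein", "iloveyou", "football",
}

# Constructed stand-in for a dictionary plus organisation-specific words
# (pet names, family names, company name) that the post advises avoiding.
DICTIONARY_WORDS = {
    "summer", "winter", "dragon", "fluffy", "acme", "welcome", "admin",
}

# Leet-speak substitutions that an attacker's mangling rules routinely undo.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s", "!": "i",
})

# Policy value assumed for this example.
MIN_LENGTH = 12


def _strip_affixes(word: str) -> str:
    """Strip leading/trailing digits and symbols ('summer2023!' -> 'summer')."""
    return word.strip(string.digits + string.punctuation)


def _undo_leet(word: str) -> str:
    """Reverse common character substitutions ('dr@g0n' -> 'dragon')."""
    return word.translate(LEET_MAP)


def weakness_reason(password: str) -> Optional[str]:
    """Return why a brute-force method would find this password, or None if none applies.

    The checks mirror the methods listed in the post:
      1. common-password list (RockYou-style)
      2. plain dictionary word
      3. dictionary word plus number/symbol padding or leet substitutions
    """
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        return "common-password list"

    core = _strip_affixes(lowered)
    for candidate in (core, _undo_leet(core)):
        if candidate in DICTIONARY_WORDS or candidate in COMMON_PASSWORDS:
            if candidate == lowered:
                return "dictionary word"
            return "dictionary word with number/symbol/leet mangling"

    if len(password) < MIN_LENGTH:
        return "shorter than policy minimum"
    return None


def is_acceptable(password: str) -> bool:
    """True when none of the checks above flag the password."""
    return weakness_reason(password) is None


if __name__ == "__main__":
    for sample in ("password", "Fluffy", "Summer2023!", "Dr@g0n!", "correct horse battery staple"):
        print(f"{sample!r}: {weakness_reason(sample) or 'acceptable'}")
```

Note that adding digits and symbols to a dictionary word (the second method in the list) does not rescue it: the checker strips the padding and undoes the substitutions before looking the word up, exactly as mangling rules in a cracking tool would generate it.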
Brute-Forcing in action
In the short video below, watch as Security Engineer Derrick demonstrates how easily an attacker could run a brute force attack on their target.
Cybersecurity Game Plan
If an attacker has the chance to perform a brute force attack in your network, you want to be able to identify the signs and begin taking action as quickly as possible.
By combining active security monitoring with intelligent detection technology, a brute force attack can be identified by the unusually long string of failed login attempts, and the attacker’s actions can be investigated in real time. Further investigation of the logs collected in a SIEM lets security professionals discover where the attack began and which accounts were compromised, and build a game plan for your organization’s next steps to eradicate the threat and recover your systems.
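The detection logic described here, a long string of failed logins from one source, is simple enough to show end to end. The following is an added example and not code from the original post or its author: it parses OpenSSH-style authentication log lines, keeps a sliding window of failures per source IP, raises an alert once the count in the window reaches a threshold, and raises a second, higher-priority alert if a successful login from that same source follows (the question a SIEM investigation has to answer: which account was compromised). The log lines, host name, IP addresses and user names are constructed for this example, the year is assumed because syslog timestamps omit it, and the threshold of 5 failures in 60 seconds is an assumed tuning value.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, NamedTuple, Optional

# Constructed sample log lines in OpenSSH's syslog format (made up for this example).
SAMPLE_LOG = """\
Mar  4 10:00:01 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  4 10:00:03 bastion sshd[2203]: Failed password for invalid user root from 203.0.113.7 port 51124 ssh2
Mar  4 10:00:05 bastion sshd[2205]: Failed password for jsmith from 203.0.113.7 port 51126 ssh2
Mar  4 10:00:07 bastion sshd[2207]: Failed password for jsmith from 203.0.113.7 port 51128 ssh2
Mar  4 10:00:09 bastion sshd[2209]: Failed password for jsmith from 203.0.113.7 port 51130 ssh2
Mar  4 10:00:11 bastion sshd[2211]: Failed password for jsmith from 203.0.113.7 port 51132 ssh2
Mar  4 10:00:14 bastion sshd[2213]: Accepted password for jsmith from 203.0.113.7 port 51134 ssh2
Mar  4 10:02:30 bastion sshd[2301]: Failed password for akhan from 198.51.100.23 port 40210 ssh2
Mar  4 10:02:41 bastion sshd[2303]: Accepted password for akhan from 198.51.100.23 port 40212 ssh2
Mar  4 10:03:00 bastion CRON[2310]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Syslog lines carry no year; assumed for this example so timestamps can be compared.
ASSUMED_YEAR = 2024

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+\S+\s+"
    r"sshd\[\d+\]:\s+(?P<outcome>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


class Event(NamedTuple):
    when: datetime
    outcome: str   # "Failed" or "Accepted"
    user: str
    ip: str


class Alert(NamedTuple):
    kind: str      # "brute_force" or "success_after_brute_force"
    ip: str
    user: str
    when: datetime


def parse_line(line: str) -> Optional[Event]:
    """Parse one sshd auth line; return None for lines that are not password attempts."""
    m = LINE_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(
        f"{m['mon']} {m['day']} {m['time']} {ASSUMED_YEAR}", "%b %d %H:%M:%S %Y"
    )
    return Event(when, m["outcome"], m["user"], m["ip"])


def detect_brute_force(log_text: str, threshold: int = 5, window_seconds: int = 60) -> List[Alert]:
    """Flag source IPs with >= threshold failed logins inside a sliding window.

    A later successful login from an already-flagged IP produces a second alert,
    since that is the account an investigator must treat as compromised.
    """
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged = set()
    alerts: List[Alert] = []

    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.outcome == "Failed":
            window = failures[ev.ip]
            window.append(ev.when)
            # Drop failures that have aged out of the window.
            while window and (ev.when - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= threshold and ev.ip not in flagged:
                flagged.add(ev.ip)
                alerts.append(Alert("brute_force", ev.ip, ev.user, ev.when))
        elif ev.ip in flagged:
            alerts.append(Alert("success_after_brute_force", ev.ip, ev.user, ev.when))
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(f"{alert.when:%H:%M:%S} {alert.kind:<26} {alert.ip:<15} user={alert.user}")
```

In the sample data the single failed login from 198.51.100.23 followed by a success is the ordinary typo pattern and produces nothing, while 203.0.113.7 trips the threshold on its fifth failure and then logs in successfully as jsmith, which is the account the investigation should start from.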
Protect yourself from brute forcing and eliminate the possibility of success by securing your accounts with strong, complex passwords and Multi-Factor Authentication (MFA). If an attacker does manage to crack your password, MFA stops them in their tracks: without access to the message, email, or code generator paired with the account they’re trying to hack, they’ll be out of luck. Secure your passwords by avoiding common words and phrases, including symbols and numbers, and never storing lists of passwords in plain text.
As you already know from the Cyberattack Series, other important protections include strong perimeter security, email security, and end-user training. These layers help build a barrier between your organization and the bad guys, eliminating the "low-hanging fruit" of network vulnerabilities and making it harder for an attacker to reach the advanced stages of an attack.
With the combination of hard-to-crack passwords and layers of security—both in your user account setup and your network infrastructure—brute force attacks can be prevented and detected.