Brute force attacks are nothing new in cybersecurity. As far back as 2015 (eons ago, in technology terms) the global coffee chain Dunkin’ Donuts suffered a brute force attack that targeted nearly 20,000 of its customers.
In this attack, cyber attackers used brute force to get unauthorized access to the accounts of more than 19,000 users and steal their money. Following the incident, Dunkin’ Donuts was slapped with a lawsuit, where it ended up paying more than $500,000 in a settlement.
More recently, in 2020, the Canadian Revenue Agency (CRA) was the victim of a brute force attack that compromised roughly 11,000 government-related accounts. 2021 was a particularly bad year for brute force attacks, with one study stating that the volume of such attacks grew by a whopping 160 percent between May and June 2021 alone.
But what is a brute force attack? Why are such attacks such a severe problem for organizations? What can businesses do to prevent these attacks, and protect their mission-critical assets and data?
This article explores all these critical questions. It discusses how brute force attacks work and how you can prevent them from damaging your business.
What Is a Brute Force Attack?
A brute force attack is a specific type of cybersecurity threat. An attacker uses automated software to guess passwords or other login credentials to gain unauthorized access to a computer system or account. The software will try many possible passwords or passphrases – potentially millions of them – until it finds the one that allows the attacker to meet his or her goal.
Brute force attacks can be very successful, especially if users’ passwords are simple like “password,” “iloveyou,” or “123456.” The software can easily guess these passwords, opening doors for the cyber attacker to hack into multiple accounts. Simpler passwords make it easier for the intruder’s brute force attempt to succeed.
How Does a Brute Force Attack Work?
Unlike other more sophisticated or “thoughtful” cyberattacks, a brute force attack relies on sheer force combined with trial-and-error. Believe it or not, 80 percent of breaches in 2020 involved the use of brute force.
To launch such an attack, a bad actor tries to guess one or more users’ login information or encryption keys. The attacker works through all possible combinations, hoping that automated software will eventually guess the correct credential for access. After an attacker guesses the username, he or she will try different passwords until finding the one that works.
This method requires little reconnaissance: once the adversary has a valid username, the account can be attacked directly. The attacker doesn’t need to research other information about victims, such as their names, email addresses, or personal details.
Attackers typically rely on technology and software to launch a brute force attack. Some common brute force attack tools include:
- Password cracking applications
- Password recovery tools
- Wi-Fi network security assessment tools such as Aircrack-ng
Hackers may also use hardware solutions to increase computing power and accelerate password cracking, such as combining a CPU (central processing unit) with a GPU (graphics processing unit).
What Does an Attacker Gain from a Brute Force Attack?
By guessing a user’s password, a cybercriminal can wreak havoc in many ways:
- Steal personal information or sensitive data
- Install malware on a user’s system
- Access privileged enterprise accounts
- Penetrate an enterprise network and stay there, to exfiltrate data or cause other damage over a long period
- Collect user activity data to spy on users or their organization
- Install adware or spam ads on websites and make a profit every time the ad is clicked or viewed
- Infest a website with offensive content to ruin its reputation
Types of Brute Force Attacks
There are various forms of brute force attacks. These include:
Simple Brute Force Attack
In this “traditional” attack, attackers try to guess passwords manually. That is, they don’t use software. Sometimes these attacks can succeed, because many people don’t follow password best practices. For instance, many users:
- Use easy-to-guess and weak passwords like “1234”
- Don’t change passwords regularly
- Don’t change default passwords
- Repeat passwords across multiple accounts or web applications
- Share passwords with others or record passwords where someone can easily copy them
Dictionary Attack
Technically a dictionary attack is not a brute force attack, but it can help a threat actor crack passwords by using commonly used passwords or passphrases.
In this attack, the attacker cycles through multiple password combinations, which the attacker may source through a dictionary. Once a target is identified, the attacker runs these passwords against the target’s username to access his or her account.
Hybrid Brute Force Attack
A hybrid attack combines a brute force attack with a dictionary attack. The attacker starts from a known username and then works out the matching password. Instead of pure guesswork, the attacker uses advanced tools to discover complex passwords that are a mix of letters, numbers, and special characters.
Credential Stuffing
Credential stuffing attacks work because many of us use the same username and password combination for multiple accounts. In this type of attack, the attacker steals username and password combinations from one account or website. The attacker then tests these combinations on other accounts to gain access to them all.
Reverse Brute Force Attack
Most brute force attack methods are aimed at guessing a user’s password. A reverse brute force attack starts with a known password and then tries to guess the username. Attackers often use passwords gained through a data breach and then search through a database of usernames to find a match.
How to Prevent Brute Force Attacks
Here are some practical ways to protect your business from brute force attacks and other common cybersecurity vulnerabilities:
Use Strong, Unique Passwords
Most brute force attacks succeed due to users’ poor password hygiene. That’s why long, strong passwords that are hard to guess are one of the most effective defenses against such attacks.
Every password should use a combination of letters, numbers, and symbols. Avoid using common words or phrases. Users should not write down passwords or share them with others. They should also not reuse passwords across accounts. Educate users on all these password security practices.
Consider using a password manager. This tool allows users to create complex passwords and store them securely while minimizing the risk of theft or compromise.
Enable Two-Factor Authentication (2FA)
Unlike password-based systems, 2FA-based systems require users to provide two authentication factors to access an account. This additional factor could be:
- A one-time password sent to a mobile phone in a text message
- A physical authentication key
- Biometrics such as fingerprints, voiceprints, or face scans
These additional authentication steps, on top of strong passwords, prevent hackers from gaining access to enterprise accounts or systems.
Implement Strong Access Controls
It’s critical to restrict access to enterprise systems and sensitive information only to trusted users who need that access for their job duties. You should also delete unused accounts, such as the accounts of previous employees. These best practices reduce the potential attack surface that can be exploited in a brute force attack.
Limit Login Attempts
You can stop attackers from endlessly retrying passwords by limiting login attempts and implementing account lockouts after a specified number of tries. This can reduce the number of successful brute force attacks. Adding CAPTCHA to logins can also stop attackers from brute-forcing their way into accounts.
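The lockout described above, as an added example that is not code from the article or from ZenGRC: a per-account sliding window of failed logins that locks the account after a threshold, refuses even the correct password while locked, and resets on a genuine login. The policy values, the salt, the user store and the names `LoginLimiter`, `check_password` and `simulate` are all constructed for this example.

```python
import hashlib, hmac, time
from collections import defaultdict, deque

# Policy values and the user store are constructed for this example, not taken from the article.
MAX_FAILURES, WINDOW_SECONDS, LOCKOUT_SECONDS = 5, 300, 900
SALT = b"constructed-demo-salt"  # fixed only to keep the example deterministic; use a per-user random salt
def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
USERS = {"alice": _hash("Correct-Horse-Battery-Staple-9")}

def check_password(username, password):
    stored = USERS.get(username)
    if stored is None:
        _hash(password)   # hash anyway so an unknown username costs the same as a wrong password
        return False
    return hmac.compare_digest(stored, _hash(password))   # constant-time comparison

class LoginLimiter:
    """Sliding window of failures per account; too many failures locks the account for a while."""
    def __init__(self, now=time.time):
        self.now = now                        # injectable clock so the demo can fast-forward
        self.failures = defaultdict(deque)    # username -> timestamps of recent failures
        self.locked_until = {}                # username -> time at which the lockout ends

    def attempt(self, username, password):
        """Return 'ok', 'denied' or 'locked'; a locked account refuses even the right password."""
        t = self.now()
        if self.locked_until.get(username, 0) > t:
            return "locked"
        q = self.failures[username]
        while q and t - q[0] > WINDOW_SECONDS:   # forget failures older than the window
            q.popleft()
        if check_password(username, password):
            q.clear()                             # a genuine login resets the counter
            return "ok"
        q.append(t)
        if len(q) >= MAX_FAILURES:
            self.locked_until[username] = t + LOCKOUT_SECONDS
            q.clear()
            return "locked"
        return "denied"

def simulate():
    clock = [1_000.0]
    lim = LoginLimiter(now=lambda: clock[0])
    out = [lim.attempt("alice", "password") for _ in range(MAX_FAILURES)]   # 4 denied, 5th locks
    out.append(lim.attempt("alice", "Correct-Horse-Battery-Staple-9"))      # still locked
    clock[0] += LOCKOUT_SECONDS + 1
    out.append(lim.attempt("alice", "Correct-Horse-Battery-Staple-9"))      # lockout lapsed: ok
    return out
```

Lockouts keyed on the account also let an attacker lock legitimate users out, and they do not catch a reverse brute force attack that tries one password against many usernames, so pair them with limits keyed on the source address.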
Strengthen the Enterprise Security Perimeter
Reduce cyber exposure by installing a firewall and an intrusion detection system (IDS) to help detect attacks. You can also use an updated Internet Protocol (IP) blacklist to protect the network and users from known attackers.
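The kind of detection an IDS performs, as an added example that is not code from the article or from ZenGRC: it aggregates failed logins by source address rather than by account, so it also surfaces the reverse brute force pattern described earlier (one source trying many usernames), and it flags a success that follows a burst of failures. The sshd-style log lines use documentation IP ranges and are constructed; the thresholds and the names `parse` and `detect` are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd-style auth log (documentation IP ranges); not taken from the article.
LOG = """\
Mar 10 12:00:01 gw sshd[4011]: Failed password for invalid user admin from 203.0.113.5 port 41122 ssh2
Mar 10 12:00:02 gw sshd[4012]: Failed password for invalid user root from 203.0.113.5 port 41123 ssh2
Mar 10 12:00:04 gw sshd[4014]: Failed password for alice from 203.0.113.5 port 41125 ssh2
Mar 10 12:00:05 gw sshd[4015]: Failed password for bob from 203.0.113.5 port 41126 ssh2
Mar 10 12:00:06 gw sshd[4016]: Accepted password for bob from 203.0.113.5 port 41127 ssh2
Mar 10 12:00:30 gw sshd[4020]: Failed password for carol from 198.51.100.7 port 50000 ssh2
Mar 10 12:00:45 gw sshd[4021]: Accepted password for carol from 198.51.100.7 port 50001 ssh2
"""
LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) password for "
                  r"(?:invalid user )?(\S+) from (\S+) port \d+")

def parse(text):
    """Yield (time, outcome, user, ip) per matching line; syslog stamps carry no year."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield datetime.strptime(m[1], "%b %d %H:%M:%S"), m[2], m[3], m[4]

def detect(text, fail_threshold=4, user_threshold=3, window_s=60):
    """Return {source_ip: [alert, ...]} keyed per source, not per account, so a reverse
    brute force (one password, many usernames) is caught even though no account locks."""
    fails, alerts = defaultdict(list), defaultdict(list)
    for ts, outcome, user, ip in parse(text):
        if outcome == "Failed":
            fails[ip].append((ts, user))
            continue
        # a success right after a burst of failures is the highest-priority signal
        recent = [u for t, u in fails[ip] if (ts - t).total_seconds() <= window_s]
        if len(recent) >= fail_threshold:
            alerts[ip].append(f"login as {user} succeeded after {len(recent)} failures")
    for ip, events in fails.items():
        events.sort()
        peak_fails = peak_users = 0
        for i, (t0, _) in enumerate(events):   # window anchored at each failure
            burst = [u for t, u in events[i:] if (t - t0).total_seconds() <= window_s]
            peak_fails, peak_users = max(peak_fails, len(burst)), max(peak_users, len(set(burst)))
        if peak_fails >= fail_threshold:
            alerts[ip].append(f"{peak_fails} failures within {window_s}s")
        if peak_users >= user_threshold:
            alerts[ip].append(f"{peak_users} distinct usernames tried (reverse brute force pattern)")
    return dict(alerts)
```

Running `detect(LOG)` reports only 203.0.113.5; the single failure from 198.51.100.7 followed by a success stays below every threshold, which is the behaviour you want so that ordinary typos do not page anyone.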
Protect Your Organization from Cybercrime with ZenGRC
ZenGRC is a comprehensive risk management and threat monitoring platform for modern enterprises. It provides a single source of truth, so you can identify the cybersecurity threats affecting your organization, including weaknesses that might allow brute force attacks – and then remediate those weaknesses before a brute force attack succeeds.
Security policies, incident response procedures, and internal controls must be documented and updated regularly to ensure they meet the evolving cybersecurity environment. With ZenGRC’s document repository, policies and procedures are revision-controlled and easy to find.
Workflow management features offer easy tracking, automated reminders, and audit trails. The ZenConnect feature enables integration with popular tools, such as Jira, ServiceNow, and Slack, ensuring seamless adoption within your enterprise.
Insightful reporting and dashboards provide visibility to gaps and high-risk areas. By better understanding your risk landscape, you can take action to protect your business from cyberattacks, avoid costly data breaches, and monitor the security posture of your vendors.
Strengthen your cybersecurity posture by leveraging ZenGRC’s single source of truth to highlight critical threats and vulnerabilities affecting your organization. Strengthen your cybersecurity program with ZenGRC and Reciprocity Risk Intellect.
Download the ZenGRC solution brief or schedule a demo to see what ZenGRC can do for you.