Definition of a brute force attack

A brute force attack is one of the most simple forms of hacking that exists. Unlike many other tactics used by hackers, brute force attacks don’t rely on vulnerabilities within websites. Instead, these attacks rely on users having weak or guessable credentials.

Usually, the motive behind this attack is to use the breached account to execute a large-scale attack, steal sensitive data, or shut down the system.  There are widely available automated tools that can submit several hundred password attempts per second, which makes this task easy for an attacker with very little imagination or knowledge.

Passwords are not the only resource that can be brute-forced.  Website directories and links, usernames, and emails are also common targets for attackers.

Identifying Brute Force Attacks

Here are conditions that could indicate a brute force attack or other account abuse:

• Many failed logins from the same IP address
• Logins for a single account coming from multiple IP addresses
• Logins with multiple usernames from the same IP address
• Logins with a referring URL of someone’s mail account
• Referring URLs that contain the username and password in the format http://username:password@www.examplesite.com/login.htm
• Failed login attempts from alphabetically sequential usernames or passwords

3 simple steps to limit exposure to a brute force attack

1.  Enabling 2-Factor Authentication (2FA) is considered to be the first line of defence against brute force attacks. If an attacker was able to successfully guess the password, this would not be enough. The attacker would also need access to your smartphone or email client. In most cases, this would be enough for an attacker to give up and search for an easier method.
2. Implement a strong password policy. According to OWASP guidelines, a password should be no less than 8 characters, contain numbers, special characters and uppercase letters. Avoid the use of dictionary words, avoid reusing passwords and restrict the use of breached passwords. A maximum password length should not be set too low. A typical maximum length would be 128 characters.
3. Introduce an account lockout policy with progressive delays. After three unsuccessful login attempts, the account is locked out for a set period of time. The lock-out time would increase with each subsequent failed attempt. This prevents automated tools from performing a brute force attack.

About SureCloud

SureCloud is a provider of cloud-based, Integrated Risk Management products and Cybersecurity services, which reinvent the way you manage risk.

SureCloud also offers a wide range of Cybersecurity testing and assurance services, where we stay with you throughout the entire test life-cycle from scoping through to vulnerability discovery and remediation. Certified by the National Cyber Security Centre (NCSC) & CREST and delivered using the innovative Pentest-as-a-Service (underpinned by a highly configurable technology platform), SureCloud acts as an extension of your in-house security team and ensures you have everything you need to improve your risk posture.