Choose your topics

The GRC Trends to Look Out for in 2024

Our GRC experts at SureCloud share their 2024 predictions for the world of governance, risk and compliance.

The Top 5 Challenges of Third-Party Risk Management

With the supply chain now seen as a legitimate attack path, what can your organization do? Let’s explore 5 challenges of TPRM and how to overcome them.

Third-Party Risk Management GRC
What is Third-Party Risk Management?

What is third-party risk management and how should you approach it? Find out in this post.

Third-Party Risk Management GRC
The Top 4 Challenges of Risk Management

What are the top four challenges of risk management today and how can you overcome them? Find out in this post from SureCloud.

Third-Party Risk Management GRC
Transform Compliance into Your Competitive Advantage

In GRC, compliance is often viewed as a cost that makes it harder to pursue growth. Here's how to make it your competitive advantage.

Compliance Management GRC
Questions You Should Ask when Preparing For Your First Pen Test

Understand the processes that you and your chosen pentest provider will travel through for your first pen test, from the initial point to the day the test starts.

Penetration Testing
TPRM Blog 6-Writing Clear Questions

Our GRC Practice Director explores the importance of clear communication and how to achieve it in your third party questionnaires. Read more here.

Third-Party Risk Management GRC
The Simple Way to Combat Phishing

SureCloud Cybersecurity Practice Director Luke Potter shares his tip to stay ahead of attackers phishing for your downfall.

Penetration Testing
See Yourself in Cyber With Janhavi Deshpande

See Yourself in Cyber With Janhavi Deshpande - SureCloud

Cyber Security
Vector (7)
Cyber Security

What is a brute force attack? I Identifying & preventing | Consultant Corner

What is a brute force attack? I Identifying & preventing | Consultant Corner
Written by


Published on

30 Oct 2020

What is a brute force attack? I Identifying & preventing I Consultant Corner


Welcome to Consultant Corner

During this time of lockdown and remote working, many are brushing up on their extra reading and learning. We have asked our expert cybersecurity consultants to write up 5-minute reads on trends they’re seeing and tips for IT teams to stay protected. These topics aren’t COVID-19 specific and vary from VPN to brute-force attacks to barcodes.

You can stay alerted to new blogs from ‘Consultant Corner’ as soon as they are made available just register in our pop-up form below. After all, a cybersecurity blog a day keeps the malicious attackers at bay.

This blog is focused on brute force attacks and is written by, Tom Hulme, Cybersecurity Consultant at SureCloud.

Definition of a brute force attack

A brute force attack is one of the most simple forms of hacking that exists. Unlike many other tactics used by hackers, brute force attacks don’t rely on vulnerabilities within websites. Instead, these attacks rely on users having weak or guessable credentials.

Usually, the motive behind this attack is to use the breached account to execute a large-scale attack, steal sensitive data, or shut down the system.  There are widely available automated tools that can submit several hundred password attempts per second, which makes this task easy for an attacker with very little imagination or knowledge.

Passwords are not the only resource that can be brute-forced.  Website directories and links, usernames, and emails are also common targets for attackers.

Identifying Brute Force Attacks

Here are conditions that could indicate a brute force attack or other account abuse:

  • Many failed logins from the same IP address
  • Logins for a single account coming from multiple IP addresses
  • Logins with multiple usernames from the same IP address
  • Logins with a referring URL of someone’s mail account
  • Referring URLs that contain the username and password in the format
  • Failed login attempts from alphabetically sequential usernames or passwords


Circles Connected | Compliance Management | Risk Management

3 simple steps to limit exposure to a brute force attack

  1.  Enabling 2-Factor Authentication (2FA) is considered to be the first line of defence against brute force attacks. If an attacker was able to successfully guess the password, this would not be enough. The attacker would also need access to your smartphone or email client. In most cases, this would be enough for an attacker to give up and search for an easier method.
  2. Implement a strong password policy. According to OWASP guidelines, a password should be no less than 8 characters, contain numbers, special characters and uppercase letters. Avoid the use of dictionary words, avoid reusing passwords and restrict the use of breached passwords. A maximum password length should not be set too low. A typical maximum length would be 128 characters.
  3. Introduce an account lockout policy with progressive delays. After three unsuccessful login attempts, the account is locked out for a set period of time. The lock-out time would increase with each subsequent failed attempt. This prevents automated tools from performing a brute force attack.

If you would like to learn about how to protect your businesses from attacks such as these and more discover SureCloud’s full portfolio of Cybersecurity services here.

About SureCloud

SureCloud is a provider of cloud-based, Integrated Risk Management products and Cybersecurity services, which reinvent the way you manage risk.

SureCloud also offers a wide range of Cybersecurity testing and assurance services, where we stay with you throughout the entire test life-cycle from scoping through to vulnerability discovery and remediation. Certified by the National Cyber Security Centre (NCSC) & CREST and delivered using the innovative Pentest-as-a-Service (underpinned by a highly configurable technology platform), SureCloud acts as an extension of your in-house security team and ensures you have everything you need to improve your risk posture.

Discover SureCloud’s new Cyber Resilience Assessment Solution here.