What Are Brute Force Attacks And How Can You Protect Your Organization Against Them?
What are brute force password crack attacks, what makes them so effective, and how can you defend your organization against them?
Expert Insights / Mar 22, 2021 / By Caitlin Jones
Hacking – or account compromise – isn’t a new concept. For as long as people have been using passwords to protect their data, there have been bad actors trying to crack those passwords and steal that data, either to sell on the dark web or to hold ransom until their victim pays up.
According to Verizon’s 2020 DBIR, 80% of hacking breaches involve brute force attacks or the use of stolen credentials. And no wonder: the combination of poor password practices and increasingly sophisticated – and widely available – hacking tools makes login credentials an easy and lucrative way in to a company’s data.
In addition to this, organizations are currently tackling the challenges presented by a shifting work environment as they consider sending their employees back to the office or implementing a hybrid work environment. This means securing a combination of on-prem and cloud-hosted systems, as well as securing the evolving device fleet being used to access those systems, and ensuring that all of the passwords on all of those devices accessing all of those systems are secure.
And breathe. Sound like a logistical nightmare? That’s because, for many security teams that don’t have the infrastructure in place to automate these processes for them, it is.
Hackers thrive in times of turbulence, and password cracking relies on human error to be successful – be that in terms of falling for a phishing attempt, or not creating a strong enough password in the first place, which too many of us are guilty of. Unfortunately, the factor of human error is amplified when the workplace is unstable, which makes these crack attacks all the more likely to succeed.
For the purposes of this article, we’re going to focus specifically on password cracking via brute force attacks, not social engineering. If you’re looking for information on how to defend against phishing attacks, we’ve put together a separate guide, which includes details of different attack methods and ways to mitigate against them.
So how exactly are hackers cracking your employees’ passwords, and what can you do to stop them?
What Are The Most Common Password Cracking Methods?
For a hacker to be able to compromise one of your employees’ accounts, all they need is that employee’s email address. In the modern digital age, it’s easy for bad actors to get hold of professional email addresses via employees’ social media accounts, such as LinkedIn. Failing that, they can purchase a list of accounts that are known to have been compromised on the Dark Web. Once they’ve got this information, the hacker can target that person’s corporate accounts with a crack attack.
Today, almost all hackers program computers to perform their attacks for them, rather than carrying them out manually. This could involve using an application or script, or it could involve finding a session ID to access a web application. When the computer gains access to the target account, it notifies the hacker, who can then log in and intercept critical business data.
The following methods are amongst the most common used by hackers to gain access to your employees’ corporate accounts:
1. Brute Force Attacks
Brute force attacks are the easiest for a hacker to carry out, which makes them very popular, particularly among hacking novices. They also form the foundation for a few other methods in this list. To perform a brute force attack, the hacker programs a computer to guess their target’s password, starting with the most common combinations and working systematically through all letters, numbers and symbols character-by-character until it gains access to the account.
Brute force attacks are particularly effective against organizations that don’t have a strong password policy in place that enforces good practices such as updating passwords and using passphrases instead of traditional eight-character codes.
According to Dallas Hackers Association member Tinker, any eight-character password can be cracked in less than 2.5 hours, no matter how complex it is. If “h6d*£hL!” can be cracked in the time it takes to watch The Matrix, imagine how long “Password1” would last in the ring with a supercomputer.
2. Dictionary Attacks
Dictionary attacks are a type of brute force attack that uses a dictionary of possible word strings or phrases to guess a password. Rather than by-character combinations, the computer cycles through common words, including modifications such as swapping out letters for numbers, and gradually works through more complex options until it cracks the password.
For dictionary attacks to run more quickly, hackers often program their computers to use a dictionary of commonly used or known compromised passwords, which can be found online or on the dark web respectively. Hackers often combine dictionary attacks with classic brute force attacks; these are known as “hybrid” attacks.
3. Spraying Attacks
Spraying attacks work similarly to dictionary attacks, except that they target thousands of accounts at once, trying a few commonly used passwords. If just one account is “protected” with one of the passwords the hacker is using, the whole business could be compromised.
This method enables the attacker to target multiple organizations at once, and to avoid being caught out by account lockout policies triggered by repeated failed login attempts.
4. Reverse Brute Force Attacks
Reverse brute force attacks do exactly what they say on the tin: rather than trying a lot of different passwords against one username, they try one password against multiple usernames. This is similar to a spraying attack, except that it works best when the hacker is trying to target just one organization, rather than multiple companies at once. These attacks are also most effective when the hacker has already collected employee username data.
Like spraying attacks, reverse brute force attacks are particularly good at evading account lockout policies.
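An added example (not part of the original article) of the defender's view of sections 3 and 4: a per-account lockout counter misses spraying because each username sees only one or two failures, so the second check counts distinct usernames failing per source instead. The event format, thresholds and sample events are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source IP, username, login succeeded).
SAMPLE_EVENTS = (
    # One source tries a single password against six accounts, a minute apart.
    [(f"2021-03-22T09:0{i}:00", "203.0.113.7", user, False)
     for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    # Another source hammers one account: classic brute force.
    + [(f"2021-03-22T09:00:{i:02d}", "198.51.100.9", "alice", False) for i in range(6)]
    # A legitimate user mistypes once, then logs in.
    + [("2021-03-22T09:05:00", "192.0.2.10", "bob", False),
       ("2021-03-22T09:05:20", "192.0.2.10", "bob", True)]
)

def locked_accounts(events, threshold=5):
    """Accounts a per-account lockout rule would lock (failures >= threshold)."""
    counts = defaultdict(int)
    for _, _, user, ok in events:
        if not ok:
            counts[user] += 1
    return sorted(user for user, n in counts.items() if n >= threshold)

def find_spray_sources(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Map each source to the accounts it sprayed: many distinct usernames,
    at most max_per_user failures each, inside one sliding time window."""
    failures = defaultdict(list)
    for ts, source, user, ok in events:
        if not ok:
            failures[source].append((datetime.fromisoformat(ts), user))
    flagged = {}
    for source, rows in failures.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in rows[start:end + 1]:
                per_user[user] += 1
            wide = len(per_user) >= min_users and max(per_user.values()) <= max_per_user
            if wide and len(per_user) > len(flagged.get(source, [])):
                flagged[source] = sorted(per_user)
    return flagged

if __name__ == "__main__":
    print("locked by per-account rule:", locked_accounts(SAMPLE_EVENTS))
    print("spray sources:", find_spray_sources(SAMPLE_EVENTS))
```

On the sample data the lockout rule only reacts to the account that was hammered, while the per-source check flags the spraying address and lists every account it touched.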
5. Rainbow Table Attacks
Rainbow table attacks are a little more complicated – to explain them, you first need to understand what hashing is.
Hashing is the process of mathematically converting plain text passwords into random cryptographic strings of characters that can’t be read without being decrypted. Hashing is usually a strong way of securing your business’s passwords, and may be enough for some smaller organizations. However, it doesn’t provide sufficient protection for larger enterprises, which present a much more lucrative target for hackers who may be willing to spend a little more effort in order to tap into that data mine. Rainbow table attacks are the method by which they do this.
Rainbow tables are lists of precomputed hash functions: they contain the solutions for all possible password combinations for the most common hash algorithms. This means that hackers can use rainbow tables to accurately guess a function of a certain length, and consisting of a certain set of characters.
It might seem like you’re up against the world here, but a basic understanding of how hackers actually carry out these attacks will help you identify vulnerabilities in your organization’s access security from a hacker’s perspective. This brings us onto our next section: understanding the tools hackers use, and the environments in which they work.
How Do Hackers Carry Out Brute Force Attacks?
Most hackers use computers to run brute force attacks for them in order to save time and effort. Once the computer has successfully cracked a password, it notifies the hacker so that they can tap into the account themselves.
In order to protect against these attacks, you need to have an understanding of how they work and the extent that an attacker will go to in order to access your data. This means understanding the tools that they deploy. There are a number of freely available tools out there that hackers can use to crack your employees’ credentials, but we’ve put together a list of the most common ones used to carry out the attacks we outlined above:
THC Hydra is a tool that performs simple brute force attacks and dictionary attacks against more than 30 different protocols and multiple operating systems. Because Hydra is an open-source tool, hackers are constantly developing its technology to make it more effective and run more efficiently.
John the Ripper is a password cracking favorite, due to the fact that it’s free and works against fifteen different platforms, including Unix and Windows. John the Ripper is a dictionary attack tool, but it can automatically detect the type of hashing used to secure a password. This means that hackers can use it to crack into stores of encrypted passwords.
Hashcat is a free, open-source password cracking tool that supports a variety of attack methods, including brute force, dictionary, hybrid, combinator, rule-based and table-lookup attacks. It works against Linux, Windows and Mac OS, and is known for its speed and versatility.
Rainbow Crack, as the name suggests, generates rainbow tables to perform brute force attacks. These tables are pre-computed, and some organizations have published these tables for download to use in attacks. This makes it much quicker for a hacker to set up and carry out an attack.
Aircrack-ng is a free tool that uses dictionary attacks to crack WiFi passwords and gain access to your wireless network. Aircrack-ng is available for Windows, Linux, iOS and Android operating systems. Like other dictionary-based attack tools, its effectiveness relies on the strength of the dictionary the hacker programs it to use.
Ophcrack is a free, open-source tool that uses rainbow tables to crack Windows passwords. Ophcrack uses LM hashes to crack passwords, and can do so in as little as a few minutes. However, by default it can only crack passwords under 14 characters long and which only contain letters and numbers. This means that a strong password policy can help you defend your data against Ophcrack hacking attempts.
DaveGrohl is an open-source tool that uses brute force and dictionary attacks to crack Mac OS passwords, and supports attacks against all versions of this operating system. Hackers can distribute DaveGrohl across multiple computers, which enables them to gain access more quickly.
Ncrack is a popular tool for cracking network authentications. It can be used against Linux, Windows and BSD, and supports various protocols, including RDP, SSH, HTTP and FTP.
How Common Are Brute Force Attacks?
As we’ve already discussed, 80% of data breaches caused by hacking involve brute force or the use of stolen credentials. And, according to the same report by Verizon, hacking and account compromise are currently the number one cause of data breaches globally, with 45% of data breaches in 2020 featuring hacking.
These alarming statistics show us that brute force attacks are a very real threat, but who exactly are they targeting?
Many of us might assume that hackers only go after larger enterprises, because that’s where they’re likely to gain the most profit, or hit a bigger ROI, if you will. This common misconception is added to by regular headlines of multi-million- or even billion-dollar nation state-backed breaches.
However, in reality, small- and medium-sized businesses (SMBs) are just as likely to suffer from a data breach caused by hacking as any larger organization. Some hackers choose specifically to target SMBs because they’re less likely to have the generous security budget or sophisticated infrastructure in place to be able to defend themselves against cyberattacks. According to Verizon, 28% of data breaches last year were suffered by small businesses.
Finally, it’s important to consider the severity of these breaches. According to IBM, the average cost of a data breach is $3.86 million – that’s enough to cause most large enterprises to shudder, let alone small businesses, who would likely fold under such financial pressure.
With this in mind, it’s clear that you need to implement strong measures to defend against hacking-related breaches. But where should you start?
How Can You Protect Your Organization Against Credential Hacking?
No matter what size your organization is or how limited (or extensive) your budget, there are a number of ways in which you can tackle the threat of credential theft. Here are four steps that we recommend you take in order to protect your company from brute force attacks:
1. Implement A Password Policy
A password policy is a set of rules that help improve your data security by encouraging employees to create strong passwords, and then to store, share and use them securely. We recommend that you enforce your policy, rather than advising it, to ensure that all employees are following the rules that you’ve put in place. You should also include your password policy as part of your induction and security awareness training programs.
Your password policy should include the following rules:
Users must change their password if there’s evidence of a compromise
Passwords/passphrases must be of a certain length
Common, weak passwords are added to a deny list and automatically blacklisted
Accounts are locked after a certain number of failed login attempts
Inactive accounts are locked after a certain amount of time
Implementing a password policy is relatively quick, easy and – best of all – costs absolutely nothing. If you haven’t yet got one in place, or would like to improve your existing rules, check out our guide to creating a secure password policy.
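An added example (not from the original article) of enforcing the length, deny-list, lockout and inactivity rules above in code. The deny-list check normalises the candidate first, because an exact-match list misses the letter-for-number swaps that dictionary attacks try; all thresholds and the tiny deny list are assumed values.

```python
from datetime import datetime, timedelta

# Assumed values: the policy rules above give no numbers.
MIN_LENGTH = 14
MAX_FAILED_LOGINS = 5
MAX_INACTIVE = timedelta(days=90)
# Constructed, tiny deny list; a real one would hold known-compromised passwords.
DENY_LIST = {"password", "letmein", "qwerty", "welcome"}
# Reverse the common character swaps: 0->o, 1->i, 3->e, 4->a, 5->s, 7->t, 8->b.
LEET = str.maketrans("0134578@$!", "oieastbasi")

def normalise(password):
    """Lower-case, drop trailing digits/symbols, then undo character swaps."""
    core = password.lower().rstrip("0123456789!?.*#")
    return core.translate(LEET)

def check_password(password):
    """Return the list of policy rules the candidate password breaks."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if normalise(password) in DENY_LIST:
        problems.append("on deny list")
    return problems

def account_locked(failed_logins, last_login, now):
    """Lock after repeated failed logins or a long period without any login."""
    return failed_logins >= MAX_FAILED_LOGINS or now - last_login > MAX_INACTIVE

if __name__ == "__main__":
    for candidate in ["Password1", "P@ssw0rd!", "L3tm31n2021", "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}")
    now = datetime(2021, 3, 22)
    print("5 failures:", account_locked(5, now - timedelta(days=1), now))
    print("idle 120 days:", account_locked(0, now - timedelta(days=120), now))
```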
2. Use A Password Manager
Password managers secure corporate accounts by storing employee passwords in an encrypted vault personal to each user. Employees need only remember one master password in order to access their vault and, through the vault, all of their work accounts.
Password managers also generate unique, random passwords for new user accounts, and many managers also feature a password health tool that encourages employees to update weak or compromised passwords.
Password management solutions make it easy for employees to access their accounts securely, whilst enabling security teams to monitor their organization’s password health.
3. Enforce Multi-Factor Authentication (MFA)
Multi-factor authentication is an identity and access management method that requires each employee to verify their identity via two or more ways before they’re granted access to any corporate websites, applications or networks.
There are three methods of authentication used in MFA. These are something the user knows, such as a PIN or secret answer; something the user has, such as an authenticator app; and something the user is, which refers to their biometric data, such as a fingerprint scan.
Risk-based or adaptive MFA solutions add a further layer of technology that makes the login process a little more user-friendly for your employees than traditional MFA, by increasing the level of verification required based on the context of the login. Risk-based authentication tools calculate a risk score for each login attempt based on contextual factors such as login time, geolocation and device type. The higher the risk score, the more levels of verification are required. This means that users logging in on their usual device, during work hours, from their usual location, don’t need to verify themselves multiple times before being granted access to their accounts.
Implementing MFA means that a hacker couldn’t access an employee’s account, even if they managed to crack that employee’s password. After all, it’s much more difficult to scan someone’s iris without them knowing than it is to program a dictionary attack!
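An added example (not from the original article, and not any vendor's algorithm) of the risk-based approach described above: each login is scored on time, location and device, and the score decides how many of the three factor types are required. The profile fields, weights and thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass
class Baseline:
    """Hypothetical per-user profile of normal logins."""
    work_hours: range
    countries: frozenset
    devices: frozenset

@dataclass
class Login:
    hour: int        # local hour of day, 0-23
    country: str
    device_id: str

# Assumed weights and thresholds, for illustration only.
WEIGHTS = {"outside_work_hours": 20, "unusual_location": 40, "unknown_device": 30}
# (minimum score, factor added): something known, something held, something you are.
STEP_UP = [(0, "password"), (1, "authenticator app"), (50, "fingerprint scan")]

def risk_signals(baseline, login):
    """Name every contextual factor that deviates from the user's baseline."""
    signals = []
    if login.hour not in baseline.work_hours:
        signals.append("outside_work_hours")
    if login.country not in baseline.countries:
        signals.append("unusual_location")
    if login.device_id not in baseline.devices:
        signals.append("unknown_device")
    return signals

def required_factors(baseline, login):
    """Return (risk score, factors to demand); a higher score adds factors."""
    score = sum(WEIGHTS[s] for s in risk_signals(baseline, login))
    return score, [factor for threshold, factor in STEP_UP if score >= threshold]

# Constructed sample user and logins.
ALICE = Baseline(range(8, 18), frozenset({"GB"}), frozenset({"laptop-7f3a"}))

if __name__ == "__main__":
    for login in [Login(10, "GB", "laptop-7f3a"),   # usual context
                  Login(22, "GB", "laptop-7f3a"),   # late evening
                  Login(3, "BR", "unknown-1")]:     # cracked password, new context
        print(login, "->", required_factors(ALICE, login))
```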
4. Invest In Privileged Access Management (PAM)
Privileged access management is a security measure that enables organizations to monitor and control the activity of their privileged users. This includes not only how they access privileged accounts, but also what they’re allowed to do once logged in. Privileged accounts provide administrative levels of access to critical corporate systems, based on higher levels of access permissions. PAM solutions ensure that these accounts remain secure.
It’s particularly important that you protect your privileged accounts, because these are the most lucrative for hackers to break into, and thus present the most appealing target.
Your data is the heart of your corporate kingdom, and your employees’ credentials are the keys to that kingdom. Brute force attacks are some of the most common and most effective methods by which bad actors are trying to break into your data kingdom. A data breach can have incredibly severe financial and reputational impacts on your business and your employees, so it’s crucial that you put measures in place to protect against the threat of credential theft.
We recommend that you implement a combination of human-centric measures, such as enforcing a strong password policy, and technical solutions, such as implementing a password manager, MFA or PAM, in order to keep your data as secure as possible from the most commonly used attack methods currently in use.