What is a brute force attack?
A brute force attack is a cybersecurity threat where a hacker attempts to access a system by systematically testing different passwords until a correct set of credentials is identified.
These attacks are a simple and effective method to exploit weak passwords and poorly secured accounts. They leverage computational power and persistence to try numerous combinations, often using automated tools, and are incredibly effective. According to 2021 data from Verizon, 89% of attacks against web applications entail stolen credentials or brute force attacks.
Due to the persistently exposed nature of websites and cloud providers, brute force attacks have become the most common attack vector. Anything online protected by passwords, such as login pages, data encryption, and other security mechanisms, can become a target for malicious actors using this method, making it crucial for businesses to understand how these attacks work and how to stop them.
The Cloud Threat Landscape
A comprehensive threat intelligence database of cloud security incidents, actors, tools and techniques
Explore
How does a brute force attack work?
Brute force attacks in their most basic form iterate through every possible combination of characters until a password or encryption key is identified. More advanced versions attempt to get a faster match by starting with simple and commonly used passwords from a file and then resorting to an exhaustive search. Automated tools help speed up this process by generating and testing thousands of combinations per second.
Simple and easy-to-guess passwords are quickly discovered, while longer, more complicated passwords are time-consuming and resource-intensive. However, if the targeted system has no mechanism to detect or block repeated failed login attempts, the attacks can continue indefinitely, increasing the hacker’s chances of eventually finding the correct combination.
These attacks go far beyond traditional login pages. They can target cloud service APIs using automated scripts to repeatedly guess API keys or credentials. They can also be used to guess database login credentials or even cloud admin accounts, giving attackers in-depth access to cloud infrastructure.
Once an attacker is in, they can grab sensitive data, disrupt services by altering configurations, or even launch further attacks on other organizations from the compromised system.
How the Microsoft security breach leveraged brute force techniques
Get a detailed analysis of the entire attack chain of Microsoft's breach by Midnight Blizzard (APT29), as well as detection and mitigation recommendations.
Read more
Why do attackers resort to brute force attacks?
Contrary to common misconceptions, brute force attacks are not just a last-resort tactic for hackers. They often start with brute force, given their remarkable effectiveness, especially against targets with weak or reused passwords. Despite being well-known as a risky practice, 75% of people globally have poor password habits including weak or reused passwords.
Unfortunately, these bad practices are not just limited to personal accounts. Cloud services and other infrastructure elements frequently rely on machine credentials to facilitate system interconnections. Improper configuration of these services can lead to the use of weak passwords.
For example, a common scenario is speeding up the configuration process by using a simple password like “password1” during setup. Unfortunately, due to inadequate configuration controls, these weak passwords may inadvertently remain in use, even in production environments.
However, even for systems that have hardened security, there are a few core reasons why attackers may still leverage brute force attacks:
Simplicity: These attacks are straightforward to execute via automated tools and do not require sophisticated hacking skills.
Effectiveness: Despite being basic, they can be effective, especially against weak passwords and systems without adequate security measures like account lockouts or rate limiting.
Ability to exploit security weaknesses: Brute force attacks can exploit the lack of strong password policies or lack of security features like multi-factor authentication.
Broad applicability: They can be used against any system protected by a password, making them a versatile tool in a hacker’s arsenal.
Access to valuable data: Successful access to a cloud account can give malicious actors valuable information and control over sensitive cloud resources and services.
Types of brute force attacks
Brute force attacks have evolved significantly over the years, creating different variations to creatively shorten the number of guesses a hacker has to make to gain access.
Traditional brute force attacks
The most basic version of a brute force attack, this method will attempt every possible combination of characters to discover a password. It relies on the fact that a solution will eventually be found if given enough time, although the time necessary increases with more complex and longer passwords.
Dictionary attacks
To speed things up, attackers can use words from a dictionary or common passwords from breaches. These dictionaries are not the same as traditional dictionaries; instead, they are pre-computed files of passwords to iterate through when implementing a brute force attack.
A more complex variant is called a rainbow table attack, which uses a combination of passwords and their hashes to target stolen hash values, enabling a creative way to crack these files.
Reverse brute force attacks (password spraying)
A more advanced variant of the dictionary attack, these use a handful of common passwords against many accounts. Reverse brute force attacks target users who commonly utilize birthdays, names, cities, sports teams, and a selection of easy-to-guess passwords such as “password1,” “qwerty,” and “123456.”
Testing just a few passwords against many different accounts circumvents protections that lock out accounts after several missed password attempts.
Credential stuffing
Like password spraying, credential stuffing uses a trick to speed up the attack. These attacks use stolen usernames and passwords from different breaches to target people and systems that reuse credentials. With 62% of people reusing passwords for multiple online accounts, these attacks have become a common attack vector.
Cloud-specific attacks
As cloud infrastructure is often more exposed to the outside, malicious actors may implement brute force attacks to specifically target cloud operations. These brute force attacks prey upon different aspects of cloud operations, such as:
Cloud management interfaces: Attackers may attempt to access cloud administration panels to gain control over cloud resources.
API endpoints: Brute force attacks can target API keys or credentials crucial for accessing cloud services.
Cloud-based databases: Repeatedly guessing database login credentials can allow hackers to gain access to stored data.
Common tools used for brute force attacks
A wide range of tools exist to automate brute force attacks and support the different attack types. Some offer broad flexibility, while others are laser-focused on a specific attack style or user skill level.
| Tool | Description |
|---|---|
| Hydra | A highly versatile tool operated via the command line and a globally unique identifier (GUID), Hydra supports many protocols, including FTP, SSH, and HTTP(S). Its key strength is its ability to conduct parallelized attacks, significantly speeding up the brute force process. However, this tool is not simple to use, especially for beginners. |
| Aircrack-ng | This specialized tool for breaking Wi-Fi security codes effectively cracks WEP, WPA, and WPA2-PSK keys. It can also perform packet capture and injection attacks, making it a versatile wireless security tool. |
| John the Ripper | Despite being almost 30 years old, this tool is effective at complex password cracking and supports numerous hash types and platforms, including Unix, Windows, and OpenVMS. It uses different brute force methods such as dictionary attacks and rainbow tables to quickly identify weak passwords. However, this tool’s complexity requires technical expertise. |
| Hashcat | Well known for speed, Hashcat can leverage GPU support to target specific algorithms, including MD4, MD5, and the SHA family. While GPU acceleration makes it extremely fast for certain algorithms, not all are optimized for GPU processing, making them slower to crack. |
| Ncrack | Ncrack enables network authentication cracking across several protocols, such as SSH, RDP, FTP, Telnet, and HTTP(S). Its flexible engine adapts its behavior based on network feedback and can conduct simultaneous attacks on multiple hosts, efficiently identifying weak passwords on networked systems. |
Top countermeasures for brute force attacks
In addressing brute force attacks, the primary goals of countermeasures are to decelerate the attack process and curtail repeated unauthorized attempts. These are pivotal to enhancing a system’s resilience against such intrusions.
By focusing on hindering the speed and frequency of attacks, the strategies below will significantly increase the difficulty of a breach—as well as the resources required to make it successful—thereby safeguarding sensitive data and maintaining the integrity of a system’s security framework.
Strong password policies
Making sure users are required to create robust passwords is key to protecting a system against brute force attacks. Policies should mandate passwords that include lowercase and uppercase letters, special characters, and numbers. Regularly encouraging or requiring users to change their passwords also plays a critical role in boosting security.
Account lockout mechanisms
Account lockout mechanisms are crucial in enhancing your defense against brute force attacks. By temporarily disabling accounts after a set number of failed login attempts, these mechanisms deter repeated guessing and alert administrators to potential suspicious activities.
Complementing this, rate limiting controls the number of login attempts within a specific time frame; this slows down the response time after a failure, making automated attacks less efficient. A variant of this is the implementation of captchas, which challenge users with an image or text-based puzzle difficult for bots to solve, slowing down the speed of login attempts.
Two-factor authentication (2FA)
2FA provides an additional verification step and comes in a variety of forms, which may involve using SMS, email, or app-based authentication codes. Alternatively, biometric factors (e.g., facial recognition or fingerprints) add an even higher level of security but come with privacy challenges.
Using 2FA ensures that even if a hacker gets their hands on a password, access to a system or account will still effectively be barred. This is because they would also need that second factor, which is typically only accessible to the legitimate user.
Monitoring and alerting solutions
These systems are set up to identify unusual login patterns, such as repeated failed attempts, indicative of a brute force attack. Upon detecting such patterns, they will promptly send alerts to administrators, allowing for swift action.
This immediate response mechanism is crucial in mitigating potential attacks, ensuring that any unusual activity is quickly addressed to maintain a system’s integrity and security.
Some monitoring tools are designed specifically to address the challenges of cloud environments:
Cloud access security brokers (CASBs) monitor and enforce security policies.
Advanced cloud-native monitoring tools detect unusual access patterns or login attempts in real time.
Password managers
Password managers allow users to securely store their passwords. This eliminates the need to write them down, as well as the habit of using easy-to-remember (i.e., easy-to-guess) passwords. They can also create robust passwords, ensuring each account has one that is unique and hard to crack, greatly enhancing your overall security posture.
User training
Regular training sessions on the importance of cybersecurity help raise awareness among users about potential threats and the crucial role they play in protecting a system. Keeping users updated on the latest security threats and safe practices also makes sure they are well informed and prepared to adopt secure habits, like creating strong passwords and recognizing suspicious activities.
Detecting brute force attacks in the cloud
Wiz’s CNAPP solution plays a pivotal role in the detection and response to brute force attacks in cloud environments. Wiz's Cloud Detection and Response (CDR) features allows customers to detect emerging cloud threats in real-time, including successful brute-force attacks on specific user accounts. Furthermore, Wiz can alert organizations about SSH brute force attacks attempted on publicly exposed assets that allow password authentication and have high permissions.
Security Graph: Wiz utilizes a Security Graph to discover and correlate events across an organization's cloud environment. This allows Wiz to identify patterns indicative of brute force attempts, such as a high volume of login failures from a single source.
Contextualization: Wiz doesn't just detect the attack; it provides context. For instance, Wiz can alert on an SSH brute force attack targeting a publicly exposed server with high permissions. This critical context helps security teams prioritize and respond to the most impactful threats.
Integrations: Wiz integrates with security tools like Google Cloud's Security Command Center (SCC). This integration allows security teams to view brute force attacks detected by SCC within the Wiz Security Graph, providing a unified view of security events.
See Wiz in action. Get a personalized demo today to learn how to protect your cloud infrastructure against brute force attacks.
Learn why CISOs at the fastest growing companies choose Wiz to help secure their cloud environments.
