This article concludes the ‘Growing Cybersecurity Threats’ series. It explains the most common non-technical type of cyber threat: brute force.
In the vocabulary of cyber threats, a brute force attack is a series of rapid, successive attempts at different password combinations until one grants access. The attacker pursues this relentlessly, often installing bots on other systems and pooling their computing power so that the attack can complete in a useful time.
A brute force attack is a trial-and-error method of gaining access. It is aimed at cracking passwords, encryption keys, API keys and SSH logins. A script or bot targets a website login page and makes many attempts to retrieve the information. What distinguishes brute force from other attacks is that it sets out to crack the password in the ‘absence of an intellectual strategy.’
Types of Brute Force Attacks
1. Dictionary attacks
This is the most basic form of brute force attack. The attacker works through a dictionary of likely passwords until the right one clicks.
In a survey by the UK’s National Cyber Security Centre (NCSC), the most common password is “123456”, used by 23.3 million accounts, followed by “123456789” with 7.7 million, while “qwerty” and “password” are each used by more than 3 million accounts. [1]
Computers manufactured in the last ten years can brute force an 8-character alphanumeric password drawn from capital and lowercase letters, numbers and special characters in approximately two hours.
2. Exhaustive key search
Present-day computers are capable of cracking a well-encrypted hash in mere months. In this type of attack, the computer tries every possible combination of characters until it finds the right one.
3. Credential recycling
Credential recycling takes usernames and passwords from earlier data breaches and reuses them to break into other systems, relying on the same credentials being reused elsewhere.
4. Reverse brute force
The attacker starts from a common password and brute forces the username to pair with it.
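The four types above leave different traces in an authentication log: a dictionary or exhaustive search piles failures onto one account, while a reverse brute force spreads a single password across many accounts. The following detection routine is an added example, not code from the article; the log lines and their `<timestamp> <OK|FAIL> user=<name> src=<ip>` format are constructed for the demo.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not from the article); assumed line format:
# "<timestamp> <OK|FAIL> user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-03-01T08:00:01 FAIL user=alice src=203.0.113.7
2024-03-01T08:00:02 FAIL user=alice src=203.0.113.7
2024-03-01T08:00:03 FAIL user=alice src=203.0.113.7
2024-03-01T08:00:04 FAIL user=alice src=203.0.113.7
2024-03-01T08:00:05 FAIL user=alice src=203.0.113.7
2024-03-01T08:00:06 OK user=alice src=203.0.113.7
2024-03-01T08:01:00 FAIL user=bob src=198.51.100.9
2024-03-01T08:01:01 FAIL user=carol src=198.51.100.9
2024-03-01T08:01:02 FAIL user=dave src=198.51.100.9
2024-03-01T08:01:03 FAIL user=erin src=198.51.100.9
2024-03-01T08:02:00 FAIL user=grace src=192.0.2.4
2024-03-01T08:02:30 OK user=grace src=192.0.2.4
"""
LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")

def classify_sources(log_text, fail_threshold=5, user_threshold=4):
    """Label each source IP by its failed-login pattern: many failures on one
    account (dictionary/exhaustive) vs. one password across many accounts
    (reverse brute force). A success after failures is flagged for triage."""
    fails = defaultdict(int)   # src -> failed attempts
    users = defaultdict(set)   # src -> distinct accounts that failed
    hit = set()                # src that later logged in successfully
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue           # skip malformed lines instead of crashing
        _ts, result, user, src = m.groups()
        if result == "FAIL":
            fails[src] += 1
            users[src].add(user)
        elif fails.get(src, 0) > 0:
            hit.add(src)
    verdict = {}
    for src, n in fails.items():
        if len(users[src]) >= user_threshold:
            label = "reverse-brute-force"
        elif n >= fail_threshold:
            label = "single-account-brute-force"
        else:
            label = "benign"
        if label != "benign" and src in hit:
            label += "+success"  # credential likely compromised
        verdict[src] = label
    return verdict
```

Thresholds are deliberately low for the demo; in production they should be tuned to the normal failure rate of the service, and a source labelled `+success` is the one to investigate first.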
Why are Brute Force Attacks Performed?
Brute force attacks are performed in the early stages of the cyber kill chain, i.e., during the infiltration and reconnaissance stages. When attackers want access to particular targets, they use a ‘set it and forget it’ method. After gaining entry to the network, attackers can mount an encryption downgrade attack to escalate their privileges.
Motives for Brute Force:
To reach and gain access to hidden web pages. Hidden web pages are live on the internet but are not linked from any other page; their existence is not publicised, so only those who know about them can reach them.
Attackers try different addresses until they hit a valid webpage that they can exploit.
In the case of Equifax, the attackers gained illegitimate access to the credit report databases, which led to the breach of personally identifiable information of over 148 million people in the U.S. [2]
From the attacker’s perspective, the advantage of a brute force attack is that once they obtain the password, they can automate further attacks and run several in parallel to achieve their aim.
Defending against brute force attack:
Brute force attacks are time-consuming; they may take weeks or months to reach the targeted information. Countermeasures against brute force work by pushing the time an attack would need beyond what is technically feasible.
Measures to combat brute force attack:
Increase the complexity of the password:
Mix different character types in your passwords, switching between lowercase and uppercase letters, special characters and numbers. Ensure that the resulting alphanumeric string is not predictable.
Increase password length:
Passwords must be longer than eight characters. Short passwords have fewer possible combinations and can therefore be brute forced more easily.
Implement Captcha:
A captcha verifies that a human is present and restricts automation. Attackers usually rely on automated guessing software that runs until it cracks the password; a captcha blocks that automated process.
Multi-factor authentication:
This is considered the best and easiest way to secure your accounts. Always opt for multi-factor authentication, which adds a second layer of security every time the user logs in.
Restrict login attempts:
As a brute force attack makes a large number of failed attempts before succeeding with the right one, a good defense is to enforce a limit on the number of login attempts per account. This nullifies the brute force methodology.
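The login-attempt limit just described is easy to get subtly wrong: the count must expire so legitimate users are not locked out forever, and while an account is locked even a correct password must be refused, or the lockout leaks whether a guess was right. The throttle below is an added example, not code from the article; the `LoginThrottle` class, its parameters and the constructed `FakeClock` are all assumptions for the demo.

```python
import time
from collections import deque

class LoginThrottle:
    """Per-account failed-login limiter: max_failures failures inside
    window_seconds lock the account for lockout_seconds. While locked, even
    the correct password is refused, so the attacker gets no confirmation."""
    def __init__(self, max_failures=5, window_seconds=300,
                 lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock           # injectable for testing
        self._failures = {}          # account -> deque of failure timestamps
        self._locked_until = {}      # account -> time the lockout ends

    def is_locked(self, account):
        return self.clock() < self._locked_until.get(account, 0)

    def attempt(self, account, password_ok):
        """Return (allowed, reason); password_ok is the verifier's result."""
        now = self.clock()
        if self.is_locked(account):
            return False, "locked"
        q = self._failures.setdefault(account, deque())
        while q and now - q[0] > self.window:   # drop stale failures
            q.popleft()
        if password_ok:
            q.clear()
            return True, "ok"
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            return False, "locked"
        return False, "bad-password"

class FakeClock:            # constructed clock so lockout expiry is observable
    def __init__(self): self.t = 0.0
    def __call__(self): return self.t

def demo():
    clk = FakeClock()
    th = LoginThrottle(max_failures=3, window_seconds=60,
                       lockout_seconds=120, clock=clk)
    reasons = [th.attempt("alice", False)[1] for _ in range(3)]
    reasons.append(th.attempt("alice", True)[1])  # right password, still locked
    clk.t = 121.0                                  # lockout has expired
    reasons.append(th.attempt("alice", True)[1])
    return reasons
```

Keying the limit on the account alone still allows a reverse brute force that tries one password against many accounts, so a deployment would add a second limit keyed on the source address.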
The proactive way to combat brute force attacks is continuous monitoring combined with appropriate security measures. Brute force is a serious cybersecurity threat based on a non-technical strategy, whereas the defensive measures require a technical and analytical strategy from the cybersecurity expert. A Bachelor of Science in Cybersecurity from EC-Council University prepares you with the skills needed for ethical hacking and penetration testing. EC-Council University also offers a Master of Science in Cybersecurity with a Security Analyst specialization that focuses on various growing cybersecurity threats. By specializing as a Security Analyst, you will be trained in various domains through specialized online ethical hacking and penetration testing methods.
EC-Council University is dedicated to creating superior educational programs in the discipline of cybersecurity. The programs will equip graduates with the knowledge to assess the latest IT security risks and expert skills to handle them successfully. The university offers bachelor’s and master’s programs. The Bachelor of Science in Cybersecurity (BSCS) gives required exposure, builds cybersecurity skills, and develops leadership abilities that help any candidate to grow as a cybersecurity professional. Master of Science in Cybersecurity (MSCS) makes you an expert in desired skills and helps you in gaining domain knowledge to stand ahead in the competition.
ECCU is accredited by the Distance Education Accrediting Commission (DEAC) which is a recognized accrediting agency by the U.S. Department of Education and is also an acknowledged member of the Council for Higher Education Accreditation (CHEA).
ECCU has industry practitioners as faculty members who also serve as mentors for students aspiring to enter cybersecurity. The university’s iLabs facility gives students hands-on practice.
Sources:
[1] https://edition.cnn.com/2019/04/22/uk/most-common-passwords-scli-gbr-intl/index.html
[2] https://fortune.com/2018/09/07/equifax-data-breach-one-year-anniversary/