Thanks to recent events involving certain celebrities’ stolen pictures, “brute-force attack” is now one of the hot buzz words making its rounds on the intertubez. However, if you asked most people, they probably couldn’t even hazard a guess as to what is actually involved in a brute force attack. As an IT professional - do you know what a brute force attack is, how to spot one when it happens, or even how to prevent it?
A brute-force attack is, simply, an attack on a username, password, etcetera that systematically checks all possible combinations until the correct one is found. Scripts are usually used in these attacks, sometimes run from purpose built cracking machines loaded with custom chips and/or GPU arrays. In the worst case scenario, this process involves going through every single available character in the key space so, the more processing and memory handling, the faster the key gets generated.
In the world of cryptography and encryption, there is a theoretical limit to code cracking since the resources required grow exponentially as the key space increases. The current data encryption standard (AES), in fact, has a 256-bit key length and is essentially unbreakable via brute force with modern tech. Today’s brute force attacks, however, come in two flavors: either the attacker has a dump of encrypted passwords and is attempting to crack them or they are simply trying repeated authorization attempts against a service. In the latter example, low hanging fruit is picked up first with the dictionary attack, compromising systems 'secured' with passwords like “password” and “12345” (that’s amazing. I have the same combination on my luggage). If the dictionary attack is unsuccessful, the attacker can move to plan B: running through every possible combination until a match is found.
The reason that these common passwords are so dangerous is that, while an exhaustive search through a key space can take hours, days, etc., a dictionary attack that runs through a list of these common passwords will take a fraction of the time, allowing an attacker to get in and get out faster, possibly undetected. Yes. Your users, possibly even some of the IT staff, maybe even YOU use easily predictable passwords that make securing your web based or even local environments extremely difficult. Implementing password policies such as minimum length, required characters/numbers, password expiration, etc. is a great first step but preventing brute force attacks can be tricky at best.
The other scenario described, cracking a password hash dump, involves an attacker using "rainbow tables" (precomputed hashes for large sets of passwords) to run through the hashes until a match is found. They then lookup the match in the rainbow table to see what the un-hashed password is. A good defense here would be to salt the hash, injecting extraneous data when hashing the password to prevent precomputed tables from being used. Unfortunately, most folks storing their passwords this way do not salt the hashes, making it a viable attack even today.
The recent “celebrity nude pictures” exploit was possible due to a flaw in iCloud’s “FindMyiPhone” where Apple neglected to define a password retry limit. This is a true facepalm moment, as setting a retry limit is numero uno in the list of things to do to help prevent brute force attacks. You can also be tricky with how your webserver responds to failed logins, like randomizing the return code for unsuccessful login or even issuing a successful http return code but taking the user to a secondary login page to re-enter the password.
Additional countermeasures include requiring secret questions be answered, the use of CAPTCHAS (everybody loves those, right?), account lockouts, limiting access to certain accounts by binding them to an IP address, or even blocking IPs related to multiple failed login attempts. While none of these methods are easy to implement or even ensure that a brute force attack will never be successful, the good news is that it’s relatively simple to detect these attacks.
Brute force attacks are one of the few hacks detectable by their volume, rather than their type. In your web (or proprietary app) logs, you’ll usually see a crazy amount of failed login attempts, usually originating from the same IP address. You might even see the same account logging in over and over with different passwords from different IP addresses. The login url will show unusually high amounts of volume, and you might see odd and/or malformed referring urls (e.g. http://user:password@website.com/login.html). In some cases, the attacker might run user names and/or password attempts sequentially, providing a nice identifiable trend for your host intrusion detection or log correlation systems to pick up. False positives should be considered as well but should be easy to weed out. For instance, multiple login attempts from the same IP trying to access the same account with the same password might just be a web/mobile app that has yet to be updated or was not supplied the correct credentials in the first place.
While hackers may not be interested in your nude photos, they are certainly interested in your users' data, intellectual property, credit card data or just a way in to wreak havoc in your environment. Brute force attacks are some of the easiest to defend against. The "hard" part is finding a solution that is both comprehensive and easy to use. While there are several solutions out there that can help detect these attacks, none of them provide the single console with integrated threat intelligence and intuitive UI that AlienVault’s Unified Security Management (USM) provides. Defeating Brute Force Attacks is only a part of what you get with USM.
