Brute Force Attacks: How to Detect and Prevent Them

The trial and error method has been used to crack passwords ever since systems started using passwords to restrict access. But even today brute force attacks remain a serious danger for organizations. The Threat Horizons Report by Google’s Cybersecurity Action Team [PDF] shows that brute force was the most common attack vector across cloud providers in the first quarter of 2022.

In this article, we’ll discuss what brute forcing is, take a look at its key dangers, and figure out how to detect a brute force attack on your organization. Plus, you’ll learn effective ways to prevent and detect such attacks.

What is a brute force attack and why is it so dangerous?

Brute forcing is a type of cyber attack that relies on the trial-and-error method: a malicious actor submits loads of passwords until they guess the correct character combination and gain access to a trusted user’s account. Such attacks are incredibly widespread for two reasons:

• It’s easy to execute them using free tools, automation scripts, and password databases
• Lots of users rely on weak passwords that take seconds to guess.

Experienced hackers use several types of brute force attacks to guess passwords. The most common are:

• Simple brute force attacks – downloading a database of common passwords and trying all of them on a single account
• Dictionary attacks – trying a list of words drawn from dictionaries, along with their variations amended with special characters and numbers to crack the account password
• Hybrid brute force attacks – employing external algorithms to generate the most probable password variations, and then trying an extensive range of these variations
• Reverse brute-force attacks – using a set of common passwords against many possible usernames
• Credential stuffing – utilizing known passwords acquired from data breaches to attempt to log in to various resources. This works when individuals reuse the same credentials across different platforms.

Despite the seemingly simple nature of such attacks, well-known organizations often fall victim to them. For instance, in December 2022, a brute force attack targeted GoDaddy, the world’s largest domain name registrar and web hosting company. As a result, an unauthorized third party gained access to the company’s hosting servers and installed malware redirecting random customer websites to malicious sites.

A brute force attack can result in the following consequences:

Most brute force attacks share common indicators that can help you detect the beginning of an attack and stop it before real harm is done. Let’s see which activities give hackers away.

6 brute force attack indicators

You can detect hints of an upcoming attack in increased network activity, access violations, and unusual user behavior. Brute force indicators differ slightly depending on the type of attack and toolset a hacker uses.

The following activities can be indicators of a brute force attack:

Now, we’ll examine how to investigate a brute force attack and protect your organization from them.

How to detect and prevent brute force attacks: Top 8 effective ways

We’ve put together eight key techniques you can implement for brute force attack detection and prevention. You can implement the majority of these practices with Ekran System – an all-in-one insider risk management platform that helps you ensure visibility into account activity and detect signs of brute force attacks.

1. Manage user credentials

Weak user passwords make brute force attacks successful. No matter how many cybersecurity awareness training sessions you conduct for your employees and how many policies you enforce, there will always be an employee who uses a “1234” password. So consider taking the matter into your own hands and deploying a dedicated password management tool.

Such tools securely manage passwords without involving a user. For example, Ekran System’s password management functionality allows you to create, rotate, and dispose of user credentials and secrets using a protected vault. Credentials stored in the vault are encrypted. This deployed password management tool prevents credential leaks and significantly reduces the chance of successful password guessing.

2. Limit the number of login attempts

Simple and hybrid brute force attacks rely on multiple login attempts to guess user passwords. This is highly unusual behavior for legitimate users: even if they forget their password, they don’t just try submitting any word they know. Monitoring and limiting the number of login attempts reduces a hacker’s chances of guessing credentials.

If an account exceeds the limit for login attempts, you can start a cooldown timer, force the user to authenticate with multi-factor authentication, or contact an administrator.

Real-Time User Activity Alerting and Incident Response with Ekran System

3. Enforce multi-factor authentication

Adding one more authentication factor also makes it much harder to brute force an account. Two-factor authentication (2FA) tools require unique authentication factors from a user that are hard to obtain or falsify. These factors can be an authentication token sent to the user’s phone or a biometric scan, among other options. With 2FA in place, a hacker won’t be able to log in to a user’s account even if they enter the correct login and password.

Ekran System’s two-factor authentication feature allows you to check a user’s identity with a code phrase sent to a verified mobile device. You can enforce two-factor authentication for regular, privileged, and remote employees, as well as for third parties.

4. Configure user access rights

Granular management of user access rights doesn’t stop brute forcing but it reduces the attack surface in case a hacker gains access to a user’s account. Proper access management allows you to limit a user’s access to only those resources they need for work. So, if a hacker obtains the credentials of a regular user account, they won’t be able to do much damage.

A zero-trust approach and just-in-time privileged access management allow you to establish a system that limits user access without interrupting the employee workflow. You can implement these with the following Ekran System features:

• Simple access configuration process via Ekran System’s web management tool
• Access request and approval workflow for granular access management
• One-time passwords to grant temporary access

5. Approve remote access to the most critical resources manually

Since hackers try to log in to a user account many times from the same IP address, it’s a good idea to maintain a whitelist of user IP addresses and deny access to all unknown connections. However, whitelisting IP addresses won’t work well for remote users who commonly connect to the organization’s network from personal devices and in different locations.

Instead, you can enforce manual login approval to provide access to sensitive resources. Each time a remote or in-house employee needs access, they send a request to the security officer and specify the reason for access. With Ekran System, the security officer can review the user session or enforce 2FA to make sure it’s not a hacker trying to gain access.

Privileged Access Management with Ekran System

6. Monitor all activity within your network

Monitoring both user and entity activity within your network helps to detect credential stuffing, lateral movement, repetitive access requests, and other indicators of a brute force attack. You can establish monitoring in two ways: by tracking events in the network or by keeping an eye on user activity.

Ekran System provides you with several valuable activity monitoring options. You can detect brute force attacks using the following features:

• User activity monitoring. On-screen recording and keystroke tracking allow you to monitor each user session. You can review any online and recorded session to detect lateral movement, abnormal user activity, or evidence of data theft by a hacker or insider.
• User and entity behavior analytics (UEBA). Ekran System’s AI-based UEBA module detects unusual user behavior that doesn’t break security rules but can indicate an attack. For example, it can alert your security team about attempts to connect to the organization’s network outside of working hours. A UEBA system is based on an algorithm that creates a baseline of normal user activity and then detects activity that deviates from this baseline.
• Alerts on security violations. Configure security rules and receive alerts on indicators of a brute force attack: numerous login attempts, lateral movement, and unusual user behavior. This way, you’ll find out about security events in real time without the need to monitor your users manually.

7. Educate your employees

Employees can be the strongest or the weakest link in your cybersecurity defense, so it’s in your best interest to educate them. Regular security awareness training sessions can help employees:

• Understand the importance of strong passwords
• Learn how to use password managers
• Remember the basic principles of cyber hygiene
• Recognize common types of hacking attempts, including brute force and social engineering attacks

Ekran System can help you raise employees’ cybersecurity awareness by:

• Providing you with reports on security violations and events in your network. You can analyze these reports to figure out what cybersecurity knowledge your employees lack.
• Showing warning messages to employees when they are breaking security rules. A lot of times this happens simply out of negligence. A timely warning compels an employee to stop what they’re doing and contact a security officer for a consultation.
• Showcasing real records of user activity to employees during cybersecurity awareness training sessions and introducing them to key indicators of malicious activity.

8. Implement passwordless authentication

Brute force attacks are built on the idea of guessing a user’s password. With no passwords, there’s simply nothing to guess. Therefore, you don’t have to devote time and resources to figuring out how to stop brute force attacks. This insight has led to the idea of passwordless authentication, and today many companies are trying to implement it with modern security technologies.

Passwordless authentication is an authentication method that substitutes passwords with some other authentication token. It can be implemented in the form of:

• MFA that requests a biometric scan and ownership confirmation
• A picture, pattern, or hardware token instead of a password
• Voice, face, or gesture recognition
• A combination of a user’s geolocation and network address
• And other methods

Implementing passwordless authentication technology can prevent brute force attacks and reduce friction between users and administrators. But it will probably require you to significantly rework your security system through trial and error before you figure out the best way to use it.

User Activity Monitoring with Ekran System

Conclusion

Hackers can leverage simple passwords and weak access protection measures in your organization to brute force their way into your network.

Use the best practices described in this article to detect and prevent brute force attacks and enhance your overall security posture. These security measures, coupled with the robust user activity monitoring, access management, and incident response capabilities of Ekran System, can help you substantially reduce the likelihood of unauthorized access to your organization’s critical assets.