Brute force attacks use trial-and-error to infiltrate secure accounts and IT assets. They are most commonly used to breach passwords and login credentials, though they can also be used against encryption keys. Although the concept is simple, threat actors have developed sophisticated strategies for carrying out brute force attacks effectively.
How do brute force attacks work?
Brute force attacks work by trying every possible combination to authenticate successfully. A scammer who methodically attempts every possible four-digit PIN code to commit credit card fraud is executing a brute force attack.
With only 10,000 possible combinations, a four-digit PIN is among the simplest credentials to crack. A 14-character password drawn from the 95 printable ASCII characters (lowercase and uppercase letters, digits, and punctuation marks) has 95^14, or roughly 4.9 × 10^27, possible combinations: more than 4 octillion, a 4 followed by 27 zeros.
Unsurprisingly, brute force attacks can be time-consuming and resource-intensive. The payoff can justify the effort, though: taking over a privileged account gives an attacker the access of a high-severity insider. Threat actors have therefore developed sophisticated tools and techniques that cut down the number of guesses they need to make.
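The arithmetic behind those two figures, written out as a small calculator. This is an added example, not code from the original article: it generalizes the PIN and 14-character cases to any alphabet size and length, and turns keyspace into expected cracking time at two guess rates. The rates (10 guesses per second for a throttled online login, 10^10 per second for offline cracking of a stolen fast hash on GPUs) are order-of-magnitude assumptions chosen for illustration.

```python
"""Keyspace and time-to-crack arithmetic for brute force guessing.

Added example. The guess rates below are assumptions: an online login
throttled by the target versus offline cracking of stolen hashes, which is
limited only by the attacker's hardware and the speed of the hash.
"""

# Character classes a password policy might require.
LOWER, UPPER, DIGITS = 26, 26, 10
PUNCTUATION = 95 - LOWER - UPPER - DIGITS   # remaining printable ASCII: 33 symbols
ALL_PRINTABLE = LOWER + UPPER + DIGITS + PUNCTUATION

# Assumed guess rates, per second (order of magnitude only).
RATES = {"online (throttled)": 10, "offline (GPU, fast hash)": 1e10}


def keyspace(alphabet_size, length):
    """Number of distinct strings of `length` symbols over the alphabet."""
    return alphabet_size ** length


def mean_guesses(keyspace_size):
    """Expected guesses to hit a uniformly random secret: half the keyspace."""
    return keyspace_size / 2


def seconds_to_crack(keyspace_size, guesses_per_second):
    return mean_guesses(keyspace_size) / guesses_per_second


def human_duration(seconds):
    """Render a duration in seconds as a rough human-scale figure."""
    year = 365.25 * 24 * 3600
    if seconds < 60:
        return f"{seconds:.0f} s"
    if seconds < 3600:
        return f"{seconds / 60:.1f} min"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} h"
    if seconds < year:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / year:.3g} years"


def report(label, alphabet_size, length):
    """Keyspace, its digit count, and mean time to crack at each assumed rate."""
    ks = keyspace(alphabet_size, length)
    times = {name: human_duration(seconds_to_crack(ks, rate)) for name, rate in RATES.items()}
    return {"label": label, "keyspace": ks, "digits": len(str(ks)), **times}


if __name__ == "__main__":
    for row in (report("4-digit PIN", DIGITS, 4),
                report("8 chars, lowercase only", LOWER, 8),
                report("14 chars, all printable ASCII", ALL_PRINTABLE, 14)):
        print(row)
```

The two rates are the point of the example: the same 14-character password that is unreachable online is still unreachable offline, but an 8-character lowercase password that would take weeks through a throttled login falls in well under a second once the attacker holds the hash. Which side of that line a credential sits on depends as much on where the verifier runs as on the password itself.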
Common tools used in brute force attacks
Many password cracking tools are widely available open-source software that anyone can use. The same tools are also used legitimately in digital forensics, penetration testing, and other security work:
- Aircrack-ng cracks Wi-Fi passwords and examines data packets sent over wireless networks. It recovers WEP keys outright by exploiting WEP's well-known flaws, and against WPA/WPA2-PSK it captures the four-way handshake and runs dictionary or brute force attacks on the passphrase, so weak passphrases fall quickly.
- John the Ripper is a password cracker available for 15 platforms, including UNIX, Windows, and DOS. It automatically detects common password hash formats, which makes it well suited to attacking stolen password hash files.
- DaveGrohl is a macOS password cracker with a wide variety of features, including a distributed mode that spreads a cracking job across several machines.
- Hashcat is an advanced password recovery tool that runs brute force, dictionary, and rule-based attacks, using GPUs as well as CPUs to test billions of candidates per second against fast hashes. It works on Windows, macOS, and Linux and is available for free.
- RainbowCrack uses pre-generated rainbow tables, which trade storage for time by looking hashes up instead of recomputing them. This dramatically reduces the time and computational power needed for an attack, but only against unsalted hashes: a per-password salt makes precomputed tables useless.
6 types of brute force attacks
Here are the types of brute force attack that IT security leaders most commonly encounter:
- Simple brute force attacks. A simple brute force attack works through the possible combinations with no filtering or ordering to speed up the guessing. Its feasibility depends entirely on the attacker's computing power (and, for online attacks, how fast the target accepts guesses) and on the length and character set of the password.
- Reverse brute force attacks. In this attack, the threat actor starts with a known password, often from a breach, and tries to find the username or account it belongs to. It is common when testing whether breached passwords have been reused on other platforms.
- Dictionary attacks. These attacks work from lists of common words, phrases, and previously leaked passwords. By trying the most frequently used passwords first, attackers significantly reduce the time it takes to break into a poorly secured account.
- Credential stuffing. Billions of username and password pairs have been leaked in breaches over the years. Threat actors replay these pairs against other services and break into the accounts of people who reused the same password.
- Hybrid brute force attacks. The attacker combines a dictionary attack with brute force, typically by taking dictionary words and appending or prepending digits, years, and symbols (a word followed by a year and an exclamation mark, for example). This is usually the preferred option when the attacker already knows something about the target or has an idea what the password might be.
- Password spraying. Instead of trying many passwords against a single account, password spraying tries one or a few common passwords against as many accounts as possible, which keeps each account under its lockout threshold. The attack is especially effective against cloud-based apps with federated authentication and Single Sign-On (SSO), where a single internet-facing login endpoint covers a large number of accounts.
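The six shapes above differ in what is fixed and what is enumerated, and in how many guesses each needs. The toy below makes that concrete. It is an added example, not from the original article, and everything in it is constructed: the five-user "system", its passwords, the "breached" dump from an unrelated site, and the five-word dictionary. Passwords are hashed with a single unsalted SHA-256 only so the loops have something to compare against; real systems must store passwords with a slow, salted hash such as bcrypt, scrypt, or Argon2.

```python
"""Toy comparison of brute force attack shapes against constructed data.

Added example. The hash, the users, the dump, and the wordlist are all
constructed for illustration; the unsalted SHA-256 is a stand-in, never a
recommendation.
"""
import hashlib
import itertools
import string


def h(pw):
    # Unsalted SHA-256 toy hash (see lead-in). Not a password storage scheme.
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed target system: username -> toy hash of that user's password.
USERS = {
    "alice": h("Summer2023!"),
    "bob":   h("password1"),
    "carol": h("Welcome1"),
    "dave":  h("correcthorse"),
    "erin":  h("4839"),            # a four-digit PIN
}
# Constructed dump "breached" from an unrelated site; only dave reused his password.
BREACH_DUMP = [("dave", "correcthorse"), ("erin", "letmein"), ("zed", "hunter2")]
# Five words standing in for a real dictionary.
WORDLIST = ["password", "welcome", "summer", "letmein", "qwerty"]


def simple_brute_force(target_hash, alphabet, length):
    """Enumerate every string of `length` over `alphabet`. Returns (password, guesses)."""
    guesses = 0
    for combo in itertools.product(alphabet, repeat=length):
        guesses += 1
        cand = "".join(combo)
        if h(cand) == target_hash:
            return cand, guesses
    return None, guesses


def dictionary_attack(target_hash, words):
    """Try each word as written and capitalised, nothing more."""
    guesses = 0
    for word in words:
        for cand in (word, word.capitalize()):
            guesses += 1
            if h(cand) == target_hash:
                return cand, guesses
    return None, guesses


def hybrid_attack(target_hash, words):
    """Dictionary words plus the mutations people actually apply: a capital
    letter, a year or short number on the end, and an optional trailing '!'."""
    suffixes = ["", "1", "123"] + [str(y) for y in range(1990, 2031)]
    guesses = 0
    for word in words:
        for base in (word, word.capitalize()):
            for suffix in suffixes:
                for sym in ("", "!"):
                    guesses += 1
                    cand = base + suffix + sym
                    if h(cand) == target_hash:
                        return cand, guesses
    return None, guesses


def reverse_brute_force(known_password, users):
    """One known password, many accounts: which accounts does it open?"""
    target = h(known_password)
    matches = [user for user, stored in users.items() if stored == target]
    return matches, len(users)


def credential_stuffing(dump, users):
    """Replay leaked username/password pairs exactly as leaked."""
    hits = [(user, pw) for user, pw in dump if user in users and users[user] == h(pw)]
    return hits, len(dump)


def password_spraying(common_passwords, users):
    """A few common passwords tried against every account, one pass per password
    (in practice paced so each account stays under its lockout threshold)."""
    hits, guesses = [], 0
    for pw in common_passwords:
        for user, stored in users.items():
            guesses += 1
            if stored == h(pw):
                hits.append((user, pw))
    return hits, guesses


if __name__ == "__main__":
    print("PIN brute force:", simple_brute_force(USERS["erin"], string.digits, 4))
    print("dictionary vs bob:", dictionary_attack(USERS["bob"], WORDLIST))
    print("hybrid vs bob:", hybrid_attack(USERS["bob"], WORDLIST))
    print("hybrid vs alice:", hybrid_attack(USERS["alice"], WORDLIST))
    print("reverse:", reverse_brute_force("password1", USERS))
    print("stuffing:", credential_stuffing(BREACH_DUMP, USERS))
    print("spraying:", password_spraying(["Welcome1", "Password123"], USERS))
```

Note what the guess counts show: the plain dictionary never finds "password1", while the hybrid rules find it on the third guess, and credential stuffing and spraying each need only a handful of requests because the work of guessing was done somewhere else or spread across many accounts. Those last two shapes are also the ones a per-account lockout does nothing against.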
How to prevent brute force attacks
The most effective defenses against brute force attacks are multifactor authentication (MFA) and strong password policies. MFA means a correctly guessed password is not enough on its own to log in, and good password policies make the guess itself far less likely to succeed. Throttling or temporarily locking accounts after repeated failures also caps how many guesses an online attacker gets, although spraying is designed to stay under such limits.
Examples of password policies that help prevent brute force attacks include:
- Security awareness training. Employees should know what a strong password looks like and understand the danger of reusing a password across multiple accounts.
- Automatically rejecting weak passwords. Many commercial web applications automatically reject passwords that lack upper- and lower-case letters, numbers, and punctuation marks. Checking candidates against lists of commonly used and previously breached passwords catches the entries a dictionary attack tries first.
- Implementing an enterprise password manager. Password managers make it practical to give every account a long, unique, randomly generated password, which removes the reuse that credential stuffing depends on, and they help keep employee credentials aligned with the organization's password policy and compliance requirements.
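A server-side acceptance check that implements the "reject weak passwords" policy above, as an added example rather than code from the article or any product. It enforces a minimum length and the four character classes, rejects anything on a blocklist of common or breached passwords (including simple hybrid-style variants such as a blocked word with a year and a symbol appended), and refuses passwords that contain the username. The 14-character minimum and the tiny blocklist are constructed assumptions; a real deployment would load a full breached-password list.

```python
"""Password acceptance check for a strong-password policy.

Added example. MIN_LENGTH and BLOCKLIST are assumptions; the blocklist is a
tiny constructed stand-in for a list of common and previously breached passwords.
"""
import string
import unicodedata

MIN_LENGTH = 14
# Constructed stand-in for a breached/common-password list, lower-cased base words.
BLOCKLIST = {"password", "welcome", "summer", "qwerty", "letmein", "hunter", "123456"}


def check_password(password, username=""):
    """Return a list of policy violations; an empty list means the password is accepted."""
    pw = unicodedata.normalize("NFKC", password)   # compare what the user will actually type
    problems = []

    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Character-class rule as described in the policy above.
    classes = {
        "lowercase": any(c.islower() for c in pw),
        "uppercase": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "punctuation": any(c in string.punctuation for c in pw),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing " + ", ".join(missing))

    # Blocklist rule: match the password itself and its stem with leading/trailing
    # digits and symbols removed, so 'Summer2023!' is caught via 'summer'.
    low = pw.lower()
    stem = low.strip(string.digits + string.punctuation)
    if low in BLOCKLIST or stem in BLOCKLIST:
        problems.append("appears on the common/breached password list or is a simple variant of an entry")

    if username and len(username) >= 3 and username.lower() in low:
        problems.append("contains the username")

    return problems


if __name__ == "__main__":
    for candidate, user in (("Summer2023!", "alice"),
                            ("alicePassword2024!", "alice"),
                            ("correcthorsebatterystaple", "dave"),
                            ("Vq7#mangoRiver19!", "erin")):
        verdict = check_password(candidate, user) or ["accepted"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

The stem check is what makes the blocklist worth having: without it, an attacker's hybrid rules (word plus year plus symbol) defeat a list that only matches exact strings. Note also that the character-class rule rejects the long all-lowercase passphrase in the demo, which is a side effect of complexity rules worth weighing against the length and blocklist checks.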
How to detect brute force attacks
True to their name, brute force attacks are not subtle. A well-equipped Security Operations Center (SOC) can detect brute force activity in several ways. The SOC Visibility Triad of log analytics, endpoint telemetry, and network telemetry is the foundation for detecting these attacks:
- Security Information and Event Management (SIEM). Authentication logs from identity providers, VPNs, and servers record every failed and successful login, so the SIEM is where the login-based rules below run and where events from many systems are correlated.
- Endpoint Detection and Response (EDR). Once a guessed credential is used, EDR shows what the attacker does on the host: the logon itself and the processes and tools run under the compromised account.
- Network Detection and Response (NDR). Brute force attacks typically produce unusual traffic, such as bursts of authentication requests from one source to one service or across many accounts. NDR solutions can detect these flows and trigger alerts that prompt security analysts to investigate.
These technologies only help if they are configured with rules that fire on brute force activity. Detection rule triggers that suggest an attack is under way include:
- Multiple failed login attempts within a short window. This is one of the tell-tale signs of a brute force attack. The risk is greater if the attempts span multiple accounts and credential combinations.
- Failed login attempts against multiple accounts from a single source. This pattern suggests credential stuffing or password spraying: one source trying its luck across many accounts or login pages.
- Successful login from an unusual device or location. This activity must be contextualized to fit the organization’s security risk profile. A remote-first company may assign a much lower risk to this activity than one staffed by on-site employees.
- A successful login after multiple failed login attempts. Many SIEM platforms include this as a default rule. However, security teams should adjust the failed-attempt threshold to fit the security profile of different accounts.
- Unusual user behavior after a successful login. Detecting this requires User and Entity Behavior Analytics (UEBA). When a user deviates from their established routine, the UEBA platform can raise an alert and prompt an investigation.
- Increased network usage after a successful login. An unusually large volume of data transfer is a behavioral indicator that raises risk. It is not always a sure sign of unauthorized activity, but it should be investigated promptly.
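The first three login-based triggers above (many failures on one account, failures across many accounts from one source, and a success following a run of failures) are simple enough to express as sliding-window rules over an authentication log. The code below is an added example, not a rule from any SIEM or from the original article. The log format (timestamp, result, user, source address) and the thresholds are assumptions, and the sample log lines are constructed to exercise each rule, including a benign user who mistypes twice and then logs in.

```python
"""Sliding-window detection rules for brute force patterns in an auth log.

Added example. The line format, thresholds and window are assumptions, and
SAMPLE_LOG is constructed; real rules would run over your identity provider's
or server's own schema inside the SIEM.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)       # sliding window shared by all three rules
FAIL_THRESHOLD = 5                   # failures on one account      -> brute_force
SPRAY_DISTINCT_ACCOUNTS = 3          # distinct accounts, one source -> password_spraying
SUCCESS_AFTER_FAILURES = 3           # failures preceding a success  -> success_after_failures

LINE_RE = re.compile(r"^(\S+) (FAILED|SUCCESS) user=(\S+) src=(\S+)$")

# Constructed sample: alice is brute-forced and then compromised, one source sprays
# four accounts, and frank simply mistypes twice before logging in normally.
SAMPLE_LOG = """\
2024-05-01T10:00:01 FAILED user=alice src=203.0.113.5
2024-05-01T10:00:02 FAILED user=alice src=203.0.113.5
2024-05-01T10:00:03 FAILED user=alice src=203.0.113.5
2024-05-01T10:00:04 FAILED user=alice src=203.0.113.5
2024-05-01T10:00:05 FAILED user=alice src=203.0.113.5
2024-05-01T10:00:06 FAILED user=alice src=203.0.113.5
2024-05-01T10:00:07 SUCCESS user=alice src=203.0.113.5
2024-05-01T10:05:00 FAILED user=bob src=198.51.100.9
2024-05-01T10:05:01 FAILED user=carol src=198.51.100.9
2024-05-01T10:05:02 FAILED user=dave src=198.51.100.9
2024-05-01T10:05:03 FAILED user=erin src=198.51.100.9
2024-05-01T11:00:00 FAILED user=frank src=192.0.2.44
2024-05-01T11:00:05 FAILED user=frank src=192.0.2.44
2024-05-01T11:00:09 SUCCESS user=frank src=192.0.2.44
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, result, user, src = m.groups()
    return {"time": datetime.fromisoformat(ts), "result": result, "user": user, "src": src}


def _prune(window, now):
    # Drop entries that have aged out of the sliding window.
    while window and now - window[0][0] > WINDOW:
        window.popleft()


def detect(lines):
    """Run the three rules over log lines and return the alerts they raise.

    Each (rule, key) fires once per batch; a streaming deployment would re-arm
    the rule once the window empties."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["time"])
    user_fails = defaultdict(deque)   # user -> deque of (time, src) for recent failures
    src_fails = defaultdict(deque)    # src  -> deque of (time, user) for recent failures
    fired, alerts = set(), []

    def fire(rule, key, count, when):
        if (rule, key) not in fired:
            fired.add((rule, key))
            alerts.append({"rule": rule, "key": key, "count": count, "time": when.isoformat()})

    for e in events:
        now, user, src = e["time"], e["user"], e["src"]
        _prune(user_fails[user], now)
        _prune(src_fails[src], now)
        if e["result"] == "FAILED":
            user_fails[user].append((now, src))
            src_fails[src].append((now, user))
            if len(user_fails[user]) >= FAIL_THRESHOLD:
                fire("brute_force", user, len(user_fails[user]), now)
            distinct = {u for _, u in src_fails[src]}
            if len(distinct) >= SPRAY_DISTINCT_ACCOUNTS:
                fire("password_spraying", src, len(distinct), now)
        else:
            prior = len(user_fails[user])
            if prior >= SUCCESS_AFTER_FAILURES:
                fire("success_after_failures", user, prior, now)
            user_fails[user].clear()   # a success ends the account's failure streak
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Two design points carry over to real rules. The spraying rule keys on the source and counts distinct accounts, so it fires even though no single account crosses the per-account threshold, which is exactly the gap spraying exploits. And the success-after-failures rule uses its own, lower threshold than the brute force rule, because a success following even a few failures from the same source is worth a look while a handful of failures alone is ordinary user error, as frank's lines show.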
Let Lumifi protect your organization from credential-based attacks
Lumifi helps organizations deploy multi-layered security controls that protect against brute force attacks and their consequences. By combining best-of-breed technology with expert human insight, Lumifi dramatically improves operational security performance against credential-based attacks and insider threats. Schedule a demo to find out how.