Why we shouldn't underestimate the power of 'brute force' attacks
Since the New Year, there have been many articles in the media focussing on the '25 most popular passwords of 2015', prompting a lot of criticism from journalists that maybe 'we’re all just idiots'.
Without wanting to accept that we’re all idiots, it does spawn the question: what could a hacker do with that list of popular passwords? The answer is a simple one and one that has worked time and again for cyber criminals looking to cash in on people’s compromised passwords – when hackers combine a list of the 25 most common passwords with a spammer’s directory of known good email addresses, they have a great list to run down on an organisation to look for a way in.
If they’re feeling particularly determined, they can just sit there trying to log in as different users, making sure to space them out well enough not to lock out the accounts (timing which can be learned with a test pass), and wait until a few of them get past the login page.
While images of a lone hacker in a basement with a laptop trying to sign into high value websites with their list of credentials and likely passwords may be conjured, the reality is they are not sitting there trying to break one thing at a time.
The internet is huge, therefore, cyber criminals use automation to help them capitalise on compromised credentials. In fact, a long, boring but potentially rewarding task like that is what computers are built for. In other words, it’s something anyone who knows technology would automate.
So herein lays the danger in the laziness of users choosing bad passwords. Criminal actors can make this work for them by taking advantage of a computer’s ability to execute mind-numbing tasks and ultimately they can monetise that laziness.
All it takes is a little bit of code and a lot of bad intentions. This type of attack is known as a brute force attack because it persistently tries to force a way in over and over until it finds the right combination of username and password. And contrary to primitive connotations in its name, a brute force attack is actually pretty clever.
When using phrases like 'brute force' and 'simple attacks' it may seem that the bad guys are pretty dumb. Many of them are. They pick up the tools they find and point them in the right directions.
The only original thought is to attack someplace new. However, the reason they are successful is because someone much smarter forged the path. Someone figured out how to automate these cyber attacks. Someone found the vulnerabilities to exploit. Someone did all the smart work up front and it’s that smart part that stings because more often than not, it’s the automation process and the persistence that will beat organisations’ defences.
But what if organisations could react with an automated defence to a brute force attack? This would take one clever IT or security professional to lead the way and realise that no one should have constant access to privileged accounts.
If organisations take control of privileged account management, it greatly reduces the attacker’s surface for compromise and eliminates lateral movement in the event the brute force attack is successful and they manage to get in the system with one of those popular passwords.
This is neither rocket science, nor is it original. After one of the major data breaches of last year - top 3 by notoriety - many consultants parachuted in from the biggest names in the IT security business. They sat and stared at tons of screens, drank lots of caffeine, and after 36 hours concluded that all the privileged credentials should be changed. Now imagine that was an automated response that would have happened the moment a breach was detected- of course that would have been better.
By simply rotating credentials at the point in time of an active attack as a response, it would cut off the attacker’s access to the privilege needed to succeed, without effecting legitimate users who were already going through a process to gain access on demand.
The key is that since the legitimate users wouldn’t have access to always on privilege in that scenario anyway, the only ones feeling the pain of the automated response are the bad guys.
Of course, organisations have to get the technology wired up to make it possible. But once that is all in place, it’s easy to push a button as an automated response, knowing you have the tools and the talent all lined up.
If attackers are successfully breaching organisations through using automated attacks such as brute forcing systems, organisations need to respond in kind and this will be the trick to making automation an ally instead of an enemy.
Sourced from Jonathan Sander, VP of product strategy, Lieberman Software