When you hear the words “brute force,” subtlety is probably not the first thing that comes to mind. Indeed, the classic brute-force attack uses the simplest of tactics, trial and error, to gain entry to a protected system. Its most common form is an attacker trying every possible password for an account until one works.
That sounds ominous, but in practice exhaustive guessing has limited efficacy:
- It is generally only useful against short, simple passwords. Long passphrases, or passwords with a diverse mix of character types (symbols, numbers, upper- and lower-case letters), can take years to exhaust even on powerful hardware, because the search space grows exponentially with length.
- Modern password-hashing functions such as bcrypt (and, likewise, scrypt and Argon2) are deliberately “slow”: each guess costs real CPU or memory, so an attacker working offline against a stolen database of hashes can test only a small fraction of the guesses per second that a fast hash such as MD5 or SHA-1 would allow. Note the scope of this protection: it guards stolen hashes. Against online guessing at a login page the server does the hashing, and what limits the attacker is rate limiting and lockout, not the cost of the hash.
- Many systems lock an account after a set number of consecutive wrong guesses. The catch is that a lockout counter sees only what it was designed to see: an attacker who keeps the pace below the threshold, or spreads guesses across many accounts, never trips it.
So is there still reason to worry about such attacks, given that raw enumeration has largely given way to smarter strategies such as dictionary attacks and the replay of leaked credentials? The short answer is “yes.” A recent tightly coordinated campaign against Microsoft Office 365 demonstrated how brute-force tactics can be combined with the “low and slow” characteristics of modern advanced persistent threats.
How Sustained Brute-Force Attacks Were Launched Against Office 365
The attack in question targeted 48 Office 365 accounts. More than 100,000 failed logins were ultimately attempted before the scheme was discovered and brought under control.
Compared to traditional brute-force attacks, this one was relatively sophisticated. For starters, it drew on a previously acquired list of corporate usernames and passwords for various cloud services, which were tried against the Office 365 accounts during the guessing process, a technique now commonly called credential stuffing. The underlying bet was that credentials are routinely recycled across services, a habit so widespread that the password has become “the weakest link in even the most secure system,” according to an executive at 1Password.
Beyond that, the attackers paced themselves, staggering their guesses over time and distributing them across multiple IP addresses so that no single source looked suspicious to a per-IP rate limit and no account accumulated enough rapid failures to trip a lockout. The limited scope of the attack was also key: instead of drawing immediate attention by going after every Office 365 account at the Fortune 2000 organizations they targeted, they went after only a handful.
Hedging Against This New Wave of Brute-Force Cyberattacks
On the bright side, a few controls, had they been in place, would have blunted even this new spin on the age-old brute-force attack. Two-factor authentication is the decisive one: a correctly guessed password alone no longer grants access. Single sign-on helps as well, chiefly because it funnels every login through one identity provider where two-factor authentication, lockout policy and anomaly detection can be enforced consistently instead of separately for each application.
In this case, however, the difference-maker was a monitoring system that eventually spotted and reported several anomalies: failed logins accumulating against the same small set of accounts, from many source addresses, over a long period. Detecting behavior like that, rather than only matching activity against databases of known threats and indicators, is essential for rapid detection and response.
SOC-as-a-Service provides that kind of comprehensive, continuous monitoring of IT infrastructure. It is maintained around the clock by security engineers who assess and compile threat intelligence, so your security posture keeps evolving with the changing threat environment.
Brute-force attacks still have to be taken seriously. With SOC-as-a-Service, you have the tools you need to defend against them, as well as against other dangers such as ransomware and APTs.