Brute-force attack: Simple yet difficult
Understanding what a brute force attack is is fairly simple, but protecting against one is quite difficult.
Brute Force Attack
A brute force attack is a trial-and-error method used to obtain information such as a user password or personal identification number (PIN). In cryptography, a brute-force attack, or exhaustive key search, is a cryptanalytic attack that can, in theory, be used against any encrypted data (with some exceptions). Such an attack might be used when it is not possible to take advantage of other weaknesses in an encryption system (if any exist) that would make the task easier. In a brute force attack, automated software is used to generate a large number of consecutive guesses as to the value of the desired data.
For example, a form of brute force attack known as a dictionary attack might try all the words in a dictionary. Other forms of brute force attack might try commonly-used passwords or combinations of letters and numbers.
An attack of this nature can be time- and resource-consuming, hence the name "brute force attack": success is usually based on computing power and the number of combinations tried rather than on an ingenious algorithm. Encryption is math, and as computers become faster at math, they become faster at trying all the possible solutions and seeing which one fits.
Defend against Brute Force Attack
- Restrict the use of default usernames and passwords
- Require users to have complex passwords
- Limit the number of times a user can attempt to log in
- Temporarily lock out users who exceed the specified maximum number of login attempts
Detection of Brute Force Attack
With the evolution of faster and more efficient password cracking tools, brute force attacks against an organization's services are on the rise. As a best practice, every organization should configure logging of security events so that any attack underway gets noticed and handled before it succeeds.
To check for brute force patterns, enable auditing of logon events in the Local Security Policy and then feed the Windows Security event log to the SIEM product in use.
Below are the correlation searches created in Splunk and LogPoint against Windows Security logs to monitor login attempts in real time. In these searches, the brute force criterion is matched once an account exceeds two failed attempts (count > 2); machine accounts (names ending in $) and failure code 0x19 are excluded.
Splunk:
sourcetype="WinEventLog:Security" (EventCode=4625 AND "Audit Failure") NOT (User_Name="*$" OR Account_Name="*$") NOT Failure_Code=0x19 | stats count by Account_Name | where count > 2
LogPoint:
MSWinEventLog event_id=4625 -target_user=*$ -caller_user=*$ -failure_code=0x19 | rename target_user as Account, caller_user as user | chart count() as Event by Account | search Event > 2
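The same correlation logic, reimplemented in Python over constructed event records so the filters and threshold can be tested offline. This is an added example, not code from the original post; the field names (EventCode, Keywords, Account_Name, Failure_Code) are assumed to follow Splunk's WinEventLog extraction, and the sample records are constructed, not real log data.

```python
from collections import Counter

# Constructed sample records shaped like Windows Security event 4625 fields
# as Splunk extracts them. Not real log data.
SAMPLE_EVENTS = [
    {"EventCode": 4625, "Keywords": "Audit Failure", "Account_Name": "alice", "Failure_Code": "0xc000006a"},
    {"EventCode": 4625, "Keywords": "Audit Failure", "Account_Name": "alice", "Failure_Code": "0xc000006a"},
    {"EventCode": 4625, "Keywords": "Audit Failure", "Account_Name": "alice", "Failure_Code": "0xc000006a"},
    {"EventCode": 4624, "Keywords": "Audit Success", "Account_Name": "alice", "Failure_Code": ""},
    {"EventCode": 4625, "Keywords": "Audit Failure", "Account_Name": "bob", "Failure_Code": "0xc000006a"},
    {"EventCode": 4625, "Keywords": "Audit Failure", "Account_Name": "bob", "Failure_Code": "0xc000006a"},
    {"EventCode": 4625, "Keywords": "Audit Failure", "Account_Name": "WS01$", "Failure_Code": "0xc000006a"},
    {"EventCode": 4625, "Keywords": "Audit Failure", "Account_Name": "WS01$", "Failure_Code": "0xc000006a"},
    {"EventCode": 4625, "Keywords": "Audit Failure", "Account_Name": "WS01$", "Failure_Code": "0xc000006a"},
    {"EventCode": 4625, "Keywords": "Audit Failure", "Account_Name": "carol", "Failure_Code": "0xc000006a"},
    {"EventCode": 4625, "Keywords": "Audit Failure", "Account_Name": "carol", "Failure_Code": "0xc000006a"},
    {"EventCode": 4625, "Keywords": "Audit Failure", "Account_Name": "carol", "Failure_Code": "0x19"},
]

MACHINE_ACCOUNT_SUFFIX = "$"   # NOT (User_Name="*$" OR Account_Name="*$")
EXCLUDED_FAILURE_CODE = "0x19"  # NOT Failure_Code=0x19


def is_candidate(event):
    """Mirror the search filters: 4625 audit failures, excluding machine accounts and 0x19."""
    if event.get("EventCode") != 4625 or event.get("Keywords") != "Audit Failure":
        return False
    for field in ("User_Name", "Account_Name"):
        if str(event.get(field, "")).endswith(MACHINE_ACCOUNT_SUFFIX):
            return False
    return str(event.get("Failure_Code", "")).lower() != EXCLUDED_FAILURE_CODE


def failed_logons_by_account(events):
    """Equivalent of `stats count by Account_Name` over the filtered events."""
    return Counter(e["Account_Name"] for e in events if is_candidate(e))


def brute_force_suspects(events, threshold=2):
    """Equivalent of `where count > 2`: accounts whose failure count exceeds the threshold."""
    return {acct: n for acct, n in failed_logons_by_account(events).items() if n > threshold}


if __name__ == "__main__":
    for acct, n in sorted(brute_force_suspects(SAMPLE_EVENTS).items()):
        print(f"{acct}: {n} failed logons")  # alice: 3 failed logons
```

Only alice is flagged: bob stays at the threshold, WS01$ is a machine account, and one of carol's failures carries the excluded code 0x19.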