Attackers may use brute force techniques to gain access to accounts when the password is unknown or when they have obtained password hashes. Without the actual password, adversaries guess it systematically through repetitive or iterative attempts. This can happen online, by interacting with a service that validates credentials, or offline, by comparing guesses against previously obtained credential material such as password hashes. Online guessing is bounded by the service's response time, lockout policy and rate limiting; offline cracking is bounded only by the attacker's hardware and the cost of the hash function.

Brute force attacks on credentials can occur at different stages of a breach. Adversaries might brute force their way into valid accounts within a target environment, drawing on information gathered from post-compromise activities such as OS Credential Dumping, Account Discovery, or Password Policy Discovery. They may also combine brute force with External Remote Services as part of their initial access strategy.

What is Brute Force?

A brute force attack systematically checks possible values until the correct one is found. It applies to any secret drawn from an enumerable space: passwords, PIN codes, or short cryptographic keys. Password hashes are cracked the same way: each guess is hashed and the result compared with the stolen hash. The approach is straightforward: with a lock that has a three-digit code, brute force means trying every combination from 000 to 999 until it opens.

Why attackers use Brute Force

Attackers use brute force because it is simple and effective against weak targets. It requires no sophistication beyond automation, and if a password or key is short, or drawn from a small and predictable set, a brute force attack finds it quickly. Automated tooling runs the attack at high speed: online guessing is limited by the target service's response time and any lockout or rate limiting, while offline cracking of fast, unsalted hashes on GPUs reaches billions of guesses per second.

How to Detect a Brute Force Attack

What are the signs of a brute force attack?

  • Unusually high volume of login attempts: the first red flag is a host making an abnormally large number of authentication attempts in a short period, most of them failing. Classic brute force produces many failures against one account from one source; password spraying produces a few attempts each against many accounts, which stays under per-account lockout thresholds. Count both failures per account and distinct accounts per source, and treat a success that follows a burst of failures from the same source as a probable compromise.
  • Versatility in protocols: brute force appears over any service that validates credentials, including RDP, VNC, SSH, SMB and HTTP login forms, so analysts must watch across the spectrum of channels rather than only interactive logins. Heartbleed, sometimes listed alongside these, is a different class of attack: a memory-disclosure bug in OpenSSL's TLS heartbeat extension that leaks server memory (which may contain credentials) without any guessing.
  • Internal and external threats: an infected host inside the network guessing passwords on internal systems points to lateral movement. An infected host guessing passwords on external systems is common botnet behaviour: newly compromised machines serve as waypoints for command and control and as relays for data exfiltration.
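The two counts described above (failures per account from one source, and distinct accounts per source) can be implemented as a sliding-window check over authentication logs. The following Python is an added example, not code from the original page or from Vectra: it runs over a constructed set of Windows Security events (4625 failed logon, 4624 successful logon), and the thresholds, the five-minute window and the one-line log format are assumptions chosen for the example. Logon type 3 rows are network logons, which is how SMB authentication appears.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows Security log events, one per line:
# "<ISO time> <event id> <source ip> <target account> <logon type>".
# 4625 = failed logon, 4624 = successful logon; logon type 3 = network logon,
# which is what SMB and other network authentication produces. The lines are
# made up for this example and are not real captures.
SAMPLE_LOG = """
2024-03-01T09:00:00 4625 10.0.0.25 alice 3
2024-03-01T09:00:01 4625 10.0.0.25 alice 3
2024-03-01T09:00:02 4625 10.0.0.25 alice 3
2024-03-01T09:00:03 4625 10.0.0.25 alice 3
2024-03-01T09:00:04 4625 10.0.0.25 alice 3
2024-03-01T09:00:05 4625 10.0.0.25 alice 3
2024-03-01T09:00:06 4624 10.0.0.25 alice 3
2024-03-01T09:05:00 4625 10.0.0.40 bob 3
2024-03-01T09:05:30 4625 10.0.0.40 carol 3
2024-03-01T09:06:00 4625 10.0.0.40 dave 3
2024-03-01T09:06:30 4625 10.0.0.40 erin 3
2024-03-01T09:07:00 4625 10.0.0.40 frank 3
2024-03-01T10:00:00 4625 10.0.0.77 alice 2
2024-03-01T10:30:00 4625 10.0.0.77 alice 2
"""

FAIL_THRESHOLD = 5             # failures against one account from one source (assumed)
SPRAY_THRESHOLD = 5            # distinct accounts failed from one source (assumed)
WINDOW = timedelta(minutes=5)  # sliding window the counts are taken over (assumed)


def parse(log_text):
    """Turn the text into (time, event_id, source, account, logon_type) tuples."""
    events = []
    for line in log_text.strip().splitlines():
        ts, eid, src, acct, ltype = line.split()
        events.append((datetime.fromisoformat(ts), int(eid), src, acct, int(ltype)))
    return events


def detect(events):
    """Return findings: classic brute force (many failures, one account),
    password spray (few failures each, many accounts), and a success from a
    source that was already flagged while its failures are still in the window."""
    findings = []
    recent = defaultdict(deque)   # source -> deque of (time, account) failures
    flagged = set()               # (source, kind) pairs already reported
    for ts, eid, src, acct, _ltype in sorted(events):
        window = recent[src]
        while window and ts - window[0][0] > WINDOW:
            window.popleft()      # drop failures older than the window
        if eid == 4625:
            window.append((ts, acct))
            per_account = sum(1 for _, a in window if a == acct)
            distinct = len({a for _, a in window})
            if per_account >= FAIL_THRESHOLD and (src, "brute_force") not in flagged:
                flagged.add((src, "brute_force"))
                findings.append({"type": "brute_force", "source": src,
                                 "account": acct, "failures": per_account})
            if distinct >= SPRAY_THRESHOLD and (src, "password_spray") not in flagged:
                flagged.add((src, "password_spray"))
                findings.append({"type": "password_spray", "source": src,
                                 "accounts": distinct})
        elif eid == 4624 and window and (src, "brute_force") in flagged:
            # A success shortly after a flagged burst: treat as probable compromise.
            findings.append({"type": "success_after_brute_force", "source": src,
                             "account": acct})
    return findings


if __name__ == "__main__":
    for finding in detect(parse(SAMPLE_LOG)):
        print(finding)
```

On the sample, 10.0.0.25 trips the per-account threshold on its fifth failure against alice and then logs in successfully, 10.0.0.40 trips the spray threshold on its fifth distinct account, and 10.0.0.77's two failures half an hour apart fall outside the window and produce nothing. Real 4625 events carry the source in the IpAddress field and the failure reason in Status/SubStatus; SubStatus 0xC000006A (wrong password) versus 0xC0000064 (no such user) separates guessing against real accounts from probing for usernames.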

How to investigate and mitigate a brute force attack

Once the signs of a brute force attack are identified, a systematic investigation is paramount to neutralize the threat effectively.

  1. Verify connection legitimacy: start by determining whether the internal host should be connecting to the target host at all. If not, the connection is likely malicious. Check whether it corresponds to a regular business process (backup jobs, management tooling, scheduled scans) or whether it is an anomaly that demands immediate attention.
  2. Trace the traffic origin: identify the process responsible for the connections to the target IP addresses and ports. On Windows, `netstat -ano` lists each connection together with the owning process ID, and `tasklist` maps that PID to an image name. Knowing which process is generating the attempts tells you whether you are looking at an attacker's tool, a compromised legitimate program, or a misconfigured one.
  3. Validate process integrity: finally, confirm that the process should be running on that host, that its image path and publisher signature match what is expected, and that its configuration adheres to established security policy. Any deviation can signify compromise and requires prompt remediation.
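Steps 2 and 3 can be carried out offline against command output collected from the suspect host. The following Python is an added example, not code from the original page or from Vectra: it joins constructed `netstat -ano` and `tasklist /FO CSV` output on the PID column and reports processes holding connections to several distinct hosts on credential-validating ports. The host addresses, the process names and the `AUTH_PORTS` set are assumptions made for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed output of "netstat -ano" on the suspected host (not a real capture).
# The last column is the owning process ID; UDP rows have no State column.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.25:49712        10.0.0.5:445           ESTABLISHED     4412
  TCP    10.0.0.25:49713        10.0.0.6:445           SYN_SENT        4412
  TCP    10.0.0.25:49714        10.0.0.7:445           SYN_SENT        4412
  TCP    10.0.0.25:49715        10.0.0.8:445           SYN_SENT        4412
  TCP    10.0.0.25:49800        52.96.0.10:443         ESTABLISHED     1984
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       928
  UDP    0.0.0.0:500            *:*                                    1120
"""

# Constructed output of "tasklist /FO CSV" on the same host (not a real capture).
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","928","Services","0","12,345 K"
"lsass.exe","1120","Services","0","20,111 K"
"msedge.exe","1984","Console","1","150,222 K"
"updater.exe","4412","Console","1","8,400 K"
"""

# Remote ports whose service validates credentials: SMB, RDP, SSH, VNC (assumed set).
AUTH_PORTS = {445, 3389, 22, 5900}


def parse_netstat(text):
    """Return (proto, remote_host, remote_port, state, pid) for each connection row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header and blank lines
        proto, foreign = parts[0], parts[2]
        state = parts[3] if len(parts) == 5 else ""     # UDP rows carry no state
        pid = int(parts[-1])
        host, _, port = foreign.rpartition(":")         # also splits "[::1]:445"
        rows.append((proto, host, int(port) if port.isdigit() else None, state, pid))
    return rows


def parse_tasklist(text):
    """Map PID -> image name from tasklist's CSV output."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def find_guessing_processes(netstat_text, tasklist_text, min_hosts=3):
    """Join connections to processes; return [(image, pid, distinct remote hosts)]
    for processes connected to at least min_hosts remote hosts on auth ports."""
    procs = parse_tasklist(tasklist_text)
    targets = defaultdict(set)
    for proto, host, port, state, pid in parse_netstat(netstat_text):
        if proto != "TCP" or state == "LISTENING" or port not in AUTH_PORTS:
            continue
        targets[pid].add(host)
    hits = [(procs.get(pid, "<unknown>"), pid, len(hosts))
            for pid, hosts in targets.items() if len(hosts) >= min_hosts]
    return sorted(hits, key=lambda hit: -hit[2])


if __name__ == "__main__":
    for image, pid, count in find_guessing_processes(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{image} (PID {pid}) is talking to {count} hosts on auth ports")
```

On the sample, updater.exe (PID 4412) is reaching four different hosts on TCP 445 while the browser's single HTTPS connection is ignored. Legitimate Windows SMB client traffic is issued by the kernel redirector and shows up in netstat under PID 4 (System), so a user-mode process owning many port 445 connections is notable on its own. `tasklist` does not report the image path needed for step 3; `Get-Process -Id <pid> | Select-Object Path` in PowerShell does.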

Brute Force Attack targeting SMB (Server Message Block)

SMB, or Server Message Block, is a network communication protocol primarily used for providing shared access to files, printers, and serial ports, and miscellaneous communications between nodes on a network. It's a critical component of Microsoft's network file sharing architecture and has been included in all versions of Windows since Windows for Workgroups 3.1.

Attackers may choose to brute force SMB (Server Message Block) protocol for several reasons:

  1. Gaining Network Access: The primary goal of brute-forcing SMB is often to gain unauthorized access to a network. Since SMB is commonly used for sharing files and printers within a network, compromising it can provide access to a wealth of sensitive information.
  2. Exploiting Weak Passwords: SMB itself is not the weakness; the accounts behind it are. When users or service accounts have weak, default or reused passwords, attackers guess them over SMB because the protocol accepts password authentication from any host that can reach port 445.
  3. Lateral Movement: Once inside a network, attackers use SMB to move laterally. Valid credentials over SMB give access to file and administrative shares on other systems, and compromising one account extends the attacker's reach across the victim's network.
  4. Installing Malware or Ransomware: After gaining access through SMB, attackers can install malware, ransomware, or other malicious software to exploit the network further, steal data, or encrypt files for ransom.
  5. Capturing Sensitive Data: By gaining access to SMB shares, attackers can read and exfiltrate the data stored on them, leading to data breaches.
  6. Exploiting SMB Vulnerabilities: Certain versions of SMB have known vulnerabilities, such as the SMBv1 flaw (MS17-010) exploited by the WannaCry ransomware. Exploiting such a flaw is a separate technique from brute force: it needs no credentials at all. Attackers typically scan for unpatched SMBv1 hosts and fall back to credential guessing where the service is patched.
  7. Credential Harvesting: Successful brute force attacks also reveal valid user credentials, which attackers can use for other malicious activities, both within the compromised network and on other systems where users have reused their passwords.

Detection of an SMB brute force attack in the Vectra AI UI

The business impact of a Brute Force attack

Brute force attacks can have severe impacts on businesses:

  • Security Breach: Successful attacks can lead to unauthorized access to sensitive data.
  • Operational Disruption: A high rate of authentication attempts can overload authentication services, and attempts that trigger account lockout policies lock legitimate users out of their own accounts, disrupting business operations.
  • Financial Loss: Costs associated with responding to the attack, legal fees, and potential fines for data breaches can be substantial.
  • Reputation Damage: A successful attack can damage a company's reputation, leading to loss of customer trust and business.
  • Compliance Issues: Businesses may face non-compliance penalties if the attack compromises data protected by regulations like GDPR or HIPAA.

Brute force attacks are a rudimentary yet potent threat, primarily affecting weak or poorly protected systems. Businesses should require long, unique passwords, enforce multi-factor authentication, apply lockout or rate limiting on credential-validating services, and deploy monitoring that detects guessing activity before a guess succeeds.
