Podcast: What is a Brute Force Attack? - Atomicorp - Unified Security Built on OSSEC

Podcast: What is a Brute Force Attack?

A Brute Force Attack is one of the oldest cyber attacks. It was even featured in the 1980’s thriller, War Games. In this episode, Mike Shinn walks through how a Brute Force Attack works, reviews some different flavors of attacks and how to defend against them

Atomicorp provides unified workload security for cloud, data center or hybrid platforms. Built on OSSEC, the World’s Leading Open Source Server Protection Platform. See our products.


Podcast Transcript: What Is A Brute Force Attack?

Bret Kinsella: [00:00:00]  This is Episode 1 of the Linux Security Podcast. Today’s topic: Brute Force Attacks.

Bret Kinsella: [00:00:15]  Welcome to the Linux Security Podcast. I’m your host Bret Kinsella. We’re speaking with Mike Shinn, CEO of Atomicorp. He’s an author, a developer who started his career protecting servers at the White House. Today we’re talking about brute force attacks. Mike good to talk to you.

Mike Shinn: [00:00:32]  Great to be here. Bret thanks.

Bret Kinsella: [00:00:34]  So tell me what is a brute force attack?

Mike Shinn: [00:00:36]  So brute force attack is one of the oldest cyber attacks that we have. If you’re old enough to remember the Matthew Broderick movie War Games, the character in that movie tried to break into The Whopper. That’s the big computer at Cheyenne Mountain. By typing in a series of passwords, one after the other. And in the movie he just types in a series of A’s and then the next password is all A’s and one B and then all A’s and one C in other words iterating through every potential password combination there is. Adversaries tend to be a little more sophisticated than that.

Mike Shinn: [00:01:15]  They will try passwords that are more common, things that people typically would use as a password maybe their user name as their password or the word “password” is password or one two three four five six or qwerty. But that’s basically what a brute force attack is it’s quite literally one of the oldest cyber attacks we have and surprisingly it’s still effective to this day.

Bret Kinsella: [00:01:39]  Well it’s great. So how does a brute force attack work?

Mike Shinn: [00:01:43]  So the name really belies the way the attack works the bad guys really just beating on whatever the authentication system is until they get a right answer. And as I said what’s surprising is that given how old this type of attack is is that it still works. And really without digressing too far that kind of speaks to where we are in the world in terms of cybersecurity that there are attacks that we understand really well, we know how to defeat them but yet we still continue to build things that are vulnerable to these types of attacks. And a brute force attack doesn’t have to be brutal. That is, it doesn’t have to be fast or even readily detectable. Sometimes brute force attacks or slow and methodical. We’ve seen you know fairly commonly that the bad guys understand that some of the countermeasures that are used to defend against brute force attacks, which many in listeners are probably already familiar with is, you type in your password too many times wrong in a row and it locks your account down. Most software has some type of a timer associated with that to count the number of failures that occur over some fixed window of time. So for example if you typed your password in wrong today and maybe you came back tomorrow typed it in wrong, came back the day after and typed it in wrong and maybe the threshold was set at three quite a number of software packages wouldn’t lock you out there would be an assumption that the window was far enough apart that you shouldn’t be penalized for that.

Mike Shinn: [00:03:20]  And so the bad guys take advantage of that where they can and they will slow their attacks down or they will bounce their attacks off of other systems to defeat brute force protection systems that try to pin the authentication failure to some other you know something like an IP address or a session or something. So it’s you know in as much as it’s reasonably easy to understand these types of attacks and applications should be well defended against them, it’s surprising the number of ones that aren’t just still a very, very effective attack and certainly credential theft or credential guessing which is what brute force attacks are are definitely up there in the top two or three ways that systems are compromised even to this day.

Bret Kinsella: [00:04:11]  So you talked a little bit about the brute force attack and you sort of intimated that there might be some rules or procedures you look at the pattern and to identify that it’s a brute force. It’s one thing if you see a number of logging failures over a very short like a thousand logging failures over a two minute period. That’s right. We understand what that is. Then you said the low and slow. But when you’re trying to defend against a brute force attack how do you set up defenses in order to be effective.

Mike Shinn: [00:04:44]  Yeah. I mean the most common at low cost an effective way of defending against brute force attacks which you just described is really just looking at the number of failures that occur over some period of time. You do need to have some logic in there to understand that brute force attacks may happen very quickly or they may happen very slowly. And a really good brute force defense protection system will understand when the user has successfully authenticated and when they haven’t successfully authenticated that is to say it will be able to adequately detect the difference between somebody who is just messing up their password versus someone who is trying over and over and over again with different passwords so a good system might look at what the passwords are that the user is using for that particular system or whatever the authentication credential is. It would look at what credentials were legitimate in the past which helps it to understand context that this might legitimately be that the actual user versus you know some bad guy who is just randomly guessing passwords. And that’s important too because any security measure has to be built for a world where users reasonably have a low tolerance for false positives. And if you’re not familiar with the term false positive very briefly that just means that the security software made a mistake it thought what you were doing was wrong. Thought that you were malicious and you’re not malicious. And what we find is that users become pretty frustrated with any security solution that has a greater possibility of false positives. So a good brute force defense system, it’s great if it can detect the brute force attacks but it needs to be smart enough to understand when something is not an attack.

Bret Kinsella: [00:06:39]  Brute force attacks I think are particularly troublesome for enterprises because when they’re successful the attacker then has credentials and they’re viewed as an inside user.

Mike Shinn: [00:06:52]  Yeah that’s exactly right. The thing about brute force attacks is first and foremost most security most organizations stops once a user is successfully authenticated and allowed into that enterprise. There is usually not much in the way to stop that user at that point. So that’s what bad guys want it. They want to be able to get into an organization using credentials of a legitimate user and then typically they’re able to move around fairly easily. And some of the things we’ve done in the past to defend against brute force attacks really are not viable in a highly cloud based environment. For example one of the strategies that was used in the past was if you had somebody trying to log into an account too many times, too many failures eventually it would lock the account out. And that’s not really viable if you’ve got bad guys trying all of your user accounts they’re just gonna lock out all of your users and they’re going to get very frustrated. So you need a much more sophisticated way of defending against brute force attacks. And unfortunately what we’ve seen is some organizations have just chosen to turn off the brute force protection altogether because of the high level of lockouts that are occurring from the bad guys attacking them.

Bret Kinsella: [00:08:09]  So if you want to defend against brute force what do you need to do?

Mike Shinn: [00:08:13]  Well you need to have a solution period that is designed specifically for that there. The idea of just kind of retrofitting the security solutions that you have in hopes that somehow they’ll be able to detect it is is not an answer you really have to have something that’s purpose built to help defend against brute force attacks. Honestly, you can’t rely on the vendor of that particular product and necessarily have a good solution to defend you from brute force attacks.

Bret Kinsella: [00:08:43]  That’s great Mike. Thank you.

Mike Shinn: [00:08:44]  Thanks Brett. Appreciate it.


Atomicorp provides unified workload security for cloud, data center or hybrid platforms. Built on OSSEC, the World’s Leading Open Source Server Protection Platform. See our products.