Brute force attacks use automated techniques such as credential stuffing and card cracking, continually testing large quantities of stolen or guessed data against a website's login or payment forms to gain entry to a user's account.
For instance, in a credential stuffing attack, a threat actor continually submits illegally acquired username and password pairs to find out which ones are valid. Once a valid match is found, the threat actor can take over the account, either accessing its contents for their own gain or selling the validated details on for a profit.
This validation process is purely a numbers game and requires multiple, consecutive attempts. Automation dramatically reduces the time the threat actor needs to find correct username and password combinations, enabling the perpetrator to submit hundreds of credential combinations every minute.
How to prevent brute force attacks
Preventing brute force attacks can be achieved using methods such as:
CAPTCHA
A Completely Automated Public Turing test to tell Computers and Humans Apart, aka a CAPTCHA form, requires users to prove they are human by solving a puzzle such as selecting matching images from a grid or typing out a sequence of numbers and letters.
Strong customer authentication (SCA)
SCA requires customers to provide at least two forms of identification to access their account, such as a password and a fingerprint, or a password and a one-time authentication code sent to the user’s mobile phone.
Limiting login attempts
Limiting the number of login attempts to three makes the use of brute force techniques exceptionally difficult but not impossible, and also introduces a fresh challenge when genuine customers take multiple attempts to successfully access their account.
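The attempt limit described above, as an added example that is not part of the original article or any Netacea product: a small per-account limiter that rejects every login (even one with the correct password) once three consecutive failures have been seen, then releases the account after an assumed 15-minute lockout so that genuine customers who mistype are not locked out permanently. The `check_password` callable, the lockout length and the in-memory store are assumptions for illustration.

```python
import hmac
import time
from dataclasses import dataclass


MAX_ATTEMPTS = 3           # threshold used in the text
LOCKOUT_SECONDS = 15 * 60  # assumption: lock the account for 15 minutes


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts since last success/unlock
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class LoginLimiter:
    """Tracks consecutive failed logins per account and locks after MAX_ATTEMPTS.

    While an account is locked the password is not even checked, so an attacker
    cannot use the lockout window to validate a stolen credential.
    """

    def __init__(self, check_password, max_attempts=MAX_ATTEMPTS,
                 lockout_seconds=LOCKOUT_SECONDS, clock=time.time):
        self._check_password = check_password  # callable(username, password) -> bool
        self._max = max_attempts
        self._lockout = lockout_seconds
        self._clock = clock                    # injectable for deterministic tests
        self._state = {}                       # username -> AccountState

    def attempt(self, username, password):
        """Return 'ok', 'denied' (wrong password) or 'locked' (too many failures)."""
        now = self._clock()
        state = self._state.setdefault(username, AccountState())
        if state.locked_until > now:
            return "locked"
        if self._check_password(username, password):
            self._state.pop(username, None)    # success clears the failure counter
            return "ok"
        state.failures += 1
        if state.failures >= self._max:
            state.locked_until = now + self._lockout
            state.failures = 0                 # counter restarts once the lock expires
            return "locked"
        return "denied"


def demo_check_password(username, password):
    """Stand-in credential store for the demo (constructed, not a real user base)."""
    users = {"alice": "correct-horse"}
    expected = users.get(username, "")
    # constant-time comparison so timing does not leak which accounts exist
    return hmac.compare_digest(expected.encode(), password.encode()) and username in users


if __name__ == "__main__":
    limiter = LoginLimiter(demo_check_password)
    for guess in ["pass123", "letmein", "qwerty", "correct-horse"]:
        print(guess, "->", limiter.attempt("alice", guess))
```

The fourth call in the demo is rejected even though the password is right, which is the property that makes the attacker's "numbers game" expensive; the cost is that a legitimate user who fails three times must wait for the lockout to expire.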
Blocking known bad IPs
If you're able to identify the IP addresses commonly used by bad bots attacking your web-facing infrastructure, you can block those IPs at your network edge. It's worth noting that most bot operators rotate through many IP addresses, so this technique is only effective against IPs already known to be used by bad bots.
Web Application Firewalls (WAFs)
WAFs protect web applications from common software vulnerabilities. However, most sophisticated threat actors are creating bots that mimic normal human behaviour and while WAFs will effectively block large volumes of malicious traffic, they are not complex enough to capture traffic that looks ordinary.
Rate limiting
Detecting surges of traffic to your web-facing infrastructure can indicate unusual and potentially malicious behaviour, such as that seen in a brute force attack. It's vital to accompany rate limiting with behavioural analysis that determines the intent of the traffic, since volume alone does not separate a busy legitimate period from an attack.
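The IP-blocking and rate-limiting points above combined into one added detection example (not code from the original article or from Netacea): it reads constructed login log lines, checks each source against an assumed blocklist, counts login posts per source in a sliding 60-second window to spot a surge, and adds one behavioural signal, the number of distinct usernames tried from a single source, which is what distinguishes credential stuffing from a real user retrying their own password. The log format, thresholds, blocklist entry and IP addresses (RFC 5737 documentation ranges) are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Assumed log line format: "<ISO time> <client ip> POST /login user=<name> status=<code>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) POST /login user=(?P<user>\S+) status=(?P<status>\d{3})$"
)

KNOWN_BAD_IPS = {"198.51.100.77"}  # assumed blocklist entry (documentation-range IP)
WINDOW_SECONDS = 60                # sliding window for the surge check
SURGE_THRESHOLD = 10               # more than this many login posts per window from one IP
DISTINCT_USER_THRESHOLD = 5        # this many different usernames from one IP is a stuffing signal


def parse(line):
    """Parse one log line into (epoch_seconds, ip, user, status) or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts.timestamp(), m["ip"], m["user"], int(m["status"])


def analyse(lines):
    """Return {ip: [reasons]} for every source that trips at least one check."""
    windows = defaultdict(deque)   # ip -> timestamps of login posts inside the window
    users = defaultdict(set)       # ip -> distinct usernames attempted
    verdicts = defaultdict(list)

    def flag(ip, reason):
        if reason not in verdicts[ip]:
            verdicts[ip].append(reason)

    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, ip, user, _status = rec
        if ip in KNOWN_BAD_IPS:
            flag(ip, "known_bad_ip")
        q = windows[ip]
        q.append(ts)
        while q and ts - q[0] > WINDOW_SECONDS:   # drop entries older than the window
            q.popleft()
        users[ip].add(user)
        if len(q) > SURGE_THRESHOLD:
            flag(ip, "surge")
        if len(users[ip]) >= DISTINCT_USER_THRESHOLD:
            flag(ip, "many_usernames")
    return dict(verdicts)


def constructed_log():
    """Constructed sample log (not real traffic). IPs are RFC 5737 documentation addresses."""
    lines = [
        # a genuine user mistypes once, then succeeds
        "2024-05-01T10:00:00Z 192.0.2.10 POST /login user=alice status=401",
        # a single request from an address on the assumed blocklist
        "2024-05-01T10:00:05Z 198.51.100.77 POST /login user=bob status=401",
        "2024-05-01T10:00:20Z 192.0.2.10 POST /login user=alice status=200",
    ]
    # one source trying 12 different usernames within 30 seconds, all rejected
    for i in range(12):
        lines.append(
            f"2024-05-01T10:01:{i * 2:02d}Z 203.0.113.5 POST /login user=user{i:02d} status=401"
        )
    return lines


if __name__ == "__main__":
    for ip, reasons in analyse(constructed_log()).items():
        print(ip, reasons)
```

The distinct-username signal is the part a pure volume limit misses: a stuffing campaign throttled to stay under `SURGE_THRESHOLD` still trips `many_usernames`, while the legitimate user at `192.0.2.10` trips nothing despite a failed attempt. In production the thresholds would be tuned against the site's own baseline, and the blocklist would be refreshed rather than hard-coded.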
Sophisticated bot detection
Collaborate with a bot management vendor who can quickly and accurately distinguish bots from humans, using technology that learns and adapts as quickly as the bots do to ensure it remains effective and efficient. Learn more about sophisticated bot management from Netacea.