Brute Force (T1110) v2
“The most powerful leadership tool you have is your own personal example.”
Brute Force Attacks (T1110)
MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. One documented technique is Brute Force (ID T1110), which involves various methods to systematically guess account credentials to gain unauthorized access to systems. This technique has evolved significantly over the years, becoming more sophisticated and adapting to new security measures.
These steps are a basic level of remediation for brute force attacks on Windows, OS X, Linux, AWS, GCP, and Azure. As tools change, remediation advice changes. The majority of these suggestions center on password attacks rather than the many other types of brute force. This entry maps to the MITRE technique ID referenced in the entry. Please check back regularly for updates to this library entry.
Technical History of Brute Force Attacks
Early Brute Force Attacks (Late 1980s - Early 1990s):
In the early days of networked computing, brute force attacks were relatively simple due to weak password policies and a general lack of user awareness about cybersecurity. Early hacker groups and curious individuals exploring computer networking would use basic automated scripts to attempt multiple password combinations in quick succession. These scripts were often rudimentary, leveraging the limited computing power available at the time to test common passwords or simple variations of known information about the target.
Mid-1990s - Early 2000s:
This period saw significant advancements in brute force techniques and tools. L0phtCrack, released in 1997, became a popular Windows password cracker, leveraging rainbow tables and dictionary attacks. John the Ripper, introduced in 1996, offered a flexible and fast password cracker that supported various password hash types.
The Melissa Virus, which emerged in 1999, marked a notable incident during this era. While primarily known as a fast-spreading email worm, it also included a password-cracking feature, highlighting the growing integration of brute force techniques in malware.
Late 2000s - Early 2010s:
Attacks became increasingly sophisticated during this period. Tools like Rainbow Crack leveraged pre-computed tables to drastically reduce the time needed for password cracking. Cain & Abel provided a comprehensive suite of password recovery tools, while Hydra offered a network logon cracker supporting numerous protocols.
A significant event during this time was the 2010 Gmail brute-force campaign. Google's security team detected and thwarted a large-scale attack originating from China, which attempted to access Gmail accounts of Chinese human rights activists. This incident underscored the evolving nature of brute force attacks and their potential for targeted operations.
2013 - Present:
Recent years have seen brute force attacks become more diverse and widespread. Hacktivist groups like Anonymous and cybercriminal organizations like Lizard Squad have employed these techniques in high-profile attacks. Credential stuffing has emerged as a prevalent form of brute force attack, where attackers use large datasets of leaked credentials to attempt access across multiple services, exploiting users' tendency to reuse passwords.
Notable incidents include the Yahoo data breach (2013-2016), where brute force techniques, among other methods, led to the compromise of 3 billion user accounts. The Mirai botnet attack in 2016 demonstrated the vulnerability of IoT devices to brute force attacks, as it targeted devices with default or weak credentials.
Noted Tools and Techniques
Modern brute force attacks employ a variety of sophisticated tools and techniques:
Tools:
John the Ripper: A flexible password cracker supporting hundreds of hash and cipher types.
Hydra: A parallelized network login cracker supporting numerous protocols.
Rainbow Crack: Implements rainbow table techniques for faster password cracking.
Hashcat: An advanced password recovery tool supporting GPU acceleration.
Techniques:
Dictionary Attacks: Using lists of common words and passwords to attempt access.
Rainbow Table Attacks: Utilizing pre-computed tables to reverse cryptographic hash functions.
Credential Stuffing: Automating login attempts using stolen username/password pairs.
As security measures continue to evolve, so do brute force techniques, making ongoing vigilance and adaptive defense strategies crucial in the cybersecurity landscape.
Remediation for Brute Force
Windows Environments
To enhance security in Windows environments, several key measures should be implemented. First, enable account lockout policies by configuring them via Group Policy. Navigate to:
Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Account Lockout Policy
Here, set "Account lockout duration," "Account lockout threshold," and "Reset account lockout counter after" as required for your organization's security needs.
Implement Multi-Factor Authentication (MFA):
Set up MFA for all user accounts using Azure or third-party solutions
Ensure regular MFA updates by users
Monitor Failed Login Attempts:
Enable auditing for account logon events
Navigate to:
Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration
Enable success and failure auditing for "Logon/Logoff" and "Account Lockout"
Use Strong Password Policies:
Enforce complexity requirements
Navigate to:
Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy
Set parameters such as "Minimum password length," "Password must meet complexity requirements," and "Maximum password age"
macOS
Enforce Strong Passwords:
Use Terminal command:
sudo pwpolicy -setglobalpolicy 'minChars=12 requiresAlpha=1 requiresNumeric=1 requiresSymbol=1'
Enable Account Lockout:
Use Terminal command:
sudo pwpolicy -setglobalpolicy 'maxFailedLoginAttempts=5'
Enable FileVault:
Go to:
System Preferences -> Security & Privacy -> FileVault
and enable it
Use Multi-Factor Authentication:
Implement MFA via Apple ID settings or third-party applications
Linux
Enforce Strong Password Policies:
Install and configure libpam-pwquality or pam_cracklib
Edit
/etc/pam.d/common-password
to include:
password requisite pam_cracklib.so retry=3 minlen=12 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1
Account Lockout Configuration:
Edit
/etc/pam.d/common-auth
to include:
auth required pam_tally2.so onerr=fail deny=5 unlock_time=900 audit
SSH Configuration:
Modify
/etc/ssh/sshd_config
to include:
PermitRootLogin no
and
MaxAuthTries 3
Restart SSH:
sudo systemctl restart sshd
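Added here as an example (not part of the original entry): a small checker that reads an sshd_config and confirms the two settings above are actually in effect, because sshd honours the first value it sees for a keyword, so a hardening line appended below an earlier "PermitRootLogin yes" changes nothing. It assumes a single file with no Include directive and uses a constructed sample config.

```python
# Added example: verify the recommended sshd settings are effective. sshd uses
# the FIRST value it reads for each keyword, so a line appended after an
# earlier "PermitRootLogin yes" is ignored; this check reports that case.
import re

# Keyword -> predicate on the effective value (keywords are case-insensitive).
REQUIRED = {
    "permitrootlogin": lambda v: v.lower() == "no",
    "maxauthtries": lambda v: v.isdigit() and int(v) <= 3,
}

def parse_sshd_config(text):
    """Return {keyword: first value} for the global section of an sshd_config."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        m = re.match(r"^(\w+)\s*=?\s*(.*)$", line)   # "Keyword value" or "Keyword=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break   # later lines belong to a Match block and apply conditionally
        effective.setdefault(key, value)             # first occurrence wins
    return effective

def check_hardening(text):
    """Return a list of findings; an empty list means both settings are effective."""
    effective = parse_sshd_config(text)
    findings = []
    for key, ok in REQUIRED.items():
        value = effective.get(key)
        if value is None:
            findings.append(f"{key}: not set, compiled-in default applies")
        elif not ok(value):
            findings.append(f"{key}: effective value is {value!r}")
    return findings

# Constructed sample: the recommended lines were appended at the bottom, but a
# leftover "PermitRootLogin yes" higher up is what sshd will actually honour.
SAMPLE = """\
Port 22
PermitRootLogin yes   # left over from initial provisioning
# MaxAuthTries 6
PermitRootLogin no
MaxAuthTries 3
"""
```

Run `check_hardening(open("/etc/ssh/sshd_config").read())` on a host to see what sshd will really apply; `sshd -T` prints the same effective values from the daemon itself.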
Audit Login Attempts:
Check
/var/log/auth.log
Configure
auditd
in
/etc/audit/audit.rules
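Added here as an example (not part of the original entry): detection logic that reads sshd "Failed password" lines of the kind found in /var/log/auth.log and flags any source address that reaches the same threshold the PAM lockout line above enforces (5 failures within 900 seconds), reporting the usernames it tried. The log lines are constructed and use documentation addresses.

```python
# Added example: scan sshd lines from /var/log/auth.log for password guessing
# by counting failed logins per source inside a sliding time window. Defaults
# mirror the PAM lockout line above (deny=5 within unlock_time=900 seconds).
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# sshd's "Failed password" line; "invalid user " is present when the account
# does not exist on the host, i.e. usernames are being guessed as well.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_ts(text, year=2024):
    """Syslog timestamps carry no year; the constructed sample assumes 2024."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def find_bruteforce(lines, threshold=5, window_s=900):
    """Return {ip: (total_failures, sorted usernames tried)} for every source
    that produced `threshold` failed passwords within any `window_s` seconds."""
    recent = defaultdict(deque)   # ip -> failure timestamps inside the window
    total, users, flagged = Counter(), defaultdict(set), set()
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue              # accepted logins, other daemons, etc.
        ip, ts = m["ip"], parse_ts(m["ts"])
        total[ip] += 1
        users[ip].add(m["user"])
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()           # slide the window forward
        if len(q) >= threshold:
            flagged.add(ip)
    return {ip: (total[ip], sorted(users[ip])) for ip in flagged}

# Constructed sample log lines (documentation addresses, not real hosts).
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
Mar  3 10:00:03 host sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 51014 ssh2
Mar  3 10:00:05 host sshd[1205]: Failed password for root from 203.0.113.7 port 51016 ssh2
Mar  3 10:00:07 host sshd[1207]: Failed password for root from 203.0.113.7 port 51018 ssh2
Mar  3 10:00:09 host sshd[1209]: Failed password for root from 203.0.113.7 port 51020 ssh2
Mar  3 10:02:10 host sshd[1211]: Failed password for alice from 198.51.100.4 port 40022 ssh2
Mar  3 10:02:20 host sshd[1212]: Accepted password for alice from 198.51.100.4 port 40022 ssh2
""".splitlines()
```

On a live host, pass `open("/var/log/auth.log")` as `lines`; a single failed login from 198.51.100.4 stays below the threshold while the five rapid failures from 203.0.113.7 are reported.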
Amazon AWS
Enable AWS CloudTrail:
Access the CloudTrail console and configure a trail
Configure IAM Policies and MFA:
Enable MFA for root and IAM users
Create strong password policies in IAM
Set up VPC Flow Logs:
Enable VPC Flow Logs for traffic monitoring
Automate Monitoring with AWS Config and GuardDuty:
Use AWS Config for policy compliance
Enable GuardDuty for threat detection
Google GCP
Enable Cloud Audit Logs:
Enable in the Logs Viewer for Admin Activity and Data Access
Use Identity and Access Management (IAM):
Implement strong IAM policies and enforce MFA
Apply custom roles with least privilege
Enable VPC Flow Logs:
Activate VPC Flow Logs for traffic monitoring
Set up Security Command Center:
Monitor and detect threats with the Security Command Center
Microsoft Azure
Enable Azure AD Identity Protection:
Monitor and mitigate identity risks
Enforce MFA for risky sign-ins
Custom Conditional Access Policies:
Create policies in the Azure AD portal to restrict risky access
Set up Azure MFA:
Require MFA for all users
Configure MFA settings in the Azure AD portal
Monitor Azure Security Center:
Monitor recommendations and enable just-in-time VM access