Powered by AI and the LinkedIn community
1. Detect the attack
2. Contain the attack
3. Analyze the attack
4. Eradicate the attack
5. Recover from the attack
6. Learn from the attack
7. Here’s what else to consider
A brute force attack is a type of cyberattack that tries to guess passwords or encryption keys by systematically trying all possible combinations. It can be used to gain unauthorized access to accounts, data, or systems. If you are a victim of a brute force attack, you need to act quickly and follow some best practices to minimize the damage and prevent further attacks. Here are some of the steps you should take to respond to a brute force attack.
Key takeaways from this article
- Implement passwordless authentication: Moving away from traditional passwords and adopting FIDO2-compliant methods can greatly reduce the risk of brute force attacks. This tech uses devices or biometrics, making unauthorized access much tougher.
- Limit login attempts: To counteract brute force attacks, set up a system that locks accounts or slows down login attempts after a few failures. This helps to stop attackers in their tracks and keeps your data safer.
This summary is powered by AI and these experts
- Vishnu Mohan Sujatha Channel Account Manager @ Forcespot DMCC
- Sherif Koussa CEO @ Software Secured - Investor
1 Detect the attack
The first step is to detect the attack as soon as possible. You can use various tools and methods to monitor your network and system activity, such as intrusion detection systems (IDS), log analysis, firewall rules, and alerts. You should look for signs of unusual or excessive login attempts, failed authentication, or abnormal traffic patterns. You should also check your user accounts and permissions for any changes or anomalies.
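The log-analysis detection this step describes, as an added example (not code from the article or any contributor): it parses constructed SSH-style auth log lines, raises an alert when one source IP reaches a failure threshold inside a sliding window, and raises a second alert when a successful login follows such a burst, which is the "was any attempt successful" question an analyst asks next. The log format, threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the style of an SSH auth log (not real data).
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122
2024-03-01T10:00:02 sshd[1202]: Failed password for root from 203.0.113.7 port 51123
2024-03-01T10:00:03 sshd[1203]: Failed password for root from 203.0.113.7 port 51124
2024-03-01T10:00:04 sshd[1204]: Failed password for root from 203.0.113.7 port 51125
2024-03-01T10:00:05 sshd[1205]: Failed password for root from 203.0.113.7 port 51126
2024-03-01T10:00:06 sshd[1206]: Accepted password for root from 203.0.113.7 port 51127
2024-03-01T10:05:00 sshd[1300]: Failed password for alice from 198.51.100.4 port 40001
2024-03-01T10:30:00 sshd[1301]: Accepted password for alice from 198.51.100.4 port 40002
"""

# Assumed line layout: ISO timestamp, sshd prefix, result, optional "invalid user", user, ip, port.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+$"
)

def parse(line):
    """Return a dict for an auth event, or None for lines that are not login events."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
            "user": m["user"], "ip": m["ip"]}

def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Yield alerts as (kind, ip, user, failures_in_window) tuples.

    BRUTE_FORCE fires once per IP when its failures inside `window` reach `threshold`;
    SUCCESS_AFTER_BURST fires when a flagged IP later logs in successfully.
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = set()                 # IPs already reported as brute forcing
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        q = failures[ev["ip"]]
        while q and ev["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append(("BRUTE_FORCE", ev["ip"], ev["user"], len(q)))
        elif ev["ip"] in flagged:
            # A success right after a burst of failures is the signal to treat the
            # account as compromised, not just attacked.
            alerts.append(("SUCCESS_AFTER_BURST", ev["ip"], ev["user"], len(q)))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

In the sample, 203.0.113.7 trips the threshold on its fifth failure and then succeeds against root, so both alerts fire; alice's single failure 25 minutes before her successful login stays below the threshold.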
- Vishnu Mohan Sujatha Channel Account Manager @ Forcespot DMCC
Eliminating passwords through implementing phishing-resistant FIDO2-compliant passwordless authentication. FIDO2 is a phishing-proof, passwordless authentication protocol defined by the FIDO Alliance and the World Wide Web Consortium (W3C); W3C announced that WebAuthn is the official web standard for passwordless login.
- Geraldo Alcantara, CISSP, CCISO, CCSK Red Team Tech Lead at ISH Tecnologia | Pentester | Cybersecurity | CISSP | CCISO | CEH Master | CCSK | Pentest+ | eWPTX | CRTP | eCPPT | eMAPT | eWPT | DCPT | Security+ | 34x CVEs | MBA | LPIC-1 | AZ-900 | ISFS | EHF
Detecting a brute force attack is crucial for swift response:
- Early Threat Identification: Recognize attack patterns early for quick intervention.
- Timely Mitigation: Respond promptly to prevent unauthorized access and minimize impact.
- Credential Protection: Implement account lockouts swiftly to safeguard user credentials.
- Adjust Security Controls: Tailor security measures based on detected attacker tactics.
- User Experience Protection: Safeguard legitimate users by countering attacks without disruption.
- Forensic Evidence Collection: Gather essential data for analysis and legal purposes.
- Continuous Improvement: Learn from incidents to enhance overall security resilience.
Here are some best practices for responding to a brute-force attack:
- Lock the account after a fixed number of failed attempts.
- Delay the response time. The more time between permitted password attempts, the more difficult it becomes for the attacker to guess the password.
- Use strong passwords.
- Implement multi-factor authentication.
- Employ the use of CAPTCHAs.
- Devin Price, MS, CISSP, CAPM Security Technical Program Manager @ Microsoft 👨🏾💻 | Protecting billions of customers from emerging security threats🔒 | Creator of "Vulnerability Submission Reviewer" GPT 🤖 | Host of "The Talking Tech Podcast"🎙️
If you can detect a brute force attack as it is happening, you can help mitigate its likely success. For example, if your company’s mobile application has a login page requiring a username and password, an attacker could conduct a brute force attack to successfully log in. However, if you incorporate a CAPTCHA as part of the login process, this will mitigate an attacker’s use of bots to perform automated brute force login attempts. You could also implement rate limiting to automatically detect, or even prevent, login success for any IP addresses performing dozens or hundreds of login attempts within the span of seconds. That would be a dead giveaway of a brute force attack in progress.
- Sandesh Mysore Anand Co-founder, Seezo.io
Here are a few levers that can help.
1. Implement anti-automation techniques like CAPTCHAs into critical parts of your application. (UX is less of a concern with the latest version of ReCAPTCHA.)
2. Define rate limits for specific routes in your application and enforce these (API gateway or WAF). For complex applications, set rate limits dynamically. Leverage data science to help decide.
3. Implement robust alerting to detect attacks quickly. It helps you apply short-term fixes (e.g. IP blocking). Once the attack stops, do an RCA and develop long-term solutions.
Harder questions: Which lever do we use when? Which one should we apply first? The answer depends on your context and your company's threat model. Happy to chat more about this.
2 Contain the attack
The second step is to contain the attack and isolate the affected systems or accounts. You can do this by blocking the source IP address or range of the attacker, changing the passwords or keys of the compromised accounts, disabling or deleting any unauthorized accounts, and revoking any access tokens or sessions. You should also disconnect any devices or services that are not essential for your operations or recovery.
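The containment controls this step and the contributions below describe (lock the account after a fixed number of failures, delay the response, rate limit per source IP), as an added example that is not code from the article or any contributor. It assumes a constructed credential store, a salted SHA-256 stand-in for a real password hash, and a fake clock so the lockout window can be exercised without sleeping.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Constructed demo credential store (not real credentials). Salted SHA-256 stands in
# for a real password hash such as Argon2 or bcrypt to keep the example dependency-free.
_SALT = b"demo-salt"
def _hash(pw):
    return hashlib.sha256(_SALT + pw.encode()).hexdigest()
USERS = {"alice": _hash("correct horse battery staple")}
_DUMMY = _hash("dummy")  # compared for unknown users so the timing is uniform

class ManualClock:
    """Fake clock so lockout expiry can be tested without sleeping."""
    def __init__(self):
        self.t = 0.0
    def __call__(self):
        return self.t

class LoginThrottle:
    def __init__(self, max_failures=5, lockout_seconds=900, ip_limit=20,
                 ip_window=60, clock=time.monotonic):
        self.max_failures, self.lockout_seconds = max_failures, lockout_seconds
        self.ip_limit, self.ip_window, self.clock = ip_limit, ip_window, clock
        self.failures = defaultdict(int)        # account -> consecutive failures
        self.locked_until = {}                  # account -> time the lock expires
        self.ip_attempts = defaultdict(deque)   # ip -> timestamps of recent attempts

    def _ip_allowed(self, ip, now):
        q = self.ip_attempts[ip]
        while q and now - q[0] > self.ip_window:   # forget attempts outside the window
            q.popleft()
        q.append(now)
        return len(q) <= self.ip_limit

    def delay_for(self, account):
        """Seconds to wait before answering: doubles per consecutive failure, capped at 30."""
        n = self.failures[account]
        return 0 if n == 0 else min(2 ** (n - 1), 30)

    def attempt(self, account, password, ip):
        now = self.clock()
        if not self._ip_allowed(ip, now):
            return "RATE_LIMITED"               # per-source throttle, before any auth work
        if self.locked_until.get(account, 0) > now:
            return "LOCKED"                     # a locked account rejects even the right password
        digest = _hash(password)
        ok = hmac.compare_digest(USERS.get(account, _DUMMY), digest) and account in USERS
        if ok:
            self.failures[account] = 0
            return "OK"
        self.failures[account] += 1
        if self.failures[account] >= self.max_failures:
            self.locked_until[account] = now + self.lockout_seconds
            return "LOCKED"
        return "FAILED"

def demo_lockout():
    """Five wrong guesses lock alice; the right password is refused until the lock expires."""
    clock = ManualClock()
    t = LoginThrottle(clock=clock)
    results = []
    for _ in range(5):
        results.append(t.attempt("alice", "wrong", "203.0.113.7"))
        clock.t += 1
    results.append(t.attempt("alice", "correct horse battery staple", "203.0.113.7"))
    clock.t += 901
    results.append(t.attempt("alice", "correct horse battery staple", "203.0.113.7"))
    return results

def demo_ip_limit():
    """Guessing across many accounts from one IP trips the per-IP limit on attempt 21."""
    t = LoginThrottle(clock=ManualClock())
    return [t.attempt(f"user{i}", "x", "198.51.100.4") for i in range(21)][-1]
```

The caller is expected to sleep for delay_for(account) before returning a failure response, which is the "delay the response time" lever; the per-IP limit is checked first so a throttled source never reaches the password check.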
- Sherif Koussa CEO @ Software Secured - Investor
From an application standpoint, things you can do to contain the attack are:
- After a certain number of unsuccessful attempts, you can block access to that account.
- Rate limiting or throttling against a higher than usual number of API accesses or larger than usual file sizes.
- Geraldo Alcantara, CISSP, CCISO, CCSK Red Team Tech Lead at ISH Tecnologia | Pentester | Cybersecurity | CISSP | CCISO | CEH Master | CCSK | Pentest+ | eWPTX | CRTP | eCPPT | eMAPT | eWPT | DCPT | Security+ | 34x CVEs | MBA | LPIC-1 | AZ-900 | ISFS | EHF
Immediately lock affected user accounts to halt further login attempts. Enforce rate limiting to slow down the attack. Temporarily block the attacking IP address, but exercise caution to avoid disrupting legitimate users. Set up real-time alerts for immediate response. Isolate affected systems or networks to prevent lateral movement. Leverage Web Application Firewalls (WAFs) to filter and monitor web traffic. Temporarily suspend services or accounts to prevent further exploitation. Consider enabling Multifactor Authentication (MFA) for an additional layer of security. Conduct a rapid investigation to identify the attack vector and affected systems. Communicate with stakeholders to keep them informed about containment efforts.
- Ravindra V. Security Architect at Amazon Web Services (India)
Containment is most effective if done at the edge of the network, not letting the attack reach your system endpoint (be it a load balancer or a server directly). One way is to use AWS CloudFront, which contains the attack at the edge, leading to better system performance and reduced cost of handling a DDoS attack.
- Jordan Wiseman Consultant | Advisor | AI, XR, and other Emerging Technology Evangelist | Speaker | Fellow | Technologist | VCISO
Slow down the attacker, for example, by rate limiting. This is the goal of account lockout settings, but it can be useful for all kinds of brute-force attacks. If you can slow down how often or how many times in a row an attacker can attempt login with a password (or query an API, or use a token, or even try to authorize a credit card they've stolen or are trying to find from a partial account number), you'll make it very hard for them to succeed.
It can be extremely helpful in this situation to "black hole" the traffic, as in, instruct the server, firewall, or IPS to not send a response to the source once a brute-force attack has been identified. IPS that are capable of this show more success because it causes the attack to time out and slow down significantly, even when proxies are in use.

This also reduces load on the server itself because it does not waste resources by sending any responses to the attacker.

From the attacker's perspective, their target simply "disappears" and they will likely give up the attack very quickly if it is not intended to cause denial-of-service.
3 Analyze the attack
The third step is to analyze the attack and determine its scope, impact, and origin. You can do this by collecting and preserving evidence, such as logs, files, screenshots, and network packets. You should also use forensic tools and techniques to identify the attacker's methods, tools, and goals. You should document your findings and report any incidents to the relevant authorities or stakeholders.
This is the job of the security analyst. You want to determine where the attacker's IP is originating from, what accounts they are attempting to log into, and whether there were any successful attempts.
- Travis R. Well Site Supervisor
Analyze the attack to grasp its scope, impact, and origin. Gather evidence like logs, files, screenshots, and network packets. Utilize forensic tools to identify the attacker's methods, tools, and goals. Document your findings and report incidents to relevant authorities or stakeholders.
- Giang T. Regional Information Security Officer | CISM | CRISC
In terms of my perspective, this approach aligns with industry best practices and highlights the importance of a holistic response to cyber incidents. The emphasis on evidence collection, forensic analysis, and documentation reflects the need for a systematic and well-documented approach.

Analyzing a cyber attack involves a comprehensive process that goes beyond technical investigation. It requires a strategic combination of understanding the scope, impact, and origin of the attack, coupled with thorough evidence collection, forensic analysis, and transparent communication. This approach is instrumental in not only mitigating the current incident but also in fortifying defenses against future threats.
- Sherif Koussa CEO @ Software Secured - Investor
Logging is an art and a science; most logs are either empty or too verbose. Getting the right level of logs in the right places is really key to analyzing the attack against the application.
4 Eradicate the attack
The fourth step is to eradicate the attack and remove any traces or remnants of the attacker's presence. You can do this by restoring your systems or accounts to a clean state, using backups, patches, or updates. You should also scan your systems or accounts for any malware, backdoors, or vulnerabilities. You should verify that your systems or accounts are functioning normally and securely.
- José Eduardo Moreira Bergo🇧🇷🇮🇹 Conselheiro certificado IBGC
A brute-force attack is complex, as is its eradication. However, the risk is considerably mitigated if you act to strengthen yourself preventively: applying strict password policies that include the use of strong passwords combined with a second authentication factor, including biometrics; keeping applications up to date; using tools such as firewalls and IDP/IPS; monitoring logs; and, fundamentally, continuous user awareness.
- Sherif Koussa CEO @ Software Secured - Investor
Similar to networks, you should always update your 3rd-party dependencies. Additionally, having working backups is key to restoring the application to its previous state as soon as possible. Remember, backups always work; restores, not as much :)
5 Recover from the attack
The fifth step is to recover from the attack and resume your normal operations. You can do this by testing your systems or accounts for performance, functionality, and security. You should also communicate with your users, customers, or partners about the status and outcome of the attack. You should provide them with any information or guidance they need to protect themselves or their data.
6 Learn from the attack
The sixth step is to learn from the attack and improve your security posture and practices. You can do this by reviewing your incident response plan, policies, and procedures. You should also evaluate your security controls, tools, and measures. You should identify any gaps, weaknesses, or opportunities for improvement. You should implement any changes or recommendations that can help you prevent or mitigate future brute force attacks.
- Sherif Koussa CEO @ Software Secured - Investor
Post-mortems are important to understand the attack surface and how hackers were able to get in. A threat modelling exercise to understand other possible areas in the application is an extremely helpful exercise too.
- Giang T. Regional Information Security Officer | CISM | CRISC
This focus on continuous improvement is commendable. Cybersecurity is an ever-evolving field, and organizations that actively learn from incidents and adapt their strategies are better positioned to defend against future threats. This step underscores the importance of a cyclical approach to security, where each incident becomes an opportunity to enhance overall resilience.

From my perspective, the sixth step of learning from a cyber attack emphasizes the importance of a reflective and adaptive security approach. By reviewing, evaluating, identifying opportunities, and implementing changes, organizations can turn the challenges posed by an incident into catalysts for strengthening their security posture.
7 Here’s what else to consider
This is a space to share examples, stories, or insights that don’t fit into any of the previous sections. What else would you like to add?
If feasible, consider eliminating passwords. Though essential in the evolution of the internet, passwords are inherently flawed in accurately verifying a user's identity. It's time to shift towards more secure and innovative alternatives like passkeys and FIDO2 hardware keys. These passwordless options are more efficient and mark a significant step forward in enhancing online security.
- Sarfaraz Muneer CISSP, CISM, CEH, CCIE UAE Top Digital Transformation Leader | Vice President Cyber Security | Top Cybersecurity Voice | Cloud Security Expert | Senior Cyber Security Architect | Public Speaker
If I had to address brute force attacks 5 years back, traditional strategies such as a maximum number of failed login attempts and account lockout could be effective. Considering current threats, supplemented by increasing automation by cyber criminals, eliminating passwords through implementing phishing-resistant FIDO2-compliant passwordless authentication is the most effective way to eliminate brute-force attacks. As a quick win, organizations can consider implementing Windows Hello for Business (WHFB), which is available as a phishing-resistant passwordless solution in Windows 10/11, along with Microsoft Authenticator with seamless passwordless sign-in across mobile devices. MS Authenticator with passkeys is expected by Q1 2024 by MS.
- Jeff Moore
Responding to a brute force attack requires a proactive approach to protect your systems and data. Here are some best practices to consider:
- Implement strong passwords
- Account lockout policy
- Two-factor authentication (2FA)
- Rate limiting
- Intrusion Detection and Prevention Systems (IDPS)
- Network segmentation
- Update software and patches
- Log monitoring and analysis
- Implement CAPTCHA
- Incident response plan
Remember, prevention is key. By implementing these best practices, you can significantly reduce the risk of successful brute force attacks on your systems and enhance your overall security posture.