What are the best practices for responding to a brute force attack? (2024)


Powered by AI and the LinkedIn community


A brute force attack is a type of cyberattack that tries to guess passwords or encryption keys by systematically trying all possible combinations. It can be used to gain unauthorized access to accounts, data, or systems. If you are a victim of a brute force attack, you need to act quickly and follow some best practices to minimize the damage and prevent further attacks. Here are some of the steps you should take to respond to a brute force attack.

Key takeaways from this article

  • Implement passwordless authentication:

    Moving away from traditional passwords and adopting FIDO2-compliant methods can greatly reduce the risk of brute force attacks. This tech uses devices or biometrics, making unauthorized access much tougher.

  • Limit login attempts:

    To counteract brute force attacks, set up a system that locks accounts or slows down login attempts after a few failures. This helps to stop attackers in their tracks and keeps your data safer.

This summary is powered by AI and these experts

  • Vishnu Mohan Sujatha Channel Account Manager @ Forcespot DMCC
  • Sherif Koussa CEO @ Software Secured - Investor

1 Detect the attack

The first step is to detect the attack as soon as possible. You can use various tools and methods to monitor your network and system activity, such as intrusion detection systems (IDS), log analysis, firewall rules, and alerts. You should look for signs of unusual or excessive login attempts, failed authentication, or abnormal traffic patterns. You should also check your user accounts and permissions for any changes or anomalies.


  • Vishnu Mohan Sujatha Channel Account Manager @ Forcespot DMCC

    Eliminating passwords through implementing phishing-resistant FIDO2-compliant passwordless authentication. FIDO2 is a phishing-proof, passwordless authentication protocol defined by the FIDO Alliance and the World Wide Web Consortium (W3C). W3C announced that WebAuthn is the official web standard for passwordless login.

  • Geraldo Alcantara, CISSP, CCISO, CCSK Red Team Tech Lead at ISH Tecnologia | Pentester | Cybersecurity | CISSP | CCISO | CEH Master | CCSK | Pentest+ | eWPTX | CRTP | eCPPT | eMAPT | eWPT | DCPT | Security+ | 34x CVEs | MBA | LPIC-1 | AZ-900 | ISFS | EHF

    Detecting a brute force attack is crucial for swift response:
    - Early Threat Identification: Recognize attack patterns early for quick intervention.
    - Timely Mitigation: Respond promptly to prevent unauthorized access and minimize impact.
    - Credential Protection: Implement account lockouts swiftly to safeguard user credentials.
    - Adjust Security Controls: Tailor security measures based on detected attacker tactics.
    - User Experience Protection: Safeguard legitimate users by countering attacks without disruption.
    - Forensic Evidence Collection: Gather essential data for analysis and legal purposes.
    - Continuous Improvement: Learn from incidents to enhance overall security resilience.


    Here are some best practices for responding to a brute-force attack:
    - Lock the account after a fixed number of failed attempts.
    - Delay the response time. The more time between permitted password attempts, the more difficult it becomes for the attacker to guess the password.
    - Use strong passwords.
    - Implement multi-factor authentication.
    - Employ the use of CAPTCHAs.


  • Devin Price, MS, CISSP, CAPM Security Technical Program Manager @ Microsoft 👨🏾💻 | Protecting billions of customers from emerging security threats🔒 | Creator of "Vulnerability Submission Reviewer" GPT 🤖 | Host of "The Talking Tech Podcast"🎙️

    If you can detect a brute force attack as it is happening, you can help mitigate its likely success. For example, if your company’s mobile application has a login page requiring a username and password, an attacker could conduct a brute force attack to successfully log in. However, if you incorporate a CAPTCHA as part of the login process, this will mitigate an attacker’s use of bots to perform automated brute force login attempts. You could also implement rate limiting to automatically detect, or even prevent, login success for any IP addresses performing dozens or hundreds of login attempts within the span of seconds. That would be a dead giveaway of a brute force attack in progress.


  • Sandesh Mysore Anand Co-founder, Seezo.io

    Here are a few levers that can help.
    1. Implement Anti-automation techniques like CAPTCHAs into critical parts of your application. (UX is less of a concern with the latest version of reCAPTCHA.)
    2. Define rate limits for specific routes in your application and enforce these (API gateway or WAF). For complex applications, set rate limits dynamically. Leverage data science to help decide.
    3. Implement robust alerting to detect attacks quickly. It helps you apply short-term fixes (e.g., IP blocking). Once the attack stops, do an RCA and develop long-term solutions.
    Harder questions: Which lever do we use when? Which one should we apply first? The answer depends on your context and your company's threat model. Happy to chat more about this.


2 Contain the attack

The second step is to contain the attack and isolate the affected systems or accounts. You can do this by blocking the source IP address or range of the attacker, changing the passwords or keys of the compromised accounts, disabling or deleting any unauthorized accounts, and revoking any access tokens or sessions. You should also disconnect any devices or services that are not essential for your operations or recovery.


  • Sherif Koussa CEO @ Software Secured - Investor

    From an application standpoint, things you can do to contain the attack are:
    - After a certain number of unsuccessful attempts, you can block access to that account.
    - Rate limiting or throttling against a higher than usual number of API accesses or larger than usual file sizes.


  • Geraldo Alcantara, CISSP, CCISO, CCSK Red Team Tech Lead at ISH Tecnologia | Pentester | Cybersecurity | CISSP | CCISO | CEH Master | CCSK | Pentest+ | eWPTX | CRTP | eCPPT | eMAPT | eWPT | DCPT | Security+ | 34x CVEs | MBA | LPIC-1 | AZ-900 | ISFS | EHF

    Immediately lock affected user accounts to halt further login attempts. Enforce rate limiting to slow down the attack. Temporarily block the attacking IP address, but exercise caution to avoid disrupting legitimate users. Set up real-time alerts for immediate response. Isolate affected systems or networks to prevent lateral movement. Leverage Web Application Firewalls (WAFs) to filter and monitor web traffic. Temporarily suspend services or accounts to prevent further exploitation. Consider enabling Multifactor Authentication (MFA) for an additional layer of security. Conduct a rapid investigation to identify the attack vector and affected systems. Communicate with stakeholders to keep them informed about containment efforts.


  • Ravindra V. Security Architect at Amazon Web Services (India)

    Containment is most effective if done at the edge of the network, not letting the attack reach your system endpoint (be it a load balancer or the server directly). One way is to use AWS CloudFront, which contains the attack at the edge, leading to better system performance and reduced cost of handling a DDoS attack.


  • Jordan Wiseman Consultant | Advisor | AI, XR, and other Emerging Technology Evangelist | Speaker | Fellow | Technologist | VCISO

    Slow down the attacker, for example, by rate limiting. This is the goal of account lockout settings, but it can be useful for all kinds of brute-force attacks. If you can slow down how often or how many times in a row an attacker can attempt login with a password (or query an API, or use a token, or even try and authorize a credit card they've stolen or are trying to find from a partial account number) you'll make it very hard for them to succeed.


    It can be extremely helpful in this situation to "Black Hole" the traffic, as in, instruct the server, firewall, or IPS to not send a response to the source once a brute-force attack has been identified. IPS that are capable of this show more success because it causes the attack to time out and slow down significantly, even when proxies are in use. This also reduces load on the server itself because it does not waste resources by sending any responses to the attacker. From the attacker's perspective, their target simply "disappears" and they will likely give up the attack very quickly if it is not intended to cause denial-of-service.

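The lockout, response-delay and rate-limiting measures discussed in this step can be combined in one login guard. The following Python code is an added example, not part of the original article or its contributions; the class name, method names and default thresholds are assumptions chosen for illustration.

```python
import time
from collections import defaultdict


class LoginThrottle:
    """Per-account exponential backoff plus a per-IP sliding-window limit.

    Hypothetical helper for illustration; names and defaults are assumptions.
    """

    def __init__(self, free_attempts=3, base_delay=2.0, max_delay=900.0,
                 ip_limit=20, ip_window=60.0, clock=time.monotonic):
        self.free_attempts = free_attempts  # failures tolerated with no delay
        self.base_delay = base_delay        # first lockout, in seconds
        self.max_delay = max_delay          # cap, so a victim is never locked out forever
        self.ip_limit = ip_limit            # failures allowed per IP per window
        self.ip_window = ip_window
        self.clock = clock                  # injectable for testing
        self._failures = defaultdict(int)   # account -> consecutive failures
        self._locked_until = {}             # account -> time the lock expires
        self._ip_failures = defaultdict(list)  # ip -> timestamps of failures

    def check(self, account, ip):
        """Call before verifying credentials. Returns (allowed, retry_after)."""
        now = self.clock()
        recent = [t for t in self._ip_failures[ip] if now - t < self.ip_window]
        self._ip_failures[ip] = recent
        if len(recent) >= self.ip_limit:
            # Source is hammering many accounts: throttle the IP itself.
            return False, self.ip_window - (now - recent[0])
        until = self._locked_until.get(account, 0.0)
        if now < until:
            return False, until - now
        return True, 0.0

    def record_failure(self, account, ip):
        now = self.clock()
        self._ip_failures[ip].append(now)
        self._failures[account] += 1
        over = self._failures[account] - self.free_attempts
        if over >= 0:
            # Delay doubles with each further failure: 2s, 4s, 8s, ... up to the cap.
            delay = min(self.base_delay * (2 ** over), self.max_delay)
            self._locked_until[account] = now + delay

    def record_success(self, account):
        # A valid login clears the account's failure history.
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


def demo():
    """Five rapid guesses against one account, using a fake clock."""
    now = [0.0]
    throttle = LoginThrottle(clock=lambda: now[0])
    outcome = []
    for _ in range(5):
        allowed, retry_after = throttle.check("alice", "203.0.113.7")
        if allowed:
            throttle.record_failure("alice", "203.0.113.7")  # wrong password
        outcome.append((allowed, retry_after))
        now[0] += 1.0
    return outcome


if __name__ == "__main__":
    print(demo())
```

The capped, temporary delay addresses the caution raised above about disrupting legitimate users: an attacker can slow a victim's login but cannot lock the account permanently.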

3 Analyze the attack

The third step is to analyze the attack and determine its scope, impact, and origin. You can do this by collecting and preserving evidence, such as logs, files, screenshots, and network packets. You should also use forensic tools and techniques to identify the attacker's methods, tools, and goals. You should document your findings and report any incidents to the relevant authorities or stakeholders.


    This is the job of the security analyst. You want to determine where the attacker's IP is originating from, what accounts they are attempting to log into, and if there were any successful attempts.

  • Travis R. Well Site Supervisor

    Analyze the attack to grasp its scope, impact, and origin. Gather evidence like logs, files, screenshots, and network packets. Utilize forensic tools to identify the attacker's methods, tools, and goals. Document your findings and report incidents to relevant authorities or stakeholders.

  • Giang T. Regional Information Security Officer | CISM | CRISC

    In terms of my perspective, this approach aligns with industry best practices and highlights the importance of a holistic response to cyber incidents. The emphasis on evidence collection, forensic analysis, and documentation reflects the need for a systematic and well-documented approach. Analyzing a cyber attack involves a comprehensive process that goes beyond technical investigation. It requires a strategic combination of understanding the scope, impact, and origin of the attack, coupled with thorough evidence collection, forensic analysis, and transparent communication. This approach is instrumental in not only mitigating the current incident but also in fortifying defenses against future threats.

  • Sherif Koussa CEO @ Software Secured - Investor

    Logging is an art and a science; most logs are either empty or too verbose. Getting the right level of logs at the right places is really key to analyzing the attack against the application.

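The log signals named in step 1 (excessive failed logins from one source) and the questions raised in this step (which source, which accounts were targeted, whether any attempt succeeded) can be answered in a single pass over authentication logs. The following Python code is an added example, not part of the original article or its contributions; the log format, field names and thresholds are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in an assumed application log format (not from the article).
SAMPLE_LOG = """\
2024-01-15T10:00:00Z auth result=FAIL user=alice src=203.0.113.7
2024-01-15T10:00:01Z auth result=FAIL user=alice src=203.0.113.7
2024-01-15T10:00:02Z auth result=FAIL user=bob src=203.0.113.7
2024-01-15T10:00:03Z auth result=FAIL user=alice src=203.0.113.7
2024-01-15T10:00:04Z auth result=FAIL user=root src=203.0.113.7
2024-01-15T10:00:05Z auth result=FAIL user=alice src=203.0.113.7
2024-01-15T10:00:09Z auth result=OK user=alice src=203.0.113.7
2024-01-15T10:02:00Z auth result=FAIL user=carol src=198.51.100.20
2024-01-15T10:02:10Z auth result=OK user=carol src=198.51.100.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Return time-ordered (timestamp, result, user, src) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # not an authentication event
        try:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue  # malformed timestamp: skip rather than abort the triage
        events.append((ts, m["result"], m["user"], m["src"]))
    return sorted(events)


def analyze(events, threshold=5, window=timedelta(seconds=60)):
    """Report each source with >= threshold failures inside any one window."""
    failures = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            failures[src].append((ts, user))

    reports = {}
    for src, items in failures.items():
        times = [ts for ts, _ in items]
        start = burst = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            burst = max(burst, end - start + 1)
        if burst < threshold:
            continue  # e.g. a user who mistyped a password once
        # Accounts this source logged into after it began failing: these
        # are the ones to reset and whose sessions to revoke first.
        suspect = sorted({user for ts, result, user, s in events
                          if result == "OK" and s == src and ts > times[0]})
        reports[src] = {
            "max_burst": burst,
            "failures": len(items),
            "targeted": sorted({user for _, user in items}),
            "success_after_failure": suspect,
        }
    return reports


if __name__ == "__main__":
    for src, report in analyze(parse(SAMPLE_LOG)).items():
        print(src, report)
```

A per-source threshold misses attempts spread thinly across many addresses; grouping the same failures by target account instead of by source covers that case.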

4 Eradicate the attack

The fourth step is to eradicate the attack and remove any traces or remnants of the attacker's presence. You can do this by restoring your systems or accounts to a clean state, using backups, patches, or updates. You should also scan your systems or accounts for any malware, backdoors, or vulnerabilities. You should verify that your systems or accounts are functioning normally and securely.


  • José Eduardo Moreira Bergo🇧🇷🇮🇹 Conselheiro certificado IBGC

    A brute force attack is complex, as is its eradication. However, the risk is greatly mitigated by acting to strengthen defenses preventively: applying strict password policies that cover the use of strong passwords combined with a second authentication factor, including biometrics; keeping applications up to date; using tools such as firewalls and IDP/IPS; monitoring logs; and, fundamentally, continuous user awareness.

  • Sherif Koussa CEO @ Software Secured - Investor

    Similar to networks, you should always update your 3rd party dependencies. Additionally, having working backups is key to restoring the application to its previous state as soon as possible. Remember, backups always work, restore not as much :)


5 Recover from the attack

The fifth step is to recover from the attack and resume your normal operations. You can do this by testing your systems or accounts for performance, functionality, and security. You should also communicate with your users, customers, or partners about the status and outcome of the attack. You should provide them with any information or guidance they need to protect themselves or their data.


6 Learn from the attack

The sixth step is to learn from the attack and improve your security posture and practices. You can do this by reviewing your incident response plan, policies, and procedures. You should also evaluate your security controls, tools, and measures. You should identify any gaps, weaknesses, or opportunities for improvement. You should implement any changes or recommendations that can help you prevent or mitigate future brute force attacks.


  • Sherif Koussa CEO @ Software Secured - Investor

    Post-mortems are important to understand the attack surface and how hackers were able to get in. A threat modelling exercise to understand other possible areas in the application is an extremely helpful exercise too.


  • Giang T. Regional Information Security Officer | CISM | CRISC

    This focus on continuous improvement is commendable. Cybersecurity is an ever-evolving field, and organizations that actively learn from incidents and adapt their strategies are better positioned to defend against future threats. This step underscores the importance of a cyclical approach to security, where each incident becomes an opportunity to enhance overall resilience. From my perspective, the sixth step of learning from a cyber attack emphasizes the importance of a reflective and adaptive security approach. By reviewing, evaluating, identifying opportunities, and implementing changes, organizations can turn the challenges posed by an incident into catalysts for strengthening their security posture.


7 Here’s what else to consider

This is a space to share examples, stories, or insights that don’t fit into any of the previous sections. What else would you like to add?


    If feasible, consider eliminating passwords. Though essential in the evolution of the internet, passwords are inherently flawed in accurately verifying a user's identity. It's time to shift towards more secure and innovative alternatives like passkeys and FIDO2 hardware keys. These passwordless options are more efficient and mark a significant step forward in enhancing online security.


  • Sarfaraz Muneer CISSP, CISM, CEH, CCIE UAE Top Digital Transformation Leader | Vice President Cyber Security | Top Cybersecurity Voice | Cloud Security Expert | Senior Cyber Security Architect | Public Speaker

    If I had to address the brute force attacks 5 years back, traditional strategies such as the maximum number of failed login attempts and account lockout could be effective. Considering current threats supplemented by increasing automation by cyber criminals, eliminating passwords through implementing phishing-resistant FIDO2-compliant passwordless authentication is the most effective way to eliminate brute-force attacks. As a quick win, organizations can consider implementing Windows Hello for Business (WHFB), which is available as a phishing-resistant passwordless solution in Windows 10/11, along with Microsoft Authenticator with seamless passwordless sign-in across mobile devices. MS authenticator with Passkeys is expected by Q1 2024 by MS.


  • Jeff Moore

    Responding to a brute force attack requires a proactive approach to protect your systems and data. Here are some best practices to consider:
    - Implement strong passwords
    - Account lockout policy
    - Two-factor authentication (2FA)
    - Rate limiting
    - Intrusion Detection and Prevention Systems (IDPS)
    - Network segmentation
    - Update software and patches
    - Log monitoring and analysis
    - Implement CAPTCHA
    - Incident response plan
    Remember, prevention is key. By implementing these best practices, you can significantly reduce the risk of successful brute force attacks on your systems and enhance your overall security posture.
