Whenever we talk about cyberattacks, there are three basic ways in which attackers gain initial access to a victim network:
- Phishing – email gives attackers a way to reach users inside the network; if a malicious attachment or link succeeds in infecting an endpoint, the attacker has a foothold.
- Vulnerabilities – by exploiting zero-day or known-but-unpatched vulnerabilities, attackers gain code execution or elevated privileges on exposed systems and applications, which they use as a jumping-off point into the rest of the network.
- RDP/Remote Access – attackers use compromised credentials or brute force password attacks against an exposed remote access service, using the resulting session as the conduit into the network.
Most of the focus is usually placed on the first two attack vectors above. And when we talk about the third, we usually focus on RDP itself rather than on how weak the authentication behind a remote logon session actually is.
So, in this article, I want to dig a bit deeper into what happens when an attacker finds and uses a remote access service (RDP or otherwise; from here on I'll just say remote access). I'll look at the brute force methods used to compromise a credential, how prevalent they are, why users are actually making it easy for the attacker, and what you can do about it.
Brute Force Attacks are a Problem
Anytime you see a story or an industry stat about RDP being involved in a cyberattack, keep in mind that, at the time of the attack, the attacker either had a working username and password to log on with or didn't. When the attacker is starting from scratch, as initial access brokers do, the goal is not just to get in but to derive a working credential set that will either be used in the current attack or sold on the dark web to another attacker looking for initial access. That means attackers sometimes have to use brute force password attacks to figure out which password goes with a given username.
Think of a brute force password attack as systematically trying candidate passwords until the correct one is found. In its purest form that means every possible combination of letters, numbers, and symbols; in practice, attackers start from lists of passwords people actually use, which is what makes the attack feasible against a remote logon at all.
According to the MITRE ATT&CK framework (pronounced “attack”), which catalogs the tactics, techniques, and procedures adversaries are known to use, Brute Force (technique T1110) has four sub-techniques:
- Password Guessing (T1110.001) – systematically trying passwords against the live logon service, typically iterating through a list of common passwords for each username. This is the noisy form: many failures against one account, which is exactly what account lockout policies are designed to catch.
- Password Spraying (T1110.003) – the attacker acquires a list of usernames and tries one (or a few) common passwords across all of them, staying under the lockout threshold for any single account.
- Password Cracking (T1110.002) – recovering plaintext passwords from hashes the attacker has already obtained (a dumped database, a captured NTLM hash) by hashing guesses and comparing, or by rainbow-table lookup where the hashes are unsalted. This is offline work; the target's lockout policy never sees it.
- Credential Stuffing (T1110.004) – replaying username/password pairs from breaches of unrelated sites against the target, betting on password reuse.
Which method an attacker uses depends largely on what they already have: a list of usernames, a list of likely passwords, breached credential pairs, or hashes taken from the target.
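To make the guessing/spraying distinction concrete, here is an added example (my own code, not from the original article or any vendor product) that classifies failed-logon bursts from constructed, simplified Windows Security event 4625 records. The line layout, the thresholds and the time window are assumptions chosen for the example; real 4625 events carry more fields, and the thresholds should be set against your own lockout policy.

```python
"""Classify failed-logon bursts as password guessing or password spraying.

Added example, not code from the original article. Input lines are a
constructed, simplified rendering of Windows Security event 4625 (logon
failure); the field layout and the thresholds below are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: one noisy single-account attack, one low-and-slow spray
# across six accounts, and one user who simply mistyped a password twice.
# Logon type 10 is RemoteInteractive, i.e. an RDP session.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z 4625 src=203.0.113.5 user=Administrator type=10
2024-03-01T08:00:03Z 4625 src=203.0.113.5 user=Administrator type=10
2024-03-01T08:00:05Z 4625 src=203.0.113.5 user=Administrator type=10
2024-03-01T08:00:07Z 4625 src=203.0.113.5 user=Administrator type=10
2024-03-01T08:00:09Z 4625 src=203.0.113.5 user=Administrator type=10
2024-03-01T08:00:11Z 4625 src=203.0.113.5 user=Administrator type=10
2024-03-01T08:05:00Z 4625 src=198.51.100.7 user=alice type=10
2024-03-01T08:05:30Z 4625 src=198.51.100.7 user=bob type=10
2024-03-01T08:06:00Z 4625 src=198.51.100.7 user=carol type=10
2024-03-01T08:06:30Z 4625 src=198.51.100.7 user=dave type=10
2024-03-01T08:07:00Z 4625 src=198.51.100.7 user=erin type=10
2024-03-01T08:07:30Z 4625 src=198.51.100.7 user=frank type=10
2024-03-01T09:00:00Z 4625 src=192.0.2.9 user=alice type=10
2024-03-01T09:00:20Z 4625 src=192.0.2.9 user=alice type=10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) 4625 src=(?P<src>\S+) user=(?P<user>\S+) type=(?P<type>\d+)$"
)

# Thresholds are assumptions for this example. GUESS_THRESHOLD should sit at
# or below your account lockout threshold; SPRAY_MAX_PER_USER models an
# attacker deliberately staying under it.
WINDOW_SECONDS = 600
GUESS_THRESHOLD = 5
SPRAY_USERS = 5
SPRAY_MAX_PER_USER = 2


def parse(log_text):
    """Turn log lines into (timestamp, src_ip, username, logon_type) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a 4625 in our layout
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        events.append((ts, m["src"], m["user"].lower(), int(m["type"])))
    return events


def classify(events, window=WINDOW_SECONDS):
    """Return {src_ip: "guessing" | "spraying"} for each source whose failures
    inside some sliding window of `window` seconds cross a threshold.
    Sources that never do (ordinary typos) are left out."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[1]].append(ev)

    verdicts = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start until it spans at most `window` seconds
            while (evs[end][0] - evs[start][0]).total_seconds() > window:
                start += 1
            per_user = defaultdict(int)
            for _, _, user, _ in evs[start:end + 1]:
                per_user[user] += 1
            busiest = max(per_user.values())
            if busiest >= GUESS_THRESHOLD:
                verdicts[src] = "guessing"   # many failures, one account
                break
            if len(per_user) >= SPRAY_USERS and busiest <= SPRAY_MAX_PER_USER:
                verdicts[src] = "spraying"   # few failures each, many accounts
                break
    return verdicts


def detect(log_text):
    return classify(parse(log_text))


if __name__ == "__main__":
    for src, verdict in detect(SAMPLE_LOG).items():
        print(f"{src}: {verdict}")
```

A spray paced wider than the window evades this rule, which is why real detections also correlate across sources and over longer periods rather than relying on a single fixed window; the example is meant to show the shape of the two patterns, not to be a finished detection.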
But, just how prevalent are brute force password attacks?
According to U.K. cyber insurer Hiscox, 17% of the ransomware attacks they saw as part of cyber insurance claims started with a brute force attack. That’s nearly 1 in 5. We’ve also seen brute force attacks en masse last year with 47 million attacks in Southeast Asia targeting remote workers.
So, it’s a very real problem… for a number of reasons.
There are Plenty of Password Sources
There are several sources for the passwords used in guessing, spraying, and stuffing attacks. First, any data breach that exposed usernames or email addresses together with passwords; one of the most prolific was the 2012 LinkedIn breach, whose 164 million email addresses and passwords surfaced in May 2016 (the passwords had been stored as unsalted SHA-1 hashes, which made most of them trivial to crack). Second, there are “pwned” password lists compiled from breaches that rank the most common passwords (you are not the only person who has ever used a simple, predictable password). Lastly, when the attack is focused on a particular user there is plenty of room for educated guessing. According to SpyCloud's 2023 Identity Exposure Report, over 7 million of the compromised passwords gathered from breaches involve a love or family theme (meaning, for example, if I know your spouse's name, I can begin guessing there).
Users Aren’t Helping Either
According to the same SpyCloud report, 72% of users exposed in 2022 breaches were reusing previously exposed passwords, with 61% of users in the U.S. reusing passwords. A reused password turns up an average of 13 times. Part of the reason is the number of systems, applications, and platforms today's user needs to maintain a logon for: in smaller businesses it averages 85 passwords per user; in larger businesses it's 25.
With today's computing power letting attackers test as many as 1 billion passwords per second, anything less than a strong, unique password isn't going to cut it. One caveat a practitioner should keep in mind: a rate like that applies to offline cracking of hashes the attacker already holds (fast, unsalted hashes especially). An online attack against a remote logon is limited to the rate at which the service answers, which is exactly why lockout thresholds and rate limiting matter, and why password spraying is designed to stay under them.
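To show what the “billion guesses per second” figure does and doesn't mean, here is an added example (mine, not code from the article) that runs the Password Cracking method from the MITRE list above against a constructed set of unsalted SHA-1 hashes, the scheme the LinkedIn dump used, and then against the same passwords stored with salted PBKDF2. The wordlist, the accounts and the iteration count are all constructed or assumed for the example; the hashes are computed here from made-up passwords, not taken from any breach.

```python
"""Dictionary attack against unsalted SHA-1 versus salted PBKDF2.

Added example, not code from the original article. All accounts, passwords
and the wordlist are constructed; PBKDF2_ITERATIONS is an assumption.
"""
import hashlib
import os
import time

# Constructed stand-in for a breach-derived "most common passwords" list.
WORDLIST = ["123456", "password", "qwerty", "letmein", "summer2023", "Fluffy1!"]

# Constructed victim accounts. alice and dave reuse the same password;
# carol uses a long passphrase that no common-password list will contain.
VICTIMS = {
    "alice": "summer2023",
    "bob": "Fluffy1!",
    "carol": "correct-horse-battery-staple-9x",
    "dave": "summer2023",
}

PBKDF2_ITERATIONS = 100_000  # assumption; follow current guidance for your KDF


def sha1_hex(password):
    return hashlib.sha1(password.encode()).hexdigest()


def pbkdf2_hex(password, salt, iterations=PBKDF2_ITERATIONS):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def store_sha1(accounts):
    """Unsalted SHA-1 store: identical passwords yield identical hashes."""
    return {user: sha1_hex(pw) for user, pw in accounts.items()}


def store_pbkdf2(accounts):
    """Salted, iterated store: one random salt per user."""
    store = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)
        store[user] = (salt, pbkdf2_hex(pw, salt))
    return store


def crack_sha1(store, wordlist):
    """Hash each candidate once, then look every user up in that table.
    Cost is O(wordlist + users), and a precomputed (rainbow) table would
    remove even the hashing step. This is what the missing salt buys the attacker."""
    table = {sha1_hex(w): w for w in wordlist}
    return {user: table[h] for user, h in store.items() if h in table}


def crack_pbkdf2(store, wordlist):
    """With a per-user salt nothing can be shared: every (user, candidate)
    pair costs a full PBKDF2 run, so cost is O(wordlist * users * iterations)."""
    cracked = {}
    for user, (salt, digest) in store.items():
        for w in wordlist:
            if pbkdf2_hex(w, salt) == digest:
                cracked[user] = w
                break
    return cracked


def guesses_per_second(fn, n):
    """Measure how many candidates per second `fn` lets us test on this box."""
    t0 = time.perf_counter()
    for i in range(n):
        fn("candidate%d" % i)
    return n / max(time.perf_counter() - t0, 1e-9)


def compare_rates():
    """Return (sha1_rate, pbkdf2_rate); the first is orders of magnitude higher."""
    fast = guesses_per_second(sha1_hex, 20_000)
    salt = os.urandom(16)
    slow = guesses_per_second(lambda p: pbkdf2_hex(p, salt), 10)
    return fast, slow


if __name__ == "__main__":
    print("SHA-1 cracked:", crack_sha1(store_sha1(VICTIMS), WORDLIST))
    print("PBKDF2 cracked:", crack_pbkdf2(store_pbkdf2(VICTIMS), WORDLIST))
    fast, slow = compare_rates()
    print(f"SHA-1: {fast:,.0f}/s  PBKDF2: {slow:,.0f}/s  ratio {fast / slow:,.0f}x")
```

Both stores give up the three weak passwords and keep carol's passphrase, but the salted, iterated store makes each guess thousands of times more expensive and forces the attacker to repeat the work per user. The point for remote access is that the big numbers apply to hashes the attacker already holds; an online guess against RDP costs a round trip and risks a lockout, which is why password spraying, not exhaustive search, is what actually shows up in your logon failures.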
Remote Access Gives Attackers Entrée
Let's add remote access to the discussion, since a brute force attack is only the means of obtaining a credential; the means of entry is whatever remote access method lets your hybrid workforce reach corporate resources. Some organizations are still (still!) relying on RDP exposed directly to the internet (the protocol that won't die the horrible cybersecurity death it deserves!). This is why 44% of ransomware attacks start with an RDP attack. And even if you aren't using RDP, 16% of data breaches began with the compromise of RDP or another remote access application.
What this means is that any method of remote access is an attack vector for cybercriminals. And since 50% of organizations don't rate themselves as highly effective at mitigating remote access risks, you need to ensure that authentication of remote users goes beyond a password.
Remote Access Beyond the Password
Sure, we're not yet at a point where everyone can go completely passwordless, but we most definitely can add multi-factor authentication (MFA) to remote access. Even with the most insecure RDP deployment possible, an externally reachable port forwarded straight to a Windows workstation with RDP enabled, you can still require MFA for every logon; RDP has no MFA of its own, so it comes from a third-party credential provider on the host or from fronting RDP with a gateway that enforces it. If you're using something more mature than bare RDP for remote access, it's a safe bet the solution supports MFA.
I've spent this article educating those of you who read all the way through on the problem of brute force attacks so you can see clearly how it impacts your remote access. The punchline is far more succinct: want to stop brute force attacks across remote access? Implement MFA. It's just that simple, with one practical footnote: MFA stops a guessed password from turning into a session, but it doesn't stop the guessing, so keep your lockout thresholds, rate limiting, and failed-logon monitoring in place as well.