Imunify360 Blog

Proactive Security and Brute-Force Attacks on Applications

Written by Maria Medvedeva | Jul 14, 2021 1:32:00 PM

Reactive security alone is no longer enough to stop attackers, and it leaves your organization exposed to data exfiltration that can persist for months. It takes an attacker only minutes to compromise a system and start exfiltrating data; afterward, your organization is left to perform the clean-up.

If you don’t proactively catch threat actors, they can remain undetected on your network for months, exfiltrating data silently until you finally contain the threat. An advanced persistent threat (APT) can keep a foothold on your network even after you think it has been contained. Any compromise causes monetary loss, potential brand damage, and future legal exposure. Better than cleaning up after a compromise is to build a stronger defense: proactive security that catches, blocks, and contains threats before they damage your systems. The Imunify360 team wrote this article based on "Proact, not overreact", a talk by Igor Seletskiy, CEO of CloudLinux Inc. Read on to learn more about proactive cyber security, and watch Igor's talk at the end.

What Makes Applications Vulnerable to Brute Force?

The primary reason applications are vulnerable to brute-force attacks is weak passwords. The number of guesses a program needs to find a password depends on the password’s length and the size of its character set. To illustrate, take a simple character set: the English alphabet has 26 letters. Suppose a user creates an 8-character password using only lowercase letters, with no digits and no special characters. The number of possible passwords is then:

26^8 = 208,827,064,576

You might think that over 208 billion candidates would take a long time to try, but a computer can iterate through them surprisingly quickly. The exact time depends on computing power, but a powerful machine can test more than one billion candidates per second:

208,827,064,576 guesses ÷ 1,000,000,000 guesses per second ≈ 208.8 seconds

So a powerful system needs just over 208 seconds, about 3.5 minutes, to exhaust every possible password in this example.
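The arithmetic above, generalized to other character sets and lengths, as an added example that is not code from the original post. The one-billion-guesses-per-second rate is the post's own figure and stands in for an assumed attacker with capable hardware; the character-set sizes and the policies compared in `report()` are chosen for illustration. It also shows two things the post does not: the expected time (the right guess turns up halfway through the keyspace on average) and the inverse question of how long a password must be to survive a given search budget.

```python
"""Added example, not code from the original post: keyspace size and time to
exhaust it, generalized from the 8-lowercase-letter case. The 1e9 guesses per
second rate is the post's figure and is an assumption about the attacker."""

# Character-set sizes. LOWER/UPPER/DIGITS are exact; SYMBOLS counts the
# printable ASCII punctuation characters, excluding space.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 32
GUESSES_PER_SECOND = 1_000_000_000
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(charset_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def crack_seconds(charset_size, length, rate=GUESSES_PER_SECOND):
    """(worst case, expected) seconds to find the password by exhaustive
    search. On average the right guess appears halfway through the keyspace."""
    n = keyspace(charset_size, length)
    return n / rate, n / (2 * rate)


def length_needed(charset_size, target_years, rate=GUESSES_PER_SECOND):
    """Smallest length whose full keyspace takes at least `target_years`
    to exhaust at `rate` guesses per second (exact integer arithmetic)."""
    target_guesses = target_years * SECONDS_PER_YEAR * rate
    n, length = 1, 0
    while n < target_guesses:
        n *= charset_size
        length += 1
    return length


def report():
    """Compare a few password policies at the post's rate; returns rows of
    (label, keyspace, worst-case seconds)."""
    policies = [
        ("8 lowercase letters", LOWER, 8),
        ("8 chars, all 94 printable ASCII", LOWER + UPPER + DIGITS + SYMBOLS, 8),
        ("12 lowercase letters", LOWER, 12),
        ("16 lowercase letters", LOWER, 16),
    ]
    rows = []
    for label, size, length in policies:
        worst, _ = crack_seconds(size, length)
        rows.append((label, keyspace(size, length), worst))
    return rows


if __name__ == "__main__":
    for label, n, worst in report():
        years = worst / SECONDS_PER_YEAR
        print(f"{label:34s} {n:>28,d} candidates {years:>14.6g} years")
    print("Lowercase-only length to survive one year:", length_needed(LOWER, 1))
```

Running it shows why length matters more than symbol variety: 8 characters drawn from all 94 printable ASCII characters fall in about 70 days at this rate, while 12 lowercase letters take roughly three years and 16 lowercase letters over a million. Note that the rate is the knob an attacker controls, so the defender's job is to make sure they never get to make that many attempts in the first place.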

 

Other factors help password-guessing programs. Dictionary words and personal information are heavily used in password cracking. Users often build passwords from personal details such as the names of pets or children, with birthdays supplying the digits. With enough reconnaissance or phishing, an attacker can learn that personal information and guess the password from it. Threat actors also compile lists of common words and passwords for dictionary attacks, which further improves their odds.

Weak passwords that don’t follow complexity and length rules, and those built from common dictionary terms, are what make brute-force attacks effective. Without the right security in place, threat actors can spend as long as they need guessing passwords. It might take days or weeks, but brute-force programs run unattended and continuously when nothing stops them. With proactive defenses, you can stop them within seconds.

Once an attacker has a working username and password, they can try the same combination against hundreds of other domains. Users often reuse credentials across several websites, including e-commerce sites, WordPress dashboards, and financial accounts, so one successful brute-force campaign can hand the attacker access to several accounts.

 

Why IP Bans Don’t Work

In older systems, an administrator or intrusion detection system would simply block the offending IP address, permanently or for a set period. In some cases this discouraged threat actors, but in others the attacker simply switched to another IP address. Cheap access to cloud servers now lets attackers rotate through thousands of IP addresses in automated brute-force campaigns.

IP bans have more problems than attackers bypassing them. When legitimate users reach an application from behind a router on an internal network, the application sees only the router’s public IP address. That one address can represent hundreds of users on a corporate network, so banning it bans every user behind the router. Blocking all of those users is rarely intended, and it creates customer-service overhead as they call to find out why they can’t access the application.

A common real-world case is a user behind a network address translation (NAT) router who has forgotten their password and keeps retrying. Most applications cap the number of failed attempts before a defense system blocks the source IP. That one user reaches the retry threshold, the shared IP is blocked, and hundreds of colleagues behind the same router are locked out with them.

Better Defenses Using Application Aware Cybersecurity

Instead of banning on IP address alone, a better method is to block on the combination of username and IP address. This limits an attacker’s ability to guess the password of any single user, and if a legitimate user trips the detection system by mistake, application-aware cybersecurity can still distinguish a real person from an automated script running a brute-force attack.

Automated scripts usually work from multiple IP addresses and leave footprints as they iterate through a list of candidate passwords. Humans leave footprints of their own when they mistype a password: a real user enters passwords at irregular intervals, while a scripted brute-force program is far more systematic in how it sends login requests to the application servers. A good application-aware security system recognizes these distinguishing characteristics and blocks the attacker without blocking the legitimate user.

Against a real attack, a simple IP block usually gives the game away: the connection is refused or the response changes, which tells the threat actor the IP was banned and prompts them to switch to a new one. A better method is a block that does not announce itself: the attacker’s IP address appears to still work, and the application simply keeps answering that the password is invalid. Attackers can sit behind thousands of IP addresses, so letting them believe an IP still works slows their automated campaigns down considerably.

With this kind of silent block, an attacker may continue the attack indefinitely without ever switching IP address. CAPTCHAs are another way to slow attackers down, but attackers have sophisticated ways of bypassing them, so a CAPTCHA should never be the only brute-force defense.
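The two ideas from this section, counting failures per (username, IP) pair and blocking without telling the attacker, as an added example in Python. This is illustrative code written for this article, not Imunify360's implementation; the thresholds, the user store, the IP addresses and the `pair_key`/`ip_key` helpers are all constructed for the demo. The same guard is run with an IP-only key so the NAT collateral damage described above can be seen side by side.

```python
"""Added example, not Imunify360's code: a login guard that counts failures per
(username, source IP) pair and, once a pair trips the threshold, keeps answering
"invalid credentials" instead of announcing a ban. Thresholds, user store and
IP addresses are constructed for the demo."""
from collections import defaultdict

MAX_FAILURES = 5             # failures allowed per key inside the window
WINDOW_SECONDS = 600         # sliding window in which failures are counted
SILENT_BLOCK_SECONDS = 900   # how long a tripped key stays silently blocked

# Constructed user store. Plaintext only to keep the demo short; a real
# system compares against salted password hashes.
USERS = {"alice": "correct horse battery staple", "bob": "tr0ub4dor&3"}


class FakeClock:
    """Deterministic clock so the sliding window can be exercised offline."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def pair_key(username, ip):
    """Application-aware choice: the counter belongs to (username, ip)."""
    return (username, ip)


def ip_key(username, ip):
    """Classic IP ban, kept only to show the NAT collateral damage."""
    return ip


class LoginGuard:
    def __init__(self, clock, key_fn):
        self.clock = clock
        self.key_fn = key_fn
        self.failures = defaultdict(list)  # key -> timestamps of recent failures
        self.silenced = {}                 # key -> time the silent block expires

    def is_silenced(self, username, ip):
        expiry = self.silenced.get(self.key_fn(username, ip))
        return expiry is not None and self.clock() < expiry

    def attempt(self, username, ip, password):
        now = self.clock()
        key = self.key_fn(username, ip)
        # A silenced key gets exactly the answer a wrong password gets, even
        # when the guess is right, so the attacker sees no reason to rotate IPs.
        if self.is_silenced(username, ip):
            return "invalid credentials"
        if USERS.get(username) == password:
            self.failures.pop(key, None)
            return "ok"
        # Forget failures outside the window, record this one, trip if needed.
        recent = [t for t in self.failures[key] if t > now - WINDOW_SECONDS]
        recent.append(now)
        self.failures[key] = recent
        if len(recent) >= MAX_FAILURES:
            self.silenced[key] = now + SILENT_BLOCK_SECONDS
        return "invalid credentials"


def simulate(key_fn):
    """Replay one constructed scenario and return what each party observed.
    NAT_IP is a corporate gateway shared by alice and bob; ATTACKER_IP is a
    single host guessing alice's password."""
    NAT_IP, ATTACKER_IP, HOME_IP = "198.51.100.4", "203.0.113.7", "192.0.2.10"
    clock = FakeClock()
    guard = LoginGuard(clock, key_fn)
    seen = {"attacker_responses": set()}
    # 1. The attacker runs a short wordlist against alice from one IP.
    for guess in ["password", "letmein", "alice123", "qwerty", "welcome1"]:
        seen["attacker_responses"].add(guard.attempt("alice", ATTACKER_IP, guess))
        clock.advance(0.2)
    # 2. The next guess happens to be right, but the pair is silenced now.
    seen["attacker_right_password"] = guard.attempt("alice", ATTACKER_IP, USERS["alice"])
    # 3. Behind the NAT, bob has forgotten his password and keeps retrying.
    for _ in range(MAX_FAILURES):
        guard.attempt("bob", NAT_IP, "wrong-password")
        clock.advance(3)
    # 4. Alice, behind the same NAT, logs in with the right password.
    seen["alice_behind_nat"] = guard.attempt("alice", NAT_IP, USERS["alice"])
    # 5. Alice from home, where nothing has happened.
    seen["alice_from_home"] = guard.attempt("alice", HOME_IP, USERS["alice"])
    # 6. Once the silent block lapses, the pair is live again.
    clock.advance(SILENT_BLOCK_SECONDS + 1)
    seen["alice_after_block_expires"] = guard.attempt("alice", ATTACKER_IP, USERS["alice"])
    return seen


if __name__ == "__main__":
    for name, key_fn in [("username+ip", pair_key), ("ip only", ip_key)]:
        print(name, simulate(key_fn))
```

With `pair_key`, bob's five mistakes behind the NAT silence only the (bob, NAT) pair, so alice logs in normally from the same gateway; with `ip_key` she is locked out along with everyone else behind it. In both modes the attacker never sees anything but "invalid credentials", including on the guess that was actually correct. Two caveats a real deployment has to handle: the response for a silenced pair must match the normal failure in status code, body and latency, or the difference itself becomes the ban notice; and because the silent block is scoped to the pair, the genuine account owner at that IP is also refused for the window, which is why products such as Imunify360 combine this with the behavioral signals and CAPTCHA challenges discussed above rather than relying on counters alone.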

WordPress and Application Security

Automated attacks against WordPress websites are common. Plugins and the main dashboard are managed with administrator credentials, and those credentials are what attackers want. Few WordPress administrators run software that detects brute-force and other application-level attacks. PHP vulnerabilities, server misconfigurations, and malware also threaten a WordPress site, and it takes more than a web application firewall (WAF) to stop them.

A WAF blocks many common application-level attacks, including SQL injection, injected script such as cross-site scripting (XSS), and cross-site request forgery (CSRF). These firewalls work by collecting data on current threats and blocking known attack patterns, which means zero-day threats are often missed. When attackers find a new technique never before seen in the wild, a signature-based WAF leaves the WordPress site defenseless.

Once attackers have compromised a site, they commonly establish persistence with backdoors and malware. Even when you think the threat is gone, a sophisticated attacker will have left backdoors in place, so your site remains open to data exfiltration as malware runs undetected on the system.

Because WordPress is a favorite target, it must be closely monitored and protected against brute-force and malware threats. It is critical for site administrators to detect and block them proactively.

 

Imunify360 Protects Against Threats at Every Level

Whether it’s PHP vulnerabilities, poorly coded plugins, malware, or brute-force attacks, Imunify360 provides enterprise protection at every level. It scans your system for malware, blocks ongoing brute-force attacks, and cleans injected code out of your files. With Imunify360, you can proactively protect your applications from sophisticated attacks that would otherwise silently compromise your system, inject malicious code, and potentially exfiltrate data for months.

 

Igor Seletskiy, CEO of CloudLinux Inc., gave a talk on multi-layered security protection and the proactive approach of Imunify360 at CloudTalk Online 2021 in May 2021. The talk covers the many ways hackers exploit vulnerabilities to take over servers and the multi-layered approach administrators can take using Imunify360.

 

Imunify360 is fully automated and works on WordPress sites to detect malicious requests, code injection, and malware, so you don’t need to stop attacks manually. When it detects brute-force password attacks, it blocks the attackers without alerting them that they have been blocked. It cleans databases and code so that you can focus on your business rather than on cybersecurity. Learn more about Proactive vs. Reactive Security: 5 Tips for Proactive Cyber Security.
