In the digital landscape, brute force attacks remain a persistent threat. These attacks involve systematically guessing passwords until the correct one is found. They exploit weak or easily guessable credentials and can lead to unauthorized access to sensitive systems. In this blog, we will explore how enterprises can address different types of access to remove the ability to be brute forced. We will also discuss how to spot and stop these attacks, including specific steps to disable PowerShell commands that could be exploited by attackers.

Types of Access Vulnerable to Brute Force Attacks

1. Remote Desktop Protocol (RDP) Access: RDP allows remote access to Windows computers and is a common target for brute force attacks.
2. SSH Access: Secure Shell (SSH) is used for secure access to remote systems and can be vulnerable if not properly secured.
3. Web-Based Login Pages: Login pages for web applications are often targeted for brute force attacks.
4. Network Devices: Routers, firewalls, and other network devices with web interfaces can also be susceptible.

How to Spot Brute Force Attacks

1. Unusual Login Activity: Multiple failed login attempts from the same IP address or range.
2. Increased Network Traffic: A spike in traffic, particularly on ports associated with RDP (3389) or SSH (22).
3. Account Lockouts: Frequent account lockouts due to failed login attempts.
4. Event Logs: Monitoring event logs for multiple failed login attempts can help in identifying brute force attacks.

How to Stop Brute Force Attacks

Strengthen Authentication Mechanisms

1. Use Strong Passwords: Enforce the use of complex passwords that are difficult to guess.
2. Enable Multi-Factor Authentication (MFA): Adding an extra layer of security makes it harder for attackers to gain access even if they guess the password.
3. Limit Login Attempts: Configure systems to lock accounts after a specified number of failed login attempts.

Secure Remote Access

1. Change Default Ports: Change the default ports for RDP and SSH to non-standard ports to reduce the chances of automated attacks.
2. Use VPNs: Implement Virtual Private Networks (VPNs) to secure remote access and ensure that only authenticated users can connect.
3. Implement IP Whitelisting: Restrict access to known IP addresses to reduce the risk of unauthorized access.

Monitor and Respond

1. Set Up Intrusion Detection Systems (IDS): Use IDS to detect and respond to suspicious activities in real-time.
2. Regularly Review Logs: Continuously monitor and review logs for signs of brute force attempts.
3. Automate Responses: Use automated tools to block IP addresses after detecting multiple failed login attempts.

Disabling Malicious PowerShell Commands

Attackers often use PowerShell scripts to establish persistence and communicate with command and control (C2) servers. Here’s how you can disable PowerShell commands that could be exploited:

1. Identify Malicious PowerShell Activity:
• Look for unusual PowerShell command executions in the Event Viewer.
• Use tools like Sysmon to log and monitor PowerShell activity.
2. Remove Malicious PowerShell Commands:
• Open PowerShell as an administrator.

Execute the following command to find and remove scripts or commands that make your computer call out to attackers:
powershell
Copy code
Get-Command -Module PowerShellGet | Remove-Module PowerShellGet

Disable PowerShell remoting if not needed:
powershell
Copy code
Disable-PSRemoting -Force

Set execution policy to restrict running unsigned scripts:
powershell
Copy code
Set-ExecutionPolicy AllSigned

Example: The City of Atlanta Attack

In 2018, the City of Atlanta suffered a ransomware attack where attackers gained access through brute-forcing an open RDP port. The attackers then deployed ransomware that encrypted a significant portion of the city's data and disrupted numerous services. The attack cost the city over $17 million in recovery efforts. This incident highlights the importance of securing RDP access, using strong passwords, and implementing MFA to prevent such breaches .

Conclusion

Brute force attacks can be devastating, but with proactive measures, they can be effectively mitigated. Strengthening authentication mechanisms, securing remote access, and monitoring for suspicious activity are key strategies in preventing these attacks. By taking these proactive steps, your enterprise can significantly reduce the risk of unauthorized access and ensure the security of its systems and data.

If you found this informative and want to learn more, visit AMEOT and check out the rest of the "Proactive 101" series.

If your organization could benefit from developing an effective breach and ransomware strategy, book a 30-minute call with one of our security professionals.

Thank you for your time and attention. Implementing proactive security measures can save your organization from significant financial losses and operational disruptions. Let’s work together to secure your future.

References

1. City of Atlanta Ransomware Attack
2. How to Detect and Prevent Brute Force Attacks
3. Disabling PowerShell Commands