The analysis forms part of the Application Protection Report 2019, which explores the fact that most applications are attacked at the access tier, circumventing legitimate processes of authentication and authorisation. Brute force attacks are typically defined as either ten or more successive failed login attempts in less than a minute, or 100 or more failed attempts in a 24-hour period.
EMEA hit hardest
In 2018, the F5 Security Incident Response Team (SIRT) reported that brute force attacks against F5 customers constituted 18% of all attacks and 19% of addressed incidents.
Of all SIRT-logged attacks taking place in EMEA last year, 43.5% were brute force. Canada was a close second (41.7% of recorded attacks), followed by the USA (33.3%) and APAC (9.5%). The public services sector was most affected, with 50% of all incidents taking the form of brute force attacks, followed by financial services (47.8%) and the healthcare industry (41.7%). Education (27.3%) and service providers (25%) were also in the firing line.
“Depending on how robust your monitoring capabilities are, brute force attacks can appear innocuous, like a legitimate login with correct username and password,” said Ray Pompon, Principal Threat Research Evangelist, F5 Networks. “Attacks of this nature can be hard to spot because, as far as the system is concerned, the attacker appears to be the rightful user.”
Any application that requires authentication is a potential venue for a brute force attack, but F5 Labs mostly recorded attacks focusing on:
Overall, email is the most targeted service when it comes to brute force attacks. For organisations that do not rely heavily on ecommerce, the most valuable assets are often stored far from the perimeter, behind multiple layers of controls. In this case, email is often a powerful staging ground to steal data and gain access to the tools needed to wreak widespread havoc.
Breach data also pegged email as a primary target; it was involved in the top two subcategories of access breaches, representing 39% of access breaches and 34.6% of all breach causes. Email is directly attributed as a factor in over a third of all breach reports.
Staying safe
According to the Application Protection Report 2019, safeguarding against access tier attacks is still a major challenge for many organisations. Multi-factor authentication can be hard to implement and is not always feasible in the required timeframe. Worryingly, while passwords are typically inadequate forms of protection, F5’s Application Protection Report 2018 found that 75% of organisations still use simple username/password credentials for critical web applications.
“While access attack tactics will certainly change as defensive technologies become more advanced, the core principles to stay safe will remain significant for the foreseeable future,” said Pompon.
“To start, make sure your system can at least detect brute force attacks. One of the main challenges is that confidentiality and integrity can sometimes find themselves at odds with availability. It is important to establish reset mechanisms that work for both the organisation and its users. It is not enough to set up some firewall alarms on brute force attempts and take a nap. You have to test monitoring and response controls, run incident response scenario tests, and develop incident response playbooks so that you can react quickly and reliably.”
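The two thresholds in the definition at the top of this article (ten or more successive failed logins in under a minute, or 100 or more failed logins in 24 hours) can be checked directly against an authentication log. The Python below is an added example, not code from F5 or the report; grouping failures per account, the event tuple layout and the rule names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

BURST_COUNT, BURST_WINDOW = 10, 60          # 10+ successive failures in under a minute
DAILY_COUNT, DAILY_WINDOW = 100, 24 * 3600  # 100+ failures in a 24-hour period


def detect_brute_force(events):
    """events: iterable of (unix_ts, key, success), sorted by time.

    `key` is what failures are grouped by (per account here, an assumption).
    Returns {key: set of rule names that fired}.
    """
    streak = defaultdict(deque)  # timestamps of the current unbroken run of failures
    daily = defaultdict(deque)   # timestamps of failures in the trailing 24 hours
    alerts = defaultdict(set)
    for ts, key, success in events:
        if success:
            # A success ends the run of successive failures. After an alert it
            # deserves review: to the system it looks like the rightful user.
            if key in alerts:
                alerts[key].add("success_after_alert")
            streak[key].clear()
            continue
        run = streak[key]
        run.append(ts)
        if len(run) > BURST_COUNT:
            run.popleft()  # keep only the last 10 failures of the run
        if len(run) == BURST_COUNT and ts - run[0] < BURST_WINDOW:
            alerts[key].add("burst")
        day = daily[key]
        day.append(ts)
        while ts - day[0] >= DAILY_WINDOW:
            day.popleft()  # drop failures older than 24 hours
        if len(day) >= DAILY_COUNT:
            alerts[key].add("daily")
    return dict(alerts)


def sample_events():
    """Constructed sample data, not taken from any real log."""
    ev = [(1000 + 5 * i, "alice", False) for i in range(10)]    # 10 failures in 45 s
    ev.append((1050, "alice", True))                             # followed by a success
    ev += [(2000 + 800 * i, "bob", False) for i in range(100)]  # slow: 100 in 22 h
    ev += [(3000 + 30 * i, "carol", False) for i in range(4)]   # a few mistyped passwords
    ev.append((3200, "carol", True))
    return sorted(ev)


if __name__ == "__main__":
    print(detect_brute_force(sample_events()))
```

The slow pattern on the second account never trips the one-minute rule, which is why the 24-hour count is tracked separately.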