EMEA is a global hotspot for brute force access attacks, according to research from F5 Labs.
The analysis forms part of the Application Protection Report 2019, which explores the fact that most applications are attacked at the access tier, circumventing legitimate processes of authentication and authorisation. Brute force attacks are typically defined as either 10 or more successive failed attempts to log in in less than a minute, or 100 or more failed attempts in a 24-hour period.
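The two thresholds in that definition can be written as a detector over authentication events. This is an added example, not code from F5 Labs or the report; the event tuple layout, the per-account keying and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds as stated in the article's definition of a brute force attack.
BURST_COUNT, BURST_WINDOW = 10, timedelta(minutes=1)
DAILY_COUNT, DAILY_WINDOW = 100, timedelta(hours=24)


def detect_brute_force(events):
    """events: (timestamp, account, success) tuples in any order.

    Returns {account: set of rule names that fired}. Keying on the target
    account is an assumption; keying on source address works the same way.
    """
    streak = defaultdict(lambda: deque(maxlen=BURST_COUNT))  # latest successive failures
    daily = defaultdict(deque)                               # failures in trailing 24 h
    alerts = defaultdict(set)
    for ts, account, success in sorted(events):
        if success:
            streak[account].clear()   # a good login ends the run of successive failures
            continue
        run, day = streak[account], daily[account]
        run.append(ts)
        day.append(ts)
        if len(run) == BURST_COUNT and ts - run[0] < BURST_WINDOW:
            alerts[account].add("burst")
        while ts - day[0] >= DAILY_WINDOW:
            day.popleft()
        if len(day) >= DAILY_COUNT:
            alerts[account].add("daily")
    return dict(alerts)


def sample_events():
    """Constructed authentication events, not real log data."""
    t0 = datetime(2019, 1, 1, 9, 0, 0)
    sec = lambda n: t0 + timedelta(seconds=n)
    ev = [(sec(3 * i), "alice", False) for i in range(10)]        # 10 fails in 27 s
    ev += [(sec(600 * i), "bob", False) for i in range(100)]      # 100 fails in 16.5 h
    ev += [(sec(7 * i), "dave", False) for i in range(10)]        # 10 fails in 63 s
    ev += [(sec(2 * i), "carol", False) for i in range(9)]        # 9 fails ...
    ev += [(sec(20), "carol", True)]                              # ... then a success
    ev += [(sec(22 + 2 * i), "carol", False) for i in range(9)]   # ... then 9 more
    return ev


if __name__ == "__main__":
    for account, rules in sorted(detect_brute_force(sample_events()).items()):
        print(account, sorted(rules))
```

Attempts paced just outside either window, like the constructed "dave" and "carol" accounts, fire neither rule, so these thresholds are a floor for detection rather than complete coverage.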
EMEA hit hardest
In 2018, the F5 Security Incident Response Team (SIRT) reported that brute force attacks against F5 customers¹ constituted 18% of all attacks and 19% of addressed incidents.
Of all SIRT-logged attacks taking place in EMEA last year, 43.5% were brute force. Canada was a close second (41.7% of recorded attacks), followed by the USA (33.3%) and APAC (9.5%). The public services sector was most affected, with 50% of all incidents taking the form of brute force attacks, followed by financial services (47.8%) and the healthcare industry (41.7%). Education (27.3%) and service providers (25%) were also in the firing line.
“Depending on how robust your monitoring capabilities are, brute force attacks can appear innocuous, like a legitimate login with correct username and password,” said Ray Pompon, principal threat research evangelist, F5 Networks. “Attacks of this nature can be hard to spot because, as far as the system is concerned, the attacker appears to be the rightful user.”
Any application that requires authentication is a potential venue for a brute force attack, but F5 Labs mostly recorded attacks focusing on:
- HTTP form-based authentication brute force (29% of logged attacks globally). Attacks against web authentication forms in the browser. Most of the traditional logins on the web take this form.
- Outlook Web Access (17.5%), Office 365 (12%) and ADFS (17.5%) brute force. Attacks against authentication protocols for Exchange servers, Microsoft Active Directory and Federated Services. Since these services are not accessed through a browser, users authenticate to them through separate prompts. Due to the single sign-on capabilities of AD and federation, successful access attacks of these protocols encompass mail, as well as entire intranets and significant amounts of sensitive information.
- SSH/SFTP brute force (18%). SSH and SFTP access attacks are among the most prevalent, partly because successful SSH authentication is often a quick path to administrator privileges. Brute forcing SSH is hugely attractive to cyber criminals as many systems still rely on default credentials for ease of use.
- S-FTP brute force (6%). S-FTP brute force is dangerous as it is a method to drop malware, which presents a wide range of disruptive options, including escalation of privilege, keylogging or other forms of surveillance and network traversal.
Overall, email is the most targeted service when it comes to brute force attacks. For organisations that do not rely heavily on e-commerce, the most valuable assets are often stored far from the perimeter, behind multiple layers of controls. In this case, email is often a powerful staging ground to steal data and gain access to the tools needed to wreak widespread havoc.
Breach data also pegged email as a primary target; it was involved in the top two subcategories of access breaches, representing 39% of access breaches and 34.6% of all breach causes. Email is directly attributed as a factor in over a third of all breach reports.
According to the Application Protection Report 2019, safeguarding against access tier attacks is still a major challenge for many organisations. Multi-factor authentication can be hard to implement and not always feasible in the required timeframe. Worryingly, while passwords are typically inadequate forms of protection, F5’s Application Protection Report 2018 found that 75% of organisations still use simple username/password credentials for critical web applications.
“While access attack tactics will certainly change as defensive technologies become more advanced, the core principles to stay safe will remain significant for the foreseeable future,” said Pompon.
“To start, make sure your system can at least detect brute force attacks. One of the main challenges is that confidentiality and integrity can sometimes find themselves at odds with availability. It is important to establish reset mechanisms that work for both the organisation and its users. It is not enough to set up some firewall alarms on brute force attempts and take a nap. You have to test monitoring and response controls, run incident response scenario tests, and develop incident response playbooks so that you can react quickly and reliably.”
¹ SIRT data points represent current F5 customers calling for SIRT response help. Given the size and scope of F5’s installed base, they are indicative of general brute force attack trends.