A brute-force attack is simply a continuous attempt to discover your password by trying every candidate the attacker can generate. A human can do this too, by brainstorming likely possibilities such as a birthday, a girlfriend's name, a memorable location, or even a combination of birthday and full name. The problem is that our brain cannot come up with a million guesses and type each one into the login form, unless you are a so-called time billionaire. A tool can generate the guesses and fill them into the login form automatically, and whenever it receives a response such as "Successful login" it stops the guessing process.
This article is not going to show you how to perform a brute-force attack; you can find many sample scripts and tools on the Internet.
Attackers often choose the brute-force technique because it exploits the lack of security awareness of humans. People tend to pick a simple password (sometimes I did too, in order to get into a system quickly) that can be easily guessed. A few common ones include "12345678", "pass@word1" and "iloveyou". They even keep the default password, which we see almost every time a new router is set up; they do not bother to change it to a different password.
While setting a simple password is bad behaviour on the user's part, it can result in a huge security incident that damages your business. Imagine your salesman's password is compromised by a bad guy: he can download all the financial and sales reports and sell them to competitors. Or a simple password set by an administrator can allow an attacker to brute-force an RDP login to a virtual machine. Recently a colleague of mine used a simple password on an Amazon AWS virtual machine accessed via SSH. The attacker managed to grab the password after a brute-force attempt; as a result, he successfully logged into the virtual machine and uploaded a bash shell for further exploitation.
Normally when managing a virtual machine, an administrator uses Remote Desktop Protocol (for Windows) or SSH (for Linux) to connect remotely. The problem we have seen with these protocols is that attackers can use brute-force techniques to try to guess the password. As mentioned in my principle of security awareness, if a password does not meet a complexity level, it can be easily guessed. And you have heard of the millions of pwned passwords, haven't you? To establish a remote connection that is more secure than a direct remote desktop connection, you should consider removing the public IP address (if you do not need it) and then using one of the following:
- Point-to-site VPN
- Site-to-site VPN
Point-to-site VPN and Site-to-site VPN are Azure VPN Gateway options, typically used for hybrid deployments. A Point-to-site VPN requires a client certificate before you can connect to your private virtual network, so it adds a second authentication factor at the network layer.
The illustration above shows the Point-to-site VPN setup used to secure remote access from the administrator's PC to a system hosted on Microsoft Azure. After the administrator has connected through the VPN and keyed in his password, he can use RDP to connect to the virtual machines. Authenticating twice does strengthen your security.
There can also be a jump server, which adds an extra hop before you have access to the virtual machines in the virtual network. The administrator must first connect to the jump server, and from there connect to the virtual machines with RDP.
In many cases, people are unaware that this jump server must also be secured. They consider it just a jump server and do not harden it, so it is easily compromised. Make sure the jump server is always included in your hardening plan.
Azure VM Just In Time
Normally administrators open port 3389 (Remote Desktop) on Windows or port 22 (SSH) on Linux to connect remotely to the bastion host (which is in turn used to reach the private virtual network). If attackers know the VM's public IP address, they can try to guess the password with the brute-force technique. You cannot simply block port 3389, because it is the port the remote desktop protocol itself needs. How can we deal with this?
Azure provides a feature named Just in Time (JIT) VM access which lets you control inbound traffic for a specific period. JIT lets you specify which ports may be opened and the time range during which inbound traffic is permitted; outside of an approved request the ports stay closed.
Whether a request to open a predefined port is granted depends on the role-based access control permissions the requestor has. For configuration, read this article: https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time
Implementing a DMZ is another approach to securing your virtual machine. If you do not expose your virtual machine to the Internet, attackers cannot brute-force its RDP service directly; they first have to compromise something in the externally reachable network and pivot from there. This is what defense in depth calls discouraging the attacker.
You should combine this with an Azure Network Security Group rule that does not allow inbound traffic on port 3389 from the Internet.
Brute-force attacks target simple passwords. Hence, if password complexity is enforced we can be more confident. We can enable password complexity and force people to use it. The article provided by Microsoft here shows the password complexity requirements for accounts stored in Azure Active Directory.
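As an added example (not code from this article or from Microsoft), the following Python checker models the kind of rule set the linked article describes. It assumes a cloud-only Azure AD style policy of 8 to 256 characters with at least three of the four character classes (lowercase, uppercase, digit, symbol), treats any non-alphanumeric character as a symbol, and rejects passwords that contain a well-known word. The banned list is a constructed sample, not Microsoft's list, and the substring match is a crude stand-in for the fuzzy matching a real banned-password list performs.

```python
# Added example: simplified password-policy check modelled on the Azure AD
# cloud-only rules. Assumptions: 8-256 characters, at least three of four
# character classes, and no banned word anywhere in the password.
MIN_LENGTH = 8
MAX_LENGTH = 256
MIN_CLASSES = 3

# Constructed sample of commonly used passwords; a real deployment would load
# a full banned-password list instead of this short set.
BANNED_WORDS = {"12345678", "pass@word1", "iloveyou", "password", "qwerty", "letmein"}


def character_classes(password):
    """Count how many of the four classes (lower, upper, digit, symbol) appear."""
    checks = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),  # everything else counts as a symbol
    )
    return sum(checks)


def banned_match(password):
    """True if the password is, or contains, a banned word (case-insensitive).
    This catches 'Password2020!' as well as a bare 'password'."""
    lowered = password.lower()
    return any(word in lowered for word in BANNED_WORDS)


def check_password(password):
    """Return a list of violation codes; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if len(password) > MAX_LENGTH:
        problems.append("too_long")
    if character_classes(password) < MIN_CLASSES:
        problems.append("too_few_classes")
    if banned_match(password):
        problems.append("banned")
    return problems


if __name__ == "__main__":
    # "pass@word1" satisfies the complexity rule (three classes, ten characters)
    # but is still rejected because it is on the banned list.
    for candidate in ("12345678", "pass@word1", "Password2020!", "Tr0ub4dor&3"):
        result = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(result)}")
```

The point the run makes is that "pass@word1" passes the complexity rule and fails only the banned-word check: complexity alone does not stop a dictionary of popular passwords, so both controls belong together.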
Azure Active Directory Lockout Policy
A lockout policy is considered one of the accepted practices to mitigate brute-force attacks. Unfortunately, right now the default number of attempts is 10 and you cannot modify it.
From this source we know that after 10 unsuccessful sign-in attempts (wrong password), the user is locked out for one minute. Further incorrect sign-in attempts lock the user out for increasing durations.
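To make the behaviour concrete, here is an added toy model of that lockout policy (example code, not Azure AD's implementation). It assumes the values stated above, 10 wrong passwords followed by a one-minute lockout, and additionally assumes that each further lockout doubles the previous duration, since the real escalation schedule is not stated on this page. The scenario at the bottom is constructed.

```python
from datetime import datetime, timedelta

# Added example: a toy model of escalating account lockout.
# Assumptions: 10 failures trigger a lockout, the first lockout lasts one
# minute, and every consecutive lockout doubles the previous duration.
LOCKOUT_THRESHOLD = 10
FIRST_LOCKOUT = timedelta(minutes=1)


class AccountLockout:
    """Tracks failed sign-ins for one account and enforces escalating lockouts."""

    def __init__(self):
        self.failures = 0          # wrong passwords since the last lockout or success
        self.lockouts = 0          # consecutive lockouts triggered so far
        self.locked_until = None   # datetime until which every sign-in is refused

    def is_locked(self, now):
        return self.locked_until is not None and now < self.locked_until

    def attempt(self, now, password_ok):
        """Process one sign-in attempt; returns 'locked', 'success' or 'failure'."""
        if self.is_locked(now):
            # Even the correct password is refused while the lockout lasts, which
            # is exactly what an attacker exploits to deny service to the owner.
            return "locked"
        if password_ok:
            self.failures = 0
            self.lockouts = 0
            self.locked_until = None
            return "success"
        self.failures += 1
        if self.failures >= LOCKOUT_THRESHOLD:
            self.lockouts += 1
            duration = FIRST_LOCKOUT * (2 ** (self.lockouts - 1))
            self.locked_until = now + duration
            self.failures = 0   # the counter restarts after each lockout
        return "failure"


def simulate(events, start=datetime(2019, 1, 1, 9, 0, 0)):
    """events: list of (seconds_after_start, password_ok). Returns one outcome per event."""
    account = AccountLockout()
    return [account.attempt(start + timedelta(seconds=t), ok) for t, ok in events]


if __name__ == "__main__":
    # Constructed scenario: ten wrong guesses in ten seconds, then the real user
    # types the correct password 20 seconds later and is refused; a minute
    # after the lockout started the correct password works again.
    scenario = [(i, False) for i in range(10)] + [(30, True), (90, True)]
    print(simulate(scenario))   # ten 'failure', then 'locked', then 'success'
```

Because the counter is per account and not per source, the ten failures can come from anywhere: the model shows why a known lockout threshold lets an attacker lock out legitimate users at will.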
However, if the attacker knows the lockout policy, he can turn it into a denial of service against a group of accounts: the targeted accounts are locked out, and that unavailability is also part of a successful attack. In the SharePoint case, if the service account name is known, the attacker can take down the entire SharePoint farm by making just enough failed attempts to trigger the lockout policy. OWASP has already listed the disadvantages of the lockout approach here.
Enable Multi-factor Authentication
Another approach is to enable multi-factor authentication to mitigate brute-force attacks. Even when the password is successfully guessed, the attacker cannot get into the system without also passing the second authentication step.
Consider that business users really hate security policy. They do not seem to worry about the losses from a security breach, but if you ask them to authenticate one more time they will blame you; they are not comfortable entering passwords many times. We all know this, so bear in mind that enforcing multi-factor authentication can affect the user experience. But if the potential loss is huge, there is no reason not to enforce it.
When you centralize your identities in Microsoft Azure, your team is given access to different Azure resources, and you need to monitor and manage those identities. With Azure Active Directory Premium, you can take full advantage of risk-based policies that protect identities automatically. The detected risks can include:
- Leaked credentials
- Impossible travel to atypical locations
- Sign-ins from infected devices
- Sign-ins from anonymous IP addresses
- Sign-ins from IP addresses with suspicious activity
- Sign-ins from unfamiliar locations
For more information about these capabilities, read here: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identityprotection
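One of the risk events above, impossible travel to an atypical location, is easy to reason about with a small detector. The following is an added example written for this page, not Identity Protection's own logic: it compares each sign-in with the same user's previous sign-in and flags pairs that would require travelling faster than a chosen speed. The sign-in records, IP addresses and coordinates are constructed sample data; in practice the coordinates come from an IP geolocation database, and the 1000 km/h ceiling is an assumption.

```python
import math
from datetime import datetime

# Added example: minimal "impossible travel" detection over constructed
# sign-in records. Assumption: any implied speed above MAX_SPEED_KMH is
# impossible for a human and therefore indicates a shared or stolen credential.
MAX_SPEED_KMH = 1000.0

# (user, ISO timestamp, source IP, city, latitude, longitude) -- constructed data
SAMPLE_SIGNINS = [
    ("alice", "2019-03-04T09:00:00", "203.0.113.10", "Singapore", 1.35, 103.82),
    ("bob",   "2019-03-04T09:00:00", "203.0.113.11", "Singapore", 1.35, 103.82),
    ("alice", "2019-03-04T09:30:00", "198.51.100.7", "New York", 40.71, -74.01),
    ("bob",   "2019-03-04T11:00:00", "192.0.2.44",   "Kuala Lumpur", 3.14, 101.69),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    earth_radius_km = 6371.0
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlambda = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlambda / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def impossible_travel(signins, max_speed_kmh=MAX_SPEED_KMH):
    """Compare each sign-in with the user's previous one (in time order) and
    return an alert for every pair that implies a speed above max_speed_kmh."""
    alerts = []
    last_seen = {}
    for user, ts, ip, city, lat, lon in sorted(signins, key=lambda s: s[1]):
        when = datetime.fromisoformat(ts)
        if user in last_seen:
            prev_when, prev_city, prev_lat, prev_lon = last_seen[user]
            hours = (when - prev_when).total_seconds() / 3600.0
            distance = haversine_km(prev_lat, prev_lon, lat, lon)
            # Two different places at the same instant is treated as infinitely fast.
            speed = distance / hours if hours > 0 else float("inf")
            if distance > 0 and speed > max_speed_kmh:
                alerts.append({
                    "user": user, "from": prev_city, "to": city, "ip": ip,
                    "hours": round(hours, 2), "km": round(distance), "speed_kmh": round(speed),
                })
        last_seen[user] = (when, city, lat, lon)
    return alerts


if __name__ == "__main__":
    # alice: Singapore to New York in 30 minutes is flagged;
    # bob: Singapore to Kuala Lumpur in two hours is not.
    for alert in impossible_travel(SAMPLE_SIGNINS):
        print(alert)
```

A production version would add a grace distance for sloppy IP geolocation and whitelist known VPN egress points, otherwise users on a corporate VPN trip the rule every time the tunnel moves them to another country.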
Conditional Access Policy
Conditional access policy in Azure Active Directory Premium allows you to control access based on policy. Although this is not directly related to brute-force attacks, it is a good way to monitor your identities and to force corporate identities to authenticate according to your own policies. An attacker who does not know, and cannot satisfy, those policies cannot make a successful attack.
There are four conditions:
- Sign-in risk
- Device platform
- Location
- Client app
Each condition defines a scope to which the policy applies. For example, with the device platform condition you can restrict sign-in to specific platforms such as iOS or Android, and with the location condition you can define trusted IP address ranges. This helps block an attacker's IP address when he tries to discover and log in from his own location.
Brute-force attacks are not new, but they remain a commonly used technique because human mistakes happen all the time. One solution cannot address all problems; as we very often say, there is no silver bullet in security. To prevent brute-force attacks, you must combine all possible solutions.
Azure Security Center can help detect brute-force attacks with its Detection capability. However, as of this writing the Detection capability has not been extended to Azure Active Directory. You can still benefit from RDP brute-force detection for your Azure virtual machines.
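For readers who want to see what an RDP brute-force detection looks like on the raw events, here is an added example (my own illustration, not Security Center's detection logic) that runs a sliding-window count of failed logons per source IP and then watches for a successful logon from a source that was already flagged. The log lines are a constructed flat rendering of the Windows Security event fields (4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive, i.e. RDP); real events arrive as EVTX/XML. The threshold of ten failures in five minutes is an assumption.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example: sliding-window RDP brute-force detection over constructed
# Windows Security event lines. Assumptions: THRESHOLD failures from one
# source IP within WINDOW raise an alert; a later 4624 from that IP is
# reported as a likely credential compromise.
THRESHOLD = 10
WINDOW = timedelta(minutes=5)

# Constructed sample: one source hammers several accounts and finally gets in,
# another source fails twice and then logs in normally.
SAMPLE_LOG = """\
2019-03-04T09:00:01 EventID=4625 TargetUserName=administrator IpAddress=203.0.113.7 LogonType=10
2019-03-04T09:00:03 EventID=4625 TargetUserName=admin IpAddress=203.0.113.7 LogonType=10
2019-03-04T09:00:05 EventID=4625 TargetUserName=administrator IpAddress=203.0.113.7 LogonType=10
2019-03-04T09:00:07 EventID=4625 TargetUserName=backup IpAddress=203.0.113.7 LogonType=10
2019-03-04T09:00:09 EventID=4625 TargetUserName=sqlsvc IpAddress=203.0.113.7 LogonType=10
2019-03-04T09:00:11 EventID=4625 TargetUserName=alice IpAddress=198.51.100.9 LogonType=10
2019-03-04T09:00:12 EventID=4625 TargetUserName=administrator IpAddress=203.0.113.7 LogonType=10
2019-03-04T09:00:14 EventID=4625 TargetUserName=test IpAddress=203.0.113.7 LogonType=10
2019-03-04T09:00:16 EventID=4625 TargetUserName=admin IpAddress=203.0.113.7 LogonType=10
2019-03-04T09:00:18 EventID=4625 TargetUserName=administrator IpAddress=203.0.113.7 LogonType=10
2019-03-04T09:00:20 EventID=4625 TargetUserName=guest IpAddress=203.0.113.7 LogonType=10
2019-03-04T09:00:25 EventID=4624 TargetUserName=alice IpAddress=198.51.100.9 LogonType=10
2019-03-04T09:00:40 EventID=4624 TargetUserName=administrator IpAddress=203.0.113.7 LogonType=10
"""

LINE_RE = re.compile(
    r"^(\S+) EventID=(\d+) TargetUserName=(\S+) IpAddress=(\S+) LogonType=(\d+)$"
)


def parse_events(lines):
    """Yield (timestamp, event_id, user, ip, logon_type); lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, event_id, user, ip, logon_type = m.groups()
            yield datetime.fromisoformat(ts), int(event_id), user, ip, int(logon_type)


def detect_rdp_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Return alerts for RDP brute-force bursts and for logons that follow them."""
    recent = defaultdict(deque)   # source IP -> recent (timestamp, user) failures
    flagged = set()               # source IPs that already produced a burst alert
    alerts = []
    for ts, event_id, user, ip, logon_type in parse_events(lines):
        if logon_type != 10:      # only RemoteInteractive (RDP) logons matter here
            continue
        if event_id == 4625:
            failures = recent[ip]
            failures.append((ts, user))
            while failures and ts - failures[0][0] > window:
                failures.popleft()   # drop failures that fell out of the window
            if len(failures) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({
                    "type": "rdp_bruteforce", "ip": ip,
                    "failures": len(failures),
                    "accounts": len({u for _, u in failures}),  # many accounts = spraying
                    "first": failures[0][0].isoformat(), "last": ts.isoformat(),
                })
        elif event_id == 4624 and ip in flagged:
            alerts.append({"type": "success_after_bruteforce", "ip": ip,
                           "user": user, "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

The second alert type is the one worth paging on: a burst of failures followed by a 4624 from the same source is the footprint of the colleague's incident described earlier, and it is what should trigger isolating the VM and rotating the credential.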