CAPEC-112

Meta Abstraction Level
Meta — Very abstract, high-level category
Standard — Specific enough to understand
Detailed — Tied to specific technique
Draft MITRE CAPEC Status
Stable — Fully reviewed and complete
Draft — Under development
Incomplete — Partially defined
Deprecated — No longer recommended
Obsolete — Replaced by another CAPEC
Severity: High
Brute Force

Description

In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.

Prerequisites

The attacker must be able to determine when they have successfully guessed the secret. As such, one-time pads are immune to this type of attack since there is no way to determine when a guess is correct.

Mitigations

Select a provably large secret space for selection of the secret. Provably large means that the procedure by which the secret is selected does not have artifacts that significantly reduce the size of the total secret space.

Use a secret space that is well known and with no known patterns that may reduce functional size.

Do not provide the means for an attacker to determine success independently. This forces the attacker to check their guesses against an external authority, which can slow the attack and warn the defender. This mitigation may not be possible if testing material must appear externally, such as with a transmitted cryptotext.

Skills Required

[Low] The attack simply requires basic scripting ability to automate the exploration of the search space. More sophisticated attackers may be able to use more advanced methods to reduce the search space and increase the speed with which the secret is located.