In August last year, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), prompted by the advisory released by the Australian Cyber Security Centre (ACSC), advised the American public to be watchful of their passwords with the threat of a new form of brute force attack known as password spraying, which targets businesses and other organizations in particular.
Definition
A password spraying attack is carried out by throwing anything against the wall to see what sticks. Attackers try out one password at a time against targeted user accounts until they find one that works. And by avoiding rapid or frequent account lockouts, they are able to stay under the radar.
Detection
The ACSC urges organizations to “create alerting rules” in the event of the following circumstances:
1. High number of authentication attempts within a defined period of time
This is characterized by a significantly higher number of failed login attempts over a period of time (e.g., an hour).
Tip 1: For IT reviewing logs from a cloud based service, one way to narrow your search for failed logins is by excluding your organization’s IP address ranges.
Tip 2: In some cases, password sprays against user account logins have been attempted in alphabetical order.
2. Large number of bad usernames
Some password spray attacks may be attempted using generic username lists, or username generators. The threat here depends on a given system’s username/naming policy, and most organizations use systems that employ a standard naming convention that facilitate threat detection and assessment.
3. High number of account lockouts over a defined period of time
This occurs because some attackers either disregard or don’t know the lockout policy of the system used by their targeted organization and go on to try multiple passwords per account, causing corporate accounts to be locked out.
Tip: Organizations with ADFS (Active Directory Federation Services) can implement a smart lock feature with windows Server 2016 to avoid account lockouts.
4. Disproportionate ratio of login success versus login failure per IP address
An individual IP address will have a significantly high login failure rate, because spray attacks will often yield more failures than successes, particularly in protracted password spray attacks carried out in an attempt to avoid detection.
5. Interactions with services using Azure Active Directory PowerShell by non-admin users
Tip: This can be identified if the user is authenticating with “appDisplayName: Azure Active Directory PowerShell.” While there is a legitimate purpose for interacting with services using Azure Active Directory PowerShell, standard, non-administrator users are generally not expected to do so.
The ACSC suggests reviewing standard users authenticating with Azure Active Directory PowerShell for those using Microsoft cloud infrastructure. Standard controls in Office 365 allow users to use PowerShell to authenticate with Microsoft Azure services, allowing attackers to automatically enumerate active directory hosted on the cloud and enabling them to spray against additional accounts or to use that information to generate more sophisticated spear-phishing emails.
Mitigation
Below are recommended options to avoid password spraying attacks for businesses.
Enforce complex passwords as well as a strong password reset policy.
Because passwords are easy to hack, it’s even more important to improve your password management. ACSC recommends generating a random, more complex password when setting up a new user account or resetting credentials.
Implement increased alerting and monitoring
Make sure you have an IT security staff or security information and event management (SIEM) solution in place, with the ability to perform correlation of logs from multiple sources (e.g., threat intelligence), which enables prompt detection and blocking of password spraying against externally facing services to prevent follow-on attacks.
Impose additional access controls and hardening
Determine the use case for your externally facing service, and whether you can prevent unauthorized access by putting in place additional security controls like geo blocking, controlling IP addresses, or requiring users to first connect via a virtual private network (VPN).
Reset credentials of affected accounts
If a password spray attack is successful, immediately identifying and resetting affected user account credentials is a must. Doing this in line with a strong password policy can prevent repeated malicious access to a compromised account.
Implement multifactor authentication (MFA) on all external access systems
Because MFA is a complex authentication process, it is a highly effective mitigating measure against brute force and password spray attacks.
Passwordless MFA is an even better option because it removes the very means of attack used by hackers.
TraitWare can help you transition into passwordless multifactor authentication for a secure and seamless login experience. Ensure the safety and usability of your Enterprise applications and WordPress websites with Traitware solutions.