“Password Spraying”—What to Do and How to Avoid It

March 15, 2019, Bob Post, Senior Practice Director, Cyber Risk Advisory, Coalfire

Cyber breaches aren’t the only hot topic in the cyber media—sometimes the attack tactics themselves can claim the limelight when a significant breach gains media attention. One tactic getting some attention in the news is “password spraying.” We offer an overview of what it is, how to avoid it, and what to do if you think you were affected by an attack below; but note that a strong overall cybersecurity posture and adherence to best practices are always the best defense across the range of attack vectors, whether they are in the news or not!

What Is Password Spraying?

Password Spraying is a variant of what is known as a brute force attack. In a traditional brute force attack, the perpetrator attempts to gain unauthorized access to a single account by guessing the password repeatedly in a very short period of time. Most organizations have employed countermeasures, commonly a lock-out after three to five attempts. In a Password Spraying attack, the attacker circumvents common countermeasures (e.g., account lock out) by “spraying” the same password across many accounts before trying another password.

Typically used against single sign-on (SSO) and cloud-based applications using federated authentication protocols, this attack allows the malicious actor to compromise the authentication mechanisms. Once in, the attacker moves laterally, capitalizing on internal network vulnerabilities, to gain access to critical applications and sensitive data.

Common tactics, techniques, and procedures (TTPs) involved in this type of attack include:

  • Using online research and social engineering tactics to identify target organizations and user accounts
  • Using easily guessed passwords (e.g., “Password123”) to execute the password spray attack
  • Leveraging compromised accounts to obtain email address lists to attack even more accounts
  • Expand laterally within the compromised network and exfiltrate data

How to Avoid Being a Victim of Password Spraying Attacks

To avoid being a victim, it is recommended that you:

  • Enable and properly configure multi-factor authentication (MFA)
  • Enforce the use of strong passwords
  • Regularly review your password management program
  • Maintain a regular cadence of security awareness training for all company employees
  • Ensure your Help Desk has well-documented procedures for password resets for user lockouts

What to Do if You Suspect Your Organization Was Affected by a Password Spraying Attack

  • If you do not have MFA, consider resetting passwords for administrative and privileged domain accounts 
  • If you have a Security Logging platform, make sure it is configured to identify failed attempted logins across multiple systems and increase your response and investigation into these activities
  • Deploy an Endpoint Detection and Response technology (EDR—example: CrowdStrike) and/or Deception Technology (example: Illusive Networks) on end points to gain visibility of malicious activity and prevent attacker lateral movement
  • Review your incident response plan and alert appropriate members in a precautionary capacity
  • Contact Coalfire or another security firm with incident response and digital forensic capabilities and have them perform an investigation if you believe there are indicators of data loss or you need additional support

Additionally, monitor your networks for anomalous activity such as a spike in attempted logins on the enterprise SSO portal as well as web-based applications looking for logins inconsistent with your normal operations. This could be an indicator of an attack in progress. It’s also important to put proper focus and attention on your internal network security posture to limit an attacker’s capability to move laterally through the network. Regular penetration testing and red team testing can help to probe your organization for weaknesses before an attack occurs.

Remember, employing a strategy of defense in depth makes the attacker’s job more difficult.

Bob Post

Author

Bob Post — Senior Practice Director, Cyber Risk Advisory, Coalfire

Recent Posts

Post Topics

Archives

Tags

2.0 3.0 access Accounting Agency AICPA Assessment assessments ASV audit AWS AWS Certified Cloud Practitioner AWS Certs AWS Summit bitcoin Black Hat Black Hat 2017 blockchain Blueborne Breach BSides BSidesLV Burp BYOD California Consumer Privacy Act careers CCPA Chertoff cloud CoalfireOne Compliance credit cards C-Store Cyber cyber attacks Cyber Engineering cyber incident Cyber Risk cyber threats cyberchrime cyberinsurance cybersecurity danger Dangers Data DDoS DevOps DFARS DFARS 7012 diacap diarmf Digital Forensics DoD DRG DSS e-banking Ed Education encryption engineering ePHI Equifax Europe EU-US Privacy Shield federal FedRAMP financial services FISMA Foglight forensics Gartner Report GDPR Google Cloud NEXT '18 government GRC hack hacker hacking Halloween Health Healthcare heartbleed Higher Higher Education HIMSS HIPAA HITECH HITRUST HITRUST CSF Horror Incident Response interview IoT ISO IT JAB JSON keylogging Kubernetes Vulnerability labs LAN law firms leadership legal legislation merchant mobile NESA News NH-ISAC NIST NIST 800-171 NIST SP 800-171 NotPetya NRF NYCCR O365 OCR of P2PE PA DSS PA-DSS password passwords Payments PCI PCI DSS penetration Penetration Testing pentesting Petya/NotPetya PHI Phishing Phising policy POODLE PowerShell Presidential Executive Order Privacy program Ransomware Retail Risk RSA RSA 2019 Safe Harbor Scanning Scans scary security security. SOC SOC 2 social social engineering Spectre Splunk Spooky Spraying Attack SSAE State Stories Story test Testing theft Virtualization Visa vulnerability Vulnerability management web Wifi wireless women XSS