How to Prevent and Respond to Password Spraying Attacks: A Guide for IT Professionals and Executives

IT security is an important consideration for every organization, and the volume of cyberattacks across the globe, from both criminal organizations and state actors, has increased dramatically in recent years, fueled partly by bad actors using AI to accelerate and scale their attacks.

One of the more common cyberattacks is known as password spraying, a form of brute-force attack in which the attacker tries a small list of commonly used passwords against many accounts. It differs from a traditional brute-force attack, which hammers a single account with a large number of password attempts. A password spray instead tries one common, widely used (or default) password across a large number of accounts and then moves on to the next password, which keeps the number of failures per account low enough to stay under a typical account lockout threshold. Password spraying is increasingly easy for bad actors to automate and scale, so it is an attack that Active Directory (AD) administrators need to pay special attention to.

How Does Password Spraying Work?

As mentioned above, password spraying attacks are all about reach and volume: the attacker wants to test as many accounts as possible as efficiently as possible. Attackers usually begin with a sizable list of usernames or email addresses (harvested from breach dumps or simply generated from the organization's naming convention), combined with a list of commonly used passwords obtained from shady parts of the internet, or a dictionary-based list of common words and slight variations of them, and throw those passwords at the targeted accounts. Microsoft has published guidance that breaks this process down into three phases: acquiring a list of usernames, spraying passwords, and gaining access to sensitive information.

Many attackers rely on automated scripts and tools, such as Hydra, Medusa, or CrackMapExec, to power their attempts. (For a more exhaustive list of the tools attackers can use, Pedro Tavares at the Infosec Institute has written a comprehensive list of the top tools used in password spraying attacks.)

As with many other cyberattacks, password spraying has a greater chance of success when the attacker can exploit weak passwords and outdated security practices: predictable or easily guessable passwords, and accounts that are not protected by an account lockout policy or by multi-factor authentication.
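The difference between the two attack styles, and the reason an account lockout policy alone does not stop a spray, is easiest to see in a small model. The following Python is an added example written for this post (not Ravenswood's or Microsoft's code). The accounts, password lists and policy numbers are constructed, and the lockout logic is a simplified version of the AD threshold, observation window and lockout duration settings.

```python
"""Password spray versus classic brute force against an AD-style account lockout policy.

Added example for this post, not Ravenswood's or Microsoft's code. The credentials,
password lists and policy values below are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    # The three settings behind an AD account lockout policy (threshold is a count, the rest minutes).
    threshold: int = 5       # bad attempts before lockout (0 disables lockout)
    window_min: int = 30     # observation window: the bad-password counter resets after this long
    duration_min: int = 30   # how long a locked account stays locked


@dataclass
class AccountState:
    password: str
    bad_count: int = 0
    first_bad_at: float = 0.0
    locked_until: float = 0.0


class Directory:
    # Toy authentication service that enforces LockoutPolicy; all times are in minutes.
    def __init__(self, policy, credentials):
        self.policy = policy
        self.accounts = {user: AccountState(pw) for user, pw in credentials.items()}
        self.lockouts = []      # users locked out, in the order it happened
        self.compromised = []   # (user, password) pairs the attacker got right

    def authenticate(self, t, user, password):
        """Return 'success', 'locked' or 'failed' for an attempt at minute t."""
        acct = self.accounts[user]
        if t < acct.locked_until:
            return "locked"
        # The counter resets once the observation window has elapsed since the first failure
        if acct.bad_count and t - acct.first_bad_at >= self.policy.window_min:
            acct.bad_count = 0
        if password == acct.password:
            acct.bad_count = 0
            self.compromised.append((user, password))
            return "success"
        if acct.bad_count == 0:
            acct.first_bad_at = t
        acct.bad_count += 1
        if self.policy.threshold and acct.bad_count >= self.policy.threshold:
            acct.locked_until = t + self.policy.duration_min
            acct.bad_count = 0
            self.lockouts.append(user)
        return "failed"


def brute_force(directory, user, passwords, seconds_between=1):
    """Classic brute force: every candidate password against one account, back to back."""
    return [directory.authenticate(i * seconds_between / 60, user, pw)
            for i, pw in enumerate(passwords)]


def spray(directory, users, passwords, minutes_between_rounds):
    """Spray: one password across every user per round, pausing between rounds."""
    results = []
    for round_no, pw in enumerate(passwords):
        t = round_no * minutes_between_rounds
        results.extend(directory.authenticate(t, user, pw) for user in users)
    return results


# Constructed sample directory: two of the five users chose a seasonal or default-style password.
CREDENTIALS = {
    "alice": "Xk9#vR2!pLm4",
    "bob": "Winter2024!",
    "carol": "T7$qWe8@zN1",
    "dave": "Welcome1",
    "erin": "mQ4^bV6&hY3",
}
CANDIDATES = ["Password1", "Welcome1", "Summer2023!", "Company123", "Qwerty123",
              "Winter2024!", "Passw0rd", "Admin123", "Letmein1", "Changeme1"]


def run_comparison():
    """Run the same ten-password list three ways and report (lockouts, compromised) for each."""
    policy = LockoutPolicy(threshold=5, window_min=30, duration_min=30)
    users = list(CREDENTIALS)
    # 1. Brute force bob: locked after five failures, his real password (sixth) is never tested.
    bf = Directory(policy, CREDENTIALS)
    brute_force(bf, "bob", CANDIDATES)
    # 2. Careless spray: all ten rounds back to back, so every account collects failures fast.
    fast = Directory(policy, CREDENTIALS)
    spray(fast, users, CANDIDATES, minutes_between_rounds=0)
    # 3. Patient spray: one round every 31 minutes, just longer than the observation window.
    slow = Directory(policy, CREDENTIALS)
    spray(slow, users, CANDIDATES, minutes_between_rounds=31)
    return {
        "brute_force": (bf.lockouts, bf.compromised),
        "fast_spray": (fast.lockouts, fast.compromised),
        "slow_spray": (slow.lockouts, slow.compromised),
    }
```

Call run_comparison() and the brute force locks bob out before reaching his real password, the impatient spray locks out all five accounts and only catches dave, and the spray that waits out the 30-minute observation window between rounds never trips the lockout and still recovers both weak passwords. That is the attacker's calculus: keep failures per account below the threshold within each window, and trade time for stealth.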

Identifying Vulnerabilities in Your System

Speaking of weak passwords and outdated security practices, identifying vulnerabilities in your environment is a vital part of a proactive defense against password spraying. Regular, consistent security assessments that look for weak passwords, inactive accounts, and misconfigured security settings are a must, as are clearly defined password policies that are reviewed regularly and communicated widely throughout your organization.

From an AD perspective, Ravenswood Technology Group offers a regular Active Directory Health Check service, which includes assessing password policies, reviewing account lockout settings, and auditing privileged accounts.

Preventing Password Spraying Attacks

The timeworn proverb that states “an ounce of prevention is worth a pound of cure” is especially true when it comes to defending against password spraying attacks. In addition to following existing guidance from Microsoft on the topic, here are some other important steps to follow that can help harden your organization’s IT defenses:

  • Adopt strong password policies: enforce a sensible minimum length and block commonly used passwords. (See the latest NIST password guidance, which favors length and banned-password checks over traditional complexity rules and forced periodic rotation.)
  • Implement multi-factor authentication (MFA), which is a critical step in preventing unauthorized access: a sprayed password alone is then not enough to sign in.
  • Enforce account lockout policies that temporarily lock accounts after a set number of failed login attempts. Keep the caveat in mind: a careful spray is designed to stay under the threshold, so lockout raises the attacker's cost rather than stopping the attack outright, and an overly aggressive threshold lets an attacker lock your own users out.
  • Use monitoring and logging tools to detect the signature of a spray: failed login attempts spread across many accounts, typically from the same source or within a short window, with only one or two failures per account.
  • Use the Attack Simulator (Attack simulation training) feature in Defender for Office 365, which lets you run phishing and cyberattack simulations within your organization.
  • Adopt passwordless authentication. That can be a long process for many organizations, so in the meantime Microsoft Entra ID (formerly Azure Active Directory) can help, for example with Password Protection, which blocks known-weak passwords and can be extended to on-premises AD, and smart lockout, which separates attacker sign-in attempts from the legitimate user's.

Brian Desmond, a Principal at the Ravenswood Technology Group, supports the idea that Microsoft Entra ID can be a valuable tool to help defend against password spray attacks.

“Entra ID has much larger data sets that make these [attack] patterns detectable. Microsoft does exactly this and curates password spray attack data in multiple forms for Entra ID Premium customers,” explains Desmond. “Through billions upon billions of authentication attempts, Microsoft can curate a list of some of the most common passwords that are used in password spray attacks. The company uses this data to prevent end users from choosing these passwords.”

Responding to a Password Spraying Attack

No security plan is infallible, so it is also important to have an action plan in place for when an attack succeeds. While this topic warrants a blog post of its own, here are some key steps that should be part of any post-attack plan:

  • Identify and isolate affected systems and accounts to prevent the attack from spreading and to minimize damage
  • Assess the scope of the attack by reviewing system logs, identifying compromised accounts, and determining whether any sensitive data was accessed
  • Secure compromised accounts: reset their passwords, revoke active sessions and tokens so a reset password cannot be bypassed by an existing login, and review their access rights
  • Conduct a thorough investigation and report the incident to relevant authorities or regulatory bodies, as required by law or industry standards

Educating Your Team and Adopting Security and Incident Response Plans

While all the steps outlined so far can help you defend against password spraying attacks, educating both IT and non-IT staff on cybersecurity best practices is a must. That means regular training on password security and on recognizing and reporting phishing attempts, as well as raising awareness of password spraying itself, including the consequences of using weak or reused passwords.

Establishing routinely updated security policies and an incident response plan (IRP) is a key part of any cybersecurity program, with an emphasis on clear procedures and clearly defined communication channels. While detailing what should be included in a full IRP is beyond the scope of this blog post, the Cybersecurity and Infrastructure Security Agency (part of the U.S. Department of Homeland Security) has published some IRP basics (PDF) that can help with your own IRP creation efforts.

Conclusion

We’ve explained what password spraying attacks are, covered some of the important steps you can take to defend your IT infrastructure against them, and discussed the importance of current security policies and procedures. It also bears restating the “ounce of prevention is worth a pound of cure” proverb mentioned earlier in this post: being proactive about your organization’s approach to cybersecurity is one of the most important steps you can take to make your IT security defense plan successful.

Attacks are constantly evolving, and defense must evolve in parallel. If your organization needs an assessment of its current environment or is looking to implement a new solution, reach out to Ravenswood today.

Partner with Microsoft experts you can trust

If it’s time to take that first step toward leveling up your organization’s security, get in touch with Ravenswood to start the conversation. 
