What Is Password Spraying and How to Stop it?

How do Password Spraying Attacks Differ from Other Password Attacks?

Rather than targeting specific accounts and devices, a password spraying attack will target as many different accounts as possible and do so in a slow and controlled manner. Many IT systems will have primitive solutions in place to detect and block multiple failed logon attempts. By attempting to login to multiple accounts slowly and continuously, the attacker is less likely to get locked out of an account. As with other password attack vectors, once the attacker has gained access to an account, they will try to use their access to engage in reconnaissance activities in order to move laterally throughout the network.

The Anatomy of a Password Spraying Attack

There are typically three steps that attackers will take in order to successfully execute a password spraying attack, which includes;

1. Obtaining a list of usernames

Attackers will first try to obtain a list of usernames through various means. Companies often use a formalized convention for usernames, which is usually the users’ email addresses. For example, a commonly used email format is: firstname.lastname@company.com. Attackers can often find this information by looking for clues on the company’s website, or by browsing social media websites, such as LinkedIn. In some cases, attackers are able to purchase a list of usernames from the dark web. Attackers will typically use software that can verify the accuracy of the usernames before carrying out an attack.

2. Spraying Passwords

Once they have a list of usernames, they will obtain a list of the most commonly used passwords and begin spraying. They may also customize the list according to certain factors, such as the geographical region where the users are based, which may take into account regional dialects, popular regional sports teams/players, and so on. In order to avoid triggering any alarms, the attackers will typically wait at least 30 minutes before trying again.

3. Reconnaissance

Assuming the spraying attack was successful and the attacker now has access to one or more accounts, they will begin investigating the type of access they have, which includes which systems, data, and applications they have access to. They will also try to use their access to elevate their privileges, which typically involves exploiting software vulnerabilities, misconfigurations, or identifying any weak access controls. Given that they now have legitimate access to the network, including their “own” email account, they may also try to elevate their privileges by emailing colleagues with privileged accounts and trying to trick them into handing over their credentials. Basically, any additional information they can obtain about the network will give them a better chance of achieving their goal.

How to Respond to a Password Spraying Attack

Assuming you have one, you will need to execute your incident response plan as soon as you have detected a password spraying attack. At the very least, your incident response plan should prompt you to take the following actions;

Change passwords

The obvious first step would be to inform all employees about the attack and ask them to change their passwords. Some argue that it is good practice to adopt a solution that can periodically and automatically remind users to reset their passwords. If you are unable to enforce the use of strong passwords, you should at least strongly encourage your employees to adhere to certain guidelines about how to create a sufficiently complex password. Alternatively, you can provide them with a password generation tool.

Update/patch all software

As mentioned previously, attackers will often try to exploit software vulnerabilities in order to elevate their privileges. As such, you must ensure that all software updates and patches are installed as soon as they become available.

Review event logs

It would be a good idea to carry out a detailed forensic investigation into the incident to ensure that you know exactly what happened, how it happened, and when. You can use the information gathered from your investigation to improve your incident response plan. If you are using a real-time auditing solution, you will be able to easily obtain this information by reviewing the event logs via an intuitive interface. Otherwise, you will need to manually review the event logs, which will be a slow and painful process. It’s worth noting that some real-time auditing solutions are able to automatically detect and respond to events that match a pre-defined threshold condition, and some may have built-in settings to help identify password spraying attacks.

How to Prevent Password Spraying Attacks

Configure password security settings

Whichever platform you are using, make sure that you have carefully reviewed and configured any password security setting available. For example, if you are using Microsoft Azure, and you are using a cloud-only environment, you can take advantage of Azure AD Password Protection, free of charge. Azure AD Password Protection will detect and block known weak passwords, and can also block terms that are specific to your organization. Azure AD Password Protection can also work with on-premises and hybrid environments, although a license will be required in that scenario.

Carry out simulated attacks

Either carry out a simulated password spraying attack using attack simulation software or employ a third party to do it for you. This will give you a better insight into your password security posture. When testing a list of passwords, take into account any regional or industry-specific terms that your employees might use for their passwords.

Enable multi-factor authentication (MFA)

It is always a good idea to enable multi-factor authentication to ensure that a password alone is not enough to gain access to an account. If you want to be extra secure, consider implementing technology that allows for biometric or voice-activated authentication.

Use a real-time auditing solution

A real-time auditing solution will use machine learning techniques to detect and respond to anomalous events, which might include multiple failed logon attempts, or when someone tries to login to an inactive user account. As mentioned previously, some real-time auditing solutions are able to detect and respond to events that match a pre-defined threshold condition. Assuming you are aware of the conditions associated with password spraying attacks, you can specify the conditions and automate a response accordingly. This might include disabling a user account, stopping a specific process, changing the firewall settings, or shutting down the affected server.

If you’d like to see how the Lepide Data Security Platform can help you detect the signs of a password spraying attack, schedule a demo with one of our engineers or start your free trial today.