The U.S. Department of Homeland Security has just released an advisory from The Australian Cyber Security Centre (ACSC) on password spraying attacks. This is an unusual move - we haven't seen this collaboration before.
The reality is that cybersecurity attacks know no boundaries and it is just as easy to hit one country as another - especially when they use the same language.
Password spraying is a type of brute-force attack in which a malicious actor uses a single password against targeted user accounts before moving on to attempt a second password, and so on. This technique allows the actor to remain undetected by avoiding rapid or frequent account lockouts.
The ACSC provides recommendations for organizations to detect and mitigate these types of attacks against their external services, such as webmail, remote desktop access, or cloud-based services.
Here are core elements businesses and other organizations should be aware of:
1) How to choose and protect passwords
Why you need strong passwords
You probably use a number of personal identification numbers (PINs), passwords, and passphrases every day: from getting money from the ATM or using your debit card in a store, to logging in to your email or into an online retailer. Keeping track of all of the number, letter, and word combinations may be frustrating at times, but you’ve seen enough news coverage to know that hackers represent a real threat to your information. Often, an attack is not specifically about your account, but about using the access to your information to launch a larger attack.
One of the best ways to protect information or physical property is to ensure that only authorized people have access to it. Verifying that those requesting access are the people they claim to be is the next step. This authentication process is more important and more difficult in the cyber world. Passwords are the most common means of authentication, but only work if they are complex and confidential. Many systems and services have been successfully breached because of insecure and inadequate passwords. Once a system is compromised, it’s open to exploitation by other unwanted sources.
How to choose good passwords
Avoid common mistakes
Most people use passwords that are based on personal information and are easy to remember. However, that also makes it easier for an attacker to crack them. Consider a four-digit PIN. Is yours a combination of the month, day, or year of your birthday? Does it contain your address or phone number? Think about how easy it is to find someone’s birthday or similar information. What about your email password—is it a word that can be found in the dictionary? If so, it may be susceptible to dictionary attacks, which attempt to guess passwords based on common words or phrases.
Although intentionally misspelling a word ("daytt" instead of "date") may offer some protection against dictionary attacks, an even better method is to rely on a series of words and use memory techniques, or mnemonics, to help you remember how to decode it. For example, instead of the password "hoops," use "IlTpbb" for "[I] [l]ike [T]o [p]lay [b]asket[b]all." Using both lowercase and capital letters adds another layer of obscurity. Changing the same example used above to "Il!2pBb." creates a password very different from any dictionary word.
Length and complexity
The National Institute of Standards and Technology (NIST) has developed specific guidelines for strong passwords. According to NIST guidance, you should consider using the longest password or passphrase permissible (8–64 characters) when you can. For example, "Pattern2baseball#4mYmiemale!" would be a strong password because it has 28 characters. It also includes the upper and lowercase letters, numbers, and special characters. You may need to try different variations of a passphrase—some applications limit the length of passwords, some do not accept spaces or certain special characters. Avoid common phrases, famous quotations, and song lyrics.
Dos and don'ts
Once you’ve come up with a strong, memorable password it’s tempting to reuse it – don’t! Reusing a password, even a strong one, endangers your accounts just as much as using a weak password. If attackers guess your password, they would have access to all of your accounts. Use the following techniques to develop unique passwords for each of your accounts:
- Do use different passwords on different systems and accounts.
- Don't use passwords that are based on personal information that can be easily accessed or guessed.
- Do use the longest password or passphrase permissible by each password system.
- Don't use words that can be found in any dictionary of any language.
- Do develop mnemonics to remember complex passwords.
- Do consider using a password manager program to keep track of your passwords. (See more information below.)
How to protect your passwords
Now that you've chosen a password that's easy for you to remember, but difficult for others to guess, you have to make sure not to leave it someplace for people to find. Writing it down and leaving it in your desk, next to your computer, or, worse, taped to your computer, is just making it easy for someone who has physical access to your office. Don't tell anyone your passwords, and watch for attackers trying to trick you through phone calls or email messages requesting that you reveal your passwords. (See Avoiding Social Engineering and Phishing Attacks for more information.)
Programs called password managers offer the option to create randomly generated passwords for all of your accounts. You then access those strong passwords with a master password. If you use a password manager, remember to use a strong master password.
Password problems can stem from your web browsers’ ability to save passwords and your online sessions in memory. Depending on your web browsers’ settings, anyone with access to your computer may be able to discover all of your passwords and gain access to your information. Always remember to log out when you are using a public computer (at the library, an Internet cafe, or even a shared computer at your office). Avoid using public computers and public Wi-Fi to access sensitive accounts such as banking and email.
There's no guarantee that these techniques will prevent an attacker from learning your password, but they will make it more difficult.
For more information on passwords, multi-factor authentication, and related password topics, see Supplementing Passwords.
Don’t forget security basics
- Keep your operating system, browser, and other software up-to-date.
- Use and maintain anti-virus software and a firewall. (See Understanding Anti-Virus Software and Understanding Firewalls.)
- Regularly scan your computer for spyware. (Some anti-virus programs incorporate spyware detection.)
- Use caution with email attachments and untrusted links.
- Watch for suspicious activity on your accounts.
To increase the likelihood of detecting password spray attacks, the ACSC recommends that organisations create alerting rules in their Security Information and Event Management (SIEM) solution, or similar, for the following circumstances:
- High number of authentication attempts within a defined period of time
Typically, during a password spray attack the number of failed attempts over a period of time (such as an hour) will be significantly higher than the normal rate of failed login events. Malicious cyber actors may attempt a set number of logins based on the default or expected lockout threshold for a system or service, so a rule that only fires on lockouts will miss them. If you are reviewing logs from a cloud-based service, excluding your organisation's own IP address ranges will help to narrow your search. The ACSC has also noticed that in some cases password sprays have been attempted against user accounts in alphabetical order.
- Large number of bad usernames
Some password spray attacks may be attempted using generic username lists or a username generator. The threat posed by this technique depends on the username naming policy used on the system: most systems used by organisations follow a standard naming convention, so detecting the technique and assessing the threat it poses can be readily achieved.
- High number of account lockouts over a defined period of time
Depending on the method of spraying, some actors may try multiple passwords per account without regard to, or awareness of, the lockout policy, leading to corporate accounts being locked out. To prevent this from becoming a denial of service, organisations using AD FS should consider enabling the Extranet Smart Lockout feature in Windows Server 2016 (see the Microsoft guidance "Description of the Extranet Smart Lockout feature in Windows Server 2016").
- If you use Microsoft cloud infrastructure, review standard users authenticating with Azure Active Directory PowerShell
Default Office 365 settings allow any user to authenticate to your Microsoft Azure services with PowerShell. This gives an actor who has compromised one account an automated way to enumerate your cloud-hosted directory, either to spray additional accounts or to use that information to craft more targeted spear-phishing emails. There are legitimate reasons to interact with services using Azure Active Directory PowerShell, but such usage would be unexpected for standard, non-administrator users. In Azure Active Directory sign-in logging this can be identified where the user is authenticating with 'appDisplayName: Azure Active Directory PowerShell'.
- Looking at the ratio of login success versus login failure per IP address
Spray attacks will usually yield far more failures than successes. If a password spray is spread over a long period of time in an attempt to avoid detection, the ratio of failures to successes per IP address will still reveal any IP with a significantly high login failure rate.
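The alerting conditions above, as an added example rather than code from the ACSC advisory or this page: a Python script that runs each rule over a constructed batch of sign-in records shaped loosely like Azure AD sign-in log fields (user, source IP, appDisplayName, outcome). Every record, username, address (documentation ranges), the administrator allow-list and the thresholds are made up; it also checks for the alphabetical-order targeting the ACSC mentions.

```python
"""Password-spray alerting rules run over constructed sign-in records.

Added example, not code from the ACSC advisory. Records loosely mirror Azure AD
sign-in log fields (user, ipAddress, appDisplayName, result); every record,
address, account and threshold here is made up. 203.0.113.0/24 stands in for
attacker sources, 198.51.100.0/24 for the organisation's own egress range.
"""
from collections import Counter, defaultdict
from datetime import datetime

PS_APP = "Azure Active Directory PowerShell"  # appDisplayName the ACSC says to watch
ORG_RANGES = ("198.51.100.",)                 # assumed organisation egress prefixes
ADMINS = {"admin-ops"}                        # assumed accounts expected to use PS_APP

def ev(hhmmss, user, ip, result, app="Office 365 Exchange Online"):
    """One constructed sign-in record (the date is arbitrary)."""
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return {"ts": datetime(2018, 3, 6, h, m, s), "user": user,
            "ip": ip, "app": app, "result": result}

# result: success | fail (wrong password) | unknown_user | lockout
LOG = [
    ev("08:30:00", "alice", "198.51.100.5", "success"),
    ev("08:45:00", "alice", "198.51.100.5", "fail"),
    # one password tried down the user list alphabetically, then guessed names
    ev("09:00:01", "alice", "203.0.113.7", "fail"),
    ev("09:00:02", "bob", "203.0.113.7", "fail"),
    ev("09:00:03", "carol", "203.0.113.7", "fail"),
    ev("09:00:04", "dave", "203.0.113.7", "fail"),
    ev("09:00:05", "erin", "203.0.113.7", "fail"),
    ev("09:00:06", "frank", "203.0.113.7", "success"),
    ev("09:00:07", "admin", "203.0.113.7", "unknown_user"),
    ev("09:00:08", "guest", "203.0.113.7", "unknown_user"),
    ev("09:00:09", "test", "203.0.113.7", "unknown_user"),
    ev("09:05:00", "frank", "203.0.113.7", "success", app=PS_APP),  # enumeration
    # a clumsier source ignores the lockout threshold
    ev("09:10:00", "bob", "203.0.113.9", "fail"),
    ev("09:10:01", "bob", "203.0.113.9", "fail"),
    ev("09:10:02", "bob", "203.0.113.9", "lockout"),
    ev("09:10:03", "carol", "203.0.113.9", "fail"),
    ev("09:10:04", "carol", "203.0.113.9", "lockout"),
    ev("09:20:00", "dave", "198.51.100.5", "success"),
    ev("09:25:00", "admin-ops", "198.51.100.5", "success", app=PS_APP),
]

def hour_of(ts):
    return ts.replace(minute=0, second=0, microsecond=0)

def failed_logins_per_hour(events, exclude_prefixes=()):
    """Rule 1: non-success outcomes per clock hour, ignoring the given source prefixes."""
    return Counter(hour_of(e["ts"]) for e in events
                   if e["result"] != "success" and not e["ip"].startswith(exclude_prefixes))

def unknown_usernames(events):
    """Rule 2: distinct usernames the directory rejected (generic lists or generators)."""
    return sorted({e["user"] for e in events if e["result"] == "unknown_user"})

def lockouts_per_hour(events):
    """Rule 3: lockouts per clock hour; a spike means a source ignored the lockout policy."""
    return Counter(hour_of(e["ts"]) for e in events if e["result"] == "lockout")

def powershell_by_standard_users(events, admins):
    """Rule 4: non-administrator accounts authenticating with Azure AD PowerShell."""
    return sorted({e["user"] for e in events if e["app"] == PS_APP and e["user"] not in admins})

def failure_ratio_per_ip(events, exclude_prefixes=()):
    """Rule 5: (failures, successes, failure ratio) per source IP."""
    tally = defaultdict(lambda: [0, 0])
    for e in events:
        if not e["ip"].startswith(exclude_prefixes):
            tally[e["ip"]][1 if e["result"] == "success" else 0] += 1
    return {ip: (f, s, f / (f + s)) for ip, (f, s) in tally.items()}

def alphabetical_runs(events, min_run=5):
    """ACSC observation: some sprays walk the user list alphabetically.
    Returns {ip: longest run of consecutive distinct targets in sorted order}."""
    targets = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if not targets[e["ip"]] or targets[e["ip"]][-1] != e["user"]:
            targets[e["ip"]].append(e["user"])
    flagged = {}
    for ip, seq in targets.items():
        best = run = 1
        for prev, cur in zip(seq, seq[1:]):
            run = run + 1 if cur > prev else 1
            best = max(best, run)
        if best >= min_run:
            flagged[ip] = best
    return flagged

if __name__ == "__main__":
    print("failures/hour (own ranges excluded):", dict(failed_logins_per_hour(LOG, ORG_RANGES)))
    print("unknown usernames:", unknown_usernames(LOG))
    print("lockouts/hour:", dict(lockouts_per_hour(LOG)))
    print("PowerShell by standard users:", powershell_by_standard_users(LOG, ADMINS))
    print("failure ratio per IP:", failure_ratio_per_ip(LOG, ORG_RANGES))
    print("alphabetical sources:", alphabetical_runs(LOG))
```

On this sample the external sources produce 13 failures in the 09:00 hour, three rejected usernames, two lockouts, one standard user (frank) coming back through PowerShell, failure ratios of 0.8 and 1.0 for the two attacking addresses against 0.25 for the office range, and a six-user alphabetical run from 203.0.113.7. The thresholds you alert on (failures per hour, acceptable ratio, minimum run length) must come from your own baseline; the point of excluding your egress ranges is that a busy office will otherwise dominate both the failure count and the ratio.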
The ACSC recommends organisations consider the following actions to reduce the effectiveness of actors utilising password spray attacks:
- Implement multifactor authentication (MFA) on all external access systems
MFA is highly effective at mitigating brute force and password spray attacks due to the additional complexity injected to the authentication process (see ACSC guidance document titled “Multi-factor Authentication”).
- Enforce complex passwords as well as a strong password reset policy
Weak and popular passwords are the ones targeted by this form of attack, so enforcing strong passwords decreases the likelihood of a successful authentication. Often, when setting up a new user account or resetting credentials, administrators set the password to a generic, easy-to-guess default. The ACSC recommends generating a random, more complex password instead (see ACSC guidance document titled "Passphrase Requirements").
- Increased alerting and monitoring
Ensure that your IT security staff or your Security Information and Event Management (SIEM) solution can correlate logs from multiple sources, including threat intelligence. This enables organisations to detect and actively block password spraying against externally facing services in a timely manner, which can prevent follow-on attacks (see section "Mitigation strategies to detect cyber security incidents and respond" in ACSC guidance titled "Strategies to Mitigate Cyber Security Incidents – Mitigation Details").
- Additional access controls and hardening
Consider the use case for your externally facing service. Assess whether it is possible to place additional security controls to prevent unauthorised access such as geo blocking, IP whitelisting or requiring users to first connect via a Virtual Private Network (VPN).
- Reset credentials of affected accounts
In the event that a password spray attack is successful, the ACSC recommends identifying compromised accounts and resetting the associated passwords. Resetting affected user account credentials in line with a strong password policy can prevent repeated malicious access to a compromised account.
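A small helper for the password advice earlier on the page (the dos and don'ts) and for the "Enforce complex passwords as well as a strong password reset policy" item above, added here as an example and not taken from the ACSC or NIST guidance: it flags the predictable passwords a sprayer tries first (a season or month plus a year, the company name plus digits, leetspeak spellings of "password") and generates a random initial password for new or reset accounts instead of a shared default. The pattern list, the 14-character policy minimum and the example organisation name "Contoso" are assumptions.

```python
"""Reset-credential hygiene: reject spray-style passwords, generate random ones.

Added example, not ACSC or NIST code. The denylist and the 14-character
minimum are illustrative choices; a real deployment would use a fuller
common/breached-password list and its own policy minimum.
"""
import re
import secrets
import string

SEASONS = {"spring", "summer", "autumn", "fall", "winter"}
MONTHS = {"january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"}
COMMON = {"password", "welcome", "letmein", "qwerty", "changeme", "admin"}
# Substitutions sprayers expect users to have made ("P@ssw0rd1" -> "password").
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t"})

def core_word(password):
    """Lowercase, drop the trailing digits/punctuation, undo leetspeak."""
    return re.sub(r"[^a-z]+$", "", password.lower()).translate(LEET)

def is_spray_candidate(password, org_words=()):
    """True if the password is one a spray list would plausibly contain.
    org_words: assumed list of company/product names users bolt digits onto."""
    core = core_word(password)
    org = {w.lower() for w in org_words}
    return not core or core in COMMON or core in SEASONS or core in MONTHS or core in org

def vet_password(password, org_words=(), min_len=14):
    """Return the list of policy problems (an empty list means acceptable)."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if is_spray_candidate(password, org_words):
        problems.append("matches a pattern password sprays try first")
    return problems

def generate_initial_password(length=16, org_words=()):
    """Random initial password for a new or reset account, never a shared default.
    Uses the OS CSPRNG via secrets and re-checks the result against the policy."""
    alphabet = string.ascii_letters + string.digits + "-_.!"
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and not vet_password(pw, org_words, min_len=length)):
            return pw

if __name__ == "__main__":
    for candidate in ("Summer2018!", "P@ssw0rd1", "Contoso2018",
                      "correct horse battery staple"):
        print(candidate, "->", vet_password(candidate, org_words=("Contoso",)) or "ok")
    print("generated:", generate_initial_password(org_words=("Contoso",)))
```

Normalising before the lookup is what makes the check useful: "Summer2018!", "summer2018" and "$ummer2018" all reduce to "summer", which is exactly how spray lists are built. Pair the generated initial password with a forced change at first logon and MFA; a random password on its own does nothing for an account whose old password has already been guessed.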
Reporting a cyber security incident
Australian organisations who have been the victim of a successful password spray are encouraged to report the incident to the Australian Cyber Security Centre. Australian organisations can also report unsuccessful password spray attacks, either ongoing or completed.
What else should you know?
We have put together cybersecurity essentials – a simple list which will help most organizations become far more secure.
Please go to a phishing simulation vendor now and sign up for one of their offerings. Phishing Box, KnowBe4 and Phish360 are all great.
We also recommend you get a free evaluation of your cybersecurity risk from an MSP/MSSP immediately.