Detection
To increase the likelihood of detecting password spray attacks, the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) recommends organisations create alerting rules in their Security Information and Event Management (SIEM) solution or similar, in the following circumstances:
- High number of authentication attempts within a defined period of time
Typically during a password spray attack the amount of failed attempts over a period of time (such as an hour) will be significantly higher than normal failed login events. Malicious cyber actors may attempt a set number of logins based on the default, or expected lockout threshold for a system or service. If you are reviewing logs from a cloud based service, excluding your organisation’s IP address ranges will help to narrow your search. The ASD's ACSC has also noticed that in some cases password sprays against user account logins have been attempted in alphabetical order. - Large number of bad usernames
Some password spray attacks may be attempted using generic username lists, or a username generators. The threat of such a technique is dependent on the username naming policy used on the system. Most systems utilised by organisations will use a standard naming convention so detecting this technique and assessing the threat posed by it can be readily achieved. - High number of account lockouts over a defined period of time
Depending on the method of spraying, some actors may try multiple passwords per account without regard or awareness of the lock-out policy, leading to corporate accounts being locked out. To prevent a denial of service from occurring organisations with ADFS should consider implementing a smart lock feature with windows Server 2016 (see Microsoft guidance “Description of the Extranet Smart Lockout feature in Windows Server 2016”). - In the case of using Microsoft cloud infrastructure, review standard users authenticating with Azure Active Directory PowerShell
Standard controls in Office 365 allow any user to use PowerShell to authenticate with your Microsoft Azure services. This gives the actor an automated way to enumerate your active directory hosted on the cloud, enabling them to spray against additional accounts or using that information to craft more sophisticated spear-phishing emails. While there is a legitimate purpose for interacting with services using Azure Active Directory PowerShell such usage is would be unexpected for standard, non-administrator users. For Azure Active Directory logging this can be identified if the user is authenticating with ‘appDisplayName: Azure Active Directory PowerShell’. - Looking at the ratio of login success verses login failure per IP address
Often spray attacks will yield more failures then successes. If a password spray attack is happening over a long period of time in an attempt to avoid detection, you can look at the ratio of failures versus successes per IP address and determine if an IP has a significantly high login failure rate.
Mitigations
The ASD's ACSC recommends organisations consider the following actions to reduce the effectiveness of actors utilising password spray attacks:
- Implement multifactor authentication (MFA) on all external access systems
MFA is highly effective at mitigating brute force and password spray attacks due to the additional complexity injected to the authentication process (see ASD's ACSC guidance document titled “Multi-factor Authentication”). - Enforce complex passwords as well as a strong password reset policy
Weak and popular passwords are targeted through this form of attack so enforcing strong passwords will decrease the likelihood of successful authentication. Often when setting up a new user account or resetting credentials, administrators set the password to a generic easy to guess password. The ASD's ACSC recommends generating a random, more complex password (see ASD's ACSC guidance document titled “Passphrase Requirements”). - Increased alerting and monitoring
Implementing and ensuring your IT Security Staff or Security Information and Event Management (SIEM) solution has the ability to perform correlation of logs from multiple sources such as threat intelligence. This will enable organisations to detect and actively block password spraying against your externally facing services in a timely manner which can prevent further follow on attacks (see section “Mitigation strategies to detect cyber security incidents and respond” in ASD's ACSC guidance Titled “Strategies to Mitigate Cyber Security Incidents – Mitigation Details”). - Additional access controls and hardening
Consider the use case for your externally facing service. Assess whether it is possible to place additional security controls to prevent unauthorised access such as geo blocking, controlling IP addresses or requiring users to first connect via a Virtual Private Network (VPN). - Reset credentials of affected accounts
In the event that a password spray attack is successful, the ASD's ACSC recommends identifying compromised accounts and resetting the associated passwords. Resetting affected user account credentials in line with a strong password policy can prevent repeated malicious access to a compromised account.
Reporting a cyber security incident
Australian organisations who have been the victim of a successful password spray are encouraged to report the incident to the Australian Cyber Security Centre through cyber.gov.au/report Australian organisations can also report unsuccessful password spray attacks, either ongoing or completed.