Identity attacks are common in this digital age. A threat actor tries multiple ways such as credential stuffing, phishing, cold calling, hacking, etc. to break into accesses. However, ‘Password Spraying’ has particularly become a major cause of concern in cybersecurity over the last few years.
Organizations that become victim to Password Spraying face some significant damages. For instance, when Citrix Systems, Inc. became a victim of the Password Spraying attack, here’s what happened-
FBI contacted Citrix Systems and said that a successful cyberattack was evident in its network and told them the hackers probably used password-spraying, a type of attack similar to brute-forcing and credential-stuffing. Citrix shared an update on its website saying, “They principally stole business documents and files from a company shared network drive that has been used to store current and historical business documents, as well as a drive associated with a web-based tool used in our consulting practice,”
This incident created a wave of awareness among organizations and security vendors. So, let’s understand the nitty-gritty of Password Spraying and see how you can safeguard your organization from the same.
What is Password Spraying, and How Does it Work?
According to Justin Jett, Director of Audit and Compliance at Plixer, “Password spraying is an attack that will, usually, feed a large number of usernames into a program that loops through those usernames and tries several passwords. As the name implies, you’re just spraying, hoping that one of these password combinations will work. Deep down, it’s a brute force attack.”
Most people often confuse Password Spraying with Credential Stuffing; they are certainly not the same. Let us clear the confusion with an example below.
X is an employee who has access to multiple applications like Office 365, AWS management console, Gmail, etc. and the attacker assumes that he uses the same password for all the applications. The attacker tries to ‘stuff’ as many credentials to the username until he finally cracks one and breaks into all the accounts. This kind of attack is known as Credential Stuffing.
On the other hand, a Password Spraying attack usually targets an entire organization. The attacker tests out a small number of commonly used passwords on a large number of accounts and targets single sign-on, cloud-based applications, webmail, ADFS, remote access desktops, etc.
National Cyber Security Center conducted a study that allowed organizations to determine how vulnerable their passwords would be to Password Spraying. It was found that 75% of participant organizations used passwords that featured in the top 1000 passwords and 85% of accounts had passwords that featured in the top 10000! Such organizations are easy targets for a Password Spraying attack.
How do you Detect Password Spraying?
Primarily, Password Spraying attackers have a limited chance of breaking into access. Essentially, they must be able to get access within 3-5 login attempts, failing which they get locked out of the system, and they will have to discontinue their endeavor. Therefore, you can indicate a potential Password Spraying attack with the following:
- Multiple Login attempts
If a frequent user of applications has trouble logging in, it could signal a Password Spraying attack. Generally, a user who knows his credentials well would not require multiple login attempts. - Increased number of account lockouts
A user getting locked out of his account very often could indicate something fishy. The user may get locked out even if he enters the right password because the hacker has tried logging into his account 3-5 times already. - Spike in the login failure rate
There are genuine reasons for login failure. Maybe, the user is unable to remember the password but, it could very well indicate a Password Spraying attack as the ratio of login failure to success is a mismatch; login failure attempts are more than successful logins.
So, if there are repeated login abnormalities within your organization, it is recommended to create an alert about Password Spraying within your organization’s security management systems.
Protect your organization from Password Spraying
According to information derived from FBI investigations, malicious cyber actors are increasingly using password spraying against organizations in the United States and abroad.
Should a threat actor succeed in Password Spraying, they will effortlessly get access to confidential and sensitive business documents; this will be detrimental to an organization’s growth and goodwill.
However, it is certainly not difficult to defend your organization against a Password Spraying attack. All you must do is, deploy efficient security measures as follows-
- Multi-factor authentication: This is a simple authentication mechanism that verifies more than two independent credentials via biometrics, challenge-response questions, tokens, etc. Usually, Password Spraying attackers do not touch accounts that are secured with MFA as it adds extra security barriers which are difficult to overcome in limited login chances.
- Strict password policies: Weak passwords are a gateway to cybercrimes. Strong password policies such as using alpha-numerical passwords, using different passwords for different logins, using MFA or 2FA, reducing helpdesk dependencies for password resets, etc. should be an inevitable part of the organization.
- Passwordless authentication: Best still, eliminating the use of passwords and opting for Passwordless Authentication would be highly beneficial. Passwordless Authentication methods include Biometrics, tokens, magic login links, OTP, etc. Since no passwords are involved, there is no question of Password Spraying.
- Design a detection system: Every organization, irrespective of its size is vulnerable to Password Spraying attacks. Therefore, a well-designed detection system should be a part of every organization in place. The threshold of alerts can differ as per each organization’s security requirements.
You may also want to read the Australian Cyber Security Center Password Spray attacks – detection and mitigation strategies to help you design an effective detection system.
We have always been alerted by the security community about the rise in Password Spraying attacks.
Alex Simons, director of program management for the Microsoft Identity Division called password spraying “A common attack which has become much more frequent recently,” he declared, “Password spray is a serious threat to every service on the Internet that uses passwords.”
Therefore, it is about time we build a solid defense mechanism against Password Spraying attacks and keep the organization’s security uncompromised and intact.
