4 Protections Against Password-Spray Attacks

News Desk -


By: Morey Haber, Chief Security Officer, BeyondTrust

Nothing reinforces the “it could happen to any of us” mindset of the modern CISO like a good headline, especially when the victim is a Big Five tech player. Surely, they are protected to the hilt. Surely, they are impervious. But no. The echo of the New Year gong had barely faded when security leaders in the GCC, and around the world, were reading about Microsoft’s tangle with Midnight Blizzard. Alternatively known as “Nobelium”, “APT29”, “UNC2452”, and the somewhat cuddly “Cozy Bear”, the Russian state-sponsored (according to Microsoft) social-engineering specialist was reportedly behind the 2021 SolarWinds infiltration. In January, this decidedly non-cuddly “Bear” compromised the tech giant with a simple password-spray attack that began in November. From the hijack of a test tenant account, Midnight Blizzard moved laterally to take over several other corporate accounts, including those of top executives — even those of cybersecurity leaders.

So, let the lesson-learning begin. First, the classics still work. Password-spray attacks have been around forever. They differ from a brute-force attack, in that they hit a large quantity of accounts with the most common passwords — “12345678”, “Passw0rd”, and so on — rather than focusing on a single account by trying every possible password. The attack method also tries one chosen password at a time against each account on the attackers hit list, which is stealthier because it prevents lockouts. Second, the threat gang (may have) made off with some (undisclosed) data, indicating, once more, that even the largest enterprises are at risk. Third, Microsoft’s own investigation concluded that the attack was not tied to a vulnerability but rather to the absence of multifactor authentication (MFA) in legacy systems. So, “practices make perfect”, as in “best practices”. So, let’s look at some now to ensure the region’s enterprises do not fall prey to a Microsoft-style drama.

1. Password management

It is crucial to understand that the absence of robust passwords, multifactor authentication, and other standards is, by definition, the absence of strong management principles. If we want to talk in terms of blast radius, we minimize damage by minimizing the number of accounts that are not following the right protocols. Strong passwords are the enemy of spray attacks so good password management is the enemy of spray attacks. Such attacks succeed more commonly when targeting cloud-native applications because they are seldom monitored for failed logon attempts and also tend to not use modern practices such as MFA.

Password management is as straightforward as it sounds. It provides a digital means of looking over each user’s shoulder to ensure they change their passwords regularly, use sufficiently complex ones when they do so, and do not duplicate them across resources. Enterprise password management solutions are available for such purposes and are well worth the investment, especially if one considers Microsoft is not the only cautionary tale that illustrates the potential consequences of inaction. These platforms are hygiene enforcers and best-practice disciplinarians for human and machine accounts alike. Apart from password oversight, they are capable of managing privileged sessions in real time to flag potential threats and, if necessary, pause or terminate a session to protect the environment.

2. Multifactor authentication

Password-spray attacks can sometimes be defused by password hygiene alone. But to really frustrate the threat actor, security teams should implement MFA. While this is important for all users, it becomes all the more critical for privileged accounts. While no cybersecurity measure is foolproof and bench-testing reports on MFA do vary, some results show protection factors of above 99.99%, meaning less than one in 10,000 attempts on an MFA-protected corporate account will succeed.  MFA is a concrete hurdle for attackers and provided phishing-resistant variants such as FIDO2 (which uses public-key cryptography and is stronger than SMS-based OTPs) are implemented, an organization can consider itself strongly protected.

3. Endpoint privilege management

Once an attacker has compromised the right account, they can do the kind of damage that makes headlines. They can poke around intellectual property, plant ransomware in multitier backup systems, send convincing emails from genuine corporate accounts, and much more. Assuming an organization has effective password management and MFA in place, we are now discussing a highly unlikely occurrence, but that does not mean we should not prepare ourselves. If an attacker does get this far, our next objective is to limit their opportunities for lateral movement. This can be achieved by adhering to the principle of least privilege (PoLP), where every user and machine account is granted only those permissions necessary to carry out their function. PoLP also happens to be one of the pillars of zero-trust environments, which are becoming increasingly popular in the GCC, and is most commonly implemented through an endpoint privilege management solution.

4. Identity threat detection and response

When basic security controls such as MFA and password enforcement are not in place, your organization is vulnerable. These problems are inflated if you do not have the means to promptly detect and close security gaps. Any lag between the start of attack-related activities and their detection by the enterprise is a boon to the attacker and a risk to the target. Identity threat detection and response (ITDR) can proactively mitigate poor identity controls by flagging gaps before they are exploited. ITDR goes further though because it can also swiftly detect and respond to attacks as they occur.

Spray calm

Password-spray attacks do not target system vulnerabilities; they target us. The human capacity to settle for what keeps the gears of our lives turning — personal, commercial, governmental — is understandable. But it is exactly this tendency that spray attacks exploit. And all that stands between threat actors and those aforementioned life gears are the best practices mentioned here. Microsoft endured a lot of inconvenience to teach us some valuable lessons about the basics of cybersecurity. It would be a shame to let that go to waste.

Leave a reply