Password spraying detection: Where do I start?
Password spraying has been one of the hottest topics in cyber security in the last few years. Right off the heels of multiple high-profile breaches, it’s been getting a lot of attention from security vendors, reporters, and the security community as a whole. In this post, we’ll discuss why password spraying is increasing in prevalence, and steps your organisation can take to detect it.
What is password spraying?
Put simply, password spraying is when attackers attempt to gain access to a victim’s account by trying passwords that users are likely to use. This is not to be confused with password stuffing, wherein attackers use previously-compromised credentials for similar accounts from other services.
Why is password spraying on the rise?
Password spraying is becoming a significant issue for the industry due to a number of factors.
More users are leveraging more applications
More and more business applications and consumer services are moving to the cloud or increasing their online presence. In the case of consumer services, they range from social networking to loyalty programs or food delivery. Many of these services use their own identity for users. As a result, the number of user accounts consumers manage has gone up dramatically.
Compromised credentials have become more widely available
As of the time of writing, Have I Been Pwned counts 7,808,519,176 unique credentials that have been compromised and exposed. Where did these compromised accounts come from? How have so many been compromised? We actually have a new source of data in 2019 that helps us comprehend just how bad things are: GDPR.
In just 9 months (between May 2018 and February 2019) there were 206,326 cases reported to the European Data Protection Board, of which ~65,000 were, according to the report, “initiated on the basis of a data breach report by a Data Controller.” The kicker is, these breaches led to more compromised accounts, which, in turn, lead to more breaches. A vicious cycle.
Monetising accounts is easier than ever
A decade ago, most financially-motivated attacks targeted financial data. But since then, organised crime has found new ways to monetise access to new categories of services.
What’s more, in addition to the ability to sell personal data on the dark web, criminals have begun to monetise stolen data in new and novel ways. No longer is intellectual property being traded and sold on forums. It is being directly monetised through ransom and blackmail with payment through untraceable cryptocurrencies. Naturally, the value of corporate and consumer accounts has also gone up in recent years as a result.
Password reuse means lateral movement
Another element to consider is lateral movement. Password spraying of cloud services might not lead to network lateral movement in the traditional sense. But given the prevalence of password re-use, compromising credentials for one service often leads to the compromise of other cloud services.
Or in cases where a Single Sign-On (SSO) tool is used, falling victim to password spraying allows access to downstream services for the same user. In addition, password spraying could allow lateral privilege escalation within cloud services if the compromised account has the ability to modify or create new permissions for existing accounts.
The threat model
To put password spraying in context as an attack technique, we can turn to the MITRE ATT&CK Framework. For those of you not familiar with ATT&CK, it maps attacker techniques to various stages of an intrusion or breach. While password spraying is not listed specifically in the matrix, the eventual goal is access to user accounts, which is listed (“Valid Accounts” T1078).
If you look at the Valid Accounts technique, you will notice something interesting. It shows up 4 times: MITRE associates Valid Accounts with Initial Access, Persistence, Privilege Escalation, and Defense Evasion. This makes it one of the more common techniques in the matrix.
It could situationally also apply to the Discovery, Lateral Movement, and Collection stages as well. You can use valid accounts to access various services and data repositories and view internal documents, and you may also be able to use the compromised account to access other services. So password spraying into a valid account covers 7 out of 11 columns in the ATT&CK matrix.
Most companies invest heavily in security solutions such as firewalls, anti-virus, endpoint detection and response tools, asset management and patching, and system hardening. Password spraying into a valid user account allows attackers to bypass all of these, and which is why it’s so popular and effective. In addition, by looking at the MITRE ATT&CK framework we see that attackers can accomplish almost all of the things they would need to do during an intrusion using valid accounts.
So, ignore password spraying at your own risk.
How do you detect password spraying? First, we need to set the expectation that there is no “magic button”. Detecting password spraying involves resources and engineering. At a high level, it requires that you export your authentication and access logs to an external system that indexes them, and then utilise those logs for threat and intrusion detection. Then, you will need to review those logs continuously for patterns associated with password spraying or stuffing attacks.
Let’s talk about a few of these patterns that you can operationalise for your specific log monitoring technology. These patterns are frequently referred to as Indicators Of Compromise (aka IOCs). Here are a few examples:
- Attempting to login to unknown or invalid users
When attackers are conducting password spraying attacks, they may use out-of-date user lists or scrape emails from various places. They may also attempt to guess usernames based on a known naming schema such as “first.last”. Be on the lookout for remote hosts that are attempting to login to non-existent users.
- High volume of account lockouts
If the number of passwords being attempted in the spray exceeds the lockout threshold set within the service, it will trigger lockout events. While these are to be expected, they should be considered suspicious in a high volume and/or short time period.
- Remote hosts with high login failure rate
There are many reasons why a remote host would have a high login failure rate, but this can still be a good signal—especially when combined with a few other patterns such as the ones mentioned in this section.
- Spike in failed logins
Another good signal for detecting automated attacks is frequency and tempo. Look for spikes in events such as lockouts or failed logins. These could indicate an automated attack.
- Specific URI targeting
Another good signal is the targeting of a specific API endpoint or service. Normal users tend to click around and hit various pages and services. Bots and automated tools will hit the same URI repeatedly, often using the same HTTP User Agent.
- Authentication velocity checks
Review your logs for number of login attempts that occur at certain intervals. For example, it would be suspicious to see a single failed login for 90+% of your users within a 15-minute window. Also, it would be suspicious to see multiple failed logins by a human user in a matter of seconds. Attackers may experiment with different velocities and even utilise distributed infrastructure to identify the service lockout policy, and then avoid it.
Building your detection model
These signals are good places to start, but you will need to apply them to your log data in a way that is appropriate for your environment and risk tolerance. Along the way, you want to maintain a signal-to-noise ratio that works for your security operations team and doesn't overwhelm them. As your program matures, you can increase the number of IOCs while continuing to scale your capabilities and improve the quality of your alerts.
Based on the size of your organisation, you will also need to determine what thresholds you want to use for your alerting. For example, an organisation with 100 users would consider 50 failed logins pretty suspicious, but an organisation with 10,000 users probably wouldn't even notice. Take into account the number of users in the system, events per second, and average logins per day/hour. Use this to improve your indicators of compromise.
Finally, you know your organisation and the threats it faces better than anyone else. You can fine tune these detections to be even more actionable by applying them to or creating specific alerts for a subset of your users (such as highly privileged users or VIPs) or critical applications (such as your HR/payroll system).
The bottom line
Attackers will take the cheapest and shortest path to their objectives. Password spraying definitely fits that description. It is both easy to do at scale, effective, and when successful can allow attackers to gain access to valuable assets while bypassing traditional security controls.
Finally, password spraying is more accessible to the casual attacker because of all the open source tools that have been released in the last few years. The barrier to entry is pretty low. As long as we continue relying on passwords alone as authentication factors, password spraying will remain the method of choice to quickly and reliably compromise business accounts. To make things worse, the proliferation of IoT devices represents an exponential increase in the attack surface.
All this to say that today’s organisations should take the threat of password spraying very seriously by enforcing MFA everywhere and addressing IOCs applicable to their environments.
A very special thank you to Okta Security Engineer, Cameron Ero, for his contributions to this post. To learn more about how to prevent account takeover techniques such as password spraying, check out this blog on how to stop account takeovers before they happen.