“Password Spraying”—What to Do and How to Avoid It

March 15, 2019

Cyber breaches aren’t the only hot topic in the cyber media—sometimes the attack tactics themselves can claim the limelight when a significant breach gains media attention. One tactic getting some attention in the news is “password spraying.” We offer an overview of what it is, how to avoid it, and what to do if you think you were affected by an attack below; but note that a strong overall cybersecurity posture and adherence to best practices are always the best defense across the range of attack vectors, whether they are in the news or not!

What Is Password Spraying?

Password Spraying is a variant of what is known as a brute force attack. In a traditional brute force attack, the perpetrator attempts to gain unauthorized access to a single account by guessing the password repeatedly in a very short period of time. Most organizations have employed countermeasures, commonly a lock-out after three to five attempts. In a Password Spraying attack, the attacker circumvents common countermeasures (e.g., account lock out) by “spraying” the same password across many accounts before trying another password.

Typically used against single sign-on (SSO) and cloud-based applications using federated authentication protocols, this attack allows the malicious actor to compromise the authentication mechanisms. Once in, the attacker moves laterally, capitalizing on internal network vulnerabilities, to gain access to critical applications and sensitive data.

Common tactics, techniques, and procedures (TTPs) involved in this type of attack include:

  • Using online research and social engineering tactics to identify target organizations and user accounts
  • Using easily guessed passwords (e.g., “Password123”) to execute the password spray attack
  • Leveraging compromised accounts to obtain email address lists to attack even more accounts
  • Expand laterally within the compromised network and exfiltrate data

How to Avoid Being a Victim of Password Spraying Attacks

To avoid being a victim, it is recommended that you:

  • Enable and properly configure multi-factor authentication (MFA)
  • Enforce the use of strong passwords
  • Regularly review your password management program
  • Maintain a regular cadence of security awareness training for all company employees
  • Ensure your Help Desk has well-documented procedures for password resets for user lockouts

What to Do if You Suspect Your Organization Was Affected by a Password Spraying Attack

  • If you do not have MFA, consider resetting passwords for administrative and privileged domain accounts 
  • If you have a Security Logging platform, make sure it is configured to identify failed attempted logins across multiple systems and increase your response and investigation into these activities
  • Deploy an Endpoint Detection and Response technology (EDR—example: CrowdStrike) and/or Deception Technology (example: Illusive Networks) on end points to gain visibility of malicious activity and prevent attacker lateral movement
  • Review your incident response plan and alert appropriate members in a precautionary capacity
  • Contact Coalfire or another security firm with incident response and digital forensic capabilities and have them perform an investigation if you believe there are indicators of data loss, or you need additional support

Additionally, monitor your networks for anomalous activity such as a spike in attempted logins on the enterprise SSO portal as well as web-based applications, looking for logins inconsistent with your normal operations. This could be an indicator of an attack in progress. It’s also important to put proper focus and attention on your internal network security posture to limit an attacker’s capability to move laterally through the network. Regular penetration testing and red team testing can help to probe your organization for weaknesses before an attack occurs.

Remember, employing a strategy of defense in depth makes the attacker’s job more difficult.