Protect your business from password sprays with Microsoft DART recommendations

Microsoft Security Blog, published 2021-10-26 (last modified 2023-05-23)
https://www.microsoft.com/en-us/security/blog/2021/10/26/protect-your-business-from-password-sprays-with-microsoft-dart-recommendations/
Over the past year, the Microsoft Detection and Response Team (DART), along with Microsoft's threat intelligence teams, have observed an uptick in the use of password sprays as an attack vector. This threat is a moving target, with techniques and tools always changing, and Microsoft continues to find new ways to detect these types of attacks and help protect its customers.

In this blog, we define what password sprays are, detail DART's investigation techniques and approach to responding to password spray attacks, and outline our recommendations for protecting against them.

Why are identity-based attacks suddenly so popular?

Previously, threat actors focused on attacking computers to gain access into an environment. As software becomes better at detecting abnormal programs and vulnerabilities, attacks against our customers are rapidly shifting toward breaking into identities rather than breaking into a network.

The approach to securing user accounts is well-intentioned but often incomplete: a large share of the investment typically goes into areas such as complex password policies and limiting access to resources from networks perceived as secure. While these mitigations are necessary best practices, they do nothing to stop a trusted user whose credentials have been compromised.

This is why identity attacks have become so popular. Once attackers hold the credentials of an account, they can access any sensitive resource that user can access, and the malicious activity looks like normal use. This creates a repeating attack cycle: one compromised account yields access to resources where additional credentials can be harvested, which in turn unlock further resources.

Figure 1. Identity-based attack lifecycle.

The anatomy of a password spray attack

To understand how to protect against and investigate a password spray attack, it is important to understand what it is.
Password spray attacks are authentication attacks that take a large list of usernames and pair them with a small number of common passwords, in an attempt to "guess" the correct combination for as many users as possible. They differ from brute-force attacks, in which attackers use a custom dictionary or wordlist against a small number of user accounts. A spray typically tries one or two passwords per account and then moves on, which keeps every account below lockout thresholds; a brute-force attack concentrates many attempts on one account.

Sophisticated password spray techniques include some of the following qualities:

Password spray methods:

Password spray identifiers:

Microsoft has implemented new and improved password spray detections over the last year to help continue to address password spray attacks.

Help! I've been sprayed!

DART is no stranger to password spray attacks. When it comes to investigating cybersecurity incidents, our team's primary goal is to establish the facts and see where they lead. Here are some of the questions our team typically considers at the start of each password spray incident:

Our password spray investigations playbook contains in-depth guidance on investigating password spray attacks, including information about Microsoft Active Directory Federation Services (ADFS), Microsoft's solution for single sign-on (SSO) and web-based authentication.

Am I a target?

It is important to understand the targets of the password spray to correctly determine the scope of the potential compromise. Recently, DART has seen an uptick in cloud administrator accounts being targeted in password spray attacks, so understanding the targets is a good place to start. Enumerate the users with the below permissions as the initial list to investigate, and then add users to it as the analysis proceeds:

In addition to privileged accounts such as these, high-profile identities (such as C-level executives) and identities with access to sensitive data are also popular targets. It is easy to make exceptions to policy for staff in executive positions, but in reality these are the most targeted accounts.
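As an added example (not part of the original post or DART's playbook), the following Python applies the spray-versus-brute-force distinction above to sign-in records and then pulls out the accounts to put at the top of the "Am I a target?" list: anyone who signed in successfully from an address that was spraying. The record shape mirrors Azure AD sign-in log fields (createdDateTime, userPrincipalName, ipAddress, status.errorCode; 50126 is Azure AD's invalid-credentials code), but the events, the tenant name contoso.example and the thresholds are constructed for the example.

```python
"""Triage sign-in failures by source IP: password spray vs. brute force.

Added example, not code from the original post. The records below are
constructed to look like Azure AD sign-in log exports; they are not real
telemetry, and the thresholds are starting points to tune per tenant.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)      # bucket width used to group failures per source IP
SPRAY_MIN_USERS = 5              # distinct accounts one IP must fail against
SPRAY_MAX_PER_USER = 3           # a spray tries one or two passwords per account
BRUTE_MIN_ATTEMPTS = 10          # brute force hammers a single account
INVALID_CREDENTIALS = 50126      # Azure AD error code: invalid username or password
SUCCESS = 0


def _event(when, upn, ip, code):
    return {"createdDateTime": when, "userPrincipalName": upn,
            "ipAddress": ip, "status": {"errorCode": code}}


# Constructed sample (assumed tenant contoso.example, TEST-NET addresses).
SAMPLE_SIGNINS = (
    # Spray: one failure each against eight accounts, a minute apart ("low and slow").
    [_event(f"2021-10-20T02:{m:02d}:00Z", f"{u}@contoso.example", "198.51.100.7", INVALID_CREDENTIALS)
     for m, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"])]
    # ...then a success from the same IP: the sprayed password worked for carol.
    + [_event("2021-10-20T02:30:00Z", "carol@contoso.example", "198.51.100.7", SUCCESS)]
    # Brute force: twelve failures against bob from one IP in under a minute.
    + [_event(f"2021-10-20T03:00:{s:02d}Z", "bob@contoso.example", "203.0.113.9", INVALID_CREDENTIALS)
       for s in range(0, 36, 3)]
    # Benign: alice mistypes once, then signs in from her usual address.
    + [_event("2021-10-20T08:00:00Z", "alice@contoso.example", "192.0.2.5", INVALID_CREDENTIALS),
       _event("2021-10-20T08:00:20Z", "alice@contoso.example", "192.0.2.5", SUCCESS)]
)


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def _buckets(events):
    """Split time-ordered events into runs no wider than WINDOW."""
    runs, current = [], []
    for ev in events:
        if current and _parse(ev["createdDateTime"]) - _parse(current[0]["createdDateTime"]) > WINDOW:
            runs.append(current)
            current = []
        current.append(ev)
    if current:
        runs.append(current)
    return runs


def classify_sources(signins):
    """Map each source IP that produced failures to 'password_spray', 'brute_force' or 'benign'."""
    failures = defaultdict(list)
    for ev in sorted(signins, key=lambda e: e["createdDateTime"]):
        if ev["status"]["errorCode"] == INVALID_CREDENTIALS:
            failures[ev["ipAddress"]].append(ev)
    verdicts = {}
    for ip, events in failures.items():
        verdict = "benign"
        for run in _buckets(events):
            per_user = Counter(e["userPrincipalName"] for e in run)
            # Many accounts, few tries each: the spray signature (stays under lockout).
            if len(per_user) >= SPRAY_MIN_USERS and max(per_user.values()) <= SPRAY_MAX_PER_USER:
                verdict = "password_spray"
                break
            # One account hammered: classic brute-force / dictionary attack.
            if max(per_user.values()) >= BRUTE_MIN_ATTEMPTS:
                verdict = "brute_force"
        verdicts[ip] = verdict
    return verdicts


def accounts_to_investigate(signins):
    """Accounts that later signed in successfully from a spray source: the spray landed."""
    sprayers = {ip for ip, v in classify_sources(signins).items() if v == "password_spray"}
    return sorted({e["userPrincipalName"] for e in signins
                   if e["ipAddress"] in sprayers and e["status"]["errorCode"] == SUCCESS})


if __name__ == "__main__":
    for ip, verdict in classify_sources(SAMPLE_SIGNINS).items():
        print(f"{ip:15} {verdict}")
    print("investigate first:", accounts_to_investigate(SAMPLE_SIGNINS))
```

Grouping by a single source address catches the simple case; a distributed spray rotates addresses, so in practice pivot on other identifiers as well (user agent, ASN, the shared time window) and check the verdicts against the Cloud App Security and Identity Protection alerts described in the following sections.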
Be sure to apply protection uniformly to avoid creating weak spots in the configuration.

How can I check for suspicious activity?

To perform a thorough cloud investigation, exporting logs and installing PowerShell modules is unavoidable; both are discussed in detail in our password spray investigation playbook. There are, however, other ways to gain insights quickly.

Microsoft Cloud App Security

The Microsoft Cloud App Security portal is a good first place to check for suspicious activity. If you have Cloud App Security enabled, follow these steps to check for suspicious activity:

Figure 2. Sample alerts in Cloud App Security related to possible password spray attacks.

Here are some alerts that could be associated with a password spray incident:

We describe additional Cloud App Security alerts in our documentation.

User investigation priority

For the accounts of interest, check the Cloud App Security investigation priority by navigating to the account under Users and accounts. The investigation priority score is based on security alerts, abnormal activities, and the potential business and asset impact related to each user, and helps you assess how urgent it is to investigate that user.

Figure 3. The user page in Cloud App Security shows the investigation priority.

Azure Active Directory

Microsoft Azure Active Directory (Azure AD) incorporates behavioral analysis into its detection logic natively, so an alert about a password spray attack may already exist. Below are several places to check within the portals before going through the effort of exporting logs. Use the indicators of compromise (IOCs) from these alerts, such as user, IP address, and time range, to pivot further.

Identity Protection

Identity Protection is a tool in Azure AD designed to identify potentially risky behavior surrounding authentication events. Users with an Azure AD Premium P2 license may follow these steps to check for suspicious activity:

Figure 4.
Azure AD can display a list of risky sign-ins to identify potentially risky behavior.

Revoke user access

If an identity is considered compromised, take action immediately to ensure that access is revoked. This should include disabling the user's device(s), resetting the password, disabling the account, and revoking tokens in Azure AD.

Recommendations for protecting against password sprays

Password sprays are worrisome, but when we look at the statistics in the Digital Shadows report "From Exposure to Takeover," there are over five billion unique credential pairs available for sale worldwide, with new caches of credentials being exposed on a regular basis.[1] This kind of volume tells us that we should assume that a breach will occur and consider a compromised username or password in any given organization inevitable.

This does not mean we should give up on passwords altogether, but the rabbit hole of password policies, and the potentially endless discussions about complexity, length, and "correct horse battery staple" (don't know what we are talking about? Look it up!), should be avoided in favor of applying Zero Trust logic to identity and authentication. This includes areas like:

Figure 5. Conditional Access policy in Azure AD.

Assume breach

Password spray attacks are the perfect combination of low effort and high value for attackers, and even the most secure companies are likely to fall victim to them. However, preventing catastrophic damage is not a hopeless endeavor. By assessing both sides of the situation, protection against the attack as well as the capability to investigate and remediate one, you can ensure substantial coverage against the damage a password spray can do.

DART uses these strategies in everyday investigations. We encourage our customers to adopt passwordless technology and enable MFA, regardless of the provider.
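The four containment steps listed under "Revoke user access" above can be scripted against Microsoft Graph. The following Python is an added example, not code from the original post or from DART's playbook; it assumes a bearer token holding Graph permissions sufficient to update users and devices and to revoke sessions (the exact permission set depends on your tenant's flow and is an assumption here), and it reorders the steps so that the account is disabled before the password is reset and tokens are revoked last. The `send` hook lets the planned calls be inspected without network access.

```python
"""Contain a compromised Azure AD account through Microsoft Graph.

Added example, not from the original post. Assumes a bearer token with
Graph permissions to update users and devices and to revoke sign-in
sessions; user and device object IDs are assumed to come from the
investigation (e.g. the accounts flagged by Identity Protection).
"""
import json
import secrets
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def containment_plan(user_id, device_ids=(), new_password=None):
    """Return the ordered (method, url, body) Graph calls for one compromised user."""
    # Throwaway credential; forceChangePasswordNextSignIn makes the user replace it.
    new_password = new_password or secrets.token_urlsafe(24)
    # 0. Disable the user's registered devices so a device-bound session cannot continue.
    plan = [("PATCH", f"{GRAPH}/devices/{d}", {"accountEnabled": False}) for d in device_ids]
    plan += [
        # 1. Stop new sign-ins before touching anything else.
        ("PATCH", f"{GRAPH}/users/{user_id}", {"accountEnabled": False}),
        # 2. Invalidate the sprayed password and force a change at next sign-in.
        ("PATCH", f"{GRAPH}/users/{user_id}",
         {"passwordProfile": {"password": new_password,
                              "forceChangePasswordNextSignIn": True}}),
        # 3. Revoke refresh tokens last, after the reset, so nothing issued
        #    before this point can be renewed with the old credential.
        ("POST", f"{GRAPH}/users/{user_id}/revokeSignInSessions", None),
    ]
    return plan


def _graph_send(method, url, body, token):
    """Default transport: one authenticated Graph request; raises HTTPError on 4xx/5xx."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        url, data=data, method=method,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


def contain(user_id, device_ids, token, send=_graph_send):
    """Execute the plan in order; an HTTPError aborts so no later step is silently skipped."""
    results = []
    for method, url, body in containment_plan(user_id, device_ids):
        results.append((method, url, send(method, url, body, token)))
    return results


if __name__ == "__main__":
    # Dry run with a recording transport: prints the calls that would be made.
    def _dry(method, url, body, token):
        print(method, url, json.dumps(body) if body is not None else "")
        return 0

    contain("00000000-0000-0000-0000-000000000001", ["device-object-id"], "token", send=_dry)
```

One caveat to keep in mind when running this: revokeSignInSessions invalidates refresh tokens and browser session cookies, but access tokens that were already issued stay valid until they expire (typically up to an hour) unless the resource enforces continuous access evaluation, so keep watching the account's activity for that window after containment.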
While attackers will no doubt keep exploring new ways to break into an environment, by assuming breach we can help safeguard against the harm that would otherwise be inevitable.

Learn more

Want to learn more about DART? Read our past blog posts.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.