Basic cyber hygiene: Protect against “password spray”

This blog is part of the Cybersecurity Tech Accord’s ongoing efforts to advance responsible cyber hygiene in accordance with our commitment to the principles of the Paris Call For Trust and Security in Cyberspace. 

Over the last three months, the unprecedented COVID-19 pandemic has prompted multiple reports on increased advanced persistent threats (APT) from cybercriminals and state actors alike. One specific method often used is worth highlighting: “password spraying.” The use of this technique has been so problematic that it has recently become the subject of a joint warning issued by the UK’s National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA).  

Password spraying refers to a type of cyberattack in which a malicious actor attempts to break into online accounts by testing a small number of commonly used passwords, such as Password123, 123456, or 00000, against different accounts on a domain. Advanced attackers can use this method against a large number of different accounts in a single attack, repeating the login attempts multiple times with different passwords while remaining undetected by staying below the maximum number of allowable password attempts on the domain. 

Typically, these attacks involve hackers gaining access to an organization’s usernames through information readily available online or on individuals’ personal accounts. Compromised or commonly used passwords are then used to attempt a login against different accounts on the network, in hopes that hackers might be successful with at least one of them. Once they infiltrate the system, they can often obtain additional email addresses, change passwords, and even expand laterally within the network to achieve their goals – whether that is data exfiltration or something even more nefarious.  

This stealthy attack, used by some of the most advanced adversaries, is not easy to detect, and victims often don’t even realize they’ve been targeted. Last November, Microsoft reported that a state actor known as Holmium or APT33 used password spraying to target industrial control system suppliers for electric utilities, as well as oil and gas facilities, among other industrial environments. The report warned that such attacks could be a first step toward sabotage attempts and highlighted how it took less than a week from initial access to obtaining “unhampered access and full domain compromise.”  

Password spraying has become more common in recent years, not only because passwords are easy to guess, but also because compromised credentials have become widely available and methods for automating or executing large-volume tasks are easier to establish. Think about how often you have read about large breaches in which hackers procured personal information and passwords. Because users today are leveraging an increasing number of services and applications, reusing passwords is a common way to manage the inconvenience of having to remember multiple, complex passwords. As a result, compromised credentials for one service often give hackers an easy way to access others. 

In the last few weeks, the Cybersecurity Tech Accord has highlighted cyber hygiene practices in line with our commitment to the Paris Call on Trust and Security. As malicious cyber activity accelerates around the COVID-19 crisis, it’s critical that individuals and organizations are aware of their cyber risk and ensure good cyber hygiene practices to proactively defend themselves. Here are a few helpful signs to determine whether you or your organization have become a victim of password spraying, and how to respond before the attack is successful:   

  • An increase in bad usernames. Malicious actors will likely try to guess at least some of the usernames based on a generic formula ([email protected]) or pull email addresses from various lists that may be out of date.   
  • An increase in account lockouts or authentication attempts. Malicious actors may try multiple passwords per account, resulting in account lockout.  
  • A spike in failed logins. An increase in failed logins within a short time span can signal an automated attack.  

A question you may ask yourself is how to make sure you and your organization do not become victims in the future. As with most things in cybersecurity, you can never be 100 percent sure you are protected. However, the following cyber hygiene practices can definitively reduce your cyber risk and exposure:  

  • Enable multi-factor authentication (MFA) by default across your organization. Having a secondary layer of authentication eliminates the ability to compromise an account by guessing a password. This action requires that users sign in with at least two authentication factors that include a password or PIN, biometrics and/or a trusted device. Most consumer authentication services now offer some variation of this feature. 
  • As a stronger layer of protection and second link of trust, integrate an IT centralized password manager with Password Authentication Infrastructure (PAI) to alleviate employee-managed passwords.  
  • Implement a “Managed Detection and Response” (MDR) solution to help detect signals for password spraying. A mature cybersecurity program may collect all the data into centralized systems called Security Incident and Event Managers (SIEMs), which can be reviewed via a combination of automation and human analysis. 
  • Put a virtual private network (VPN) in place. As highlighted in a previous blog, this is a helpful tool to protect from man-in-the-middle attacks and malicious actors gaining access to your system.  Organizations must carefully monitor activity on their VPN and maintain security patching to avoid this layer of network access also becoming a threat vector. 
  • Implement an effective password policy for your organization, balancing usability and security, and blacklisting the most common and compromised passwords, as well as rejecting password reuse over time. Enforce periodic password resets. Moreover, make sure that new account passwords are not generic and change any current generic passwords. As an individual, use a password generator service to ensure your passwords are secure and unique to each account.  
  • Set account lockout policies to prevent passwords from being guessed after a certain number of failed login attempts. However, make sure you don’t give away critical information: ensure applications return a generic error message regardless of which part of the login was incorrect.  
  • Finally, spread the word. As an organization, implement security training that ensures users are aware of bad password habits and act responsibly, not just when it comes to their work, but for their personal accounts as well. As an individual – tell your friends and ensure we all take steps to be more secure online.
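As an added example (not code from the original post), here is a minimal account store that applies two of the practices above: rejecting the common passwords the post names at account creation, and locking an account after repeated failures while returning one identical message whether the username is unknown, the password is wrong, or the account is locked. The threshold (5 failures), lockout duration (15 minutes), hashing parameters and the `AccountStore` class are assumptions for illustration.

```python
import hashlib
import hmac
import os
import time

# Policy values assumed for this example, not prescribed by the post.
MAX_FAILURES = 5
LOCKOUT_SECONDS = 900
# The same message for unknown user, wrong password and locked account, so the
# response never confirms which usernames exist or which are locked.
GENERIC_ERROR = "Invalid username or password."
# Denylist seeded with the passwords the post names; a real one would be far larger.
COMMON_PASSWORDS = {"password123", "123456", "00000"}

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AccountStore:
    def __init__(self):
        self.accounts = {}  # username -> salt, hash, failures, locked_until
        self._dummy_salt = os.urandom(16)  # used to equalise work for unknown users

    def add(self, username, password):
        if password.lower() in COMMON_PASSWORDS:
            raise ValueError("password is on the common/compromised list")
        salt = os.urandom(16)
        self.accounts[username] = {"salt": salt, "hash": _hash(password, salt),
                                   "failures": 0, "locked_until": 0.0}

    def login(self, username, password, now=None):
        """Return (success, message); every failure path yields GENERIC_ERROR."""
        now = time.time() if now is None else now
        acct = self.accounts.get(username)
        if acct is None:
            _hash(password, self._dummy_salt)  # spend the same time as a real check
            return (False, GENERIC_ERROR)
        if now < acct["locked_until"]:
            return (False, GENERIC_ERROR)  # correct password does not unlock early
        if hmac.compare_digest(_hash(password, acct["salt"]), acct["hash"]):
            acct["failures"] = 0
            return (True, "ok")
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILURES:
            acct["locked_until"] = now + LOCKOUT_SECONDS
            acct["failures"] = 0
        return (False, GENERIC_ERROR)
```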