Password spraying is a low-and-slow form of brute force attack. Instead of hammering one account with many passwords, the attacker takes a short list of likely passwords (a season plus the year, the company name with a digit, "Password1") and tries each one against many accounts, moving to the next password only after every account on the list has been tried. That pacing is the point: each account sees only a handful of failures, so the attack stays below the lockout threshold that would stop a classic dictionary attack against a single account. Attackers spray for several reasons: account takeover, circumventing account lockout, and intelligence gathering (which usernames exist, which login endpoints lack MFA). A related technique, credential stuffing, replays username and password pairs leaked from other breaches; because people reuse passwords across services, it is often very successful.
You can do the following to protect your organization from password spraying attacks:
- Enforce password complexity, and block the predictable passwords that sprayers try first (seasons, years, the company name, keyboard walks).
- Keep a password history so that old passwords can't be reused.
- Set an account lockout threshold (lock the account after X failed attempts within an observation window) and keep the observation window long enough that an attacker cannot simply wait it out between passwords. Lockout on its own does not stop spraying, because the sprayer deliberately stays below the threshold on every account; it does stop single-account brute force, and it forces the sprayer to move slowly, which gives monitoring time to spot the pattern. Mind the trade-off: a very low threshold lets an attacker lock out every user with a few deliberate failures, so pair a moderate threshold with monitoring rather than pushing the threshold down to one or two attempts.
- Require MFA, especially for critical actions performed through shared or service accounts, which sprayers favour because nobody watches them day to day. If you run a WordPress site, hardening its login (limiting login attempts, adding a second factor) helps for the same reason.
- Where MFA cannot be rolled out everywhere at once, a one-time password (OTP) second factor is the minimum worth deploying; a sprayed password is useless on its own if the account still needs a second factor.
- Make sure users don't reuse the same password across different accounts. Password history enforces this inside your own directory, since it remembers previously used passwords; it cannot see reuse with external sites, which is why credential stuffing still works and why MFA matters.
- Require a minimum password length as well as complexity: long passphrases resist guessing far better than short strings of mixed characters, so the few passwords a sprayer tries have little chance of matching.
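To see why the lockout threshold on its own does not stop spraying, here is an added example in Python (not code from the original page) that simulates a simplified, hypothetical lockout policy modelled loosely on the three Active Directory lockout settings: an account locks after `threshold` failures inside an observation window, and a sprayer that tries one password per account per window never triggers it, while a single-account brute force does. The policy class, the account names and the password list are all constructed for the example, and the real directory semantics (for example how the bad-password counter is reset) are simplified.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    """Simplified lockout policy (hypothetical, modelled on AD's three lockout settings)."""
    threshold: int = 5           # failed logons before the account locks
    window_seconds: int = 900    # observation window in which failures are counted
    duration_seconds: int = 900  # how long a locked account stays locked


class LockoutTracker:
    """Applies a LockoutPolicy to a stream of failed logons, one counter per account."""

    def __init__(self, policy):
        self.policy = policy
        self.failures = defaultdict(deque)  # account -> timestamps of recent failures
        self.locked_until = {}              # account -> time the lock expires

    def is_locked(self, account, now):
        return self.locked_until.get(account, -1) > now

    def record_failure(self, account, now):
        """Register a failed logon at time `now`; return True if the account is locked."""
        if self.is_locked(account, now):
            return True
        recent = self.failures[account]
        recent.append(now)
        # Failures older than the observation window no longer count.
        while recent and now - recent[0] >= self.policy.window_seconds:
            recent.popleft()
        if len(recent) >= self.policy.threshold:
            self.locked_until[account] = now + self.policy.duration_seconds
            recent.clear()
            return True
        return False


def run_attempts(attempts, policy):
    """Feed (timestamp, account) failed logons through the policy; return accounts that locked."""
    tracker = LockoutTracker(policy)
    locked = set()
    for ts, account in sorted(attempts):
        if tracker.record_failure(account, ts):
            locked.add(account)
    return locked


def brute_force_schedule(account, passwords, interval_seconds=1):
    """Classic brute force: every password against one account, back to back."""
    return [(i * interval_seconds, account) for i in range(len(passwords))]


def spray_schedule(accounts, passwords, round_gap_seconds):
    """Spray: one password against every account per round, rounds spaced round_gap_seconds apart."""
    attempts = []
    for round_no in range(len(passwords)):
        base = round_no * round_gap_seconds
        attempts.extend((base + i, acct) for i, acct in enumerate(accounts))
    return attempts


if __name__ == "__main__":
    policy = LockoutPolicy(threshold=3, window_seconds=900, duration_seconds=900)
    users = [f"user{i:02d}" for i in range(10)]                   # constructed account names
    guesses = ["Winter2024!", "Password1", "Welcome1", "Company123", "Spring2024!"]  # constructed list
    print("brute force locks:", run_attempts(brute_force_schedule("user00", guesses), policy))
    print("paced spray locks:", run_attempts(spray_schedule(users, guesses, 900), policy))
    print("fast spray locks: ", run_attempts(spray_schedule(users, guesses, 1), policy))
```

With a threshold of 3 and a 900 second window, the brute force locks `user00` on its third guess, a spray that waits a full window between rounds locks nothing at all even after five rounds, and only a careless spray that fires every round back to back gets every account locked (which is exactly the mass-lockout side effect the trade-off above warns about). The paced case is the one your monitoring has to catch, because the lockout policy never will.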
What to Do if You Suspect Your Organization Was Affected by a Password Spraying Attack?
Check authentication logs and DNS for suspicious activity:
The signature of spraying is one source producing failed logons against many different accounts, a few failures each, often working through the user list in order; look for that pattern in Windows logon events (4625, 4771, 4776), your identity provider's sign-in logs, and VPN and mail gateway logs. DNS can be a supporting signal: Sysmon's DNS query event (Event ID 22) records the lookups each process makes, so a host suddenly resolving your login or federation endpoints far more often than a normal user would is worth a look. Sysmon itself only logs; the real-time alert on a spike has to come from your SIEM or monitoring rules built on top of it.
Investigate alerts:
Trace each alert back to its source (an external address, a compromised internal host, or a misconfigured service retrying with a stale password) and notify the team that owns the affected systems so they can block the source where necessary, reset any sprayed account that later logged on successfully, and confirm those accounts are enrolled in MFA.
Check network traffic for unusual patterns:
A sprayer who has obtained a working password may go on to scan your subnets or internal machines. Check the traffic going in and out of your network for unusual patterns, and check the internally reachable services for vulnerabilities the attacker could use to move further.
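The authentication log check above, as an added example in Python (not code from the original page): a small detector that parses a constructed log in a hypothetical `key=value` format loosely modelled on Windows logon events (4625 failed logon, 4624 successful logon), groups failures by source address, and labels a source as spraying when it fails against many distinct accounts with only a couple of failures each inside a sliding window, versus brute force when a single account absorbs many failures. It also lists accounts that later logged on successfully from the same source, which is the list to reset first. The log lines, addresses, usernames and thresholds are all constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample log. The line format is hypothetical, loosely modelled on the
# fields of Windows logon events (4625 = failed logon, 4624 = successful logon).
SAMPLE_LOG = """\
2024-03-04T10:00:01Z event=4625 src=203.0.113.7 user=alice status=0xC000006D
2024-03-04T10:00:03Z event=4625 src=203.0.113.7 user=bob status=0xC000006D
2024-03-04T10:00:05Z event=4625 src=203.0.113.7 user=carol status=0xC000006D
2024-03-04T10:00:07Z event=4625 src=203.0.113.7 user=dave status=0xC000006D
2024-03-04T10:00:09Z event=4625 src=203.0.113.7 user=erin status=0xC000006D
2024-03-04T10:00:11Z event=4625 src=203.0.113.7 user=frank status=0xC000006D
2024-03-04T10:00:13Z event=4625 src=203.0.113.7 user=grace status=0xC000006D
2024-03-04T10:00:15Z event=4625 src=203.0.113.7 user=heidi status=0xC000006D
2024-03-04T10:00:20Z event=4624 src=203.0.113.7 user=grace
2024-03-04T10:05:00Z event=4625 src=198.51.100.9 user=admin status=0xC000006D
2024-03-04T10:05:01Z event=4625 src=198.51.100.9 user=admin status=0xC000006D
2024-03-04T10:05:02Z event=4625 src=198.51.100.9 user=admin status=0xC000006D
2024-03-04T10:05:03Z event=4625 src=198.51.100.9 user=admin status=0xC000006D
2024-03-04T10:05:04Z event=4625 src=198.51.100.9 user=admin status=0xC000006D
2024-03-04T10:05:05Z event=4625 src=198.51.100.9 user=admin status=0xC000006D
2024-03-04T10:07:00Z event=4625 src=10.0.0.5 user=ivan status=0xC000006D
2024-03-04T10:07:10Z event=4624 src=10.0.0.5 user=ivan
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) event=(?P<event>\d+) src=(?P<src>\S+) user=(?P<user>\S+)"
    r"(?: status=(?P<status>\S+))?$"
)


def parse_log(text):
    """Parse lines into dicts; lines that do not match the expected format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        e["event"] = int(e["event"])
        events.append(e)
    return events


def _windows(failures, window_seconds):
    """Yield each trailing window of failures no wider than window_seconds (input sorted by time)."""
    start = 0
    for end in range(len(failures)):
        while (failures[end]["ts"] - failures[start]["ts"]).total_seconds() > window_seconds:
            start += 1
        yield failures[start:end + 1]


def classify_sources(events, window_seconds=600, min_accounts=5, max_per_account=2,
                     brute_threshold=5):
    """Label each source as 'password_spray' or 'brute_force'; sources matching neither are omitted.

    Spray: at least min_accounts distinct accounts in one window, none failing more than
    max_per_account times. Brute force: one account failing at least brute_threshold times.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        failures = sorted((e for e in evs if e["event"] == 4625), key=lambda e: e["ts"])
        label = None
        for window in _windows(failures, window_seconds):
            per_user = Counter(e["user"] for e in window)
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                label = "password_spray"
            elif label is None and max(per_user.values()) >= brute_threshold:
                label = "brute_force"
        if label is None:
            continue
        attacked = {e["user"] for e in failures}
        # Accounts that later logged on successfully from the same source: treat as compromised.
        compromised = sorted(e["user"] for e in evs if e["event"] == 4624 and e["user"] in attacked)
        findings[src] = {"label": label, "accounts": len(attacked), "compromised": compromised}
    return findings


if __name__ == "__main__":
    for src, finding in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(src, finding)
```

On the sample data `203.0.113.7` is labelled as spraying across eight accounts with `grace` flagged as compromised (she fails once, then logs on from the sprayer's address a few seconds later), `198.51.100.9` is labelled brute force against `admin`, and `10.0.0.5` (one mistyped password followed by a successful logon) produces nothing. The thresholds are deliberately loose; in production tune `min_accounts` and the window to your user population, and expect distributed sprays to spread attempts over many source addresses, which a per-source grouping alone will miss.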
Check privileged users and the tools they use:
This matters most when you are bringing on new employees or contractors. Know who holds administrative privileges, confirm that each of them actually needs that access to do their job, and ask which tools they use when working remotely, on the road or from mobile devices. Packet capture and protocol analysis tools such as Wireshark generally need administrative rights to run, so their presence on a workstation is a sign of elevated privileges that should be justified; a sprayer who lands on such an account inherits those rights, which is why the privileged list is the one to review first after a suspected attack.
Identity management has to move with the technology; old approaches that rely on a password alone no longer hold up. Review your security posture and password policies regularly so you can adapt procedures as new attack techniques emerge. Multi-factor authentication has only recently become commonplace, and with the precautions above, passwords can still serve as one of the essential lines of defence for your company.