Mind the Overspray – Password Spraying Remains a Major Threat

Mind the Overspray

If you’re wondering if that classic car you’ve been scoping out on Bring a Trailer or eBay Motors is as authentic as posited by the seller – specifically re: the common claims of “original paint” or “high quality respray” – you’re going to want to take a closer look around the edges.

This is because a talented painter can make a second or 30th-hand vehicle look pretty snazzy with a well-affected, if not super high-quality, repaint. That’s why the experts are always pulling back the carpet, diving into the engine bay and generally poking around the bodywork looking for signs of undocumented makeovers. The dead giveaway is usually “overspray” or places where the painters have been slightly over-aggressive in attempting to pretty up the ride.

What is Password Spraying? Spray and Pray, Cyber Redux

What does this have to do with infosec, you say? Much like overspray remains the bane of auto collectors and barn find hunters, the technique of Password Spraying – while well-known and typically at least somewhat accounted for among security practitioners – has retained its potency and prevalence when it comes to hacking techniques.

Look no further than the recent report that password management company LastPass – touted as the “world’s most popular password manager” – likely fell prey to such an attack. This isn’t to take anything approaching a shot at LastPass; the reality is that even against a longstanding and well-known expert in the field, password spraying still works.

What continues to evolve in the world of password spraying, and of course in most cyberattacks, is the relative firepower available to attackers in the form of automation and machine learning. Much as security teams continue to redouble their efforts to enlist these underlying technologies to stave off threats, the attackers are, of course, utilizing the same practices.

How Slow and Low Can You Go?

Perhaps the biggest threat when it comes to password spraying, however, is the “slow and low” approach: attacks engineered NOT to trip automated triggers looking for high-volume blasts. This also flips the script against defenses looking for concentrated attacks on a specific user, by employing numerous IP addresses to try multiple accounts at the same time with only a small number of candidate passwords.

As researchers at Microsoft noted in late 2021:
“Instead of trying many passwords against one user, they try to defeat lockout and detection by trying many users against one password.” This technique is aimed squarely at avoiding rate-limiting controls that block IP addresses generating too many failed attempts. Microsoft also goes on to estimate that password spraying accounts for a full third of all account compromises.

Specific Techniques Demand Tailored Monitoring and Retention

When it comes to addressing this issue – a form of menace that, as documented, will continue to work around even the most staunch cyber defenses – the answer comes down to smarter monitoring. If the attackers are going to keep trying to get in, and will likely succeed at some point, your organization has to be prepared, and watching closely.

As MITRE lays out in the de facto standard ATT&CK framework, organizations should therefore “Monitor authentication logs for system and application login failures of Valid Accounts”, and more broadly monitor their logs for many different types of events (e.g. authentication service success and failure). But, given the slow and low approach, this model has to be extended further.

At Logz.io, we find that our customers have the most success when they also play the long game: developing advanced visualizations that trend activity over time to create the context needed for detection, and retaining the right logs for longer periods of time (in practice 30 days at a minimum, but often longer). Continuing to maintain and advance tight integration between their SIEM and key data sources such as identity and access management is also crucial.

Once security teams have the right combination of data, visualization, alerting and data retention aligned, they become far more efficient at building the full picture needed to catch these sneaky slow and low techniques. This is very different from visualizing massive password-targeting bursts, with – as always, it seems, these days – far greater emphasis on controlling data volumes and taking a trended-analysis approach.
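To make the slow and low pattern concrete, here is an added example (not Logz.io's or MITRE's code) that runs the detection logic over a constructed authentication log: it buckets failures into a long window and alerts when many distinct accounts each fail only a few times, the “many users against one password” signature, while a short window sees nothing. The log format, the per-user lockout threshold and the window sizes are assumptions.

```python
"""Slow-and-low password spray detection over authentication failure logs."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log (not real data): timestamp, result, account, source IP.
# Eight accounts fail once each, spread over two hours and five IPs (a spray);
# one account fails five times in ten seconds (classic brute force, trips lockout).
SAMPLE_LOG = """\
2023-04-01T08:00:05Z FAIL alice 203.0.113.10
2023-04-01T08:14:11Z FAIL bob 203.0.113.11
2023-04-01T08:31:40Z FAIL carol 203.0.113.12
2023-04-01T08:47:02Z FAIL dave 203.0.113.10
2023-04-01T09:03:19Z FAIL erin 203.0.113.13
2023-04-01T09:20:55Z FAIL frank 203.0.113.11
2023-04-01T09:36:08Z FAIL grace 203.0.113.14
2023-04-01T09:52:33Z SUCCESS heidi 203.0.113.12
2023-04-01T10:05:44Z FAIL ivan 203.0.113.10
2023-04-01T10:21:17Z FAIL mallory 198.51.100.7
2023-04-01T10:21:19Z FAIL mallory 198.51.100.7
2023-04-01T10:21:21Z FAIL mallory 198.51.100.7
2023-04-01T10:21:23Z FAIL mallory 198.51.100.7
2023-04-01T10:21:25Z FAIL mallory 198.51.100.7
"""

def parse_line(line):
    """Parse one assumed-format log line into (timestamp, result, user, ip)."""
    ts, result, user, ip = line.split()
    stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return stamp, result, user, ip

def detect_spray(log_text, window_seconds=86400, min_users=5, max_per_user=3):
    """Return one alert per tumbling window in which at least min_users distinct
    accounts failed, each no more than max_per_user times (i.e. below an assumed
    lockout threshold). Accounts hammered above the threshold are excluded, since
    that is brute force rather than spraying and is caught by per-user controls."""
    buckets = defaultdict(lambda: defaultdict(lambda: {"fails": 0, "ips": set()}))
    for line in log_text.splitlines():
        stamp, result, user, ip = parse_line(line)
        if result != "FAIL":
            continue
        key = int(stamp.timestamp() // window_seconds)
        buckets[key][user]["fails"] += 1
        buckets[key][user]["ips"].add(ip)
    alerts = []
    for key, users in sorted(buckets.items()):
        sprayed = {u: e for u, e in users.items() if e["fails"] <= max_per_user}
        if len(sprayed) >= min_users:
            alerts.append({
                "window_start": datetime.fromtimestamp(key * window_seconds, timezone.utc),
                "accounts": sorted(sprayed),
                "source_ips": sorted(set().union(*(e["ips"] for e in sprayed.values()))),
            })
    return alerts
```

Running `detect_spray(SAMPLE_LOG)` with the 24-hour window flags the eight sprayed accounts across five source IPs, whereas a 5-minute window (`window_seconds=300`) returns no alert at all, which is exactly why the retention and trending discussed above matter.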

As we continue to evolve our Cloud SIEM solution, Logz.io is laser focused on enabling customers to balance the precision of monitoring and the cost of data retention – cutting through the noise and optimizing resources to focus on the analysis that matters most.

If any of this makes sense to you we’d love for you to start a free trial or to show you a demo if you’re interested.

Until then, see you at the local swap meet!
