Many organizations have cyber security measures in place to prevent threat actors from breaching defenses and launching their attacks. However, there may be a gaping hole in your organization’s security: untrained employees.
Threat actors can take advantage of the poor security habits of your network and system users through a technique known as password spraying in order to gain access and wreak havoc on your organization. Below, we’ll discuss password spraying attacks — demonstration video included — and what you can do to mitigate the risks.
Unlike other password attacks, password spraying is when a threat actor tries a single password against many usernames, hoping that it is the correct password for at least one of those accounts.
OWASP reports that this attack is common when “the application or admin sets a default password for the new users.” Other easy targets are organizations that don’t have password standards for their cloud-based applications and platforms.
Password spraying is far more effective than the traditional forced entry — brute force — methods. In traditional password attacks, a threat actor will use a hacking tool to try several passwords against a single account. However, throwing multiple passwords at one account is not always effective because many login processes have a limited number of password attempts until the account is temporarily locked.
Password spraying is harder to prevent because the threat actor makes only one attempt per user account, so the system never reaches the failed-attempt threshold that would lock the account and deny further access.
Since a threat actor only tries one password at a time, this is considered a low and slow method of password hacking, and is generally done in three steps:
Kevin Mitnick, founder of Mitnick Security and Chief Hacking Officer of KnowBe4, demonstrates password spraying in the video below:
As Kevin says, password spraying works “because people choose poor passwords.” With this in mind, organizations should look to technologies that can strengthen login security while making their employees aware of potential threats and prevention methods.
Password spraying attack prevention starts with eliminating weak passwords. By enforcing password best practices at your organization, employee accounts will be far more difficult to compromise with a password spraying technique.
For example, employees should not reuse passwords for all of their accounts. Should a threat actor gain access to one account, they will likely try the same password across other accounts to expand their control and more easily compromise your organization’s internal systems.
Multi-factor authentication (MFA) requires a user to provide at least two factors for verification in order to gain account access. With MFA, a threat actor cannot gain entry just because they guessed a password correctly. Requiring MFA for your organization’s applications is an effective way to prevent password hacking.
To protect your organization, you can use Endpoint Detection and Response (EDR) technology, so you’ll have visibility into malicious activity and can prevent lateral movement by an attacker. Since EDR systems vary, it’s important to make sure you know what tools and processes your EDR can use to detect threats.
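As an added example (not code from the original article or from Mitnick Security), the following Python checks authentication logs for the pattern described above: one source failing against many distinct accounts while staying under the per-account lockout threshold, which is the low-and-slow shape that lockout rules alone miss. The log format, sample lines and thresholds are constructed assumptions to adapt to your own log source.

```python
"""Flag password-spraying patterns in authentication logs (added example).
Log format is a constructed one: "<ISO timestamp> <FAIL|SUCCESS> user=<name> src=<ip>"."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 tries one guess each against many accounts
# (a spray, and one guess lands); 198.51.100.9 retries a single account.
SAMPLE_LOG = """\
2024-05-01T09:00:01 FAIL user=alice src=203.0.113.7
2024-05-01T09:00:04 FAIL user=bob src=203.0.113.7
2024-05-01T09:00:09 FAIL user=carol src=203.0.113.7
2024-05-01T09:00:15 FAIL user=dave src=203.0.113.7
2024-05-01T09:00:20 SUCCESS user=erin src=203.0.113.7
2024-05-01T09:00:25 FAIL user=frank src=203.0.113.7
2024-05-01T09:01:00 FAIL user=alice src=198.51.100.9
2024-05-01T09:01:02 FAIL user=alice src=198.51.100.9
"""

def parse_line(line):
    """Return (timestamp, result, user, src) for one log line."""
    ts, result, user, src = line.split()
    return datetime.fromisoformat(ts), result, user[5:], src[4:]

def detect_spray(log_text, window=timedelta(minutes=30),
                 min_accounts=5, max_per_account=2):
    """Per source, flag >= min_accounts distinct accounts failing inside one
    window with no account failing more than max_per_account times (assumed
    thresholds). Returns {src: {"accounts": n, "succeeded": [users]}}."""
    fails, successes = defaultdict(list), defaultdict(set)
    for line in log_text.splitlines():
        ts, result, user, src = parse_line(line)
        if result == "FAIL":
            fails[src].append((ts, user))
        else:
            successes[src].add(user)  # a hit from a spraying source matters
    hits = {}
    for src, events in fails.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide the window start
            per_user = defaultdict(int)
            for ts, user in events[i:]:
                if ts - start <= window:
                    per_user[user] += 1
            if (len(per_user) >= min_accounts
                    and max(per_user.values()) <= max_per_account):
                hits[src] = {"accounts": len(per_user),
                             "succeeded": sorted(successes[src])}
                break
    return hits
```

Accounts listed under "succeeded" for a flagged source are the ones to treat as potentially compromised and reset first.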
Finding out that your organization was the victim of a password spraying attack is never good news. A cybersecurity professional can test your network and systems for vulnerabilities, including weak passwords, so that you can help your employees harden security standards.
Taking steps to mitigate security risks is crucial to safeguarding your organization’s operations. Preventing password spraying attacks is only possible if you know how well your organization actually adheres to these best practices.
Mitnick Security offers services to detect vulnerabilities before the threat actors do. With our help, you can understand where you stand and strengthen your organization's security posture. Contact us for more information.