Brute forcing. Password spraying. Credential stuffing. The similarities between these attacks on passwords extend beyond their expressive names. In this article, we will look at how and why each of these techniques exist, as well as explore some of the best practices to mitigate them.
What is a brute force attack?
Brute force attacks have existed since the dawn of the password. But what exactly are they? If an attacker can access a service that provides a login, then they can attempt to guess the password for that login by entering password guess, after password guess, after password guess. It might look a little something like this:
The first guess on an authentication endpoint could be:
If that isn’t it, the next guess might be:
As you might expect from such a well-established password attack, most authentication systems have pretty good defenses against them. For Active Directory, those defenses are policies that temporarily lock out an account after a certain number of failures to log in within a specified period of time. This dramatically limits the number of guesses that an attacker can make in a given period of time.
But even without account lockout policies, these kinds of patterns – bad password after bad password being used on an account as fast as it can process them – are easy to detect using most auditing tools.
Given those limitations on attackers, most successful brute force attacks have moved “offline,” leveraging systems where it is possible to try random passwords over and over again at very high rates of speed without ever interacting with a central network, triggering account lockout policies, or being detected by auditing software. “Kerberoasting” is an example of this type of brute force attack.
To be successful in attacking a live network, attackers usually need to find something more sophisticated.
Enter the password spray
What is password spraying? Password spraying is a form of brute force attack. It relies on the fact that during early phases of reconnaissance, an attacker can use any Active Directory account to better understand the target environment and map out its weaknesses.
Just like in a brute force attack, password spraying involves an attacker trying to guess passwords. But unlike a brute force attack, which focuses on a single account, in a password spraying attack, the target is many accounts. Here is a simple example:
The first guess on an authentication endpoint might be:
When that fails, the next guess might be:
In practice, password spraying holds a few key advantages over simple brute-forcing for an attacker.
First, it is playing a numbers game where a limited set of “likely” passwords can be tried across a whole bunch of users. If one were attacking a company headquartered in Minneapolis, it might be unlikely that any one account has a password of V!kings2022 – but if the company is large enough there is a decent chance that someone has that password.
Secondly, the bigger an organization is, the more susceptible it is to password sprays. With a large enough data set, the chances of someone having a password that is easy to guess goes way up. And the bigger an organization is, the easier it is to hide password spraying activity.
Third, it is harder to “see” password spraying activity through audit logs. Because a single account isn’t failing authentication over and over again, it doesn’t trigger the account lockout threshold. Because it’s common for users to occasionally fat-finger their password, password sprays can easily blend into the background noise of typical user activity.
One challenge that attackers face when leveraging password sprays is that they need a list of usernames to spray against. But it would be a mistake to think that this challenge provides any real protection to targeted organizations. For many organizations, the names of employees aren’t considered highly protected information, and once an attacker figures out the username pattern (i.e. first initial/last name above) it isn’t hard to work out a fairly accurate user list to spray against.
The close cousin: Credential stuffing
Credential stuffing is similar in many ways to password spraying. A series of password guesses are tried against a long list of accounts. But credential stuffing takes advantage of the fact that many users reuse passwords for different services to increase the chances that the attacker can guess the correct password.
Lists of username and password combinations find their way onto the internet quite regularly. Perhaps an insecurely configured forum or e-commerce site has its credentials stored in an easily crackable format (or even in cleartext!) When attackers gain access to sites like these, they may dump the poorly secured credentials onto sites that are freely accessible to attackers. Or they may sell the credential file.
An attacker, armed with a file with a great many username and password combinations, can look for usernames that correspond to the organization that they are looking to attack. So, if I want to get a foothold into vintonlabs.net, I could do a search through these credential dump files to find any entries that have the vintonlabs.net email address.
My next step as an attacker is to try those username and password combinations (and their derivatives!) on the organization that I want to attack, knowing that users very often reuse good passwords between sites.
Preventing password spraying, credential stuffing and brute force attacks
Given the tried-and-true effectiveness of these techniques, what are the most effective ways to defend against them?
Fortunately, because these techniques are closely related, the following three pieces of advice can help mitigate risk from each of them.
1. Reduce the importance of passwords
What do all three of the password attacks we profiled have in common? They are focused on passwords!
A great way of making your organization less vulnerable to attacks like these is to make the importance of an individual password less important.
The most common way to do this is to add a second factor to passwords. There are a lot of different two-factor authentication systems, from SMS messages (which aren’t great), through authenticator apps, and into FIDO keys.
Modern authentication platforms like Azure AD also offer “passwordless” logins. In these systems, the accessing device becomes very important. The combination of a properly registered device alongside a local PIN or biometric identifier is used instead of a password to access organization data and systems.
There are a couple challenges with moving to a two-factor or passwordless system. First, passwords are still useful to an attacker. They are usually one of the two authentication factors, and if attackers can get their hands on passwords, they can move to social attacks to get the second factor. Secondly, most organizations still need to leverage legacy authentication systems like Active Directory that do not have built-in two-factor authentication. This means leveraging a third-party tool, which can introduce a whole mess of implementation and compatibility challenges.
2. Tighten up your endpoints
For brute force, password spraying, or credential stuffing attacks to be successful, the right authentication endpoints need to be available to an attacker. Ideally, an attacker is going to be looking for an endpoint that can be scripted against and validate whether a username and password worked. Websites that expose some type of Active Directory authentication are perfect for this.
Don’t make this easy on your attackers. Regularly audit all of your touchpoints, and if at all possible, add two-factor authentication to them, either directly or through federation.
This can be difficult to do, and it is even harder for large organizations that may have many internet-facing presences for employees, contractors, customers, and partners.
3. Use smarter auditing tools
Many modern auditing tools are making it easier to derive signals from auditing static. They can see that while any individual account may not have an unusual amount of authentication failures, the organization as a whole does.
For this to work, auditing tools must be able to automatically establish baselines of activity that are “normal” so they can spot activity that is “abnormal.” After all, not only does “typical” constantly evolve, but it can vary greatly by time of day and day of the week.
If your organization uses multiple directories at the same time, like Azure Active Directory and Active Directory, it’s a good idea for your audit tool to be able to consider the behavior of both of them. If not, you may find yourself in a situation where you have a significant blind spot.
I hope this post has helped solidify the concepts of brute force attacks, password spraying attacks, and credential stuffing. It is important to think of defending against them, not as one-time-mitigations but rather techniques to constantly revisit and use in layers.