Connecting Technology and Business.

Password Spray attacks and Four sure steps to disrupt them

As long as we’ve had passwords, people have tried to guess them. Let us get up to speed on a common attack called password spray which has become MUCH more frequent recently.  There are some best practices that we can adopt to defend against this sophisticated attack.

In a password spray attack, the bad guys try the most common passwords across many different accounts and services to gain access to any password protected assets they can find. Usually these span many different organizations and identity providers.

Four easy steps to disrupt password spray attacks:

Step 1: Use cloud authentication

In the cloud, we see billions of sign-ins to Microsoft systems every day. Microsoft’s security detection algorithms allow them to detect and block attacks as that are happening. Because these are real time detection and protection systems driven from the cloud, they are available only when doing Azure AD authentication in the cloud (including Pass-Through Authentication).

Smart Lockout

In the cloud, Microsoft uses Smart Lockout to differentiate between sign-in attempts that look like they’re from the valid user and sign-ins from what may be an attacker. They can lock out the attacker while letting the valid user continue using the account. This prevents denial-of-service on the user and stops overzealous password spray attacks. This applies to all Azure AD sign-ins regardless of license level and to all Microsoft account sign-ins.

Tenants using Active Directory Federation Services (ADFS) will be able to use Smart Lockout natively in ADFS in Windows Server 2016 starting in March 2018. They can look for this ability to come via Windows Update.

IP Lockout

IP lockout works by analyzing those billions of sign-ins to assess the quality of traffic from each IP address hitting Microsoft’s systems. With that analysis, IP lockout finds IP addresses acting maliciously and blocks those sign-ins in real-time.

Attack Simulations

Now available in public preview, Attack Simulator as part of Office 365 Threat Intelligence enables customers to launch simulated attacks on their own end users, determine how their users behave in the event of an attack, and update policies and ensure that appropriate security tools are in place to protect an organization from threats like password spray attacks.

Step 2: Use multi-factor authentication

A password is the key to accessing an account, but in a successful password spray attack, the attacker has guessed the correct password. To stop them, we need to use something more than just a password to distinguish between the account owner and the attacker. The three ways to do this are below.

Risk-based multi-factor authentication

Azure AD Identity Protection uses the sign-in data mentioned above and adds on advanced machine learning and algorithmic detection to risk score every sign-in that comes in to the system. This enables enterprise customers to create policies in Identity Protection that prompt a user to authenticate with a second factor if and only if there’s risk detected for the user or for the session. This lessens the burden on your users and puts blocks in the way of the bad guys.

Always-on multi-factor authentication

For even more security, Enterprises can use Azure MFA to require multi-factor authentication for their users all the time, both in cloud authentication and ADFS. While this requires end users to always have their devices and to more frequently perform multi-factor authentication, it provides the most security for the enterprise. This should be enabled for every admin in an organization.

Azure MFA as primary authentication

In ADFS 2016, Microsoft has the ability use Azure MFA as primary authentication for passwordless authentication. This is a great tool to guard against password spray and password theft attacks: if there’s no password, it can’t be guessed. This works great for all types of devices with various form factors. Additionally, enterprises can now use password as the second factor only after an OTP has been validated with Azure MFA.

Step 3: Better passwords for everyone

Even with all the above, a key component of password spray defence is for all users to have passwords that are hard to guess. It’s often difficult for users to know how to create hard-to-guess passwords. Microsoft helps you make this happen with these tools.

Banned passwords

In Azure AD, every password change and reset runs through a banned password checker. When a new password is submitted, it’s fuzzy-matched against a list of words that no one, ever, should have in their password (and l33t-sp3@k spelling doesn’t help). If it matches, it’s rejected, and the user is asked to choose a password that’s harder to guess. Microsoft builds the list of the most commonly attacked passwords and updates it frequently.

Custom banned passwords

To make banned passwords even better, Microsoft is going to allow tenants to customize their banned password lists. Admins can choose words common to their organization—famous employees and founders, products, locations, regional icons, etc.—and prevent them from being used in their users’ passwords. This list will be enforced in addition to the global list, so enterprises don’t have to choose one or the other. It’s in limited preview now and will be rolling out this 2018.

Banned passwords for on-premises changes

This spring, Microsoft is launching a tool to let enterprise admins ban passwords in hybrid Azure AD-Active Directory environments. Banned password lists will be synchronized from the cloud to the on-premises environments and enforced on every domain controller with the agent. This helps admins ensure users’ passwords are harder to guess no matter where—cloud or on-premises—the user changes his/her password. This launched to limited private preview in February 2018 and will go to GA this year.

Change how you think about passwords

A lot of common conceptions about what makes a good password are wrong. Usually something that should help mathematically actually results in predictable user behaviour: for example, requiring certain character types and periodic password changes both result in specific password patterns. If an enterprise is using Active Directory with PTA or ADFS, they have to update their password policies. If they are using cloud managed accounts, enterprises need consider setting their passwords to never expire.

Step 4: More awesome features in ADFS and Active Directory

If an enterprise is using hybrid authentication with ADFS and Active Directory, there are more steps they can take to secure their environment against password spray attacks.

The first step: for organizations running ADFS 2.0 or Windows Server 2012, plan to move to ADFS in Windows Server 2016 as soon as possible.  The latest version will be updated more quickly with a richer set of capabilities such as extranet lockout. Microsoft has made it really easy to upgrade from Windows Server 2012R2 to 2016.

Block legacy authentication from the Extranet

Legacy authentication protocols don’t have the ability to enforce MFA, so the best approach is to block them from the extranet. This will prevent password spray attackers from exploiting the lack of MFA on those protocols.

Enable ADFS Web Application Proxy Extranet Lockout

If enterprises do not have extranet lockout in place at the ADFS Web Application proxy, they should enable it as soon as possible to protect their users from potential password brute force compromise.

Deploy Azure AD Connect Health for ADFS

Azure AD Connect Health captures IP addresses recorded in the ADFS logs for bad username/password requests, gives admins additional reporting on an array of scenarios, and provides additional insight to support engineers when opening assisted support cases.

(To deploy, admins must download the latest version of the Azure AD Connect Health Agent for ADFS on all ADFS Servers (2.6.491.0). ADFS servers must run Windows Server 2012 R2 with KB 3134222 installed or Windows Server 2016).

Use non-password-based access methods

Without a password, a password can’t be guessed. These non-password-based authentication methods are available for ADFS and the Web Application Proxy:

  • Certificate based authentication allows username/password endpoints to be blocked completely at the firewall.
  • Azure MFA, as mentioned above, can be used to as a second factor in cloud authentication and ADFS 2012 R2 and 2016. But, it also can be used as a primary factor in ADFS 2016 to completely stop the possibility of password spray.
  • Windows Hello for Business, available in Windows 10 and supported by ADFS in Windows Server 2016, enables completely password-free access, including from the extranet, based on strong cryptographic keys tied to both the user and the device. This is available for corporate-managed devices that are Azure AD joined or Hybrid Azure AD joined as well as personal devices via “Add Work or School Account” from the Settings app.
- Based on a blog from Microsoft Security