Microsoft Touts Multifactor Authentication To Block Password Spray Attacks
Tips to protect against "password spray attacks" were expounded by Microsoft's Detection and Response Team (DART) in a Tuesday announcement.
In a nutshell, organizations can best protect against such attacks by turning on multifactor authentication, which is a secondary means of validating user identities besides a password. A lot more tips were offered as well in the DART announcement.
Password spray attacks attempt to gain an initial foothold by trying a small set of commonly used passwords across many accounts in an organization. Attackers used to target "legacy authentication protocols" for such attacks, but these attacks now go through the REST API as well. Typical app targets, per DART, include:
- Exchange ActiveSync
- IMAP, POP3, SMTP Auth
- Exchange Autodiscover
Exchange Autodiscover automatically configures client accounts to make logging into Exchange easier for end users, but security solutions firm Guardicore Labs recently discovered a vulnerability that leaked "tens of thousands" of Windows domain credentials.
DART argued that the current trend of attackers is to compromise user credentials, rather than try to attack the network itself to gain access. To that end, attackers can just try passwords extracted from all of the leaked credentials available on the "dark Web" and expect some success because people tend to reuse their passwords.
The main targets of password spraying are "C-level executives." IT pros also are a top target, as they have access to administrative accounts with the greatest network privileges.
DART offered the following advice to IT pros with admin accounts:
These are the keys to the kingdom and should have an extra level of protection. Ensure that administrative accounts are cloud-only and are not synchronized from Active Directory. MFA should always be applied, and emergency access accounts should be created also.
Organizations should have the ability to export log data and perform investigations to detect possible password spray attack activities. To that end, Microsoft promoted its own tools, including the Microsoft Cloud App Security portal to check for suspicious activities, Azure Active Directory for behavioral analyses, and Identity Protection (in Azure AD) for checks on potentially risky behaviors and dubious sign-ins.
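As an added illustration of the investigation step DART describes (this is not code from the announcement or from Microsoft's tools), the script below scans a constructed sample of exported sign-in events for the spray signature: one source address failing against many distinct accounts with only one or two attempts each, so per-account lockout thresholds never trigger. The log format and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample of exported sign-in events (not real log data):
# (timestamp, user, source_ip, app, result)
SIGNIN_LOG = [
    ("2021-10-26T02:00:01Z", "ceo@example.com",     "203.0.113.7",  "Exchange ActiveSync", "failure"),
    ("2021-10-26T02:00:03Z", "cfo@example.com",     "203.0.113.7",  "Exchange ActiveSync", "failure"),
    ("2021-10-26T02:00:05Z", "itadmin@example.com", "203.0.113.7",  "Exchange ActiveSync", "failure"),
    ("2021-10-26T02:00:07Z", "hr@example.com",      "203.0.113.7",  "Exchange ActiveSync", "failure"),
    ("2021-10-26T02:00:09Z", "sales@example.com",   "203.0.113.7",  "Exchange ActiveSync", "success"),
    # A legitimate user mistyping twice from their own address: not a spray.
    ("2021-10-26T02:01:00Z", "bob@example.com",     "198.51.100.4", "Exchange Online",     "failure"),
    ("2021-10-26T02:01:30Z", "bob@example.com",     "198.51.100.4", "Exchange Online",     "failure"),
    ("2021-10-26T02:02:00Z", "bob@example.com",     "198.51.100.4", "Exchange Online",     "success"),
]


def detect_spray(events, min_accounts=4, max_attempts_per_account=2):
    """Return {source_ip: summary} for sources whose failures look like a spray.

    A spray is many distinct accounts (>= min_accounts) with few failures each
    (<= max_attempts_per_account). Brute force against one account fails the
    first test; an ordinary user mistyping fails the first test too.
    Accounts that later signed in successfully from the same source are
    reported separately, since those are the spray's likely hits.
    """
    failures = defaultdict(lambda: defaultdict(int))  # ip -> user -> failed count
    successes = defaultdict(set)                       # ip -> users that signed in
    for _ts, user, ip, _app, result in events:
        if result == "failure":
            failures[ip][user] += 1
        else:
            successes[ip].add(user)

    findings = {}
    for ip, per_user in failures.items():
        if len(per_user) < min_accounts:
            continue  # too few accounts to be a spray
        if max(per_user.values()) > max_attempts_per_account:
            continue  # repeated guesses at one account: brute force, not spray
        findings[ip] = {
            "accounts_tried": sorted(per_user),
            "accounts_succeeded": sorted(successes[ip]),
        }
    return findings


if __name__ == "__main__":
    for ip, summary in detect_spray(SIGNIN_LOG).items():
        print(ip, summary)
```

Tune `min_accounts` to the tenant's size; in a real investigation the same grouping is worth repeating per target app, since the article notes legacy protocols such as IMAP and SMTP Auth are favored because they cannot complete MFA.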
DART argued that organizations should adopt a "zero-trust" and "assume breach" approach, which means operating as though passwords have already been compromised.
If possible, organizations should use passwordless authentication approaches, such as those enabled by "the Microsoft Authenticator App, Windows Hello for Business, and Fast Identity Online (FIDO) keys," the announcement indicated. Last month, Microsoft announced the ability of Microsoft account users to dispense with passwords. This month, Microsoft argued for an overall passwordless approach in a 1.5-hour presentation.
Organizations still using passwords should block the commonly used ones, as well as ones that reference the organization. They should not rely on password complexity rules, such as compelling the use of special symbols and uppercase letters, as the protection.
Here's DART's expression of that notion:
If a password must be used, ensure that the password policy does not allow key phrases related to the organization or commonly used passwords. Having a password policy of eight characters with an uppercase, lowercase, number, and symbol, is no longer secure with today's graphics processing unit (GPU) capabilities. Attackers can crack a password with these elements in a matter of hours. 20-character small sentences may be easy for users to remember and are more secure than a complex 8-character password!
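The check below is an added example of the policy DART describes, not code from the announcement: it treats length as the primary control, rejects organization-related phrases and common passwords, and normalizes the usual tricks (case, character substitutions, trailing digits and symbols) that let "P@ssw0rd2021!" satisfy a complexity rule. The word lists and the 14-character minimum are constructed assumptions.

```python
import re

# Constructed lists; a real deployment would load the organization's own terms
# and a large banned-password list.
ORG_TERMS = {"contoso", "redmond"}
COMMON_PASSWORDS = {"password", "welcome", "qwerty", "letmein",
                    "summer", "winter", "spring", "autumn"}  # seasonal words

# Undo the substitutions people use to satisfy complexity rules.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(pw):
    """Lower-case, strip the trailing digits/symbols users bolt on
    ('Contoso2021!'), then undo character substitutions ('P@ssw0rd')."""
    base = re.sub(r"[^a-z]+$", "", pw.lower())
    return base.translate(LEET)


def check_password(pw, min_length=14):
    """Return (accepted, reason). Complexity classes are deliberately not required."""
    if len(pw) < min_length:
        return False, f"shorter than {min_length} characters"
    norm = normalize(pw)
    if norm in COMMON_PASSWORDS:
        return False, f"normalizes to common password '{norm}'"
    for term in ORG_TERMS:
        if term in norm:
            return False, f"contains organization term '{term}'"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["Xk9$mPq2", "P@ssw0rd2021!!!!", "C0ntoso-Admin!2022",
                      "the coffee cups are all blue today"]:
        print(repr(candidate), check_password(candidate))
```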
A few years ago, Microsoft also had argued against compelling frequent password changes because people just used predictable seasonal words in the new passwords, which made them easier to guess.
Multifactor authentication is effective against password spray attacks except when end users aren't compelled to complete the registration process. In those cases, an attacker who already holds a valid password can complete the registration themselves and gain credentials that are trusted. Organizations should enforce multifactor authentication use via policy.
"DART recommends that customers configure an MFA registration policy if possible to ensure that all enabled users register for MFA," the announcement explained.
Identity Policy Misconfiguration
Organizations should check to see that they haven't misconfigured identity policies. For instance, an organization may have Azure AD Conditional Access policies in place that fail to cover all cloud apps.
DART offered the following "real-world example" to explain this concept:
A DART customer experienced a cloud identity breach and had in place an MFA policy for administrative accounts, applied to the Office 365 cloud app. However, the threat actor used the Azure Service Management API to connect to the environment. This cloud app was outside of the scope of the MFA Conditional Access policy, giving the threat actor access to the environment without requiring MFA.
Apparently, IT pros need to check a radio button for "All cloud apps" to properly configure the Azure AD Conditional Access service.
Organizations should be wary of setting up policy exceptions for accounts. It sometimes gets done for privileged accounts, but those are the sorts of accounts that are targeted by attackers, DART argued.
"If they [accounts with policy exceptions] must remain, put in place some mitigating controls to reduce the attack surface of that particular account," the announcement suggested.
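As an added example for the two misconfigurations discussed above (an MFA policy scoped to a single cloud app rather than "All cloud apps", and per-account exclusions), the audit below walks a set of Conditional Access policies and reports the gaps. The policy objects are a constructed sample whose shape is modeled on the Microsoft Graph conditionalAccessPolicy resource; the field names and values are assumptions for illustration, not Microsoft's code or a documented API contract.

```python
# Constructed sample policies (hypothetical tenant, not real configuration).
POLICIES = [
    {
        "displayName": "Require MFA for admins",
        "state": "enabled",
        "conditions": {
            "users": {"includeRoles": ["Global Administrator"],
                      "excludeUsers": ["breakglass@example.com"]},
            # Scoped to one app: other cloud apps, such as the Azure Service
            # Management API, fall outside the policy.
            "applications": {"includeApplications": ["Office 365"]},
        },
        "grantControls": {"builtInControls": ["mfa"]},
    },
    {
        "displayName": "Require MFA for all users",
        "state": "enabledForReportingButNotEnforced",  # report-only, not enforced
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"builtInControls": ["mfa"]},
    },
]


def audit_policies(policies):
    """Return [(policy name, finding)] for MFA policies that leave a gap."""
    findings = []
    for p in policies:
        name = p["displayName"]
        if "mfa" not in p.get("grantControls", {}).get("builtInControls", []):
            continue  # not an MFA policy; out of scope for this check
        if p.get("state") != "enabled":
            findings.append((name, f"MFA policy is not enforced (state={p.get('state')})"))
        apps = p["conditions"].get("applications", {}).get("includeApplications", [])
        if apps != ["All"]:
            findings.append((name, f"scoped to {apps}, not All cloud apps; "
                                   "apps outside this list are reachable without MFA"))
        for user in p["conditions"].get("users", {}).get("excludeUsers", []):
            findings.append((name, f"account {user} is excluded from MFA; "
                                   "confirm mitigating controls are in place"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_policies(POLICIES):
        print(f"[{name}] {finding}")
```

Emergency access accounts (which DART also recommends creating) commonly appear as exclusions; the audit does not suppress them, so each one is surfaced for the compensating-control review the announcement calls for.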
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.