Password Spraying

Password spraying is a variant of a brute-force attack method that takes a large number of usernames and loops them with a single password, applying that to multiple accounts over a period of time to gain access into an environment.

Threat actors commonly start by using this technique on VPNs, cloud services and other applications. Once in an environment, threat actors might also perform password spraying to get access to other accounts and move laterally.

How To Prevent Password Spraying

The most effective way to prevent password spraying is by using two-factor or multifactor authentication.

Organizations can also monitor for persistence use — attempting to log in to multiple accounts via the same IP address — via their identity platforms. For Windows hosts, it’s important to also enable more robust logging capabilities to get visibility into password spraying attacks.

A dynamic blocklist can stop an attack in its early stages by automatically block IP addresses that are attempting to perform password spraying.

 

How To Remediate a Password Spraying Attack

To remediate an attack, IT should revoke the credential and issue a new credential or password, and rotate out the multifactor authentication token.