While many organizations may fail to fully deploy a SIEM solution due to complexity and lack of resources and staff to manage or fine-tune it, others may stand one up quickly for logging and compliance reasons. Learn more about how to replace your SIEM.
But can your SIEM actually detect and alert you on real security threats? We recently onboarded a customer and were able to test Blumira’s platform for a variety of detections across their endpoint detection and protection tools like VMware Carbon Black Managed Defense; Windows Active Directory and Windows Defender; a variety of cloud services – including Okta and Office 365; and other network tools such as Cisco Firepower Threat Defense (FTD) and Meraki.
Our testing process allows us to validate and determine the current state and impact of our service, while providing customers an understanding and assurance that we can detect certain threats within their environment.
Why Test for Password Spraying?
Password spraying is a common attack that can be prevented with the use of IP address blocking. Early detection can prevent unauthorized access by an attacker, limit lateral movement and stop a potential system compromise.
An attacker will attempt to authenticate to your network or applications by typing in multiple usernames paired with a single password, helping them evade detection by avoiding password lockouts. Password spraying can be used by attackers to discover weak passwords that can be used to move laterally throughout your environment.
In the example above, Blumira detected anomalous access attempts against several Cisco AnyConnect VPN users – which indicates that an attacker is using a password spraying attack to avoid password lockout and uncover weak passwords.
In addition to automatically detecting threats, Blumira’s platform includes threat response workflows that guide your team through response and remediation. In this case, we recommend blocking the source IPs of the attack, which can be done with one click. Blumira integrates with Cisco ASA firewall and FTD (Firepower Threat Defense) to allow for easy collection of logs (including those from AnyConnect), security analysis and actionable response.
Learn more in Automating Detection and Response With Cisco Firewalls & VPN.
What Applications Should I Test for Password Spraying Detection?
Organizations should ensure their SIEMs are properly ingesting logs and events from all externally-facing applications, such as VPNs (virtual private networks), cloud applications, single sign-on (SSO) and identity providers (IdP). They should also test their Windows servers and Active Directory.
How Can I Test If My Solution Can Detect Password Spraying?
DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users on a domain (from dafthack on GitHub).
Here’s an example from our engineering/security team at Blumira on how to test your password spraying detection for Windows OS/Active Directory, using DomainPasswordSpray:
- Download DomainPasswordSpray.ps1 from https://github.com/dafthack/DomainPasswordSpray
- Right-click DomainPasswordSpray.ps1 > click “Run PowerShell as Admin”
- CD **directory where script has been saved**
- Set-ExecutionPolicy Unrestricted
- Import-Module .\DomainPasswordSpray.ps1
- Invoke-DomainPasswordSpray -UserList usernames.txt -Domain YOURDOMAIN.local -PasswordList usernames.txt -OutFile sprayed-creds.txt
Note: There is a risk of account lockout associated with running this test, something to keep in mind if you get notified after testing your SIEM. Additionally, Blumira’s detection requires at least 30 users to test this detection against. We recommend pulling a list of around 100 users and saving it as usernames.txt for the sake of ease.
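To make clear what such a test exercises, here is an added example (not Blumira's detection logic and not part of the original post) of a distinct-account rule: it flags a source IP whose failed logons touch many different usernames inside a sliding window. The 30-account default borrows the figure from the note above; the 10-minute window, the event tuple layout and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def detect_spray(events, min_users=30, window=timedelta(minutes=10)):
    """Flag source IPs whose failed logons hit >= min_users distinct accounts
    inside one sliding window. events: (timestamp, source_ip, username, success).
    Returns {source_ip: peak distinct-account count}."""
    recent = defaultdict(deque)  # source_ip -> (timestamp, username) failures in window
    flagged = {}
    for ts, src, user, success in sorted(events, key=lambda e: e[0]):
        if success:
            continue
        q = recent[src]
        q.append((ts, user.lower()))
        while ts - q[0][0] > window:  # expire failures older than the window
            q.popleft()
        distinct = len({u for _, u in q})
        if distinct >= min_users:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


def build_sample_events():
    """Constructed sample data; addresses are RFC 5737 documentation ranges."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    events = []
    # Spray pattern: 40 accounts, one failure each, 5 seconds apart.
    events += [(t0 + timedelta(seconds=5 * i), "203.0.113.10", f"user{i:03d}", False)
               for i in range(40)]
    # One person mistyping their own password 40 times: many failures, one account.
    events += [(t0 + timedelta(seconds=5 * i), "198.51.100.7", "alice", False)
               for i in range(40)]
    # Slow pattern: 40 accounts, one failure per minute.
    events += [(t0 + timedelta(minutes=i), "192.0.2.5", f"user{i:03d}", False)
               for i in range(40)]
    events.append((t0, "198.51.100.7", "bob", True))  # a normal successful logon
    return events


if __name__ == "__main__":
    sample = build_sample_events()
    print(detect_spray(sample))                             # default 10-minute window
    print(detect_spray(sample, window=timedelta(hours=1)))  # wider window
```

With the default window only the fast source is flagged; the one-failure-per-minute source appears only when the window is widened, which is the tuning trade-off to check when a test spray does not raise an alert.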
Questions? Join our Q&A!
Join Sr. Incident Response Engineer Amanda Berlin and VP of Ops Patrick Garrity as they explain common threat detections your SIEM should be identifying and alerting you on. Sign up for our live session next Thursday at 1pm ET | 10am PT, Five Easy Ways to Test Your SIEM’s Detections.