Microsoft has created a new “guided hunting notebook” for Microsoft Sentinel users that’s designed to detect so-called “low and slow” password spray attacks, according to a Thursday announcement.
With the password spray attack scenario, commonly used or leaked passwords are tried across an organization by an attacker to gain a foothold. Organizations may have blocking mechanisms in place for repeated password-guessing attempts, and so attackers have been switching using slower approaches to avoid such lockouts.
The low and slow password spray attack method has “become more common,” explained Amritpal Singh, a Microsoft Threat Intelligence Center data scientist. Attackers are using various open source tools for these attacks, as well as proxy services to disguise themselves, he added.
Singh suggested that “sophisticated adversaries,” namely nation-state attackers, have been using these low-and-slow attack methods. They can extend for as long as “months or years.”
Low and slow sprays are a variant on traditional password spray attacks that are being increasingly used by sophisticated adversaries such as NOBELIUM, STRONTIUM and HOLMIUM. These adversaries can randomize client fields between each sign in attempt, including IP addresses, user agents and client application. Some adversaries are willing to let the password spray campaigns run at a very low frequency over a period of months or years, making detection challenging.
The new hunting guide notebook for low and slow password spray attacks uses machine learning to sort through obfuscations used by attackers. It detects anomalous fields for failed sign-in attempts and checks for “invariant properties,” too. Organizations can run the notebook in Sentinel, Microsoft’s security information and event management solution, “from the ‘Templates’ tab in the Notebooks blade.”
The notebook needs to churn through “lots of historical log data (typically going back at least several months).” It may have to check through “over 100,000 log data files,” Singh noted. It’s potentially costly to run it, but Singh suggested that organizations could optimally use the Microsoft Synapse Spark pool to massively parallelize this operation.
“The Azure ecosystem acts as the single pane of glass providing SIEM, data ETL, big data analytics and ML,” Singh stated.
Organizations using the notebook can get a list of suspect user agents that can be monitored or blocked, Singh suggested.
These user agents could be used as the basis of a custom Sentinel analytic rule to monitor for success. Alternatively, the user agents could be blocked using conditional access.
It’s also possible to correlate the targeted accounts with Sentinel security alerts “to determine if a successful compromise has taken place.”
About the Author
Kurt Mackie is senior news producer for 1105 Media’s Converge360 group.