2/21/2019
06:30 PM
Researchers Propose New Approach to Address Online Password-Guessing Attacks

Recommended best practices not effective against certain types of attacks, they say.

Automated online password-guessing attacks, where adversaries try numerous combinations of usernames and passwords to try and break into accounts, have emerged as a major threat to Web service providers in recent years.

Next week, two security researchers will present a paper at the Network and Distributed System Security Symposium (NDSS Symposium) in San Diego that proposes a new, more scalable approach to addressing the problem.

The approach — described in a paper titled "Distinguishing Attacks from Legitimate Authentication Traffic at Scale" — is designed specifically to address challenges posed by untargeted online password-guessing attacks. These are attacks where an adversary distributes password guesses across a very large range of accounts in an automated fashion.

Such "breadth-first" attacks are typically a lot harder to address for a large organization than a more targeted "depth-first" attack, where an attacker might try lots of password guesses against a relatively small number of online accounts, the research paper noted.

The typical approach to addressing online password attacks currently is to block or throttle repeated guesses against an account. The approach can work in depth-first attacks but is not very effective when password guesses are distributed against a wide range of accounts, the researchers said. "At large providers with tens, or hundreds, of millions of accounts, breadth-first attacks offer a way to send millions or even billions of guesses without ever triggering the depth-first defenses," they noted.

Cormac Herley, principal researcher at Microsoft Research and primary author of the report, says the challenge for organizations is figuring out a way to reliably distinguish legitimate traffic from attack traffic. "The traffic at an authentication password server is an unknown mixture of traffic from good users and attackers," he says.

Each request contains a username, password, and other data, such as IP address and browser information. It can be hard to distinguish requests from legitimate users attempting to log into their accounts from those from attackers trying to guess their way in, especially when attack volumes are large, Herley says. Companies like Microsoft, for instance, detect several million credential attacks against their identity systems on a daily basis.

The way to address this problem starts with figuring out the percentage of traffic on the network that is benign and the percentage that is attack traffic. "This sounds hard but is actually easy," Herley says.

Both attackers and legitimate users can fail a login attempt. "However, legit users fail maybe 5% or so of the time, while an attacker who is guessing fails [over] 99% of the time," he says.

Herley's research shows how organizations can use this fact to estimate the ratio of good to bad traffic among login requests. It shows how they can then use the estimate to identify the segments of traffic that contain the most attack traffic and the segments that have little or none. "Finding some portions that look clean allows us to learn what the traffic from legit users looks like so that we can punish traffic that deviates from that pattern more," Herley says.
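As an added illustration (not code from the paper, from Microsoft, or from the article), here is the mixture-model arithmetic the two paragraphs above describe, in Python: the 5% and 99% failure rates are the article's figures, while the /24 segment key and the sample login events are constructed assumptions. It estimates the attack share of the whole stream, then per segment, and picks out the segments that look clean.

```python
from collections import defaultdict

# Failure rates quoted in the article, used here as the estimator's assumptions.
LEGIT_FAIL = 0.05    # legitimate users fail ~5% of login attempts
ATTACK_FAIL = 0.99   # a guessing attacker fails >99% of attempts

def attack_share(fail_rate, legit_fail=LEGIT_FAIL, attack_fail=ATTACK_FAIL):
    """Invert the mixture fail_rate = (1 - a) * legit_fail + a * attack_fail
    for a, the estimated share of attempts that come from attackers.
    Clamped to [0, 1]: sampling noise can push the raw value outside."""
    a = (fail_rate - legit_fail) / (attack_fail - legit_fail)
    return min(1.0, max(0.0, a))

def overall_attack_share(attempts):
    """Step one in the article: the good/bad ratio of the whole stream.
    attempts is a list of (source_ip, succeeded) pairs."""
    fails = sum(1 for _, ok in attempts if not ok)
    return attack_share(fails / len(attempts))

def segment_stats(attempts, key):
    """Step two: split the stream by a segment key and estimate each
    segment's attack share from its own failure rate."""
    tally = defaultdict(lambda: [0, 0])        # segment -> [attempts, failures]
    for field, ok in attempts:
        seg = key(field)
        tally[seg][0] += 1
        tally[seg][1] += 0 if ok else 1
    return {seg: {"attempts": n, "fail_rate": f / n, "attack_share": attack_share(f / n)}
            for seg, (n, f) in tally.items()}

def clean_segments(stats, max_share=0.10):
    """Segments that look attack-free; the article uses these to learn what
    legitimate traffic looks like before penalising traffic that deviates."""
    return sorted(seg for seg, s in stats.items() if s["attack_share"] <= max_share)

def slash24(ip):
    """Constructed segment key: the /24 prefix of a dotted-quad source address."""
    return ip.rsplit(".", 1)[0]

# Constructed sample: two /24s carrying ordinary users (5% and 10% failures)
# and one /24 spraying guesses across many accounts (99% failures).
SAMPLE = ([("198.51.100.%d" % i, True) for i in range(19)] + [("198.51.100.7", False)]
          + [("203.0.113.%d" % i, True) for i in range(36)] + [("203.0.113.9", False)] * 4
          + [("192.0.2.%d" % i, False) for i in range(99)] + [("192.0.2.5", True)])

if __name__ == "__main__":
    print("overall attack share: %.2f" % overall_attack_share(SAMPLE))
    for seg, s in segment_stats(SAMPLE, slash24).items():
        print("%s/24: %3d attempts, fail rate %.2f, attack share %.2f"
              % (seg, s["attempts"], s["fail_rate"], s["attack_share"]))
```

The same inversion works for any segmentation (user agent, ASN, country) as long as the two population failure rates are well separated; with noisy small segments the clamp matters.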

The impetus for developing a new approach to online password attacks was the lack of innovation in the area. Account lockout approaches have been recommended for a very long time, with little effort put into understanding how effective they really are, Herley says.

There's little science or analysis, for instance, to show that a single, fixed account lockout threshold — for example, after 10 failed guesses — can work equally well for small organizations and those with massive user bases, such as Microsoft and Google, he says.

"We concluded that this problem needed a ground-up, systematic approach instead of the rag-bag of heuristics that were much-used but little studied," Herley says. The approach described in the paper is pretty easy for organizations to implement, he adds, and hinges on their gathering the right statistics from incoming traffic.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
REISEN1955,
User Rank: Ninja
3/1/2019 | 8:24:11 AM
Re: Breadth vs. Depth
Did not think of that, but some sites have about 5 increasing time-out periods before locking. And some are damn hard to get into anyway. Social Security asked about 5 questions about old loans that I totally forgot about or were sold to different financial carriers. Bad answers? Locked for 24 hours. Not easy to get into. Let's also get rid of admin/admin accounts for starters and default device passwords - inclusive of printers. Web hosts by printers is a great way to gain entry and an internal IP address. There was a Google search string years ago that provided the internal page of Office Jet printers around the world! With internal IP too. Oh, that is an open door. So passwords - make 'em complex and change every 3 months or even 2 better.
Joe Stanganelli,
User Rank: Ninja
2/27/2019 | 2:12:08 PM
Re: Breadth vs. Depth
3 might be rather stringent. There are times I can't get it right in 6 tries.

But one bit of advice I heard once was to have gradually increasingly long pauses/periods for each successive attempt. Need 5 tries to get your password right? No big deal. Need 3,000? Then you're obviously a bot and the login will be effectively DDoS'd.
REISEN1955,
User Rank: Ninja
2/27/2019 | 1:32:09 PM
Re: Breadth vs. Depth
This may seem really basic, but account lockout periods work too. 3 attempts and the account is locked for, oh, 15 or 20 min.
Joe Stanganelli,
User Rank: Ninja
2/25/2019 | 8:13:11 PM
Breadth vs. Depth
At the same time, aren't breadth-first attacks more common insofar as attackers seek/prefer low-hanging fruit?

I suppose certain targets are juicier than others, but assuming all things being equal and you don't have a red dot on you, preparing against breadth-first attacks first seems like a good idea, no?