Be aware of ‘Password Spray’ style attacks which target ADFS. Attackers no longer simply launch ‘Brute Force Attack’ to guess someone’s password to gain access – they are adopting a stealthier approach to automate this process over a longer time frame so they don’t trigger any alerts.
The FBI released this Alert in late March 2018: Brute Force Attacks Conducted by Cyber Actors. This “Slow and Low” method is evermore commonplace and one area in particular tat has been targeted to externally facing ADFS. Malicious traffic can be hidden/masked amongst genuine traffic and when successful this offers very valuable credentials possibly even across more than one organisation .
ADFS must be connected to the public internet to work so it offers an attack vector. Review the informative article from Beau Bullock @ BlackHills InfoSec. Once you have determined the valid accounts, simply try all accounts with one password at a time and this should leave enough time between each attempt to allow the “lockout threshold” timeout to expire.
If ADFS itself is could be compromised to gain entry, then how can we improve the security around this authentication mechanism?
On 5 March 2018, Microsoft released an article on Azure AD and ADFS best practices –’ Defending against password spray attacks’, which covers how multi-factor authentication (MFA) and a number of other elements can be applied to improve security. Subsequently Microsoft released an updated and more improved article – ‘Monitor your ADFS sign-in activity using Azure AD Connect Health’s risky IP reports’.
With Azure AD Connect Health, Microsoft’s “Risky IP Reports” :
– Easily detect risky external IP addresses that are generating large numbers of failed logins
– Get instant email notifications when risky IP addresses are detected
– Download detailed reports to perform offline analysis or share within your organisation
– Customise your threshold settings to match the security policy of your organisation
A mechanism to differentiate a single user attack pattern versus multi-user attack pattern.
One simple indicator of malicious activity is: “Unique Users Attempted” ( a count of unique user accounts attempted from the IP address during the detection time window. This provides a mechanism to differentiate a single user attack pattern versus multi-user attack pattern.)
