One of my biggest use cases when working with GenAI apps is to leverage them to help with research in the area of Cyber Threat Intelligence - to stay aware of the latest cyber attack methods, tactics, techniques, and the ways that defenders can detect them.
Yesterday evening I came across an article with an eye-catching title referencing a recent attack on Microsoft - attributed to a well-known Russian adversary group - that looks to have had significant impact. Here’s the headline in the post from Bleeping Computer:
Microsoft says Russian hackers breached its systems, accessed source code.
The post includes details on the success of this attack, the concerning impact of it, some weak security practices that the attackers took advantage of, and that the primary attack vector was a password spray attack.
So of course this morning I thought it would be fun to ask some of the GenAI chatbots I use for their suggestions on how to defend against an attack like this.
The AI apps I asked for guidance today are:
Copilot
Gemini Pro
Perplexity - using the Mistral Large model
Poe - using the Claude-3-Opus-200k model
Pi
The prompt I gave them is:
What are some of the security measures a large organization can use to defend against password spray attacks from a nation state level adversary?
All of the responses were strong on this query. Multi-factor authentication (MFA), enforcing strong password policies, and educating users were mentioned by all of the apps. Some other good recommendations included:
Account Lockouts
Resetting user passwords
Applying the principle of Least Privilege
Network segmentation and Access Control Lists (ACLs)
Geographical and Time-based Restrictions on logins
User education / awareness training
I think Gemini Pro offered the overall best response today, nicely broken down into three sections:
Core Protections:
Strong Password Policies: Mandate complex passwords (length, special characters, etc.) and regular changes.
Multi-Factor Authentication (MFA): Require an additional factor beyond a password (phone code, authenticator app, biometrics). This is the single most effective defense.
Account Lockout: Block user accounts after a limited number of failed login attempts.
IP Restrictions: Limit login attempts to specific IP ranges when possible.
Advanced Tactics:
Passwordless Authentication: Eliminate passwords entirely using methods like FIDO2 keys or biometrics.
Honeypots: Set up fake accounts to lure attackers and monitor their behavior.
Deception Technology: Deploy deceptive resources (fake files, credentials) to trick and expose adversaries.
Zero Trust Architecture: Assume no user or device is inherently trusted; continuously verify throughout the network.
Detection & Response:
Threat Intelligence: Use threat feeds to flag known malicious IPs and leaked password lists.
Behavior Analysis: Monitor for unusual login patterns (time of day, location, failed attempts) indicating an attack.
Active Directory Protection: Implement tools specifically for protecting and monitoring Active Directory, if used.
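The Behavior Analysis item above is where a password spray looks different from a single-account brute force: a few attempts against many accounts, each staying under the lockout threshold. As an added example that is not from any of the chatbots or from the original post, here is a small Python detector run over constructed log lines; the log format, the thresholds and the IP addresses are assumptions.

```python
"""Password-spray detector over constructed auth log lines (added example).
Per-account lockout misses a spray; aggregating failures per source does not."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, not from any real system.
SAMPLE_LOG = """\
2024-01-12T09:00:01Z FAIL user=alice src=203.0.113.10
2024-01-12T09:00:03Z FAIL user=bob src=203.0.113.10
2024-01-12T09:00:05Z FAIL user=carol src=203.0.113.10
2024-01-12T09:00:07Z FAIL user=dave src=203.0.113.10
2024-01-12T09:00:09Z FAIL user=erin src=203.0.113.10
2024-01-12T09:00:11Z SUCCESS user=erin src=203.0.113.10
2024-01-12T09:01:00Z FAIL user=frank src=198.51.100.7
2024-01-12T09:01:02Z FAIL user=frank src=198.51.100.7
2024-01-12T09:01:04Z FAIL user=frank src=198.51.100.7
2024-01-12T09:01:06Z FAIL user=frank src=198.51.100.7
2024-01-12T09:30:00Z FAIL user=grace src=192.0.2.5
"""

def parse(line):
    ts, result, user, src = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result,
            user.split("=", 1)[1], src.split("=", 1)[1])

def detect_spray(log, window=timedelta(minutes=10), min_accounts=5,
                 max_per_account=3):
    """Return {src: targeted users} for sources whose failures within any
    `window` hit >= min_accounts accounts at <= max_per_account each."""
    events = sorted(parse(l) for l in log.splitlines() if l.strip())
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            by_src[src].append((ts, user))
    flagged = {}
    for src, fails in by_src.items():
        start = 0  # sliding window over this source's failures, oldest first
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            counts = defaultdict(int)
            for _, user in fails[start:end + 1]:
                counts[user] += 1
            # Many accounts, few tries each: spray. One account, many tries: brute force.
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                flagged[src] = sorted(counts)
    return flagged

def successes_after_spray(log, flagged):
    """Successful logins from a flagged source: candidates for a forced reset."""
    return sorted({u for _, r, u, s in map(parse, log.splitlines())
                   if r == "SUCCESS" and s in flagged})
```

The brute-force source against one account and the lone failure are left alone, while the source that hit five accounts once each is flagged together with the account it eventually got into.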
This morning’s response from these GenAI tools is another great example of AI in copilot mode. The suggestions are not perfect. They would likely not be put to use in a ‘right out of the box’ way. They do serve as an excellent starting point for a cybersecurity team’s discussion or review of their current defenses against password spray attacks though.