Best Practices to Mitigate Password-Spraying Attacks
2 months ago
Article Number
000073069
Applies To

RSA Product Set: ID Plus
RSA Product/Service Type: Cloud Access Service

Issue

Password spraying and credential stuffing are common threats that succeed when authentication practices are not sufficiently robust. These attacks are frequently routed through the Tor (The Onion Router) network, whose anonymity and constantly changing exit-node addresses let attackers evade IP-based blocking and detection while targeting exposed systems.
Password spraying involves an attacker trying a small set of common passwords against many usernames, "spraying" each password across accounts only a few times at a time so that no single account reaches its lockout threshold. Credential stuffing uses username and password pairs stolen from one breach to automate login attempts against other services, exploiting users' tendency to reuse passwords.

RSA identifies potential password spray attacks by tracking authentication attempts in which the provided user ID does not match a valid user in the system. A small volume of such traffic is normal, for example, when a valid user mistypes their username. However, for some customers, the volume of this traffic cannot be explained by such "normal" activity. In these instances, RSA has implemented alerting systems to notify administrators of a potential attack, and they can refer to the security features outlined in this advisory to assess the situation and implement any necessary mitigations. 

Resolution

To address these threats, the following security features have been implemented in ID Plus to enhance overall protection:

  • Rate Limiting: To prevent system overload and maintain service integrity, rate limiting has been applied to authentication attempts that result in the "20300" error code. Rate limiting applies to "user not found" events and is reflected in both the User Event Monitor and the event log. When these failed authentication attempts exceed a defined threshold, the system summarizes the events to improve log clarity and reduce noise.
  • Monitor and Alert on Suspicious Activity: Automated alerts notify administrators when suspicious activity, such as repeated "user not found" errors, is detected. Administrators receive email notifications about the relevant events so that potential attacks or unusual patterns are not missed. If administrators receive an alert, they can analyze the System Event Monitor and User Event Monitor. In the System Event Monitor, administrators can review events with ID "20307", which provide an estimate of the scale of the issue and when it occurred. The message reads, "Possible password spray attack detected," along with an estimate of how many such events occurred within the past hour. Next, administrators can review the User Event Monitor. While most "20300" events are suppressed by rate limiting, a small percentage is still logged each hour. Administrators can analyze these messages to identify the targeted endpoints or applications and determine which ones need better security. Administrators can filter the User Event Monitor by Event Code (for example, 20300) for easier review.
  • RADIUS Authentication Rate Limiting for Failed Attempts: Rate limiting has been applied to RADIUS authentication for failed login attempts, including "User Not Found" attempts. Administrators are encouraged to keep Identity Routers (IDRs) up-to-date with the latest versions to benefit from this feature. 
  • Network Zone Configuration: A Network Zone is a defined boundary that allows you to control access to computers and devices within your organization based on the IP addresses requesting access. In the Cloud Administration Console, administrators can create and configure a network zone by specifying individual IP addresses or IP address ranges to either grant or restrict access accordingly. Trusted zones allow access from specified IPs, while restricted zones block access from untrusted or unauthorized sources. To use this feature, administrators are encouraged to update their IDRs to the latest version. Various system configurations can utilize network zones. For example, you can set a network zone for API clients to control which clients are permitted to use the API key. 
  • Authentication Dashboard Monitoring: The Authentication Dashboard gives administrators visibility into authentication attempts, helping to identify trends or failed login attempts. By regularly monitoring this dashboard, administrators can better understand system behavior, identify potential security threats, and respond early to any issues. However, password spray attempts are detected and blocked early, before they reach the Authentication Dashboard, so they do not appear in its graphs; a quiet dashboard therefore does not by itself rule out an ongoing spray, and the 20307 and 20300 events described above remain the indicators to check.
  • Cloud Administration Console Notification: To improve awareness and response, a warning notification will be displayed on the Cloud Administration Console Dashboard, ensuring administrators are promptly alerted to potential password-spraying attack threats. 


Specific Mitigations for Remote Access VPN Services

To protect Remote Access VPN services from password-spray attacks, the following mitigations are recommended. Work with your VPN vendor, as they may offer vendor-specific controls, but the common strategies below apply regardless of vendor:

  • Enable Logging: Ensure detailed VPN access logs are captured and forwarded to a remote syslog server for centralized analysis and improved incident response.
  • Monitor for Abnormal Behavior: Use syslog monitoring to detect password-spray attacks through patterns, such as repeated failed login attempts across multiple user accounts. Early detection helps prevent attacks from consuming system resources and ensures valid user access is not impacted.
  • Rate Limiting & Account Lockout: Enforce rate limiting and account lockout after multiple failed attempts to stop brute-force attacks. After a set number of failed attempts, accounts are temporarily locked, preventing further access attempts. Because spraying is designed to stay below per-account lockout thresholds, pair account lockout with per-source rate limiting so that a single source failing against many different accounts is also throttled.
  • Use Multi-Factor Authentication (MFA): Enforce MFA to add an additional layer of protection, ensuring unauthorized access is blocked even if passwords are compromised.
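The event review described under "Monitor and Alert on Suspicious Activity" and the syslog monitoring recommended for VPN services rely on the same detection logic: many distinct usernames failing from one source, each tried only a few times, as opposed to one account being hammered. The following is an added example of that logic, not RSA's code or any VPN vendor's; the syslog line format, field names (user=, src=, reason=), hostnames and IP addresses are all constructed for illustration. It also produces the hourly "user not found" count that mirrors the estimate carried in the 20307 event, and lists successful logins from a source already flagged for spraying, which are the accounts to reset first.

```python
"""Password-spray detection over constructed VPN auth syslog lines.

Added example, not RSA's code. The log format, field names (user=, src=,
reason=), hostnames and IP addresses are constructed for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: 198.51.100.7 sprays one attempt per account across many
# accounts (and gets into "grace"); 203.0.113.9 hammers a single account;
# 192.0.2.44 is a legitimate user who mistypes a password twice.
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z vpn1 auth FAILED user=alice src=198.51.100.7 reason=bad_password
2024-05-01T10:00:04Z vpn1 auth FAILED user=bob src=198.51.100.7 reason=bad_password
2024-05-01T10:00:07Z vpn1 auth FAILED user=carol src=198.51.100.7 reason=bad_password
2024-05-01T10:00:10Z vpn1 auth FAILED user=dave src=198.51.100.7 reason=bad_password
2024-05-01T10:00:13Z vpn1 auth FAILED user=erin src=198.51.100.7 reason=user_not_found
2024-05-01T10:00:16Z vpn1 auth FAILED user=frank src=198.51.100.7 reason=user_not_found
2024-05-01T10:00:19Z vpn1 auth OK user=grace src=198.51.100.7
2024-05-01T10:01:00Z vpn1 auth FAILED user=admin src=203.0.113.9 reason=bad_password
2024-05-01T10:01:02Z vpn1 auth FAILED user=admin src=203.0.113.9 reason=bad_password
2024-05-01T10:01:04Z vpn1 auth FAILED user=admin src=203.0.113.9 reason=bad_password
2024-05-01T10:01:06Z vpn1 auth FAILED user=admin src=203.0.113.9 reason=bad_password
2024-05-01T10:01:08Z vpn1 auth FAILED user=admin src=203.0.113.9 reason=bad_password
2024-05-01T10:02:00Z vpn1 auth FAILED user=heidi src=192.0.2.44 reason=bad_password
2024-05-01T10:02:30Z vpn1 auth FAILED user=heidi src=192.0.2.44 reason=bad_password
2024-05-01T10:03:00Z vpn1 auth OK user=heidi src=192.0.2.44
"""


def parse_line(line):
    """Parse one constructed 'ts host auth STATUS k=v ...' line; None if not an auth event."""
    parts = line.split()
    if len(parts) < 5 or parts[2] != "auth":
        return None
    ev = {"ts": datetime.fromisoformat(parts[0].replace("Z", "+00:00")),
          "host": parts[1], "status": parts[3]}
    for item in parts[4:]:
        key, _, value = item.partition("=")
        ev[key] = value
    return ev


def parse_logs(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Sources that fail against >= min_users distinct accounts within `window`
    while hitting each account at most max_per_user times: the spray shape
    (many users, few tries each) that per-account lockout alone does not catch.
    Returns {src: sorted targeted usernames}."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["status"] == "FAILED":
            by_src[ev["src"]].append(ev)
    flagged = defaultdict(set)
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start, in_window = 0, Counter()
        for ev in fails:
            in_window[ev["user"]] += 1
            # slide the left edge so the window spans at most `window`
            while ev["ts"] - fails[start]["ts"] > window:
                old = fails[start]["user"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_users and max(in_window.values()) <= max_per_user:
                flagged[src].update(in_window)
    return {src: sorted(users) for src, users in flagged.items()}


def detect_brute_force(events, min_attempts=5):
    """(src, user) pairs with >= min_attempts failures: the single-account pattern
    that lockout thresholds are designed for, shown for contrast with spraying."""
    hits = Counter((ev["src"], ev["user"]) for ev in events if ev["status"] == "FAILED")
    return {k: n for k, n in hits.items() if n >= min_attempts}


def unknown_user_summary(events):
    """Hourly count of failures against non-existent usernames, the signal that
    ID Plus summarizes as a 'possible password spray' estimate per hour."""
    hours = Counter()
    for ev in events:
        if ev["status"] == "FAILED" and ev.get("reason") == "user_not_found":
            hours[ev["ts"].replace(minute=0, second=0).isoformat()] += 1
    return dict(hours)


def successful_logins_from(events, flagged_sources):
    """Successful logins from a source already flagged for spraying: the accounts
    to treat as likely compromised and reset first."""
    return sorted((ev["src"], ev["user"]) for ev in events
                  if ev["status"] == "OK" and ev["src"] in flagged_sources)


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    spray = detect_spray(evs)
    print("spray sources:", spray)
    print("brute force:", detect_brute_force(evs))
    print("unknown-user failures per hour:", unknown_user_summary(evs))
    print("likely compromised:", successful_logins_from(evs, spray))
```

The thresholds (five distinct users in ten minutes, at most two tries per user) are illustrative and should be tuned against a baseline of normal mistyped logins before alerting on them; the point of the `max_per_user` bound is that a spray and a brute force produce different shapes in the same log, and the controls that stop one (account lockout) do not stop the other (per-source throttling and MFA do).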