
Sprocket Attended Cyphercon on April 4

Sprocket sponsored CypherCon in Milwaukee, WI. The conference was held at the Baird Center on 4/4/24.

Sprocket was thrilled to be a proud sponsor of CypherCon in Milwaukee, WI. From its inception, CypherCon has been dedicated to uniting the globe's foremost hackers and technology enthusiasts in Wisconsin. It is the largest technology conference in the state and an annual hacker conference. This extraordinary event was held at the Baird Center (formerly known as the Wisconsin Center).

Sprocket's own Nicholas Anastasi will present "What the Hell is Azure AD Smart Lockout?" at the conference this year.

Abstract

Password spraying has always been one of the cornerstones of any penetration tester’s tool belt. With the advent of cloud-hosted services and a diabolical plot by Microsoft to lock all organizations into a lifelong monthly subscription service, attackers have begun to face modern security controls that are on to our nefarious tactics. Microsoft has built controls into their authentication endpoints to detect and block password spraying attempts at scale. The controls are on by default and protect every organization utilizing their services. The days of spraying Microsoft Exchange, accessing the VPN, and grabbing domain admin in under eight hours are over.

Microsoft has bragged for years now that they process millions of login attempts daily and have built security controls to detect even the most evasive password-spraying methodologies. These detection techniques depend on supervised machine-learning models. They have coined this machine learning model, which is mainly shrouded in mystery, Azure AD Smart Lockout. Let’s try to beat it.

Machine learning models used for detection always have an edge case and breaking point. Using modern web scraping technologies and unique evasion techniques, it is possible to very closely mimic real-world user authentication attempts, making detection of password spraying extremely difficult for Microsoft.

During this talk, we will be breaking down what we believe is the process Microsoft uses to facilitate Azure AD Smart Lockout and attempt to bypass it to allow for password spraying attacks at scale. Using these techniques tactfully, an attacker could successfully guess their way into user accounts like in the olden days. We might not get domain administrator access, but we can still show a lot of impact.

Even if Microsoft successfully begins to detect these evasion techniques, and they will, you should walk away from this talk with a better knowledge of what SaaS platforms are doing to protect your user accounts. If we just figured this all out, actual threat groups and APTs probably have been doing it for years. At the end of the presentation, it should become clear that an in-depth defense strategy is critical to securing an organization, and depending on the big five to protect your users out of the box isn’t the way to go.

About Nicholas Anastasi

Nicholas Anastasi started his career in cybersecurity at Sprocket Security and hasn’t looked back. Continuous Penetration Testing is all he knows, and during his day-to-day, he leads the penetration testing team, writes a ton of Python, and works tirelessly to improve the Continuous Penetration Testing process. In his free time, Nicholas enjoys running, eating too much candy, and working on his homelab.

About Cyphercon

CypherCon is the largest technology conference in the state and an annual hacker conference based in Milwaukee, Wisconsin. We enjoy puzzles, mystery, and discovery. We pride ourselves on a unique culture that focuses heavily on retro-futuristic 70s, 80s, 90s, and 00s hacker culture, blending the art of dancing between fantasy and reality. Our core event consists of several tracks of speakers about computer- and hacking-related subjects, as well as cyber-security challenges and competitions. In addition, we publish puzzles made by the community in unique story worlds. Lastly, we offer a blank canvas for hacker specializations run by volunteers, called villages.

Presentation topics include Cyphers, Hacking, Information Security, Cryptography, Forensics, and other hacker, cypherpunk, and cyberpunk oriented topics. We also offer presentations for career development, security leadership, and risk.

For tickets, agenda information, and more please visit https://cyphercon.com/

Media Contact

Marketing, Sprocket Security
marketing@sprocketsecurity.com