Knowing the credentials for any user account in your network gives an adversary significant power. After logging on as a legitimate user, they can move laterally to other systems and escalate their privileges to deploy ransomware, steal critical data, disrupt vital operations and more.

Most organizations know this, and take steps to protect user credentials. In particular, they use Active Directory password policy to enforce password length, complexity and history requirements, and they establish a policy to lock out an account after a certain number of failed logon attempts.

Even with these controls in place, many people choose easily guessable passwords like Winter2017, because such passwords comply with company standards but are easy to remember. These weak passwords leave the organization vulnerable to one of the simplest attacks that adversaries use to gain a foothold in a network: guessing. You might be surprised at just how well this strategy works. Let’s walk through an example of a password guessing attack, and then explore how you can assess your vulnerability and strengthen your cybersecurity.
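To make the gap between "complies with policy" and "hard to guess" concrete, here is an added example (not code from the original article) that models the Windows "Password must meet complexity requirements" rule as Microsoft documents it and then checks the same candidates against the season/month/company-name-plus-year patterns an attacker tries first. The complexity model, the minimum length of 8, the candidate list, the user jsmith / John Smith and the organization name Contoso are all assumptions constructed for the example.

```python
import re
import string

# Assumed domain setting for the example (Default Domain Policy style).
MIN_PASSWORD_LENGTH = 8

# Delimiters Windows uses when splitting displayName into tokens.
DISPLAY_NAME_DELIMITERS = r"[,.\-_ #\t]+"

# Common substitutions people use to satisfy the "special character" and
# "digit" categories without making the password any harder to guess.
LEET_MAP = str.maketrans("@$0134", "asoiea")

SEASONS = {"spring", "summer", "autumn", "fall", "winter"}
MONTHS = {"january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"}
WEAK_WORDS = {"password", "welcome", "letmein", "changeme", "qwerty"}

# Constructed candidates: what users actually pick under such a policy.
SAMPLE_CANDIDATES = [
    "Winter2017", "winter2017", "Smith2017!", "P@ssw0rd",
    "Contoso2018!", "r7#Kq2!vLm9$x",
]


def category_count(password: str) -> int:
    """Count the five Windows character categories present in the password.
    Approximation: 'special' is modelled as ASCII punctuation."""
    upper = any(c.isupper() for c in password)
    lower = any(c.islower() for c in password)
    digit = any(c in "0123456789" for c in password)
    special = any(c in string.punctuation for c in password)
    other_alpha = any(c.isalpha() and not c.isupper() and not c.islower()
                      for c in password)
    return sum([upper, lower, digit, special, other_alpha])


def meets_ad_complexity(password: str, sam_account_name: str,
                        display_name: str,
                        min_length: int = MIN_PASSWORD_LENGTH) -> bool:
    """Model of the AD complexity rule (assumption: faithful enough for this
    demonstration, not the real LSA code):
    - at least min_length characters;
    - must not contain samAccountName (ignored if shorter than 3 chars);
    - must not contain any displayName token of 3+ chars;
    - at least 3 of the 5 character categories."""
    if len(password) < min_length:
        return False
    pw_lower = password.lower()
    if len(sam_account_name) >= 3 and sam_account_name.lower() in pw_lower:
        return False
    for token in re.split(DISPLAY_NAME_DELIMITERS, display_name):
        if len(token) >= 3 and token.lower() in pw_lower:
            return False
    return category_count(password) >= 3


def looks_guessable(password: str, org_words=()) -> bool:
    """Flag <word><year/digits><symbol> passwords where <word> is a season,
    a month, a stock weak word or the organization's name, after undoing
    common leetspeak. These pass complexity but top every guessing list."""
    m = re.fullmatch(r"(.+?)(\d{1,4})?([!@#$%*]{0,2})", password)
    if not m:
        return False
    word = m.group(1).lower().translate(LEET_MAP)
    guessable_words = SEASONS | MONTHS | WEAK_WORDS | {w.lower() for w in org_words}
    return word in guessable_words


def assess_candidates(candidates, sam_account_name: str, display_name: str,
                      org_words=()):
    """Return (password, meets_policy, guessable) for each candidate, so the
    ones that are both compliant and guessable stand out."""
    return [(pw,
             meets_ad_complexity(pw, sam_account_name, display_name),
             looks_guessable(pw, org_words))
            for pw in candidates]


if __name__ == "__main__":
    for pw, ok, weak in assess_candidates(SAMPLE_CANDIDATES, "jsmith",
                                          "John Smith", ("Contoso",)):
        verdict = "COMPLIANT BUT GUESSABLE" if ok and weak else (
            "compliant" if ok else "rejected by policy")
        print(f"{pw:16} {verdict}")
```

Running the block shows that Winter2017, P@ssw0rd and Contoso2018! all satisfy the modelled policy while being exactly the guesses an attacker tries first; the policy only rejects winter2017 (two categories) and Smith2017! (contains a displayName token). The lockout threshold limits how many of these guesses can be made per account, not whether the first guess is right.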