Educause Security Discussion mailing list archives

Re: Measures of detecting breached email accounts


From: Joseph Tam <tam () MATH UBC CA>
Date: Tue, 5 Dec 2017 16:54:50 -0800

On Mon, 04 Dec 2017 23:19:28 +0000, Keenan Martinez said:

Following which, the IP address field is uploaded to
(http://www.bulkseotools.com/bulk-ip-to-location.php) allowing for the
conversion of an IP address to country.

This has a 500 IP limit, which implies you have a relatively small
userbase.  It's easier to characterize "unusual" for a small pool of
users, rather than, say, 30000 undergraduate students.

I would suggest building your own GeoIP lookup system (you can cobble
the data from free sources) and do the lookup real-time.

On Mon, 4 Dec 2017, Valdis Kletnieks wrote:

Doing exception analysis on successful *and failed* logins is a good
start - and done a *lot* more frequently than "monthly".  You'll very
quickly learn to tell the difference between dictionary attacks trying
to get into *any* userid, and targeted attacks on a specific user - if
one of your VPs is hit overnight with 17 failed login attempts from
Ukraine while they're sleeping in the Caribbean night, you have a
potential problem.

Sounding the alarm on failed login attempts will have me looking at
logs every minute, night and day.  Even at my modest installation,
this happens far too frequently to be considered a useful trigger for
notification: it's not anomalous, it's background radiation.

In the context of email accounts, here are some anomalous things you
could look for:

        - unusual volume, especially at unusual times
        - unusual volume of failed deliveries (e.g. unknown user).
        - unusual login origin (Ukraine? Romania? Tunisia? etc.)
                The larger and more diverse your userbase, the
                harder this gets to discern.
        - number of different successful login locales within a
                time interval (*)
        - blacklist monitoring
        - egress spam filtering/statistics

I implemented (*) after stumbling on a compromised account that went
undetected for months because the intruder kept their outbound volume
low and stayed under the radar.  The account owner was not sophisticated
enough to interpret the bounce messages and didn't report it.  Having 3
logins within an hour on different continents is red-alert suspicious.

Joseph Tam <tam () math ubc ca>
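A worked version of the (*) heuristic from the list above: a sliding window over successful logins per account that fires when three or more continents appear within an hour. This is an added example, not code from the poster or the list; the log format, the country-to-continent table and the thresholds are assumptions, and a real deployment would use a GeoIP database as the post suggests.

```python
"""Flag accounts whose successful logins span too many continents within a
short window.  Log format, continent table and thresholds are assumed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed country -> continent table; replace with a GeoIP lookup.
CONTINENT = {"CA": "NA", "US": "NA", "UA": "EU", "RO": "EU", "TN": "AF", "BR": "SA"}

# Constructed sample of successful logins: "<ISO timestamp> <user> <country>"
SAMPLE_LOG = """\
2017-12-05T08:01:10 alice CA
2017-12-05T08:20:33 alice UA
2017-12-05T08:45:02 alice TN
2017-12-05T09:30:00 bob CA
2017-12-05T10:05:00 bob US
2017-12-05T14:00:00 bob BR
"""


def parse(log):
    """Yield (timestamp, user, continent) for each successful-login line."""
    for line in log.splitlines():
        ts, user, cc = line.split()
        yield datetime.fromisoformat(ts), user, CONTINENT.get(cc, "??")


def suspicious_users(log, window=timedelta(hours=1), min_continents=3):
    """Return {user: (window_start, continents)} for accounts whose logins
    came from at least `min_continents` continents inside one `window`."""
    recent = defaultdict(deque)  # per-user sliding window of (ts, continent)
    hits = {}
    for ts, user, cont in sorted(parse(log)):
        q = recent[user]
        q.append((ts, cont))
        while q and ts - q[0][0] > window:  # drop logins older than the window
            q.popleft()
        seen = {c for _, c in q}
        if len(seen) >= min_continents and user not in hits:
            hits[user] = (q[0][0], seen)
    return hits


if __name__ == "__main__":
    for user, (start, conts) in suspicious_users(SAMPLE_LOG).items():
        print(f"ALERT {user}: {len(conts)} continents within 1h of {start}: {sorted(conts)}")
```

With the sample above, alice (North America, Europe and Africa within 44 minutes) is flagged; bob's two North American logins and a later South American one four hours apart are not.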
