Educause Security Discussion mailing list archives

Re: Measures of detecting breached email accounts


From: Valdis Kletnieks <valdis.kletnieks () VT EDU>
Date: Mon, 4 Dec 2017 21:56:56 -0500

On Mon, 04 Dec 2017 23:19:28 +0000, Keenan Martinez said:

I am inquiring about techniques members undertake to proactively detect
breached email accounts and how the process of converting IP addresses to
countries can be simplified?

Doing exception analysis on successful *and failed* logins is a good start -
and done a *lot* more frequently than "monthly".  You'll very quickly learn to
tell the difference between dictionary attacks trying to get into *any* userid, and
targeted attacks on a specific user - if one of your VPs is hit overnight with 17 failed
login attempts from Ukraine while they're sleeping in the Caribbean night, you have
a potential problem.

Another thing to monitor is for unusual traffic patterns, both inbound and outbound.
For instance, my userid gets a *lot* of inbound mail from software-related lists, and lots of
usually small outbound mail to pretty much all over the planet.  But if I suddenly send out
a series of 28 outbound emails that are 17M in size each, it might indicate that my userid
has been compromised and is being used to exfiltrate sensitive data.

Also, look at traffic levels for things other than email - http/https, ftp, and so on.  Suddenly
high traffic levels from a user/machine that hasn't been historically very active is a possible
sign of a problem - especially large volumes of outbound data indicating possible uploads
of sensitive info.

There's not a lot of "proactive detection" that you can really do - in most
cases, you're either reacting to logs/audit trails, or doing proactive stuff up
front to *prevent* the breach in the first place.

Stuff like the SANS "Securing the Human" is helpful to get your users up to speed.
Checking for easily broken passwords, enforcing stronger passwords and/or multi-factor
authentication for users with critical access, making sure that your users have their
machines patched and appropriate security/AV software installed and up to date..

etc etc etc.  All the usual "how to keep your users from being hacked/phished" stuff....
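As an added illustration of the login exception analysis described above (this is example code, not part of the original thread), the script below runs over a few constructed auth-log lines, maps source IPs to countries through a placeholder prefix table standing in for a real GeoIP lookup, and separates a targeted guessing run against one userid from a dictionary attack spread across many userids. The log format, the userids and the IP-to-country table are all constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample data (not from the post): a VP whose only successful login
# came from a Caribbean address, then 17 overnight failures against that userid
# from one Ukrainian address, plus one source trying many different userids.
AUTH_LOG = (
    ["2017-12-04T18:02:11 user=vp.jane result=OK src=198.51.100.5"]
    + [f"2017-12-05T03:{m:02d}:00 user=vp.jane result=FAIL src=203.0.113.7" for m in range(17)]
    + [f"2017-12-05T04:00:{s:02d} user={u} result=FAIL src=192.0.2.9"
       for s, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    + ["2017-12-05T08:30:00 user=bob result=OK src=198.51.100.22"]
)
# Placeholder for a real GeoIP lookup: a constructed /24-prefix -> country table.
GEO_PREFIXES = {"198.51.100.": "KY", "203.0.113.": "UA", "192.0.2.": "RU"}
LINE_RE = re.compile(r"user=(?P<user>\S+) result=(?P<result>OK|FAIL) src=(?P<src>\S+)")

def country_of(ip):
    """Map an IP to a country code; '??' when no prefix matches."""
    for prefix, cc in GEO_PREFIXES.items():
        if ip.startswith(prefix):
            return cc
    return "??"

def analyze(lines, fail_threshold=10, spray_threshold=5):
    """Return (targeted, dictionary) findings from parsed login records.
    targeted:   {user: {country: failures}} when a user has >= fail_threshold
                failures from a country they never logged in from successfully.
    dictionary: {src: distinct_userids} when one source failed against
                >= spray_threshold different userids (password guessing)."""
    ok_countries = defaultdict(set)    # user -> countries of successful logins
    fails = defaultdict(Counter)       # user -> failures per country
    users_per_src = defaultdict(set)   # source IP -> userids it failed against
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue                   # ignore lines that do not parse
        cc = country_of(m["src"])
        if m["result"] == "OK":
            ok_countries[m["user"]].add(cc)
        else:
            fails[m["user"]][cc] += 1
            users_per_src[m["src"]].add(m["user"])
    targeted = {u: {cc: n for cc, n in c.items()
                    if n >= fail_threshold and cc not in ok_countries[u]}
                for u, c in fails.items()}
    targeted = {u: d for u, d in targeted.items() if d}   # drop users with nothing flagged
    dictionary = {s: len(us) for s, us in users_per_src.items() if len(us) >= spray_threshold}
    return targeted, dictionary
```

On the constructed data, `analyze(AUTH_LOG)` returns `({'vp.jane': {'UA': 17}}, {'192.0.2.9': 6})`: the VP's userid is flagged as a targeted attempt from a country they have never logged in from, and the single source that failed against six different userids is flagged as a dictionary attack.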
