Re: Measures of detecting breached email accounts

[Keenan Martinez <0000004218ecec53-dmarc-request () LISTSERV EDUCAUSE EDU>]

Valdis,

Thank you for your feedback. Your recommendations will be added to my list of techniques.

All the best.

On 04/12/2017, 11:07 pm, "The EDUCAUSE Security Constituent Group Listserv on behalf of Valdis Kletnieks" <SECURITY () 
LISTSERV EDUCAUSE EDU on behalf of valdis.kletnieks () VT EDU> wrote:

    On Mon, 04 Dec 2017 23:19:28 +0000, Keenan Martinez said:

    > I am inquiring about techniques members undertake to proactively detect
    > breached email accounts and how the process of converting IP addresses to
    > countries be simplified?

    Doing exception analysis on successful *and failed* logins is a good start -
    and done a *lot* more frequently than "monthly".  You'll very quickly learn to
    tell the difference between dictionary attacks trying to get into *any* userid, and
    targeted attacks on a specific user - if one of your VPs is hit overnight with 17 failed
    login attempts from Ukraine while they're sleeping in the Carribean night, you have
    a potential problem.

    Another thing to monitor is for unusual traffic patterns, both inbound and outbound.
    For instance, my userid gets a *lot* of inbound mail from software-related lists, and lots of
    usually small outbound mail to pretty much all over the planet.  But if I suddenly send out
    a series of 28 outbound emails that are 17M in size each, it might indicate that my userid
    has been compromised and is being used to exfiltrate sensitive data.

    Also, look at traffic levels for things other than email - http/https, ftp, and so on.  Suddenly
    high traffic levels from a user/machine that hasn't been historically very active is a possible
    sign of a problem - especially large volumes of outbound data indicating possible uploads
    of sensitive info.

    There's not a lot of "proactive detection" that you can really do - in most
    cases, you're either reacting to logs/audit trails, or doing proactive stuff up
    front to *prevent* the breach in the first place.

    Stuff like the SANS "Securing the Human" is helpful to get your users up to speed.
    Checking for easily broken passwords, enforcing stronger passwords and/or multi-factor
    authentication for users with critical access, making sure that your users have their
    machines patched and appropriate security/AV software installed and up to date..

    etc etc etc.  All the usual "how to keep your users from being hacked/phished" stuff....


_____________________________________________________________________ Please note that this message and any attachments 
may contain confidential and proprietary material and information and are intended only for the use of the intended 
recipient(s). If you are not the intended recipient, you are hereby notified that any review, use, disclosure, 
dissemination, distribution or copying of this message and any attachments is strictly prohibited. If you have received 
this email in error, please immediately notify the sender and destroy this e-mail and any attachments and all copies, 
whether electronic or printed. Thank you.