Educause Security Discussion mailing list archives

Re: Measures of detecting breached email accounts


From: Keenan Martinez <0000004218ecec53-dmarc-request () LISTSERV EDUCAUSE EDU>
Date: Wed, 6 Dec 2017 01:12:16 +0000

Joseph,

Our user group is over 10,000. Although small compared to other Universities, the list filters out duplicated IP 
addresses to allow for a quicker lookup. The number will grow as we begin our Undergrad programme next year.

I agree with your mention of failed login notification as I believe it would overload the security team.

All the comments provided thus far are excellent.

Regards,

_______





On 05/12/2017, 8:55 pm, "The EDUCAUSE Security Constituent Group Listserv on behalf of Joseph Tam" <SECURITY () 
LISTSERV EDUCAUSE EDU on behalf of tam () MATH UBC CA> wrote:

    On Mon, 04 Dec 2017 23:19:28 +0000, Keenan Martinez said:

    > Following which, the IP address field is uploaded to
    > (http://www.bulkseotools.com/bulk-ip-to-location.php) allowing for the
    > conversion of an IP address to country.

    This has a 500 IP limit, which implies you have a relatively small
    userbase.  It's easier to characterize "unusual" for a small pool of
    users, rather than say, 30000 undergraduate students.

    I would suggest building your own GeoIP lookup system (you can cobble
    the data from free sources) and do the lookup real-time.

    On Mon, 4 Dec 2017, Valdis Kletnieks wrote:

    > Doing exception analysis on successful *and failed* logins is a good
    > start - and done a *lot* more frequently than "monthly".  You'll very
    > quickly learn to tell the difference between dictionary attacks trying
    > to get into *any* userid, and targeted attacks on a specific user - if
    > one of your VPs is hit overnight with 17 failed login attempts from
    > Ukraine while they're sleeping in the Caribbean night, you have a
    > potential problem.

    Sounding the alarm on failed login attempts will have me looking at
    logs every minute, night and day.  Even at my modest installation,
    this happens far too frequently to be considered a useful trigger for
    notification: it's not anomalous, it's background radiation.

    In the context of Email accounts, here are some anomalous things you
    could look for:

        - unusual volume, especially at unusual times
        - unusual volume of failed deliveries (e.g. unknown user).
        - unusual login origin (Ukraine? Romania? Tunisia? etc.)
          The larger and more diverse your userbase, the
          harder this gets to discern.
        - number of different successful login locales within a
          time interval (*)
        - blacklist monitoring
        - egress spam filtering/statistics

    I implemented (*) after stumbling on a compromised account that went
    undetected for months because the intruder kept their outbound volume
    low and stayed under the radar.  The account owner was not sophisticated
    enough to interpret the bounce messages and didn't report it.  Having 3
    logins within an hour on different continents is red-alert suspicious.

    Joseph Tam <tam () math ubc ca>



_____________________________________________________________________ Please note that this message and any attachments 
may contain confidential and proprietary material and information and are intended only for the use of the intended 
recipient(s). If you are not the intended recipient, you are hereby notified that any review, use, disclosure, 
dissemination, distribution or copying of this message and any attachments is strictly prohibited. If you have received 
this email in error, please immediately notify the sender and destroy this e-mail and any attachments and all copies, 
whether electronic or printed. Thank you.
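The multi-locale login check marked (*) in Joseph's reply, together with the targeted-versus-dictionary distinction Valdis raises for failed logins, as an added example that is not code from any poster in this thread. The log line format, the IP prefixes and their country/continent assignments, and the sample log itself are constructed for the example; a real deployment would load a GeoIP database (for instance MaxMind GeoLite2 CSV ranges) in place of the inline table and feed it the mail server's actual authentication log.

```python
"""Login-anomaly checks for a mail service (added example, not list code).

Two detectors over one constructed log format:
  - multi_locale_logins: successful logins for one user from >= N distinct
    continents inside a sliding time window (the "(*)" check).
  - targeted_failures: failed logins concentrated on one user from one
    country, as opposed to dictionary noise spread over many userids.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed GeoIP table: (prefix, ISO country, continent). The prefixes are
# documentation ranges; the country/continent labels are assumptions.
GEOIP_TABLE = [
    (ipaddress.ip_network("198.51.100.0/24"), "CA", "NA"),
    (ipaddress.ip_network("203.0.113.0/24"), "UA", "EU"),
    (ipaddress.ip_network("192.0.2.0/24"), "NG", "AF"),
]


def geoip(ip):
    """Longest-prefix lookup is unnecessary here; first matching range wins."""
    addr = ipaddress.ip_address(ip)
    for net, country, continent in GEOIP_TABLE:
        if addr in net:
            return country, continent
    return "??", "??"


LOG_FORMAT = "%Y-%m-%dT%H:%M:%S"


def parse_line(line):
    """Constructed format: '<ISO timestamp> user=<id> ip=<addr> result=ok|fail'."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.strptime(ts, LOG_FORMAT), fields["user"], fields["ip"], fields["result"]


def multi_locale_logins(lines, window=timedelta(hours=1), min_continents=2):
    """Return {user: set(continents)} for users with successful logins from
    >= min_continents distinct continents inside any `window`-long span."""
    events = defaultdict(list)
    for line in lines:
        ts, user, ip, result = parse_line(line)
        if result == "ok":
            events[user].append((ts, geoip(ip)[1]))
    alerts = {}
    for user, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it covers at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            continents = {c for _, c in evs[start:end + 1]}
            if len(continents) >= min_continents:
                alerts[user] = continents
    return alerts


def targeted_failures(lines, threshold=10):
    """Return {user: {country: failures}} only for users whose failures from a
    single country reach `threshold`; one failure per userid from a spray
    stays below it and is treated as background noise."""
    per_user = defaultdict(lambda: defaultdict(int))
    for line in lines:
        _, user, ip, result = parse_line(line)
        if result == "fail":
            per_user[user][geoip(ip)[0]] += 1
    return {u: dict(c) for u, c in per_user.items() if max(c.values()) >= threshold}


# Constructed sample log: alice hops three continents in 42 minutes, bob stays
# in one country, dave changes continent but four hours apart, "vp" takes 17
# failures from one country overnight, and a spray hits ten different userids.
SAMPLE_LOG = [
    "2017-12-04T23:10:02 user=alice ip=198.51.100.7 result=ok",
    "2017-12-04T23:31:40 user=alice ip=203.0.113.9 result=ok",
    "2017-12-04T23:52:15 user=alice ip=192.0.2.33 result=ok",
    "2017-12-04T23:12:00 user=bob ip=198.51.100.20 result=ok",
    "2017-12-04T23:45:00 user=bob ip=198.51.100.21 result=ok",
    "2017-12-05T01:00:00 user=dave ip=198.51.100.5 result=ok",
    "2017-12-05T05:00:00 user=dave ip=203.0.113.5 result=ok",
] + [
    f"2017-12-05T03:{m:02d}:00 user=vp ip=203.0.113.{50 + m} result=fail" for m in range(17)
] + [
    f"2017-12-05T02:{m:02d}:00 user=guess{m} ip=192.0.2.200 result=fail" for m in range(10)
]

if __name__ == "__main__":
    print("multi-locale:", multi_locale_logins(SAMPLE_LOG))
    print("targeted failures:", targeted_failures(SAMPLE_LOG))
```

Run against the constructed log, only alice trips the multi-locale check (bob never leaves North America, dave's two continents are four hours apart) and only "vp" trips the targeted-failure check, while the ten single-failure userids from the spray stay under the threshold. The window and thresholds are the knobs to tune to the size of the userbase, which is the point Joseph makes about 500 versus 30000 users.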
