Educause Security Discussion mailing list archives
Re: Measures of detecting breached email accounts
From: Keenan Martinez <0000004218ecec53-dmarc-request () LISTSERV EDUCAUSE EDU>
Date: Wed, 6 Dec 2017 01:12:16 +0000
Joseph,

Our user group is over 10,000. Although small compared to other Universities, the list filters out duplicated IP addresses to allow for a quicker lookup. The number will grow as we begin our Undergrad programme next year.

I agree with your mention of failed login notification as I believe it would overload the security team.

All the comments provided thus far are excellent.

Regards,
_______

On 05/12/2017, 8:55 pm, "The EDUCAUSE Security Constituent Group Listserv on behalf of Joseph Tam" <SECURITY () LISTSERV EDUCAUSE EDU on behalf of tam () MATH UBC CA> wrote:

On Mon, 04 Dec 2017 23:19:28 +0000, Keenan Martinez said:

> Following which, the IP address field is uploaded to
> (http://www.bulkseotools.com/bulk-ip-to-location.php) allowing for the
> conversion of an IP address to country.

This has a 500 IP limit, which implies you have a relatively small userbase. It's easier to characterize "unusual" for a small pool of users, rather than say, 30000 undergraduate students. I would suggest building your own GeoIP lookup system (you can cobble the data from free sources) and do the lookup real-time.

On Mon, 4 Dec 2017, Valdis Kletnieks wrote:

> Doing exception analysis on successful *and failed* logins is a good
> start - and done a *lot* more frequently than "monthly". You'll very
> quickly learn to tell the difference between dictionary attacks trying
> to get into *any* userid, and targeted attacks on a specific user - if
> one of your VPs is hit overnight with 17 failed login attempts from
> Ukraine while they're sleeping in the Caribbean night, you have a
> potential problem.

Sounding the alarm on failed login attempts will have me looking at logs every minute, night and day. Even at my modest installation, this happens far too frequently to be considered a useful trigger for notification: it's not anomalous, it's background radiation.

In the context of Email accounts, here are some anomalous things you could look for:

- unusual volume, especially at unusual times
- unusual volume of failed deliveries (e.g. unknown user).
- unusual login origin (Ukraine? Romania? Tunisia? etc.) The larger and more diverse your userbase, the harder this gets to discern.
- number of different successful login locales within a time interval (*)
- blacklist monitoring
- egress spam filtering/statistics

I implemented (*) after stumbling on a compromised account that went undetected for months because the intruder kept their outbound volume low and stayed under the radar. The account owner was not sophisticated enough to interpret the bounce messages and didn't report it. Having 3 logins within an hour on different continents is red-alert suspicious.

Joseph Tam <tam () math ubc ca>

_____________________________________________________________________
Please note that this message and any attachments may contain confidential and proprietary material and information and are intended only for the use of the intended recipient(s). If you are not the intended recipient, you are hereby notified that any review, use, disclosure, dissemination, distribution or copying of this message and any attachments is strictly prohibited. If you have received this email in error, please immediately notify the sender and destroy this e-mail and any attachments and all copies, whether electronic or printed. Thank you.
Current thread:
- Measures of detecting breached email accounts Keenan Martinez (Dec 04)
- Re: Measures of detecting breached email accounts Valdis Kletnieks (Dec 04)
- Re: Measures of detecting breached email accounts Frank Barton (Dec 05)
- Re: Measures of detecting breached email accounts Keenan Martinez (Dec 05)
- Re: Measures of detecting breached email accounts Frank Barton (Dec 05)
- Re: Measures of detecting breached email accounts Keenan Martinez (Dec 06)
- Re: Measures of detecting breached email accounts Kevin Crider (Dec 07)
- Re: Measures of detecting breached email accounts Frank Barton (Dec 05)
- Re: Measures of detecting breached email accounts Valdis Kletnieks (Dec 04)
- <Possible follow-ups>
- Re: Measures of detecting breached email accounts Joseph Tam (Dec 05)
- Re: Measures of detecting breached email accounts Keenan Martinez (Dec 06)
- Re: Measures of detecting breached email accounts Valdis Kletnieks (Dec 06)
- Re: Measures of detecting breached email accounts Joseph Tam (Dec 07)
- Re: Measures of detecting breached email accounts Valdis Kletnieks (Dec 07)
- Re: Measures of detecting breached email accounts Joseph Tam (Dec 08)
- Re: Measures of detecting breached email accounts Valdis Kletnieks (Dec 09)
- Re: Measures of detecting breached email accounts Joseph Tam (Dec 13)