Re: Measures of detecting breached email accounts

[Joseph Tam <tam () MATH UBC CA>]

On Wed, 6 Dec 2017, Valdis Kletnieks wrote:

> > > Doing exception analysis on successful *and failed* logins is a good
> > > start - and done a *lot* more frequently than "monthly".  You'll very
> > > quickly learn to tell the difference between dictionary attacks trying
> > > to get into *any* userid, and targeted attacks on a specific user - if
> > > one of your VPs is hit overnight with 17 failed login attempts from
> > > Ukraine while they're sleeping in the Carribean night, you have a
> > > potential problem.
> >
> > Sounding the alarm on failed login attempt will have me looking at
> > logs every minute, night and day.  Even at my modest installation,
> > this happens far too frequently to be consider a useful trigger for
> > notification: it's not anomolous, it's background radiation.
>
> I did say *exception* analysis, didn't I? Look for stuff that doesn't
> look like background radiation. ;)

I've seen both diffuse and intensive failed logins -- neither are
worth looking at from a security standpoint.  It's not uncommon for
me to see thousands of guesses against one account, especially against
administrative accounts.

The only situation I can possibly think of worth investigating is if the
source of attack came from your network, or somehow it can be inferred
password guesses are targetted (i.e. typographically close to the actual
password).

What are the *exceptional* circumstances that would allow you differentiate
any particular failed authentication versus the thousands of other attempts?

Joseph Tam <tam () math ubc ca>