Educause Security Discussion mailing list archives
Re: Measures of detecting breached email accounts
From: Kevin Crider <kcrider () SKIDMORE EDU>
Date: Thu, 7 Dec 2017 18:04:59 +0000
We are an O365 shop and have been using the built-in location feature that Keenan mentions. What it does is flag when an account is accessed from 2 different geographic locations (that aren’t physically possible at or near the same time). For example, a login from New York and then a login from Nigeria. Not only has this been helpful with us being proactive, but it has been VERY informative. Like, we have found that 99.9% of the bad stuff we see/get comes from Nigeria…AND many times there is an initial login from New Jersey (always NJ) using the compromised account, then the Nigerian login…then the flurry of spam…

Anyway…this does not help us always block bad (mostly phishing is what we see) messages…it does help, but mainly to detect and protect accounts, not manage spam.

I’d be very interested to hear from a MS shop that is configuring spam protection outside of what’s delivered or “default”…

Kevin

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Keenan Martinez
Sent: Wednesday, December 6, 2017 7:08 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Measures of detecting breached email accounts

Frank,

I requested information from Microsoft and they confirmed the feature is available. Please view comments below.

Action Plan:
* The block for logins on location is possible, if you have Azure AD Premium 2 licenses.
* Please check the below article on how to have the conditional access over the tenant with Azure AD Premium license: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Frank Barton <bartonf () HUSSON EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Tuesday, 5 December 2017 at 4:39 pm
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Measures of detecting breached email accounts

Keenan, that depends on what services you are using. I'm not familiar with Office365, but depending on the login types that they allow (ADFS, SAML), you would control the login page, and could filter ahead of people getting to the login page.

Frank

On Tue, Dec 5, 2017 at 3:33 PM, Keenan Martinez <0000004218ecec53-dmarc-request () listserv educause edu> wrote:

Frank,

Thank you for your feedback, I garner the procedure can be automated but is not 100% successful. I question if there is more we can do besides enabling MFA, DKIM, DMARC and other procedures Universities utilise in reducing account breaches and spamming. At our University, our policies govern that all employees must utilise MFA. However, due to limited resources I am reluctant to expand the policy to our student accounts. It leads the team to perform the process mentioned in my first email, of sorting logs via country. I believe there should be (if a system already exists) something which allows you to allow logins only via region. I.e. email account will only accept logins from your region (mine being the Caribbean) and deny login from other areas, with an option to request access. My view may be far fetched, but I think it would assist greatly with account breaches.

Regards,

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Frank Barton <bartonf () HUSSON EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Tuesday, 5 December 2017 at 9:50 am
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Measures of detecting breached email accounts

We put a spam-filter on our outbound email queue, and have found that that is a pretty good indicator of detecting compromised accounts. The filter also emails us (me) on blocked outbound spam, and when I start hearing my phone go ding-ding-ding-ding-ding-ding-ding, it's never a good time.

We've also found that compromises tend to come in waves, and be "trackable". Once we identify a compromised account, we then look at logins, and start looking for patterns in other accounts. Matching IP addresses in a short window is a good indication. We also then found that there was typically a 2-step compromise pattern. The initial compromise would show up as a single login from an IP address that was not in the normal use pattern. A couple days later we would see the login that would then try to flood spam out to the interwebs.

We've tried to automate this as much as possible, but a lot of it falls under the German word "Gefühlsache": it's a matter of feeling. That being said, I did write a script that would pull down the last couple weeks of Google login logs, and look for out-of-the-country IPs. This had some success among our staff and faculty members during the academic year, but a lot less over breaks, and when looking at students.

Stepping away from account compromise, we run a very locked down SFTP server on the Amazon cloud; one of the things I have installed is fail2ban. I've built up a manual list of netblocks that we just block outright from accessing the server. I am somewhat hesitant to expand that to other services, but the thought has crossed my mind.

Frank

On Mon, Dec 4, 2017 at 9:56 PM, Valdis Kletnieks <valdis.kletnieks () vt edu> wrote:

On Mon, 04 Dec 2017 23:19:28 +0000, Keenan Martinez said:
I am inquiring about techniques members undertake to proactively detect breached email accounts and how the process of converting IP addresses to countries can be simplified?
Doing exception analysis on successful *and failed* logins is a good start - and done a *lot* more frequently than "monthly". You'll very quickly learn to tell the difference between dictionary attacks trying to get into *any* userid, and targeted attacks on a specific user - if one of your VPs is hit overnight with 17 failed login attempts from Ukraine while they're sleeping in the Caribbean night, you have a potential problem.

Another thing to monitor is for unusual traffic patterns, both inbound and outbound. For instance, my userid gets a *lot* of inbound mail from software-related lists, and lots of usually small outbound mail to pretty much all over the planet. But if I suddenly send out a series of 28 outbound emails that are 17M in size each, it might indicate that my userid has been compromised and is being used to exfiltrate sensitive data.

Also, look at traffic levels for things other than email - http/https, ftp, and so on. Suddenly high traffic levels from a user/machine that hasn't been historically very active is a possible sign of a problem - especially large volumes of outbound data indicating possible uploads of sensitive info.

There's not a lot of "proactive detection" that you can really do - in most cases, you're either reacting to logs/audit trails, or doing proactive stuff up front to *prevent* the breach in the first place. Stuff like the SANS "Securing the Human" is helpful to get your users up to speed. Checking for easily broken passwords, enforcing stronger passwords and/or multi-factor authentication for users with critical access, making sure that your users have their machines patched and appropriate security/AV software installed and up to date... etc etc etc. All the usual "how to keep your users from being hacked/phished" stuff....
--
Frank Barton
Security+, ACMT
IT Systems Administrator
Husson University
_____________________________________________________________________
Please note that this message and any attachments may contain confidential and proprietary material and information and are intended only for the use of the intended recipient(s). If you are not the intended recipient, you are hereby notified that any review, use, disclosure, dissemination, distribution or copying of this message and any attachments is strictly prohibited. If you have received this email in error, please immediately notify the sender and destroy this e-mail and any attachments and all copies, whether electronic or printed. Thank you.
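Added example, not code from this thread or from any of the posters: a Python script over a constructed sign-in log that mechanises three checks the thread describes. Kevin's impossible-travel flag (two successful logins by one account from places too far apart for the time between them), Valdis's exception analysis of failed logins (one account hit overnight by a run of failures from abroad, as opposed to a dictionary attack spread thinly over many accounts), and Frank's "matching IP addresses in a short window" across accounts. It also answers Keenan's IP-to-country question in the simplest form, a longest-prefix lookup against a table. Everything in it is assumed: the log line format, the usernames, the RFC 5737 documentation prefixes standing in for real address space, the GEOIP table standing in for a GeoIP database such as MaxMind GeoLite2, and the per-country coordinates used for the distance estimate.

```python
# Added example, not from the thread: exception analysis over a sign-in log with three
# checks: (1) impossible travel between two successful logins by one user, (2) a burst of
# failed logins against one user from outside the home country, (3) one source IP signing
# in to several different accounts within a short window.
import ipaddress
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for a GeoIP database (a real deployment would query e.g. MaxMind
# GeoLite2): RFC 5737 documentation prefixes mapped to (country, assumed lat, assumed lon).
GEOIP = [
    (ipaddress.ip_network("192.0.2.0/24"), ("US", 40.7, -74.0)),   # "New York"
    (ipaddress.ip_network("198.51.100.0/24"), ("NG", 6.5, 3.4)),   # "Lagos"
    (ipaddress.ip_network("203.0.113.0/24"), ("UA", 50.4, 30.5)),  # "Kyiv"
]

def ip_to_country(ip):
    """Longest-prefix match; returns (cc, lat, lon) or None for an unknown address."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, info) for net, info in GEOIP if addr in net]
    return max(hits)[1] if hits else None

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance on a sphere of radius 6371 km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin(math.radians(lat2 - lat1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def parse(lines):
    """Constructed format '<ISO timestamp> <user> <ip> <SUCCESS|FAIL>', returned sorted by time."""
    fields = (line.split() for line in lines)
    return sorted((datetime.fromisoformat(ts), user, ip, result) for ts, user, ip, result in fields)

def runs(items, window):
    # For each (time, ...) item in a time-sorted list, yield it plus everything within `window` after it.
    for i, item in enumerate(items):
        yield [x for x in items[i:] if x[0] - item[0] <= window]

def impossible_travel(events, max_kmh=900.0):
    """(user, from_cc, to_cc, km, hours) for consecutive successful logins by one user from
    different countries whose implied speed exceeds max_kmh."""
    alerts, last = [], {}
    for ts, user, ip, result in events:
        geo = ip_to_country(ip) if result == "SUCCESS" else None
        if geo is None:
            continue
        cc, lat, lon = geo
        if user in last:
            pts, pcc, plat, plon = last[user]
            hours = (ts - pts).total_seconds() / 3600.0
            km = haversine_km(plat, plon, lat, lon)
            if pcc != cc and (hours == 0 or km / hours > max_kmh):
                alerts.append((user, pcc, cc, km, hours))
        last[user] = (ts, cc, lat, lon)
    return alerts

def failed_login_bursts(events, home_cc, window=timedelta(hours=8), threshold=10):
    """(user, count, countries) where one user collects >= threshold failures from outside
    home_cc inside one window (a dictionary attack instead spreads a few over many users)."""
    fails, alerts = defaultdict(list), []
    for ts, user, ip, result in events:
        geo = ip_to_country(ip)
        if result == "FAIL" and geo and geo[0] != home_cc:
            fails[user].append((ts, geo[0]))
    for user, items in fails.items():
        for run in runs(items, window):
            if len(run) >= threshold:
                alerts.append((user, len(run), sorted({cc for _, cc in run})))
                break
    return alerts

def shared_source_ips(events, window=timedelta(hours=1), min_accounts=3):
    """(ip, users) where one source IP signs in to >= min_accounts users inside one window."""
    by_ip, alerts = defaultdict(list), []
    for ts, user, ip, result in events:
        if result == "SUCCESS":
            by_ip[ip].append((ts, user))
    for ip, items in by_ip.items():
        for run in runs(items, window):
            users = sorted({u for _, u in run})
            if len(users) >= min_accounts:
                alerts.append((ip, users))
                break
    return alerts

# Constructed sample log: "New York, then Nigeria" on one account, 17 overnight failures
# against another from abroad, and one foreign IP signing in to three accounts.
SAMPLE_LOG = [
    "2017-12-05T08:00:00 alice 192.0.2.10 SUCCESS",
    "2017-12-05T09:30:00 alice 198.51.100.7 SUCCESS",   # 90 minutes after New York
    "2017-12-06T03:00:00 dave 198.51.100.7 SUCCESS",
    "2017-12-06T03:10:00 erin 198.51.100.7 SUCCESS",
    "2017-12-06T03:20:00 frank 198.51.100.7 SUCCESS",
] + [f"2017-12-06T02:{m:02d}:00 carol 203.0.113.5 FAIL" for m in range(0, 34, 2)]

def analyze(lines=SAMPLE_LOG, home_cc="US"):
    events = parse(lines)
    return {"impossible_travel": impossible_travel(events),
            "failed_bursts": failed_login_bursts(events, home_cc),
            "shared_ips": shared_source_ips(events)}

if __name__ == "__main__":
    for name, hits in analyze().items():
        print(name, hits)
```

Run as-is it prints the three alert lists for the sample log; against a real tenant you would feed it the sign-in export and replace the GEOIP table with a database lookup. Country-level geolocation is coarse, and VPN egress points and mobile carriers routinely produce legitimate long-distance jumps, so max_kmh, the window sizes and the thresholds need tuning against your own false-positive rate before anyone is paged on a hit.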
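Added example, not code from this thread or from any of the posters: a per-sender outbound baseline for the traffic-pattern checks Valdis describes (the account that normally sends small mail suddenly sending 28 messages of 17M each) and the spam "flurry" that Frank's outbound filter catches. It compares each sender's totals for one day against that sender's own history rather than a global threshold, so a quiet account tripping at a few hundred recipients is not drowned out by a list server. The record format, the two usernames and all of the volumes are constructed.

```python
# Added example, not from the thread: per-sender outbound-mail baselining.
# Flags a day whose outbound message count, total bytes or recipient load is far
# above that sender's own daily history: the "28 messages of 17M each" pattern and
# the "flurry of spam" pattern.
import statistics
from collections import defaultdict

def daily_totals(records):
    """records: constructed (date, sender, recipient_count, size_bytes) tuples.
    Returns {sender: {date: [msg_count, total_bytes, total_recipients]}}."""
    out = defaultdict(lambda: defaultdict(lambda: [0, 0, 0]))
    for date, sender, rcpts, size in records:
        day = out[sender][date]
        day[0] += 1
        day[1] += size
        day[2] += rcpts
    return out

METRICS = ("messages", "bytes", "recipients")

def anomalies(records, today, k=3.0, min_history_days=5):
    """(sender, metric, today's value, historical daily mean) for each metric that is
    more than k standard deviations above the sender's mean over the days before today."""
    alerts = []
    for sender, days in daily_totals(records).items():
        history = [v for d, v in days.items() if d < today]   # ISO dates sort as strings
        if today not in days or len(history) < min_history_days:
            continue  # nothing sent today, or not enough history to baseline this sender
        for idx, name in enumerate(METRICS):
            series = [h[idx] for h in history]
            mean = statistics.mean(series)
            sd = statistics.pstdev(series) or 1.0  # constant history: avoid a zero-width band
            value = days[today][idx]
            if value > mean + k * sd:
                alerts.append((sender, name, value, round(mean, 1)))
    return alerts

# Constructed history: ten days of normal traffic, then a bad day for both senders.
SAMPLE = []
for day in range(1, 11):
    date = f"2017-12-{day:02d}"
    for i in range(8 + day % 3):                      # 8-10 small messages a day
        SAMPLE.append((date, "valdis", 1, 15_000 + 1_000 * i))
    for _ in range(5):                                # 5 messages a day, 2 recipients each
        SAMPLE.append((date, "kevin", 2, 20_000))
SAMPLE += [("2017-12-11", "valdis", 1, 17_000_000)] * 28   # 28 x 17 MB: possible exfiltration
SAMPLE += [("2017-12-11", "kevin", 25, 20_000)] * 40       # 40 messages x 25 recipients: spam spray

if __name__ == "__main__":
    for alert in anomalies(SAMPLE, "2017-12-11"):
        print(alert)
```

The baseline deliberately uses the population standard deviation with a floor of 1.0, so a sender whose history is perfectly flat still gets a band rather than an alert on any change at all; in practice you would also add an absolute floor (a handful of messages above a tiny mean is not worth a ticket) and compute the history over a rolling window so that last term's behaviour does not define this term's normal.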
Current thread:
- Measures of detecting breached email accounts Keenan Martinez (Dec 04)
- Re: Measures of detecting breached email accounts Valdis Kletnieks (Dec 04)
- Re: Measures of detecting breached email accounts Frank Barton (Dec 05)
- Re: Measures of detecting breached email accounts Keenan Martinez (Dec 05)
- Re: Measures of detecting breached email accounts Frank Barton (Dec 05)
- Re: Measures of detecting breached email accounts Keenan Martinez (Dec 06)
- Re: Measures of detecting breached email accounts Kevin Crider (Dec 07)
- Re: Measures of detecting breached email accounts Frank Barton (Dec 05)
- Re: Measures of detecting breached email accounts Valdis Kletnieks (Dec 04)
- <Possible follow-ups>
- Re: Measures of detecting breached email accounts Joseph Tam (Dec 05)
- Re: Measures of detecting breached email accounts Keenan Martinez (Dec 06)
- Re: Measures of detecting breached email accounts Valdis Kletnieks (Dec 06)
- Re: Measures of detecting breached email accounts Joseph Tam (Dec 07)
- Re: Measures of detecting breached email accounts Valdis Kletnieks (Dec 07)
- Re: Measures of detecting breached email accounts Joseph Tam (Dec 08)
- Re: Measures of detecting breached email accounts Valdis Kletnieks (Dec 09)
- Re: Measures of detecting breached email accounts Joseph Tam (Dec 13)