2020欧洲杯投注备用Many people are working from home (WFH) now and will be for at least the next few weeks. The VPN and TLS connections that remote workers rely on allow for secure access, and although these are not new connection types to monitor, the current WFH situation has created a significant increase in the number of these connections you must monitor.
This new WFH scenario has made one thing easier: mobile users are no longer mobile. No one is flying to different locations and even working from multiple nearby locations would be unusual.
This makes looking for “Superman” or “Captain Marvel” behavior easier to detect, a scenario that is indicative of account compromise. This search is simply looking for logins from locations that are far apart but happen in a short period of time; only a superhero could travel that fast! This is sometimes called “Geographically Improbable Access.”
Corporate users are just as vulnerable to ATO (account takeover) as customers. Phishing attacks and password reuse are common sources of account compromise, and the recent that was published included some email addresses from well-known companies and universities.
Lucky for us, this “superhero” behavior is easy to detect with Splunk, and we turn to (our no cost library of security detections for Splunk) where we can find some ready to use examples. Using versions 3.x we get to the search box by clicking on the Security Content Menu, and selecting Security Content from the drop down:
2020欧洲杯投注备用Using the search bar in the top middle, search for “geographically.” Three examples will be returned – let’s pick the middle one “Geographically Improbable Access for Privileged Accounts”:
2020欧洲杯投注备用I am using the demo data. This example has some complex looking SPL, but let’s click on the button for “Line-by-Line SPL Documentation” below the SPL box:
2020欧洲杯投注备用Now the SPL makes a lot more sense. In a nutshell we compare the current IP address to the previous IP address on a per user basis, get the ip geolocation, and calculate the distance and time between those logon events using the formula. We are doing this for when the IP addresses are different, and the logins are less than 8 hours apart. Notice the 3rd and 4th blocks reference privileged users and risk scores? You could remove the risk score criteria and run the search for all users that match our “superhero” behavior. Also notice that the author of this search references where he got the distance calculation code (block 7) in case you want more information:
2020欧洲杯投注备用Our results show 2 users that each traveled thousands of kilometer in less than an hour:
2020欧洲杯投注备用Admittedly this kind of search could generate false positives if users were logging in from wifi at one location (maybe a coffee shop) and then using a mobile device as a hotspot, but with shelter-in-place orders for most of the population, we should not observe this current behavior often or at all. And if you do expect this behavior from critical employees, you may “whitelist” them using a .
As mentioned before is available at no cost as a download from. Play with the demo data or change the code to use your own data source. This doesn’t have to be just for VPN logins, it could be for any login that has public IP addresses in the details. You could even schedule this search to run regularly and alert you if a violation is detected. If you have Splunk Enterprise Security, this search is already included. This is just another way to detect account compromise, hopefully before any damage is done.