1. Credential attack recon detection: How current UEBA & NID tooling fail and how to reduce false positives
2. Current situation - UEBA and network defence tools - What they filter
3. Use of deliberately nonsensical words, which may show an attacker testing the site's responses
4. Valid username (with invalid password), followed by a login with a deliberately gibberish or invalid username
5. Flag the first few entries of standard password/username list compilations
6. Monitor webpages containing unencrypted user IDs for rapid requests
7. Lists of publicly leaked accounts for an organisation
8. Flag repetitive backlinks and onward links by site users
9. Flag non-existent subdomains and web directories in URLs
10. Baseline normal vs suspicious behaviours on applications post-registration
11. Sequential numbers/letters being used in password or username fields
12. Match non-existent site and postal addresses with other behaviours
13. Receipt of a high number of 2FA, unknown-device and forgot-password verifications
14. Switchboard dial-in call behaviour
15. Blacklist or flag proxy service IP addresses
16. Flag identical interval times between each login attempt where the user agent is the same
17. Increase the length of time for which repeated login requests remain blocked
18. Monitor email forwarding rules to thwart attacker persistence
19. Conclusion
Description:
Explore credential attack reconnaissance detection techniques and learn how to reduce false positives in User and Entity Behavior Analytics (UEBA) and Network Intrusion Detection (NID) tools. Discover the current limitations of these security tools and their filtering methods. Gain insights into effective strategies for identifying potential attackers, such as monitoring nonsense word usage, flagging standard password list compilations, and detecting rapid requests on webpages with unencrypted user IDs. Learn to establish baselines for normal versus suspicious behaviors, recognize sequential patterns in login attempts, and implement measures to thwart attacker persistence. Enhance your organization's security posture by understanding and applying these advanced detection methods to protect against credential-based attacks.

Credential Attack Recon Detection - How Tooling Fail and How to Reduce False Positives

Security BSides London