Credential attack recon detection: How current UEBA & NID tooling fails and how to reduce false positives
Class Central Classrooms beta
YouTube videos curated by Class Central.
Classroom Contents
Credential Attack Recon Detection - How Tooling Fails and How to Reduce False Positives
- 1 Credential attack recon detection: How current UEBA & NID tooling fails and how to reduce false positives
- 2 Current situation - UEBA and network defence tools - What they filter
- 3 Use of deliberately nonsensical words, which may show an attacker testing the site's responses
- 4 Valid username (with invalid password), followed by a login with a deliberately gibberish or invalid username
- 5 Flag the first few entries of standard password/username list compilations
- 6 Monitor webpages containing unencrypted user IDs for rapid requests
- 7 Lists of publicly leaked accounts for an organisation
- 8 Flag repetitive backlinks and onward links by site users
- 9 Flagging non-existent subdomains and web directories in URLs
- 10 Baseline normal vs suspicious behaviours on applications post-registration
- 11 Sequential numbers/letters being used in password or username fields
- 12 Match non-existent site and postal addresses with other behaviours
- 13 Receipt of high number of 2FA, unknown device and forgot password verifications
- 14 Switchboard dial-in call behaviour
- 15 Blacklist or flag proxy service IP addresses
- 16 Flag identical interval times between each login attempt where the user agent is the same
- 17 Increase the length of time for which repeated login requests are blocked
- 18 Monitor email forwarding rules to thwart attacker persistence
- 19 Conclusion