Credential Attack Recon Detection - How Tooling Fails and How to Reduce False Positives
- 1 Credential attack recon detection: How current UEBA & NID tooling fails and how to reduce false positives
- 2 Current situation - UEBA and network defence tools - What they filter
- 3 Use of deliberate nonsense words, which may show an attacker testing the site's responses
- 4 Valid username (with invalid password), followed by a login with a deliberately gibberish or invalid username
- 5 Flag the first few entries of standard password/username list compilations
- 6 Monitor webpages containing unencrypted user IDs for rapid requests
- 7 Lists of publicly leaked accounts for an organisation
- 8 Flag repetitive backlinks and onward links by site users
- 9 Flagging non-existent subdomains and web directories in URLs
- 10 Baseline normal vs suspicious behaviours on applications post-registration
- 11 Sequential numbers/letters being used in password or username fields
- 12 Match non-existent site and postal addresses with other behaviours
- 13 Receipt of a high number of 2FA, unknown-device and forgot-password verifications
- 14 Switchboard dial-in call behaviour
- 15 Blacklist or flag proxy service IP addresses
- 16 Flag identical interval times between each login attempt where the user agent is the same
- 17 Increase the length of time after when repeated login requests are blocked
- 18 Monitor email forwarding rules to thwart attacker persistence
- 19 Conclusion