
Credential Attack Recon Detection - How Tooling Fail and How to Reduce False Positives

Security BSides London via YouTube

Overview

Explore credential attack reconnaissance detection techniques and learn how to reduce false positives in User and Entity Behavior Analytics (UEBA) and Network Intrusion Detection (NID) tools. Discover the current limitations of these security tools and their filtering methods. Gain insights into effective strategies for identifying potential attackers, such as monitoring nonsense word usage, flagging standard password list compilations, and detecting rapid requests on webpages with unencrypted user IDs. Learn to establish baselines for normal versus suspicious behaviors, recognize sequential patterns in login attempts, and implement measures to thwart attacker persistence. Enhance your organization's security posture by understanding and applying these advanced detection methods to protect against credential-based attacks.

Syllabus

Credential attack recon detection: How current UEBA & NID tooling fail and how to reduce false positives
Current situation - UEBA and network defence tools - What they filter
Use of deliberately nonsensical words, which may show an attacker testing the site's responses
Valid username (with invalid password), followed by a login with a deliberately gibberish or invalid username
Flag the first few entries of standard password/username list compilations
Monitor webpages containing unencrypted user IDs for rapid requests
Lists of publicly leaked accounts for an organisation
Flag repetitive backlinks and onward links by site users
Flagging non-existent subdomains and web directories in URLs
Baseline normal vs suspicious behaviours on applications post-registration
Sequential numbers/letters being used in password or username fields
Match non-existent site and postal addresses with other behaviours
Receipt of a high number of 2FA, unknown-device and forgot-password verifications
Switchboard dial-in call behaviour
Blacklist or flag proxy service IP addresses
Flag identical interval times between each login attempt where the user agent is the same
Increase the length of time for which repeated login requests are blocked
Monitor email forwarding rules to thwart attacker persistence
Conclusion

Taught by

Security BSides London
