
Stories from the SOC: Compromised account detected

Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the LevelBlue SOC analyst team for LevelBlue Managed Threat Detection and Response customers.

Executive Summary

The Managed Threat Detection and Response (MTDR) analyst team was notified of multiple logins from different countries. With the shift to a more remote workforce, multiple logins from different locations are not uncommon, but the team discovered that the potentially compromised account belonged to a third party and immediately took action. Every year businesses lose millions due to data breaches caused by third parties. Between 2017 and 2019, there was a 35% increase in third-party breaches, with a staggering 13 million records exposed in each breach, including personally identifiable information (PII), financial data, and health records (Dark Reading). The team took a deeper look and confirmed that the account was indeed compromised. The analyst team engaged the customer, who was able to take the appropriate actions and remediate the situation before anything more severe could occur.

Investigation

Initial Alarm Review

Indicators of Compromise (IOCs)

The initial alarm surfaced as the result of two login events originating from two different countries within nine minutes of each other. This irregular activity indicated that a user’s account was likely compromised.

[Image: credential abuse detected]

Foreign logins are nothing new; we see dozens of these alerts from multiple customers every day. Most of them are false positives caused by legitimate Virtual Private Network (VPN) or other tunnel services, or by multi-factor authentication (MFA) traffic from valid users traveling overseas, for example.

Expanded investigation

Alarm Detail

With the rise of work from home due to COVID-19, alarms for dual geographical logins have been on the rise as well. With so much volume coming through for review, it's imperative to self-police the natural human tendency to base our view of future outcomes on past outcomes. Just because the last 200 were false positives does not mean the 201st alarm will be.

Response

Building the investigation

One of the differences for this alarm that helped throw off any predisposed notions was the domain used by the account. It was not the customer's standard email / account-name domain. A quick search on the company showed that the two companies were in the same industry, and it's not uncommon for companies to allow vendors or industry partners to retain their own domain for login IDs. But still, it caught my attention.
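As an added example that is not part of the original post or of LevelBlue's tooling, the following Python sketches the detection and enrichment steps described above: it pairs each account's consecutive logins, flags pairs whose implied travel speed is physically impossible (the two-countries-in-nine-minutes case), and annotates each hit with the two cues the analyst weighed by hand: whether the account's domain differs from the customer's own (the third-party case) and whether a source address is a known VPN egress (the most common false-positive cause named earlier). The sample events, the customer domain, the VPN allowlist and the speed threshold are all constructed assumptions; geo-IP resolution is assumed to have happened upstream.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, inf, radians, sin, sqrt


@dataclass(frozen=True)
class Login:
    user: str        # user principal name; the domain part is examined during triage
    ts: datetime     # event time, assumed UTC
    src_ip: str
    country: str     # ISO 3166 alpha-2, assumed resolved by an upstream geo-IP lookup
    lat: float
    lon: float


# Constructed sample authentication events (not real customer data).
# Coordinates are rough city centres; IPs are from documentation ranges.
SAMPLE_LOGINS = [
    Login("asmith@customer.example", datetime(2020, 8, 3, 9, 2), "198.51.100.10", "US", 40.71, -74.01),
    Login("asmith@customer.example", datetime(2020, 8, 3, 9, 40), "198.51.100.11", "US", 40.71, -74.01),
    Login("jdoe@partner.example", datetime(2020, 8, 3, 13, 15), "203.0.113.7", "US", 41.88, -87.63),
    Login("jdoe@partner.example", datetime(2020, 8, 3, 13, 24), "192.0.2.44", "DE", 52.52, 13.40),
    Login("bwong@customer.example", datetime(2020, 8, 3, 15, 0), "203.0.113.9", "US", 34.05, -118.24),
    Login("bwong@customer.example", datetime(2020, 8, 3, 15, 5), "203.0.113.200", "GB", 51.51, -0.13),
]

KNOWN_VPN_EGRESS = {"203.0.113.200"}   # assumed: the customer's VPN concentrator egress
CUSTOMER_DOMAIN = "customer.example"   # assumed: the customer's own account domain
EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0             # faster than an airliner is treated as "impossible"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def implied_speed_kmh(a, b):
    """Distance and speed a user would need to cover to produce both logins."""
    km = haversine_km(a.lat, a.lon, b.lat, b.lon)
    hours = abs((b.ts - a.ts).total_seconds()) / 3600
    if hours == 0:                       # identical timestamps: any distance is impossible
        return km, (inf if km > 0 else 0.0)
    return km, km / hours


def find_impossible_travel(logins, window=timedelta(hours=1)):
    """Pair each login with the same user's next login inside `window` and flag
    pairs whose implied speed is not achievable. Each hit carries the
    enrichment the analyst in the post gathered by hand."""
    by_user = defaultdict(list)
    for ev in logins:
        by_user[ev.user].append(ev)
    hits = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e.ts)
        for prev, cur in zip(events, events[1:]):
            if cur.ts - prev.ts > window:
                continue
            km, kmh = implied_speed_kmh(prev, cur)
            if kmh <= MAX_PLAUSIBLE_KMH:
                continue
            domain = user.rsplit("@", 1)[-1].lower()
            hits.append({
                "user": user,
                "countries": (prev.country, cur.country),
                "minutes": round((cur.ts - prev.ts).total_seconds() / 60),
                "km": round(km),
                "kmh": kmh if kmh == inf else round(kmh),
                # account domain is not the customer's: a third-party identity
                "third_party_domain": domain != CUSTOMER_DOMAIN,
                # either endpoint is a known VPN egress: the usual benign explanation
                "known_vpn_egress": bool({prev.src_ip, cur.src_ip} & KNOWN_VPN_EGRESS),
            })
    return hits


def triage_priority(hit):
    """Rank a hit the way the post reasons: VPN-explained pairs are low priority,
    third-party accounts are escalated to the customer for verification."""
    if hit["known_vpn_egress"]:
        return "low"
    if hit["third_party_domain"]:
        return "high"
    return "medium"


if __name__ == "__main__":
    for hit in find_impossible_travel(SAMPLE_LOGINS):
        print(triage_priority(hit), hit)
```

Run against the constructed events, the same-city pair for asmith is never flagged, the Chicago-to-Berlin pair nine minutes apart for the partner-domain account comes out as a high-priority hit, and the Los Angeles-to-London pair is flagged but downranked because one endpoint is the customer's own VPN egress. The VPN allowlist only lowers priority rather than suppressing the alert, which keeps the "201st alarm" from being silently discarded.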

Customer interaction

[Image: credential abuse communicated to customer]

The obvious main consideration for these types of alarms is the geographies themselves. But with a third party in the equation, even knowing the geographies explicitly did not provide much additional information. Not knowing the full extent of the third party's geographic business, I had no idea whether the foreign country was a likely work location for their employees.

Customer Response(s)

Given all the unknowns, this had to be sent as an Investigation to the client to verify the activity. Upon review, it was determined that this was indeed a compromised account, and the customer remediated the situation. As we have seen from the history of breaches, compromised third-party vendor accounts are a powerful attack vector, and picking up on one through the noise of all the dual geographical logins may have just prevented another one.
