Many people are working from home (WFH) now and will be for at least the next few weeks. The VPN and TLS connections that remote workers rely on provide secure access, and although these are not new connection types to monitor, the current WFH situation has sharply increased the number of such connections you must monitor.
This new WFH scenario has made one thing easier: mobile users are no longer mobile. No one is flying between locations, and even working from several nearby locations would be unusual.
This makes “Superman” or “Captain Marvel” behavior easier to detect, a pattern that is indicative of account compromise. The search simply looks for logins from locations that are far apart but happen within a short period of time; only a superhero could travel that fast! This is sometimes called “Geographically Improbable Access.”
Corporate users are just as vulnerable to ATO (account takeover) as customers. Phishing attacks and password reuse are common sources of account compromise, and the recent Zoom credential list that was published included some email addresses from well-known companies and universities.
Lucky for us, this “superhero” behavior is easy to detect with Splunk, and we turn to Splunk Security Essentials (our no-cost library of security detections for Splunk) where we can find some ready-to-use examples. Using versions 3.x we get to the search box by clicking on the Security Content menu and selecting Security Content from the drop-down:
Using the search bar in the top middle, search for “geographically.” Three examples will be returned – let’s pick the middle one “Geographically Improbable Access for Privileged Accounts”:
I am using the demo data. This example has some complex-looking SPL, but let’s click on the button for “Line-by-Line SPL Documentation” below the SPL box:
Now the SPL makes a lot more sense. In a nutshell, on a per-user basis we compare the current source IP address to the previous one, geolocate both addresses, calculate the great-circle distance between the two locations with the haversine formula, and compare that against the time elapsed between the two logon events. We only do this when the IP addresses differ and the logins are less than 8 hours apart. Notice that the 3rd and 4th blocks reference privileged users and risk scores? You could remove the risk score criteria and run the search for all users that match our “superhero” behavior. Also notice that the author of this search references where he got the distance calculation code (block 7) in case you want more information:
Our results show 2 users that each traveled thousands of kilometers in less than an hour:
Admittedly this kind of search can generate false positives if a user logs in from wifi at one location (maybe a coffee shop) and then switches to a mobile device as a hotspot: the carrier’s address geolocates to the carrier’s gateway rather than to the handset, which can be hundreds of kilometers away. With shelter-in-place orders for most of the population, though, we should not observe this behavior often or at all. And if you do expect this behavior from critical employees, you may “whitelist” (allowlist) them using a lookup.
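As an added example (not code from this post or from Splunk Security Essentials), here is the same detection logic described in the SPL walkthrough above, together with the allowlist lookup for users you expect to trip the rule, written in plain Python so it can be run offline over a handful of constructed login events and a constructed GeoIP table. The 8-hour window follows the search; the 900 km/h implied-speed cut-off, the city coordinates, the event data and all function names are assumptions of the example.

```python
"""Detect "superhero" (geographically improbable) logins over sample data.

Added example, not the Splunk Security Essentials SPL from the post: the same
per-user previous-vs-current login comparison, implemented in plain Python so
it runs offline. The GeoIP table and login events below are constructed for
this example; in production the coordinates come from a GeoIP database
(Splunk's iplocation command) and the events from VPN, SSO or web logs.
"""
import ipaddress
import math
from collections import defaultdict
from datetime import datetime, timezone

EARTH_RADIUS_KM = 6371.0

# Constructed GeoIP table on RFC 5737 documentation ranges (approximate city
# centres); assumption of this example, not real routing data.
GEO_TABLE = {
    "203.0.113.0/24": ("Seattle", 47.6062, -122.3321),
    "198.51.100.0/24": ("New York", 40.7128, -74.0060),
    "192.0.2.0/24": ("Portland", 45.5152, -122.6784),
}
# RFC 1918 and loopback space carries no usable geolocation.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed login events: (user, UTC timestamp, source IP).
EVENTS = [
    ("alice", "2020-04-20T08:00:00Z", "203.0.113.10"),
    ("alice", "2020-04-20T08:45:00Z", "198.51.100.7"),   # Seattle -> New York in 45 min
    ("bob",   "2020-04-20T09:00:00Z", "203.0.113.20"),
    ("bob",   "2020-04-20T10:30:00Z", "192.0.2.5"),      # Seattle -> Portland, drivable
    ("carol", "2020-04-20T07:00:00Z", "203.0.113.30"),
    ("carol", "2020-04-20T20:00:00Z", "198.51.100.9"),   # 13 h apart, outside the window
    ("dave",  "2020-04-20T11:00:00Z", "203.0.113.40"),
    ("dave",  "2020-04-20T11:10:00Z", "198.51.100.11"),  # improbable, but allowlisted below
    ("erin",  "2020-04-20T12:00:00Z", "10.1.2.3"),       # private address: no location
    ("erin",  "2020-04-20T12:20:00Z", "198.51.100.12"),
]
# The "whitelist" lookup from the post: users expected to trip the rule.
ALLOWLIST = frozenset({"dave"})


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points (haversine formula)."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def geolocate(ip):
    """Return (city, lat, lon) for an address in GEO_TABLE, else None."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in PRIVATE_NETS):
        return None
    for cidr, location in GEO_TABLE.items():
        if addr in ipaddress.ip_network(cidr):
            return location
    return None


def detect_superhero_logins(events, max_gap_hours=8.0, max_speed_kmh=900.0,
                            allowlist=frozenset()):
    """Flag consecutive logins per user from different IPs, within
    max_gap_hours of each other, whose implied travel speed exceeds
    max_speed_kmh. The 8-hour window is the post's; the 900 km/h threshold
    (roughly airliner speed) is an assumption of this example.
    """
    by_user = defaultdict(list)
    for user, stamp, ip in events:
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        by_user[user].append((when, ip))

    findings = []
    for user, logins in by_user.items():
        if user in allowlist:
            continue
        logins.sort()  # oldest first, so each pair is (previous, current)
        for (t_prev, ip_prev), (t_cur, ip_cur) in zip(logins, logins[1:]):
            if ip_prev == ip_cur:
                continue
            gap_h = (t_cur - t_prev).total_seconds() / 3600.0
            if gap_h > max_gap_hours:
                continue
            loc_prev, loc_cur = geolocate(ip_prev), geolocate(ip_cur)
            if loc_prev is None or loc_cur is None:
                continue  # no coordinates, no distance: skip rather than guess
            dist_km = haversine_km(loc_prev[1], loc_prev[2], loc_cur[1], loc_cur[2])
            speed = dist_km / gap_h if gap_h > 0 else math.inf  # same second, real distance
            if dist_km > 0 and speed > max_speed_kmh:
                findings.append({
                    "user": user, "from": f"{ip_prev} ({loc_prev[0]})",
                    "to": f"{ip_cur} ({loc_cur[0]})",
                    "distance_km": round(dist_km, 1),
                    "minutes": round(gap_h * 60, 1),
                    "speed_kmh": round(speed, 1),
                })
    return findings


if __name__ == "__main__":
    for hit in detect_superhero_logins(EVENTS, allowlist=ALLOWLIST):
        print(hit)
```

Run as-is it reports only alice (Seattle to New York in 45 minutes); bob’s Seattle-to-Portland hop is a plausible drive, carol’s pair falls outside the 8-hour window, dave is allowlisted and erin’s first login came from a private address that cannot be geolocated. Thresholding on implied speed rather than raw distance is what keeps the bob case quiet; if you drop the allowlist argument, dave shows up too, which is exactly the false positive the hotspot scenario produces.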
As mentioned before, Splunk Security Essentials is available at no cost as a download from Splunkbase. Play with the demo data or change the search to use your own data source. This doesn’t have to be just for VPN logins; it works for any login record that carries a public source IP address. You could even schedule this search to run regularly and alert you when a match is found. If you have Splunk Enterprise Security, this search is already included. This is just another way to detect account compromise, hopefully before any damage is done.