CompTIA CySA+ CS0-003: User behavior analysis/Impossible travel

Threat hunters should always be cognizant of suspicious user behaviors.  Insider threats are more common than one thinks, and there are also threats that go after specific users or computers.  Cybersecurity analysts should be monitoring for activities like sudden downloads/transfers of multiple files, permission and name changes, multiple login attempts, and impossible travel.

Impossible travel is one of the best indicators of hacking attempts.  For example, if you log in to your platform from Atlanta, GA and another person attempts to log in using your credentials from Dallas, TX within an hour of your login, the platform will flag impossible travel to security personnel.  It calculates the distance between the two login locations and the time it would take to travel that distance.  It also uses additional detection variables besides distance: it identifies whether the IP address is risky, whether there were multiple login attempts, the hardware/software details of the device, and the activities performed during the session.

At times, users may use a VPN.  This is why looking up IP addresses, and the ISP and organization associated with them, is an important task when determining whether the user is legitimate.  There are a lot of false positives when it comes to impossible travel, so using an IP lookup tool to see whether the IP address is associated with a legitimate service like a Microsoft Azure server will help determine whether the traffic is a threat or not.
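The distance/time check described above, combined with the IP-lookup step for reducing false positives, as an added example that is not part of the original note or of any particular product.  It assumes a login-event schema of its own (user, timestamp, source IP, coordinates, and an organization name already obtained from an IP lookup), a plausibility ceiling of 900 km/h, and constructed allowlists: the organization name "Microsoft Azure" and a documentation-range CIDR standing in for a corporate VPN egress.  Distance is the great-circle (haversine) distance between the two login locations; a login pair is flagged when the speed needed to cover that distance in the elapsed time exceeds the ceiling, and flagged pairs whose source is a trusted provider are marked as likely false positives rather than dropped, so an analyst can still review them.

```python
"""Impossible-travel detection over constructed login events (added example).

The event schema, the 900 km/h threshold and the trusted-source lists below
are assumptions for illustration, not taken from any product or the original note.
"""
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, List

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumed ceiling: roughly an airliner's cruising speed

# Constructed allowlists. In practice these come from IP/ASN lookups of the
# source address (cloud providers, the corporate VPN egress range, etc.).
TRUSTED_ORGS = {"Microsoft Azure"}
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24")]  # constructed corporate VPN egress


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime
    src_ip: str
    lat: float
    lon: float
    org: str  # organization returned by an IP lookup (assumed already enriched)


@dataclass(frozen=True)
class Finding:
    user: str
    previous: Login
    current: Login
    distance_km: float
    speed_kmh: float
    likely_false_positive: bool


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def required_speed_kmh(distance_km: float, elapsed: timedelta) -> float:
    """Speed needed to cover distance_km in elapsed; infinite if no time elapsed."""
    hours = elapsed.total_seconds() / 3600.0
    if hours <= 0:
        return math.inf if distance_km > 0 else 0.0
    return distance_km / hours


def is_trusted_source(login: Login) -> bool:
    """True when the IP lookup points at an allowlisted provider or VPN range."""
    addr = ip_address(login.src_ip)
    return login.org in TRUSTED_ORGS or any(addr in net for net in TRUSTED_NETWORKS)


def detect_impossible_travel(logins: List[Login],
                             max_kmh: float = MAX_PLAUSIBLE_KMH) -> List[Finding]:
    """Compare each login with the user's previous one and flag implausible speeds."""
    findings: List[Finding] = []
    last_seen: Dict[str, Login] = {}
    for login in sorted(logins, key=lambda x: x.ts):
        prev = last_seen.get(login.user)
        if prev is not None:
            dist = haversine_km(prev.lat, prev.lon, login.lat, login.lon)
            speed = required_speed_kmh(dist, login.ts - prev.ts)
            if speed > max_kmh:
                suppress = is_trusted_source(prev) or is_trusted_source(login)
                findings.append(Finding(login.user, prev, login, dist, speed, suppress))
        last_seen[login.user] = login
    return findings


# Constructed sample: Atlanta, GA -> Dallas, TX within one hour, as in the note.
T0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
SAMPLE_LOGINS = [
    Login("alice", T0, "198.51.100.10", 33.749, -84.388, "Example ISP"),
    Login("alice", T0 + timedelta(hours=1), "192.0.2.25", 32.777, -96.797, "Example ISP"),
    Login("bob", T0, "198.51.100.11", 33.749, -84.388, "Example ISP"),
    Login("bob", T0 + timedelta(hours=1), "203.0.113.7", 32.777, -96.797, "Microsoft Azure"),
    Login("carol", T0, "198.51.100.12", 33.749, -84.388, "Example ISP"),
    Login("carol", T0 + timedelta(minutes=30), "198.51.100.12", 33.749, -84.388, "Example ISP"),
]

if __name__ == "__main__":
    for f in detect_impossible_travel(SAMPLE_LOGINS):
        tag = "likely false positive (trusted source)" if f.likely_false_positive else "investigate"
        print(f"{f.user}: {f.distance_km:.0f} km in {f.current.ts - f.previous.ts} "
              f"-> {f.speed_kmh:.0f} km/h [{tag}]")
```

Running the block reports alice (Atlanta to Dallas, about 1,160 km in one hour, well above the ceiling) as a finding to investigate, reports bob with the same geometry but marks the pair as a likely false positive because the second login came from an allowlisted provider, and reports nothing for carol, whose two Atlanta logins need no travel at all.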