Page 79 - Cyber Defense eMagazine - October 2017
P. 79

How to Detect The Alternate Inbox Method
               We use hundreds of metrics to look for compromised accounts, but these are some of
               the clues you can use to identify an insider threat.



                   1.  Logins from odd places or times: If you see logins coming from geographical
                       areas that seem unfamiliar or at times when you are asleep, it  can be a dead
                       giveaway that your account has been compromised.
                   2.  New device login: It’s always a good idea to check for new devices accessing
                       an account, they should all be your own. You should sign out all other sessions
                       and monitor as you connect.
                   3.  New inbox rules: Take a look at your inbox settings and see if there are strange
                       rules you did not create. Outlook-InboxRules for Office 365 and Gmail-Filters for
                       Gmail.
                   4.  New folders: Check for new folders you didn’t create. Instead of using the trash
                       folder, hackers will sometimes create new folders with inconspicuous names like
                       “Reminders” to use as their inbox.
                   5.  Emails with many recipients: Looks for emails with multiple recipients in your
                       trash  folder  and  sent  folder.  Hackers  may  be  sending  emails  with  lots  of
                       employees in the BCC field to better their odds of compromising another inbox.
                   6.  Someone  mentions  getting  an  odd email  from  you:  You  might  not  see  the
                       malicious  email,  but  some  you  know  might.  Also,  if  someone  sends  you  a
                       suspicious  email,  use  an  external  method  of  communication  like  the  phone  or
                       text message to validate it. The hacked account may be theirs.
                   7.  Failed logins or password reset messages: If you find yourself having to reset
                       your password for any of your accounts—banking, work, an attacker might have
                       sent a password reset to himself through your account.


               What to do if you have been breached.
               If a single account has been breached, you must assume that more than one account
               could be involved. We will go into more detail in a later article, but the response should
               be immediate.

                   ●  Logout all users and force the resetting of passwords upon next connection.
                   ●  Turn on 2-factor authentication for all users.
                   ●  Search all inboxes, outboxes and deleted emails for signs of the attack.
                   ●  Identify  and  remove  any  third-party  SaaS  that  a  malicious  user  might  have
                       authorized.






                    79   Cyber Defense eMagazine – October 2017 Edition
                         Copyright © Cyber Defense Magazine,  All rights reserved worldwide.
   74   75   76   77   78   79   80   81   82   83   84