Impossible Travel: How Hunters Detects Account Takeover Across Platforms
- Jun 1, 2023
- By Hunters Research
- 4 minutes to read
By: Yuval Zacharia, Security Research Team Lead; Ophir Kelman, Security Researcher; Dor Bernstein, Backend Engineer; Eliraz Levi, Security Researcher; Man Uri, Security Researcher
TL;DR: Hunters has released a new impossible travel detector that rises above the noise, cost and challenges of existing solutions in the market.
Overview
The impossible travel detector is a security mechanism that is used to detect and prevent unauthorized access to a network or system. It works by analyzing the location of a user's login attempts, and flagging any attempts that seem impossible based on the user's expected location and travel time.
For example, if a user logs in from Boston and then attempts to log in from Tel Aviv just a few minutes later, the impossible travel detector would flag this as suspicious activity, since it would be impossible for the user to travel from Boston to Tel Aviv in such a short amount of time.
Very prominent today are account takeover attacks (ATO), where 22% of adults in the US have been victims of someone else gaining access to their accounts. By detecting suspicious login attempts, security teams can track potential threats and be ready to take action before any damage is done
Additionally, impossible travel detectors can help organizations comply with regulatory requirements such as GDPR and HIPAA, which require companies to implement strong security measures to protect personal data.
Difficulties with impossible travel detectors
Some security tool providers offer impossible travel detectors, but creating, utilizing and maintaining them is not always simple. Some common challenges that come with this are:
- Overwhelming noise: With employees being located across the globe, using VPNs, multiple devices and under-researched detection rules, impossible travel detectors are known for being extremely noisy and overwhelming security teams, causing more issues than they solve.
- Correlating data across applications: Most existing rules search only across their own logs, because searching across applications would mean evaluating huge amounts of data in different formats. Not being able to correlate data means that if there is a login on Okta in Boston and one on AWS in Tel Aviv within 5 minutes of each other, those detectors would not be able to flag the suspicious activity across the different data sources.
- In-house detection engineering: many security tools have the capability to build their own impossible travel detectors. While this can be useful and gives a sense of control, it relies heavily on in-house teams to understand exactly what to look for, how to write the detector, and how to tune it. This can be a very large project for resource strapped teams.
- Cost: Some providers offer impossible travel detectors, but charge an additional cost for it.
Hunters' impossible travel detector
Hunters has just released a brand new, built-in impossible travel detector. This detector is available out-of-the-box for every Hunters SOC Platform customer, and can also be tuned to fit your individual needs. What makes this detector unique is that it solves for many of the pain points listed above:
- Cross data source correlation via unified schema: Hunters applies its proprietary unified schema across your data sources so that it can automatically correlate events no matter which logs they appear in. For example, if there is a login in Israel on Okta and 2 minutes later the same user logs into AWS from Germany, Hunters will be able to correlate those logins across sources to surface necessary alerts.
- Leveraging UEBA capabilities: Upon initiation, the detector establishes a benchmark of ‘approved’ geo-locations used regularly by each user. Once a new and suspicious login location is detected, the system will examine it relative to the user’s latest login location.
- Reduced noise via expert in-house detection engineers: Hunters’ in-house investigation team thoroughly researched and evaluated various levers that greatly decrease the amount of false positives generated through this detector. Theses levers include:
- Organizational IP filter that is able to identify IP addresses normally utilized within the organization
- Proxy/VPN/NAT filter to identify which are commonly used by members of your organization and should not surface an alert
- Excluding user names that are not humans by using different techniques, including leveraging other features of Hunters’ asset tagging feature
- Out-of-the-box and continually updated: This detector is built-in to the Hunters SOC Platform so there is no need to spend precious engineering time creating a detector or pay extra fees for something that is vital to your organization.
Conclusion
With this singular detector, Hunters is able to provide its customers with protection that has become consistently more relevant. By analyzing login attempts and flagging suspicious activity, it can alert security teams to potential threats and enable them to take action before any damage is done.
If you want to learn more about Hunters’ built-in, always up-to-date detection, check out this walkthrough tour of an attack on Active Directory. Adding our Impossible Travel Detector to an already robust arsenal of detection content equips your security team with the tools to be even more efficient and proactive.