Stolen Credentials

detectors

The Stolen Credentials Detector sifts through travel and network trust features from authentication focused logon events that are ingested into the Secureworks® Taegis™ XDR data lake, looking for unusual pairings that indicate an impossible amount of travel has occurred in the time between login events for a single user. The unusual events are then published as an alert that displays in the XDR Dashboard.

Stolen Credentials Alert

Alert information includes a map to show IP-based geolocation information for logins, timestamp for the event(s), source IP, location, any relevant MITRE information, and calculated travel and network trust feature information for the event.

The Stolen Credentials algorithm surfaces the most plausible list of alerts. The algorithm uses fuzzy accurate IP geolocation for travel speed, observed historical user login IP addresses, and observed historical user login Autonomous System Number (ASN) sources. The algorithm relies on the network effect across all of our customers to build trust as we see trusted IP addresses and ASNs over time, while protecting each customer's data and privacy. To help sort and prioritize multiple Stolen Credential alerts, each alert is given a confidence level between 0 and 1 based on the number of algorithm elements (out of nine possible factors) firing.

Schema ⫘

Auth

Outputs ⫘

Currently, this detector batch processes events and generates alerts based on the scheduled batch interval. Current batch interval is 4 hours combined with 30-90 minutes processing time. Therefore, alerts should be seen by this detector every 4.5-6 hours.

Stolen Credential alerts pushed to the XDR Alert Database and XDR Dashboard.

MITRE ATT&CK Category ⫘

MITRE Enterprise ATT&CK - Defense Evasion, Persistence, Privilege Escalation, Initial Access - Valid Accounts. For more information, see MITRE Technique T1078.

Configuration Options ⫘

None

Detector Requirements ⫘

• Alerts, Auth, Netflow