

Netskope Global Technical Success (GTS)

UEBA: Shared Credentials Incident Analysis

 

Netskope Cloud Version - 119

 

Objective

UEBA - Shared Credentials Incident Analysis

 

Prerequisite

Netskope Standard/Advanced UEBA license is required

 

Context

A detailed explanation of how the Netskope Shared Credentials detection works

 

Analysis

Step 1: Incident Review

Path: Netskope Tenant UI >>> Skope IT >>> Alerts

Filter: Policy Name = Shared Credentials

Ref. Image


 

A - User: mandeepsingh@___.com

B - User: zarminshaikh@___.com

C - Credential: msingh@netskope.com

 

Both mandeepsingh@___.com and zarminshaikh@___.com used the same login credential, msingh@netskope.com, to access an application.

 

Step 2: Identify the transactions

Let's identify the transactions made by users mandeepsingh@___.com and zarminshaikh@___.com in which they used the same login credential, msingh@netskope.com.

 

  • mandeepsingh@___.com transactions

Path: Netskope Tenant UI >>> Skope IT >>> Application Events

Filter: User = mandeepsingh@___.com


 

Note

What is From_User?

Netskope defines the username used to log into an application as ‘From_User’. In a shared-credentials case this is the value that is common across the events, while the Netskope ‘User’ field still identifies the person whose traffic it is.


 

  • zarminshaikh@___.com transactions

Path: Netskope Tenant UI >>> Skope IT >>> Application Events

Filter: User = zarminshaikh@___.com


 

  • It is evident that end-users mandeepsingh@___.com and zarminshaikh@___.com accessed applications such as Google Drive, Slack, Atlassian Confluence, and Google Calendar using the msingh@netskope.com credentials.
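The two-step review above (Step 1: find the credential shared across users; Step 2: pull each user's transactions made with it) can be scripted over exported application events. The example below is an added illustration, not Netskope code and not an official export format: it assumes records with `user`, `from_user`, `app` and `timestamp` fields (names chosen to mirror the Skope IT columns used in this article) and builds a small constructed sample in that shape. It generalizes the manual check by reporting every From_User value seen from two or more distinct Netskope users, normalizing e-mail case so that a differently capitalized login is still matched, and skipping events that carry no login identity.

```python
from collections import defaultdict

# Constructed sample events, modelled on the Skope IT "Application Events" view.
# Field names are an assumption for this example, not a documented export format.
SAMPLE_EVENTS = [
    {"timestamp": "2024-05-01T09:02:11Z", "user": "mandeepsingh@___.com",
     "from_user": "msingh@netskope.com", "app": "Google Drive"},
    {"timestamp": "2024-05-01T09:10:47Z", "user": "mandeepsingh@___.com",
     "from_user": "msingh@netskope.com", "app": "Slack"},
    # Same credential typed with different capitalization by the second user.
    {"timestamp": "2024-05-01T10:31:05Z", "user": "zarminshaikh@___.com",
     "from_user": "MSingh@netskope.com", "app": "Atlassian Confluence"},
    {"timestamp": "2024-05-01T10:44:19Z", "user": "zarminshaikh@___.com",
     "from_user": "msingh@netskope.com", "app": "Google Calendar"},
    # A user logging in with their own identity: not a shared credential.
    {"timestamp": "2024-05-01T11:00:00Z", "user": "zarminshaikh@___.com",
     "from_user": "zarminshaikh@___.com", "app": "Google Drive"},
    {"timestamp": "2024-05-01T11:05:30Z", "user": "thirduser@___.com",
     "from_user": "thirduser@___.com", "app": "Slack"},
    # Event with no login identity captured: carries no signal and is skipped.
    {"timestamp": "2024-05-01T11:09:02Z", "user": "mandeepsingh@___.com",
     "from_user": None, "app": "Box"},
]


def _norm(identity):
    """E-mail style identities are case-insensitive; compare them lower-cased."""
    return identity.strip().lower() if isinstance(identity, str) and identity.strip() else None


def shared_credentials(events, min_users=2):
    """Step 1 of the analysis: map each From_User credential to the set of
    distinct Netskope users who logged in with it, and the apps involved.
    Only credentials used by at least `min_users` distinct users are returned."""
    users_by_cred = defaultdict(set)
    apps_by_cred = defaultdict(set)
    for ev in events:
        cred = _norm(ev.get("from_user"))
        user = _norm(ev.get("user"))
        if cred is None or user is None:
            continue
        users_by_cred[cred].add(user)
        apps_by_cred[cred].add(ev.get("app") or "unknown")
    return {
        cred: {"users": sorted(users), "apps": sorted(apps_by_cred[cred])}
        for cred, users in users_by_cred.items()
        if len(users) >= min_users
    }


def transactions_for(events, user, credential):
    """Step 2 of the analysis: the events in which `user` logged in as `credential`,
    i.e. the Application Events view filtered on User with From_User checked."""
    user, credential = _norm(user), _norm(credential)
    return [
        ev for ev in events
        if _norm(ev.get("user")) == user and _norm(ev.get("from_user")) == credential
    ]


if __name__ == "__main__":
    findings = shared_credentials(SAMPLE_EVENTS)
    for cred, detail in findings.items():
        print(f"Credential {cred} used by {len(detail['users'])} users: "
              f"{', '.join(detail['users'])}")
        print(f"  apps: {', '.join(detail['apps'])}")
        for u in detail["users"]:
            for ev in transactions_for(SAMPLE_EVENTS, u, cred):
                print(f"  {ev['timestamp']}  {u} -> {ev['app']}")
```

Running it on the constructed sample reports only msingh@netskope.com, used by both users across Google Drive, Slack, Atlassian Confluence and Google Calendar; the self-logins and the event without a From_User are left out, which is the same picture the screenshots in Step 2 show.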

 

Author Notes

Sharing credentials is not considered a best practice for several reasons:

  • Compromised Security: If the shared credentials are compromised, all users with access to those credentials are at risk. It’s much harder to secure and manage a single set of credentials that’s used by multiple people compared to unique credentials for each individual.

  • Lack of Accountability: Shared credentials obscure who performed specific actions within the application. This lack of individual accountability makes it difficult to track and audit user activities, which is crucial for detecting and responding to security incidents.

  • Increased Risk of Credential Sharing: Users with shared credentials may be more likely to share passwords with unauthorized individuals or use them in less secure environments, increasing the risk of unauthorized access.

  • Inability to Enforce Individual Access Controls: Unique credentials allow for the enforcement of tailored access controls and permissions for each user. Shared credentials mean that access permissions can’t be customized or enforced on a per-user basis, potentially exposing sensitive information to unauthorized users.

  • Difficulty in Incident Response: In the event of a security incident, shared credentials make it challenging to determine the origin of the breach or to respond effectively. It becomes difficult to isolate the issue to a specific user or to understand the full extent of the compromise.

  • Regulatory and Compliance Issues: Many regulations and industry standards require individual user accounts to ensure proper access control and logging. Shared credentials can lead to non-compliance with these regulations, potentially resulting in legal and financial repercussions.

  • Increased Risk of Phishing Attacks: If a shared credential is targeted by phishing attacks, the compromise of those credentials could affect all users relying on them, amplifying the impact of the attack.

In summary, unique credentials for each user enhance security, accountability, and compliance, and simplify access management.

 

Terms and Conditions

  • All documented information undergoes testing and verification to ensure accuracy.
  • In the future, if any such platform changes are brought to our attention, we will promptly update the documentation to reflect them.

 

Notes

  • This article is authored by Netskope Global Technical Success (GTS).
  • For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.

 

 

What to Read Next?

  • UEBA: Compromised Credentials Incident Analysis
  • UEBA: Compromised Credentials - General Q/A
  • UEBA: Compromised Credentials - Q/A attached to Email Notification