Netskope Global Technical Success (GTS)
UEBA: Compromised Credentials Incident Analysis
Netskope Cloud Version - 119
Objective
UEBA - Compromised Credentials Incident Analysis
Prerequisite
Netskope UEBA license is required
Context
A detailed explanation of how Netskope Compromised Credentials detection works, illustrated with one incident record.
Analysis
Path: Netskope Tenant UI >>> Incidents >>> Compromised Credentials
Ref. Image
- User - peter.johnson@abc.com
This is the official email ID of the end-user for whom the Compromised Credentials alert was triggered.
- Matched User - pjohnson@gmail.com
This is the personal email ID of the end-user for whom the Compromised Credentials alert was triggered.
- Access Method - Client
The end-user was steering traffic to Netskope via the Netskope Client when the compromised credentials alert was triggered.
- Source of Info - Combolist
Based on information from Combolist, the account details linked to the email address pjohnson@gmail.com were compromised and exposed on the dark web on April 10, 2023. Netskope does not possess details regarding the specific level of account information leaked, such as passwords, user personal details, etc.
- Date Compromised - 10/4/2023
The date when Combolist released the leaked database was 10/04/2023.
- Timestamp - 3/7/2024 2:49 AM
The user utilized the email address pjohnson@gmail.com in a transaction on 3/7/2024 at 2:49 AM.
- Netskope's Compromised Credentials (CC) engine collects information from various sources regarding leaked email data and stores it in a database.
- This engine monitors every transaction, and if there's a match between a user's email ID used to log in to a web application and the database of leaked email data, Netskope generates a CC alert.
- In the scenario provided, the user logged in with their Gmail ID, triggering a CC alert because of a match detected by Netskope's engines.
- While a match on a personal domain such as @gmail.com, @yahoo.com, @live.com or @outlook.com is acceptable, there have been instances where employees registered for non-business applications using their official email IDs.
- If you see a hit for domain @abc.com in the matched user section, please contact the end-user and advise them to update their account passwords.
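The matching described in the bullets above, written out as a small worked example. This is an added illustration, not Netskope code: it assumes a leaked-credential table keyed by email address (with source and compromise date), a stream of login events carrying the email the user typed into the web application, and a corporate domain of abc.com (an assumption taken from the sample incident). All records are constructed; the alert it produces for pjohnson@gmail.com carries the same fields as the incident record above, and a hit on the corporate domain is flagged separately because that is the case the article says warrants contacting the user.

```python
"""Toy reconstruction of the Compromised Credentials (CC) matching logic:
leaked email addresses are indexed, every login event is checked against
that index, and a hit produces an alert. Added example, not Netskope code.
All data below is constructed for illustration."""

from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional

CORPORATE_DOMAIN = "abc.com"  # assumption: the tenant's official email domain


@dataclass(frozen=True)
class LeakRecord:
    email: str                 # address found in the leaked data set
    source: str                # e.g. "Combolist"
    date_compromised: datetime # date the leaked database was released


@dataclass(frozen=True)
class LoginEvent:
    user: str          # corporate identity steering traffic through the client
    login_email: str   # email address the user supplied to the web application
    access_method: str # "Client", etc.
    timestamp: datetime


@dataclass(frozen=True)
class CCAlert:
    user: str
    matched_user: str
    access_method: str
    source_of_info: str
    date_compromised: datetime
    timestamp: datetime
    corporate_email_exposed: bool  # True when the matched address is on CORPORATE_DOMAIN


def normalize(email: str) -> str:
    """Case- and whitespace-insensitive comparison key for an email address."""
    return email.strip().lower()


def build_leak_index(records: Iterable[LeakRecord]) -> Dict[str, LeakRecord]:
    """Index leak records by address, keeping the earliest compromise date."""
    index: Dict[str, LeakRecord] = {}
    for rec in records:
        key = normalize(rec.email)
        if key not in index or rec.date_compromised < index[key].date_compromised:
            index[key] = rec
    return index


def match_login(event: LoginEvent, index: Dict[str, LeakRecord]) -> Optional[CCAlert]:
    """Return a CC alert if the login email appears in the leak index, else None."""
    key = normalize(event.login_email)
    rec = index.get(key)
    if rec is None:
        return None
    domain = key.rsplit("@", 1)[-1]
    return CCAlert(
        user=event.user,
        matched_user=event.login_email,
        access_method=event.access_method,
        source_of_info=rec.source,
        date_compromised=rec.date_compromised,
        timestamp=event.timestamp,
        corporate_email_exposed=(domain == CORPORATE_DOMAIN),
    )


def scan(events: Iterable[LoginEvent], records: Iterable[LeakRecord]) -> List[CCAlert]:
    """Run every login event through the leak index and collect the alerts."""
    index = build_leak_index(records)
    return [a for a in (match_login(e, index) for e in events) if a is not None]


# Constructed sample data mirroring the fields of the incident in the article.
LEAKS = [
    LeakRecord("pjohnson@gmail.com", "Combolist", datetime(2023, 4, 10)),
    LeakRecord("mary.smith@abc.com", "Combolist", datetime(2023, 4, 10)),
]
EVENTS = [
    LoginEvent("peter.johnson@abc.com", "pjohnson@gmail.com", "Client", datetime(2024, 3, 7, 2, 49)),
    LoginEvent("mary.smith@abc.com", "Mary.Smith@abc.com", "Client", datetime(2024, 3, 8, 9, 0)),
    LoginEvent("john.doe@abc.com", "john.doe@abc.com", "Client", datetime(2024, 3, 8, 10, 0)),
]

if __name__ == "__main__":
    for alert in scan(EVENTS, LEAKS):
        flag = "CORPORATE DOMAIN - contact user" if alert.corporate_email_exposed else "personal domain"
        print(f"{alert.user} matched {alert.matched_user} ({alert.source_of_info}, "
              f"{alert.date_compromised:%Y-%m-%d}) at {alert.timestamp:%Y-%m-%d %H:%M} [{flag}]")
```

Running the block produces two alerts: the personal-domain match from the article, and a second constructed one where the matched address is on the corporate domain, which is the case that should lead to a password reset request for the user.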
Recommendations
It's important to educate end-users about the risks associated with using official email addresses for non-sanctioned or non-business applications. Netskope recommends implementing the following security measures:
- Avoid Using Official Email Addresses: Encourage users not to create accounts on non-sanctioned or non-business applications using their official email addresses. Using personal email addresses for such purposes helps mitigate security risks.
- Enable Multi-Factor Authentication (MFA): Ensure that all business applications are enabled with multi-factor authentication (MFA). MFA adds an extra layer of security by requiring users to provide additional authentication factors, such as a code sent to their mobile device, in addition to their password.
- Implement Password Update Policy: Enforce a password update policy to ensure that users regularly update their account passwords. This helps prevent unauthorized access in case of compromised credentials.
By following these recommendations, organizations can enhance their security posture and reduce the risk of unauthorized access to business applications.
Terms and Conditions
- All documented information undergoes testing and verification to ensure accuracy.
- In the future, if any such platform changes are brought to our attention, we will promptly update the documentation to reflect them.
Notes
- This article is authored by Netskope Global Technical Success (GTS).
- For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.