The Analyst opened the events and saw something odd:
- At 9:00 AM, Sarah, the sales manager, logged in from her home in California.
- At 9:45 AM, her account showed another login from Paris, France.
The Investigation
The Analyst began digging deeper. He pulled up the logs for Sarah's account:
- The first login, from the California IP address, was legitimate: the Analyst had confirmation that logins from Sarah in the California region are expected and approved.
- The second login came from a Paris IP address only 45 minutes later. Nobody can travel from California to Paris in 45 minutes, so the two logins cannot both be Sarah herself.
"Looks like someone might have stolen Sarah's credentials," the Analyst thought.
But before jumping to conclusions, he needed to rule out other possibilities.
The Possible Culprits
- VPN Usage: "What if Sarah used a Virtual Private Network (VPN) that routed her connection through Paris?" the Analyst, Anil, considered. However, checking the logs confirmed that no VPN was in use.
- Credential Sharing: "Could Sarah have shared her password with a colleague or friend in Paris?" This was possible but unlikely, as Sarah had recently completed a security training program emphasizing the dangers of password sharing.
- Compromise: The most likely scenario was that Sarah's credentials had been stolen—perhaps through phishing or a previous data breach.
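The check the Analyst performed above, geolocating both logins, computing the distance between them and asking whether anyone could have covered it in the time between the two events, is what SIEM products call an impossible-travel rule. The following is an added example, not code from the original story: it parses a few constructed log lines, looks up each source IP in a constructed geolocation table (standing in for a real GeoIP database, using documentation-range addresses), skips logins from a constructed list of corporate VPN egress addresses (the VPN possibility ruled out above), and raises an alert when the implied speed between two successful logins for the same user exceeds what an airliner could manage. The log format, IPs, coordinates and the 900 km/h threshold are all assumptions for the example.

```python
import math
from datetime import datetime, timezone

# Constructed GeoIP table (documentation-range IPs; coordinates are city centres).
GEO = {
    "203.0.113.10": ("San Jose, California, US", 37.3382, -121.8863),
    "198.51.100.7": ("Paris, FR", 48.8566, 2.3522),
    "192.0.2.77": ("London, GB", 51.5074, -0.1278),
    "203.0.113.200": ("Frankfurt, DE", 50.1109, 8.6821),
}

# Constructed list of corporate VPN egress addresses: a login from one of these
# says nothing about where the user physically is, so it is excluded.
VPN_EGRESS = {"203.0.113.200"}

# Assumed threshold: a little above airliner cruising speed. Anything faster
# between two logins means the two sessions cannot belong to one traveller.
MAX_SPEED_KMH = 900.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def parse(line):
    """Parse an assumed line format: '<ISO8601 UTC> user=<u> ip=<ip> result=<success|failure>'."""
    ts, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def impossible_travel(lines, max_speed_kmh=MAX_SPEED_KMH):
    """Return one alert per successful login that is unreachably far from the
    user's previous successful login given the time elapsed."""
    alerts = []
    last = {}  # user -> (timestamp, ip, geo) of their previous successful login
    for rec in sorted((parse(l) for l in lines), key=lambda r: r["ts"]):
        if rec["result"] != "success" or rec["ip"] in VPN_EGRESS:
            continue  # failures tell us nothing about location; VPN egress is excluded
        geo = GEO.get(rec["ip"])
        if geo is None:
            continue  # no location for this IP: the rule cannot evaluate it
        prev = last.get(rec["user"])
        if prev is not None:
            prev_ts, prev_ip, prev_geo = prev
            dist_km = haversine_km(prev_geo[1], prev_geo[2], geo[1], geo[2])
            hours = (rec["ts"] - prev_ts).total_seconds() / 3600.0
            speed = dist_km / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                alerts.append({
                    "user": rec["user"],
                    "from": f"{prev_geo[0]} ({prev_ip})",
                    "to": f"{geo[0]} ({rec['ip']})",
                    "distance_km": round(dist_km),
                    "minutes": round(hours * 60),
                    "speed_kmh": round(speed),
                })
        last[rec["user"]] = (rec["ts"], rec["ip"], geo)
    return alerts


# Constructed sample events: Sarah's two logins from the story, a failed attempt
# that must be ignored, Bob's plausible 12-hour trip, and Bob's VPN login.
SAMPLE_LOGS = [
    "2024-05-06T09:00:00Z user=sarah ip=203.0.113.10 result=success",
    "2024-05-06T09:20:00Z user=sarah ip=198.51.100.7 result=failure",
    "2024-05-06T09:45:00Z user=sarah ip=198.51.100.7 result=success",
    "2024-05-06T08:00:00Z user=bob ip=203.0.113.10 result=success",
    "2024-05-06T08:30:00Z user=bob ip=203.0.113.200 result=success",
    "2024-05-06T20:00:00Z user=bob ip=192.0.2.77 result=success",
]

if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_LOGS):
        print(alert)
```

Running it flags only Sarah: roughly 8,970 km covered in 45 minutes, an implied speed near 12,000 km/h. Bob's California-to-London login 12 hours later comes out under 900 km/h and his intermediate VPN login is skipped entirely. Two caveats a practitioner should keep in mind: GeoIP data for mobile carriers and cloud ranges is often wrong by hundreds of kilometres, so the speed threshold should be generous, and an unknown IP is a gap in coverage rather than a clean result.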
The Analyst opened an incident record and followed the incident response process.
The Response:
The incident response protocol called for the following steps:
Account Lockdown: The account is locked until the user has been verified, so the team temporarily disabled Sarah's account to prevent further misuse.
User Verification: The incident response team called Sarah, on her phone number of record rather than any contact details from the suspicious session, to confirm her activity. She was shocked to learn about the Paris login and confirmed she wasn't travelling.
Incident Analysis: The Analyst examined the suspicious login further and found evidence of brute-force attempts against Sarah's account over the weekend, which points to the password having been guessed rather than phished.
Credential Reset: Sarah's password was reset and Multi-Factor Authentication (MFA) was enforced to add an extra layer of security. Note that a password reset alone does not end a session the attacker has already established, so existing sessions and tokens must be revoked as well.
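The brute-force evidence found during incident analysis is itself detectable before the account is compromised: a burst of failed logins for one account inside a short window, and, most importantly, a success that follows such a burst, which is the signature of a password that was guessed. The following is an added example, not part of the original write-up: it replays constructed weekend log lines (same assumed format as a SIEM might export, with documentation-range IPs), keeps a sliding window of failures per user, opens an alert when the failure count in the window reaches a threshold, and upgrades the alert to high severity if a successful login arrives while that burst is still active. The threshold of 5 failures in 10 minutes is an assumption for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed tuning for the example: five failures within ten minutes opens an alert.
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=10)


def parse_event(line):
    """Parse an assumed line format: '<ISO8601 UTC> user=<u> ip=<ip> result=<success|failure>'."""
    ts, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def brute_force_alerts(lines, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one alert per user whose failed logins exceeded the threshold
    within the window; 'followed_by_success' marks a likely guessed password."""
    recs = sorted((parse_event(l) for l in lines), key=lambda r: r["ts"])
    recent_failures = defaultdict(deque)  # user -> timestamps of failures inside the window
    alerts = {}                            # user -> alert dict (one alert per user)
    for rec in recs:
        user, ts = rec["user"], rec["ts"]
        q = recent_failures[user]
        # Drop failures that have aged out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if rec["result"] == "failure":
            q.append(ts)
            if len(q) >= threshold:
                alert = alerts.setdefault(user, {
                    "user": user,
                    "first_failure": q[0].isoformat(),
                    "failures_in_window": 0,
                    "followed_by_success": False,
                    "severity": "medium",
                })
                alert["failures_in_window"] = max(alert["failures_in_window"], len(q))
        elif user in alerts and q:
            # A success while failures are still inside the window: the burst
            # most likely ended with the correct password being found.
            alerts[user]["followed_by_success"] = True
            alerts[user]["severity"] = "high"
    return list(alerts.values())


# Constructed weekend events: Sarah is hammered for six minutes and then the
# attacker gets in; Bob mistypes twice; Carol fails five times but spread over
# two hours, which never fills the window.
WEEKEND_LOGS = [
    "2024-05-04T02:00:00Z user=sarah ip=198.51.100.7 result=failure",
    "2024-05-04T02:01:00Z user=sarah ip=198.51.100.7 result=failure",
    "2024-05-04T02:02:00Z user=sarah ip=198.51.100.7 result=failure",
    "2024-05-04T02:03:00Z user=sarah ip=198.51.100.7 result=failure",
    "2024-05-04T02:04:00Z user=sarah ip=198.51.100.7 result=failure",
    "2024-05-04T02:05:00Z user=sarah ip=198.51.100.7 result=failure",
    "2024-05-04T02:08:00Z user=sarah ip=198.51.100.7 result=success",
    "2024-05-04T10:00:00Z user=bob ip=203.0.113.10 result=failure",
    "2024-05-04T10:00:30Z user=bob ip=203.0.113.10 result=failure",
    "2024-05-04T10:01:00Z user=bob ip=203.0.113.10 result=success",
    "2024-05-04T14:00:00Z user=carol ip=192.0.2.77 result=failure",
    "2024-05-04T14:30:00Z user=carol ip=192.0.2.77 result=failure",
    "2024-05-04T15:00:00Z user=carol ip=192.0.2.77 result=failure",
    "2024-05-04T15:30:00Z user=carol ip=192.0.2.77 result=failure",
    "2024-05-04T16:00:00Z user=carol ip=192.0.2.77 result=failure",
]

if __name__ == "__main__":
    for alert in brute_force_alerts(WEEKEND_LOGS):
        print(alert)
```

Only Sarah produces an alert, and it is high severity because the success landed three minutes after the last failure. Keying the window on the user alone catches a single attacker working one account; password spraying, where one source tries a few guesses against many accounts, needs the same sliding window keyed on the source IP instead, which is a one-line change to the dictionary key.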