The Impossible Travel Problem

Or the Teleportation Problem

Raj Vira
5 min readApr 26, 2022
Fantastic vector created by upklyak, www.freepik.com

When a user signs in to a system, the system normally records a timestamp of the event. Alongside the time, it often captures other useful details such as the device used, physical location, IP address, failed login attempts, and so on. The more data collected, the more useful it becomes. Now, if a user has two or more successful or unsuccessful login attempts from two or more different country codes within a very short span of time, say travelling between two countries within 15 minutes, that is an Impossible Travel event, which can indicate possible credential theft (unless we have figured out teleportation or some sort of fast travel, or Dr. Strange is real).

The server being accessed from two distant locations within a short amount of time: indicating an Impossible Travel for the user

But the problem is: how do we detect this kind of event, and how do we automate the whole tedious process of confirming with the user whether they actually travelled like this, raising a ticket for the incident, and escalating by mail or throwing an alert when the user says that no such travel took place, which points to possible credential theft? (Did I say automate? Like automation and stuff?)

We can achieve this by using Shuffle. Shuffle is an open-source SOAR (Security Orchestration, Automation, and Response) platform. It aims to provide all the features required to move data throughout an organization using plug-and-play Apps, making automation accessible to anyone.

We can push the login events from the SIEM to our Shuffle SOAR platform, where we will correlate the events and automate the detection process to eliminate false positives.

Technical Stuff

I am using Wazuh as my SIEM platform, where I will detect the successful or unsuccessful authentication events occurring in my environment.

Wazuh Authentication Events

To push the events from Wazuh to Shuffle, you can refer to the following link: https://shuffler.io/docs/extensions#wazuh

Now, to automate several processes we will create a workflow within Shuffle itself.

Log in to your Shuffle account; you can create a new workflow by clicking the (+) icon.

So, this is the workflow I have configured, where the steps will be automated.

Here, the Webhook will receive the security events for the successful and unsuccessful login attempts.

Now, we need to check whether the IP address found in our events is a public address or a private one. For that, we have used Shuffle Tools.

If the IP address is public, we need its coordinates to determine the country. To check this, we will use the IPinfo app in Shuffle.

Once the coordinates and country codes are received, we can correlate the events and check whether the country codes differ between the authentication events. From this, we can tell whether a credential theft may have occurred. For this correlation, we have used Shuffle Tools again.

Once the correlation is done and a difference is found in the country codes, we can say that an Impossible Travel event took place, and we can raise a case or ticket for it. For this, we will be using the TheHive app.
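The three detection steps above (public/private check, geolocation, correlation of a user's consecutive events within the 15-minute window) are the part of the workflow that is easiest to get subtly wrong, so here they are as a stand-alone Python script. This is an added example and not the post's Shuffle workflow or Wazuh's code: the event field names, the IP-to-location table (a stand-in for the IPinfo app) and the sample events are all constructed for the example, using RFC 5737 documentation addresses. It goes one step beyond the post's plain country-code comparison by also computing the implied travel speed from the coordinates, which gives a first triage signal for the neighbouring-border case the post mentions later.

```python
import ipaddress
import math
from datetime import datetime, timedelta

# Constructed sample of authentication events, in the rough shape a Wazuh
# authentication alert would reach the Shuffle webhook. Field names are an
# assumption for this example, not Wazuh's real schema.
SAMPLE_EVENTS = [
    {"user": "alice", "src_ip": "10.0.0.5",     "outcome": "success", "ts": "2022-04-26T09:00:00Z"},
    {"user": "alice", "src_ip": "203.0.113.10", "outcome": "success", "ts": "2022-04-26T09:05:00Z"},
    {"user": "alice", "src_ip": "198.51.100.7", "outcome": "failure", "ts": "2022-04-26T09:12:00Z"},
    {"user": "bob",   "src_ip": "192.0.2.44",   "outcome": "success", "ts": "2022-04-26T10:00:00Z"},
    {"user": "bob",   "src_ip": "192.0.2.200",  "outcome": "success", "ts": "2022-04-26T10:14:00Z"},
]

# Constructed stand-in for the IPinfo lookup: RFC 5737 documentation ranges
# mapped to made-up (country code, latitude, longitude) locations.
GEO_TABLE = {
    "203.0.113.0/24":  ("IN", 19.07, 72.88),   # pretend: Mumbai
    "198.51.100.0/24": ("US", 40.71, -74.01),  # pretend: New York
    "192.0.2.0/25":    ("FR", 50.63, 3.06),    # pretend: Lille
    "192.0.2.128/25":  ("BE", 50.85, 4.35),    # pretend: Brussels
}

# Address space that never yields a useful geolocation. Python's own
# ip_address().is_global would also reject the RFC 5737 ranges used above,
# so the check is spelled out explicitly here.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 equivalents
)]


def is_public(ip: str) -> bool:
    """True if the source address could plausibly be geolocated."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_ROUTABLE)


def lookup_geo(ip: str):
    """Return (country, lat, lon) from the constructed table, or None."""
    addr = ipaddress.ip_address(ip)
    for cidr, loc in GEO_TABLE.items():
        if addr in ipaddress.ip_network(cidr):
            return loc
    return None


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def detect_impossible_travel(events, window=timedelta(minutes=15), max_speed_kmh=900.0):
    """One finding per pair of consecutive geolocatable events for the same user
    that fall within `window` and carry different country codes. Successful and
    failed logins both count. The implied speed lets a short hop over a land
    border be triaged differently from a physically impossible one."""
    by_user = {}
    for ev in events:
        if not is_public(ev["src_ip"]):
            continue                      # internal address: nothing to locate
        geo = lookup_geo(ev["src_ip"])
        if geo is None:
            continue                      # lookup failed: cannot correlate
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        by_user.setdefault(ev["user"], []).append((ts, ev["src_ip"], geo))

    findings = []
    for user, seq in by_user.items():
        seq.sort(key=lambda item: item[0])
        for (t1, ip1, g1), (t2, ip2, g2) in zip(seq, seq[1:]):
            gap = t2 - t1
            if gap > window or g1[0] == g2[0]:
                continue                  # same country, or outside the window
            km = haversine_km(g1[1], g1[2], g2[1], g2[2])
            hours = max(gap.total_seconds(), 1.0) / 3600.0
            speed = km / hours
            findings.append({
                "user": user,
                "from": (ip1, g1[0]),
                "to": (ip2, g2[0]),
                "minutes_apart": round(gap.total_seconds() / 60, 1),
                "distance_km": round(km),
                "speed_kmh": round(speed),
                # reachable at airliner speed: ask the user first;
                # otherwise the case can be escalated straight away
                "physically_possible": speed <= max_speed_kmh,
            })
    return findings


if __name__ == "__main__":
    for finding in detect_impossible_travel(SAMPLE_EVENTS):
        print(finding)
```

Run as-is it reports two findings: alice's private-address event at 09:00 is skipped, her Mumbai-to-New York pair seven minutes apart comes out at over 100,000 km/h, while bob's Lille-to-Brussels pair is under the airliner threshold and is the kind of hit the Teams question to the user is there to resolve. The speed field is only a triage hint; a VPN exit can still make a genuine login look like a long jump, which is why the post keeps the user confirmation step in the loop.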

We can even send an actionable alert message to a Microsoft Teams channel to ask the user whether the incident that took place was caused by them or by someone else.

The alert message and choices are both customizable, so you may have it just the way you want it.

Here, if the user clicks “Yes”, the ticket gets closed, as the incident is known to be genuine. The incident can be genuine in certain circumstances, such as when the user used a VPN or simply moved across a nearby border, for example from France to Belgium.

But if the user clicks “No”, which indicates possible credential theft, we can also generate an alert by mail.

If the user clicks “It is the year 2100”, don’t ask me anything regarding this till the year 2099.

We can also send alerts to multiple platforms according to our needs, and perform further automation configured to our own use cases.

Conclusion

Using Shuffle as our SOAR platform, we can automate the whole process of raising a case for the incident, asking the user for confirmation, and escalating the event with an alert to the IT Security Team as well. The whole process can be automated in the blink of an eye (just like teleporting from one country to another).
