GeoLogonalyzer, a tool released by FireEye, identifies malicious logins based on GeoFeasibility: it flags anomalies based on the travel speed a pair of logins would require, the distance between them, hostname changes, ASN changes, VPN client changes, and similar indicators.
Organizations need their users to connect to internal systems from many locations, and attackers who obtain stolen employee credentials can use that same access path; such a malicious login is difficult to distinguish from a legitimate one.
GeoFeasibility works from the location where the user initiated each login. For example, a user who connects to a VPN from New York at 13:00 cannot connect to the same VPN from Australia five minutes later.
According to FireEye, GeoLogonalyzer estimates the location each login originated from using data such as MaxMind's free GeoIP database. Combined with the login timestamps, this lets analysts determine whether it was physically possible for the user to have traveled between the two locations.
For example, the first user, Meghan, "logged on from New York City, New York on 2017-11-24 at 10:00:00 UTC and then logged on from Los Angeles, California 10 hours later on 2017-11-24 at 20:00:00 UTC, that is roughly a 2,450 mile change over 10 hours. Meghan's login source change can be normalized to 245 miles per hour which is reasonable through commercial airline travel."
If a second user account, Harry, "logged on from Dallas, Texas on 2017-11-25 at 17:00:00 UTC and then logged on from Sydney, Australia two hours later on 2017-11-25 at 19:00:00 UTC, that is roughly an 8,500-mile change over two hours. Harry's logon source change can be normalized to 4,250 miles per hour, which is likely infeasible with modern travel technology."
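The two FireEye scenarios above can be reproduced with a small GeoFeasibility check. The script below is an added illustration written for this article, not code from the GeoLogonalyzer project: it replaces the MaxMind GeoIP lookup with hard-coded, approximate city coordinates (constructed sample data), computes the great-circle distance between consecutive logins of the same user with the haversine formula, and flags any pair whose implied speed exceeds an assumed 600 mph ceiling for commercial air travel. The `MAX_FEASIBLE_MPH` threshold and the `Logon` record layout are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List

EARTH_RADIUS_MILES = 3958.8
# Assumed ceiling for legitimate travel between two logins (roughly a
# commercial airliner's cruising speed). Not a value from the GeoLogonalyzer project.
MAX_FEASIBLE_MPH = 600.0


@dataclass
class Logon:
    """One authentication event after geolocation (coordinates stand in for a GeoIP lookup)."""
    user: str
    timestamp: datetime
    lat: float
    lon: float
    place: str


def haversine_miles(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in miles between two latitude/longitude points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(a))


def evaluate_pair(prev: Logon, cur: Logon) -> Dict[str, object]:
    """Compare two consecutive logins for one user and decide if the travel was feasible."""
    hours = (cur.timestamp - prev.timestamp).total_seconds() / 3600.0
    miles = haversine_miles(prev.lat, prev.lon, cur.lat, cur.lon)
    if miles == 0.0:
        mph = 0.0                      # same location: no travel needed
    elif hours <= 0.0:
        mph = float("inf")             # simultaneous (or out-of-order) logins from different places
    else:
        mph = miles / hours
    return {
        "user": cur.user,
        "from": prev.place,
        "to": cur.place,
        "miles": round(miles),
        "hours": round(hours, 2),
        "mph": round(mph, 1),
        "feasible": mph <= MAX_FEASIBLE_MPH,
    }


def analyze(logons: List[Logon]) -> List[Dict[str, object]]:
    """Group logins by user, order them by time, and evaluate every consecutive pair."""
    by_user: Dict[str, List[Logon]] = {}
    for entry in logons:
        by_user.setdefault(entry.user, []).append(entry)
    results = []
    for events in by_user.values():
        events.sort(key=lambda e: e.timestamp)
        for prev, cur in zip(events, events[1:]):
            results.append(evaluate_pair(prev, cur))
    return results


# Constructed sample data mirroring the article's two scenarios. Coordinates are
# approximate city centres, standing in for what a GeoIP database would return.
SAMPLE_LOGONS = [
    Logon("meghan", datetime(2017, 11, 24, 10, 0, 0), 40.7128, -74.0060, "New York City, NY"),
    Logon("meghan", datetime(2017, 11, 24, 20, 0, 0), 34.0522, -118.2437, "Los Angeles, CA"),
    Logon("harry", datetime(2017, 11, 25, 17, 0, 0), 32.7767, -96.7970, "Dallas, TX"),
    Logon("harry", datetime(2017, 11, 25, 19, 0, 0), -33.8688, 151.2093, "Sydney, Australia"),
]

if __name__ == "__main__":
    for r in analyze(SAMPLE_LOGONS):
        verdict = "OK" if r["feasible"] else "INFEASIBLE"
        print(f"{verdict:10} {r['user']}: {r['from']} -> {r['to']} "
              f"{r['miles']} mi in {r['hours']} h = {r['mph']} mph")
```

Run as-is, the script reports Meghan's New York to Los Angeles hop as feasible (about 2,450 miles in 10 hours, roughly 245 mph) and Harry's Dallas to Sydney hop as infeasible (about 8,500 miles in 2 hours, over 4,000 mph). The threshold is deliberately a single constant so a team can tune it against its own travel patterns; the same pairwise loop is where hostname, ASN or VPN client comparisons would be added to cover the other anomaly types the article lists.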
Here is an example of GeoLogonalyzer logs.
Analysts can also use GeoLogonalyzer to flag login requests from countries or regions where the organization does no business and has no employees, from data center address space, and by username, unapproved VPN client, or hostname.
GeoLogonalyzer relies on open source data to determine whether a source address belongs to a cloud hosting provider. Use of VPNs or other tunneling services may create false positives, since the observed source location is the tunnel endpoint rather than the user's real location. GeoLogonalyzer can be downloaded from GitHub.