<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Workday - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/workday/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/workday/feed.xml" rel="self" type="application/rss+xml"/><item><title>Geographic Improbable Location Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-geographic-improbable-location/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-geographic-improbable-location/</guid><description>Detection of user logins originating from geographically distant locations within a short timeframe, indicative of potential Remote Employment Fraud or compromised credentials.</description><content:encoded><![CDATA[<p>This detection identifies &quot;improbable travel&quot; scenarios where a user logs in from two geographically distant locations within a short timeframe, suggesting potential Remote Employment Fraud (REF) or compromised credentials. The analysis focuses on login events for critical applications like Workday, Slack, GlobalProtect, Jira, Atlassian Cloud, and Zoom, using Okta logs as a primary data source. This technique is relevant because REF actors and credential thieves often operate from different locations than the legitimate user, and time zone/geographic inconsistencies can expose fraudulent activity. The detection considers factors like user's work country, travel speed, and distance between login locations to assess the risk. This helps defenders identify suspicious logins that bypass traditional security measures.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>User credentials compromised via phishing or other methods (not directly observed in this detection, but a common precursor).</li>
<li>Attacker establishes initial access from Location A, authenticating to a target application (e.g., Workday) via Okta.</li>
<li>A short time later (minutes to hours), the attacker attempts to access the same or a different application from Location B, potentially on the other side of the world.</li>
<li>The detection analyzes Okta logs and correlates login events based on the user ID, source IP, and timestamp.</li>
<li>Geolocation data (latitude, longitude) is obtained for both login locations based on the source IP addresses.</li>
<li>The distance and travel speed between the two locations are calculated.</li>
<li>If the calculated speed exceeds a defined threshold (e.g., 500 km/h) and distance exceeds a defined threshold (e.g., 750 km), the activity is flagged as suspicious.</li>
<li>The user's work country is compared to the login locations to further assess the risk. If the login locations do not match the user's expected work location, the risk score is increased.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this technique can lead to unauthorized access to sensitive corporate resources, data exfiltration, and financial fraud. Compromised accounts used for Remote Employment Fraud can result in financial losses and reputational damage. While the exact number of victims and sectors targeted are not explicitly mentioned in the source, this type of attack can affect organizations of any size in any sector. A successful attack can result in significant financial losses and legal liabilities.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Geographic Improbable Location</code> to your SIEM, ensuring it is tuned to account for legitimate VPN usage and remote work scenarios.</li>
<li>Investigate any alerts generated by the <code>Geographic Improbable Location</code> rule, focusing on users with high-value accounts and access to sensitive data.</li>
<li>Utilize the <code>known_devices_public_ip_filter.csv</code> lookup table (mentioned in the &quot;how_to_implement&quot; section) to exclude known and trusted devices from the detection logic.</li>
<li>Monitor Okta logs for failed login attempts preceding improbable travel events to identify potential credential compromise attempts.</li>
<li>Implement multi-factor authentication (MFA) for all users to reduce the risk of credential compromise.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>remote-employment-fraud</category><category>credential-compromise</category><category>okta</category></item></channel></rss>