RA2003: Put Compromised Accounts On Monitoring
Summary
| ID | RA2003 |
|---|---|
| Brief Description | Put (potentially) compromised accounts on monitoring |
| Author | @atc_project |
| Creation Date | 2019/01/31 |
| Response Stage | Identification |
Description
Start monitoring for authentification attempts and all potentially harmful actions from (potentially) compromised accounts. Look for anomalies, unusual network connections, unusual geolocation/time of work, actions that were never executed before. Keep in touch with the real users and, in case of need, ask them if they executing some suspicious actions by themselves or not.