Impossible Travel
closed
Rich Mozeleski
Impossible travel detections were an early consideration for the product but we found them to have far too high of a rate of false positives to serve much value.
We treat impossible travel events as a symptom of session token theft and credential theft and we attempt to detect account takeovers via functionality that more directly targets this tradecraft.
Jacob Wiley
Rich Mozeleski: Is Huntress completely ignoring impossible travel events, or do they contribute to some internal score that Huntress considers?
Are there any plans to make the events available for partners to investigate if they are interested? I watched Huntress's webinar on this as I realize it's hard to do but there are some instances of impossible travel that are clearly an account compromise. Huntress just giving up on the whole thing doesn't sit right.
Damien Mallon
This needs to be added as a matter of urgency. Adversary-in-the-middle attacks, where a session cookie/token is stolen and then used to authenticate from a different location, are causing havoc, even though 2FA is enabled in O365.
PT
My understanding is that improbable travel is ingested as contextual alerts, but they do not constitute a lockout on their own due to the high number of reasons an account may appear to look like improbable travel. There must be other contextual alerts to tag along with it such as a forwarding rule or a suspicious app registration.
Craig Irvin
In terms of feedback on this feature, keep in mind those who operate services that include remote desktop, where a person could be seen in two different places at the same time. For instance, we have customers in Missouri accessing resources in Virginia; their Office 365 logins can and do show them logged in from both places.
NW
It must be working as we got a customer account locked out today for this very reason.
Justin Wood
NW: I don't think it is. I had an incident last week where another platform was flagging accounts for impossible travel that I had to investigate and Huntress didn't flag anything. Others have commented here with similar feedback. If it is implemented, it would be great to get an official response from Huntress on how it works to put our minds at ease.
NW
Justin Wood: I agree.
I think Huntress only reports if the account is successfully logged into, which lowers false positives.
That was the case in my instance.
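The detection logic the posters describe (velocity between consecutive sign-ins, only successful sign-ins counted, known remote-desktop sites suppressed, and escalation only when a contextual signal such as a forwarding rule or app registration is also present) as a worked example. This is added illustration code, not Huntress's implementation; the sign-in events, egress labels, signal names and the 900 km/h threshold are all constructed assumptions.

```python
"""Velocity-based impossible-travel check with contextual scoring.

Added example, not Huntress code. All events, egress labels and signal
names below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, FrozenSet, Iterable, List, Optional

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumption: roughly airliner speed; faster is "impossible"


@dataclass(frozen=True)
class SignIn:
    user: str
    time: datetime
    lat: float
    lon: float
    success: bool
    egress: str  # label of the source network (assumed geolocated upstream)


@dataclass(frozen=True)
class Finding:
    user: str
    path: str
    speed_kmh: float
    severity: str  # "contextual" on its own, "escalate" when corroborated


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two coordinates in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def _speed_kmh(prev: SignIn, cur: SignIn) -> float:
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.time - prev.time).total_seconds() / 3600.0
    if hours <= 0:
        # Simultaneous sign-ins from different places are treated as infinite speed.
        return float("inf") if dist > 0 else 0.0
    return dist / hours


def triage(events: Iterable[SignIn],
           signals: Dict[str, List[str]],
           known_egress: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Flag impossible travel between consecutive successful sign-ins per user.

    - Failed sign-ins are ignored (they never prove a takeover on their own).
    - Pairs involving a known hosted/remote-desktop egress are suppressed, which
      covers the "laptop in Missouri, RDS host in Virginia" pattern.
    - A finding is only escalated when the user also has a contextual signal
      (e.g. a new inbox forwarding rule or an app consent); otherwise it is
      recorded as contextual evidence.
    """
    findings: List[Finding] = []
    last: Dict[str, SignIn] = {}
    for ev in sorted(events, key=lambda e: e.time):
        if not ev.success:
            continue
        prev: Optional[SignIn] = last.get(ev.user)
        last[ev.user] = ev
        if prev is None or prev.egress == ev.egress:
            continue
        if prev.egress in known_egress or ev.egress in known_egress:
            continue
        speed = _speed_kmh(prev, ev)
        if speed <= MAX_PLAUSIBLE_KMH:
            continue
        severity = "escalate" if signals.get(ev.user) else "contextual"
        findings.append(Finding(ev.user, f"{prev.egress}->{ev.egress}", speed, severity))
    return findings


# Constructed sample data (assumption: coordinates come from an upstream geo lookup).
_T = lambda h, m: datetime(2024, 5, 1, h, m, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    SignIn("alice", _T(10, 0), 41.88, -87.63, True, "home-chicago"),
    SignIn("alice", _T(10, 30), 52.37, 4.90, True, "vps-amsterdam"),   # token replayed abroad
    SignIn("bob", _T(9, 0), 39.10, -94.58, True, "home-kansascity"),
    SignIn("bob", _T(9, 5), 38.95, -77.45, True, "rds-virginia"),       # remote desktop host
    SignIn("carol", _T(11, 0), 40.71, -74.01, True, "office-nyc"),
    SignIn("carol", _T(11, 10), 51.51, -0.13, False, "unknown-london"),  # failed, ignored
    SignIn("carol", _T(11, 20), 40.71, -74.01, True, "office-nyc"),
    SignIn("dave", _T(12, 0), 40.71, -74.01, True, "office-nyc"),
    SignIn("dave", _T(12, 10), 51.51, -0.13, True, "unknown-london"),    # no corroboration
]
SAMPLE_SIGNALS = {"alice": ["inbox_forwarding_rule_created"]}
KNOWN_EGRESS = frozenset({"rds-virginia"})

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, SAMPLE_SIGNALS, KNOWN_EGRESS):
        print(f"{f.user}: {f.path} at {f.speed_kmh:,.0f} km/h -> {f.severity}")
```

Running the block reports alice as an escalation (impossible velocity plus a forwarding rule) and dave as contextual only; bob is suppressed by the known remote-desktop egress and carol is never flagged because her foreign sign-in failed.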
Alex Perrot
This really is a must for us. We had an account compromised this week, and our other security product alerted us due to the location of the logins. Huntress reported everything normal/no issue. Disappointing to say the least.
Pascal Lavoie
Alex Perrot: Same deal for us last week.
James
Yes please. This really should have been part of the initial release.