Why are There So Many Impossible Travels in MCAS?
Discern true and false positive impossible travels.
Analysts at CyberMSI have been noticing a significant increase in MCAS impossible travel alerts lately. At first it looked like a trend in information security incidents, but after looking into the alerts further they discovered that the increase in this alert type was due to false positives.
In this blog, we show how an analyst can go through an MCAS impossible travel alert to determine if it is a true or false positive. We will also discuss what happens during the investigation process that leads analysts to the conclusions that they draw.
Use Common Sense When Looking at IPs
Security analysts should have a basic understanding of networking concepts to help them identify false positives. In the example image below, the analyst was able to identify that “::1” is the IPv6 loopback address.
When a device reports the loopback address as its own address, the device was not connected to the network at the time the activity took place. The analyst can reasonably conclude that this is a false positive: MCAS did not recognize the loopback address as internal, which caused the impossible travel alert to fire.
Use “What is My IP” to Help Investigate
The website “https://whatismyipaddress.com/” is useful for looking up suspicious IP addresses found during an investigation. In the example image below, the analyst identified a suspicious IP address from Singapore that warranted a lookup.
After searching for the IP address, the analyst discovered that the suspicious IP address was a Microsoft Azure server. The analyst can reasonably conclude that MCAS did not recognize the address of this server that was being used at the time the cloud resources were accessed.
Consult Documentation for Other Cloud Services
MCAS can mistake VPN usage for impossible travel because it operates on location and address history. In the example images below, the analyst discovered some suspicious IP addresses from Atlanta, Georgia that set off an impossible travel alert.
After consulting the customer documentation and looking up the IP address, the analyst was able to determine that the user had a legitimate need to use the “Clouvider” service that set off the alert.
Analyze Alert to Find Malicious Activity
If the analyst is not able to make any reasonable conclusions after looking up information at their disposal, they can use context clues from the activity logs to see what happened during the impossible travel incident.
In the example image below, the analyst went through the activity and discovered that a “To Do List” was updated and a mundane email was sent out using Exchange. Neither of these activities seems malicious. This is not enough information to finish the investigation, but the analyst can use it when drawing conclusions about the incident.
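As an added example (not code from the CyberMSI post), the following Python helper applies the checks above to an alert's two IP addresses and its activity list: loopback or internal addresses, addresses inside documented provider or VPN ranges, and otherwise the activity context. The provider CIDRs and activity names are constructed placeholders, not real Azure or Clouvider ranges.

```python
import ipaddress
from dataclasses import dataclass, field

# Placeholder provider ranges (RFC 5737 documentation space), NOT real Azure or
# Clouvider ranges: replace with the provider's published ranges and the ranges
# recorded in the customer's documentation.
DOCUMENTED_PROVIDER_RANGES = {
    "Microsoft Azure (placeholder)": ipaddress.ip_network("203.0.113.0/24"),
    "Clouvider VPN (placeholder)": ipaddress.ip_network("198.51.100.0/24"),
}

# RFC 1918 / IPv6 ULA space: such an address has no geolocation, so it cannot
# legitimately anchor one leg of an "impossible travel".
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed activity names an analyst would treat as mundane.
MUNDANE_ACTIVITIES = {"ToDoListUpdate", "SendMail"}


@dataclass
class ImpossibleTravelAlert:
    user: str
    ip_a: str
    ip_b: str
    activities: list = field(default_factory=list)


def classify_ip(ip_str: str) -> str:
    """Label one alert IP the way the triage steps above do."""
    ip = ipaddress.ip_address(ip_str)
    if ip.is_loopback:  # "::1" or 127.x: no network location at all
        return "loopback"
    if ip.is_link_local or any(ip in net for net in INTERNAL_RANGES):
        return "internal"
    for provider, net in DOCUMENTED_PROVIDER_RANGES.items():
        if ip in net:
            return f"documented-provider:{provider}"
    return "unknown-public"


def triage(alert: ImpossibleTravelAlert) -> tuple:
    """Return (disposition, per-IP labels) for an impossible travel alert."""
    labels = [classify_ip(alert.ip_a), classify_ip(alert.ip_b)]
    if any(label in ("loopback", "internal") for label in labels):
        return "likely-false-positive", labels
    if any(label.startswith("documented-provider:") for label in labels):
        return "likely-false-positive", labels
    # Both IPs unexplained: activity context informs but does not close the case.
    if alert.activities and set(alert.activities) <= MUNDANE_ACTIVITIES:
        return "inconclusive-mundane-activity", labels
    return "escalate", labels
```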
We will continue to share best practices and lessons learned in future posts on MCAS investigations in customer environments. MCAS is likely to get better at recognizing IP address context over time, but until then analysts need to be able to discern true from false positive impossible travels using methods like these.
In closing, consider these three questions when handling MCAS impossible travels in your organization:
- Do our analysts know enough about networking concepts to handle investigating impossible travel incidents?
- Are procedures in place to help address the impossible travel issues associated with MCAS?
- Does our documentation include cloud services that could be causing this type of false positive incident?