DEV Community

Tomas for Bunko Security

Posted on • Originally published at bunko.dev

Detecting suspicious login activity

In today's world, security is one of the most important components of any modern application. To keep cyber threats at bay and keep users engaging with an application, application protection and risk management measures must be implemented. As the Internet develops and innovates, cybersecurity risks are becoming more commonplace. Common examples of these risks include Account Takeover (ATO), spamming and phishing, eavesdropping, Distributed Denial of Service (DDoS) attacks and so on.

Cybersecurity risks are a very serious issue, particularly in enterprise software applications that handle sensitive user data such as financial information, passwords, biometric information and so on.

Businesses typically suffer significant and drastic consequences from security breaches, including legal issues, customer loss and reputational damage, among others. In response to this trend of increasing cyber threats, businesses and organizations are implementing preventive security measures to mitigate and eliminate the impact of these vulnerabilities. This article will examine and discuss one such security measure, used to detect suspicious login activity in a user's account.

Impossible travel detection is a login security measure that determines whether a user's login is genuine by comparing the user's last known location with the location from which the new login attempt is initiated, and checking whether the distance could plausibly have been covered in the time between the two.

For example, suppose a user's last login was made in San Francisco, and two hours later there's an attempt to log into the same account from Paris. A system that utilizes impossible travel detection will raise an alert for a potential security breach, since it's nearly impossible for the user to have reached Paris in just two hours. Impossible travel detection uses metrics such as the user's geolocation, IP address, user agent and device to analyze and determine whether a login activity is legitimate.
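To make the San Francisco to Paris scenario concrete, here is an added example (not code from the original post, and not Datadog's rule implementation) of the calculation an impossible travel check performs: great-circle distance between the last and current login locations, divided by the elapsed time, compared against a maximum plausible speed. It also shows the two edge cases a real implementation has to decide on, a user with no prior login (no baseline to compare against) and two distant logins with the same timestamp, plus a trusted-IP suppression list for known VPN egress addresses. All function names, thresholds, users, IP addresses (from the documentation ranges 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24) and coordinates are constructed for the example.

```javascript
// Added example, not part of the original post. Evaluates login events
// for impossible travel using the haversine great-circle distance.
// All users, IPs, timestamps and thresholds below are constructed.

const EARTH_RADIUS_KM = 6371;
const MAX_PLAUSIBLE_SPEED_KMH = 1000; // faster than this is treated as impossible
const GEO_JITTER_KM = 50;             // IP geolocation is coarse; ignore small moves

function toRadians(deg) {
  return (deg * Math.PI) / 180;
}

// Great-circle distance in km between two { lat, lon } points (haversine formula).
function haversineKm(a, b) {
  const dLat = toRadians(b.lat - a.lat);
  const dLon = toRadians(b.lon - a.lon);
  const h =
    Math.sin(dLat / 2) ** 2 +
    Math.cos(toRadians(a.lat)) * Math.cos(toRadians(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * EARTH_RADIUS_KM * Math.asin(Math.sqrt(h));
}

// Compare a new login with the user's last known login.
// Returns { suspicious, reason, distanceKm, speedKmh }.
function evaluateLogin(lastLogin, newLogin, options = {}) {
  const maxSpeedKmh = options.maxSpeedKmh ?? MAX_PLAUSIBLE_SPEED_KMH;
  const trustedIps = options.trustedIps ?? new Set();
  const base = { suspicious: false, distanceKm: 0, speedKmh: 0 };

  // First login we have seen for this user: nothing to compare against.
  if (!lastLogin) return { ...base, reason: "no-baseline" };

  // Suppression list, e.g. a company VPN egress address that would
  // otherwise look like a jump of thousands of km.
  if (trustedIps.has(newLogin.ip)) return { ...base, reason: "trusted-ip" };

  const distanceKm = haversineKm(lastLogin.geo, newLogin.geo);
  if (distanceKm < GEO_JITTER_KM) return { ...base, distanceKm, reason: "same-area" };

  const elapsedHours = (newLogin.timestamp - lastLogin.timestamp) / 3_600_000;
  // Same timestamp but far apart: no amount of speed explains it.
  if (elapsedHours <= 0) {
    return { suspicious: true, distanceKm, speedKmh: Infinity, reason: "concurrent-distant-logins" };
  }

  const speedKmh = distanceKm / elapsedHours;
  const suspicious = speedKmh > maxSpeedKmh;
  return { suspicious, distanceKm, speedKmh, reason: suspicious ? "impossible-travel" : "plausible-travel" };
}

// Run a batch of login events (oldest first) and collect signals,
// keeping the most recent login per user as the next baseline.
function detectImpossibleTravel(events, options = {}) {
  const lastByUser = new Map();
  const signals = [];
  const ordered = [...events].sort((a, b) => a.timestamp - b.timestamp);
  for (const ev of ordered) {
    const result = evaluateLogin(lastByUser.get(ev.user), ev, options);
    if (result.suspicious) signals.push({ user: ev.user, ip: ev.ip, ...result });
    lastByUser.set(ev.user, ev);
  }
  return signals;
}

// Constructed sample login events (approximate city coordinates).
const SF = { lat: 37.7749, lon: -122.4194 };
const PARIS = { lat: 48.8566, lon: 2.3522 };
const LA = { lat: 34.0522, lon: -118.2437 };
const T0 = Date.UTC(2024, 0, 1, 9, 0);
const sampleLogins = [
  { user: "alice", ip: "203.0.113.10", geo: SF, timestamp: T0 },
  { user: "alice", ip: "198.51.100.7", geo: PARIS, timestamp: T0 + 2 * 3_600_000 }, // SF -> Paris in 2h
  { user: "bob", ip: "203.0.113.11", geo: SF, timestamp: T0 },
  { user: "bob", ip: "203.0.113.12", geo: LA, timestamp: T0 + 2 * 3_600_000 },      // SF -> LA in 2h
  { user: "carol", ip: "203.0.113.13", geo: SF, timestamp: T0 },
  { user: "carol", ip: "192.0.2.50", geo: PARIS, timestamp: T0 + 2 * 3_600_000 },   // via trusted VPN egress
];

// Demo run: with the VPN address trusted, only alice is flagged.
const demoSignals = detectImpossibleTravel(sampleLogins, { trustedIps: new Set(["192.0.2.50"]) });
for (const s of demoSignals) {
  console.log(`${s.user} from ${s.ip}: ${s.reason} (${s.distanceKm.toFixed(0)} km, ${s.speedKmh.toFixed(0)} km/h)`);
}
```

Running the block prints one signal for alice (roughly 8950 km at about 4480 km/h), while bob's San Francisco to Los Angeles hop (about 560 km) is well within the speed limit and carol's jump is suppressed by the trusted-IP list. Without the `trustedIps` option, carol would be flagged too, which is exactly the VPN false positive discussed at the end of the post; the suppression list is the place to encode known-benign egress addresses rather than raising the speed threshold for everyone.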

In this article, we'll explore how you can implement suspicious login detection in a Node.js app authenticated with Auth0 using Datadog impossible travel detection rules.

Setting up a demo application with Auth0

To get started, we'll set up an example Auth0 authenticated app in Express and Node.js to demonstrate how to detect suspicious login attempts with Datadog.

For the uninitiated, Auth0 is an easy-to-implement authentication and authorization as a service platform. It lets you implement authentication with multiple identity providers (such as Google, Facebook, Twitter, etc.) that support the OAuth 2.0 authorization protocol, log in users with username/password databases, and offer passwordless or multi-factor authentication, among other features.

The Auth0 docs include an already bootstrapped application that we can use to get started quickly. Visit the documentation page here, sign up and follow the instructions to set up a demo application in a few steps.

If you follow the instructions and everything works correctly, you should have an example application running on localhost:3000 as shown below.

Using Datadog to detect suspicious login activity

Datadog is a Cloud Monitoring as a Service platform that provides real-time monitoring of application servers and databases, services, performance metrics and security monitoring.

In this article, we'll use Datadog Cloud-based Security Information and Event Management (Cloud SIEM), a part of the Datadog Cloud Security Platform, to analyze logs and detect suspicious login attempts in the demo application from the previous section.

To begin using Datadog, you'll need to sign up for an account here to get a Pro trial that includes all premium features (including Cloud SIEM), and also install the Datadog Agent on your computer. The signup page has instructions to walk you through the installation process.

After you've completed signup and installed the Datadog Agent, navigate to Security > Cloud SIEM on your Datadog dashboard to configure streaming the logs from the Auth0 demo application to Datadog.

Click on Log sources and select auth0 in the list of sources to stream logs from, then click on Select API Key to copy your Datadog API Key.

Next, you'll see a set of instructions to help you integrate Auth0, which look like this:

  1. Log in to your Auth0 Dashboard
  2. Navigate to Monitoring > Streams
  3. Click Create Stream
  4. Select Datadog and enter a unique name for your new Datadog Event Stream
  5. On the next screen, provide the following settings for your Datadog Event Stream:
  6. API key: Enter
  7. Region: If you are in the Datadog EU site (app.datadoghq.eu), the Region should be EU, otherwise it should be the region you selected when signing up
  8. In Filter by Event Category, select all login events and all user/behavioral events
  9. Leave the Starting Cursor box unchecked
  10. Click Save

Now, when Auth0 writes the next tenant log, you’ll receive a copy of that log event in Datadog with the source and service set to auth0.

Next, click the Next: Notification button in the bottom right to create a notification rule on Datadog that will automatically notify you when detection rules are triggered.

The notification rule is created by default when you click the button, but you can customize the type of notification alerts you want to receive by clicking on Edit It First. This lets you choose the severity levels at which alerts should be signaled and who should be notified of them.


To confirm that everything works as expected, try logging in and out of the demo application, then go to Logs > Live Tail on your Datadog dashboard. You should see your Auth0 activity logs streamed to Datadog as shown in the image below:

The next step is to create detection rules on Datadog. Navigate to Security > Detection Rules on your Datadog dashboard.

Type auth0 in the search bar to filter detection rules, and make sure Impossible travel Auth0 login is enabled, as shown below:

Next, click on Impossible travel Auth0 login and you'll be taken to a Security & Configuration page where you can view the detection rules configured by default for detecting impossible travel activity. The page looks like the image below:

If you wish to edit the configuration options for the rule, click on the three-dots menu icon and select Edit default rule as shown below:

When you click on Edit default rule, you'll be taken to the Security & Configuration page to edit and update the detection rules.

Here are the configuration options available to fine-tune the detection rules for impossible travel:

  • Select a rule type - this section allows us to select a detection rule type and detection methods. For the detection rule type, we'll choose Log Detection (this is already selected by default for us by Datadog). For Detection methods we'll choose Impossible travel, which is also selected for us by default.
  • Define search queries - this section allows us to provide customized queries; the Preview section lets us define the time frame over which we want to monitor the logs
  • Exclude benign activities with suppression queries - this section allows us to create queries so that Datadog only generates a signal when there's a match, and suppression queries so that no signal is generated when any of them matches (for example, logins from a known corporate VPN address)
  • Set a rule case - the impossible travel detection method doesn't allow us to set a rule case as the options are already configured by default. However, we can choose who Datadog should notify when the rule is triggered.
  • Say what's happening - this section allows us to configure, in Markdown, the rule name that appears in the detection rules list view and a title for the Security Signal.

You can visit the documentation page here to learn more about fine-tuning log detection rules for impossible travel detection.

Ways to improve suspicious login detection systems

One of the best ways to protect your applications from cyberattacks is to have a high-quality login detection system in place. With one, you'll be able to identify suspicious login activity and stop it before damage is done.

Here are some suggestions that can help you mitigate security risks and vulnerabilities in your login detection systems:

  1. Utilize user-agent checking and IP address analysis to detect login attempts by malicious users. For example, you can block a login attempt or alert a user if a login attempt is made from a device or IP address they have never used before.
  2. Implement two-factor authentication for an extra layer of security.
  3. Encourage users to use strong passwords and change their passwords regularly.
  4. Limit the number of login attempts allowed per user, add a delay after each failed attempt, and lock the account out after several failed login attempts.
  5. Notify users of login attempts into their accounts through emails or text messages.
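Suggestions 1 and 4 above are the two that map directly onto application code, so here is an added example (not code from the original post or the demo application) of both as a small in-memory policy module for a Node.js app: a sliding-window counter of failed attempts that locks the account for a configurable period, and a per-user record of previously seen IP address and user-agent pairs that reports when a successful login comes from a combination the user has never used before, so the app can send the notification from suggestion 5. The function names, thresholds and sample values are constructed; note that the user agent is supplied by the client, so a "new device" result is a signal to alert on or step up authentication, not a proof of anything.

```javascript
// Added example, not part of the original post. In-memory login policy:
// failed-attempt lockout plus new device/IP detection. Names and values
// are constructed; a real deployment would persist this state in a store
// shared by all application instances.

const DEFAULTS = {
  maxFailedAttempts: 5,        // failures within the window before locking
  windowMs: 10 * 60 * 1000,    // sliding window for counting failures
  lockoutMs: 15 * 60 * 1000,   // how long the account stays locked
};

function createLoginGuard(config = {}) {
  const cfg = { ...DEFAULTS, ...config };
  const failures = new Map();     // user -> timestamps (ms) of recent failures
  const lockedUntil = new Map();  // user -> ms timestamp when the lockout ends
  const knownDevices = new Map(); // user -> Set of "ip|userAgent" fingerprints

  // Call before checking credentials. Refuses the attempt while locked.
  function checkAttempt(user, now = Date.now()) {
    const until = lockedUntil.get(user);
    if (until !== undefined) {
      if (now < until) return { allowed: false, reason: "locked-out", retryAfterMs: until - now };
      lockedUntil.delete(user); // lockout has expired
    }
    return { allowed: true, reason: "ok" };
  }

  // Call after a failed credential check. Locks once the window fills up.
  function recordFailure(user, now = Date.now()) {
    const recent = (failures.get(user) || []).filter((t) => now - t <= cfg.windowMs);
    recent.push(now);
    if (recent.length >= cfg.maxFailedAttempts) {
      lockedUntil.set(user, now + cfg.lockoutMs);
      failures.delete(user); // start counting fresh after the lockout ends
      return { locked: true, attemptsInWindow: recent.length, lockedUntilMs: now + cfg.lockoutMs };
    }
    failures.set(user, recent);
    return { locked: false, attemptsInWindow: recent.length };
  }

  // Call after a successful credential check. Clears failure state and
  // reports whether this IP/user-agent pair has been seen for the user.
  function recordSuccess(user, ip, userAgent, now = Date.now()) {
    failures.delete(user);
    lockedUntil.delete(user);
    const fingerprint = `${ip}|${userAgent}`;
    const seen = knownDevices.get(user);
    if (!seen) {
      // First login we have recorded: enrol silently rather than alert.
      knownDevices.set(user, new Set([fingerprint]));
      return { firstLogin: true, newDevice: false, at: now };
    }
    const newDevice = !seen.has(fingerprint);
    seen.add(fingerprint);
    return { firstLogin: false, newDevice, at: now };
  }

  return { checkAttempt, recordFailure, recordSuccess };
}

// Demo with constructed values: three quick failures lock the account.
const guard = createLoginGuard({ maxFailedAttempts: 3, windowMs: 60_000, lockoutMs: 300_000 });
const t0 = Date.UTC(2024, 0, 1, 9, 0);
guard.recordFailure("alice", t0);
guard.recordFailure("alice", t0 + 1_000);
const third = guard.recordFailure("alice", t0 + 2_000);
console.log("locked after third failure:", third.locked);
console.log("attempt during lockout:", guard.checkAttempt("alice", t0 + 3_000));
const login = guard.recordSuccess("alice", "203.0.113.10", "Mozilla/5.0 (constructed)", t0 + 400_000);
const later = guard.recordSuccess("alice", "198.51.100.7", "Mozilla/5.0 (constructed)", t0 + 401_000);
console.log("first login enrols device:", login.firstLogin, "| later login from new IP:", later.newDevice);
```

In an Express route you would call `checkAttempt` before verifying the password, `recordFailure` on a bad password, and `recordSuccess` afterwards, sending the user an email or text when `newDevice` is true. Counting failures in a sliding window rather than forever keeps a user from being locked out by a handful of typos spread over a day, while clearing the counter when the lockout begins avoids immediately re-locking the account on the first failure after it expires.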

Conclusion

In this article, we explored how you can build a system that detects suspicious login attempts using Datadog's Impossible Travel detection feature. We also discussed some common ways you can mitigate cyber risks and vulnerabilities in your suspicious login detection systems.

There is a constant threat of security breaches affecting businesses across all industries and sectors, and systems have been put in place to check and eliminate these threats. Although impossible travel detection is one method for detecting illegitimate activity in login security systems, the method is not entirely accurate or efficient.

For instance, a legitimate user may access your application through a Virtual Private Network (VPN) for various reasons, which can trigger detection rules by mistake if the VPN's IP address geolocates a thousand miles away from the user's last login location. False positives and inaccuracies of this nature suggest that more accurate and more efficient solutions are needed for a secure cyberspace.
