Title | Put compromised accounts on monitoring |
---|---|
ID | RA2003 |
Description | Put (potentially) compromised accounts on monitoring |
Author | @atc_project |
Creation Date | 2019/01/31 |
Category | General |
Stage | RS0002: Identification |

Workflow

Start monitoring for authentication attempts and all potentially harmful actions from (potentially) compromised accounts.

Look for anomalies, unusual network connections, unusual geolocation/time of work, actions that were never executed before.

Keep in touch with the real users and, if needed, ask them whether they performed the suspicious actions themselves.
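
One way to implement the watchlist check described in the workflow, as an added example that is not part of the original Response Action or the project's own code. The event format (timestamp, account, source country, action), the account names and the sample events are constructed assumptions; "time of work" is approximated as the range of hours seen in the account's history.

```python
from datetime import datetime

# Constructed sample data: (ISO timestamp, account, source country, action)
HISTORY = [
    ("2019-01-21T09:12:00", "alice", "DE", "login"),
    ("2019-01-21T09:40:00", "alice", "DE", "read_mail"),
    ("2019-01-22T17:05:00", "alice", "DE", "login"),
]
NEW_EVENTS = [
    ("2019-01-31T10:02:00", "alice", "DE", "login"),
    ("2019-01-31T03:14:00", "alice", "BR", "login"),
    ("2019-01-31T11:20:00", "alice", "DE", "create_mail_forward_rule"),
    ("2019-01-31T03:30:00", "bob", "US", "login"),
]
WATCHLIST = {"alice"}  # (potentially) compromised accounts put on monitoring

def build_baseline(history):
    """Record, per account, the countries, actions and hours of day seen before."""
    base = {}
    for ts, account, country, action in history:
        p = base.setdefault(account, {"countries": set(), "actions": set(), "hours": set()})
        p["countries"].add(country)
        p["actions"].add(action)
        p["hours"].add(datetime.fromisoformat(ts).hour)
    return base

def review(events, baseline, watchlist):
    """Return (event, reasons) for each watchlisted event that deviates from baseline."""
    findings = []
    for event in events:
        ts, account, country, action = event
        if account not in watchlist:
            continue
        profile = baseline.get(account)
        if profile is None:  # nothing to compare against: surface for manual review
            findings.append((event, ["no baseline for account"]))
            continue
        hour = datetime.fromisoformat(ts).hour
        reasons = []
        if country not in profile["countries"]:
            reasons.append("new geolocation")
        if not min(profile["hours"]) <= hour <= max(profile["hours"]):
            reasons.append("outside usual working hours")
        if action not in profile["actions"]:
            reasons.append("action never executed before")
        if reasons:
            findings.append((event, reasons))
    return findings
```

Calling `review(NEW_EVENTS, build_baseline(HISTORY), WATCHLIST)` returns the two deviating `alice` events with their reasons; these are the items to raise with the real user.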