I have a request that asks that we monitor for a specific set of passwords that are utilized by a known group of ransomware operators. The SOC would like to get alerted whenever this specific set is utilized.
The problem that I run into is that I checked all of the passwords and most of them are in the Have I Been Pwned DB that we reference, and also are part of the custom dictionary that we have. So they get blocked automatically. When I try to create a policy that only has this specific set of passwords, I'm not finding a solution.
My best bet is to create a new policy, add the passwords into the "block if contains defined text" box, and alert the team when they are used. But I don't think that is the best way. I'm thinking that we just add the passwords into the custom dictionary, but that doesn't make it easy to alert on them when they are used. Any help or guidance would be appreciated.
Thanks,
JP
Hi Jay - A separate policy, as you mention, is the only solution I see, as the HIBP dataset and the custom dictionary are shared by all policies. With a separate policy (rather than an additional registration in the same policy) you can configure email alerts for this policy, so when one of the password change attempts matches entries in the "contains defined text" box folks are notified w/o seeing emails due to other EPE policies. Further, you can check the "capture rejected password" option so you can see exactly what PW string the user entered. That is helpful if you are also checking the character substitution, case sensitive or reverse order options, in combination with using "recent events" or "investigate" to review activity.
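To make the answer above concrete, here is an added example (not code from the thread or from the product being discussed) that models the matching options it names: a "contains defined text" watchlist checked with character substitution, case sensitivity and reverse order, producing an alert record for the SOC. The watchlist entries, the user names and the policy name are constructed placeholders; the leet-style substitution table is an assumption about what "character substitution" covers. By default the alert carries only a SHA-256 of the rejected string, and the plaintext is included only when the equivalent of the "capture rejected password" option is turned on.

```python
"""Model of a 'block if contains defined text' password policy with SOC alerting.

Added example, not the product's own logic. Watchlist entries and users are constructed.
"""
from dataclasses import dataclass
import hashlib

# Assumed character-substitution table: reversing common leet swaps so that
# "L0ck3rDem0" normalises to "lockerdemo" before the contains-check.
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                          "3": "e", "4": "a", "5": "s", "7": "t"})

# Constructed watchlist standing in for the operator-specific strings in the thread.
WATCHLIST = ["lockerdemo", "examplecrew"]


@dataclass(frozen=True)
class PolicyOptions:
    """Mirrors the three matching options mentioned in the answer."""
    case_sensitive: bool = False
    character_substitution: bool = True
    reverse_order: bool = True


def normalise(text: str, opts: PolicyOptions) -> str:
    """Apply the same normalisation to watchlist entries and candidates."""
    if opts.character_substitution:
        text = text.translate(LEET_MAP)
    if not opts.case_sensitive:
        text = text.lower()
    return text


def find_match(candidate: str, watchlist, opts: PolicyOptions):
    """Return (entry, match_type) for the first watchlist entry the candidate contains."""
    norm = normalise(candidate, opts)
    for entry in watchlist:
        e = normalise(entry, opts)
        if e in norm:
            return entry, "contains"
        if opts.reverse_order and e[::-1] in norm:
            return entry, "reverse"
    return None


def evaluate(user: str, candidate: str, watchlist, opts: PolicyOptions,
             capture_rejected: bool = False):
    """Evaluate a password-change attempt; return an alert dict on a hit, else None.

    The alert is what the separate policy's email notification would carry.
    The plaintext is only included when capture_rejected is set, mirroring the
    'capture rejected password' option; otherwise only a hash is recorded.
    """
    hit = find_match(candidate, watchlist, opts)
    if hit is None:
        return None
    entry, how = hit
    alert = {
        "user": user,
        "policy": "ransomware-watchlist",       # constructed policy name
        "matched_entry": entry,
        "match_type": how,
        "rejected_sha256": hashlib.sha256(candidate.encode()).hexdigest(),
    }
    if capture_rejected:
        alert["rejected_password"] = candidate
    return alert


if __name__ == "__main__":
    opts = PolicyOptions()
    for user, pw in [("alice", "L0ck3rDem0!"), ("bob", "xomedrekcol1"), ("carol", "Winter2024")]:
        print(user, evaluate(user, pw, WATCHLIST, opts, capture_rejected=True))
```

Running the block shows that the substituted form and the reversed form both trip the policy while an unrelated password passes, and that the alert only exposes the entered string when capture is explicitly enabled, which is the trade-off the answer points at when suggesting the capture option alongside "recent events" review.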
Hey Tony!! Ok, you confirmed my thoughts on how to go about this, thank you! I'll let you know how it goes, I am going to see about setting up some time next week to test with them and I'll report back.