Hello CheckMates,
Recently we were reviewing some endpoint logs for a white-hat phishing campaign that was being performed on one of our customers. Apparently the group was able to acquire a lot of domain credentials even though Anti-Phishing was on in prevent. Upon further research, the endpoint performed flawlessly, because everything that was protected by Check Point was prevented. However, this didn't stop the users from going to their mobile phones and entering their domain creds. That was an eye-opener for the client.
However, while we were in there investigating, we noticed a few users that were reusing corporate credentials. We get a weekly report from Check Point that shows critical blocks/detects, the noisiest systems, how many times this or that happened, and a lot of "high risk" stuff. But what about the other things that slide under the radar?
My question is this. If you paste ("Corporate password%") into the endpoint log, you will see all of the people that attempted to or actually did use internal credentials on external sites. This clearly would draw some concern and maybe even require a chat with the end user about best practices, additional training, etc. What other valuable queries like that are there that provide visibility and value to an endpoint administrator, other than the TOP 10 or the most-critical canned reports?
Does anyone else have any favorites they use for endpoint?
Thanks,
Paul
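The kind of query Paul describes, run offline over an exported log, as an added example (this is not code from the post, from Check Point, or from any CheckMates reply). The log format, field names (`user`, `protection_name`, `action`, `dst_host`) and the sample events are all constructed for this illustration; a real Harmony Endpoint export will have different field names, so map them before reusing this. The script takes the same `%`-style wildcard as the post's search string, pulls every credential-reuse event, and then goes one step beyond the raw hit list by grouping per user and separating "prevented" from "detected" (i.e. the credential actually went out), which is what decides who gets the best-practices chat:

```python
import re
from collections import defaultdict

# Constructed sample of an endpoint log export (NOT real Check Point output;
# the line format, field names and values are assumptions for this example).
SAMPLE_LOG = """\
time=2023-05-01T09:12:03 user=jdoe blade="Anti-Phishing" protection_name="Corporate password reuse" action=Prevent dst_host=login.webmail-example.net
time=2023-05-01T09:15:44 user=jdoe blade="Anti-Phishing" protection_name="Corporate password reuse" action=Detect dst_host=forum.example.org
time=2023-05-01T10:02:11 user=asmith blade="Anti-Phishing" protection_name="Corporate password reuse" action=Prevent dst_host=shop.example.com
time=2023-05-01T10:30:59 user=asmith blade="Anti-Phishing" protection_name="Phishing site" action=Prevent dst_host=secure-login.example.net
time=2023-05-01T11:45:20 user=bwong blade="Anti-Malware" protection_name="Trojan.Generic" action=Prevent dst_host=-
time=2023-05-02T08:05:37 user=jdoe blade="Anti-Phishing" protection_name="Corporate password reuse" action=Prevent dst_host=login.webmail-example.net
"""

# key=value pairs; values may be double-quoted when they contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(text):
    """Turn each key=value line into a dict; quoted values lose their quotes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        events.append({k: v.strip('"') for k, v in FIELD_RE.findall(line)})
    return events


def wildcard_to_regex(pattern):
    """Translate a '%' wildcard pattern (as typed into the log search) to a
    case-insensitive, anchored regex: 'Corporate password%' -> ^Corporate\\ password.*$"""
    parts = [re.escape(p) for p in pattern.split("%")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def query(events, field, pattern):
    """Return the events whose `field` matches the wildcard pattern."""
    rx = wildcard_to_regex(pattern)
    return [e for e in events if rx.match(e.get(field, ""))]


def summarize_by_user(events):
    """Per user: how many events were prevented vs. only detected, and where
    the corporate credential was (or would have been) sent."""
    summary = defaultdict(lambda: {"prevent": 0, "detect": 0, "other": 0, "hosts": set()})
    for e in events:
        row = summary[e["user"]]
        action = e.get("action", "").lower()
        row[action if action in ("prevent", "detect") else "other"] += 1
        row["hosts"].add(e.get("dst_host", "?"))
    # Freeze the host sets so results are stable and easy to assert on.
    return {
        user: {"prevent": r["prevent"], "detect": r["detect"],
               "other": r["other"], "hosts": sorted(r["hosts"])}
        for user, r in summary.items()
    }


def follow_up_list(summary, prevent_threshold=2):
    """Users worth a conversation: any Detect (the credential actually left the
    endpoint) or repeated Prevents (a habit rather than a one-off slip)."""
    return sorted(
        user for user, r in summary.items()
        if r["detect"] > 0 or r["prevent"] >= prevent_threshold
    )


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    hits = query(events, "protection_name", "Corporate password%")
    per_user = summarize_by_user(hits)
    for user, row in sorted(per_user.items()):
        print(f"{user:8} prevent={row['prevent']} detect={row['detect']} "
              f"hosts={', '.join(row['hosts'])}")
    print("follow up with:", ", ".join(follow_up_list(per_user)))
```

The `query()` step alone reproduces the hit list Paul gets from the console search; the per-user summary is the part the canned Top-10 report does not give you, since a single "Detect" against an external login page matters more than a dozen prevented attempts, and a host that shows up repeatedly for one user is a strong hint the credential is stored in that site's account.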