Suspicious Activity Monitoring for UW NetID Login Service

This documents the procedure for monitoring suspicious activity of the UW Web Initial Sign-on.

Note: The below assumes contact and explanation from the ISP will halt the below process at any phase or step. The noted IP will be added to a list of confirmed hosts excluding the IP from further analysis.

  1. Each day, monitor the 3 day summary mailed "WebISO Activity Report" for IPs/hosts exceeding the Warning or Critical thresholds for either successful logins, failed logins or both. E-mail "request for explanation regarding suspicious activity" notice to each one of these hosts that have not already been confirmed or explained as legitimate. Log detail showing the questionable activity will be attached as a .txt file. Information about what threshold value triggered our communication will also be included.

  2. If "request for explanation" notice is not acknowledged within 7 days a second notice, the "threat to suspend connection notice", should be sent containing the same information detailed in step 1, but clearly stating blocking action will be scheduled on the stated IPs/hosts if notice is not acknowledged within the week.

  3. Assuming no contact within an additional 7 days, send a final notice, "connection suspension scheduled" . A date on which the IP will be blocked will be clearly stated in the communication as 7 days after the final notice send date.

  4. Assuming no contact, process blocking of the necessary IPs. Initially this will be accomplished with firewall filters on the login host(s). It may be necessary to block whole subnets, specifically for overseas IPs. Subnet blocking will be evaluated on a case by case basis.

  5. Help Desk escalations of support related to host blocking should be investigated but generally considered an indication of legitimate activity. If deemed legitimate the host firewall should be removed and the IP added to the safe list. We should make an attempt to communicate with the user escalating for support to determine what they were doing/where they were at the time for our record keeping, but that should not be required.

  6. If we receive no contact ( ie, silence ) from an ISP or any users after an IP/host is blocked we should consider that suspicious and at this point, and only at this point, refer the host to abuse@wisc.edu. No specific action will be requested from Security rather we will notify them that, for a specific host, the above actions have been executed. Security can take action or not as they deem appropriate.