Credential stuffing attack on Jumpcloud

Set up the jumpcloud integration.

Goal

Detect an account take over (ATO) through credential stuffing attack against a Jumpcloud account.

Strategy

To determine a successful attempt: Detect a high number of failed logins from at least seven unique users and at least one successful login for a user within a period of time from the same IP address.

To determine an unsuccessful attempt: Detect a high number of failed logins from at least seven unique users within a period of time from the same IP address.

Triage and response

  1. Determine if it is a legitimate attack or a false positive.
  2. Determine compromised users.
  3. Remediate compromised user accounts.