Impossible Travel detectors (UEBA)


About Impossible Travel Detectors

"Impossible travel" is a form of cyber attack in which an unauthorized individual accesses a user's account from two geographically distant locations within an unreasonably short period of time. This activity typically indicates a security breach or a compromised account, because a human user could not plausibly have traveled between the two locations in the given timeframe.

The detection and prevention of impossible travel attacks are crucial to maintaining robust cybersecurity measures. Effective prevention strategies may include the implementation of multi-factor authentication protocols that require additional verification beyond simple login credentials, as well as the use of monitoring tools that can flag suspicious login activity.

Hunters’ Impossible Travel Detector

Detection Logic

Hunters’ Impossible Travel detector detects anomalous consecutive SaaS logins by the same user from two different IP addresses, where the traveling speed required to move between them is impossible in the observed time frame. Impossible travel may indicate that the logins were not made by the same person, and therefore that the user's account was compromised by a malicious actor.

Upon initiation, the detector establishes a benchmark of ‘approved’ geo-locations used regularly by each user. Once a new and suspicious login location is detected, the system examines whether travel from the user’s latest login location to the new one is possible or impossible.

📘 Note

The Impossible Travel detection logic will only consider successful logins in its calculation. Failed login attempts are considered to have low severity and so will be excluded.

Noise Reduction Methods

Due to the high volume of possible leads under the Impossible Travel category, Hunters implements a variety of methods designed to filter out noise and provide only the most valid leads for further investigation. A few of these methods:

  • Organizational IP filter - thanks to the ability to consolidate data points from several sources in the organization, Hunters can establish a list of familiar IP addresses across the organization. If both logins come from familiar IPs, these addresses are considered safe and do not generate a lead.
  • Proxy/VPN/NAT filter - IP addresses used by a relatively large number of users are considered proxy, VPN, or NAT addresses and do not generate a lead.
  • Username filter - Hunters filters out logins made by accounts that are not actually a person, for example numeric-value accounts used by Office365 or Okta AD service accounts. This is possible thanks to Hunters’ asset tagging capabilities.
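The detection logic and the three noise filters above, worked through as an added Python example (not Hunters' own code): the speed threshold, the shared-IP threshold, the organizational IP list, the `svc-` prefix standing in for asset tagging, and the login events are all constructed assumptions for illustration.

```python
import math
from collections import defaultdict
from datetime import datetime

MAX_SPEED_KMH = 1000      # assumption: faster than any commercial flight
SHARED_IP_USERS = 3       # assumption: an IP seen from this many users is proxy/VPN/NAT
ORG_IPS = {"203.0.113.10", "203.0.113.11"}   # constructed organizational IP list

# Constructed sample events: (user, UTC timestamp, source IP, lat, lon, success).
# Coordinates are rough city centres for New York (40.71,-74.01) and London (51.51,-0.13).
LOGINS = [
    ("alice", "2024-05-01T08:00:00", "203.0.113.10", 40.71, -74.01, True),
    ("alice", "2024-05-01T09:00:00", "198.51.100.7", 51.51, -0.13, True),    # London 1 h later: lead
    ("bob", "2024-05-01T08:00:00", "203.0.113.10", 40.71, -74.01, True),
    ("bob", "2024-05-01T08:30:00", "203.0.113.11", 51.51, -0.13, True),      # both org IPs: no lead
    ("carol", "2024-05-01T08:00:00", "192.0.2.5", 40.71, -74.01, True),
    ("carol", "2024-05-01T08:05:00", "192.0.2.6", 51.51, -0.13, False),      # failed login: ignored
    ("carol", "2024-05-01T20:00:00", "192.0.2.6", 51.51, -0.13, True),       # 12 h later: feasible
    ("svc-1234", "2024-05-01T08:00:00", "192.0.2.7", 40.71, -74.01, True),
    ("svc-1234", "2024-05-01T08:10:00", "192.0.2.8", 51.51, -0.13, True),    # non-human: ignored
    ("dave", "2024-05-01T08:00:00", "198.51.100.99", 40.71, -74.01, True),
    ("erin", "2024-05-01T08:01:00", "198.51.100.99", 40.71, -74.01, True),
    ("frank", "2024-05-01T08:02:00", "198.51.100.99", 40.71, -74.01, True),  # shared VPN egress
    ("dave", "2024-05-01T08:15:00", "192.0.2.9", 51.51, -0.13, True),        # filtered: shared IP
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in km."""
    dlat, dlon = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(math.radians(lat1)) * math.cos(math.radians(lat2)) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def impossible_travel_leads(logins):
    """(user, from_ip, to_ip, km, hours, kmh) for consecutive successful human logins above MAX_SPEED_KMH."""
    # Only successful logins by human accounts ('svc-' prefix stands in for asset tagging).
    ok = sorted((e for e in logins if e[5] and not e[0].startswith("svc-")), key=lambda e: e[1])
    ip_users, by_user = defaultdict(set), defaultdict(list)
    for e in ok:
        ip_users[e[2]].add(e[0])
        by_user[e[0]].append(e)
    shared = {ip for ip, users in ip_users.items() if len(users) >= SHARED_IP_USERS}
    leads = []
    for user, events in by_user.items():
        for prev, cur in zip(events, events[1:]):
            a, b = prev[2], cur[2]
            if a == b or {a, b} <= ORG_IPS or shared & {a, b}:   # org-IP and proxy/VPN/NAT filters
                continue
            km = haversine_km(prev[3], prev[4], cur[3], cur[4])
            hours = (datetime.fromisoformat(cur[1]) - datetime.fromisoformat(prev[1])).total_seconds() / 3600
            kmh = km / max(hours, 1 / 3600)   # floor at one second so same-instant logins still get a speed
            if kmh > MAX_SPEED_KMH:
                leads.append((user, a, b, round(km), round(hours, 2), round(kmh)))
    return leads
```

Only alice produces a lead here; bob is cleared by the organizational IP list, carol by the failed-login rule and a feasible 12-hour gap, svc-1234 by the username filter, and dave by the shared-IP filter.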

Investigation Recommendations

  • Check the IP's ASN:
    • Countries and cities the user rarely logs in from might be suspicious
    • Hosting providers not used by the organization (Cloudflare, OVH, etc.) might be suspicious, while hosting providers the organization uses, such as Google or Amazon, are most likely benign
    • An ISP that does not belong to the user's region
  • Ask the user whether they logged in from the specified locations