panther-labs / panther-analysis

Built-in Panther detection rules and policies
https://panther.com/
Apache License 2.0

Filter out Intelsat satellite network plane wifi from Impossible Travel #1358

Closed geoffg-sentry closed 1 month ago

geoffg-sentry commented 2 months ago

Background

Intelsat provides in-flight wifi for a number of airlines (American, Alaska, etc.) among other mobile services, but, like any ASN, it provides geographic information for a fixed spot on the globe. This leads to false positives when persons using in-flight wifi have login activity shortly before or after a login from in-flight. An example:

Changes

Adds a check on ipinfo_asn lookups and excludes Intelsat's ASN AS22351 from triggering the rule or being included in new_login_stats. Any additional satellite network ASNs identified can be added to the SATELLITE_NETWORK_ASNS constant.

Testing

ben-githubs commented 1 month ago

Hi Geoff, thanks for submitting! I've been reviewing your PR and I'm wondering why the current rule code doesn't satisfy your situation...

It appears that Intelsat gets identified by IPinfo as a VPN, and therefore the current code would not use it for any distance calculations in further events. (It does generate an alert, but the alert is INFO level and auto-dismissed, so it shouldn't generate any noise. The reason we still generate an alert for VPNs is in case the VPN designation was a mistake - you'll still have a record of the alert and the event details, if you review your alert history.)

Please let me know if there's something I'm not seeing!

geoffg-sentry commented 1 month ago

@ben-githubs It may be that not all of their subnets will return as VPN, and I have a few alerts that have triggered as High (the default severity). No errors in my table lookups for ipinfo_privacy either.

ben-githubs commented 1 month ago

That makes sense! I've adjusted the logic slightly to handle alerting/caching the same way the VPN check does, but it still uses is_satellite_network rather than relying on ipinfo_privacy. Lmk if you have any questions!
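To make the behaviour discussed in this thread concrete, here is an added, stand-alone Python sketch of an Impossible Travel style rule that applies the satellite-ASN filter from the PR description and, as ben-githubs describes, treats such logins the way the VPN check does: still raise an INFO alert as a record, but never feed the login's fixed geolocation into the per-user cache used for distance calculations. This is example code written for this page, not the panther-analysis rule itself. The enrichment paths (`p_enrichment.ipinfo_asn.<ip_field>.asn`, `p_enrichment.ipinfo_privacy.<ip_field>.vpn`, `p_enrichment.ipinfo_location.<ip_field>.lat/lng`), the `user` and `time` fields, the 900 km/h threshold, the `evaluate_login` / `run_scenario` helpers and all sample IPs and coordinates are assumptions or constructed values; only AS22351 (Intelsat) comes from the PR.

```python
import math

# Satellite-network ASNs treated like VPNs. AS22351 (Intelsat) is from the PR;
# extend the set as further satellite ASNs are identified.
SATELLITE_NETWORK_ASNS = {"AS22351"}
# Implied travel speed above which two logins are "impossible" (assumed value).
MAX_SPEED_KMH = 900.0


def deep_get(obj, *keys, default=None):
    """Walk nested dicts safely; return `default` if any key is missing."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def is_satellite_network(event, ip_field="ip"):
    # Assumed enrichment path; check it against your Panther schema.
    asn = deep_get(event, "p_enrichment", "ipinfo_asn", ip_field, "asn")
    return asn in SATELLITE_NETWORK_ASNS


def is_vpn(event, ip_field="ip"):
    # Assumed enrichment path for the IPinfo privacy dataset.
    return bool(deep_get(event, "p_enrichment", "ipinfo_privacy", ip_field, "vpn"))


def location(event, ip_field="ip"):
    loc = deep_get(event, "p_enrichment", "ipinfo_location", ip_field, default={})
    return float(loc["lat"]), float(loc["lng"])


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lng points."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def evaluate_login(event, cache):
    """Return the rule decision for one login and update `cache` in place.

    `cache` maps user -> last trusted login {"loc", "time"}. VPN and
    satellite-network logins still yield an INFO alert (a record in case the
    classification is wrong) but are never stored, so their fixed geolocation
    cannot be compared against the user's next real login.
    """
    user = event["user"]
    if is_vpn(event):
        return {"alert": True, "severity": "INFO", "reason": "vpn", "cached": False}
    if is_satellite_network(event):
        return {"alert": True, "severity": "INFO", "reason": "satellite_network", "cached": False}

    here = location(event)
    now = event["time"]
    previous = cache.get(user)
    decision = {"alert": False, "severity": None, "reason": None, "cached": True}
    if previous is not None:
        distance = haversine_km(*previous["loc"], *here)
        hours = max((now - previous["time"]) / 3600.0, 1e-9)
        if distance / hours > MAX_SPEED_KMH:
            decision.update(alert=True, severity="HIGH", reason="impossible_travel")
    cache[user] = {"loc": here, "time": now}
    return decision


def make_event(user, ip, time, lat, lng, asn, vpn=False):
    """Build a constructed event in the nested shape this example assumes."""
    return {
        "user": user, "ip": ip, "time": time,
        "p_enrichment": {
            "ipinfo_location": {"ip": {"lat": lat, "lng": lng}},
            "ipinfo_asn": {"ip": {"asn": asn}},
            "ipinfo_privacy": {"ip": {"vpn": vpn}},
        },
    }


# Constructed scenario: office login, an in-flight login an hour later whose
# Intelsat IP geolocates to a fixed spot far away, then the office again.
SAMPLE_EVENTS = [
    make_event("alice", "203.0.113.10", 0, 40.7128, -74.0060, "AS64500"),
    make_event("alice", "198.51.100.7", 3600, 34.0522, -118.2437, "AS22351"),
    make_event("alice", "203.0.113.10", 7200, 40.7128, -74.0060, "AS64500"),
]


def run_scenario(events=SAMPLE_EVENTS):
    cache = {}
    return [evaluate_login(e, cache) for e in events]


if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, run_scenario()):
        print(event["ip"], decision)
```

In the scenario the in-flight login produces only an INFO alert and is not cached, so the third login is compared against the first one (same office, zero distance) and stays quiet; with the same ASN left unfiltered, the roughly 3,900 km hop in one hour would have been scored as a HIGH alert.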

abdullahdevrel commented 1 month ago

Just an FYI, I am the DevRel of IPinfo and have been following this PR.

We are working on the engineering feature for recognizing in-flight WiFi providers. We do not want to point to just a fixed set of ASNs and say these provide in-flight WiFi. In fact, whenever anyone from our engineering team travels by plane, they log networking information from the in-flight WiFi, which we use to create a more reliable flagging mechanism for this feature.

This feature is currently in active development. I will update you once it is released.

geoffg-sentry commented 1 month ago

Oh that's very cool, thanks @abdullahdevrel