Recently, I've been searching for a breach scenario where valid credentials or legitimate systems have been used in an unlawful way. I wanted to discuss the power of what user entity behaviour analytics can achieve. I stumbled across this article written by James Gill, a partner who leads Lewis Silkin's Commercial & Technology Group. Thank you for sharing this scenario, James. 

An interesting point you raise in the article is that "the attackers used valid login details". From my experience, most organisations have an ability to monitor or be alerted to failed authentications and, quite commonly, those alerts are based on scenario analytics. However, in the event an account is compromised and valid credentials are used, how can you be alerted to malicious authentication successes and how do you know it is malicious in the first place? 

An answer is certainly through the use of UEBA (User Entity Behaviour Analytics) tools. LogRhythm's CloudAI will baseline a user's activity to understand what normal looks like. If the user deviates from their usual behaviour pattern, the organisation will be alerted.

Combining behaviour analytics with scenario analytics could be hugely effective in a situation such as the one James describes, i.e. Joe Bloggs has logged in at 6am and has taken three authentication attempts (unusual for Joe, as he typically authenticates first time and begins his day at 9am), and the authentication location is China (very unusual for Joe, as he works from the London office). While scenarios can be planned for, stolen or unlawfully used credentials can't. Using behavioural analytics will help to achieve granular monitoring of abnormal activity.
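To make the baseline-plus-scenario idea from the two paragraphs above concrete, here is an added illustration in Python. It is not LogRhythm CloudAI or any vendor's code; it is a hypothetical detector that builds a per-user profile (typical login hour, countries seen, failed attempts usually needed before a success) from a constructed authentication log, then scores a new successful login against that profile and against one fixed scenario rule (three or more failures before a success). The log format, user name and country codes are all assumptions made up for the example.

```python
"""Baseline-and-deviation scoring for successful authentications.

Hypothetical example, not LogRhythm CloudAI or any vendor's code. It learns
what "normal" looks like per user from history and flags a successful login
that deviates from it, alongside a static scenario rule.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from statistics import mean, pstdev


@dataclass
class AuthEvent:
    user: str
    ts: datetime
    success: bool
    country: str


@dataclass
class Profile:
    hours: list = field(default_factory=list)   # hour-of-day of each successful login
    countries: set = field(default_factory=set)  # countries this user has logged in from
    max_failures_before_success: int = 0         # most failed attempts ever seen before a success


# Constructed sample log: "<iso timestamp> <user> <SUCCESS|FAILURE> <country>".
# A week of Joe's normal logins from the UK around 9am, once needing a retry.
SAMPLE_LOG = """
2024-03-04T08:58:40Z joe.bloggs FAILURE GB
2024-03-04T09:02:11Z joe.bloggs SUCCESS GB
2024-03-05T09:05:03Z joe.bloggs SUCCESS GB
2024-03-06T08:57:30Z joe.bloggs SUCCESS GB
2024-03-07T09:10:45Z joe.bloggs SUCCESS GB
2024-03-08T09:01:12Z joe.bloggs SUCCESS GB
"""


def parse_log(text):
    """Parse the constructed log format above into AuthEvent records."""
    events = []
    for line in text.strip().splitlines():
        ts, user, result, country = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(AuthEvent(user, when, result == "SUCCESS", country))
    return events


def build_profiles(events):
    """Baseline each user: login hours, countries, and failures preceding each success."""
    profiles = defaultdict(Profile)
    pending_failures = defaultdict(int)
    for ev in sorted(events, key=lambda e: e.ts):
        if not ev.success:
            pending_failures[ev.user] += 1
            continue
        p = profiles[ev.user]
        p.hours.append(ev.ts.hour)
        p.countries.add(ev.country)
        p.max_failures_before_success = max(
            p.max_failures_before_success, pending_failures[ev.user])
        pending_failures[ev.user] = 0
    return profiles


def score_login(profile, hour, country, failures_before):
    """Return (score, reasons) for a successful login.

    Each behavioural deviation from the user's baseline adds one point; the
    static scenario rule adds one more, independent of the baseline.
    """
    reasons = []
    # Behavioural: hour of day well outside the user's history (2 sigma, at least 1 hour).
    if len(profile.hours) >= 2:
        mu, sigma = mean(profile.hours), pstdev(profile.hours)
        if abs(hour - mu) > max(2 * sigma, 1.0):
            reasons.append(f"unusual hour {hour:02d}:00 (typical {mu:.1f} +/- {sigma:.1f})")
    # Behavioural: a country this user has never authenticated from.
    if country not in profile.countries:
        reasons.append(f"new country {country}")
    # Behavioural: more retries than this user has ever needed.
    if failures_before > profile.max_failures_before_success:
        reasons.append(f"{failures_before} failures before success "
                       f"(max seen {profile.max_failures_before_success})")
    # Scenario rule: three or more failed attempts before a success, for anyone.
    if failures_before >= 3:
        reasons.append("scenario rule: 3 or more failed attempts before success")
    return len(reasons), reasons


if __name__ == "__main__":
    joe = build_profiles(parse_log(SAMPLE_LOG))["joe.bloggs"]
    # The scenario from the post: 6am, third attempt, from China.
    print(score_login(joe, hour=6, country="CN", failures_before=3))
    # A routine morning login for comparison.
    print(score_login(joe, hour=9, country="GB", failures_before=0))
```

The point of the split in `score_login` is that the scenario rule alone would have said nothing about the 6am login or the new country; those only stand out against Joe's own baseline. Conversely, a single failed attempt that is normal for Joe is not flagged, which is the kind of noise a purely rule-based alert on failures tends to generate.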