Recently, I've been searching for a breach scenario where valid credentials or legitimate systems have been used in an unlawful way. I wanted to discuss the power of what user entity behaviour analytics can achieve. I stumbled across this article written by James Gill, a partner who leads Lewis Silkin's Commercial & Technology Group. Thank you for sharing this scenario, James.
An interesting point you raise in the article is that "the attackers used valid login details". From my experience, most organisations have the ability to monitor or be alerted to failed authentications and, quite commonly, those alerts are based on scenario analytics. However, in the event an account is compromised and valid credentials are used, how can you be alerted to malicious authentication successes, and how do you know they are malicious in the first place?
One answer is certainly the use of UEBA (User Entity Behaviour Analytics) tools. LogRhythm's CloudAI will baseline a user's activity to understand what normal looks like for that user. If the user deviates from their usual behaviour pattern, the organisation will be alerted.
Combining behaviour analytics with scenario analytics could be hugely effective in a situation such as the one James describes, i.e. Joe Bloggs has logged in at 6am and has taken three authentication attempts (unusual for Joe, as he typically authenticates first time and begins his day at 9am), and the authentication location is China (very unusual for Joe, as he works from the London office). While scenarios can be planned for, stolen or unlawfully used credentials can't. Using behavioural analytics will help to achieve granular monitoring of abnormal activity.
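To show how the two layers fit together, here is an added example (my own illustration, not LogRhythm's or CloudAI's code) that builds a per-user baseline from a constructed authentication log and then scores a successful login against it. The log format, the static scenario rule (three or more attempts before success) and the weights are assumptions chosen for the illustration; the user, hours and countries are the ones from the Joe Bloggs scenario above.

```python
import re
from dataclasses import dataclass

# Constructed sample authentication log for one user (not real data). Each successful
# login records the time, how many attempts it took, and the source country.
SAMPLE_LOG = """\
2018-01-08T09:02:11 user=jbloggs result=success attempts=1 geo=GB
2018-01-09T09:10:45 user=jbloggs result=success attempts=1 geo=GB
2018-01-10T09:58:12 user=jbloggs result=failure attempts=1 geo=GB
2018-01-10T10:01:03 user=jbloggs result=success attempts=2 geo=GB
2018-01-11T08:58:30 user=jbloggs result=success attempts=1 geo=GB
2018-01-12T09:05:19 user=jbloggs result=success attempts=1 geo=GB
2018-01-15T09:00:02 user=jbloggs result=success attempts=1 geo=GB
2018-01-16T10:12:40 user=jbloggs result=success attempts=1 geo=GB
"""

# Assumed log line layout: ISO timestamp, then key=value fields.
LINE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2}T(?P<hour>\d{2}):\d{2}:\d{2} "
    r"user=(?P<user>\S+) result=(?P<result>\S+) attempts=(?P<attempts>\d+) geo=(?P<geo>\S+)$"
)

@dataclass(frozen=True)
class Login:
    user: str
    hour: int
    attempts: int
    geo: str

def parse_log(text):
    """Parse successful logins only; failures are left to the existing failed-auth alerting."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["result"] != "success":
            continue
        events.append(Login(m["user"], int(m["hour"]), int(m["attempts"]), m["geo"]))
    return events

@dataclass(frozen=True)
class Baseline:
    hour_min: int          # earliest hour the user normally logs in
    hour_max: int          # latest hour the user normally logs in
    attempts_max: int      # most attempts the user has ever needed
    geos: frozenset        # countries the user has logged in from

def build_baseline(events):
    """Behavioural layer: what 'normal' looks like for this user, learned from history."""
    hours = [e.hour for e in events]
    return Baseline(min(hours), max(hours),
                    max(e.attempts for e in events),
                    frozenset(e.geo for e in events))

SCENARIO_ATTEMPTS = 3  # assumed static scenario rule: 3+ attempts before a success

def evaluate(baseline, login, hour_slack=1):
    """Combine the static scenario rule with deviations from the user's own baseline."""
    reasons = []
    score = 0
    if login.hour < baseline.hour_min - hour_slack or login.hour > baseline.hour_max + hour_slack:
        reasons.append(f"unusual hour {login.hour:02d}:00 "
                       f"(normally {baseline.hour_min:02d}:00-{baseline.hour_max:02d}:00)")
        score += 1
    if login.attempts > baseline.attempts_max:
        reasons.append(f"{login.attempts} attempts (never needed more than {baseline.attempts_max})")
        score += 1
    if login.geo not in baseline.geos:
        reasons.append(f"new country {login.geo} (seen before: {sorted(baseline.geos)})")
        score += 2  # a new geography weighs more than a shifted hour
    scenario_hit = login.attempts >= SCENARIO_ATTEMPTS
    # Alert on the scenario rule alone, or on two or more behavioural deviations.
    return {
        "user": login.user,
        "scenario_hit": scenario_hit,
        "behaviour_score": score,
        "reasons": reasons,
        "alert": scenario_hit or score >= 2,
    }

if __name__ == "__main__":
    baseline = build_baseline(parse_log(SAMPLE_LOG))
    # Constructed event matching the scenario in the text: 6am, three attempts, from China.
    suspect = parse_log("2018-01-17T06:14:09 user=jbloggs result=success attempts=3 geo=CN")[0]
    print(evaluate(baseline, suspect))
```

The point of the split is that the scenario rule would fire on the three attempts with or without history, while the hour and country findings only exist because a baseline was learned; a login from a new country at a normal hour with a single attempt would still reach the alert threshold on the behavioural layer alone.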
What happened?
The Information Commissioner's Office (ICO) recently issued Carphone Warehouse with a £400,000 fine following the occurrence of a third party cyberattack in 2015. The cyberattack targeted a specific Dixons Carphone computer system which hosted internal and external websites, including e-commerce sites. The attackers used valid login details to access the system using out of date WordPress software. At the time of the attack, the computer system in question contained records of over 3 million customers of a number of mobile phone providers (the records included their name, date of birth, marital status and address), as well as historic transaction data covering over 18,000 payment cards and personal records of Carphone Warehouse's employees.