Recently, I've been searching for a breach scenario where valid credentials or legitimate systems have been used in an unlawful way, because I wanted to discuss what user and entity behaviour analytics can achieve. I stumbled across just such a scenario in this article by James Gill, a partner who leads Lewis Silkin's Commercial & Technology Group.

An interesting point raised in the article is that "the attackers used valid login details". From my experience, most organisations are able to monitor, or be alerted to, failed authentications and, quite commonly, those alerts are based on scenario analytics. However, when an account is compromised and valid credentials are used, how can you be alerted to malicious authentication successes, and how do you know they are malicious in the first place?