Recently, I've been searching for a breach scenario where valid credentials or legitimate systems have been used in an unlawful way, because I wanted to discuss what user and entity behaviour analytics (UEBA) can achieve. I stumbled across just such a scenario in this article by James Gill, a partner who leads Lewis Silkin's Commercial & Technology Group.
An interesting point raised in the article is that "the attackers used valid login details". In my experience, most organisations have the ability to monitor or be alerted to failed authentications and, quite commonly, those alerts are based on scenario analytics. However, in the event an account is compromised and valid credentials are used, how can you be alerted to malicious authentication successes, and how do you know they are malicious in the first place?
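One way to answer that question is to baseline each user's own successful logins (where they usually come from, and when) and score every new success against that baseline rather than against a fixed rule. The example below is added here and is not from the article or the original post; the events, field layout, weights and alert threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network

# Constructed successful-authentication events: (user, UTC timestamp, source IP).
# HISTORY is the known-good window used to build the baseline; NEW_EVENTS are scored.
HISTORY = [
    ("jsmith", "2018-01-08 08:55", "10.20.5.14"),
    ("jsmith", "2018-01-09 09:02", "10.20.5.14"),
    ("jsmith", "2018-01-10 08:47", "10.20.5.22"),
    ("jsmith", "2018-01-11 17:30", "10.20.5.14"),
    ("jsmith", "2018-01-12 09:10", "10.20.5.14"),
]
NEW_EVENTS = [
    ("jsmith", "2018-01-15 09:05", "10.20.5.14"),    # usual network, usual hours
    ("jsmith", "2018-01-16 03:12", "203.0.113.77"),  # valid login, but off-hours from a new network
    ("jsmith", "2018-01-16 10:00", "10.20.5.31"),    # new host, same office network
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def network(ip):
    # Collapse hosts to their /24 so a new desktop on the usual LAN is not an anomaly.
    return str(ip_network(f"{ip}/24", strict=False))

def build_baseline(events):
    """Per-user profile: source networks seen and the hour-of-day range of prior logins."""
    seen = defaultdict(lambda: {"networks": set(), "hours": []})
    for user, ts, ip in events:
        seen[user]["networks"].add(network(ip))
        seen[user]["hours"].append(parse(ts).hour)
    return {u: {"networks": p["networks"], "min_hour": min(p["hours"]),
                "max_hour": max(p["hours"])} for u, p in seen.items()}

def score_event(baseline, user, ts, ip):
    """Return (score, reasons). Weights are assumptions: new network=2, off-hours=1."""
    p = baseline.get(user)
    if p is None:
        return 3, ["no baseline for user"]  # never seen succeeding before: always review
    score, reasons, hour = 0, [], parse(ts).hour
    if network(ip) not in p["networks"]:
        score, reasons = score + 2, reasons + [f"new source network {network(ip)}"]
    if not p["min_hour"] <= hour <= p["max_hour"]:
        score += 1
        reasons.append(f"hour {hour:02d} outside usual {p['min_hour']:02d}-{p['max_hour']:02d}")
    return score, reasons

def flag_anomalies(baseline, events, threshold=2):
    """Successful logins whose deviation score reaches the threshold, with the reasons."""
    out = []
    for user, ts, ip in events:
        score, reasons = score_event(baseline, user, ts, ip)
        if score >= threshold:
            out.append((user, ts, ip, score, reasons))
    return out
```

Here only the 03:12 login from 203.0.113.77 is flagged: it authenticated successfully, so a failed-login rule would never see it, but it deviates from what jsmith has ever done before.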
The Information Commissioner's Office (ICO) recently issued Carphone Warehouse with a £400,000 fine following the occurrence of a third-party cyberattack in 2015. The cyberattack targeted a specific Dixons Carphone computer system which hosted internal and external websites, including e-commerce sites. The attackers used valid login details to access the system using out-of-date WordPress software. At the time of the attack, the computer system in question contained records of over 3 million customers of a number of mobile phone providers (the records included their name, date of birth, marital status and address), as well as historic transaction data covering over 18,000 payment cards and personal records of Carphone Warehouse's employees.