Between Equifax, Yahoo! and other major breaches, criminals hold so much information about us that a login credential on its own is almost meaningless as proof of identity. Expect an increase in stolen-credential attacks, with criminals masquerading as legitimate employees and accessing companies' most valued data assets. So how can companies detect and stop these bad actors before it's too late?
It starts with flipping the model: instead of focusing only on preventing bad actors from stealing credentials, companies should be asking, "What should we do once they are inside pretending to be one of our own employees?" The answer borrows a page from the credit card industry's playbook. Ryan Stolte, co-founder and CTO at Bay Dynamics, sat down with Inside Counsel to discuss what the credit card industry is doing right and how it can be applied to cyber to minimize the risk to companies when credentials are stolen.
Every time there’s a significant breach, the criminals collect more information about us. With Yahoo!, for example, they collected usernames and passwords. With Equifax, they collected names, email addresses, social security numbers, birth dates and other personally identifiable information. By this point the criminals have enough of our information to build user profiles, leveraging the information to break into companies using legitimate user login credentials.
"The most significant breaches impacted millions, and in some cases billions of user accounts worldwide, with many of them involving criminals stealing login credentials," explained Stolte. "Not to mention, oftentimes stolen credentials end up on the dark web, available for other bad actors to buy and leverage. Once they have user credentials, the criminals log in to legitimate users' accounts, pretending to be them. In some cases, they stick around for months, accessing sensitive corporate data without raising any flags because they used legitimate credentials."
So, how can companies detect and stop these bad actors before it’s too late? According to Stolte, companies need to flip the model. Instead of asking, “How can we keep the bad guys out,” they should be asking, “How can we detect them once they are in?” They should use user and entity behavior analytics (UEBA) to monitor and detect when a user’s behavior seems out of the ordinary, and integrate UEBA with data loss prevention technology to prioritize which users to investigate before sensitive data is stolen.
“For example, let’s say a criminal steals John’s login credentials and accesses a highly sensitive database post [during] John’s typical work hours from a country John does not live in. Data loss prevention technology would follow the data, blocking the criminal from exfiltrating it,” he explained. “UEBA technology would detect John’s unusual behavior, confirm it’s unusual for John’s peers and overall team, and prioritize the alert based on impact to the business if [the] database under attack were compromised, the value of the database and associated vulnerabilities. Within minutes, analysts would receive the threat alert and could investigate the perpetrator before the damage is done.”
Today, multifactor authentication integrated with UEBA is another useful tool. In John's case, UEBA would detect the unusual behavior and trigger a step-up challenge: the multifactor system would send a text to the real John asking him to confirm whether he logged into the database. If John doesn't respond or says "no," the criminal would not be allowed access to the database. With UEBA combined with technologies like data loss prevention, multifactor authentication, encryption, tagging and others, it does not matter whether John is doing a bad thing, someone hijacked his account and is doing a bad thing, or a machine is pretending to be him: the technologies will detect the behavior and enable responders to act quickly, before sensitive data walks out the door.
“Companies need to assume the criminals are already inside,” said Stolte. “They should assume criminals have already stolen employees’ login credentials due to significant breaches of the past, and focus on detecting and mitigating bad actors pretending to be legitimate employees. No one can 100 percent walk in someone else’s shoes so at some point the criminals will behave in a way that’s unusual for the legitimate employee, and if companies are focused on an inside-out mode of operation, they will catch them.”
The credit card industry has mastered the model of detecting and mitigating fraud. For example, Stolte recently received a text message from his card company asking if he bought gas in Connecticut. He lives and works in New York City, so it would be unusual for him to buy gas in Connecticut. He responded “no,” and his credit card account was frozen. On the other hand, he also received a call from his card company asking if he bought gas in Iowa. At that time, he happened to be in Iowa visiting family, so he responded “yes,” and his day continued, business as usual.
In cyber, the same lessons should apply, per Stolte. If an employee is detected doing something he normally would not do, he should receive a text message or another form of confirmation asking him to confirm that it's really him. If he responds "no," then his account should be frozen so the criminal cannot move any further. If he responds "yes," or if his manager confirms that he was given permission for business purposes, then the employee should be able to go about his business uninterrupted.
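The flow described in the last few paragraphs (score a login against the user's own baseline, check whether peers behave the same way, weight by the value of the asset, then allow, ask the real user to confirm, or freeze) is shown below as an added example. It is not Bay Dynamics' product or code, nor anything from the article; the users, team, assets, point values, threshold and events are all constructed for illustration, and a real UEBA deployment would learn baselines from far more history than a handful of rows.

```python
# Added example (not Bay Dynamics' code): a toy UEBA-style scorer that
# compares one access event to (a) the user's own history and (b) the peer
# team's history, weights the result by the asset's tagged value, and maps
# the score to allow / step-up / freeze. Everything below is constructed.
from collections import defaultdict

# Hypothetical asset tags: higher value = bigger business impact if breached.
ASSET_VALUE = {"payroll_db": 3, "hr_db": 3, "wiki": 1}

# Score at or above which the real user is asked to confirm (the card
# issuer's "did you buy gas in Iowa?" text).
STEP_UP = 2

# Constructed history rows: (user, team, country, hour, asset); hours are in
# the company's time zone.
HISTORY = [
    ("john", "finance", "US", 9, "payroll_db"),
    ("john", "finance", "US", 10, "payroll_db"),
    ("john", "finance", "US", 14, "wiki"),
    ("john", "finance", "US", 16, "payroll_db"),
    ("mary", "finance", "US", 9, "payroll_db"),
    ("mary", "finance", "US", 11, "wiki"),
    ("mary", "finance", "CA", 10, "payroll_db"),  # Mary sometimes works from Canada
    ("alex", "finance", "US", 13, "payroll_db"),
    ("alex", "finance", "US", 17, "wiki"),
]


def _empty_profile():
    return {"countries": set(), "hours": set(), "assets": set()}


def build_baselines(history):
    """Per-user and per-team profiles of where, when and what was accessed."""
    users = defaultdict(_empty_profile)
    teams = defaultdict(_empty_profile)
    for user, team, country, hour, asset in history:
        for profile in (users[user], teams[team]):
            profile["countries"].add(country)
            profile["hours"].add(hour)
            profile["assets"].add(asset)
    return users, teams


def _near_usual_hours(hour, hours, tolerance=1):
    return any(abs(hour - h) <= tolerance for h in hours)


def score_event(event, users, teams):
    """Return (score, reasons). Each deviation from the user's own baseline
    adds points; if the peer team has never done it either, it adds more."""
    user, team, country, hour, asset = event
    mine, peers = users[user], teams[team]
    score, reasons = 0, []
    if country not in mine["countries"]:
        score += 2
        reasons.append("new country for user")
        if country not in peers["countries"]:
            score += 2
            reasons.append("new country for team")
    if not _near_usual_hours(hour, mine["hours"]):
        score += 1
        reasons.append("outside user's usual hours")
        if not _near_usual_hours(hour, peers["hours"]):
            score += 1
            reasons.append("outside team's usual hours")
    if asset not in mine["assets"]:
        score += 1
        reasons.append("first access to asset by user")
        if asset not in peers["assets"]:
            score += 2
            reasons.append("asset never used by team")
    # Prioritise by impact: the same behaviour on a crown-jewel asset ranks higher.
    return score * ASSET_VALUE.get(asset, 1), reasons


def decide(score, confirmed=None):
    """Map a score to an action. `confirmed` is the real user's answer to the
    step-up prompt: True = "yes, that was me", False = "no", None = no reply."""
    if score < STEP_UP or confirmed is True:
        return "allow"           # routine, or the Iowa case: business as usual
    if confirmed is False:
        return "freeze"          # the Connecticut case: account frozen
    return "deny"                # no answer yet: do not let the session proceed


def prioritize(events, users, teams):
    """Order pending events so analysts look at the highest-impact ones first."""
    scored = [(score_event(e, users, teams)[0], e) for e in events]
    return [e for _, e in sorted(scored, key=lambda x: x[0], reverse=True)]


if __name__ == "__main__":
    users, teams = build_baselines(HISTORY)
    # Constructed live events: a 3 a.m. payroll login from a country nobody on
    # the team works from, Mary's routine Canadian login, Alex's first trip.
    events = [
        ("john", "finance", "RO", 3, "payroll_db"),
        ("mary", "finance", "CA", 10, "payroll_db"),
        ("alex", "finance", "CA", 12, "wiki"),
    ]
    for e in prioritize(events, users, teams):
        score, reasons = score_event(e, users, teams)
        print(score, decide(score), e, reasons)
```

The point of the peer comparison is the one Stolte makes about Mary-style cases: a login from Canada is unusual for Alex but not for the finance team, so it rates a confirmation text rather than an alert at the top of the queue, while John's 3 a.m. payroll access from a country nobody on the team works from is unusual for both him and his peers, lands on the highest-value asset, and so is ranked first and denied until the real John answers.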
He said, "The process enables companies to detect a criminal masquerading as a legitimate employee and stop him from stealing sensitive data, while enabling real employees to do their jobs uninterrupted."
Amanda G. Ciccatelli is a Freelance Journalist for Corporate Counsel and InsideCounsel, where she covers intellectual property, legal technology, patent litigation, cybersecurity, innovation, and more.