When a malicious party has gained access to a first system, they will often exploit the legitimate users' poor security practices to gain access to additional systems. For example, a user may choose a password for a social media system and reuse that password on a work system; once either system is compromised, the malicious party gains access to both, provided they can link the user's account names on the two systems. Lists of user credentials (usernames, passwords, domains, etc.) are hosted by malicious parties for sale to one another and may be used to gain access to systems directly, to build password dictionaries, or to provide a starting point for a targeted brute force attack (e.g., when a user varies a password by incrementing a digit: password1, password2, password3, etc.).
Administrators of networks often set operational security policies that suggest or require users to use passwords different from those used in other systems, to change passwords frequently, and to not reuse passwords within their networks, but their networks remain subject to attacks that use these compromised credentials because users ignore, forget, or skirt these policies. Even when individual users are not vulnerable to these attacks because they follow good operational security policies, the network itself still has to deal with them, since malicious parties probe the network for poorly chosen or exposed credentials, and that probing may be indistinguishable from benign login errors (e.g., when a legitimate user mis-enters a password, or forgets to update a stored password in a client that automatically attempts to log in to the network).
To combat attacks, administrators need to identify a set of one or more login attempts as malicious and take action to secure the network, which may include locking an account, restricting access from an account, blocking a port, applying an Access Control List (ACL) (e.g., a whitelist or a blacklist for sets of IP addresses), flagging an account for manual review, etc. Identifying an attack as malicious and securing a network can require a significant expenditure of human and computing resources, and may result in false positives, which in turn require additional human and computing resources to undo the security actions. If false positives occur too frequently, security for the network is eventually weakened, because frustrated users bypass security controls and ignore good security practices.
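The distinction drawn above, between login failures produced by a malicious party testing compromised credentials and those produced by a legitimate user or a client holding a stale password, is what an administrator's detection logic has to make before choosing among the listed responses. The following Python script is an added illustration written for this page, not code from the original text; the log format, the sample log lines, the account names and IP addresses, and the thresholds are all constructed assumptions. It groups failed logins by source, by account, and by (account, source) pair, labels three patterns, and attaches a suggested response that is deliberately milder for the pattern most likely to be a benign misconfiguration, so that the false-positive cost described in the paragraph above is kept low.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (hypothetical format, not from any real product).
# It contains three failure patterns plus one benign mistype followed by success:
#   203.0.113.7 fails against six different accounts in ten seconds (spray),
#   account grace fails from five different sources (leaked credential being tested),
#   account heidi fails from one source exactly every five minutes (stored stale password),
#   account ivan fails once and then succeeds (ordinary typo).
SAMPLE_LOG = """\
2024-03-01T08:00:01 auth FAIL user=alice src=203.0.113.7
2024-03-01T08:00:03 auth FAIL user=bob src=203.0.113.7
2024-03-01T08:00:05 auth FAIL user=carol src=203.0.113.7
2024-03-01T08:00:07 auth FAIL user=dave src=203.0.113.7
2024-03-01T08:00:09 auth FAIL user=erin src=203.0.113.7
2024-03-01T08:00:11 auth FAIL user=frank src=203.0.113.7
2024-03-01T08:05:00 auth FAIL user=grace src=198.51.100.1
2024-03-01T08:05:02 auth FAIL user=grace src=198.51.100.2
2024-03-01T08:05:04 auth FAIL user=grace src=198.51.100.3
2024-03-01T08:05:06 auth FAIL user=grace src=198.51.100.4
2024-03-01T08:05:08 auth FAIL user=grace src=198.51.100.5
2024-03-01T08:10:00 auth FAIL user=heidi src=192.0.2.10
2024-03-01T08:15:00 auth FAIL user=heidi src=192.0.2.10
2024-03-01T08:20:00 auth FAIL user=heidi src=192.0.2.10
2024-03-01T08:25:00 auth FAIL user=heidi src=192.0.2.10
2024-03-01T08:30:00 auth FAIL user=heidi src=192.0.2.10
2024-03-01T08:31:00 auth FAIL user=ivan src=192.0.2.20
2024-03-01T08:31:30 auth OK user=ivan src=192.0.2.20
"""

LINE_RE = re.compile(r"^(\S+) auth (FAIL|OK) user=(\S+) src=(\S+)$")


def parse(log_text):
    """Parse log lines into (timestamp, result, user, src); malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, result, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), result, user, src))
    return events


def _regular_intervals(times, tolerance=0.2):
    """True when the gaps between consecutive timestamps all lie within `tolerance` of
    their mean, the signature of an automated client retrying a stored password."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 3:
        return False
    mean = sum(gaps) / len(gaps)
    return mean > 0 and all(abs(g - mean) <= tolerance * mean for g in gaps)


def _max_distinct_in_window(items, window_s):
    """items: sorted (timestamp, key) pairs. Largest set of distinct keys seen inside
    any window of `window_s` seconds that starts at one of the timestamps."""
    best = set()
    for i, (start, _) in enumerate(items):
        keys = {k for t, k in items[i:] if (t - start).total_seconds() <= window_s}
        if len(keys) > len(best):
            best = keys
    return best


def classify(events, window_s=600, spray_users=5, stuffing_srcs=5, stale_min=4):
    """Label groups of failed logins. Returns {key: {"type", "action", ...}}, where the
    action is a suggestion for the administrator, not an automatic enforcement."""
    fails = sorted(e for e in events if e[1] == "FAIL")
    by_src, by_user, by_pair = defaultdict(list), defaultdict(list), defaultdict(list)
    for ts, _, user, src in fails:
        by_src[src].append((ts, user))
        by_user[user].append((ts, src))
        by_pair[(user, src)].append(ts)

    findings = {}
    # One source trying many accounts: act on the source, not on the victim accounts.
    for src, items in by_src.items():
        users = _max_distinct_in_window(items, window_s)
        if len(users) >= spray_users:
            findings[f"src:{src}"] = {"type": "password_spray", "accounts": sorted(users),
                                      "action": "rate_limit_or_acl_source"}
    # One account tried from many sources: a leaked credential is being tested.
    for user, items in by_user.items():
        srcs = _max_distinct_in_window(items, window_s)
        if len(srcs) >= stuffing_srcs:
            findings[f"user:{user}"] = {"type": "credential_stuffing", "sources": sorted(srcs),
                                        "action": "lock_account_and_notify_user"}
    # One account from one source failing on a fixed schedule, with neither the
    # account nor the source otherwise suspicious: most likely a stored, outdated
    # password. Flag for review rather than lock, to avoid the false-positive cost.
    for (user, src), times in by_pair.items():
        if f"src:{src}" in findings or f"user:{user}" in findings:
            continue
        if len(times) >= stale_min and _regular_intervals(times):
            findings[f"pair:{user}@{src}"] = {"type": "stale_credential_suspected",
                                              "failures": len(times),
                                              "action": "flag_for_manual_review"}
    return findings


if __name__ == "__main__":
    for key, info in classify(parse(SAMPLE_LOG)).items():
        print(key, info)
```

Run on the constructed log, the script reports three findings and nothing for ivan, whose single failure followed by a success is exactly the benign error the text says must not be treated as an attack. The thresholds and the regular-interval heuristic are assumptions that a real deployment would tune against its own traffic; the point of the structure is that the response escalates with the evidence, and the ambiguous pattern goes to a human rather than to an automatic lockout.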