GET A DEMO
See why 9,000+ companies trust Darktrace
Thanks, your request has been received
A member of our team will be in touch with you shortly.
YOU MAY FIND INTERESTING
Five Key Takeaways from Black Hat 2023
Hives & Frankensteins: The Half-Year Threat Report
Oops! Something went wrong while submitting the form.

Blog

Ransomware

OT

Thought Leadership

How Darktrace’s Cyber AI Analyst accelerates reporting incidents to the US federal government

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
12
Apr 2022
12
Apr 2022
This blog explains how Darktrace helps defenders abide by US federal laws on reporting cyber security incidents, featuring a real-world example of a ransomware attack investigated by Cyber AI Analyst.

On March 15, 2022, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act into law, included as part of the Congressional Omnibus Appropriations bill. The law requires critical infrastructure owners and operators to quickly notify the Cyber and Infrastructure Security Agency (CISA) of ransomware payments and significant cyber-attacks.

The Cyber Incident Reporting for Critical Infrastructure Act creates two new reporting requirements:

  1. an obligation to report certain cyber incidents to DHS CISA within 72 hours
  2. an obligation to report ransomware payments within 24 hours

Supporting the new law, Darktrace AI accelerates the cyber incident reporting process. Specifically, Darktrace’s Cyber AI Analyst understands the connections among disparate security incidents with supervised machine learning and autonomously writes incident reports in human-readable language using natural language processing (NLP). These Darktrace incident reports allow human analysts to send reports to CISA quickly and efficiently.

In the below real-world attack case study, we demonstrate how Cyber AI Analyst facilitates seamless reporting for critical infrastructure organizations that fall victim to ransomware and malicious data exfiltration. The AI technology, trained on human analyst behavior, replicates investigations at machine speed and scale, surfacing relevant details in minutes and allowing security teams to understand what happened precisely and share this information with the relevant authorities.

The below threat investigation details a significant threat find on a step by step level in technical detail to demonstrate the power and speed of Cyber AI Analyst.

Cyber AI Analyst’s incident report

When ransomware struck this organization, Cyber AI Analyst was invaluable, autonomously investigating the full scope of the incident and generating a natural language summary that clearly showed the progression of the attack.

Figure 1: Cyber AI Analyst reveals the full scope of the attack

In the aftermath of this attack, Darktrace’s technology also offered analyst assistance in mapping out the timeline of the attack and identifying what files were compromised, helping the security team identify anomalous activity related to the ransomware attack.

Figure 2: Cyber AI Analyst showing the stages of the attack chain undergone by the compromised device

With Darktrace AI’s insights, the team easily identified the timeline of the attack, affected devices, credentials used, file shares accessed, files exfiltrated, and malicious endpoints contacted, enabling the customer to disclose the scale of the attack and notify necessary parties.

This example demonstrates how Cyber AI Analyst empowers critical infrastructure owners and operators to swiftly report major cyber-attacks to the federal government. Considering that 72 hours is the reporting period is for significant incidents — and 24 hours for ransomware payments — Cyber AI Analyst is no longer a nice-to-have but a must-have for critical infrastructure.

Attack breakdown: Ransomware and data exfiltration

Cyber AI Analyst delivered the most critical information in an easy-to-read report — with no human touch involved — as shown in the incident report above. We will now break down the attack further to demonstrate how Darktrace’s Self-Learning AI understood the unusual activity throughout the attack lifecycle.

In this double extortion ransomware, attackers exfiltrated data over 22 days. The detections made by Darktrace’s Self-Learning AI, and the parallel investigation by Cyber AI Analyst, were used to map the attack chain and identify how and what data had been exfiltrated and encrypted.

The attack consisted of three general groups of events:

  • Unencrypted FTP (File Transfer Protocol) data exfiltration to rare malicious external endpoint in Bulgaria (May 9 07:23:46 UTC – May 21 03:06:46 UTC)
  • Ransomware encryption of files in network file shares (May 25 01:00:27 UTC – May 30 07:09:53 UTC)
  • Encrypted SSH (Secure Shell) data exfiltration to rare malicious external endpoint (May 29 16:43:37 UTC – May 30 13:23:59 UTC)
Figure 3: Timeline of the attack alongside Darktrace model breaches

First, uploads of internal data to a rare external endpoint in Bulgaria were observed within the networks. The exfiltration was preceded by SMB reads of internal file shares before approximately 450GB of data was exfiltrated via FTP.

Darktrace’s AI identified this threatening activity on its own, and the organization was quickly able to pinpoint what data had been exfiltrated, including files camouflaged by markings such as ‘Talent Acquisition’ and ‘Engineering and Construction,’ and legal and financial documents — suggesting that these were documents of an extremely sensitive nature.

Figure 4: Screenshots showing two model breaches relating to external uploads over FTP
Figure 5: Screenshot showing SMB reads from a file share before FTP upload

Model breaches:

  • Anomalous Connection / Unusual Incoming Data Volume
  • Anomalous File / Internal / Additional Extension Appended to SMB File
  • Compromise / Ransomware / Suspicious SMB Activity
  • Compromise / Ransomware / SMB Reads then Writes with Additional Extensions
  • Unusual Activity / Anomalous SMB Move & Write
  • Unusual Activity / High Volume Server Data Transfer
  • Unusual Activity / Sustained Anomalous SMB Activity
  • Device / SMB Lateral Movement

Four days following this observed activity, Darktrace’s AI detected the deployment of ransomware when multiple compromised devices began making anomalous SMB connections to file shares that they do not typically access, reading and writing similar volumes to the SMB file shares, as well as writing additional extensions to files over SMB. The file extension comprised a random string of letters and was likely to be unique to this target.

Using Darktrace, the customer obtained a full list of files that had been encrypted. The list included apparent financial records in an ‘Accounts’ file share.

Figure 6: Model breach showing additional extension written to file during ransomware encryption

Model breaches:

  • Anomalous Connection / Unusual Incoming Data Volume
  • Anomalous File / Internal / Additional Extension Appended to SMB File
  • Compromise / Ransomware / Suspicious SMB Activity
  • Compromise / Ransomware / SMB Reads then Writes with Additional Extensions
  • Unusual Activity / Anomalous SMB Move & Write
  • Unusual Activity / High Volume Server Data Transfer
  • Unusual Activity / Sustained Anomalous SMB Activity
  • Device / SMB Lateral Movement

Simultaneously, uploads of internal data to a rare external endpoint were observed within the network. The uploads were all performed using encrypted SSH/SFTP. In total, approximately 3.5GB of data was exfiltrated this way.

Despite the attacker using an encrypted channel to exfiltrate this data, Darktrace detected anomalous SMB file transfers prior to the external upload, indicating which files were exfiltrated. Here, Darktrace’s ability to go ‘back in time’ proved invaluable in helping analysts determine which files had been exfiltrated, although they were exfiltrated via an encrypted means.

Figure 7: Model breaches showing anomalous SMB activity before upload over SSH

Model breaches:

  • Anomalous Server Activity / Outgoing from Server
  • Compliance / SSH to Rare External Destination
  • Unusual Activity / Enhanced Unusual External Data Transfer
  • Device / Anomalous SMB Followed By Multiple Model Breaches
  • Device / Large Number of Model Breaches
  • Anomalous Connection / Uncommon 1 GiB Outbound
  • Anomalous Connection / Data Sent to Rare Domain
  • Anomalous Connection / Data Sent To New External Device

How did the attack bypass the rest of the security stack?

Existing administrative credentials were used to escalate privileges within the network and perform malicious activity.

Had Darktrace Antigena been active, it would have actioned a targeted, autonomous response to contain the activity in its early stages. Antigena would have enforced the ‘pattern of life’ on the devices involved in anomalous SMB activity — containing activity such as reading from file shares that are not normally connected, appending extensions to files and blocking outgoing connections to rare external endpoints.

However, in this case, Antigena was not set up to take action – it was configured in Human Confirmation mode. The incident was clearly alerted on by Darktrace, and appeared as a top priority item in the security team’s workflow. However, the security team was not monitoring Darktrace’s user interface, and in the absence of any action taken by other tools, the attack was allowed to progress, and the organization was obligated to disclose the details of the incident.

Streamlining the reporting process

In the modern threat landscape, leaning on AI to stop fast-moving and sophisticated attacks at machine speed and scale is critical. As this attack shows, the technology also helps organizations fulfill reporting requirements in the aftermath of an attack.

New legislation requires timely disclosure; with many traditional approaches to security, organizations do not have the capacity to surface the full details after an attack. On top of this, collating these details can take days or weeks. This is why Darktrace is no longer a nice-to-have but a must-have for critical infrastructure organizations, which are now required to report significant incidents swiftly.

Darktrace’s AI detects malicious activity as it happens and empowers customers to quickly understand the timeline of a compromise, as well as files accessed and exfiltrated by an attacker. This not only prepares organizations to resist the most sophisticated attacks, but also accelerates and radically simplifies the process of reporting the data breach.

Security teams should not have to confront disclosure processes on their own. Attacks happen fast, and their aftermaths are messy – retrospective investigation of lost data can be a futile effort with traditional approaches. With Darktrace, security teams can meet disruptive and sudden attacks with precise and nimble means of uncovering data, as well as detection and mitigation of risk. And, should the need arise, rapid and accurate reporting of events is laid out on a silver platter by the AI.

INSIDE THE SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
AUTHOR
ABOUT ThE AUTHOR
Justin Fier
SVP, Red Team Operations

Justin is one of the US’s leading cyber intelligence experts, and holds the position of SVP, Red Team Operations at Darktrace. His insights on cyber security and artificial intelligence have been widely reported in leading media outlets, including the Wall Street Journal, CNN, The Washington Post, and VICELAND. With over 10 years’ experience in cyber defense, Justin has supported various elements in the US intelligence community, holding mission-critical security roles with Lockheed Martin, Northrop Grumman Mission Systems and Abraxas. Justin is also a highly-skilled technical specialist, and works with Darktrace’s strategic global customers on threat analysis, defensive cyber operations, protecting IoT, and machine learning.

Sally Kenyon Grant
VP, Darktrace Federal

Sally Kenyon Grant is Vice President of Federal at Darktrace, working with the US Department of Defense, the Intelligence Community and Federal Civilian Agencies.

Watch the NIS2 Webinar
Book a 1-1 meeting with one of our experts
Get in touch
share this article
CATEGORIES
McLaren
PREVENT
RESPOND
Cloud
Ransomware
Inside the SOC
Thought Leadership
Crypto
Email
Threat Finds
OT
USE CASES
GOV
Government Regulations/Compliance
R
Ransomware & Malware
Software designed to corrupt systems
PRODUCT SPOTLIGHT
No items found.
COre coverage
OT
RELATED BLOGS
Gootloader Malware: Detecting and Containing Multi-Functional Threats with Darktrace
Catching CoinLoader: Decrypting the Malware Hijacking Networks for Cryptomining Operations
Trending blogs
1
Moving Beyond XDR to Achieve True Cyber Resilience with Darktrace ActiveAI Security Platform
Apr 9, 2024
2
Managing Risk Beyond CVE Scores With the Latest Innovations to Darktrace/OT
Apr 9, 2024
3
Looking Beyond Secure Email Gateways with the Latest Innovations to Darktrace/Email
Apr 7, 2024
4
The State of AI in Cybersecurity: Unveiling Global Insights from 1,800 Security Practitioners
Apr 9, 2024
5
Beyond DMARC: Navigating the Gaps in Email Security
Feb 29, 2024

More in this series

No items found.

Blog

Inside the SOC

Lost in Translation: Darktrace Blocks Non-English Phishing Campaign Concealing Hidden Payloads

Default blog imageDefault blog image
15
May 2024

Email – the vector of choice for threat actors

In times of unprecedented globalization and internationalization, the enormous number of emails sent and received by organizations every day has opened the door for threat actors looking to gain unauthorized access to target networks.

Now, increasingly global organizations not only need to safeguard their email environments against phishing campaigns targeting their employees in their own language, but they also need to be able to detect malicious emails sent in foreign languages too [1].

Why are non-English language phishing emails more popular?

Many traditional email security vendors rely on pre-trained English language models which, while function adequately against malicious emails composed in English, would struggle in the face of emails composed in other languages. It should, therefore, come as no surprise that this limitation is becoming increasingly taken advantage of by attackers.  

Darktrace/Email™, on the other hand, focuses on behavioral analysis and its Self-Learning AI understands what is considered ‘normal’ for every user within an organization’s email environment, bypassing any limitations that would come from relying on language-trained models [1].

In March 2024, Darktrace observed anomalous emails on a customer’s network that were sent from email addresses belonging to an international fast-food chain. Despite this seeming legitimacy, Darktrace promptly identified them as phishing emails that contained malicious payloads, preventing a potentially disruptive network compromise.

Attack Overview and Darktrace Coverage

On March 3, 2024, Darktrace observed one of the customer’s employees receiving an email which would turn out to be the first of more than 50 malicious emails sent by attackers over the course of three days.

The Sender

Darktrace/Email immediately understood that the sender never had any previous correspondence with the organization or its employees, and therefore treated the emails with caution from the onset. Not only was Darktrace able to detect this new sender, but it also identified that the emails had been sent from a domain located in China and contained an attachment with a Chinese file name.

The phishing emails detected by Darktrace sent from a domain in China and containing an attachment with a Chinese file name.
Figure 1: The phishing emails detected by Darktrace sent from a domain in China and containing an attachment with a Chinese file name.

Darktrace further detected that the phishing emails had been sent in a synchronized fashion between March 3 and March 5. Eight unique senders were observed sending a total of 55 emails to 55 separate recipients within the customer’s email environment. The format of the addresses used to send these suspicious emails was “12345@fastflavor-shack[.]cn”*. The domain “fastflavor-shack[.]cn” is the legitimate domain of the Chinese division of an international fast-food company, and the numerical username contained five numbers, with the final three digits changing which likely represented different stores.

*(To maintain anonymity, the pseudonym “Fast Flavor Shack” and its fictitious domain, “fastflavor-shack[.]cn”, have been used in this blog to represent the actual fast-food company and the domains identified by Darktrace throughout this incident.)

The use of legitimate domains for malicious activities become commonplace in recent years, with attackers attempting to leverage the trust endpoint users have for reputable organizations or services, in order to achieve their nefarious goals. One similar example was observed when Darktrace detected an attacker attempting to carry out a phishing attack using the cloud storage service Dropbox.

As these emails were sent from a legitimate domain associated with a trusted organization and seemed to be coming from the correct connection source, they were verified by Sender Policy Framework (SPF) and were able to evade the customer’s native email security measures. Darktrace/Email; however, recognized that these emails were actually sent from a user located in Singapore, not China.

Darktrace/Email identified that the email had been sent by a user who had logged in from Singapore, despite the connection source being in China.
Figure 2: Darktrace/Email identified that the email had been sent by a user who had logged in from Singapore, despite the connection source being in China.

The Emails

Darktrace/Email autonomously analyzed the suspicious emails and identified that they were likely phishing emails containing a malicious multistage payload.

Darktrace/Email identifying the presence of a malicious phishing link and a multistage payload.
Figure 3: Darktrace/Email identifying the presence of a malicious phishing link and a multistage payload.

There has been a significant increase in multistage payload attacks in recent years, whereby a malicious email attempts to elicit recipients to follow a series of steps, such as clicking a link or scanning a QR code, before delivering a malicious payload or attempting to harvest credentials [2].

In this case, the malicious actor had embedded a suspicious link into a QR code inside a Microsoft Word document which was then attached to the email in order to direct targets to a malicious domain. While this attempt to utilize a malicious QR code may have bypassed traditional email security tools that do not scan for QR codes, Darktrace was able to identify the presence of the QR code and scan its destination, revealing it to be a suspicious domain that had never previously been seen on the network, “sssafjeuihiolsw[.]bond”.

Suspicious link embedded in QR Code, which was detected and extracted by Darktrace.
Figure 4: Suspicious link embedded in QR Code, which was detected and extracted by Darktrace.

At the time of the attack, there was no open-source intelligence (OSINT) on the domain in question as it had only been registered earlier the same day. This is significant as newly registered domains are typically much more likely to bypass gateways until traditional security tools have enough intelligence to determine that these domains are malicious, by which point a malicious actor may likely have already gained access to internal systems [4]. Despite this, Darktrace’s Self-Learning AI enabled it to recognize the activity surrounding these unusual emails as suspicious and indicative of a malicious phishing campaign, without needing to rely on existing threat intelligence.

The most commonly used sender name line for the observed phishing emails was “财务部”, meaning “finance department”, and Darktrace observed subject lines including “The document has been delivered”, “Income Tax Return Notice” and “The file has been released”, all written in Chinese.  The emails also contained an attachment named “通知文件.docx” (“Notification document”), further indicating that they had been crafted to pass for emails related to financial transaction documents.

Darktrace/Email took autonomous mitigative action against the suspicious emails by holding the message from recipient inboxes.
Figure 5: Darktrace/Email took autonomous mitigative action against the suspicious emails by holding the message from recipient inboxes.

Conclusion

Although this phishing attack was ultimately thwarted by Darktrace/Email, it serves to demonstrate the potential risks of relying on solely language-trained models to detect suspicious email activity. Darktrace’s behavioral and contextual learning-based detection ensures that any deviations in expected email activity, be that a new sender, unusual locations or unexpected attachments or link, are promptly identified and actioned to disrupt the attacks at the earliest opportunity.

In this example, attackers attempted to use non-English language phishing emails containing a multistage payload hidden behind a QR code. As traditional email security measures typically rely on pre-trained language models or the signature-based detection of blacklisted senders or known malicious endpoints, this multistage approach would likely bypass native protection.  

Darktrace/Email, meanwhile, is able to autonomously scan attachments and detect QR codes within them, whilst also identifying the embedded links. This ensured that the customer’s email environment was protected against this phishing threat, preventing potential financial and reputation damage.

Credit to: Rajendra Rushanth, Cyber Analyst, Steven Haworth, Head of Threat Modelling, Email

Appendices  

List of Indicators of Compromise (IoCs)  

IoC – Type – Description

sssafjeuihiolsw[.]bond – Domain Name – Suspicious Link Domain

通知文件.docx – File - Payload  

References

[1] https://darktrace.com/blog/stopping-phishing-attacks-in-enter-language  

[2] https://darktrace.com/blog/attacks-are-getting-personal

[3] https://darktrace.com/blog/phishing-with-qr-codes-how-darktrace-detected-and-blocked-the-bait

[4] https://darktrace.com/blog/the-domain-game-how-email-attackers-are-buying-their-way-into-inboxes

Continue reading
About the author
Rajendra Rushanth
Cyber Analyst

Blog

No items found.

The State of AI in Cybersecurity: The Impact of AI on Cybersecurity Solutions

Default blog imageDefault blog image
13
May 2024

About the AI Cybersecurity Report

Darktrace surveyed 1,800 CISOs, security leaders, administrators, and practitioners from industries around the globe. Our research was conducted to understand how the adoption of new AI-powered offensive and defensive cybersecurity technologies are being managed by organizations.

This blog continues the conversation from “The State of AI in Cybersecurity: Unveiling Global Insights from 1,800 Security Practitioners” which was an overview of the entire report. This blog will focus on one aspect of the overarching report, the impact of AI on cybersecurity solutions.

To access the full report, click here.

The effects of AI on cybersecurity solutions

Overwhelming alert volumes, high false positive rates, and endlessly innovative threat actors keep security teams scrambling. Defenders have been forced to take a reactive approach, struggling to keep pace with an ever-evolving threat landscape. It is hard to find time to address long-term objectives or revamp operational processes when you are always engaged in hand-to-hand combat.                  

The impact of AI on the threat landscape will soon make yesterday’s approaches untenable. Cybersecurity vendors are racing to capitalize on buyer interest in AI by supplying solutions that promise to meet the need. But not all AI is created equal, and not all these solutions live up to the widespread hype.  

Do security professionals believe AI will impact their security operations?

Yes! 95% of cybersecurity professionals agree that AI-powered solutions will level up their organization’s defenses.                                                                

Not only is there strong agreement about the ability of AI-powered cybersecurity solutions to improve the speed and efficiency of prevention, detection, response, and recovery, but that agreement is nearly universal, with more than 95% alignment.

This AI-powered future is about much more than generative AI. While generative AI can help accelerate the data retrieval process within threat detection, create quick incident summaries, automate low-level tasks in security operations, and simulate phishing emails and other attack tactics, most of these use cases were ranked lower in their impact to security operations by survey participants.

There are many other types of AI, which can be applied to many other use cases:

Supervised machine learning: Applied more often than any other type of AI in cybersecurity. Trained on attack patterns and historical threat intelligence to recognize known attacks.

Natural language processing (NLP): Applies computational techniques to process and understand human language. It can be used in threat intelligence, incident investigation, and summarization.

Large language models (LLMs): Used in generative AI tools, this type of AI applies deep learning models trained on massively large data sets to understand, summarize, and generate new content. The integrity of the output depends upon the quality of the data on which the AI was trained.

Unsupervised machine learning: Continuously learns from raw, unstructured data to identify deviations that represent true anomalies. With the correct models, this AI can use anomaly-based detections to identify all kinds of cyber-attacks, including entirely unknown and novel ones.

What are the areas of cybersecurity AI will impact the most?

Improving threat detection is the #1 area within cybersecurity where AI is expected to have an impact.                                                                                  

The most frequent response to this question, improving threat detection capabilities in general, was top ranked by slightly more than half (57%) of respondents. This suggests security professionals hope that AI will rapidly analyze enormous numbers of validated threats within huge volumes of fast-flowing events and signals. And that it will ultimately prove a boon to front-line security analysts. They are not wrong.

Identifying exploitable vulnerabilities (mentioned by 50% of respondents) is also important. Strengthening vulnerability management by applying AI to continuously monitor the exposed attack surface for risks and high-impact vulnerabilities can give defenders an edge. If it prevents threats from ever reaching the network, AI will have a major downstream impact on incident prevalence and breach risk.

Where will defensive AI have the greatest impact on cybersecurity?

Cloud security (61%), data security (50%), and network security (46%) are the domains where defensive AI is expected to have the greatest impact.        

Respondents selected broader domains over specific technologies. In particular, they chose the areas experiencing a renaissance. Cloud is the future for most organizations,
and the effects of cloud adoption on data and networks are intertwined. All three domains are increasingly central to business operations, impacting everything everywhere.

Responses were remarkably consistent across demographics, geographies, and organization sizes, suggesting that nearly all survey participants are thinking about this similarly—that AI will likely have far-reaching applications across the broadest fields, as well as fewer, more specific applications within narrower categories.

Going forward, it will be paramount for organizations to augment their cloud and SaaS security with AI-powered anomaly detection, as threat actors sharpen their focus on these targets.

How will security teams stop AI-powered threats?            

Most security stakeholders (71%) are confident that AI-powered security solutions are better able to block AI-powered threats than traditional tools.

There is strong agreement that AI-powered solutions will be better at stopping AI-powered threats (71% of respondents are confident in this), and there’s also agreement (66%) that AI-powered solutions will be able to do so automatically. This implies significant faith in the ability of AI to detect threats both precisely and accurately, and also orchestrate the correct response actions.

There is also a high degree of confidence in the ability of security teams to implement and operate AI-powered solutions, with only 30% of respondents expressing doubt. This bodes well for the acceptance of AI-powered solutions, with stakeholders saying they’re prepared for the shift.

On the one hand, it is positive that cybersecurity stakeholders are beginning to understand the terms of this contest—that is, that only AI can be used to fight AI. On the other hand, there are persistent misunderstandings about what AI is, what it can do, and why choosing the right type of AI is so important. Only when those popular misconceptions have become far less widespread can our industry advance its effectiveness.  

To access the full report, click here.

Continue reading
About the author
The Darktrace Community
Our ai. Your data.

Elevate your cyber defenses with Darktrace AI

Start your free trial
Darktrace AI protecting a business from cyber threats.