Darktrace Blog

Perspectives on cyber defense

Every rule has an exception: How to detect insider threat without rules

Andrew Tsonchev, Director of Cyber Analysis | Wednesday June 21, 2017

Typically, security controls have to predefine ‘good’ and ‘bad’ behavior, but this approach inevitably leaves room for people to circumvent those rules, intentionally or otherwise. This is especially problematic when it comes to establishing rules for insiders. Too restrictive, and their workflow is impeded. Too laissez-fair, and they open themselves up to easily preventable threats.

For instance, to prevent anomalous RDP connections – either inbound or outbound – traditional security tools like firewalls often predefine which destination ports to allow and which ports to restrict. However, if an employee were to use a destination port not explicitly restricted by the firewall, they could theoretically exfiltrate data out of the network without raising any alerts.

After installing on the corporate network of a large manufacturing company, our AI technology recently spotted a rogue device making RDP connections to a rare external host that should have been blocked by the firewall.

10.230.102.143 · 00:23:18:28:3d:8c made 2 RDP connections to 100% rare external host mail.klaxcar[.]com

The company’s firewall was configured to prevent outbound RDP connections, but the rule was overly simplistic and was defined by destination port. By changing the port in use, the connections were allowed to continue.

Time: 2017-03-23 14:44:57 [UTC]
Protocol: RDP
Source: 10.230.102.143
Destination: 217.109.48.125
Destination Port: 30005

No other devices in the network had been observed connecting to that host. The activity represented a major deviation from the pattern of normality built by Darktrace’s AI algorithms. The connections lasted over ten minutes and involved the download of nearly 4MB of data.

10.230.102.143 was first seen on the network on 2017-03-23.
Total duration: 10 mins 34 secs
Total upload: 0.19 MB
Total download: 3.77 MB

Darktrace Antigena determined this activity was threatening enough to require an immediate response. It triggered an autonomous response that blocked all outgoing traffic from the device for 10 minutes, giving the security team time to identify the rogue device and stop the RDP activities.

Upon investigation, it became clear that an employee had connected their personal device to the corporate network and was attempting to send valuable intellectual property to a foreign party. The external host happened to be associated with a competing manufacturing company.

It may be tempting to conclude that the company simply needed a better firewall, but that misses the point. Legacy tools – no matter how expensive – still rely on rules, and every rule has an exception. Of course, firewalls are still an essential part of modern cyber security, but organizations need to accept that cyber-threats will always find a way around these tools.

At Darktrace, our technology doesn’t make any assumptions about maliciousness. It uses advanced machine learning and AI algorithms to learn ‘normal’ for every user and device on a network. When a threatening deviation arises, Darktrace neutralizes the threat in real time. While some of these anomalies get stopped by firewalls and other rules-based tools, subtle insider threats like these frequently go undetected.

To learn more about the threats Darktrace finds, check out our Darktrace Global Threat Case Studies Report 2016 which tells the story of how a hacker compromised the video conferencing unit in the executive boardroom.

WannaCry: Darktrace’s response to the global ransomware campaign

Andrew Tsonchev, Director of Cyber Analysis | Wednesday May 17, 2017

Over 200,000 organisations and private individuals were victims of Friday’s global cyber-attack. This number is likely to increase over the coming weeks, as copy-cat criminals develop variants of the same ransomware and new methods of delivering similar attacks.

Some background on the WannaCry campaign

The WannaCry outbreak does not appear to have targeted specific countries or industries. Instead, it targeted outdated computer systems, using exploit kits leaked earlier this year to infect devices and drop the initial ransomware file. Once inside a network, WannaCry will attempt to locate other vulnerable computers by conducting internal and external SMB scanning. Having established itself, the malware encrypts files and demands a ransom of around $300 to unlock them, payable in Bitcoin. However, dealing with criminals means that there is no guarantee of the files being released if that money is paid out. Strong security measures and effective response mechanisms are the only reliable ways in which to prevent extensive damage.

Leveraging Darktrace, these kind of infections are not hard to detect: WannaCry and other ransomware cause highly anomalous behavioural patterns that our machine-learning technology is ideally placed to recognise.

To demonstrate, let’s take a walk-through of how Darktrace was able to detect the WannaCry attack on a client. Note that device names have been obfuscated for security purposes.

  1. Following the initial compromise, Darktrace detected unusual activity originating from an infected device, as it scanned the network in an attempt to locate other devices open to SMB connections:

    Example of an internal scan.

    The worm was scanning the network to locate devices with the DoublePulsar backdoor already present, through which the WannaCry ransomware can be dropped. If this backdoor was not found to be present, the worm used an exploit known as EternalBlue to infect the device, installing both WannaCry and the DoublePulsar backdoor.

  2. This installation of the worm on vulnerable devices allowed it to continue to spread laterally inside the network.
  3. Simultaneously, infected devices scanned random external IPs on port 445 (SMB), to continue spreading the worm to other devices on the internet:

    Internal devices scanning external destinations.

  4. As soon as infected devices started scanning both inside and outside network, Darktrace detected these activities as serious deviations in the devices’ usual pattern of life:

    External and internal connections by one of the network devices 48 hours either side of the WannaCry campaign. Every orange dot represents a model breach.

  5. For many of these devices, the deviation from typical pattern of life was such that it took Darktrace one second to detect anomalous behaviour:

    As this unusual activity persisted in the network, the confidence of Darktrace’s machine learning increased and attributed higher scores to these anomalous events:

  6. These high scores caused Darktrace models to breach in real time, alerting the customer to the severity of the unusual connections occurring inside their network:

In these recent cyber-attacks, the level of disruption was attributed to the speed with which this infection was able to spread like wildfire through networks. Unlike more common forms of malware, which rely on human-mediated methods such as phishing to co-opt people into triggering the payload, this type of attack uses a worm to move from machine to machine without human intervention. Fortunately, it is precisely this – a dramatic change in internal activity – which has allowed us to effectively fight back.

Darktrace Antigena acts automatically to neutralise in-progress attacks, taking targeted action against deviations in the expected ‘pattern of life’. This allows organisations to react before humans have even become aware of a breach. So it follows that the extent of deviation produced by an attack is fundamentally linked to the ability of a self-aware network to protect itself.

The potential gravity of this situation has proven that infections travelling at machine speed require an equivalent response time – only possible with machine-learning technology – in order to stop and contain future threats.

Defending against ransomware: a live threat scenario

Andrew Tsonchev, Director of Cyber Analysis | Monday May 8, 2017

In 2016 alone, cyber-criminals launched 638 million ransomware attacks . That’s 20 ransomware attempts every second.

The cyber security industry has tried to stem the tide by stopping ransomware at the network border, which can help detect some known ransomware threats. The problem is that ransomware is constantly evolving and mutating, with new strains popping up every day.

At Darktrace, our technology detects ransomware without prior knowledge, a vital capability since no matter how strong the network border is, these types of threats inevitably find a way inside.

Let’s take a look at how Darktrace’s unsupervised machine learning detected and responded to a real ransomware attack at a large financial services organization. As with most ransomware, it all started with a phishing email.

  1. Darktrace first noticed anomalous behavior when an employee checked his personal webmail on a corporate laptop. The device started making HTTP requests to a rare external domain: Thu Nov 17, 20:20:22 192.168.103.106 connected to webmail.northrock.bm [80]
  2. The employee opened what he believed to be a Word document, but was actually a malicious .zip file containing a ransomware payload. The device then connected to a second rare external domain. It was not until the next day that OSINT vendors identified the domain as malicious: Thu Nov 17, 20:20:55 192.168.103.106 connected to www.inhabitantap[.]top [80]
  3. Darktrace then observed the device downloading a suspicious .exe file from the anomalous domain: File Transfer (EXE) — FileTransfer::Exe file found with filetype (application/x-dosexec) [80] SHA1: 7099508c86c3b40268a4039afa5aabafb6f36d90
  4. At this point, the ransomware executable had already bypassed multiple perimeter security protocols on the device. The ransomware then began to search for available SMB shares. Unlike the encryption of data on individual devices, SMB encryption jeopardizes data across the entire corporate network. Darktrace highlighted this activity as a major deviation from normal: 20:26:01

    1 SMB Move Success — share= rename_to=[REDACTED].thor file=[REDACTED].xls [445]
    An unusual time for this activity

    20:26:01

    1 SMB Read Success — share= file=[REDACTED].xls [445]

    An unusual time for this activity
  5. Nine seconds after the start of the SMB encryption activities, Darktrace raised an alert signifying that the anomaly required further investigation. As the behavior persisted over the next 24 seconds, Darktrace continually revised its understanding of the deviation as it progressed into a serious threat.

  6. At this point, Darktrace’s Enterprise Immune System determined that the threat required an immediate response, but the security team had gone home for the weekend and wasn’t on site to manually remediate the situation. The Enterprise Immune System stepped in and automatically interrupted all attempts to write encrypted files to network file shares. In so doing, Darktrace neutralized the threat 33 seconds after the malicious activity began.

    SMB write successes are observed as the device encrypts files on the network share (shown in gray). The green spikes represent the ‘significance’ of the activity as understood by Darktrace. This pattern of SMB activity represented a major deviation from the device’s normal behavior.

At every stage of the attack, the Enterprise Immune System continuously monitored the situation and raised alerts of increasing severity. Despite the speed with which the attack unfolded, and despite multiple endpoint solutions failing to identify the executable, the Enterprise Immune System identified the device’s behavior as highly anomalous, and in a matter of seconds, it destroyed the threat.

To learn more about the threats Darktrace finds, check out our annual Threat Report which details how external attackers changed data on a biometric scanner and attempted to take control of an industrial power station.

Trust attacks and the evolution of ransomware

Dave Palmer, Director of Technology | Wednesday April 5, 2017

Ransomware attacks are both indiscriminate and effective. They target everyone from Wall Street corporations to small-town hospitals; from CEOs to union leaders. In 2016 alone, ransomware attacks spiked by 6,000 percent , raking in over $1 billion from unsuspecting victims. For attackers, ransomware is as tried-and-true as they come.

But as the threat landscape continues to grow and evolve, so too does ransomware. Attackers have started to realize that targeting trust can be just as lucrative as targeting data. Reputation has become one of a company’s most valuable assets and is now under assault.

Traditional ransomware can often be dealt with behind the scenes. Whether the organization mitigates the ransomware on their own, recovers the files through a backup system, or even if they pay the ransom, the situation can be resolved without involving customers or press.

But the newest strain of ransomware – dubbed ‘Doxware’ – is not so discrete. Doxware packages a company’s data and threatens to release it to the public . This might include confidential documents like patient records and proprietary blueprints, or personal information like passwords and credit card numbers – the more sensitive the better.

85 percent of industry leaders now consider reputational damage the most significant impact of a cyber-attack . The rise of Doxware shows that cyber-criminals are good at adapting to new market opportunities, and they have a multitude of weapons at their disposal to inflict that damage. Meanwhile, legacy security tools still try to defend networks at the border or concentrate on finding ‘known bad’. Unless these novel attacks are stopped at an early stage, they’re bound to undermine organizational reputation.

As ‘trust attacks’ are becoming increasingly mainstream, safeguarding reputation has become an essential component of cyber security. To protect their brand and trustworthiness, organizations have to be able to evolve in step with the rapidly changing threat landscape, proactively protecting their assets from subtle, stealthy cyber-attacks.

When it comes to ransomware, paying the ransom isn’t a failsafe option, because there’s no guarantee the attacker will decrypt the data. Likewise, bracing for a public data dump via Doxware is equally inadvisable. The best alternative is to detect the threat while it’s still emerging.

At Darktrace, we see ransomware on a daily basis. The reason we can catch it comes down to the detection approach. We’re not looking for a specific signature or a pre-identified ransomware strain. Instead, the technology is constantly learning and re-learning what normal looks like, so when a new type of malware is launched, we don’t have to play catch-up. We detect it straight away.

Here’s an example of a ransomware attack that got through the perimeter at a California non-profit and how it was detected within minutes, allowing the security team to stop it before it spread to a second computer.

About the authors

Justin Fier

Justin Fier is the Director for Cyber Intelligence & Analytics at Darktrace, based in Washington D.C. With over 10 years of experience in cyber defense, Fier has supported various elements in the US intelligence community, holding mission-critical security roles with Lockheed Martin, Northrop Grumman Mission Systems and Abraxas. Fier is a highly-skilled technical officer, and a specialist in cyber operations across both offensive and defensive arenas.

Dave Palmer

Dave Palmer is the Director of Technology at Darktrace, overseeing the mathematics and engineering teams and project strategies. With over ten years of experience at the forefront of government intelligence operations, Palmer has worked across UK intelligence agencies GCHQ & MI5, where he delivered mission-critical infrastructure services, including the replacement and security of entire global networks, the development of operational internet capabilities and the management of critical disaster recovery incidents. He holds a first-class degree in Computer Science and Software Engineering from the University of Birmingham.

Andrew Tsonchev

Andrew Tsonchev is a technical specialist in cyber security and threat analysis, advising Darktrace’s strategic Fortune 500 customers on advanced threat detection, machine learning, and automated response. Before joining Darktrace, Andrew worked as a Security Researcher at Cisco Systems, analyzing vast data sets to uncover new trends and developments in the threat landscape. His findings have been widely reported in leading media outlets, including PC World, CRN, SecurityWeek, TripWire, and the New York Times. He holds a first-class degree in physics from Oxford University, and a first-class degree in philosophy from King’s College London.

English Français 日本語