Darktrace Blog

Perspectives on cyber defense

Trust attacks and the evolution of ransomware

Dave Palmer, Director of Technology | Wednesday April 5, 2017

Ransomware attacks are both indiscriminate and effective. They target everyone from Wall Street corporations to small-town hospitals; from CEOs to union leaders. In 2016 alone, ransomware attacks spiked by 6,000 percent, raking in over $1 billion from unsuspecting victims. For attackers, ransomware is as tried-and-true as they come.

But as the threat landscape continues to grow and evolve, so too does ransomware. Attackers have started to realize that targeting trust can be just as lucrative as targeting data. Reputation has become one of a company’s most valuable assets and is now under assault.

Traditional ransomware can often be dealt with behind the scenes. Whether the organization mitigates the ransomware on their own, recovers the files through a backup system, or even if they pay the ransom, the situation can be resolved without involving customers or press.

But the newest strain of ransomware – dubbed ‘Doxware’ – is not so discreet. Doxware packages a company’s data and threatens to release it to the public. This might include confidential documents like patient records and proprietary blueprints, or personal information like passwords and credit card numbers – the more sensitive the better.

85 percent of industry leaders now consider reputational damage the most significant impact of a cyber-attack. The rise of Doxware shows that cyber-criminals are good at adapting to new market opportunities, and they have a multitude of weapons at their disposal to inflict that damage. Meanwhile, legacy security tools still try to defend networks at the border or concentrate on finding ‘known bad’. Unless these novel attacks are stopped at an early stage, they’re bound to undermine organizational reputation.

As ‘trust attacks’ are becoming increasingly mainstream, safeguarding reputation has become an essential component of cyber security. To protect their brand and trustworthiness, organizations have to be able to evolve in step with the rapidly changing threat landscape, proactively protecting their assets from subtle, stealthy cyber-attacks.

When it comes to ransomware, paying the ransom isn’t a failsafe option, because there’s no guarantee the attacker will decrypt the data. Likewise, bracing for a public data dump via Doxware is equally inadvisable. The best alternative is to detect the threat while it’s still emerging.

At Darktrace, we see ransomware on a daily basis. The reason we can catch it comes down to the detection approach. We’re not looking for a specific signature or a pre-identified ransomware strain. Instead, the technology is constantly learning and re-learning what normal looks like, so when a new type of malware is launched, we don’t have to play catch-up. We detect it straight away.

Here’s an example of a ransomware attack that got through the perimeter at a California non-profit and how it was detected within minutes, allowing the security team to stop it before it spread to a second computer.
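The behavioural signal behind that kind of early detection does not depend on recognising the strain: a single host suddenly renaming many files to an extension it has never used before is anomalous whatever the malware is called. The following is an added example (not Darktrace code and not the detection used in the case above) that applies that idea to file-server audit events; the event format, thresholds and hostnames are constructed for illustration.

```python
"""
Behavioural ransomware detector over file-server audit events (added example,
not Darktrace code). Constructed event tuple:

    (timestamp_seconds, host, action, path, new_path)

action is "read", "write" or "rename"; new_path is None unless action == "rename".
The signal is strain-agnostic: one host renaming many files to an extension that
host has never used before, within a short window. Ordinary saves and
.tmp -> .docx style renames do not count because the target extension is already known.
"""
from collections import defaultdict, deque
import os

WINDOW_SECONDS = 60   # assumptions for this example
THRESHOLD = 20        # files renamed to the same unknown extension within the window


def extension(path):
    return os.path.splitext(path)[1].lower()


def detect_mass_reextension(events, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {host: (first_ts, new_ext, count)} for the first time each host
    crosses the threshold. Events must be in timestamp order."""
    known_ext = defaultdict(set)   # host -> extensions seen in its normal activity
    recent = defaultdict(deque)    # host -> (ts, new_ext) of suspicious renames
    alerts = {}
    for ts, host, action, path, new_path in events:
        if action != "rename":
            known_ext[host].add(extension(path))   # benign activity trains the baseline
            continue
        old_ext, new_ext = extension(path), extension(new_path)
        if new_ext == old_ext or new_ext in known_ext[host]:
            continue                                # benign rename
        q = recent[host]
        q.append((ts, new_ext))
        while q and ts - q[0][0] > window:
            q.popleft()                             # slide the window forward
        per_ext = defaultdict(list)
        for t, e in q:
            per_ext[e].append(t)
        ext, times = max(per_ext.items(), key=lambda kv: len(kv[1]))
        if len(times) >= threshold and host not in alerts:
            alerts[host] = (times[0], ext, len(times))
    return alerts


def sample_events():
    """Constructed audit trail: one normal workstation, one host encrypting a share."""
    ev = [
        (0, "WS-17", "write", "share/report.docx", None),
        (5, "WS-17", "write", "share/budget.xlsx", None),
        (10, "WS-17", "write", "share/notes.txt", None),
        (20, "WS-17", "rename", "share/draft.tmp", "share/draft.docx"),   # benign
        (100, "WS-42", "read", "share/report.docx", None),
    ]
    for i in range(25):   # 25 files re-extensioned in 25 seconds
        ev.append((1000 + i, "WS-42", "rename",
                   f"share/doc{i}.docx", f"share/doc{i}.docx.locky"))
    return ev


def run_example():
    return detect_mass_reextension(sample_events())


if __name__ == "__main__":
    for host, (first_ts, ext, n) in run_example().items():
        print(f"ALERT {host}: {n} files renamed to {ext} starting at t={first_ts}")
```

The detector fires on the twentieth rename, well before the share is fully encrypted, and the per-host baseline keeps it quiet on the workstation doing routine .tmp to .docx renames. It deliberately ignores strains that write new encrypted copies and delete the originals rather than renaming in place; in practice this check is paired with write-rate and file-entropy signals to cover that case.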

The threat is already inside

Justin Fier, Director of Cyber Intelligence | Monday March 6, 2017

Imagine a middle-aged middle manager at a multinational corporation. Joe is the kind of employee who’s always done just enough to get by, cutting corners when he can and flying under the radar. One day, Joe’s boss decides that enough is enough. She fires Joe.

Furious, Joe storms back to his desk to pack up his belongings. Halfway through cleaning out his filing cabinet, he remembers that he doesn’t have to go quietly into the night. He still has administrative access to edit the company website, he has valuable client information, and he’s on an email thread with compromising photos of his boss at the last holiday party.

Disgruntled employees like Joe may be in the minority, but their potential to do serious damage can’t be ignored. Posting those photos of his boss on the company website would be trivial, causing embarrassment at best and impacting financial performance and market confidence at worst. Another option at Joe’s disposal would be to make some money out of his trauma by selling client intelligence to a competitor.

Joe might even go a step further, obtaining access to supposedly secure documents via a new device called PoisonTap, a $5 USB device that installs a backdoor on locked computers. By handing over access to a sophisticated hacker on the Dark Web, Joe could undermine his former employer in the long term with surprising ease.

A recent industry report found that 60 percent of all cyber-attacks are carried out by insiders, and 1 in 4 of those attacks are accidental. For instance, employees click on phishing emails an alarming 23 percent of the time and often use cloud services like Dropbox despite their company explicitly forbidding them. Even basic cyber hygiene remains an uphill battle. The most common password today is ‘123456’, and ‘password’ isn’t far behind.

So even if Joe does take the high road, he may already have exposed his company to serious risk through using poor passwords, mishandling of sensitive documents, or becoming the victim of a well-disguised phishing attack. Despite our modern-day interest in foreign attackers, the biggest threat facing organizations isn’t nation-state hackers or anonymous saboteurs. It’s everyday employees like Joe.

So how do we stop Joe and people like him from exposing their companies to risk, either purposefully or on accident? The first step has to be educating employees on best practices, but education can only go so far. Defending against insider threat should be a core focus in our approach to security. To do that, we have to continuously monitor all users and devices and look out for the early signs of compromise. One thing is for sure in cyber security – the threat is already inside.

Smile! You're on camera

Dave Palmer, Director of Technology | Monday February 13, 2017

Every day, we’re surrounded by cameras and microphones. It’s not just those on our smartphones and laptops anymore. It’s smart TVs, CCTV cameras, conferencing systems, and virtual assistants like Amazon’s Alexa. Many of these devices are recording even when you think they’re off, so they collect audio and video footage 24/7.

Unfortunately, these are among the most vulnerable devices in the IT world. The Mirai botnets responsible for the largest DDoS attack in history have reportedly taken control of 300,000 devices worldwide. Most of them are cameras and video recording equipment.

So why is video equipment so vulnerable? In short, these devices were built for mass production and quick time-to-market, not security. After the Dyn DDoS attack, Chinese company Xiongmai vowed to recall up to 10,000 webcams. Devices like these ship with default usernames and passwords like “admin” and “password”. And in many cases, they’re designed so that users can’t change the password.

The scale of this vulnerability is giving way to a new threat type: ambient surveillance, where you are potentially watched all the time as you move around the world.

But this raises the question: who would want to do such a thing? What would they have to gain by listening to my meetings for hours? Why would a hacker want to watch my face staring at a computer screen?

Because it’s profitable. The rapid development of AI means that ambient surveillance is increasingly becoming a viable way to penetrate business environments and engage in corporate espionage and ambient data theft.

In the past, attackers would have to go through victims’ video or audio footage manually to look for something of value. But AI techniques will automate the process. Attackers will be able to train malicious software to know what to look for – to understand what it hears and sees. In other words, infected machines will be able to sift through all the boring stuff to find the diamond in the rough – recognizing faces, images, and words along the way.

Without disrupting normal functions, conferencing systems could quietly listen and extract the most valuable information, like discussions of illegal activity, quarterly earnings, negotiations, or prep for M&A.

This isn’t just a hypothetical. Recently, Darktrace observed a law firm’s video-conferencing unit behaving strangely. It was transmitting large volumes of data to rare external IPs. The camera was being accessed remotely, allowing the attacker to essentially live stream images and sound. The worst part?

The conference room was used for the most important board and customer meetings. Sensitive information was discussed daily, and the attacker had access to all of it.

This case involved sending large streams of data to the attacker’s server. But soon, cyber-attacks will only send back the most relevant information. By leaking only tiny fragments, these attacks will be much harder to detect.

In the movies, we see gangsters and spies lock their phones away before discussing sensitive topics. But in an era of widespread IoT we need to do something cleverer than hiding from our devices. Ambient surveillance is just one of many new techniques that modern attackers will add to their arsenal.

To learn more about the advanced threats we’ve uncovered, you can book a meeting with me and the rest of the Executive Team at the upcoming RSA conference in San Francisco.

Cyber-threats mean banks are no longer ‘too big to fail’

Justin Fier, Director of Cyber Intelligence | Monday January 30, 2017

Last year, hackers attempted to move $951 million out of Bangladesh Bank, and made off with $81 million. The record-breaking cyber-heist was no anomaly. It was just one in a series of sophisticated cyber-attacks targeting the financial sector. In 2014, criminals stole account information from 83 million JP Morgan customers. And again last year, a single Russian bank suffered 69 separate DDoS attacks. Cyber-attacks against the financial sector are relentless.

And finance isn’t just hit more often than other industries. It’s hit harder. For banks, the average cost per record stolen is $221, well over the average of $158. Driven by the prospect of a huge payday, hackers reserve some of their most sophisticated attacks for banks and other high-profile financial organizations.

To detect advanced attacks like these, we use unsupervised machine learning to identify deviations from normal network activity. Crucially, this approach lets companies detect threats from the inside. At Darktrace, some of the biggest vulnerabilities we’ve found started with a careless employee. Nowhere is this activity more troubling than in the financial services sector.

For example, at a top US investment firm, we detected strange communications between a company desktop and a Chinese cloud service. These communications were deemed highly anomalous and a major deviation from that user’s normal behavior. The employee in question was using the cloud service for legitimate work reasons, but this service came with a host of hidden risks — namely, it was secretly transmitting login details to an unknown third party. The leaked information could have led to a debilitating attack.
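Both this case and the law firm’s video-conferencing unit described in “Smile! You’re on camera” come down to the same two questions about an outbound flow: has this device ever talked to that destination, and does anyone else in the organization? The following added example (not Darktrace code, and not the model behind either detection) scores per-device outbound flows on destination rarity and on volume relative to the device’s own history, so that a low-volume leak is still caught by rarity even when it is too small to stand out by volume. Flow records, device names and thresholds are constructed; the IP addresses are from the RFC 5737 documentation ranges.

```python
"""
Outbound-traffic anomaly scoring per device (added example, not Darktrace code).

Constructed flow record: (day, device, dst_ip, bytes_out), one per device/destination/day.
Two independent signals, so a tiny leak is still caught by destination rarity:
  1. the destination is new for this device and almost no other device has used it
  2. the day's outbound volume is far above the device's own historical median
"""
from collections import defaultdict
import statistics

RARE_MAX_DEVICES = 1   # assumption: a destination used by <=1 baseline device is "rare"
VOLUME_FACTOR = 5.0    # assumption: >5x the device's median daily volume is anomalous


def build_baseline(flows):
    daily = defaultdict(lambda: defaultdict(int))  # device -> day -> total bytes out
    dests = defaultdict(set)                       # device -> destinations it has used
    dest_users = defaultdict(set)                  # destination -> devices that use it
    for day, dev, dst, b in flows:
        daily[dev][day] += b
        dests[dev].add(dst)
        dest_users[dst].add(dev)
    return daily, dests, dest_users


def score_flows(baseline, new_flows, rare_max=RARE_MAX_DEVICES, factor=VOLUME_FACTOR):
    """Return [(device, dst_ip, [reasons])] for each new flow that is anomalous."""
    daily, dests, dest_users = build_baseline(baseline)
    alerts = []
    for day, dev, dst, b in new_flows:
        reasons = []
        users = len(dest_users.get(dst, ()))
        if dst not in dests[dev] and users <= rare_max:
            reasons.append(f"new destination {dst}, known to {users} other device(s)")
        history = list(daily[dev].values())
        if history:
            median = statistics.median(history)
            if b > factor * max(median, 1):
                reasons.append(f"{b} bytes out vs median {median:.0f}")
        if reasons:
            alerts.append((dev, dst, reasons))
    return alerts


def sample_baseline():
    """Constructed week of normal traffic: a conferencing unit that only talks to
    its internal call server, laptops on a shared SaaS and an update mirror."""
    flows = []
    for day in range(1, 8):
        flows.append((day, "conf-room-vc", "10.0.0.5", 2_000_000))
        for n in range(1, 6):
            flows.append((day, f"laptop-{n}", "198.51.100.20", 3_000_000))
        for n in range(3, 6):
            flows.append((day, f"laptop-{n}", "192.0.2.44", 400_000))
    return flows


def sample_new_flows():
    return [
        (8, "conf-room-vc", "203.0.113.7", 900_000_000),  # bulk stream to unknown host
        (9, "conf-room-vc", "203.0.113.7", 40_000),        # tiny fragment, same host
        (8, "laptop-1", "198.51.100.20", 3_500_000),       # ordinary SaaS use
        (8, "laptop-2", "192.0.2.44", 500_000),            # new to laptop-2, common in org
    ]


def run_example():
    return score_flows(sample_baseline(), sample_new_flows())


if __name__ == "__main__":
    for dev, dst, reasons in run_example():
        print(f"ALERT {dev} -> {dst}: " + "; ".join(reasons))
```

The 900 MB stream trips both signals; the 40 KB fragment on the following day trips only the rarity signal, which is the point: once attackers send back only what matters, volume alone is not enough, but a conferencing unit contacting an address nobody else in the organization has ever used is still anomalous. The laptop reaching a mirror that three colleagues already use is left alone.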

These attacks are alarming, but in the future, attackers won’t just try to steal data; they’ll try to change it. Since financial services rely on public confidence, they’ll be disproportionately affected by data manipulation. For instance, by subtly tweaking bank account information, an attacker could destroy the very integrity of the bank’s data. The bank would lose all credibility if the attack went public. Similarly, an attack could alter the mathematical models that inform boardroom decisions at a Wall Street company, thus forcing them to make bad investments.

Between insider threats and sophisticated data manipulation, banks and other financial organizations are feeling the brunt of the ongoing cyber-war. To fight back, they have to arm themselves with similarly advanced security tools. Because when it comes to cyber security, banks are no longer ‘too big to fail’.

To learn more about the challenges facing financial institutions, check out Darktrace’s Industry Data Sheet on Financial Services.

AI will supercharge spear-phishing

Dave Palmer, Director of Technology | Monday January 9, 2017

Imagine a piece of malware hidden on your boss’ computer. It watches her every move, quietly listening; learning. It sifts through her emails, calendar, and messages. In the process, it doesn’t just learn her writing style. It learns the unique way she interacts with everyone in her life.

It picks up on the inside jokes she shares with her husband. It knows the formal tone she employs with the CEO. And it recognizes the familiar cadence she uses with her favorite employee: you.

Her emails to you are often casual, even jokey. She signs her emails with ‘Cheers’ and sends you corny jokes on occasion. And before important meetings, she writes you an encouraging email.

One day, on your way to a morning meeting, you get an email from her. It reads:

Hi there!

I’ll see you at 9 for our meeting. You’re gonna kill it today.

See attached for a map to their office.


PS why did the refrigerator need a bandaid?
……….. for the cold cuts!

You smile, but suddenly you remember that you don’t know where their office is. Would you open the map?

Most people wouldn’t give a second thought. But the attached ‘map’ is really a malicious payload that, if opened, would start rapidly encrypting data and hold your company’s files hostage for a $30,000 ransom.

Artificial intelligence won’t just be used for good — it will open the door for sophisticated cyber-attacks like this. AI will supercharge spear-phishing with automated, intelligent technology. Hyper-realistic, machine-written emails are not some distant fiction. Indeed, the technology already exists.

Between Google’s DeepMind and voice-recognition software like Amazon’s Alexa, machines can now recognize and copy subtle patterns in human behavior. Recently, an intelligent machine even learned how to write a dystopian sci-fi novel. An email from your boss would be child’s play for an even moderately advanced AI.

Artificial intelligence won’t just power phishing attacks either. It will augment every kind of cyber-attack — including those we don’t even know about — with advanced decision-making capabilities. To keep pace with intelligent, unpredictable threats, cyber security will have to adopt an intelligent security of its own.

Want to learn more about the future of AI? You can book a meeting with me and the rest of the Executive Team at the upcoming RSA conference in San Francisco.

5 cyber security predictions for 2017

Justin Fier, Director of Cyber Intelligence | Friday December 16, 2016

Between the Yahoo hack, the DNC email leak, and the DDoS attack that took down much of the Internet, 2016 has seen an unprecedented wave of cyber-attacks.

But these headlines offer but a glimpse into the cyber-war that’s waged every day on a grand scale. Evolving threats and new vulnerabilities mean this war is in a state of constant flux. By analysing current security trends, however, we can try to gauge what the attacks of the future will look like.

These are my predictions for 2017:

  1. Attackers won’t just steal data — they’ll change it
    Criminals aren’t just looking to make a quick buck anymore. They’re playing the long con. By subtly manipulating information, they can inflict reputational damage, erode the integrity of data, or even influence public opinion via ‘fake news’.
  2. Insider threats will rise dramatically
    As networks become busier and more complex, indications of insider threat will get lost in the noise of the network. Yet, these subtle changes could represent thousands of files being removed by a careless employee.
  3. The Internet of Things will become the Internet of Vulnerabilities
    According to Gartner, 13.5 billion connected devices will be in use by 2020. The Dyn attack exploited these smart devices to devastating effect, and future attacks will continue to use vulnerabilities in the IoT for large-scale attacks.
  4. Consumer devices will be held hostage
    In 2016 alone, ransomware has skyrocketed by 400 percent. It’s only a matter of time until these attacks start to target consumer devices. Your smart TV, your phone, your computer, even your car could be held for ransom.
  5. Artificial intelligence will go dark
    AI will soon become a cyber-weapon. Highly sophisticated and persistent attacks will use AI to bypass traditional defenses. From the shadows, they’ll be able to manipulate data, launch advanced phishing campaigns, steal sensitive files, or activate a kill-switch.

But there is hope. If we can forecast the upcoming threats, we can better prepare ourselves for the challenges to come. Our security strategies for the new year should be designed with these threats in mind.

In the meantime, on behalf of everyone here at Darktrace, we hope you have a wonderful holiday, a happy New Year, and a cyber-safe 2017.

The Internet of Stranger Things

Dave Palmer, Director of Technology | Monday December 5, 2016

To take down DNS provider Dyn, hackers exploited critical vulnerabilities in the Internet of Things. Vital internet services crashed, including Twitter, Amazon, and Netflix. Experts now suggest that amateurs may have been behind the attack. This raises the question — if amateurs can use IoT to wreak havoc, how will more sophisticated attackers proceed?

As IoT devices become increasingly prevalent — and as ransomware has skyrocketed by 259 percent in just five months — criminals will start to look at essential business equipment as a viable target. Healthcare machines like insulin pumps and MRIs are now network-connected, as are Boeing 787s, oilfield sensors, wind turbines, quality control machines, and more.

By taking control of essential equipment, a criminal can bring business to a grinding halt, either demanding payment to regain access, or sabotaging the equipment beyond repair.

But IoT attacks also don’t have to be so obvious. Once a criminal has control of a network device, they can subtly alter its data. For instance, by changing results obtained from a drilling company’s sensors, a criminal can trick them into mining a depleted area.

This represents a far more insidious kind of attack. With critical equipment under their control, a criminal can quietly tweak bank account numbers, medical results, or blueprints. Just a small change can prove catastrophic, and given the ubiquitous nature of IoT devices, every industry is vulnerable. Worse still, you may not realize until it’s too late.

By comparison, the Dyn attack seems rather crude.

To be sure, the DDoS attack on Dyn was eye-opening. In the course of a day, we learned the ease with which lackluster IoT security can be exploited for massive cyber-attacks. In this instance, the attacker created a Mirai botnet using home devices to overload the Dyn servers with attack traffic reported to be as high as 1.2 Tbps.

But the Dyn attack is just the beginning. Whether through a subtle attack or an aggressive ransomware extortion, modern businesses are facing substantial new threats because of the IoT. Our security approach needs to reflect this new reality. Fortunately, self-learning immune systems are here, and they can automatically adapt to protect even the newest technologies within our digital ecosystems.

For more on the future of IoT security, sign up for my webinar to learn how cyber-attacks will soon be powered by AI.

Holiday hacking: Cyber-attacks on Cyber Monday

Justin Fier, Director of Cyber Intelligence | Friday November 18, 2016

Every year, on the first Monday after Thanksgiving, two things happen. First, online retailers slash prices and the internet goes on its annual shopping spree. And second, criminals swarm on unwitting businesses, launching large-scale hacks and clever scams.

Digital sales reach up to $3.19 billion on Cyber Monday. Amazon alone generated 36 percent of all online sales last Cyber Monday, accounting for an estimated $1 billion. With so much money changing hands over the internet, the ramifications of a cyber-attack would be huge.

What happens if a DDoS attack hits Amazon’s service provider? The website goes down. Digital sales grind to a halt. And millions in revenue go down the drain as they watch their most lucrative day of the year pass them by.

On Cyber Monday 2014, a DNS provider was hit with a fairly rudimentary DDoS attack. While it lacked the large-scale impact of today’s Mirai botnets, the provider’s clients lost vital business. In another holiday attack, criminals hacked Target and stole sensitive data from 70 million customers.

Disruption and data-theft have become tried-and-true tactics for criminals on Cyber Monday. And with Mirai botnets capable of launching massive DDoS attacks, these could become even more devastating, reminiscent of the Dyn attack but with more far-reaching monetary consequences.

However, in their current form, DDoS attacks are still relatively simple. They work by flooding a target with more traffic than its bandwidth or servers can absorb, something the Internet’s open design offers no built-in protection against. But what if this Cyber Monday, a highly targeted and sophisticated DDoS attack took an organization hostage? By overwhelming a company — or a series of companies — with junk traffic, an attacker could demand a large sum to stop the attack. Whether to manipulate the market or for financial gain, all signs point toward increasingly advanced DDoS attacks.

The implications for this Cyber Monday are clear — businesses need to be prepared. From DDoS to ransomware, every organization can expect to be hit. Companies should bolster their cyber defense well before the holidays, because in security, as in life, you should expect the best, but prepare for the worst.

To learn more about the types of attack you could face, check out my thoughts on DDoS and the IoT .

2016: The year of election tampering?

Justin Fier, Director of Cyber Intelligence | Friday November 4, 2016

The 2016 U.S. election is roiled by fears over election tampering and cyber-warfare. While such anxiety threatens to undermine confidence in the results, the up-side is that for the first time since 2000, the election is generating thoughtful discussion on the intersection of cyber-security and voting.

After the high-profile hack of the Democratic National Committee, and after attacks on voter registration databases in 20 states, these fears are certainly justified. After all, we live in a new era of threat, where foreign powers don’t hesitate to use cyber-tools for economic and political gain. The White House has now formally blamed Russia for the DNC hack, but they’re hardly the only nation-state willing to engage in cloak-and-dagger cyber-warfare.

Further complicating matters is that our voting machines are in desperate need of an overhaul. In 2006, computer scientists proved that in less than a minute, an e-voting machine could be hacked and installed with vote-changing malware, and it can even be done remotely. But intentional manipulation may not even be our biggest concern — in 2004, North Carolina lost 4,438 votes because of a system error.

If you’re thinking paper ballots are the answer, I don’t blame you. Most states would agree: only five states currently use digital voting alone, and 75 percent of all voting is done on paper ballots.

But after the 2000 election, when the infamous ‘hanging chads’ forced millions of votes to be invalidated, it became clear that paper ballots are not only cumbersome, but inaccurate. Two years later, Congress passed the Help America Vote Act and introduced digitized voting and registration databases across America. Unfortunately, the new machines were plagued with errors, and many of them are still in use today.

Growing concern over election tampering prompted 33 state election agencies to petition the Department of Homeland Security for aid. The DHS responded by offering “cyber hygiene scans on Internet-facing systems as well as risk and vulnerability assessments.”

This is a good start, but hardly a long-term solution. Cyber-security for the future has to go beyond one-off scans and retrospective assessments. The answer has to involve intelligently monitoring and analyzing millions of devices — from voting machines to vulnerable IoT devices — in order to mitigate risk from unknown threats. Whether it be a state-sponsored hack or tampering from a politically motivated insider, the integrity of our elections is at stake, and its security deserves the utmost attention.

To hear more of my thoughts on the modern threat landscape, sign up for my webinar on November 9.

6 emerging cyber-threats you didn’t see in the news

Justin Fier, Director of Cyber Intelligence | Monday October 24, 2016

As an industry, the constant stream of cyber-attacks in the news can be overwhelming. It seems like every day we see front-page headlines announcing defaced websites or massive data breaches.

But what about the attacks that never make the news?

Here at Darktrace, our worldwide deployments find early-stage threats every day. While these developing threats never make the headlines, they often emerge in fascinating and unexpected ways.

Here’s a selection of what we’ve found for our customers:

  1. An attacker hacked into a biometric fingerprint scanner used for physical access at a major manufacturing company.
    This company used network-connected fingerprint scanners, allowing the attacker to use Telnet connections and default credentials to gain access. There were strong indicators that the attacker was able to use the device to breach other servers.
  2. A cyber-criminal gained access to a video conferencing system of a multi-national corporation.
    Using a backdoor Trojan Horse, the attacker used six external computers to collect data from the camera, presumably in an attempt to steal video from confidential meetings.
  3. A new strain of malware forced the computers of a security company to visit explicit websites.
    Using random, algorithmically-generated websites, the attackers tried to plant incriminating evidence on the network by generating illegal web activity.
  4. A threat-actor hacked a ‘Lost and Found’ computer at a major European airport.
    To move data in and out, the attacker tunnelled traffic over DNS, a protocol essential for internet communication but rarely used to carry data, and therefore rarely inspected.
  5. A hacker tried to compromise an industrial power network using default codes.
    After penetrating the SCADA energy network, the attacker tried to establish a remote control link by using access codes listed as factory defaults online.
  6. A phishing email launched a ransomware attack on a non-profit charity.
    Using a fake email, the attacker claimed to have an invoice from a legitimate supplier. The attached PDF contacted a server in Ukraine and downloaded malware attempting to encrypt the non-profit’s network.
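The DNS case in item 4 is the one on this list that can be illustrated with ordinary resolver logs: a tunnel has to encode its payload in the query names, so one client ends up asking for many unique, long, high-entropy subdomains under a single domain, often with TXT or NULL record types, where a normal client reuses a handful of short names. The following is an added example (not Darktrace code and not the detection used in the airport case) that scores (client, domain) pairs on those properties; the log format, thresholds, IP addresses and domain names are constructed for illustration.

```python
"""
DNS-tunnelling detector over resolver query logs (added example, not Darktrace code).

Constructed log format, one query per line:
    <ISO timestamp> <client IP> <qtype> <qname>
A tunnel encodes data in the subdomain labels, so for one (client, registered
domain) pair we see many unique, long, high-entropy subdomains. Ordinary clients
re-use a handful of short names.
"""
import hashlib
import math
from collections import defaultdict

MIN_UNIQUE_SUBDOMAINS = 20   # thresholds are assumptions for this example
MIN_MEAN_LABEL_LENGTH = 30
MIN_MEAN_ENTROPY = 3.0       # bits per character; human-readable labels sit well below


def shannon_entropy(s):
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain, registered_domain) using a two-label approximation.
    A real deployment should use the Public Suffix List (co.uk and friends)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def detect_tunnels(log_lines):
    """Return [(client, domain, stats)] for pairs that look like a tunnel."""
    per_pair = defaultdict(lambda: {"subs": set(), "queries": 0, "txt": 0})
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue                      # skip malformed lines rather than crash
        _, client, qtype, qname = parts
        sub, dom = split_name(qname)
        if not sub:
            continue                      # bare registered domain, nothing encoded
        st = per_pair[(client, dom)]
        st["subs"].add(sub)
        st["queries"] += 1
        if qtype.upper() in ("TXT", "NULL"):
            st["txt"] += 1
    alerts = []
    for (client, dom), st in sorted(per_pair.items()):
        subs = st["subs"]
        if len(subs) < MIN_UNIQUE_SUBDOMAINS:
            continue
        mean_len = sum(len(s) for s in subs) / len(subs)
        mean_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if mean_len >= MIN_MEAN_LABEL_LENGTH and mean_ent >= MIN_MEAN_ENTROPY:
            alerts.append((client, dom, {
                "unique": len(subs),
                "mean_len": round(mean_len, 1),
                "mean_entropy": round(mean_ent, 2),
                "txt_ratio": round(st["txt"] / st["queries"], 2),
            }))
    return alerts


def sample_log():
    """Constructed log: one normal workstation and one host tunnelling data out."""
    lines = []
    normal = ["www.example.com", "mail.example.com", "cdn.example.net", "www.example.net"]
    for i in range(40):
        lines.append(f"2016-10-20T08:{i:02d}:00 10.1.2.3 A {normal[i % len(normal)]}")
    for i in range(30):   # payload chunks stand in for encoded file data
        chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:48]
        lines.append(f"2016-10-20T08:{i:02d}:30 10.1.2.9 TXT "
                     f"{chunk[:24]}.{chunk[24:]}.c2.example.org")
    return lines


def run_example():
    return detect_tunnels(sample_log())


if __name__ == "__main__":
    for client, dom, stats in run_example():
        print(f"ALERT {client} -> {dom}: {stats}")
```

Each of the three thresholds guards against a different false positive: unique-subdomain count keeps a single odd lookup from firing, mean length keeps short but random-looking names (some CDN hostnames) out, and entropy keeps long but readable names (deep corporate naming schemes) out. Tuning them against a week of your own resolver logs before alerting is the practical first step.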

Our ‘immune system’ technology caught each attack at an extremely early stage, giving us a rare look at how modern threats are able to bypass legacy systems. Traditional security solutions can only detect attacks with pre-determined signatures. But in each case, threat-actors used signature-less attacks to blend into the noise of the network.

By harnessing the power of unsupervised machine learning, the Enterprise Immune System learned ‘normal’ for each of these networks, and detected the threats as anomalous behavior. Our threat analysts then determined the nature of the attack and counseled the organization to take appropriate action.

If you’re interested in learning the full story behind these emerging cyber-threats, check out our full Global Threat Case Studies report.

We look forward to sharing more of our industry insights with you in the future.

About the authors

Justin Fier

Justin Fier is the Director for Cyber Intelligence & Analytics at Darktrace, based in Washington D.C. With over 10 years of experience in cyber defense, Fier has supported various elements in the US intelligence community, holding mission-critical security roles with Lockheed Martin, Northrop Grumman Mission Systems and Abraxas. Fier is a highly-skilled technical officer, and a specialist in cyber operations across both offensive and defensive arenas.

Dave Palmer

Dave Palmer is the Director of Technology at Darktrace, overseeing the mathematics and engineering teams and project strategies. With over ten years of experience at the forefront of government intelligence operations, Palmer has worked across UK intelligence agencies GCHQ & MI5, where he delivered mission-critical infrastructure services, including the replacement and security of entire global networks, the development of operational internet capabilities and the management of critical disaster recovery incidents. He holds a first-class degree in Computer Science and Software Engineering from the University of Birmingham.

Andrew Tsonchev

Andrew Tsonchev is a technical specialist in cyber security and threat analysis, advising Darktrace’s strategic Fortune 500 customers on advanced threat detection, machine learning, and automated response. Before joining Darktrace, Andrew worked as a Security Researcher at Cisco Systems, analyzing vast data sets to uncover new trends and developments in the threat landscape. His findings have been widely reported in leading media outlets, including PC World, CRN, SecurityWeek, TripWire, and the New York Times. He holds a first-class degree in physics from Oxford University, and a first-class degree in philosophy from King’s College London.
