Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Brianna Luong (Leddy)
Sr. Technical Alliances Manager
Share
20
Oct 2021
In the era of international-scale cyber-warfare, focus has started to move away from small-time cyber thieves toward well-known, well-funded and sometimes government-backed cyber-crime organizations. Cyber-attacks sometimes work on discordant scales, however, and it doesn’t always take big budgets or key players for considerable damage to be dealt.
Numerous stories detail how the criminal and the curious alike have single-handedly breached some of the most secure systems in the world. At the more amusing end, there’s the story of Kristoffer von Hassel who discovered a novel exploit in Microsoft’s Xbox Live system at just five years old. And then of course there are those who hack their way right into promising security careers by breaching systems at major organizations. However, genuine damage has been done by individual threat actors as well.
These might be criminals using second-hand offensive tools, buying botnet armies for as little as $10 on the Dark Web, or using ransomware files downloaded for free. But ultimately, even a single cyber-criminal can inflict crippling damage upon large organizations if they are given the opportunity.
This is especially the case when the tools in their possession have been developed by some of the most notorious names in cyber-crime.
Copycat criminals
In early 2021, Darktrace detected a new instance of the once notorious Ryuk ransomware being launched against a business in the APAC region. The detection was intriguing.
The developers of Ryuk, a prolific cyber-criminal organization given the name ‘Wizard Spider’, had long since abandoned it in favor of a successor called ‘Conti’. Wizard Spider have launched some of the largest cyber-attacks in recent history, allegedly with the support of the Russian government, and are under investigation by Interpol and the FBI. They are not known for using outdated tools.
It soon became clear that this attack was not being launched by Wizard Spider at all, but by small-scale threat actors picking up the tools Wizard Spider left behind. And as the new attackers proved, these tools are still far from defunct.
Ryuk ransomware: A city-stopper for sale
Ryuk ransomware is commonly used to target large enterprise environments, even taking down entire city councils in some instances. Lake City, Florida and the City of Onkaparinga in South Australia are two of its known victims, along with numerous schools and hospitals across the US.
Once active in a system, Ryuk uses a combination of symmetric (AES) and asymmetric (RSA) encryption to encrypt files, disabling Windows’ system restore feature as it does so, and generally demands payment via Bitcoin in return for a private decryption key.
Though Ryuk was not initially sold in the same manner as its predecessor, Hermes, on the Dark Web site ‘exploit[.]in’, it is now believed by some publications that the toolkit must be available somewhere for various threat actors to buy and tailor to their requirements. This explains its recurrence beyond Wizard Spider activities.
New dog, old tricks
Darktrace spotted the new instance of Ryuk during a trial with a real estate business in the APAC region. The first warning sign came when some basic .dat files were downloaded onto one of the business’ devices from an unknown Russian IP address. Darktrace immediately detected that this download was a likely breach and, had Antigena been set up in active mode, would have initiated a targeted response at this early stage.
The .dat files on the infected device allowed the attackers to use RDP (Remote Desktop Protocol) to spread further into the business’ network. Two days after the initial compromise, the threat actor had gained administrative credentials through a bruteforce attack and could begin scanning the network further.
Figure 1: Timeline of the attack
The witching hour
Just an hour after the attacker gained administrative credentials, at approximately 3:30am local time, ransomware files appeared in the business’ network. This timing was not accidental. The attackers knew that the security teams at the target business were home and asleep when the ransomware landed in the small hours of the morning, giving them plenty of time to conduct their attack.
This is precisely the kind of simple tactic which can multiply the scale of an attack without using large budgets or complex toolsets. The Ryuk ransomware rapidly began encrypting corporate files during the night, and by the time the security team returned in the morning, all they could do was shut down the entire network and hope to limit the spread of Ryuk, if only to save a few final devices.
The total attack time, from initial compromise to widespread data encryption, was just two and a half days. Whether due to understaffing or preoccupation, the security team did not find the time in that small window to respond to alerts, and, with Darktrace Antigena in passive mode, the attack was able to go ahead. This business’ need for Autonomous Response, which can protect against old and new attacks around the clock without the need for manual intervention, was painfully apparent.
Autonomous Response: Stop Ryuk before Ryuk stops you
Understanding Ryuk’s history and functionality does little good for organizations when it is still capable of eluding their defenses and catching security teams unawares. Darktrace’s Self-Learning AI is uniquely positioned to address these sophisticated threats, even as they evolve in the hands of different attackers and become unrecognizable to traditional rule-based security approaches.
Utilizing 24/7 Autonomous Response to stop both new and old threats at machine speed gives security teams the best chance of leveling the playing field against attackers. With Darktrace Antigena, the size or status of the attacking organization and their toolset is irrelevant – any anomalous and threatening behavior will be neutralized quickly and accurately, before damage can be done.
Thanks to Darktrace analyst Thomas Nommensen for his insights on the above threat find.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Darktrace named a Leader in the 2026 Gartner® Magic Quadrant™ for Network Detection and Response (NDR) For the Second Consecutive Year
Darktrace has been named a Leader in the 2026 Gartner® Magic Quadrant™ for Network Detection and Response (NDR) for the second consecutive year. We believe this reflects continued execution in NDR, ongoing AI innovation, and strong outcomes delivered for customers globally.
When Open Source Is Weaponized: Analysis of a Trojanized 7 Zip Installer
Attackers abused a trojanized 7‑Zip installer distributed via a typo‑squatted domain to establish proxyware infections worldwide. This blog analyzes how social engineering, trusted open‑source software, and stealthy command‑and‑control activity enabled widespread compromise, highlighting the importance of software validation, user awareness, and proactive network‑level detection.
Chinese APT Campaign Targets Entities with Updated FDMTP Backdoor
Darktrace researchers identified a Twill Typhoon–linked China‑nexus campaign targeting APJ customers. The activity observed includes CDN impersonation, legitimate binaries, and DLL sideloading to deploy a modular .NET RAT.
The CIP-015 Countdown: What Utilities Should Be Doing Before October 2028
CIP-015 what you need to know
The electric sector already knows CIP-015 is coming. The better question is whether utilities are using the time before October 1, 2028 to build an Internal Network Security Monitoring program that is defensible, auditable, and operationally useful.
I have spent most of my OT cybersecurity career around the power sector, from early NERC CIP program work as an asset owner, to consulting with utilities ranging from small municipalities and rural cooperatives to some of the largest power companies in the country, to now working with technology that helps organizations improve visibility and detection across IT and OT. One lesson has been consistent across all of those roles: compliance is not just about having a control in place. It is about being able to prove the control works.
That is where CIP-015 becomes important.
The standard is not simply asking utilities to deploy a tool inside the Electronic Security Perimeter and call the job done. CIP-015 is about improving the probability of detecting anomalous or unauthorized network activity so that organizations can improve response and recovery from an attack. That purpose is directly stated in the standard itself. (NERC)
The real work between now and October 2028 is not just buying technology. It is building an INSM capability that can collect the right data, detect meaningful activity, support evaluation, retain the right evidence, and protect that evidence from unauthorized deletion or modification.
Why CIP-015 exists
CIP-015 exists because perimeter security alone does not solve the internal visibility problem.
For years, many CIP controls have focused heavily on access management, segmentation, patching, logging, training, and other security practices that help reduce the likelihood of unauthorized access. Those controls still matter. But they do not fully answer what happens after an attacker, insider, compromised vendor account, misused credential, or malicious activity is already operating inside a trusted environment.
NERC’s technical rationale explains that Internal Network Security Monitoring focuses on the collection and analysis of network communications inside a “trust zone,” such as an ESP. In other words, CIP-015 is not only about defending the edge. It is about understanding what is happening inside the environment once traffic is already within the trusted zone. (NERC)
That is the internal visibility gap utilities need to close.
Why traditional security monitoring does not fully satisfy CIP-015
One mistake utilities should avoid is assuming that existing security event monitoring automatically solves CIP-015.
Many organizations already have logging programs tied to CIP-007, SIEM use cases, host-level security events, authentication logs, malware alerts, and incident response workflows. Those capabilities remain valuable, but they are not the same as Internal Network Security Monitoring.
Security event monitoring often tells you what happened on or to a system. INSM is intended to help show what is happening between systems, across network communications, devices, connections, and internal traffic patterns. That distinction is especially important in OT environments where adversaries may use legitimate pathways, valid credentials, native protocols, remote access, engineering workstations, or trusted systems to move inside the environment.
CIP-015 pushes utilities toward a different level of visibility: not just “did a system log something,” but “can we see and evaluate anomalous or unauthorized activity occurring inside the ESP?”
What CIP-015 requires
At a high level, CIP-015-1 requires three core capabilities.
First, under Requirement R1, Responsible Entities must implement, using a risk-based rationale, network data feeds to monitor network activity, including connections, devices, and network communications. They must also implement one or more methods to detect anomalous network activity using those feeds, and one or more methods to evaluate detected anomalous activity to determine further actions.
Requirement R2: Retaining INSM data for investigations
Second, under Requirement R2, entities must retain INSM data associated with anomalous network activity at least until the related evaluation and action are complete. The standard also notes that entities are not required to retain INSM data that is not relevant to detected anomalous activity.
Requirement R3: Protecting monitoring data from tampering
Third, under Requirement R3, entities must protect INSM data collected for R1 and retained for R2 from unauthorized deletion or modification.
Those requirements may sound straightforward, but implementation is where the challenge begins.
What should utilities be asking themselves for CIP-015?
Where are we collecting network data inside the ESP, and why are those feeds defensible?
What methods are we using to detect anomalous network activity?
How do we distinguish meaningful anomalous behavior from normal operational change?
Who evaluates detections, and how are decisions documented?
What data is retained, and how is it protected from unauthorized deletion or modification?
Can we produce evidence that proves this process has worked over time?
Those answers matter because auditors will not be looking for marketing claims. They will be looking for evidence.
Why anomaly detection is central to CIP-015 compliance
One of the most important parts of CIP-015 is also one of the easiest to oversimplify: the word anomalous.
NERC’s technical rationale provides useful context. It explains that, as used in CIP-015, “anomalous” refers to unexpected, undesired, unusual, or undetermined network traffic. It also makes clear that the term does not refer to any single proprietary technology commonly marketed as “anomaly detection.”
Understanding static baselines vs true anomaly detection
A static baseline is not the same thing as meaningful anomaly detection. If a platform observes traffic for a limited period of time, assumes that observed behavior is “normal,” and then flags future deviations without deeper context, the result can be noisy, brittle, and operationally frustrating.
In real OT environments, “normal” is not fixed. Maintenance windows, vendor access, failovers, engineering changes, testing activity, backup jobs, and operational shifts can all change behavior. Detection has to keep learning and understand context. Otherwise, the organization may end up with alerts that are technically anomalous but not practically useful.
CIP-015 is not just about producing anomalies. It is about producing meaningful detections that can be evaluated, documented, and acted upon.
What should utilities consider when looking for anomaly detection tools
Some technologies were built around behavioral analysis and anomaly detection long before CIP-015 existed. What practitioners should look for is if the technology behind the phrase can identify meaningful deviations, provide context, reduce noise, and support the evaluation and evidence expectations of the standard.
Utilities should be cautious of vendor positioning that treats “anomaly” as a simple compliance keyword. This is especially important when evaluating tools historically built around signature-based, threat-based, or rule-based detection methods that are now being positioned as anomaly detection because CIP-015 uses the term.
A platform does not solve CIP-015 simply because it can baseline traffic or generate alerts when something changes.
The question is not: Can this tool create alerts?
The question is: Can this tool identify meaningful anomalous activity with enough context, prioritization, and evidence to support evaluation and response?
Why evidence and audit readiness matter for CIP-015
In NERC CIP, the control is only part of the story. Evidence is the part that proves the control existed, worked, and was followed.
That is why CIP-015 readiness should not be treated as a simple deployment project. It should be treated as a compliance operations and evidence program.
What auditors will expect utilities to prove
For R1, examples of evidence include documentation of network data feeds and the risk-based rationale for selecting them, anomalous network detection events, INSM configuration settings, communication baselines or other detection methods, methods used to evaluate anomalous activity, and actions taken in response to detected anomalies.
For R2, evidence may include documentation of the retention process, system configurations, or system-generated reports showing retention timelines sufficient to support evaluation. For R3, evidence may include documentation showing how INSM data is protected from unauthorized deletion or modification.
Common evidence gaps that can create compliance risk
If an entity implements a platform that generates noisy detections, lacks context, does not retain the right data, cannot demonstrate how data is protected, or cannot produce useful audit evidence, the issue may not become obvious until much later. By then, an organization may discover during an audit that it cannot prove what it thought it had implemented.
That is a bad place to be.
CIP evidence gaps can create exposure that goes back over time, not just to the day the audit finding is discovered. This is why utilities need to validate the process early. Do not wait until an audit cycle to find out whether your INSM approach can stand up to scrutiny.
How utilities should prepare for CIP-015 before 2028
October 2028 may sound far away, but in utility planning terms, it is not.
Utilities should already be moving through a structured readiness process.
Assessing internal network visibility across trusted environments
Start with scope. Identify the applicable High and Medium Impact BES Cyber Systems, the relevant ESPs, and the environments where INSM requirements will apply. Then map current visibility. Where do you already have useful network monitoring? Where are you relying mostly on logs, perimeter controls, or assumptions? Where do you have limited east-west visibility inside trusted environments?
Building a defensible network data feed strategy
Next, define the network data feed strategy. CIP-015 requires a risk-based rationale, so the organization should be able to explain why specific feeds were selected and how they support detection of anomalous activity across relevant connections, devices, and communications.
Validating anomaly detection workflows
Then validate the detection method. This is where utilities need to go deeper than vendor claims. Ask how the platform identifies anomalous activity. Ask how it reduces noise. Ask what context is provided for evaluation. Ask how it handles changes in normal operations. Ask what evidence is retained and how that evidence can be produced.
Testing evidence retention and protection processes
After that, build the evaluation workflow. Who reviews detections? How are anomalies classified as benign, abnormal but not suspicious, suspicious, or potentially malicious? When does an event move into CIP-008 incident response? What documentation is created during that process?
Finally, test evidence production. Utilities should be able to show detection records, configuration settings, evaluation notes, response actions, retention records, and data protection controls before an auditor asks for them.
Where Darktrace Fits into CIP-015
This is where technology matters, but only as part of the broader program.
Darktrace was built on self-learning anomaly detection long before CIP-015 created a new compliance driver around anomalous network activity. Its value is rooted in continuous behavioral understanding, multiple analytical techniques, and the ability to identify meaningful deviations across complex IT and OT environments. That matters because CIP-015 requires more than basic alerting. It requires detection that supports evaluation, evidence, and action.
This IT and OT visibility is especially important in power utility environments. High and Medium Impact environments are not made up only of industrial protocols and field devices. Control centers, operational workstations, engineering workstations, servers, remote access systems, domain services, printers, and other enterprise-class assets often sit inside or adjacent to critical operational environments. A useful INSM capability should understand a wide range of communications across both IT and OT, not only traditional industrial protocols like Modbus, DNP3, or IEC 61850.
That distinction matters because “protocol support” can mean very different things. Identifying that a protocol is present is not the same as performing deeper packet analysis that can provide behavioral context, richer protocol understanding, and meaningful detection across the communications actually used inside the environment. For CIP-015, utilities should be asking whether a platform can help evaluate activity across both enterprise and industrial communications, because real power utility environments are rarely “OT-only.”
This is also why utilities should look carefully at how vendors use the word “anomaly.” Some platforms were designed around behavioral understanding and anomaly detection long before CIP-015 created a new compliance driver. Others may now be adopting the language because the standard uses the term. The difference matters. Utilities should ask whether the platform’s detection approach is foundational to the technology, or simply a new label applied to existing signature-based, threat-based, or rule-based methods.
In OT environments, detection quality matters. Utilities do not need more noise. They need visibility into internal communications, confidence in what is normal, context when something changes, and prioritization that helps security and operations teams focus on what matters.
A strong INSM program should help utilities move from raw monitoring to operational confidence. It should support east-west visibility, better anomaly evaluation, defensible evidence retention, protection of monitoring data, and alignment between compliance and security outcomes.
That is the right way to think about CIP-015.
Not as “deploy a tool and move on.”But as “build a capability that can be trusted, operated, and proven.”
CIP-015 is about proving your INSM capability works
The CIP-015 countdown is real, but the countdown itself is not the whole story.
The real story is what utilities do with the time that remains.
Organizations that treat CIP-015 as a checkbox may be able to say they deployed something. But organizations that treat it as an opportunity to close the internal visibility gap will gain something much more valuable: better detection, better response, better evidence, and stronger operational resilience.
The question utilities should be asking now is not whether they can produce more alerts before October 2028.
The question is whether they can prove their INSM capability actually works.
Journey of a Threat: How Multi-Layered AI Works in Darktrace / EMAIL
Darktrace / EMAIL is an implementation of the Darktrace methodology – a multi-layered AI system built into a single product. As with other Darktrace products, Darktrace / EMAIL learns the expected behaviours of an organization and its employees to identify novel threats and anomalous activity.
The diagram below represents the architecture of Darktrace / EMAIL’s multi-layered AI: a structured visualization of how intelligence is built, step by step, from raw data to actionable insight. Each layer plays a distinct role, feeding into the next: collecting data, understanding behaviour, analysing intent, making decisions, and presenting clear outcomes.
It all starts with an email
In this blog, we’ll follow a malicious email as it passes through the Darktrace / EMAIL system, showing exactly what happens as it travels through each layer of the pyramid, from basic data extraction to AI-powered metric creation, and finally deciding on any autonomous actions.
Let’s take this example email. As an end-user, you can see that this is an obvious extortion attempt where an adversary is threatening legal action if money isn’t paid within 24 hours, but how does Darktrace figure that out?
Part 1: Data Gathering
Processing of an email begins on point-of-transit for all inbound, outbound, or lateral emails. The first step is to extract information directly. This includes taking information from the headers (such as sending and receiving addresses, sender IP address, routing, and authentication protocols), as well as extraction of raw HTML and CSS data from the email itself.
This directly extracted information only allows for immediate surface level analysis, such as identifying signature-based attacks (known malicious addresses / domains), but is insufficient for identifying novel threats, complex attacks, or potential email or vendor compromise. This is where Darktrace’s AI analysis shines.
In this example, the SPF, DKIM, and DMARC authentication all passed successfully, showing that even malicious emails can still bypass these signature-based checks. Even with this success, Darktrace will continue to analyse the email.
Diving deeper into the technical information, we can see further information extracted from the headers, including aggregations from the header information, historical calculations such as the frequency and volume of emails to and from a particular domain, and much more.
Part 2: Social Graphing
Social Graphing involves the analysis of sending and receiving behaviours of different mailboxes to create peer-groups. Mailboxes who often send and receive to and from the same mailboxes, or exhibit other correlated behaviours, will be clustered together using a collection of unsupervised AI clustering systems. These groups may represent uses in the same teams who perform similar activity, groups of external facing mailboxes which often receive unsolicited emails, or groups of VIP users (such as C-suite or executives).
Social graphing is an essential component of Darktrace’s pattern of life analysis. This clustering allows Darktrace to understand the responsibilities of individuals – for example, behaviours which are anomalous for one group of users may be completely expected of another group.
In our example, the email was sent to 3 different users within the organization. As part of the social graphing, an “Association Anomaly” is calculated which indicates the likelihood that these users would receive emails from this user or domain, based on historical patterns.
Part 3: Metric Calculation
Metrics are calculated for every email, representing more complex characteristics of an email which can’t be directly extracted. Darktrace / EMAIL features over 1000 unique metrics, calculated both algorithmically and using an ensemble of AI systems.
Algorithmically calculated (non-AI) metrics include further historical calculations, and counts of features such as code blocks, and hidden text, to name a few.
AI-driven metrics include Inducement Classification which uses Natural Language Processing to identify potential phishing, solicitation, or extortion attempts; Named Entity Recognition to identify PII and other sensitive data within an email to support Data Loss Prevention; and many more.
We can follow our example email through this process and view the outcome of these metric calculations. Looking at the language metrics for this email, we can see that our email has reported a high extortion inducement, along with identification of banking information and language indicating urgency.
Part 4: Evaluation and Combination Engine (models)
Once all metrics have been calculated for an email, it gets sent to an evaluation and combination engine where the metrics are compared against blocks of logic to determine if an email contains a threat. One key model which alerted for this example message was a model to tag and block extortion attempts.
Since our example email has a high inducement score for extortion, along the presence of a bitcoin wallet address in the message, this model alerts. When a model in the engine is activated, actions are taken – in this case adding a tag to the email to flag it as extortion in the console and hold the email to prevent it from reaching the end-user mailbox.
Part 5: Meta-Modelling and Actions
Once the models have been run, the actions are taken against the email. If the email hasn’t been blocked or held, this is the point where it will reach the end-user's mailbox.
In the Darktrace / EMAIL UI, all actions models which alerted for an email and actions taken as a result can be seen. At the top of this page, you can see the alert indicating an extortion attempt along with the action to hold the message.
Alongside this, a meta-classifier is used to calculate an overall anomaly score for each email, based on how much the email differs from the pattern of life for the user. The score of the email is boosted by any actions that have taken place.
Part 6: Campaign Clustering
All emails are passed through the Darktrace / EMAIL campaign clustering system. This system creates clusters based on related features within the emails to identify groups of emails with the same sender or intent.
In our case, the email was identified as part of a campaign, alongside other emails which were also identified as extortion attempts against a small group of recipients.
Email campaigns may have additional actions applied to them if the campaign is deemed malicious, and in this case, you can see that the autonomous response was to hold all emails in the campaign. This means that if an email manages to avoid being blocked in the evaluation and combination engine but gets identified as part of the campaign, the hold action will be applied to it retroactively.
Part 7: Cyber AI Analyst
Darktrace’s Cyber AI Analyst presents key information and anomaly indicators for each email, such as further information about authentication, specific metrics, or other identified anomalies and mismatches.
Cyber AI Analyst can also utilize data from Darktrace / EMAIL to enhance its investigation of incidents from other Darktrace products, correlating relevant information to build a fuller picture. More information about the Cyber AI Analyst is available in the Darktrace AI Arsenal.
Part 8: Data Presentation (UI)
Once all processing has taken place against the email, it is presented in the Darktrace / EMAIL UI. Here, members of the SOC team can investigate incidents and anomalies, interact with malicious emails to see why they were blocked, and much more.
Our email stands out here with its 100 anomaly score. Every email which passes through a Darktrace / EMAIL will undergo the same thorough and rigorous analysis to identify potential risks, apply autonomous actions where required, and will ultimately be assigned a score to be displayed here. By providing a single overall score in the UI, rather than presenting emails in full, Darktrace / EMAIL allows SOC teams to more easily identify which emails are most important to investigate, increasing efficiency and reducing alert fatigue.
Take the next step
Many email security tools on the market that claim to be AI-driven are in fact bolting AI onto attack-centric approaches, which rely on automating the identification of known threats. These approaches struggle, and will continue to struggle, with adapting to novel, AI-generated threats.
By analyzing every email within its deeply integrated, multi-layered AI system, Darktrace / EMAIL is able to identify the subtle threats that others miss. This depth not only improves detection accuracy, but enables confident, autonomous action, giving security teams clearer insight into AI outcomes and greater control while supporting users.
%201.png)
.jpg)
