March 4, 2019

The VR Goldilocks Problem and Value of Continued Recognition

Security and Operations teams face challenges when it comes to visibility and recognition. Learn how we approach a solution to these problems.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Max Heinemeyer
Global Field CISO

First, some context about VR

Security Operations teams face two fundamental challenges when it comes to 'finding bad'.

The first is gaining and maintaining appropriate visibility into what is happening in our environments. Visibility is provided through data (e.g. telemetry, logs). The trinity of data sources for visibility concerns accounts/credentials, devices, and network traffic.

The second challenge is getting good recognition within the scope of what is visible. Recognition is fundamentally about what alerting and workflows you can implement and automate in response to activity that is suspicious or malicious.

Visibility and Recognition each come with their own distinct issues.

Visibility is a question of what data is and can be generated, and whether it is read as telemetry, logged and stored locally, or shipped to a central platform. The timeliness and completeness of your visibility can depend on factors such as how much data you can or can't store locally on the devices that generate it - and for how long; what your data pipeline and data platform look like (e.g. if you are trying to centralise data for analysis); or the capability of the host software agents you have to process certain information locally.

The constraints on visibility set the bar for factors like coverage, timeliness and completeness of what recognition you can achieve. Without visibility, we cannot recognize at all. With limited visibility, what we can recognize may not have much value. With the right visibility, we can still fail to recognize the right things. And with too much recognition, we can quickly overload our senses.

A good example of a technology that offers the opportunity to solve these challenges at the network layer is Darktrace. Their technology provides visibility, from a network traffic perspective, into data that concerns devices and the accounts/credentials associated with them. They then provide recognition on top of this by using Machine Learning (ML) models for anomaly detection. Their models alert on a wide range of activities that may be indicative of threat activity (e.g. malware execution and command and control, a technical exploit, data exfiltration and so on).

The major advantage they provide, compared to traditional Intrusion Detection Systems (IDS) and other vendors who also use ML for network anomaly detection, is that you can a) adjust the sensitivity of their algorithms and b) build your own recognition for particular patterns of interest. For example, if you want to monitor what connections are made to one or two servers, you can set up alerts for any change to expected patterns. This means you can create and adjust custom recognition based on your enterprise context and tune it easily in response to how context changes over time.
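To make this concrete, here is a minimal sketch of what such custom recognition logic boils down to. This is not Darktrace's API; it is a generic, hypothetical illustration of alerting when connections to a watched server fall outside an expected baseline.

```python
# Hypothetical sketch of custom recognition: alert when a watched server
# sees a connection from a source outside its baselined set of peers.
# All names and addresses are illustrative, not a vendor API.

WATCHED_SERVER = "10.0.5.20"                    # server of interest (example)
EXPECTED_SOURCES = {"10.0.1.10", "10.0.1.11"}   # baseline learned from history

def check_connection(src_ip: str, dst_ip: str) -> None:
    """Raise an alert on any connection that deviates from the expected pattern."""
    if dst_ip == WATCHED_SERVER and src_ip not in EXPECTED_SOURCES:
        print(f"ALERT: unexpected connection {src_ip} -> {dst_ip}")

check_connection("10.0.1.10", "10.0.5.20")  # expected source: silent
check_connection("10.0.9.99", "10.0.5.20")  # unexpected source: alerts
```

Tuning then amounts to updating the baseline (or the sensitivity of whatever model maintains it) as your enterprise context changes over time.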

The VR Goldilocks Matrix

Below is what we call the VR Goldilocks Matrix at PBX Group Security. We use it to assess technology, measure our own capability and processes, and ask ourselves hard questions about where we need to focus to get the most value from our budget (or make cuts / shift investment if we need to).

In the squares are some examples of what you (maybe) should think about doing if you find yourself there.

Important questions to ask about VR

One of the things about Visibility and Recognition is that it’s not a given they are ‘always on’. Sometimes there are failure modes for visibility (causing a downstream issue with recognition). And sometimes there are failure modes or conditions under which you WANT to pause recognition.

The key questions you must have answers to about this include:

  • Under what conditions might I lose visibility?
  • How would I know if I have?
  • Is that loss a blind spot (i.e. data is lost for a given time period)…
  • …or is it 'a temporal delay’ (e.g. a connection fails and data is batched for moving from A to B but that doesn’t happen for a few hours)?
  • What are the recognitions that might be impacted by either of the above?
  • What is my expectation for the SLA on those recognitions from ‘cause of alert’ to ‘response workflow’?
  • Under what conditions would I be willing to pause recognition, change the workflow for what happens upon recognition, or stop it all together?
  • What is the stack-ranked list of ‘must, should, could’ for all recognition, and why?

Alerts. Alerts everywhere.

More often than not, Security Operations teams suffer the costs of wasted time due to noisy alerts from certain data sources. As a consequence, it's more difficult for them to separate genuinely suspicious or malicious behavior from benign activity. The number of alerts generated by out-of-the-box SIEM platform configurations for sources like Web Proxies and Domain Controllers is often excessive, and the cost to tune those rules can also be unpalatable. Therefore, rather than trying to tune alerts, teams might make a call to switch them off until someone can get around to figuring out a better way. There’s no use having hypothetical recognition but no workflow to act on what is generated (other than compliance).

This is where technologies that use ML can help. There are two basic approaches...

One is to avoid alerting until multiple conditions are met that indicate a high probability of threat activity. In this scenario, rather than alerting on the 1st, 2nd, 3rd and 4th ‘suspicious activities’, you wait until you have a critical mass of indicators, and then you generate one high fidelity alert that has a much greater weighting to be malicious. This requires both a high level of precision and accuracy in alerting, and naturally some trade off in the time that can pass before an alert for malicious activity is generated.

The other is to alert on ‘suspicious activities 1-4’ and let an analyst or automated process decide if this merits further investigation. This approach sacrifices accuracy for precision, but provides rapid context on whether one, or multiple, conditions are met that push the machine(s) up the priority list in the triage queue. To solve for the lower level of accuracy, this approach can make decisions about how long to sustain alerting. For example, if a host triggers multiple anomaly detection models, rather than continue to send alerts (and risk the SOC deciding to turn them off), the technology can pause alerts after a certain threshold. If a machine has not been quarantined or taken off the network after 10 highly suspicious behaviors are flagged, there is a reasonable assumption that the analyst will have dug into these and found the activity is legitimate.
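A minimal sketch of that pause-after-threshold behavior, assuming a simple per-host alert counter (the threshold of 10 mirrors the example above; everything else is illustrative):

```python
from collections import defaultdict

PAUSE_THRESHOLD = 10  # stop alerting on a host after this many alerts fire

alert_counts = defaultdict(int)
paused_hosts = set()

def handle_anomaly(host: str, model: str) -> None:
    """Emit per-anomaly alerts, then pause a host once the threshold is hit.

    Working assumption: if a host has triggered this many alerts and nobody
    has quarantined it, an analyst has looked and found the activity benign.
    """
    if host in paused_hosts:
        return  # alerting paused; the activity can still be recorded upstream
    alert_counts[host] += 1
    print(f"ALERT {alert_counts[host]}: {model} on {host}")
    if alert_counts[host] >= PAUSE_THRESHOLD:
        paused_hosts.add(host)
        print(f"Pausing further alerts for {host} (threshold reached)")
```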

Punchline 1: the value of Continued Recognition even when 'not malicious'

The topic of paused detections was raised after a recent joint exercise between PBX Group Security and Darktrace in testing Darktrace’s recognition. After a machine being used by the PBX Red Team breached multiple high priority models on Darktrace, the technology stopped alerting on further activity. This was because the initial alerts would have been severe enough to trigger a SOC workflow. This approach is designed to solve the problem of alert overload on a machine that is behaving anomalously but is not in fact malicious. Rather than having the SOC turn off alerts for that machine (which could later be used maliciously), the alerts are paused.

One of the outcomes of the test was that the PBX Detect team advised they would still want those alerts to exist for context to see what else the machine does (i.e. to understand its pattern of life). Now, rather than pausing alerts, Darktrace is surfacing this to customers to show where a rule is being paused and create an option to continue seeing alerts for a machine that has breached multiple models.

Which leads us on to our next point…

Punchline 2: the need for Atomic Tests for detection

Both Darktrace and Photobox Security are big believers in Atomic Red Team testing, which involves ‘unit tests’ that repeatedly (or at a certain frequency) test a detection using code. Unit tests automate the work of Red Teams when they discover control strengths (which you want to monitor continuously for uptime) or control gaps (which you want to monitor for when they are closed). You could design atomic tests to launch a series of particular attacks / threat actor actions from one machine in a chained event. Or you could launch different discrete actions from different machines, each of which has no prior context for doing bad stuff. This allows you to scale the sample size for testing what recognition you have (either through ML or more traditional SIEM alerting). Doing this also means you don't have to ask Red Teams to repeat the same tests again, allowing them to focus on different threat paths to achieve objectives.
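As an illustration of the shape such a unit test can take, here is a hedged Python sketch. Atomic Red Team itself defines tests in YAML with its own runners, and the `query_siem_alerts` helper below is a hypothetical stand-in for whatever query API your SIEM or detection platform exposes.

```python
import subprocess
import time

def run_atomic_test(command: list[str], expected_alert: str, timeout_s: int = 300) -> bool:
    """Launch a benign test action, then poll for the detection it should trigger."""
    subprocess.run(command, check=True)  # e.g. a harmless discovery command
    deadline = time.time() + timeout_s
    while time.time() < deadline:
        if expected_alert in query_siem_alerts():  # hypothetical helper, see below
            return True   # detection is operational
        time.sleep(15)
    return False          # gap found: the expected detection never fired

def query_siem_alerts() -> list[str]:
    """Stub standing in for a real SIEM query; replace with your platform's API."""
    return []
```

Run on a schedule, a suite of these tells you continuously whether the recognition you believe you have is actually alive.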

MITRE ATT&CK is an invaluable framework for this. Many vendors are now aligning to ATT&CK to show what they can recognize relating to attacker TTPs (Tactics, Techniques and Procedures). This enables security teams to map what TTPs are relevant to them (e.g. by using threat intel about the campaigns of threat actor groups that are targeting them). Atomic Red Team tests can then be used to assure that expected detections are operational or find gaps that need closing.

If you miss detections, then you know you need to optimise the recognition you have. If you get too many recognitions outside of the atomic test conditions, you either have to accept a high false positive rate because of the nature of the network, or you can tune your detection sensitivity. The opportunities to do this with technology based on ML and anomaly detection are significant, because for new attack types you can quickly see what a unit test tells you about your current detections, and confirm that the coverage you think you have is 'as expected'.
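Once detections are tagged with ATT&CK technique IDs, comparing the coverage you need against the coverage your atomic tests have proven is simple set arithmetic, as in this small sketch (the technique IDs are examples only):

```python
# Techniques relevant to us, e.g. derived from threat intel on the groups
# targeting our organisation.
relevant_ttps = {"T1046", "T1110", "T1021", "T1048"}

# Techniques whose detections passed their most recent atomic tests.
proven_detections = {"T1046", "T1021"}

gaps = relevant_ttps - proven_detections          # need closing or testing
print(f"Coverage gaps to close: {sorted(gaps)}")  # ['T1048', 'T1110']
```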

Punchline 3: collaboration for the win

Using well-structured Red Team exercises can help your organisation and your technology partners learn new things about how we can collectively find and halt evil. They can also help defenders learn more about good assumptions to build into ML models, as well as covering edge cases where alerts have 'business intelligence' value vs ‘finding bad’.

If you want to understand the categorisations of ways that your populations of machines act over time, there is no better way to do it than through anomaly detection and feeding alerts into a system that supports SOC operations as well as knowledge management (e.g. a graph database).
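As one hedged illustration of that alert-to-graph idea, the sketch below uses Neo4j's Python driver to link each alert to the device that raised it. The connection details and schema are placeholders, not a prescribed design.

```python
from neo4j import GraphDatabase

# Illustrative connection details; substitute your own URI and credentials.
driver = GraphDatabase.driver("bolt://localhost:7687", auth=("neo4j", "password"))

def record_alert(device_ip: str, model_name: str, timestamp: str) -> None:
    """Link each alert to the device that raised it, building up a
    queryable pattern-of-life graph over time."""
    with driver.session() as session:
        session.run(
            "MERGE (d:Device {ip: $ip}) "
            "CREATE (a:Alert {model: $model, at: $ts}) "
            "CREATE (d)-[:TRIGGERED]->(a)",
            ip=device_ip, model=model_name, ts=timestamp,
        )

record_alert("10.0.5.20", "Unusual External Connection", "2019-03-04T10:15:00Z")
```

Querying that graph later ("which devices trigger which models, and how often?") is what turns raw alerts into knowledge management rather than just a triage queue.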

Working like this means that we also help get the most out of the visibility and recognition we have. Security solutions can be of huge help to Network and Operations teams for troubleshooting or answering questions about network architecture. Often, it’s just a shift in perspective that unlocks cross-functional value from investments in security tech and process. Understanding that recognition doesn’t stop with security is another great example of where technologies that let you build your own logic into recognition can make a huge difference, moving beyond protecting the bottom line to adding top-line value.


August 14, 2025

From Exploit to Escalation: Tracking and Containing a Real-World Fortinet SSL-VPN Attack


Threat actors exploiting Fortinet CVEs

Over the years, Fortinet has issued multiple alerts about a wave of sophisticated attacks targeting vulnerabilities in its SSL-VPN infrastructure. Despite the release of patches to address these vulnerabilities, threat actors have continued to exploit a trio of Common Vulnerabilities and Exposures (CVEs) disclosed between 2022 and 2024 to gain unauthorized access to FortiGate devices.

Which vulnerabilities are exploited?

The vulnerabilities—CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762—affect Fortinet’s SSL-VPN services and have been actively exploited by threat actors to establish initial access into target networks.

The vulnerabilities affect core components of FortiOS, allowing attackers to execute remote code on affected systems.

CVE-2022-42475

Type: Heap-Based Buffer Overflow in FortiOS SSL-VPN

Impact: Remote Code Execution (Actively Exploited)

The earliest of the three, this vulnerability targets the SSL-VPN interface and has been actively exploited in the wild. It allows attackers to execute arbitrary code remotely by overflowing a buffer in memory, and is often used to deploy malware or establish persistent backdoors [6].

CVE-2023-27997

Type: Heap-Based Buffer Overflow in FortiOS and FortiProxy

Impact: Remote Code Execution

This flaw exists in the SSL-VPN component of both FortiOS and FortiProxy. By exploiting a buffer overflow in the heap memory, attackers can execute malicious code remotely. This vulnerability is particularly dangerous because it can be triggered without authentication, making it ideal for an initial compromise [5].

CVE-2024-21762

Type: Out-of-Bounds Write in sslvpnd

Impact: Remote Code Execution

This vulnerability affects the SSL-VPN daemon (sslvpnd) in FortiOS. It allows unauthenticated remote attackers to send specially crafted HTTP requests that write data outside of allocated memory bounds. This can lead to arbitrary code execution, giving attackers full control over a device [4].

In short, these flaws enable remote attackers to execute arbitrary code without authentication by exploiting memory corruption issues such as buffer overflows and out-of-bounds writes. Once inside, threat actors use symbolic links (symlinks) to maintain persistence on target devices across patches and firmware updates. This persistence then enables them to bypass security controls and manipulate firewall configurations, effectively turning patched systems into long-term footholds for deeper network compromise [1][2][3].
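Since all three CVEs have fixed releases, a practical first step is a firmware inventory check. The sketch below only illustrates the idea: the version floor is a placeholder, and the authoritative affected/fixed ranges per CVE should be taken from Fortinet's advisories [4][5][6].

```python
# Placeholder threshold for illustration only; consult the Fortinet PSIRT
# advisories [4][5][6] for the authoritative fixed versions per CVE.
MINIMUM_SAFE_VERSION = (7, 4, 0)  # hypothetical "known-good" floor

def parse_version(v: str) -> tuple[int, ...]:
    """Turn a dotted version string like '7.0.8' into a comparable tuple."""
    return tuple(int(part) for part in v.split("."))

def flag_outdated(devices: dict[str, str]) -> list[str]:
    """Return device names running firmware below the safe floor."""
    return [name for name, v in devices.items()
            if parse_version(v) < MINIMUM_SAFE_VERSION]

fleet = {"fw-edge-01": "7.0.8", "fw-edge-02": "7.4.3"}  # example inventory
print(flag_outdated(fleet))  # ['fw-edge-01']
```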

Darktrace’s Coverage

Darktrace detected a series of suspicious activities originating from a compromised Fortinet VPN device, including anomalous HTTP traffic, internal network scanning, and SMB reconnaissance, all indicative of post-exploitation behavior. Following initial detection by Darktrace’s real-time models, its Autonomous Response capability swiftly acted on the malicious activity, blocking suspicious connections and containing the threat before further compromise could occur.

Further investigation by Darktrace’s Threat Research team uncovered a stealthy and persistent attack that leveraged known Fortinet SSL-VPN vulnerabilities to facilitate lateral movement and privilege escalation within the network.

Phase 1: Initial Compromise – Fortinet VPN Exploitation

The attack on a Darktrace customer likely began on April 11 with the exploitation of a Fortinet VPN device running an outdated version of FortiOS. Darktrace observed a high volume of HTTP traffic originating from this device, specifically targeting internal systems. Notably, many of these requests were directed at the /cgi-bin/ directory, a common target for attackers attempting to exploit web interfaces to run unauthorized scripts or commands. This pattern strongly indicated remote code execution attempts via the SSL-VPN interface [7].
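A pattern like this can also be surfaced from raw HTTP logs with very little code. The sketch below is a generic illustration, not how Darktrace models it; the event schema and threshold are assumptions.

```python
from collections import Counter

CGI_BIN_THRESHOLD = 50  # illustrative: flag sources making unusually many requests

def flag_cgi_bin_spikes(http_events: list[dict]) -> list[str]:
    """Count /cgi-bin/ requests per source and flag high-volume offenders.

    Each event is assumed to look like {"src": "1.2.3.4", "uri": "/cgi-bin/x"}.
    """
    counts = Counter(e["src"] for e in http_events
                     if e["uri"].startswith("/cgi-bin/"))
    return [src for src, n in counts.items() if n >= CGI_BIN_THRESHOLD]
```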

Once access was gained, the threat actor likely modified existing firewall rules, a tactic often used to disable security controls or create hidden backdoors for future access. While Darktrace does not have direct visibility into firewall configuration changes, the surrounding activity and post-exploitation behavior indicated that such modifications were made to support long-term persistence within the network.

Figure 1: HTTP activity from the compromised Fortinet device, including repeated requests to /cgi-bin/ over port 8080

Phase 2: Establishing Persistence & Lateral Movement

Shortly after the initial compromise of the Fortinet VPN device, the threat actor began to expand their foothold within the internal network. Darktrace detected initial signs of network scanning from this device, including the use of Nmap to probe the internal environment, likely in an attempt to identify accessible services and vulnerable systems.

Figure 2: Darktrace’s detection of unusual network scanning activities on the affected device.

Around the same time, Darktrace began detecting anomalous activity on a second device, specifically an internal firewall interface device. This suggested that the attacker had established a secondary foothold and was leveraging it to conduct deeper reconnaissance and move laterally through the network.

In an effort to maintain persistence within the network, the attackers likely deployed symbolic links in the SSL-VPN language file directory on the Fortinet device. While Darktrace did not directly observe symbolic link abuse, Fortinet has identified this as a known persistence technique in similar attacks [2][3]. Based on the observed post-exploitation behavior and likely firewall modifications, it is plausible that such methods were used here.

Phase 3: Internal Reconnaissance & Credential Abuse

With lateral movement initiated from the internal firewall interface device, the threat actor proceeded to escalate their efforts to map the internal network and identify opportunities for privilege escalation.

Darktrace observed a successful NTLM authentication from the internal firewall interface to the domain controller over the outdated protocol SMBv1, using the account ‘anonymous’. This was immediately followed by a failed NTLM session connection using the hostname ‘nmap’, further indicating the use of Nmap for enumeration and brute-force attempts. Additional credential probes were also identified around the same time, including attempts using the credential ‘guest’.

Figure 3: Darktrace detection of a series of login attempts using various credentials, with a mix of successful and unsuccessful attempts.

The attacker then initiated DCE_RPC service enumeration, with over 300 requests to the Endpoint Mapper endpoint on the domain controller. This technique is commonly used to discover available services and their bindings, often as a precursor to privilege escalation or remote service manipulation.

Over the next few minutes, Darktrace detected more than 1,700 outbound connections from the internal firewall interface device to one of the customer’s subnets. These targeted common services such as FTP (port 21), SSH (22), Telnet (23), HTTP (80), and HTTPS (443). The threat actor also probed administrative and directory services, including ports 135, 137, 389, and 445, as well as remote access via RDP on port 3389.

Further signs of privilege escalation attempts were observed with the detection of over 300 Netlogon requests to the domain controller. Just over half of these connections were successful, indicating possible brute-force authentication attempts, credential testing, or the use of default or harvested credentials.

Figure 4: Netlogon and DCE-RPC activity from the affected device, showing repeated service bindings to epmapper and Netlogon, followed by successful and failed NetrServerAuthenticate3 attempts.

Phase 4: Privilege Escalation & Remote Access

A few minutes later, the attacker initiated an RDP session from the internal firewall interface device to an internal server. The session lasted over three hours, during which more than 1.5MB of data was uploaded and over 5MB was downloaded.

Notably, no RDP cookie was observed during this session, suggesting manual access, tool-less exploitation, or a deliberate attempt to evade detection. While RDP cookie entries were present on other occasions, none were linked to this specific session—reinforcing the likelihood of stealthy remote access.

Additionally, multiple entries during and after this session show SSL certificate validation failures on port 3389, indicating that the RDP connection may have been established using self-signed or invalid certificates, a common tactic in unauthorized or suspicious remote access scenarios.

Figure 5: Darktrace’s detection of an RDP session from the firewall interface device to the server, lasting over 3 hours.

Darktrace Autonomous Response

Throughout the course of this attack, Darktrace’s Autonomous Response capability was active on the customer’s network. This enabled Darktrace to autonomously intervene by blocking specific connections and ports associated with the suspicious activity, while also enforcing a pre-established “pattern of life” on affected devices, allowing them to continue their expected business activities while preventing any deviations from it. These actions were crucial in containing the threat and preventing further lateral movement from the compromised device.

Figure 6: Darktrace’s Autonomous Response targeted specific connections and restricted affected devices to their expected patterns of life.

Conclusion

This incident highlights the importance of staying on top of patching and of closely monitoring VPN infrastructure, especially for internet-facing systems like Fortinet devices. Despite available patches, attackers were still able to exploit known vulnerabilities to gain access, move laterally, and maintain persistence within the customer’s network.

The attackers here demonstrated a high level of stealth and persistence. Not only did they gain access to the network and carry out network scans and lateral movement, but they also used techniques such as symbolic link abuse, credential probing, and RDP sessions without cookies to avoid detection. Darktrace’s detection of the post-exploitation activity, combined with the swift action of its Autonomous Response technology, successfully blocked malicious connections and contained the attack before it could escalate.

Credit to Priya Thapa (Cyber Analyst), Vivek Rajan (Cyber Analyst), and Ryan Traill (Analyst Content Lead)

Appendices

Real-time Detection Model Alerts

• Device / Suspicious SMB Scanning Activity
• Device / Anomalous Nmap Activity
• Device / Network Scan
• Device / RDP Scan
• Device / ICMP Address Scan

Autonomous Response Model Alerts

• Antigena / Network / Insider Threat / Antigena Network Scan Block
• Antigena / Network / Significant Anomaly / Antigena Significant Anomaly from Client Block

MITRE ATT&CK Mapping

Initial Access – External Remote Services – T1133

Initial Access – Valid Accounts – T1078

Execution – Exploitation for Client Execution – T1203

Persistence – Account Manipulation – T1098

Command and Control – Application Layer Protocol: Web Protocols – T1071.001

Privilege Escalation – Exploitation for Privilege Escalation – T1068

Privilege Escalation – Valid Accounts – T1078

Defense Evasion – Masquerading – T1036

Credential Access – Brute Force – T1110

Discovery – Network Service Scanning – T1046

Discovery – Remote System Discovery – T1018

Lateral Movement – Remote Services – T1021

Lateral Movement – Software Deployment Tools – T1072

Collection – Data from Local System – T1005

Collection – Data Staging – T1074

Exfiltration – Exfiltration Over Alternative Protocol – T1048

References

[1] https://www.tenable.com/blog/cve-2024-21762-critical-fortinet-fortios-out-of-bound-write-ssl-vpn-vulnerability

[2] https://thehackernews.com/2025/04/fortinet-warns-attackers-retain.html

[3] https://www.cisa.gov/news-events/alerts/2025/04/11/fortinet-releases-advisory-new-post-exploitation-technique-known-vulnerabilities

[4] https://www.fortiguard.com/psirt/FG-IR-24-015

[5] https://www.tenable.com/blog/cve-2023-27997-heap-based-buffer-overflow-in-fortinet-fortios-and-fortiproxy-ssl-vpn-xortigate

[6] https://www.tenable.com/blog/cve-2022-42475-fortinet-patches-zero-day-in-fortios-ssl-vpns

[7] https://www.fortiguard.com/encyclopedia/ips/12475

The content provided in this blog is published by Darktrace for general informational purposes only and reflects our understanding of cybersecurity topics, trends, incidents, and developments at the time of publication. While we strive to ensure accuracy and relevance, the information is provided “as is” without any representations or warranties, express or implied. Darktrace makes no guarantees regarding the completeness, accuracy, reliability, or timeliness of any information presented and expressly disclaims all warranties.

Nothing in this blog constitutes legal, technical, or professional advice, and readers should consult qualified professionals before acting on any information contained herein. Any references to third-party organizations, technologies, threat actors, or incidents are for informational purposes only and do not imply affiliation, endorsement, or recommendation.

Darktrace, its affiliates, employees, or agents shall not be held liable for any loss, damage, or harm arising from the use of or reliance on the information in this blog.

The cybersecurity landscape evolves rapidly, and blog content may become outdated or superseded. We reserve the right to update, modify, or remove any content without notice.

About the author
Priya Thapa
Cyber Analyst

August 14, 2025

How Organizations are Addressing Cloud Investigation and Response


Why cloud investigation and response needs to evolve

As organizations accelerate their move to the cloud, they’re confronting two interrelated pressures: a rapidly expanding attack surface and rising regulatory scrutiny. This dual pressure is forcing security practitioners to evolve their strategies in the cloud, particularly around investigation and response, where we see analysts spending the most time. This work is especially difficult in the cloud, often requiring experienced analysts to manually stitch together evidence across fragmented systems, unfamiliar platforms, and short-lived assets.

However, adapting isn’t easy. Many teams are operating with limited budgets and face a shortage of cloud-specific security talent. That’s why more organizations are now prioritizing tools that not only deliver deep visibility and rapid response in the cloud, but also help upskill their analysts to keep pace with threats and compliance demands.

Our 2024 survey report highlights how organizations are recognizing gaps in their cloud security, feeling the heat from regulators, and making significant investments to bolster their cloud investigation capabilities.

In this blog post, we’ll explore the current challenges, approaches, and strategies organizations are employing to enhance their cloud investigation and incident response.

Recognizing the gaps in current cloud investigation and response methods

Complex environments & static tools

Given the dynamic nature of cloud infrastructure (ephemeral assets, autoscaling environments, and multi-cloud complexity), traditional investigation and response methods that rely on static snapshots and point-in-time data are fundamentally mismatched. And because cloud provider APIs demand deep platform knowledge and scripting skills to extract much-needed evidence, it’s unrealistic for one person to master all aspects of cloud incident response.

Analysts are still stitching together logs from fragmented systems, manually correlating events, and relying on post-incident forensics that often arrive too late to drive meaningful response. These approaches were built for environments that rarely changed. In the cloud, where assets may only exist for minutes and attacker movement can span regions or accounts in seconds, point-in-time visibility simply can’t keep up. As a result, critical evidence is missed, timelines are incomplete, and investigations drag on longer than they should.

Even some modern approaches still depend heavily on static configurations, delayed snapshots, or siloed visibility that can’t keep pace with real-time attacker movement.

There is also the problem of identifying which cloud data sources hold the valuable information needed to investigate in the first place. With AWS alone offering over 200 products, each with its own security practices and data sources, it can be challenging to identify where you need to be looking.

To truly secure the cloud, investigation and response must be continuous, automated, and context-rich. Tools should be able to surface the signal from the noise and support analysts at every step, even without deep forensics expertise.

Increasing compliance pressure

With the rise of data privacy regulations and incident reporting mandates worldwide, organizations face heightened scrutiny. Noncompliance can lead to severe penalties, making it crucial to have robust cloud investigation and response mechanisms in place. 74% of organizations surveyed reported that data privacy regulations complicate incident response, underscoring the urgency to adapt to regulatory requirements.

In addition, a majority of organizations surveyed (89%) acknowledged that they suffer damage before they can fully contain and investigate incidents, particularly in cloud environments, highlighting the need for enhanced cloud capabilities.  

Enhancing cloud investigation and response

To address these challenges, organizations are actively growing their capabilities to perform investigations in the cloud. Key steps include:

Allocating and increasing budgets:  

Recognizing the importance of cloud-specific investigation tools, many organizations have started to allocate dedicated budgets for cloud forensics. 83% of organizations have budgeted for cloud forensics, with 77% expecting this budget to increase. This reflects a strong commitment to improving cloud security.

Implementing automation that understands cloud behavior

Automation isn’t just about speeding up tasks. Modern threats demand speed and efficiency from defenders, and automation delivers this by enabling consistent decision-making across unique and dynamic environments. Traditional SOAR platforms, often designed for static on-prem environments, struggle to keep pace with the dynamic and ephemeral nature of the cloud, where resources can disappear before a human analyst even has a chance to look at them. Cloud-native automation, designed to act on transient infrastructure and integrate seamlessly with cloud APIs, is rapidly emerging as the more effective approach for real-time investigation and response. Automation can cover the collection, processing, and storage of incident evidence without waiting for human intervention, leaving the evidence ready and waiting in one place, whether it is cloud-provider logs, disk images, or memory dumps. With the right automation tools you can go further and automate the full process end to end, covering acquisition, processing, analysis, and response.
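As a small, hedged illustration of the acquisition step alone, the sketch below uses AWS's boto3 SDK to snapshot a suspect instance's EBS volumes so disk evidence survives even if the instance itself disappears. The region, tags, and IDs are examples; a full pipeline would chain processing, analysis, and response on top.

```python
import boto3

def snapshot_instance_volumes(instance_id: str, case_id: str) -> list[str]:
    """Preserve disk evidence by snapshotting every EBS volume on an instance."""
    ec2 = boto3.client("ec2", region_name="us-east-1")  # example region
    reservations = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"]
    snapshot_ids = []
    for reservation in reservations:
        for instance in reservation["Instances"]:
            for mapping in instance.get("BlockDeviceMappings", []):
                ebs = mapping.get("Ebs")
                if not ebs:
                    continue  # skip non-EBS (instance store) mappings
                snap = ec2.create_snapshot(
                    VolumeId=ebs["VolumeId"],
                    Description=f"IR evidence for case {case_id}",
                    TagSpecifications=[{
                        "ResourceType": "snapshot",
                        "Tags": [{"Key": "case", "Value": case_id}],
                    }],
                )
                snapshot_ids.append(snap["SnapshotId"])
    return snapshot_ids

# Example: snapshot_instance_volumes("i-0123456789abcdef0", "CASE-042")
```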

Artificial Intelligence (AI) that augments analysts’ intuition, not just their speed

While many vendors tout AI’s ability to “analyze large volumes of data,” that’s table stakes. The real differentiator is how AI understands the narrative of an incident, surfacing high-fidelity alerts, correlating attacker movement across cloud and hybrid environments, and presenting findings in a way that upskills rather than overwhelms analysts.  

In this space, AI isn’t just accelerating investigations, it’s democratizing them by reducing the reliance on highly specialized forensic expertise.  

Strategies for effective cloud investigation and response

Organizations are also exploring various strategies to optimize their cloud investigation and response capabilities:

Enhancing visibility and control:

  • Unified platforms: Implementing platforms that provide a unified view across multiple cloud environments can help organizations achieve better visibility and control. This consolidation reduces the complexity of managing disparate tools and data sources.
  • Improved integration: Ensuring that all security tools and platforms are seamlessly integrated is critical. This integration facilitates better data sharing and cohesive incident management.
  • Cloud-specific expertise: investing in training programs to develop cloud-specific skills among existing staff, and recruiting experts with cloud security knowledge, can bridge the skill gap.
  • Continuous learning: Given the constantly evolving nature of cloud threats, continuous learning and adaptation are essential for maintaining effective security measures.

Leveraging automation and AI:

  • Automation solutions: automation built for cloud environments can significantly speed up and simplify incident response. These solutions can handle repetitive tasks, allowing security teams to focus on more complex issues.
  • AI-powered analysis: AI can assist in rapidly analyzing incident data, identifying anomalies, and predicting potential threats. This proactive approach can help prevent incidents before they escalate.

Cloud investigation and response with Darktrace

Darktrace’s Forensic Acquisition & Investigation capability helps organizations address the complexities of cloud investigations and incident response with ease. The product seamlessly integrates with AWS, GCP, and Azure, consolidating data from multiple cloud environments into one unified platform. This integration enhances visibility and control, making it easier to manage and respond to incidents across diverse cloud infrastructures.

By leveraging machine learning and automation, Forensic Acquisition & Investigation accelerates the investigation process by quickly analyzing vast amounts of data, identifying patterns, and providing actionable insights. Automation reduces manual effort and response times, allowing your security team to focus on the most pressing issues.

Forensic Acquisition & Investigation can help you stay ahead of threats whilst also meeting regulatory requirements, helping you to maintain a robust cloud security position.

About the author
Calum Hall
Technical Content Researcher