Blog
/
AI
/
July 26, 2022

Self-Learning AI for Zero-Day and N-Day Attack Defense

Explore the differences between zero-day and n-day attacks on different customer servers to learn how Darktrace detects and prevents cyber threats effectively.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Lewis Morgan
Cyber Analyst
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
26
Jul 2022

Key Terms:

Zero-day | A recently discovered security vulnerability in computer software that has no currently available fix or patch. Its name come from the reality that vendors have “zero days” to act and respond.

N-day | A vulnerability that emerges in computer software in which a vendor is aware and may have already issued (or are currently working on) a patch or fix. Active exploits often already exist and await abuse by nefarious actors.

Traditional security solutions often apply signature-based-detection when identifying cyber threats, helping to defend against legacy attacks but consequently missing novel ones. Therefore, security teams often lend a lot of focus to ensuring that the risk of zero-day vulnerabilities is reduced [1]. As explored in this blog, however, organizations can face just as much of a risk from n-day attacks, since they invite the most attention from malicious actors [2]. This is due in part to the reduced complexity, cost and time invested in researching and finding new exploits compared with that found when attackers exploit zero-days. 

This blog will examine both a zero-day and n-day attack that two different Darktrace customers faced in the fall of 2021. This will include the activity Darktrace detected, along with the steps taken by Darktrace/Network to intervene. It will then compare the incidents, discuss the possible dangers of third-party integrations, and assess the deprecation of legacy security tools.

Revisiting zero-day attacks 

Zero-days are among the greatest concerns security teams face in the era of modern technology and networking. Defending critical systems from zero-day compromises is a task most legacy security solutions are often unable to handle. Due to the complexity of uncovering new security flaws and developing elaborate code that can exploit them, these attacks are often carried out by funded or experienced groups such as nation-state actors and APTs. One of history’s most prolific zero-days, ‘Stuxnet’, sent security teams worldwide into a global panic in 2010. This involved a widespread attack on Iranian nuclear infrastructure and was widely accepted to be a result of nation-state actors [3]. The Stuxnet worm took advantage of four zero-day exploits, compromising over 200,000 devices and physically damaging around 10% of the 9,000 critical centrifuges at the Natanz nuclear site. 

More recently, 2021 saw the emergence of several critical zero-day vulnerabilities within SonicWall’s product suite [4]. SonicWall is a security hardware manufacturer that provides hardware firewall devices, unified threat management, VPN gateways and network security solutions. Some of these vulnerabilities lie within their Secure Mobile Access (SMA) 100 series (for example, CVE-2019-7481, CVE-2021-20016 and CVE-2021-20038 to name a few). These directly affected VPN devices and often allowed attackers easy remote access to company devices. CVE-2021-20016 in particular incorporates an SQL-Injection vulnerability within SonicWall’s SSL VPN SMA 100 product line [5]. If exploited, this defect would allow an unauthenticated remote attacker to perform their own malicious SQL query in order to access usernames, passwords and other session related information. 

The N-day underdog

The shadow cast by zero-day attacks often shrouds that of n-day attacks. N-days, however, often pose an equal - if not greater - risk to the majority of organizations, particularly those in industrial sectors. Since these vulnerabilities have fixes available, all of the hard work around research is already done; malicious actors only need to view proof of concepts (POCs) or, if proficient in coding, reverse-engineer software to reveal code-changes (binary diffing) in order to exploit these security flaws in the wild. These vulnerabilities are typically attributed to opportunistic hackers and script-kiddies, where little research or heavy lifting is required.  

August 2021 gave rise to a critical vulnerability in Atlassian Confluence servers, namely CVE-2021-26084 [6]. Confluence is a widely used collaboration wiki tool and knowledge-sharing platform. As introduced and discussed a few months ago in a previous Darktrace blog (Explore Internet-Facing System Vulnerabilities), this vulnerability allows attackers to remotely execute code on internet-facing servers after exploiting injection vulnerabilities in Object-Graph Navigation Language (OGNL). Whilst Confluence had patches and fixes available to users, attackers still jumped on this opportunity and began scanning the internet for signs of critical devices serving this outdated software [7]. Once identified, they would  exploit the vulnerability, often installing crypto mining software onto the device. More recently, Darktrace explored a new vulnerability (CVE-2022-26134), disclosed midway through 2022, that affected Confluence servers and data centers using similar techniques to that found in CVE-2021-26084 [8]. 

SonicWall in the wild – 1. Zero-day attack

At the beginning of August 2021, Darktrace prevented an attack from taking place within a European automotive customer’s environment (Figure 1). The attack targeted a vulnerable internet-facing SonicWall VPN server, and while the attacker’s motive remains unclear, similar historic events suggest that they intended to perform ransomware encryption or data exfiltration. 

Figure 1: Timeline of the SonicWall attack 

Darktrace was unable to confirm the definite tactics, techniques and procedures (TTPs) used by the attacker to compromise the customer’s environment, as the device was compromised before Darktrace installation and coverage. However, from looking at recently disclosed SonicWall VPN vulnerabilities and patterns of behaviour, it is likely CVE-2021-20016 played a part. At some point after this initial infection, it is also believed the device was able to move laterally to a domain controller (DC) using administrative credentials; it was this server that then initiated the anomalous activity that Darktrace detected and alerted on. 

On August 5th 2021 , Darktrace observed this compromised domain controller engaging in unusual ICMP scanning - a protocol used to discover active devices within an environment and create a map of an organization’s network topology. Shortly after, the infected server began scanning devices for open RDP ports and enumerating SMB shares using unorthodox methods. SMB delete and HTTP requests (over port 445 and 80 respectively) were made for files named delete.me in the root directory of numerous network shares using the user agent Microsoft WebDAV. However, no such files appeared to exist within the environment. This may have been the result of an attacker probing devices in the network in an effort to see their responses and gather information on properties and vulnerabilities they could later exploit. 

Soon the infected DC began establishing RDP tunnels back to the VPN server and making requests to an internal DNS server for multiple endpoints relating to exploit kits, likely in an effort to strengthen the attacker’s foothold within the environment. Some of the endpoints requested relate to:

-       EternalBlue vulnerability 

-       Petit Potam NTLM hash attack tool

-       Unusual GitHub repositories

-       Unusual Python repositories  

The DC made outgoing NTLM requests to other internal devices, implying the successful installation of Petit Potam exploitation tools. The server then began performing NTLM reconnaissance, making over 1,000 successful logins under ‘Administrator’ to several other internal devices. Around the same time, the device was also seen making anonymous SMBv1 logins to numerous internal devices, (possibly symptomatic of the attacker probing machines for EternalBlue vulnerabilities). 

Interestingly, the device also made numerous failed authentication attempts using a spoofed credential for one of the organization’s security managers. This was likely in an attempt to hide themselves using ‘Living off the Land’ (LotL) techniques. However, whilst the attacker clearly did their research on the company, they failed to acknowledge the typical naming convention used for credentials within the environment. This ultimately backfired and made the compromise more obvious and unusual. 

In the morning of the following day, the initially compromised VPN server began conducting further reconnaissance, engaging in similar activity to that observed by the domain controller. Until now, the customer had set Darktrace RESPOND to run in human confirmation mode, meaning interventions were not made autonomously but required confirmation by a member of the internal security team. However, thanks to Proactive Threat Notifications (PTNs) delivered by Darktrace’s dedicated SOC team, the customer was made immediately aware of this unusual behaviour, allowing them to apply manual Darktrace RESPOND blocks to all outgoing connections (Figure 2). This gave the security team enough time to respond and remediate before serious damage could be done.

Figure 2: Darktrace RESPOND model breach showing the manually applied “Quarantine Device” action taken against the compromised VPN server. This screenshot displays the UI from Darktrace version 5.1

Confluence in the wild – 2. N-day attack

Towards the end of 2021, Darktrace saw a European broadcasting customer leave an Atlassian Confluence internet-facing server unpatched and vulnerable to crypto-mining malware using CVE-2021-26084. Thanks to Darktrace, this attack was entirely immobilized within only a few hours of the initial infection, protecting the organization from damage (Figure 3). 

Figure 3: Timeline of the Confluence attack

On midday on September 1st 2021, an unpatched Confluence server was seen receiving SSL connections over port 443 from a suspicious new endpoint, 178.238.226[.]127.  The connections were encrypted, meaning Darktrace was unable to view the contents and ascertain what requests were being made. However, with the disclosure of CVE-2021-26084 just 7 days prior to this activity, it is likely that the TTPs used involved injecting OGNL expressions to Confluence server memory; allowing the attacker to remotely execute code on the vulnerable server.

Immediately after successful exploitation of the Confluence server, the infected device was observed making outgoing HTTP GET requests to several external endpoints using a new user agent (curl/7.61.1). Curl was used to silently download and configure multiple suspicious files relating to XMRig cryptocurrency miner, including ld.sh, XMRig and config.json. Subsequent outgoing connections were then made to europe.randomx-hub.miningpoolhub[.]com · 172.105.210[.]117 using the JSON-RPC protocol, seen alongside the mining credential maillocal.confluence (Figure 4). Only 3 seconds after initial compromise, the infected device began attempting to mine cryptocurrency using the Minergate protocol but was instantly and autonomously blocked by Darktrace RESPOND. This prevented the server from abusing system resources and generating profits for the attacker.

Figure 4: A graph showing the frequency of external connections using the JSON-RPC protocol made by the breach device over a 48-hour window. The orange-red dots represent models that breached as a result of this activity, demonstrating the “waterfall” effect commonly seen when a device suffers a compromise. This screenshot displays the UI from Darktrace version 5.1

In the afternoon, the malware persisted with its infection. The compromised server began making successive HTTP GET requests to a new rare endpoint 195.19.192[.]28 using the same curl user agent (Figures 5 & 6). These requests were for executable and dynamic library files associated with Kinsing malware (but fortunately were also blocked by Darktrace RESPOND). Kinsing is a malware strain found in numerous attack campaigns which is often associated with crypto-jacking, and has appeared in previous Darktrace blogs [9].

Figure 5: Cyber AI Analyst summarising the unusual download of Kinsing software using the new curl user agent. This screenshot displays the UI from Darktrace version 5.1

The attacker then began making HTTP POST requests to an IP 185.154.53[.]140, using the same curl user agent; likely a method for the attacker to maintain persistence within the network and establish a foothold using its C2 infrastructure. The Confluence server was then again seen attempting to mine cryptocurrency using the Minergate protocol. It made outgoing JSON-RPC connections to a different new endpoint, 45.129.2[.]107, using the following mining credential: ‘42J8CF9sQoP9pMbvtcLgTxdA2KN4ZMUVWJk6HJDWzixDLmU2Ar47PUNS5XHv4Kmfdh8aA9fbZmKHwfmFo8Wup8YtS5Kdqh2’. This was once again blocked by Darktrace RESPOND (Figure 7). 

Figure 6: VirusTotal showing the unusualness of one of these external IPs [10]
Figure 7: Log data showing the action taken by Darktrace RESPOND in response to the device breaching the “Crypto Currency Mining Activity” model. This screenshot displays the UI from Darktrace version 5.1

The final activity seen from this device involved the download of additional shell scripts over HTTP associated with Kinsing, namely spre.sh and unk.sh, from 194.38.20[.]199 and 195.3.146[.]118 respectively (Figure 8). A new user agent (Wget/1.19.5 (linux-gnu)) was used when connecting to the latter endpoint, which also began concurrently initiating repeated connections indicative of C2 beaconing. These scripts help to spread the Kinsing malware laterally within the environment and may have been the attacker's last ditch efforts at furthering their compromise before Darktrace RESPOND blocked all connections from the infected Confluence server [11]. With Darktrace RESPOND's successful actions, the customer’s security team were then able to perform their own response and remediation. 

Figure 8: Cyber AI Analyst revealing the last ditch efforts made by the threat actor to download further malicious software. This screenshot displays the UI from Darktrace version 5.1

Darktrace Coverage: N- vs Zero-days

In the SonicWall case the attacker was unable to achieve their actions on objectives (thanks to Darktrace's intervention). However, this incident displayed tactics of a more stealthy and sophisticated attacker - they had an exploited machine but waited for the right moment to execute their malicious code and initiate a full compromise. Due to the lack of visibility over attacker motive, it is difficult to deduce what type of actor led to this intrusion. However, with the disclosure of a zero-day vulnerability (CVE-2021-20016) not long before this attack, along with a seemingly dormant initially compromised device, it is highly possible that it was carried out by a sophisticated cyber criminal or gang. 

On the other hand, the Confluence case engaged in a slightly more noisy approach; it dropped crypto mining malware on vulnerable devices in the hope that the target’s security team did not maintain visibility over their network or would merely turn a blind eye. The files downloaded and credentials observed alongside the mining activity heavily imply the use of Kinsing malware [11]. Since this vulnerability (CVE-2021-26084) emerged as an n-day attack with likely easily accessible POCs, as well as there being a lack of LotL techniques and the motive being long term monetary gain, it is possible this attack was conducted by a less sophisticated or amateur actor (script-kiddie); one that opportunistically exploits known vulnerabilities in internet-facing devices in order to make a quick profit [12].

Whilst Darktrace RESPOND was enabled in human confirmation mode only during the start of the SonicWall attack, Darktrace’s Cyber AI Analyst still offered invaluable insight into the unusual activity associated with the infected machines during both the Confluence and SonicWall compromises. SOC analysts were able to see these uncharacteristic behaviours and escalate the incident through Darktrace’s PTN and ATE services. Analysts then worked through these tickets with the customers, providing support and guidance and, in the SonicWall case, quickly helping to configure Darktrace RESPOND. In both scenarios, Darktrace RESPOND was able to block abnormal connections and enforce a device’s pattern of life, affording the security team enough time to isolate the infected machines and prevent further threats such as ransomware detonation or data exfiltration. 

Concluding thoughts and dangers of third-party integrations 

Organizations with internet-facing devices will inevitably suffer opportunistic zero-day and n-day attacks. While little can be done to remove the risk of zero-days entirely, ensuring that organizations keep their systems up to date will at the very least help prevent opportunistic and script-kiddies from exploiting n-day vulnerabilities.  

However, it is often not always possible for organizations to keep their systems up to date, especially for those who require continuous availability. This may also pose issues for organizations that rely on, and put their trust in, third party integrations such as those explored in this blog (Confluence and SonicWall), as enforcing secure software is almost entirely out of their hands. Moreover, with the rising prevalence of remote working, it is essential now more than ever that organizations ensure their VPN devices are shielded from external threats, guidance on which has been released by the NSA/CISA [13].

These two case studies have shown that whilst organizations can configure their networks and firewalls to help identify known indicators of compromise (IoC), this ‘rearview mirror’ approach will not account for, or protect against, any new and undisclosed IoCs. With the aid of Self-Learning AI and anomaly detection, Darktrace can detect the slightest deviation from a device’s normal pattern of life and respond autonomously without the need for rules and signatures. This allows for the disruption and prevention of known and novel attacks before irreparable damage is caused- reassuring security teams that their digital estates are secure. 

Thanks to Paul Jennings for his contributions to this blog.

Appendices: SonicWall (Zero-day)

Darktrace model detections

·      AIA / Suspicious Chain of Administrative Credentials

·      Anomalous Connection / Active Remote Desktop Tunnel

·      Anomalous Connection / SMB Enumeration

·      Anomalous Connection / Unusual Internal Remote Desktop

·      Compliance / High Priority Compliance Model Breach

·      Compliance / Outgoing NTLM Request from DC

·      Device / Anomalous RDP Followed By Multiple Model Breaches

·      Device / Anomalous SMB Followed By Multiple Model Breaches

·      Device / ICMP Address Scan

·      Device / Large Number of Model Breaches

·      Device / Large Number of Model Breaches from Critical Network Device

·      Device / Multiple Lateral Movement Model Breaches (PTN/Enhanced Monitoring model)

·      Device / Network Scan

·      Device / Possible SMB/NTLM Reconnaissance

·      Device / RDP Scan

·      Device / Reverse DNS Sweep

·      Device / SMB Session Bruteforce

·      Device / Suspicious Network Scan Activity (PTN/Enhanced Monitoring model)

·      Unusual Activity / Possible RPC Recon Activity

Darktrace RESPOND (Antigena) actions (as displayed in example)

·      Antigena / Network / Manual / Quarantine Device

MITRE ATT&CK Techniques Observed
IoCs

Appendices: Confluence (N-day)

Darktrace model detections

·      Anomalous Connection / New User Agent to IP Without Hostname

·      Anomalous Connection / Posting HTTP to IP Without Hostname

·      Anomalous File / EXE from Rare External Location

·      Anomalous File / Script from Rare Location

·      Compliance / Crypto Currency Mining Activity

·      Compromise / High Priority Crypto Currency Mining (PTN/Enhanced Monitoring model)

·      Device / Initial Breach Chain Compromise (PTN/Enhanced Monitoring model)

·      Device / Internet Facing Device with High Priority Alert

·      Device / New User Agent

Darktrace RESPOND (Antigena) actions (displayed in example)

·      Antigena / Network / Compliance / Antigena Crypto Currency Mining Block

·      Antigena / Network / External Threat / Antigena File then New Outbound Block

·      Antigena / Network / External Threat / Antigena Suspicious Activity Block

·      Antigena / Network / External Threat / Antigena Suspicious File Block

·      Antigena / Network / Significant Anomaly / Antigena Block Enhanced Monitoring

MITRE ATT&CK Techniques Observed
IOCs

References:

[1] https://securitybrief.asia/story/why-preventing-zero-day-attacks-is-crucial-for-businesses

[2] https://electricenergyonline.com/energy/magazine/1150/article/Security-Sessions-More-Dangerous-Than-Zero-Days-The-N-Day-Threat.htm

[3] https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/

[4] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=SonicWall+2021 

[5] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20016

[6] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26084

[7] https://www.zdnet.com/article/us-cybercom-says-mass-exploitation-of-atlassian-confluence-vulnerability-ongoing-and-expected-to-accelerate/

[8] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26134

[9] https://attack.mitre.org/software/S0599/

[10] https://www.virustotal.com/gui/ip-address/195.19.192.28/detection 

[11] https://sysdig.com/blog/zoom-into-kinsing-kdevtmpfsi/

[12] https://github.com/alt3kx/CVE-2021-26084_PoC

[13] https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/2791320/nsa-cisa-release-guidance-on-selecting-and-hardening-remote-access-vpns/

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Lewis Morgan
Cyber Analyst

More in this series

No items found.

Blog

/

/

May 8, 2025

Anomaly-based threat hunting: Darktrace's approach in action

person working on laptopDefault blog imageDefault blog image

What is threat hunting?

Threat hunting in cybersecurity involves proactively and iteratively searching through networks and datasets to detect threats that evade existing automated security solutions. It is an important component of a strong cybersecurity posture.

There are several frameworks that Darktrace analysts use to guide how threat hunting is carried out, some of which are:

  • MITRE Attack
  • Tactics, Techniques, Procedures (TTPs)
  • Diamond Model for Intrusion Analysis
  • Adversary, Infrastructure, Victims, Capabilities
  • Threat Hunt Model – Six Steps
  • Purpose, Scope, Equip, Plan, Execute, Feedback
  • Pyramid of Pain

These frameworks are important in baselining how to run a threat hunt. There are also a combination of different methods that allow defenders diversity– regardless of whether it is a proactive or reactive threat hunt. Some of these are:

  • Hypothesis-based threat hunting
  • Analytics-driven threat hunting
  • Automated/machine learning hunting
  • Indicator of Compromise (IoC) hunting
  • Victim-based threat hunting

Threat hunting with Darktrace

At its core, Darktrace relies on anomaly-based detection methods. It combines various machine learning types that allows it to characterize what constitutes ‘normal’, based on the analysis of many different measures of a device or actor’s behavior. Those types of learning are then curated into what are called models.

Darktrace models leverage anomaly detection and integrate outputs from Darktrace Deep Packet Inspection, telemetry inputs, and additional modules, creating tailored activity detection.

This dynamic understanding allows Darktrace to identify, with a high degree of precision, events or behaviors that are both anomalous and unlikely to be benign.  On top of machine learning models for detection, there is also the ability to change and create models showcasing the tool’s diversity. The Model Editor allows security teams to specify values, priorities, thresholds, and actions they want to detect. That means a team can create custom detection models based on specific use cases or business requirements. Teams can also increase the priority of existing detections based on their own risk assessments to their environment.

This level of dexterity is particularly useful when conducting a threat hunt. As described above, and in previous ‘Inside the SOC’ blogs such a threat hunt can be on a specific threat actor, specific sector, or a  hypothesis-based threat hunt combined with ‘experimenting’ with some of Darktrace’s models.

Conducting a threat hunt in the energy sector with experimental models

In Darktrace’s recent Threat Research report “AI & Cybersecurity: The state of cyber in UK and US energy sectors” Darktrace’s Threat Research team crafted hypothesis-driven threat hunts, building experimental models and investigating existing models to test them and detect malicious activity across Darktrace customers in the energy sector.

For one of the hunts, which hypothesised utilization of PerfectData software and multi-factor authentication (MFA) bypass to compromise user accounts and destruct data, an experimental model was created to detect a Software-as-a-Service (SaaS) user performing activity relating to 'PerfectData Software’, known to allow a threat actor to exfiltrate whole mailboxes as a PST file. Experimental model alerts caused by this anomalous activity were analyzed, in conjunction with existing SaaS and email-related models that would indicate a multi-stage attack in line with the hypothesis.

Whilst hunting, Darktrace researchers found multiple model alerts for this experimental model associated with PerfectData software usage, within energy sector customers, including an oil and gas investment company, as well as other sectors. Upon further investigation, it was also found that in June 2024, a malicious actor had targeted a renewable energy infrastructure provider via a PerfectData Software attack and demonstrated intent to conduct an Operational Technology (OT) attack.

The actor logged into Azure AD from a rare US IP address. They then granted Consent to ‘eM Client’ from the same IP. Shortly after, the actor granted ‘AddServicePrincipal’ via Azure to PerfectData Software. Two days later, the actor created a  new email rule from a London IP to move emails to an RSS Feed Folder, stop processing rules, and mark emails as read. They then accessed mail items in the “\Sent” folder from a malicious IP belonging to anonymization network,  Private Internet Access Virtual Private Network (PIA VPN) [1]. The actor then conducted mass email deletions, deleting multiple instances of emails with subject “[Name] shared "[Company Name] Proposal" With You” from the  “\Sent folder”. The emails’ subject suggests the email likely contains a link to file storage for phishing purposes. The mass deletion likely represented an attempt to obfuscate a potential outbound phishing email campaign.

The Darktrace Model Alert that triggered for the mass deletes of the likely phishing email containing a file storage link.
Figure 1: The Darktrace Model Alert that triggered for the mass deletes of the likely phishing email containing a file storage link.

A month later, the same user was observed downloading mass mLog CSV files related to proprietary and Operational Technology information. In September, three months after the initial attack, another mass download of operational files occurred by this actor, pertaining to operating instructions and measurements, The observed patience and specific file downloads seemingly demonstrated an intent to conduct or research possible OT attack vectors. An attack on OT could have significant impacts including operational downtime, reputational damage, and harm to everyday operations. Darktrace alerted the impacted customer once findings were verified, and subsequent actions were taken by the internal security team to prevent further malicious activity.

Conclusion

Harnessing the power of different tools in a security stack is a key element to cyber defense. The above hypothesis-based threat hunt and custom demonstrated intent to conduct an experimental model creation demonstrates different threat hunting approaches, how Darktrace’s approach can be operationalized, and that proactive threat hunting can be a valuable complement to traditional security controls and is essential for organizations facing increasingly complex threat landscapes.

Credit to Nathaniel Jones (VP, Security & AI Strategy, Field CISO at Darktrace) and Zoe Tilsiter (EMEA Consultancy Lead)

References

  1. https://spur.us/context/191.96.106.219

Continue reading
About the author
Nathaniel Jones
VP, Security & AI Strategy, Field CISO

Blog

/

/

May 6, 2025

Combatting the Top Three Sources of Risk in the Cloud

woman working on laptopDefault blog imageDefault blog image

With cloud computing, organizations are storing data like intellectual property, trade secrets, Personally Identifiable Information (PII), proprietary code and statistics, and other sensitive information in the cloud. If this data were to be accessed by malicious actors, it could incur financial loss, reputational damage, legal liabilities, and business disruption.

Last year data breaches in solely public cloud deployments were the most expensive type of data breach, with an average of $5.17 million USD, a 13.1% increase from the year before.

So, as cloud usage continues to grow, the teams in charge of protecting these deployments must understand the associated cybersecurity risks.

What are cloud risks?

Cloud threats come in many forms, with one of the key types consisting of cloud risks. These arise from challenges in implementing and maintaining cloud infrastructure, which can expose the organization to potential damage, loss, and attacks.

There are three major types of cloud risks:

1. Misconfigurations

As organizations struggle with complex cloud environments, misconfiguration is one of the leading causes of cloud security incidents. These risks occur when cloud settings leave gaps between cloud security solutions and expose data and services to unauthorized access. If discovered by a threat actor, a misconfiguration can be exploited to allow infiltration, lateral movement, escalation, and damage.

With the scale and dynamism of cloud infrastructure and the complexity of hybrid and multi-cloud deployments, security teams face a major challenge in exerting the required visibility and control to identify misconfigurations before they are exploited.

Common causes of misconfiguration come from skill shortages, outdated practices, and manual workflows. For example, potential misconfigurations can occur around firewall zones, isolated file systems, and mount systems, which all require specialized skill to set up and diligent monitoring to maintain

2. Identity and Access Management (IAM) failures

IAM has only increased in importance with the rise of cloud computing and remote working. It allows security teams to control which users can and cannot access sensitive data, applications, and other resources.

Cybersecurity professionals ranked IAM skills as the second most important security skill to have, just behind general cloud and application security.

There are four parts to IAM: authentication, authorization, administration, and auditing and reporting. Within these, there are a lot of subcomponents as well, including but not limited to Single Sign-On (SSO), Two-Factor Authentication (2FA), Multi-Factor Authentication (MFA), and Role-Based Access Control (RBAC).

Security teams are faced with the challenge of allowing enough access for employees, contractors, vendors, and partners to complete their jobs while restricting enough to maintain security. They may struggle to track what users are doing across the cloud, apps, and on-premises servers.

When IAM is misconfigured, it increases the attack surface and can leave accounts with access to resources they do not need to perform their intended roles. This type of risk creates the possibility for threat actors or compromised accounts to gain access to sensitive company data and escalate privileges in cloud environments. It can also allow malicious insiders and users who accidentally violate data protection regulations to cause greater damage.

3. Cross-domain threats

The complexity of hybrid and cloud environments can be exploited by attacks that cross multiple domains, such as traditional network environments, identity systems, SaaS platforms, and cloud environments. These attacks are difficult to detect and mitigate, especially when a security posture is siloed or fragmented.  

Some attack types inherently involve multiple domains, like lateral movement and supply chain attacks, which target both on-premises and cloud networks.  

Challenges in securing against cross-domain threats often come from a lack of unified visibility. If a security team does not have unified visibility across the organization’s domains, gaps between various infrastructures and the teams that manage them can leave organizations vulnerable.

Adopting AI cybersecurity tools to reduce cloud risk

For security teams to defend against misconfigurations, IAM failures, and insecure APIs, they require a combination of enhanced visibility into cloud assets and architectures, better automation, and more advanced analytics. These capabilities can be achieved with AI-powered cybersecurity tools.

Such tools use AI and automation to help teams maintain a clear view of all their assets and activities and consistently enforce security policies.

Darktrace / CLOUD is a Cloud Detection and Response (CDR) solution that makes cloud security accessible to all security teams and SOCs by using AI to identify and correct misconfigurations and other cloud risks in public, hybrid, and multi-cloud environments.

It provides real-time, dynamic architectural modeling, which gives SecOps and DevOps teams a unified view of cloud infrastructures to enhance collaboration and reveal possible misconfigurations and other cloud risks. It continuously evaluates architecture changes and monitors real-time activity, providing audit-ready traceability and proactive risk management.

Real-time visibility into cloud assets and architectures built from network, configuration, and identity and access roles. In this unified view, Darktrace / CLOUD reveals possible misconfigurations and risk paths.
Figure 1: Real-time visibility into cloud assets and architectures built from network, configuration, and identity and access roles. In this unified view, Darktrace / CLOUD reveals possible misconfigurations and risk paths.

Darktrace / CLOUD also offers attack path modeling for the cloud. It can identify exposed assets and highlight internal attack paths to get a dynamic view of the riskiest paths across cloud environments, network environments, and between – enabling security teams to prioritize based on unique business risk and address gaps to prevent future attacks.  

Darktrace’s Self-Learning AI ensures continuous cloud resilience, helping teams move from reactive to proactive defense.

[related-resource]

Continue reading
About the author
Pallavi Singh
Product Marketing Manager, OT Security & Compliance
Your data. Our AI.
Elevate your network security with Darktrace AI