Stop the clock: How Autonomous Response contains cyber-threats in seconds

Max Heinemeyer, Director of Threat Hunting | Tuesday December 3, 2019
The next phase in our journey toward autonomous security is Autonomous Response decision-making.
Lawrence Pingree, Research Vice President, Gartner

We’ve talked extensively on this blog about Autonomous Response: the AI-powered technology that, according to Gartner, represents a paradigm shift in cyber defense. As the first such Autonomous Response tool, Darktrace Antigena has already thwarted countless cyber-attacks, from a spear-phishing campaign against a major city to an IoT smart locker attack targeting a popular amusement park. Antigena’s surgical intervention afforded their security teams the time they needed to investigate — stopping the clock in seconds by containing just the malicious behavior.

For all its benefits, however, Autonomous Response does have one drawback: it can make for slightly anticlimactic blog posts. In place of captivating, step-by-step descriptions of malware spreading throughout the enterprise and inflicting irrevocable damage, Antigena case studies end a mere moment after they start, with the “patient zero” employee completely unaware of the compromise that could have been.

In this particular case, however, Antigena was deployed in Human Confirmation Mode — a starter mode wherein the AI’s actions must first be approved by the security team. Absent such approval, the result was both an in-depth look at a sophisticated ransomware attack, as well as a remarkable illustration of how Antigena reacted in real time to every stage of that attack’s lifecycle:

Initial download

Patient zero here was a device that Darktrace detected downloading an executable file from a server with which no other devices on the network had ever communicated. Downloads like this one regularly bypass conventional endpoint tools, since they cannot be programmed in advance to catch the full range of unpredictable future threats. By contrast, because Darktrace AI learned the typical behavior of the company’s unique users and devices while ‘on the job’, it easily determined the download to be anomalous.

Figure 1: Darktrace alerts on the 100% rare connection and subsequent download — as it occurs.

Had Antigena been in Active Mode at the time, this would have marked the end of the blog post. By blocking all connections to the associated IP and port, Antigena would have instantly stopped the download — without otherwise impacting the device at all.

Figure 2: Antigena, in Human Confirmation Mode, recommends that it block the suspicious activity.

Command and control

Following the download, Darktrace observed the device making an HTTP GET request to the same rare endpoint. The continuation of this suspicious activity precipitated an escalation in Antigena’s recommended response, which would now have blocked all outgoing traffic from the breached device to prevent any infection from spreading.

Darktrace then detected the device making yet more unusual external connections to endpoints that, in many cases, had self-signed SSL certificates. Such self-signed certificates do not require verification by a trusted authority and are therefore frequently utilized by cyber-criminals. As a consequence, the outgoing connections from our infected device are likely the installed malware communicating with its command and control infrastructure, as Darktrace flagged below:

Figure 3: Darktrace alerts on the suspicious SSL certificates.

Figure 4: Antigena recommends taking action to block the connections in question.

Internal reconnaissance

Beyond the unusual external activity observed from the breached device, it also began to deviate significantly from its typical pattern of internal behavior. Indeed, Darktrace detected the device making over 160,000 failed internal connections on two key ports: Remote Desktop Protocol port 3389 and SMB port 445. This activity — known as network scanning — provides crucial reconnaissance, giving the attacker insight into the network structure, the services available on each device, and any potential vulnerabilities. Ports 3389 and 445 are especially common targets.

Figure 5: Darktrace tracks this ransomware attack at every step, though the security team does not mount a response in time.

The unusual external connections to self-signed SSL certificates, combined with the highly anomalous internal connectivity from the device, would have caused Antigena to escalate further. Alas, the attack proceeds.

Darktrace detected no further anomalous activity from patient zero for the next four days — perhaps a mechanism to remain under the radar. Yet this period of dormancy concluded when, once again, the device connected to a rare domain with a self-signed SSL certificate, likely reaching out to its command and control infrastructure for additional instructions.

Lateral movement

A day later — in a sign that suggests the prior scanning was somewhat fruitful — the infected device performed a large amount of unusual SMB activity consistent with the malware attempting to move laterally across the network. Darktrace picked up on the breached device sending unusual outgoing SMB writes to the remote administration tool PsExec to a total of 38 destination devices, 28 of which it compromised with a malicious file.

Darktrace recognized this activity as highly anomalous for the particular device, as it doesn’t usually communicate with these destination devices in this manner. Antigena would therefore would have surgically blocked the remote administration behavior by first containing the patient zero device to its normal ‘pattern of life’, and then by escalating to blocking all outgoing connections from the device if lateral movement had continued. Antigena’s escalation can be seen below: the first action is taken at 08:03, the second, more severe action at 08:43.

Figure 6: Darktrace repeatedly alerts on the unusual SMB traffic with high confidence — thanks to its evolving understanding of the device’s typical ‘pattern of life’.

Figure 7: Antigena again recommends immediate intervention, this time to impede lateral movement.

Encryption

Darktrace observed the first sign of the ransomware’s ultimate objective — encrypting files — on a different device, which also performed a large volume of unusual SMB activity. After accessing a multitude of SMB shares that it hadn’t accessed previously, it systematically appended those files with the .locked extension. When all was said and done, this encryption activity was seen from no less than 40 internal devices.

In Active Mode, Antigena Ransomware Block would have fully quarantined the devices — a culmination of increasingly severe Antigena actions from the initial infection of patient zero, to the command and control communication, to the internal reconnaissance, to the lateral movement, and finally to the file encryption.

Figure 8: Antigena Ransomware Block was fully armed and prepared to fight back against the infection.

The case for boring blog posts

No other approach to cyber security is able to track ransomware so comprehensively throughout its lifecycle, as programming legacy tools to flag all remote administration behavior, for instance, would inundate security teams with thousands of false positive alerts. Thus, only Darktrace’s understanding ‘self’ for each infected device can shed light on such activities — in the rare cases when they are anomalous.

Figure 9: An overview of Darktrace’s myriad warnings throughout the five-day attack with each colored dot representing a high-confidence alert.

However, intriguing though it may be to track this lifecycle to conclusion, the technology to write far less intriguing blog posts already exists and is already proven. Autonomous Response will render this kind of threat story a relic of the past, and for organizations with sensitive data and critical intellectual property to safeguard, the days of boring security blogs cannot come soon enough.

To learn more about how Autonomous Response stops the clock on cyber-attacks, check out our white paper: Autonomous Response: Threat Report 2019.

Max Heinemeyer

Max is a cyber security expert with over nine years’ experience in the field, specializing in network monitoring and offensive security. At Darktrace, Max works with strategic customers to help them investigate and respond to threats, as well as overseeing the cyber security analyst team in the Cambridge UK headquarters. Prior to his current role, Max led the Threat and Vulnerability Management department for Hewlett-Packard in Central Europe. In this role he worked as a white hat hacker, leading penetration tests and red team engagements. He was also part of the German Chaos Computer Club when he was still living in Germany. Max holds a MSc from the University of Duisburg-Essen and a BSc from the Cooperative State University Stuttgart in International Business Information Systems.

The best signature move: Detecting ransomware without any signatures at all

Max Heinemeyer, Director of Threat Hunting | Monday November 18, 2019

Across Darktrace’s global customer base, ransomware is rapidly on the rise. And unlike the indiscriminate ransomware worms — like WannaCry and BadRabbit — that we’ve discussed in the past, the trend of today’s attacks is toward selective “big game hunting.” The Ryuk ransomware incident I blogged about last month demonstrates how criminals now seek to exploit the particular vulnerabilities of their strategic targets.

Despite the increasing sophistication of these attacks, however, detecting them is ultimately just a classification problem — albeit a highly complex and consequential one. To understand what makes this problem difficult, consider three ways of identifying ransomware. The first and most common way is to cross-reference new activity with the digital ‘signatures’ of known malware strains, catching attacks that the security community has already catalogued. Of course, such fixed signatures are blind to the novel malware variants that dominate the modern threat landscape.

The second level uses supervised machine learning, which entails training an AI on lots of historical examples of ransomware attacks in an attempt to find their commonalities. While this approach can, in theory, detect ransomware that isn’t identical to training data, the supervised learning approach is essentially just signatures on steroids, failing to flag malicious behavior that is fundamentally unlike anything seen before. Rather, addressing the ransomware epidemic once and for all requires unsupervised machine learning. By understanding how each particular employee and device functions while ‘on the job’ — without any signatures or training data — Cyber AI does just that.

An education in ransomware

When a world-leading education institution was hit with a strain of the Dharma ransomware family this past October, Darktrace Cyber AI immediately alerted on the attack using this learnt knowledge of the institution itself — rather than with signatures. The following timeline details each phase of the incident:

Figure 1: An overview of the attack.

In summary, the threat-actors brute-forced their way into the institution’s network by exploiting a server that lacked protection against such RDP brute-forcing — compromising an admin’s credentials. They then proceeded to scan the network until they located an open port 445, whereupon they moved laterally using the PsExec tool that allows for remote administration. The initially compromised server copied the ransomware, named “system.exe,” to hidden SMB shares on the other machines via the SMB protocol. Finally, that ransomware began encrypting data on all of these devices.

Cyber AI traced every step of the above attack by contrasting it with the institution’s normal online behavior. The graph below shows the infected server’s activity throughout the entire incident.

Figure 2: Every colored dot represents a high-confidence Darktrace alert indicating significantly anomalous activity.

Beyond just detecting the attack, however, Darktrace’s AI Autonomous Response tool, Antigena, would have taken targeted action to neutralize it within seconds. When hit with machine-speed threats like ransomware, human security teams need such AI tools to contain the damage, as Antigena would have done:

An alternate reality with Autonomous Response

The attack would have gone quite differently had it been met with Autonomous Response. To start with, Antigena would have blocked the threat-actor’s repeated login attempts over RDP, since these attempts originated from external IP addresses that had never communicated with the organization before. Antigena works by enforcing the normal ‘pattern of life’ for each impacted user and device, meaning that it would not have blocked IP addresses that regularly communicate with the RDP server. This ensures that activity necessary to daily operations isn’t interrupted during even serious threats.

Figure 3: Darktrace alerts on one of the multiple unusual IP addresses that attempted brute-forcing.

By this point, the threat would already have been neutralized by the blocked brute-forcing. But had the attackers somehow still managed to scan the network for open SMB services, Antigena would have intervened once again to surgically restrict that behavior, as Darktrace recognized that the infected server almost never scanned the internal network.

Figure 4: Darktrace alerts on the anomalous scanning behavior, which Antigena would have autonomously blocked.

Continuing on with the hypothetical, though, the server now employs PsExec to move laterally to other devices — activity that Darktrace identified as anomalous immediately. Antigena would have escalated its response at this point, stopping all outbound connections from the server for several hours. Ultimately, Autonomous Response would have completely disarmed the threat, as it has successfully demonstrated on millions of occasions already.

Uncovering the Unpredictable

It has never been easier for threat-actors to devise novel ransomware strains and to gain access to new command & control domains. Using fixed signatures, IP blacklists, and predefined assumptions is therefore insufficient, since no security tool can predict the next fundamentally unpredictable attack. Only Cyber AI — which learns what’s normal for each unique user and device it defends — is equipped for such a challenge.

Of course, detection alone won’t cut it. Modern ransomware is increasingly automated; in this particular case, the entire incident took less than two hours, from the initial brute-forcing to the concluding encryption. And although Darktrace alerted on the threat in real time, the security team was occupied with other tasks, leading to a compromise. That’s where Autonomous Response has become business-critical across every industry — it’s on guard 24/7, even when the security team can’t be.

To learn more about how Autonomous Response neutralizes ransomware without relying on signatures, check out our white paper: Darktrace Antigena: The Future of AI-Powered Autonomous Response.

Max Heinemeyer

Max is a cyber security expert with over nine years’ experience in the field, specializing in network monitoring and offensive security. At Darktrace, Max works with strategic customers to help them investigate and respond to threats, as well as overseeing the cyber security analyst team in the Cambridge UK headquarters. Prior to his current role, Max led the Threat and Vulnerability Management department for Hewlett-Packard in Central Europe. In this role he worked as a white hat hacker, leading penetration tests and red team engagements. He was also part of the German Chaos Computer Club when he was still living in Germany. Max holds a MSc from the University of Duisburg-Essen and a BSc from the Cooperative State University Stuttgart in International Business Information Systems.