Blog

Email

Thought Leadership

AI email security: Understanding the human behind the keyboard

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
30
Sep 2020
30
Sep 2020
Despite organizations adopting ‘secure’ email gateways and extensive employee training, 94% of cyber-attacks still start in the inbox. Cyber AI understands the human beings behind email communications and autonomously responds to anomalous emails it deems malicious, stopping attacks that other tools miss.

At the heart of any email attack is the goal of moving the recipient to engage: whether that’s clicking a link, filling in a form, or opening an attachment. And with over nine in ten cyber-attacks starting with an email, this attack vector continues to prove successful, despite organizations’ best efforts to safeguard their workforce by deploying email gateways and training employees to spot phishing attempts.

Email attackers have seen such success because they understand their victims. They know that, ultimately, human beings are creatures of habit, prone to error, and susceptible to their emotions. Years of experience has allowed attackers to fine tune their emails making them more plausible and more provocative. Automated tools are now increasing the speed and scale at which criminals can buy new domains and send emails en masse. This makes it even easier to ‘A/B test’ attack methods: abandoning those that don’t see high success rates and capitalizing on those that do.

We can classify phishing attempts into five broad categories, each aiming to trigger a different emotional reaction and elicit a response.

  • Fear: “We have detected a virus on your device, log in to your McAfee account.”
  • Curiosity: “You have 3 new voicemails, click here.”
  • Generosity: “COVID-19 has greatly impacted homelessness in your area. Donate now.”
  • Greed: “Only 23 iPhones left to give away, act now!”
  • Concern: “Coronavirus outbreak in your area: Find out more.”

It’s worth noting that today’s increasingly dynamic workforces are more susceptible to these techniques, isolated in their homes and hungry for new information.

Turning to tech

As email attacks continue to trick employees and find success, many organizations have realized that the built-in security tools that come with their email provider aren’t enough to defend against today’s attacks. Additional email gateways are successful in catching spam and other low-hanging fruit, but fail to stop advanced attacks – particularly those leveraging novel malware, new domains, or advanced techniques. These advanced attacks are also the most damaging to businesses.

This failure is due to an inherent weakness in the legacy approach of traditional security tools. They compare inbound mail against lists of ‘known bad’ IPs, domains, and file hashes. Senders and recipients are treated simply as data points – ignoring the nuances of the human beings behind the keyboards.

Looking at these metrics in isolation fails to take into account the full context that can only be gained by understanding the people behind email interactions: where they usually log in from, who they communicate with, how they write, and what types of attachments they send and receive. It is this rich, personal context that reveals seemingly benign emails to be unmistakably malicious, especially when other data fails to reveal the danger.

Misunderstanding the human

Frustrated with the ineffectiveness of traditional tools, many organizations think that the solution is to minimize the chances that employees engage with malicious emails through comprehensive employee training. Indeed, companies often attempt to train their employees to spot malicious emails to compensate for their technology’s lack of detection.

Considering humans to be the last line of defense is dangerous, and this approach overlooks the fact that today’s sophisticated fakes can appear indistinguishable to legitimate mails. It's only when you really break an email down beyond the text, beyond the personal name, beyond the domain and email address (in the case of compromised trusted senders), that you can decipher between real and fake.

Large data breaches of recent years have given attackers greater access than ever to corporate emails and stolen passwords, and so supply chain attacks are becoming increasingly common. When attackers take over a trusted account or an existing email thread, how can an employee be expected to notice a subtle change in wording or the different type of attached document? However rigorous the internal training program and regardless of how vigilant employees are, we are now at the point where humans cannot spot these very subtle indicators. And one click is all it takes.

Understanding the human

Email security, for a long time, remains an unsolved piece of the complex cyber security puzzle. The failure of both traditional tools and employee training has prompted organizations to take a radically different approach. Thousands of businesses across the world, in both the public and private sector, use artificial intelligence that understands the human behind the keyboard and forms a nuanced and continually evolving understanding of email interactions across the business.

By learning what a human does, who they interact with, how they write, and the substance of a typical conversation between any two or more people, AI begins to understand the habits of employees, and over time it builds a comprehensive picture of their normal patterns of behavior. Most importantly, AI is self-learning, continuously revising its understanding of ‘normal’ so that when employees’ habits change, so does the AI’s understanding.

This enables the technology to detect behavioral anomalies that fall outside of an employee’s ‘pattern of life’, or the pattern of life for the organization as a whole.

This fundamentally new approach to email security enables the system to recognize the subtle indicators of a threat and make accurate decisions to stop or allow emails to pass through, even if a threat has never been seen before.

Sitting behind email gateways, this self-learning technology has extremely high catch rates. It has caught countless malicious emails that other tools missed, from impersonations of senior financial personnel to ‘fearware’ that played on the workforce’s uncertainties at a time of pandemic.

Attackers are continuing to innovate, and automation has led to a new wave of email threats. 88% of security leaders now believe that cyber-attacks powered by offensive AI are inevitable. The email threat landscape is rapidly changing, and we can expect to receive more hoax emails that are more convincing. Now is a crucial moment for organizations to prepare for this eventuality by adopting AI in their email defenses.

INSIDE THE SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
AUTHOR
ABOUT ThE AUTHOR
Dan Fein
VP, Product

Based in New York, Dan joined Darktrace’s technical team in 2015, helping customers quickly achieve a complete and granular understanding of Darktrace’s product suite. Dan has a particular focus on Darktrace/Email, ensuring that it is effectively deployed in complex digital environments, and works closely with the development, marketing, sales, and technical teams. Dan holds a Bachelor’s degree in Computer Science from New York University.

Book a 1-1 meeting with one of our experts
share this article
USE CASES
No items found.
PRODUCT SPOTLIGHT
No items found.
COre coverage
No items found.

More in this series

No items found.

Blog

Inside the SOC

Identifying the Imposter: Darktrace’s Detection of Simulated Malware vs the Real Thing

Default blog imageDefault blog image
13
Mar 2024

Distinguishing attack simulations from the real thing

In an era marked by the omnipresence of digital technologies and the relentless advancement of cyber threats, organizations face an ongoing battle to safeguard their digital environment. Although red and blue team exercises have long served as cornerstones in evaluating organizational defenses, their reliance on manual processes poses significant constraints [1]. Led by seasoned security professionals, these tests offer invaluable insights into security readiness but can be marred by their resource-intensive and infrequent testing cycles. The gaps between assessments leave organizations open to undetected vulnerabilities, compromising the true state of their security environment. In response to the ever-changing threat landscape, organizations are adopting a proactive stance towards cyber security to fortify their defenses.

At the forefront, these efforts tend to revolve around simulated attacks, a process designed to test an organization's security posture against both known and emerging threats in a safe and controlled environment [2]. These meticulously orchestrated simulations imitate the tactics, techniques, and procedures (TTPs) employed by actual adversaries and provide organizations with invaluable insights into their security resilience and vulnerabilities. By immersing themselves in simulated attack scenarios, security teams can proactively probe for vulnerabilities, adopt a more aggressive defense posture, and stay ahead of evolving cyber threats.

Distinguishing between simulated malware observations and authentic malware activities stands as a critical imperative for organizations bolstering their cyber defenses. While simulated platforms offer controlled scenarios for testing known attack patterns, Darktrace’s Self-Learning AI can detect known and unknown threats, identify zero-day threats, and previously unseen malware variants, including attack simulations. Whereas simulated platforms focus on specific known attack vectors, Darktrace DETECT™ and Darktrace RESPOND™ can identify and contain both known and unknown threats across the entire attack surface, providing unparalleled protection of the cyber estate.

Darktrace’s Coverage of Simulated Attacks

In January 2024, the Darktrace Security Operations Center (SOC) received a high volume of alerts relating to an unspecified malware strain that was affecting multiple customers across the fleet, raising concerns, and prompting the Darktrace Analyst team to swiftly investigate the multitude of incident. Initially, these activities were identified as malicious, exhibiting striking resemblance to the characteristics of Remcos, a sophisticated remote access trojan (RAT) that can be used to fully control and monitor any Windows computer from XP and onwards [3]. However, further investigation revealed that these activities were intricately linked to a simulated malware provider.

This discovery underscores a pivotal insight into Darktrace’s capabilities. To this point, leveraging advanced AI, Darktrace operates with a sophisticated framework that extends beyond conventional threat detection. By analyzing network behavior and anomalies, Darktrace not only discerns between simulated threats, such as those orchestrated by breach and attack simulation platforms and genuine malicious activities but can also autonomously respond to these threats with RESPOND. This showcases Darktrace’s advanced capabilities in effectively mitigating cyber threats.

Attack Simulation Process: Initial Access and Intrusion

Darktrace initially observed devices breaching several DETECT models relating to the hostname “new-tech-savvy[.]com”, an endpoint that was flagged as malicious by multiple open-source intelligence (OSINT) vendors [4].

In addition, multiple HTML Application (HTA) file downloads were observed from the malicious endpoint, “new-tech-savvy[.]com/5[.]hta”. HTA files are often seen as part of the UAC-0050 campaign, known for its cyber-attacks against Ukrainian targets, which tends to leverage the Remcos RAT with advanced evasion techniques [5] [6]. Such files are often critical components of a malware operation, serving as conduits for the deployment of malicious payloads onto a compromised system. Often, within the HTA file resides a VBScript which, upon execution, triggers a PowerShell script. This PowerShell script is designed to facilitate the download of a malicious payload, namely “word_update.exe”, from a remote server. Upon successful execution, “word_update.exe” is launched, invoking cmd.exe and initiating the sharing of malicious data. This process results in the execution of explorer.exe, with the malicious RemcosRAT concealed within the memory of explorer.exe. [7].

As the customers were subscribed to Darktrace’s Proactive Threat Notification (PTN) service, an Enhanced Monitoring model was breached upon detection of the malicious HTA file. Enhanced Monitoring models are high-fidelity DETECT models designed to identify activity likely to be indicative of compromise. These PTN alerts were swiftly investigated by Darktrace’s round the clock SOC team.

Following this successful detection, Darktrace RESPOND took immediate action by autonomously blocking connections to the malicious endpoint, effectively preventing additional download attempts. Similar activity may be seen in the case of a legitimate malware attack; however, in this instance, the hostname associated with the download confirmed the detected malicious activity was the result of an attack simulation.

Figure 1: The Breach Log displays the model breach, “Anomalous File/Incoming HTA File”, where a device was detected downloading the HTA file, “5.hta” from the endpoint, “new-tech-savvy[.]com”.
'
Figure 2: The Model Breach Event Log shows a device making connections to the endpoint, “new-tech-savvy[.]com”. As a result, theRESPOND model, “Antigena/Network/External Threat/Antigena File then New Outbound Block", breached and connections to this malicious endpoint were blocked.
Figure 3: The Breach Log further showcases another RESPOND model, “Antigena/Network/External Threat/Antigena Suspicious File Block", which was triggered when the device downloaded a  HTA file from the malicious endpoint, “new-tech-savvy[.]com".

In other cases, Darktrace observed SSL and HTTP connections also attributed to the same simulated malware provider, highlighting Darktrace’s capability to distinguish between legitimate and simulated malware attack activity.

Figure 4: The Model Breach “Anomalous Connection/Low and Slow Exfiltration" displays the hostname of a simulated malware provider, confirming the detected malicious activity as the result of an attack simulation.
Figure 5: The Model Breach Event Log shows the SSL connections made to an endpoint associated with the simulated malware provider.
Figure 6: Darktrace’s Advanced Search displays SSL connection logs to the endpoint of the simulated malware provider around the time the simulation activity was observed.

Upon detection of the malicious activity occurring within affected customer networks, Darktrace’s Cyber AI Analyst™ investigated and correlated the events at machine speed. Figure 8 illustrates the synopsis and additional technical information that AI Analyst generated on one customer’s environment, detailing that over 220 HTTP queries to 18 different endpoints for a single device were seen. The investigation process can also be seen in the screenshot, showcasing Darktrace’s ability to provide ‘explainable AI’ detail. AI Analyst was able to autonomously search for all HTTP connections made by the breach device and identified a single suspicious software agent making one HTTP request to the endpoint, 45.95.147[.]236.

Furthermore, the malicious endpoints, 45.95.147[.]236, previously observed in SSH attacks using brute-force or stolen credentials, and “tangible-drink.surge[.]sh”, associated with the Androxgh0st malware [8] [9] [10], were detected to have been requested by another device.

This highlights Darktrace’s ability to link and correlate seemingly separate events occurring on different devices, which could indicate a malicious attack spreading across the network.  AI Analyst was also able to identify a username associated with the simulated malware prior to the activity through Kerberos Authentication Service (AS) requests. The device in question was also tagged as a ‘Security Device’ – such tags provide human analysts with valuable context about expected device activity, and in this case, the tag corroborates with the testing activity seen. This exemplifies how Darktrace’s Cyber AI Analyst takes on the labor-intensive task of analyzing thousands of connections to hundreds of endpoints at a rapid pace, then compiling results into a single pane that provides customer security teams with the information needed to evaluate activities observed on a device.

All in all, this demonstrates how Darktrace’s Self-Learning AI is capable of offering an unparalleled level of awareness and visibility over any anomalous and potentially malicious behavior on the network, saving security teams and administrators a great deal of time.

Figure 7: Cyber AI Analyst Incident Log containing a summary of the attack simulation activity,, including relevant technical details, and the AI investigation process.

Conclusion

Simulated cyber-attacks represent the ever-present challenge of testing and validating security defenses, while the threat of legitimate compromise exemplifies the constant risk of cyber threats in today’s digital landscape. Darktrace emerges as the solution to this conflict, offering real-time detection and response capabilities that identify and mitigate simulated and authentic threats alike.

While simulations are crafted to mimic legitimate threats within predefined parameters and controlled environments, the capabilities of Darktrace DETECT transcend these limitations. Even in scenarios where intent is not malicious, Darktrace’s ability to identify anomalies and raise alerts remains unparalleled. Moreover, Darktrace’s AI Analyst and autonomous response technology, RESPOND, underscore Darktrace’s indispensable role in safeguarding organizations against emerging threats.

Credit to Priya Thapa, Cyber Analyst, Tiana Kelly, Cyber Analyst & Analyst Team Lead

Appendices

Model Breaches

Darktrace DETECT Model Breach Coverage

Anomalous File / Incoming HTA File

Anomalous Connection / Low and Slow Exfiltration

Darktrace RESPOND Model Breach Coverage

§  Antigena / Network/ External Threat/ Antigena File then New Outbound Block

Cyber AI Analyst Incidents

• Possible HTTP Command and Control

• Suspicious File Download

List of IoCs

IP Address

38.52.220[.]2 - Malicious Endpoint

46.249.58[.]40 - Malicious Endpoint

45.95.147[.]236 - Malicious Endpoint

Hostname

tangible-drink.surge[.]sh - Malicious Endpoint

new-tech-savvy[.]com - Malicious Endpoint

References

1.     https://xmcyber.com/glossary/what-are-breach-and-attack-simulations/

2.     https://www.picussecurity.com/resource/glossary/what-is-an-attack-simulation

3.     https://success.trendmicro.com/dcx/s/solution/1123281-remcos-malware-information?language=en_US&sfdcIFrameOrigin=null

4.     https://www.virustotal.com/gui/url/c145cf7010545791602e9585f447347c75e5f19a0850a24e12a89325ded88735

5.     https://www.virustotal.com/gui/url/7afd19e5696570851e6413d08b6f0c8bd42f4b5a19d1e1094e0d1eb4d2e62ce5

6.     https://thehackernews.com/2024/01/uac-0050-group-using-new-phishing.html

7.     https://www.uptycs.com/blog/remcos-rat-uac-0500-pipe-method

8.     https://www.virustotal.com/gui/ip-address/45.95.147.236/community

9.     https://www.virustotal.com/gui/domain/tangible-drink.surge.sh/community

10.  https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-016a

Continue reading
About the author
Priya Thapa
Cyber Analyst

Blog

No items found.

Mastering Cloud Migration: Strategies, Services, and Risks

Default blog imageDefault blog image
12
Mar 2024

What is cloud migration?

Cloud migration, in its simplest form, refers to the process of moving digital assets, such as data, applications, and IT resources, from on-premises infrastructure or legacy systems to cloud computing environments. There are various flavours of migration and utilization, but according to a survey conducted by IBM, one of the most common is the 'Hybrid' approach, with around 77% of businesses adopting a hybrid cloud approach.

There are three key components of a hybrid cloud migration model:

  1. On-Premises (On-Prem): Physical location with some amount of hardware and networking, traditionally a data centre.
  2. Public Cloud: Third-party providers like AWS, Azure, and Google, who offer multiple services such as Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS).
  3. Private Cloud: A cloud computing environment where resources are isolated for one customer.

Why does cloud migration matter for enterprises?

Cloud adoption provides many benefits to businesses, including:

  1. Scalability: Cloud environments allow enterprises to scale resources up or down based on demand, enabling them to quickly adapt to changing business requirements.
  2. Flexibility and Agility: Cloud platforms provide greater flexibility and agility, enabling enterprises to innovate and deploy new services more rapidly compared to traditional on-premises infrastructure.
  3. Cost Efficiency: Pay-as-you-go model, allowing enterprises to reduce capital expenditures on hardware and infrastructure.
  4. Enhanced Security: Cloud service providers invest heavily in security measures to protect data and infrastructure, offering advanced security features and compliance certifications.

The combination of these benefits provides significant potential for businesses to innovate and move quickly, ultimately allowing them to be flexible and adapt to changing market conditions, customer demands, and technological advancements with greater agility and efficiency.

Cloud migration strategy

There are multiple migration strategies a business can adopt, including:

  1. Rehosting (Lift-and-shift): Quickly completed but may lead to increased costs for running workloads.
  2. Refactoring (Cloud Native): Designed specifically for the cloud but requires a steep learning curve and staff training on new processes.
  3. Hybrid Cloud: Mix of on-premises and public cloud use, offering flexibility and scalability while keeping data secure on-premises. This can introduce complexities in setup and management overhead and requires ensuring security and compliance in both environments.

It is important to note that each strategy has its trade-offs and there is no single gold standard for a one size fits all cloud migration strategy. Different businesses will prioritize and leverage different benefits, for instance while some might prefer a rehosting strategy as it gets them migrated the fastest, it typically ends up also being the most costly strategy as “lift-and-shift” doesn’t take advantage of many key benefits that the cloud has to offer. Conversely, refactoring is a strategy optimized at making the most of the benefits that cloud providers have to offer, however the process of redesigning applications requires cloud expertise and based on the scale of applications that are required to be refactored this strategy might not be the quickest when it comes to moving applications from being hosted on premise to in the cloud.  

Phases of a cloud migration

At the highest level, there are four main steps in a successful migration:

  1. Discover: Identify and categorize IT assets, applications, and critical dependencies.
  2. Plan: Develop a detailed migration plan, including timelines, resource allocation, and risk management strategies.
  3. Migrate: Execute the migration plan, minimizing disruption to business operations.
  4. Optimize: Continuously optimize the cloud environment using automation, performance monitoring, and cost management tools to improve efficiency, performance, and scalability.

While it is natural to race towards the end goals of a cloud migration, most successful cloud migration strategies allocate the appropriate timelines to each phase.  

The “Discover” phase specifically is where most businesses can set themselves up for success. Having a complete understanding of assets, applications, services, and dependencies needed to migrate however is much easier said than done. Given the pace of change and how laborious of a task inventorying everything can be to manage and maintain, most mistakes at this stage will propagate and amplify through the migration journey.  

Risks and challenges of cloud migration

Though cloud migration offers a wealth of benefits, it also introduces new risks that need to be accounted for and managed effectively. Security should be considered a fundamental part of the process, not an additional measure that can be ‘bolted’ on at the end.

Let’s consider the most popular migration strategy, using a ‘Hybrid Cloud’. A recent report by the industry analyst group Forrester cited that Cloud Security Posture Management (CSPM) tools are just one facet of security, stating:

"No matter how good it is, using a CSPM solution alone will not provide you with full visibility, detection, and effective remediation capabilities for all threats. Your adversaries are also targeting operating systems, existing on-prem network infrastructure, and applications in their quest to steal valuable data".

Unpacking some of the risks here, it’s clear they fall into a range of categories, including:

  1. Security Concerns: Ensuring security across both on-premises and cloud environments, addressing potential misconfigurations and vulnerabilities.
  2. Contextual Understanding: Effective security requires a deep understanding of the organization's business processes and the context in which data and applications operate.
  3. Threat Detection and Response: Identifying and responding to threats in real-time requires advanced capabilities such as AI and anomaly detection.
  4. Platform Approach: Deploying integrated security solutions that provide end-to-end visibility, centralized management, and automated responses across hybrid infrastructure.

Since the cloud doesn’t operate in a vacuum, businesses will always have a myriad of 3rd party applications, users, endpoints, external services, and partners connecting and interacting with their cloud environments. From this perspective, being able to correlate and understand behaviors and activity both within the cloud and its surroundings becomes imperative.

It then follows that context from a business wide perspective is necessary. This has two distinct implications, the first is application or workload specific context (i.e. where do the assets, services, and functions alerted on reside within the cloud application) and the second is business wide context. Given the volume of alerts that security practitioners need to manage, findings that lack the appropriate context to fully understand and resolve the issue create additional strain on teams that are already managing a difficult challenge.  

Conclusion

With that in mind, Darktrace’s approach to security, with its existing and new advances in Cloud Detection and Response capabilities, anomaly detection across SaaS applications, and native ability to leverage many AI techniques to understand the business context within your dynamic cloud environment and on-premises infrastructure. It provides you with the integrated building blocks to provide the ‘360’ degree view required to detect and respond to threats before, during, and long after your enterprise migrates to the cloud.

References

IBM Transformation Index: State of Cloud https://www.ibm.com/blog/hybrid-cloud-use-cases/

https://www.forrester.com/report/the-top-trends-shaping-cloud-security-posture-management-cspm-in-2024/RES180379  

Continue reading
About the author
Adam Stevens
Analyst Technical Director
Our ai. Your data.

Elevate your cyber defenses with Darktrace AI

Start your free trial
Darktrace AI protecting a business from cyber threats.