Blog

Ransomware

Darktrace’s Cyber AI Analyst investigates Sodinokibi (REvil) ransomware

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
29
Nov 2020
29
Nov 2020
Darktrace recently detected Sodinokibi, the most lucrative strain of ransomware in 2020, in a retail organization in the US. Cyber AI Analyst launched several automatic, real-time investigations into the incident simultaneously, producing concise and digestible summaries shown in this blog.

Sodinokibi is one of the most lucrative ransomware strains of 2020, with its creators, cyber-criminal gang REvil, recently claiming over $100 million in profits this year alone. The prevalent threat is known to wipe backup files, encrypt files on local shares and exfiltrate data.

Exfiltration before encryption is a technique being increasingly adopted by profit-seeking cyber-criminals, who can threaten to leak the stolen data should a target organization not comply with their demands. Sodinobiki also makes heavy use of code obfuscation and encryption techniques to evade detection by signature-based, anti-virus solutions.

Darktrace’s AI recently detected Sodinokibi targeting a retail organization in the US. Prior to this year, the company operated primarily face-to-face in physical stores, but have conducted the majority of their business in the digital realm since the onset of the pandemic.

Cyber AI Analyst automatically launched a full investigation into this incident in real time, as the attack was unfolding. The technology provided summary reports of the entire incident which the security team could immediately action for incident response. This blog explores its findings.

Sodinokibi timeline

Darktrace automatically investigated on the full scope of the Sodinokibi attack, with Cyber AI Analyst clearly identifying and summarising every stage of the attack lifecycle, which played out over the course of three weeks as below:

Figure 1: A timeline of the attack

Darktrace produced a large number of security-relevant anomalies associated with just three credentials, and displayed these along a common timeline shown below:

Figure 2: A timeline view of anomaly detections separated by users. Note the clusters of model breaches for the compromised credentials leading up to October 14.

While a human analyst might have been able to identify these unusual patterns and investigate what caused the clusters of anomalous activity, this process would have taken precious hours during a crisis. Cyber AI Analyst automatically performed the same analysis using supervised machine learning trained on Darktrace’s world-leading analysts, generating meaningful summaries of each stage of the event in real time, as the incident unfolded.

REvil ransomware attack

The following events occurred during a free trial period, and Darktrace was not being actively monitored. Its Autonomous Response technology, Darktrace Antigena, was installed in passive mode, and in the absence of automatic interference at an early stage, this compromise was allowed to unfold without interruption. However, with Darktrace’s AI learning normal ‘patterns of life’ for every device in the background, identifying anomalies, and launching an automated investigation into the attack, we are able to go back into the Threat Visualizer and see how the incident unfolded.

The attack began when the credentials of a highly privileged member of the retail organization’s IT team were compromised. REvil is known to make use of phishing emails, exploit kits, server vulnerabilities, and compromised MSP networks for initial intrusion.

In this case, the attacker used the IT credential to compromise a domain controller and exfiltrate data directly after initial reconnaissance. Darktrace’s AI detected the attacker logging into the domain controller via SMB, writing suspicious files and then deleting batch scripts and log files in the root directory to clear their tracks.

The domain controller then made connections to several rare external endpoints, and Darktrace witnessed a 28MB upload that was likely exfiltration of initial reconnaissance data. Four days later, the attacker connected to the same endpoint (sadstat[.]com) – likely a stager download for C2, which was then initiated via connections on port 443 later that same day.

A week on from the intial C2 connection, a SQL server was detected engaging in network scanning as the attacker sought to move laterally in search of sensitive and valuable data. Over the course of two weeks, Darktrace witnessed unusual internal RDP connections using administrative credentials, before data was uploaded to multiple cloud storage endpoints as well as an SSH server. PsExec was used to deploy the ransomware, resulting in file encryption.

The evasive nature of modern ransomware

REvil started with an inherent advantage in that they were armed with the credentials of a highly privileged IT admin. Nevertheless, they still made several attempts to evade traditional, signature-based tools, such as ‘Living off the Land’ – using common tools such PsExec, WMI, RDP to blend into to legitimate activity.

They leveraged frequently-used cloud storage solutions like Dropbox and pCloud for data transfer, and they conducted SSH on port 443, blending in with SSL connections on the same port. They used a newly-registered domain for C2 communication, meaning Open Source Intelligence Tools (OSINT) were blind to the threat.

Finally, the malware itself was evasive in that it made use of code obfuscation and encryption, and had no need for a system library or API imports. This is the basis for most modern ransomware attacks, and the reality is signature-based tools cannot keep up. Darktrace’s AI not only detected the anomalous activity associated with every stage of the attack, but generated fleshed-out summaries of each stage of the attack with Cyber AI Analyst.

Cyber AI Analyst: Real-time incident reporting

Between September 21 and October 12, Cyber AI Analyst created 15 incidents, investigating dozens of point detections and creating a coherent attack narrative.

Figure 3: Cyber AI Incident log of the first compromised DC. This incident tab details the connections to sadstat[.]com

Figure 4: The DC establishes C2 to the first GHOSTnet GmbH IP

Figure 5: This incident tab highlights the file encryption of files on network shares

Figure 6: Darktrace surfaces the IT admin account takeover

Figure 7: Example of a client type device involved in extensive administrative RDP and SMB activity, as well as data uploads to Dropbox (this upload to Dropbox occurs few seconds before file encryption begins)

REvil vs AI

This Sodinokibi ransomware attack slipped under the radar of a range of traditional tools deployed by the retail organization. However, despite the threat dwelling in the retail organization’s digital environment for over a month, and REvil using local tools to blend in to regular traffic, from Darktrace’s perspective these actions were noisy in comparison to the organization’s normal ‘pattern of life’, setting off a series of alerts and investigations.

Darktrace’s Cyber AI Analyst was able to autonomously investigate nearly every attack phase of the ransomware. The technology works around the clock, without requiring training or time off, and can often reduce hours or days of incident response into just minutes, reducing time to triage by up to 92% and augmenting the capabilities of the human security team.

Thanks to Darktrace analyst Joel Lee for his insights on the above threat find.

Learn more about Cyber AI Analyst

Darktrace model detections:

  • Anomalous Connection / Active Remote Desktop Tunnel
  • Anomalous Connection / Data Sent To New External Device
  • Anomalous Connection / Data Sent to Rare Domain
  • Anomalous Connection / High Volume of New or Uncommon Service Control
  • Anomalous Connection / SMB Enumeration
  • Anomalous Connection / Uncommon 1 GiB Outbound
  • Anomalous Connection / Unusual Admin RDP Session
  • Anomalous Connection / Unusual Admin SMB Session
  • Anomalous File / Internal / Additional Extension Appended to SMB File
  • Anomalous Server Activity / Anomalous External Activity from Critical Network Device
  • Compliance / SMB Drive Write
  • Compliance / Possible Tor Usage
  • Compromise / Ransomware / Ransom or Offensive Words Written to SMB
  • Compromise / Ransomware / Suspicious SMB Activity
  • Device / ICMP Address Scan
  • Device / Multiple Lateral Movement Model Breaches
  • Device / Network Scan
  • Device / New or Uncommon WMI Activity
  • Device / New or Unusual Remote Command Execution
  • Device / RDP Scan
  • Device / Suspicious Network Scan Activity
  • Unusual Activity / Enhanced Unusual External Data Transfer
  • Unusual Activity / Unusual Internal Connections
INSIDE THE SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
AUTHOR
ABOUT ThE AUTHOR
Max Heinemeyer
Chief Product Officer

Max is a cyber security expert with over a decade of experience in the field, specializing in a wide range of areas such as Penetration Testing, Red-Teaming, SIEM and SOC consulting and hunting Advanced Persistent Threat (APT) groups. At Darktrace, Max is closely involved with Darktrace’s strategic customers & prospects. He works with the R&D team at Darktrace, shaping research into new AI innovations and their various defensive and offensive applications. Max’s insights are regularly featured in international media outlets such as the BBC, Forbes and WIRED. Max holds an MSc from the University of Duisburg-Essen and a BSc from the Cooperative State University Stuttgart in International Business Information Systems.

Book a 1-1 meeting with one of our experts
share this article
USE CASES
No items found.
PRODUCT SPOTLIGHT
No items found.
COre coverage
No items found.

More in this series

No items found.

Blog

Inside the SOC

Sliver C2: How Darktrace Provided a Sliver of Hope in the Face of an Emerging C2 Framework

Default blog imageDefault blog image
17
Apr 2024

Offensive Security Tools

As organizations globally seek to for ways to bolster their digital defenses and safeguard their networks against ever-changing cyber threats, security teams are increasingly adopting offensive security tools to simulate cyber-attacks and assess the security posture of their networks. These legitimate tools, however, can sometimes be exploited by real threat actors and used as genuine actor vectors.

What is Sliver C2?

Sliver C2 is a legitimate open-source command-and-control (C2) framework that was released in 2020 by the security organization Bishop Fox. Silver C2 was originally intended for security teams and penetration testers to perform security tests on their digital environments [1] [2] [5]. In recent years, however, the Sliver C2 framework has become a popular alternative to Cobalt Strike and Metasploit for many attackers and Advanced Persistence Threat (APT) groups who adopt this C2 framework for unsolicited and ill-intentioned activities.

The use of Sliver C2 has been observed in conjunction with various strains of Rust-based malware, such as KrustyLoader, to provide backdoors enabling lines of communication between attackers and their malicious C2 severs [6]. It is unsurprising, then, that it has also been leveraged to exploit zero-day vulnerabilities, including critical vulnerabilities in the Ivanti Connect Secure and Policy Secure services.

In early 2024, Darktrace observed the malicious use of Sliver C2 during an investigation into post-exploitation activity on customer networks affected by the Ivanti vulnerabilities. Fortunately for affected customers, Darktrace DETECT™ was able to recognize the suspicious network-based connectivity that emerged alongside Sliver C2 usage and promptly brought it to the attention of customer security teams for remediation.

How does Silver C2 work?

Given its open-source nature, the Sliver C2 framework is extremely easy to access and download and is designed to support multiple operating systems (OS), including MacOS, Windows, and Linux [4].

Sliver C2 generates implants (aptly referred to as ‘slivers’) that operate on a client-server architecture [1]. An implant contains malicious code used to remotely control a targeted device [5]. Once a ‘sliver’ is deployed on a compromised device, a line of communication is established between the target device and the central C2 server. These connections can then be managed over Mutual TLS (mTLS), WireGuard, HTTP(S), or DNS [1] [4]. Sliver C2 has a wide-range of features, which include dynamic code generation, compile-time obfuscation, multiplayer-mode, staged and stageless payloads, procedurally generated C2 over HTTP(S) and DNS canary blue team detection [4].

Why Do Attackers Use Sliver C2?

Amidst the multitude of reasons why malicious actors opt for Sliver C2 over its counterparts, one stands out: its relative obscurity. This lack of widespread recognition means that security teams may overlook the threat, failing to actively search for it within their networks [3] [5].

Although the presence of Sliver C2 activity could be representative of authorized and expected penetration testing behavior, it could also be indicative of a threat actor attempting to communicate with its malicious infrastructure, so it is crucial for organizations and their security teams to identify such activity at the earliest possible stage.

Darktrace’s Coverage of Sliver C2 Activity

Darktrace’s anomaly-based approach to threat detection means that it does not explicitly attempt to attribute or distinguish between specific C2 infrastructures. Despite this, Darktrace was able to connect Sliver C2 usage to phases of an ongoing attack chain related to the exploitation of zero-day vulnerabilities in Ivanti Connect Secure VPN appliances in January 2024.

Around the time that the zero-day Ivanti vulnerabilities were disclosed, Darktrace detected an internal server on one customer network deviating from its expected pattern of activity. The device was observed making regular connections to endpoints associated with Pulse Secure Cloud Licensing, indicating it was an Ivanti server. It was observed connecting to a string of anomalous hostnames, including ‘cmjk3d071amc01fu9e10ae5rt9jaatj6b.oast[.]live’ and ‘cmjft14b13vpn5vf9i90xdu6akt5k3pnx.oast[.]pro’, via HTTP using the user agent ‘curl/7.19.7 (i686-redhat-linux-gnu) libcurl/7.63.0 OpenSSL/1.0.2n zlib/1.2.7’.

Darktrace further identified that the URI requested during these connections was ‘/’ and the top-level domains (TLDs) of the endpoints in question were known Out-of-band Application Security Testing (OAST) server provider domains, namely ‘oast[.]live’ and ‘oast[.]pro’. OAST is a testing method that is used to verify the security posture of an application by testing it for vulnerabilities from outside of the network [7]. This activity triggered the DETECT model ‘Compromise / Possible Tunnelling to Bin Services’, which breaches when a device is observed sending DNS requests for, or connecting to, ‘request bin’ services. Malicious actors often abuse such services to tunnel data via DNS or HTTP requests. In this specific incident, only two connections were observed, and the total volume of data transferred was relatively low (2,302 bytes transferred externally). It is likely that the connections to OAST servers represented malicious actors testing whether target devices were vulnerable to the Ivanti exploits.

The device proceeded to make several SSL connections to the IP address 103.13.28[.]40, using the destination port 53, which is typically reserved for DNS requests. Darktrace recognized that this activity was unusual as the offending device had never previously been observed using port 53 for SSL connections.

Model Breach Event Log displaying the ‘Application Protocol on Uncommon Port’ DETECT model breaching in response to the unusual use of port 53.
Figure 1: Model Breach Event Log displaying the ‘Application Protocol on Uncommon Port’ DETECT model breaching in response to the unusual use of port 53.

Figure 2: Model Breach Event Log displaying details pertaining to the ‘Application Protocol on Uncommon Port’ DETECT model breach, including the 100% rarity of the port usage.
Figure 2: Model Breach Event Log displaying details pertaining to the ‘Application Protocol on Uncommon Port’ DETECT model breach, including the 100% rarity of the port usage.

Further investigation into the suspicious IP address revealed that it had been flagged as malicious by multiple open-source intelligence (OSINT) vendors [8]. In addition, OSINT sources also identified that the JARM fingerprint of the service running on this IP and port (00000000000000000043d43d00043de2a97eabb398317329f027c66e4c1b01) was linked to the Sliver C2 framework and the mTLS protocol it is known to use [4] [5].

An Additional Example of Darktrace’s Detection of Sliver C2

However, it was not just during the January 2024 exploitation of Ivanti services that Darktrace observed cases of Sliver C2 usages across its customer base.  In March 2023, for example, Darktrace detected devices on multiple customer accounts making beaconing connections to malicious endpoints linked to Sliver C2 infrastructure, including 18.234.7[.]23 [10] [11] [12] [13].

Darktrace identified that the observed connections to this endpoint contained the unusual URI ‘/NIS-[REDACTED]’ which contained 125 characters, including numbers, lower and upper case letters, and special characters like “_”, “/”, and “-“, as well as various other URIs which suggested attempted data exfiltration:

‘/upload/api.html?c=[REDACTED] &fp=[REDACTED]’

  • ‘/samples.html?mx=[REDACTED] &s=[REDACTED]’
  • ‘/actions/samples.html?l=[REDACTED] &tc=[REDACTED]’
  • ‘/api.html?gf=[REDACTED] &x=[REDACTED]’
  • ‘/samples.html?c=[REDACTED] &zo=[REDACTED]’

This anomalous external connectivity was carried out through multiple destination ports, including the key ports 443 and 8888.

Darktrace additionally observed devices on affected customer networks performing TLS beaconing to the IP address 44.202.135[.]229 with the JA3 hash 19e29534fd49dd27d09234e639c4057e. According to OSINT sources, this JA3 hash is associated with the Golang TLS cipher suites in which the Sliver framework is developed [14].

Conclusion

Despite its relative novelty in the threat landscape and its lesser-known status compared to other C2 frameworks, Darktrace has demonstrated its ability effectively detect malicious use of Sliver C2 across numerous customer environments. This included instances where attackers exploited vulnerabilities in the Ivanti Connect Secure and Policy Secure services.

While human security teams may lack awareness of this framework, and traditional rules and signatured-based security tools might not be fully equipped and updated to detect Sliver C2 activity, Darktrace’s Self Learning AI understands its customer networks, users, and devices. As such, Darktrace is adept at identifying subtle deviations in device behavior that could indicate network compromise, including connections to new or unusual external locations, regardless of whether attackers use established or novel C2 frameworks, providing organizations with a sliver of hope in an ever-evolving threat landscape.

Credit to Natalia Sánchez Rocafort, Cyber Security Analyst, Paul Jennings, Principal Analyst Consultant

Appendices

DETECT Model Coverage

  • Compromise / Repeating Connections Over 4 Days
  • Anomalous Connection / Application Protocol on Uncommon Port
  • Anomalous Server Activity / Server Activity on New Non-Standard Port
  • Compromise / Sustained TCP Beaconing Activity To Rare Endpoint
  • Compromise / Quick and Regular Windows HTTP Beaconing
  • Compromise / High Volume of Connections with Beacon Score
  • Anomalous Connection / Multiple Failed Connections to Rare Endpoint
  • Compromise / Slow Beaconing Activity To External Rare
  • Compromise / HTTP Beaconing to Rare Destination
  • Compromise / Sustained SSL or HTTP Increase
  • Compromise / Large Number of Suspicious Failed Connections
  • Compromise / SSL or HTTP Beacon
  • Compromise / Possible Malware HTTP Comms
  • Compromise / Possible Tunnelling to Bin Services
  • Anomalous Connection / Low and Slow Exfiltration to IP
  • Device / New User Agent
  • Anomalous Connection / New User Agent to IP Without Hostname
  • Anomalous File / EXE from Rare External Location
  • Anomalous File / Numeric File Download
  • Anomalous Connection / Powershell to Rare External
  • Anomalous Server Activity / New Internet Facing System

List of Indicators of Compromise (IoCs)

18.234.7[.]23 - Destination IP - Likely C2 Server

103.13.28[.]40 - Destination IP - Likely C2 Server

44.202.135[.]229 - Destination IP - Likely C2 Server

References

[1] https://bishopfox.com/tools/sliver

[2] https://vk9-sec.com/how-to-set-up-use-c2-sliver/

[3] https://www.scmagazine.com/brief/sliver-c2-framework-gaining-traction-among-threat-actors

[4] https://github[.]com/BishopFox/sliver

[5] https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors

[6] https://securityaffairs.com/158393/malware/ivanti-connect-secure-vpn-deliver-krustyloader.html

[7] https://www.xenonstack.com/insights/out-of-band-application-security-testing

[8] https://www.virustotal.com/gui/ip-address/103.13.28.40/detection

[9] https://threatfox.abuse.ch/browse.php?search=ioc%3A107.174.78.227

[10] https://threatfox.abuse.ch/ioc/1074576/

[11] https://threatfox.abuse.ch/ioc/1093887/

[12] https://threatfox.abuse.ch/ioc/846889/

[13] https://threatfox.abuse.ch/ioc/1093889/

[14] https://github.com/projectdiscovery/nuclei/issues/3330

Continue reading
About the author
Natalia Sánchez Rocafort
Cyber Security Analyst

Blog

Email

Looking Beyond Secure Email Gateways with the Latest Innovations to Darktrace/Email

Default blog imageDefault blog image
09
Apr 2024

Organizations Should Demand More from their Email Security

In response to a more intricate threat landscape, organizations should view email security as a critical component of their defense-in-depth strategy, rather than defending the inbox alone with a traditional Secure Email Gateway (SEG). Organizations need more than a traditional gateway – that doubles, instead of replaces, the capabilities provided by native security vendor – and require an equally granular degree of analysis across all messaging, including inbound, outbound, and lateral mail, plus Teams messages.  

Darktrace/Email is the industry’s most advanced cloud email security, powered by Self-Learning AI. It combines AI techniques to exceed the accuracy and efficiency of leading security solutions, and is the only security built to elevate, not duplicate, native email security.  

With its largest update ever, Darktrace/Email introduces the following innovations, finally allowing security teams to look beyond secure email gateways with autonomous AI:

  • AI-augmented data loss prevention to stop the entire spectrum of outbound mail threats
  • an easy way to deploy DMARC quickly with AI
  • major enhancements to streamline SOC workflows and increase the detection of sophisticated phishing links
  • expansion of Darktrace’s leading AI prevention to lateral mail, account compromise and Microsoft Teams

What’s New with Darktrace/Email  

Data Loss Prevention  

Block the entire spectrum of outbound mail threats with advanced data loss prevention that builds on tags in native email to stop unknown, accidental, and malicious data loss

Darktrace understands normal at individual user, group and organization level with a proven AI that detects abnormal user behavior and dynamic content changes. Using this understanding, Darktrace/Email actions outbound emails to stop unknown, accidental and malicious data loss.  

Traditional DLP solutions only take into account classified data, which relies on the manual input of labelling each data piece, or creating rules to catch pattern matches that try to stop data of certain types leaving the organization. But in today’s world of constantly changing data, regular expression and fingerprinting detection are no longer enough.

  • Human error – Because it understands normal for every user, Darktrace/Email can recognize cases of misdirected emails. Even if the data is correctly labelled or insensitive, Darktrace recognizes when the context in which it is being sent could be a case of data loss and warns the user.  
  • Unclassified data – Whereas traditional DLP solutions can only take action on classified data, Darktrace analyzes the range of data that is either pending labels or can’t be labeled with typical capabilities due to its understanding of the content and context of every email.  
  • Insider threat – If a malicious actor has compromised an account, data exfiltration may still be attempted on encrypted, intellectual property, or other forms of unlabelled data to avoid detection. Darktrace analyses user behaviour to catch cases of unusual data exfiltration from individual accounts.

And classification efforts already in place aren’t wasted – Darktrace/Email extends Microsoft Purview policies and sensitivity labels to avoid duplicate workflows for the security team, combining the best of both approaches to ensure organizations maintain control and visibility over their data.

End User and Security Workflows

Achieve more than 60% improvement in the quality of end-user phishing reports and detection of sophisticated malicious weblinks1

Darktrace/Email improves end-user reporting from the ground up to save security team resource. Employees will always be on the front line of email security – while other solutions assume that end-user reporting is automatically of poor quality, Darktrace prioritizes improving users’ security awareness to increase the quality of end-user reporting from day one.  

Users are empowered to assess and report suspicious activity with contextual banners and Cyber AI Analyst generated narratives for potentially suspicious emails, resulting in 60% fewer benign emails reported.  

Out of the higher-quality emails that end up being reported, the next step is to reduce the amount of emails that reach the SOC. Darktrace/Email’s Mailbox Security Assistant automates their triage with secondary analysis combining additional behavioral signals – using x20 more metrics than previously – with advanced link analysis to detect 70% more sophisticated malicious phishing links.2 This directly alleviates the burden of manual triage for security analysts.

For the emails that are received by the SOC, Darktrace/Email uses automation to reduce time spent investigating per incident. With live inbox view, security teams gain access to a centralized platform that combines intuitive search capabilities, Cyber AI Analyst reports, and mobile application access. Analysts can take remediation actions from within Darktrace/Email, eliminating console hopping and accelerating incident response.

Darktrace takes a user-focused and business-centric approach to email security, in contrast to the attack-centric rules and signatures approach of secure email gateways

Microsoft Teams

Detect threats within your Teams environment such as account compromise, phishing, malware and data loss

Around 83% of Fortune 500 companies rely on Microsoft Office products and services, particularly Teams and SharePoint.3

Darktrace now leverages the same behavioral AI techniques for Microsoft customers across 365 and Teams, allowing organizations to detect threats and signals of account compromise within their Teams environment including social engineering, malware and data loss.  

The primary use case for Microsoft Teams protection is as a potential entry vector. While messaging has traditionally been internal only, as organizations open up it is becoming an entry vector which needs to be treated with the same level of caution as email. That’s why we’re bringing our proven AI approach to Microsoft Teams, that understands the user behind the message.  

Anomalous messaging behavior is also a highly relevant indicator of whether a user has been compromised. Unlike other solutions that analyze Microsoft Teams content which focus on payloads, Darktrace goes beyond basic link and sandbox analysis and looks at actual user behavior from both a content and context perspective. This linguistic understanding isn’t bound by the requirement to match a signature to a malicious payload, rather it looks at the context in which the message has been delivered. From this analysis, Darktrace can spot the early symptoms of account compromise such as early-stage social engineering before a payload is delivered.

Lateral Mail Analysis

Detect and respond to internal mailflow with multi-layered AI to prevent account takeover, lateral phishing and data leaks

The industry’s most robust account takeover protection now prevents lateral mail account compromise. Darktrace has always looked at internal mail to inform inbound and outbound decisions, but will now elevate suspicious lateral mail behaviour using the same AI techniques for inbound, outbound and Teams analysis.

Darktrace integrates signals from across the entire mailflow and communication patterns to determine symptoms of account compromise, now including lateral mailflow

Unlike other solutions which only analyze payloads, Darktrace analyzes a whole range of signals to catch lateral movement before a payload is delivered. Contributing yet another layer to the AI behavioral profile for each user, security teams can now use signals from lateral mail to spot the early symptoms of account takeover and take autonomous actions to prevent further compromise.

DMARC

Gain in-depth visibility and control of 3rd parties using your domain with an industry-first AI-assisted DMARC

Darktrace has created the easiest path to brand protection and compliance with the new Darktrace/DMARC. This new capability continuously stops spoofing and phishing from the enterprise domain, while automatically enhancing email security and reducing the attack surface.

Darktrace/DMARC helps to upskill businesses by providing step by step guidance and automated record suggestions provide a clear, efficient road to enforcement. It allows organizations to quickly achieve compliance with requirements from Google, Yahoo, and others, to ensure that their emails are reaching mailboxes.  

Meanwhile, Darktrace/DMARC helps to reduce the overall attack surface by providing visibility over shadow-IT and third-party vendors sending on behalf of an organization’s brand, while informing recipients when emails from their domains are sent from un-authenticated DMARC source.

Darktrace/DMARC integrates with the wider Darktrace product platform, sharing insights to help further secure your business across Email Attack Path and Attack Surface management.

Conclusion

To learn more about the new innovations to Darktrace/Email download the solution brief here.

All of the new updates to Darktrace/Email sit within the new Darktrace ActiveAI Security Platform, creating a feedback loop between email security and the rest of the digital estate for better protection. Click to read more about the Darktrace ActiveAI Security Platform or to hear about the latest innovations to Darktrace/OT, the most comprehensive prevention, detection, and response solution purpose built for critical infrastructures.  

Learn about the intersection of cyber and AI by downloading the State of AI Cyber Security 2024 report to discover global findings that may surprise you, insights from security leaders, and recommendations for addressing today’s top challenges that you may face, too.

References

[1] Internal Darktrace Research

[2] Internal Darktrace Research

[3] Essential Microsoft Office Statistics in 2024

Continue reading
About the author
Carlos Gray
Product Manager
Our ai. Your data.

Elevate your cyber defenses with Darktrace AI

Start your free trial
Darktrace AI protecting a business from cyber threats.