The speed of today’s most advanced threats can be devastating. In the few minutes it takes a security analyst to step away from her screen to grab a coffee, ransomware can take down thousands of computers before human teams or traditional tools have the chance to respond. And while big, fast threats are more likely to grab the headlines, cyber-attacks which do the opposite can be just as dangerous. The latest escalation in the cyber arms race sees attackers choosing stealth over speed and cunning over chaos.
As defenders work to rapidly deploy new security and detection technologies, malware authors have been similarly innovative, working to find a means of evading them. New ‘low and slow’ attacks are able to bypass traditional security tools because each individual action compiling the larger threat is too small to detect. These attacks are designed to operate over a longer period of time – and by minimizing disruption to any data transfer or connectivity levels, they blend into legitimate traffic.
For advanced and well-resourced actors like nation states in search of valuable intellectual property or sensitive political records, subtle and prolonged exposure to the systems they attack is a significant benefit. When it comes to the most sophisticated threats, slow and steady really can win the race.
Nevertheless, detection of low and slow attacks is possible with advanced machine learning techniques. To do so, contextual knowledge is critical; by modeling the subtle and unique ‘patterns of life’ of every user, device, and the network as a whole, AI-powered defenses are, for the first time, winning this battle.
This blog explores how attackers use low and slow techniques during multiple stages of the kill chain to achieve their eventual goal. We examine three real-world case studies, drawn from over 7,000 deployments of the Enterprise Immune System, to demonstrate how cyber AI detects low and slow reconnaissance, data exfiltration, and command-and-control activity.
Low and slow reconnaissance
By monitoring the behavioral pattern of devices and users, Darktrace AI is able to learn an evolving profile for expected activity. Armed with this understanding of ‘normal’ for the network, it can then identify significant anomalies indicative of a threat. It does all this without relying on training sets of historical data, enabling the technology to spot threats that other tools miss.
On the network of a European financial services firm, Darktrace discovered a server conducting port scans of various internal computers. This type of network scanning is regularly performed for legitimate testing purposes by administrative devices, but it is also a tactic for attackers to identify vulnerabilities and points of compromise – an early stage of an attack.
Over a duration of 7 days, the server made around 214,000 failed connections to 276 unique devices. However, only a small number of ports were targeted per day. The attack was sequential, but slow over time. Measured in one day, the level of disturbance was minimal enough to evade all rules-based defenses. Nevertheless, by learning ‘self’ across the entire digital business over time, cyber AI can detect even the subtlest deviation from ‘normal’ relative to the individual device, user, or network. Darktrace recognized the longer pattern of network scanning and alerted the customer immediately.
Low and slow data exfiltration
At an industrial manufacturing company, a desktop was identified establishing over 2,000 connections to a rare host over a 7-day period. During this time, a total of 9.15GB of data was transferred externally. No single connection transmitted more than a few MB of data – an amount which, if viewed in isolation, would not be cause for concern. However, the destination for these connections was 100% rare for the network and maintained that level of rarity for the entire period of exfiltration. This not only flagged the activity as initially suspicious, but also prevented it from being absorbed into legitimate traffic. Combined with the accumulated volume of data leaving the network, Darktrace AI identified this as significant deviation in the device’s behavior, indicating a threat in progress.
Low and slow command and control
Darktrace is extremely successful in finding malware infections before they appear on open-source threat lists, a crucial ability when stopping the most serious, never-before-seen threats. This is achieved in large part by detecting beaconing patterns rather than relying on signatures. Beaconing occurs when a malicious program attempts to establish contact with its online infrastructure. Similar to network scanning, it creates a surge in outgoing connections.
Darktrace was deployed in a corporate network where a device was found making connections at steady intervals to a malicious browser extension. The average rate of connection was 11 connections every 4 hours – a low activity level which could easily have blended into legitimate internet traffic. Having identified the regularity of these connections, Darktrace’s AI assigned a high beaconing score, which indicated that they were likely initiated by an automated process. If we include the fact that the destination was rare, it became clear that this was caused by a malicious background program that was running unbeknownst to the user.
As cyber security advances, attackers will develop increasingly sophisticated methods to operate under the radar. Traditional cyber security tools which work in binary ways based on historical data – either the upload exceeded a predefined limit or not – cannot keep up. This new era will see AI proven crucial because of its ability to learn a constantly-evolving ‘pattern of life’ for a network over the duration of its deployment. This allows Darktrace AI to effectively locate the disturbances in connectivity levels – no matter how small – that have been caused by malicious or non-compliant activity. Fundamentally, this enables Darktrace to discover in-progress attacks and then autonomously respond, neutralizing them before they become a crisis.
High-profile, fast-moving attacks like NotPetya and WannaCry have encouraged some organizations to focus on preventing certain types of threat, at the expense of others – and hackers are catching on. By leveraging powerful AI, Darktrace empowers customers to prevent not just the fastest-moving attacks, but also the slowest and subtlest.
Dave is the Director of Technology at Darktrace, overseeing the mathematics and engineering teams and project strategies. With over 19 years of experience at the forefront of government intelligence operations, Dave has worked across UK intelligence agencies GCHQ and MI5, where he was responsible for delivering mission-critical infrastructure services, including replacing and securing entire global networks, the development of operational internet capabilities and the management of critical disaster recovery incidents. He acts as an advisor to cyber security start-ups and growth-stage companies from the UK Government’s Cyber Security Accelerator and CyLon. His insights on AI and the future of cyber security are also regularly featured in the UK media. He holds a first-class degree in Computer Science and Software Engineering from the University of Birmingham.
From Thanksgiving to Cyber Monday, shoppers across the globe will splurge tens of billions of dollars on everything from pillows to parkas to Pokémon pajamas. U.S. consumers alone spent a record $19.62 billion last Black Friday weekend — on just online purchases. And while the number of customers at brick-and-mortar stores declined 4% from 2016, e-commerce sales were 18% higher in 2017, when for the first time more Americans shopped online than in person. There is every reason to suspect that a virtually unprecedented volume of virtual cash is about to change hands, presenting an equally unprecedented opportunity for a massive holiday cyber-heist. Here’s what such a heist might look like:
Proof of concept
While the incentive for cyber-crime during this Black Friday weekend is historically unparalleled, it has long been the holiday of choice for criminals. On Cyber Monday of 2014, for instance, a DNS provider was hit by a relatively rudimentary DDoS attack that nonetheless disrupted its clients’ websites. More advanced DDoS attacks launched by modern Mirai botnets — like the 2016 Dyn attack that crippled many of the Internet’s top websites — would be devastating on Black Friday, when companies like Amazon reel in upwards of a million dollars per minute. And for smaller retailers, a ransomware or DDoS attack this weekend poses existential risk, both because of lost revenue and because of reputational damage in such a highly competitive industry.
Prior to last year’s Black Friday weekend, experts anticipated more than 50 million attacks on businesses during peak shopping days, and cyber-criminals did not disappoint. Darktrace detected a 70% uptick in significant threats facing its retail clients during the holiday season, from November and December, compared to the previous two months, an uptick that helps explain why cyber-crime cost the world $600 billion last year. At least in the short term, it appears that online crime does pay — especially after Thanksgiving.
Mode of attack
As forensics continue to improve and CCTVs rapidly proliferate, the in-person criminal heist has largely been replaced by online robbery, which leaves no fingerprints and can be seen by no camera. One example: the annual amount of money stolen in U.S. bank robberies — the quintessential heist — has fallen by more than 60% since 2003, while cyber-crimes like credit card fraud have simultaneously skyrocketed. This transition to digital larceny makes financial sense as well, given that less than 10% of the world’s currency still exists as physical cash.
Indeed, identity theft is even more lucrative than bank robbery if done at scale, yet it entails far less risk for the perpetrators. Stolen credit card numbers can each sell for $100 on the Dark Web, rendering crimes like the Target breach — which took place during Black Friday weekend in 2013 and exposed 40 million debit and credit accounts — extremely profitable. With more than 100 million Americans and close to a billion global shoppers online during the holiday season, ’tis certainly the season for a large-scale assault on personal information.
But perhaps the most revolutionary aspect of cyber-heists is that they need not even steal anything to make off with loot. Faced with a well-timed ransomware attack, retailers often simply hand over their cash to remain operational: 70% of businesses paid the ransom after attacks in 2016, prompting criminals to quadruple their average demand. And on the busiest shopping day in history, there’s no telling how exorbitant these demands might be.
Cyber-threats that are specifically aimed at the retail sector make the challenge of security even more difficult for defenders, since much like a targeted traditional heist, they exploit their victims’ unique vulnerabilities. The numbers validate common sense here: insights from across Darktrace’s customer base reveal that these key retail threats — which include personalized phishing attacks, Cloud and SaaS attacks, as well as trojans — are more than twice as likely to become high-priority incidents as the average threat. With so much money on the line, every retailer should expect to confront targeted attacks throughout the weekend.
Bypassing the defenses
From ransomware to data exfiltration, one can make an educated guess about the kinds of threats facing retailers this Black Friday. But the truth is that no one knows exactly what the next global cyber-attack will look like, particularly given the enormous incentive for criminals to create an entirely new attack strain — or even a new type of attack altogether. Several recent, state-sponsored exploits have proven that the financial and technical backing exists to produce malware sophisticated enough to deliver a serious blow to the U.S. economy.
Innovative attacks pose a fundamental problem for traditional security tools, which rely on knowledge of past incidents to stop future ones. By updating their predefined notions of what constitutes a cyber-threat when a breach occurs, the best of these tools stop previously known attacks, but they are nonetheless blind to unknown threats. Many retailers have deployed Darktrace’s AI cyber security because it doesn’t presume to know what tomorrow’s attack will look like; rather, Darktrace learns on the job to differentiate between normal and abnormal behavior. But while such adaptive security is the only approach that stands a chance in today’s fast-changing threat landscape, most retailers have yet to make the switch.
In this era of DNA forensics and near-ubiquitous surveillance, the criminal heist has not disappeared — it’s digitized. And while retail companies prepare themselves for the generic cyber-threats of the past, very few are in a position to counter a never-before-seen attack that, like a physical heist, has been planned for months to exploit their unique security blind spots. As we inch closer to zero hour, the industry must be willing to adapt its cyber defenses against an ever-evolving adversary, or it may end Black Friday firmly in the red.
Justin is one of the US’s leading cyber intelligence experts, and holds the position of Director for Cyber Intelligence & Analytics at Darktrace. His insights on cyber security and artificial intelligence have been widely reported in leading media outlets, including the Wall Street Journal, CNN, The Washington Post, and VICELAND. With over 10 years of experience in cyber defense, Justin has supported various elements in the US intelligence community, holding mission-critical security roles with Lockheed Martin, Northrop Grumman Mission Systems and Abraxas. Justin is also a highly-skilled technical specialist, and works with Darktrace’s strategic global customers on threat analysis, defensive cyber operations, protecting IoT, and machine learning.