Every rule has an exception: How to detect insider threat without rules

Andrew Tsonchev, Director of Cyber Analysis | Wednesday June 21, 2017

Typically, security controls have to predefine ‘good’ and ‘bad’ behavior, but this approach inevitably leaves room for people to circumvent those rules, intentionally or otherwise. This is especially problematic when it comes to establishing rules for insiders. Too restrictive, and their workflow is impeded. Too laissez-fair, and they open themselves up to easily preventable threats.

For instance, to prevent anomalous RDP connections – either inbound or outbound – traditional security tools like firewalls often predefine which destination ports to allow and which ports to restrict. However, if an employee were to use a destination port not explicitly restricted by the firewall, they could theoretically exfiltrate data out of the network without raising any alerts.

After installing on the corporate network of a large manufacturing company, our AI technology recently spotted a rogue device making RDP connections to a rare external host that should have been blocked by the firewall.

10.230.102.143 · 00:23:18:28:3d:8c made 2 RDP connections to 100% rare external host mail.klaxcar[.]com

The company’s firewall was configured to prevent outbound RDP connections, but the rule was overly simplistic and was defined by destination port. By changing the port in use, the connections were allowed to continue.

Time: 2017-03-23 14:44:57 [UTC]
Protocol: RDP
Source: 10.230.102.143
Destination: 217.109.48.125
Destination Port: 30005

No other devices in the network had been observed connecting to that host. The activity represented a major deviation from the pattern of normality built by Darktrace’s AI algorithms. The connections lasted over ten minutes and involved the download of nearly 4MB of data.

10.230.102.143 was first seen on the network on 2017-03-23.
Total duration: 10 mins 34 secs
Total upload: 0.19 MB
Total download: 3.77 MB

Darktrace Antigena determined this activity was threatening enough to require an immediate response. It triggered an autonomous response that blocked all outgoing traffic from the device for 10 minutes, giving the security team time to identify the rogue device and stop the RDP activities.

Upon investigation, it became clear that an employee had connected their personal device to the corporate network and was attempting to send valuable intellectual property to a foreign party. The external host happened to be associated with a competing manufacturing company.

It may be tempting to conclude that the company simply needed a better firewall, but that misses the point. Legacy tools – no matter how expensive – still rely on rules, and every rule has an exception. Of course, firewalls are still an essential part of modern cyber security, but organizations need to accept that cyber-threats will always find a way around these tools.

At Darktrace, our technology doesn’t make any assumptions about maliciousness. It uses advanced machine learning and AI algorithms to learn ‘normal’ for every user and device on a network. When a threatening deviation arises, Darktrace neutralizes the threat in real time. While some of these anomalies get stopped by firewalls and other rules-based tools, subtle insider threats like these frequently go undetected.

To learn more about the threats Darktrace finds, check out our Threat Use Cases page which tells the story of how a hacker compromised the video conferencing unit in the executive boardroom.

Andrew Tsonchev

Andrew is a technical expert on cyber security and advises Darktrace’s strategic customers on advanced threat defense, AI and autonomous response. He has a background in threat analysis and research, and holds a first-class degree in physics from Oxford University and a first-class degree in philosophy from King’s College London. His comments on cyber security and the threat to critical national infrastructure have been reported in international media, including CNBC and the BBC World.

WannaCry: Darktrace’s response to the global ransomware campaign

Andrew Tsonchev, Director of Cyber Analysis | Wednesday May 17, 2017

Over 200,000 organisations and private individuals were victims of Friday’s global cyber-attack. This number is likely to increase over the coming weeks, as copy-cat criminals develop variants of the same ransomware and new methods of delivering similar attacks.

Some background on the WannaCry campaign

The WannaCry outbreak does not appear to have targeted specific countries or industries. Instead, it targeted outdated computer systems, using exploit kits leaked earlier this year to infect devices and drop the initial ransomware file. Once inside a network, WannaCry will attempt to locate other vulnerable computers by conducting internal and external SMB scanning. Having established itself, the malware encrypts files and demands a ransom of around $300 to unlock them, payable in Bitcoin. However, dealing with criminals means that there is no guarantee of the files being released if that money is paid out. Strong security measures and effective response mechanisms are the only reliable ways in which to prevent extensive damage.

Leveraging Darktrace, these kind of infections are not hard to detect: WannaCry and other ransomware cause highly anomalous behavioral patterns that our machine-learning technology is ideally placed to recognise.

To demonstrate, let’s take a walk-through of how Darktrace was able to detect the WannaCry attack on a client. Note that device names have been obfuscated for security purposes.

  1. Following the initial compromise, Darktrace detected unusual activity originating from an infected device, as it scanned the network in an attempt to locate other devices open to SMB connections:

    Example of an internal scan.

    The worm was scanning the network to locate devices with the DoublePulsar backdoor already present, through which the WannaCry ransomware can be dropped. If this backdoor was not found to be present, the worm used an exploit known as EternalBlue to infect the device, installing both WannaCry and the DoublePulsar backdoor.

  2. This installation of the worm on vulnerable devices allowed it to continue to spread laterally inside the network.
  3. Simultaneously, infected devices scanned random external IPs on port 445 (SMB), to continue spreading the worm to other devices on the internet:

    Internal devices scanning external destinations.

  4. As soon as infected devices started scanning both inside and outside network, Darktrace detected these activities as serious deviations in the devices’ usual pattern of life:

    External and internal connections by one of the network devices 48 hours either side of the WannaCry campaign. Every orange dot represents a model breach.

  5. For many of these devices, the deviation from typical pattern of life was such that it took Darktrace one second to detect anomalous behavior:

    As this unusual activity persisted in the network, the confidence of Darktrace’s machine learning increased and attributed higher scores to these anomalous events:

  6. These high scores caused Darktrace models to breach in real time, alerting the customer to the severity of the unusual connections occurring inside their network:

In these recent cyber-attacks, the level of disruption was attributed to the speed with which this infection was able to spread like wildfire through networks. Unlike more common forms of malware, which rely on human-mediated methods such as phishing to co-opt people into triggering the payload, this type of attack uses a worm to move from machine to machine without human intervention. Fortunately, it is precisely this – a dramatic change in internal activity – which has allowed us to effectively fight back.

Darktrace Antigena acts automatically to neutralise in-progress attacks, taking targeted action against deviations in the expected ‘pattern of life’. This allows organisations to react before humans have even become aware of a breach. So it follows that the extent of deviation produced by an attack is fundamentally linked to the ability of a self-aware network to protect itself.

The potential gravity of this situation has proven that infections traveling at machine speed require an equivalent response time – only possible with machine-learning technology – in order to stop and contain future threats.

Andrew Tsonchev

Andrew is a technical expert on cyber security and advises Darktrace’s strategic customers on advanced threat defense, AI and autonomous response. He has a background in threat analysis and research, and holds a first-class degree in physics from Oxford University and a first-class degree in philosophy from King’s College London. His comments on cyber security and the threat to critical national infrastructure have been reported in international media, including CNBC and the BBC World.