Blog

Threat Finds

Ransomware

Inside the SOC

The double extortion business: Conti Ransomware Gang finds new avenues of negotiation

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
07
Dec 2021
07
Dec 2021
By constantly shifting tactics, the Conti Ransomware Gang have maintained one of the largest stakes in the increasingly profitable ransomware industry. Discover how Darktrace was able to detect one of their crippling double extortion attacks at its earliest stages.

In a previous blog, we outlined how the Ryuk ransomware strain developed by Russian hacking group ‘Wizard Spider’ has fallen into the hands of small-time cyber criminals.

Wizard Spider – who allegedly operate with support from the Russian government and remain under investigation by the FBI and Interpol – adopted Ryuk ransomware’s successor ‘Conti’ in 2020. Conti affects all Windows operating systems and has been involved in more than 400 incidents. Wizard Spider were soon rebranded in cyber press as the ‘Conti Ransomware Gang’, though the group does not necessarily see itself as a ‘gang’. It prefers to present itself as a business.

The ransomware bubble

Ransomware has become a multibillion-dollar industry – and the Conti Ransomware Gang reportedly made up 15% of it in 2020. With this scale of income, groups like Conti find themselves adopting some crude imitations of legitimate business practice. This corporate mimicry dictates that their victims be called ‘customers’, their extortion attempts ‘negotiations’ and their criminal peers ‘affiliates’. They even publish ‘press releases’ via a dedicated Dark Web site.

The gang’s Ransomware-as-a-Service ‘business model’ consists of employing affiliates, training them in Conti ransomware’s deployment and management, and then taking 30% of the profits themselves. With exact profits known only to the malware writers and not the affiliates, however, the percentage Conti takes is often much higher than the 30% they claim.

There may not be checks and regulations in place to address fraud in the cyber underworld, but one business complication which Conti have not been able to escape is that of the disgruntled employee.

Unhappy with the malpractice of their superiors, an underpaid affiliate leaked the Conti Ransomware Gang’s training materials and the IP addresses for their Cobalt Strike C2 servers in August 2021, declaring, “they recruit suckers and divide the money among themselves”.

Meanwhile, the US Government has also been taking action to try to disrupt the profit margins of groups like the Conti Ransomware Gang, going as far as to impose sanctions on cryptocurrency exchanges seen as facilitating ransomware transactions. However, leaks and legislation have proved far from fatal for Conti.

The reality is that these actions have not lost the Conti Ransomware Gang any of its so-called “customers”, and where there are customers there is profit. Any individual or organization entrusting their cyber security to conventional, rules-based measures is in their target market.

Darktrace’s AI recently detected a Conti attack conducted along the lines of one of the methods outlined in the August leak. The target organization – a US transportation company – was trialing Darktrace but, without Darktrace’s Autonomous Response set in active mode, the attack was allowed to go ahead. In examining how it progressed, however, it should become clear not only how threatening double extortion ransomware attacks like this one can be, but also how effectively they can be stopped by Darktrace at each stage of the attack.

Figure 1: Timeline of the attack

Conti Ransomware Gang diversifies the ransomware playbook

A single uninstalled Microsoft patch had left the target organization with dangerous ProxyShell vulnerabilities. Conti exploited these vulnerabilities, quickly gaining the rights to remotely execute Exchange PowerShell commands on the company’s server and steadily broadened its presence within the digital environment. This is a relatively new approach for the Conti Ransomware Gang, who previously relied upon phishing attacks and firewall exploits. By diversifying its approach, it stays ahead of patches and intelligence.

Two weeks after the initial breach, C2 connections were made to an unusual endpoint located in Finland using an SSL client which appeared innocuous but was 100% rare for the organization. Had Autonomous Response been set in active mode, Darktrace would have shut the connections down at this very early stage.

The IP address of this suspicious endpoint has since been identified as a Conti IoC (Indicator of Compromise), allowing it to be incorporated into rules-based security solutions. This would have done little good for the company in question, however, which was breached weeks before this intelligence was made available.

As Conti continued to conduct internal reconnaissance and move laterally through the company’s digital environment, Darktrace detected further unusual activity. The suspicious Finnish endpoint then employed new ‘Living off the Land’ techniques, installing the usually legitimate tools AnyDesk and Cobalt Strike onto various parts of the environment.

A series of SSL connections were made to AnyDesk endpoints and external hosts, one of which lasted 95 hours, indicating an active remote session conducted by one of Conti’s affiliates. At this stage, Darktrace had 10 distinct reasons to suspect an imminent attack.

Conti News: Closing the deal with double extortion ransomware

Double extortion has become the Conti Ransomware Gang’s new favourite sales tactic. If you refuse to pay its ransom, Conti will not only take your most important files from you, but also exfiltrate and publish them using its dedicated ‘Conti News’ website, or sell them directly to your competitors.

Having expanded their reach across the transport company’s network, the Conti affiliate began rapidly exfiltrating large quantities of company data to Conti’s preferred cloud storage site, MEGA. Over four days, more than 3TB of data was uploaded, and then encrypted.

To avoid detection by a human security team, encryption was launched at close to midnight – Conti’s ‘business’ does not respect business hours. When the company’s security team returned to work the next day, they were met with a ransom note.

This attack was able to progress because Darktrace was only being trialed at this stage and was therefore allowed to detect threats but not to take action against them. With Autonomous Response employed in active mode, this ransomware attack would have ended in the very early stages, when Darktrace detected its first suspicious connections.

Nonetheless, the Cyber AI Analyst was able to investigate and connect the dots of the attack automatically, making the organization’s remediation efforts drastically quicker and easier than they would have been without even this partial Darktrace deployment.

Figure 2: Cyber AI Analyst generated this incident report following the initiation of data exfiltration

How the Conti Ransomware Gang evades cyber intelligence

Security systems that rely on human intelligence to detect threats fit Conti’s ideal customer profile perfectly. By adapting and diversifying their approach, moving from Ryuk to Conti, and from spear phishing and firewall exploits to this new ProxyShell approach, Conti stay ahead of regulations and hold on to their vulnerable customer base.

Even if the Conti Ransomware Gang is brought down by leaks or legislation, other groups will rise to fill the gap in the market, eager for their own cut of the illicit gains. If these groups are to be truly stopped, they must be made unprofitable.

The US government has tried to do this by imposing fines upon ransom payers, but companies still often consider the losses involved in not recovering their data too great. As I have argued previously, ‘to pay or not to pay,’ is not the question we should be asking.

If you’re deciding whether to pay or not to pay, you’re already too far down the line. Darktrace stops groups like Conti at the first encounter. As this case has shown, Darktrace’s Self-Learning AI is able to identify threats weeks before human analysts and threat intelligence can do the same, and neutralize them at every stage of an attack with Autonomous Response.

Thanks to Darktrace analyst Sam Lister for his insights on the above threat find.

Darktrace model detections:

  • Device / Long Agent Connection to New Endpoint
  • Device / ICMP Address Scan
  • Anomalous Connection / SMB Enumeration
  • Anomalous Server Activity / Outgoing from Server
  • Compromise / Beacon to Young Endpoint
  • Anomalous Server Activity / Rare External from Server
  • Compromise / Fast Beaconing to DGA
  • Compromise / SSL or HTTP Beacon
  • Compromise / Sustained SSL or HTTP Increase
  • Compromise / Beacon for 4 Days
  • Anomalous Connection / Multiple HTTP POSTs to Rare Hostname
  • Unusual Activity / Enhanced Unusual External Data Transfer
  • Anomalous Connection / Data Sent to Rare Domain
  • Anomalous Connection / Uncommon 1 GiB Outbound
  • Compliance / SMB Drive Write
  • Anomalous File / Internal / Additional Extension Appended to SMB File
  • Anomalous Connection / Suspicious Read Write Ratio
  • Anomalous Connection / Suspicious Read Write Ratio and Unusual SMB
  • Anomalous Connection / Sustained MIME Type Conversion
  • Unusual Activity / Anomalous SMB Move & Write
  • Unusual Activity / Unusual Internal Data Volume as Client or Server
  • Device / Suspicious File Writes to Multiple Hidden SMB Shares
  • Compromise / Ransomware / Suspicious SMB Activity
  • Anomalous File / Internal / Unusual SMB Script Write
  • Anomalous File / Internal / Masqueraded Executable SMB Write
  • Device / SMB Lateral Movement
  • Device / Multiple Lateral Movement Model Breaches

INSIDE THE SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
AUTHOR
ABOUT ThE AUTHOR
Justin Fier
SVP, Red Team Operations

Justin is one of the US’s leading cyber intelligence experts, and holds the position of SVP, Red Team Operations at Darktrace. His insights on cyber security and artificial intelligence have been widely reported in leading media outlets, including the Wall Street Journal, CNN, The Washington Post, and VICELAND. With over 10 years’ experience in cyber defense, Justin has supported various elements in the US intelligence community, holding mission-critical security roles with Lockheed Martin, Northrop Grumman Mission Systems and Abraxas. Justin is also a highly-skilled technical specialist, and works with Darktrace’s strategic global customers on threat analysis, defensive cyber operations, protecting IoT, and machine learning.

Book a 1-1 meeting with one of our experts
share this article
COre coverage
No items found.

More in this series

No items found.

Blog

Inside the SOC

Identifying the Imposter: Darktrace’s Detection of Simulated Malware vs the Real Thing

Default blog imageDefault blog image
13
Mar 2024

Distinguishing attack simulations from the real thing

In an era marked by the omnipresence of digital technologies and the relentless advancement of cyber threats, organizations face an ongoing battle to safeguard their digital environment. Although red and blue team exercises have long served as cornerstones in evaluating organizational defenses, their reliance on manual processes poses significant constraints [1]. Led by seasoned security professionals, these tests offer invaluable insights into security readiness but can be marred by their resource-intensive and infrequent testing cycles. The gaps between assessments leave organizations open to undetected vulnerabilities, compromising the true state of their security environment. In response to the ever-changing threat landscape, organizations are adopting a proactive stance towards cyber security to fortify their defenses.

At the forefront, these efforts tend to revolve around simulated attacks, a process designed to test an organization's security posture against both known and emerging threats in a safe and controlled environment [2]. These meticulously orchestrated simulations imitate the tactics, techniques, and procedures (TTPs) employed by actual adversaries and provide organizations with invaluable insights into their security resilience and vulnerabilities. By immersing themselves in simulated attack scenarios, security teams can proactively probe for vulnerabilities, adopt a more aggressive defense posture, and stay ahead of evolving cyber threats.

Distinguishing between simulated malware observations and authentic malware activities stands as a critical imperative for organizations bolstering their cyber defenses. While simulated platforms offer controlled scenarios for testing known attack patterns, Darktrace’s Self-Learning AI can detect known and unknown threats, identify zero-day threats, and previously unseen malware variants, including attack simulations. Whereas simulated platforms focus on specific known attack vectors, Darktrace DETECT™ and Darktrace RESPOND™ can identify and contain both known and unknown threats across the entire attack surface, providing unparalleled protection of the cyber estate.

Darktrace’s Coverage of Simulated Attacks

In January 2024, the Darktrace Security Operations Center (SOC) received a high volume of alerts relating to an unspecified malware strain that was affecting multiple customers across the fleet, raising concerns, and prompting the Darktrace Analyst team to swiftly investigate the multitude of incident. Initially, these activities were identified as malicious, exhibiting striking resemblance to the characteristics of Remcos, a sophisticated remote access trojan (RAT) that can be used to fully control and monitor any Windows computer from XP and onwards [3]. However, further investigation revealed that these activities were intricately linked to a simulated malware provider.

This discovery underscores a pivotal insight into Darktrace’s capabilities. To this point, leveraging advanced AI, Darktrace operates with a sophisticated framework that extends beyond conventional threat detection. By analyzing network behavior and anomalies, Darktrace not only discerns between simulated threats, such as those orchestrated by breach and attack simulation platforms and genuine malicious activities but can also autonomously respond to these threats with RESPOND. This showcases Darktrace’s advanced capabilities in effectively mitigating cyber threats.

Attack Simulation Process: Initial Access and Intrusion

Darktrace initially observed devices breaching several DETECT models relating to the hostname “new-tech-savvy[.]com”, an endpoint that was flagged as malicious by multiple open-source intelligence (OSINT) vendors [4].

In addition, multiple HTML Application (HTA) file downloads were observed from the malicious endpoint, “new-tech-savvy[.]com/5[.]hta”. HTA files are often seen as part of the UAC-0050 campaign, known for its cyber-attacks against Ukrainian targets, which tends to leverage the Remcos RAT with advanced evasion techniques [5] [6]. Such files are often critical components of a malware operation, serving as conduits for the deployment of malicious payloads onto a compromised system. Often, within the HTA file resides a VBScript which, upon execution, triggers a PowerShell script. This PowerShell script is designed to facilitate the download of a malicious payload, namely “word_update.exe”, from a remote server. Upon successful execution, “word_update.exe” is launched, invoking cmd.exe and initiating the sharing of malicious data. This process results in the execution of explorer.exe, with the malicious RemcosRAT concealed within the memory of explorer.exe. [7].

As the customers were subscribed to Darktrace’s Proactive Threat Notification (PTN) service, an Enhanced Monitoring model was breached upon detection of the malicious HTA file. Enhanced Monitoring models are high-fidelity DETECT models designed to identify activity likely to be indicative of compromise. These PTN alerts were swiftly investigated by Darktrace’s round the clock SOC team.

Following this successful detection, Darktrace RESPOND took immediate action by autonomously blocking connections to the malicious endpoint, effectively preventing additional download attempts. Similar activity may be seen in the case of a legitimate malware attack; however, in this instance, the hostname associated with the download confirmed the detected malicious activity was the result of an attack simulation.

Figure 1: The Breach Log displays the model breach, “Anomalous File/Incoming HTA File”, where a device was detected downloading the HTA file, “5.hta” from the endpoint, “new-tech-savvy[.]com”.
'
Figure 2: The Model Breach Event Log shows a device making connections to the endpoint, “new-tech-savvy[.]com”. As a result, theRESPOND model, “Antigena/Network/External Threat/Antigena File then New Outbound Block", breached and connections to this malicious endpoint were blocked.
Figure 3: The Breach Log further showcases another RESPOND model, “Antigena/Network/External Threat/Antigena Suspicious File Block", which was triggered when the device downloaded a  HTA file from the malicious endpoint, “new-tech-savvy[.]com".

In other cases, Darktrace observed SSL and HTTP connections also attributed to the same simulated malware provider, highlighting Darktrace’s capability to distinguish between legitimate and simulated malware attack activity.

Figure 4: The Model Breach “Anomalous Connection/Low and Slow Exfiltration" displays the hostname of a simulated malware provider, confirming the detected malicious activity as the result of an attack simulation.
Figure 5: The Model Breach Event Log shows the SSL connections made to an endpoint associated with the simulated malware provider.
Figure 6: Darktrace’s Advanced Search displays SSL connection logs to the endpoint of the simulated malware provider around the time the simulation activity was observed.

Upon detection of the malicious activity occurring within affected customer networks, Darktrace’s Cyber AI Analyst™ investigated and correlated the events at machine speed. Figure 8 illustrates the synopsis and additional technical information that AI Analyst generated on one customer’s environment, detailing that over 220 HTTP queries to 18 different endpoints for a single device were seen. The investigation process can also be seen in the screenshot, showcasing Darktrace’s ability to provide ‘explainable AI’ detail. AI Analyst was able to autonomously search for all HTTP connections made by the breach device and identified a single suspicious software agent making one HTTP request to the endpoint, 45.95.147[.]236.

Furthermore, the malicious endpoints, 45.95.147[.]236, previously observed in SSH attacks using brute-force or stolen credentials, and “tangible-drink.surge[.]sh”, associated with the Androxgh0st malware [8] [9] [10], were detected to have been requested by another device.

This highlights Darktrace’s ability to link and correlate seemingly separate events occurring on different devices, which could indicate a malicious attack spreading across the network.  AI Analyst was also able to identify a username associated with the simulated malware prior to the activity through Kerberos Authentication Service (AS) requests. The device in question was also tagged as a ‘Security Device’ – such tags provide human analysts with valuable context about expected device activity, and in this case, the tag corroborates with the testing activity seen. This exemplifies how Darktrace’s Cyber AI Analyst takes on the labor-intensive task of analyzing thousands of connections to hundreds of endpoints at a rapid pace, then compiling results into a single pane that provides customer security teams with the information needed to evaluate activities observed on a device.

All in all, this demonstrates how Darktrace’s Self-Learning AI is capable of offering an unparalleled level of awareness and visibility over any anomalous and potentially malicious behavior on the network, saving security teams and administrators a great deal of time.

Figure 7: Cyber AI Analyst Incident Log containing a summary of the attack simulation activity,, including relevant technical details, and the AI investigation process.

Conclusion

Simulated cyber-attacks represent the ever-present challenge of testing and validating security defenses, while the threat of legitimate compromise exemplifies the constant risk of cyber threats in today’s digital landscape. Darktrace emerges as the solution to this conflict, offering real-time detection and response capabilities that identify and mitigate simulated and authentic threats alike.

While simulations are crafted to mimic legitimate threats within predefined parameters and controlled environments, the capabilities of Darktrace DETECT transcend these limitations. Even in scenarios where intent is not malicious, Darktrace’s ability to identify anomalies and raise alerts remains unparalleled. Moreover, Darktrace’s AI Analyst and autonomous response technology, RESPOND, underscore Darktrace’s indispensable role in safeguarding organizations against emerging threats.

Credit to Priya Thapa, Cyber Analyst, Tiana Kelly, Cyber Analyst & Analyst Team Lead

Appendices

Model Breaches

Darktrace DETECT Model Breach Coverage

Anomalous File / Incoming HTA File

Anomalous Connection / Low and Slow Exfiltration

Darktrace RESPOND Model Breach Coverage

§  Antigena / Network/ External Threat/ Antigena File then New Outbound Block

Cyber AI Analyst Incidents

• Possible HTTP Command and Control

• Suspicious File Download

List of IoCs

IP Address

38.52.220[.]2 - Malicious Endpoint

46.249.58[.]40 - Malicious Endpoint

45.95.147[.]236 - Malicious Endpoint

Hostname

tangible-drink.surge[.]sh - Malicious Endpoint

new-tech-savvy[.]com - Malicious Endpoint

References

1.     https://xmcyber.com/glossary/what-are-breach-and-attack-simulations/

2.     https://www.picussecurity.com/resource/glossary/what-is-an-attack-simulation

3.     https://success.trendmicro.com/dcx/s/solution/1123281-remcos-malware-information?language=en_US&sfdcIFrameOrigin=null

4.     https://www.virustotal.com/gui/url/c145cf7010545791602e9585f447347c75e5f19a0850a24e12a89325ded88735

5.     https://www.virustotal.com/gui/url/7afd19e5696570851e6413d08b6f0c8bd42f4b5a19d1e1094e0d1eb4d2e62ce5

6.     https://thehackernews.com/2024/01/uac-0050-group-using-new-phishing.html

7.     https://www.uptycs.com/blog/remcos-rat-uac-0500-pipe-method

8.     https://www.virustotal.com/gui/ip-address/45.95.147.236/community

9.     https://www.virustotal.com/gui/domain/tangible-drink.surge.sh/community

10.  https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-016a

Continue reading
About the author
Priya Thapa
Cyber Analyst

Blog

No items found.

Mastering Cloud Migration: Strategies, Services, and Risks

Default blog imageDefault blog image
12
Mar 2024

What is cloud migration?

Cloud migration, in its simplest form, refers to the process of moving digital assets, such as data, applications, and IT resources, from on-premises infrastructure or legacy systems to cloud computing environments. There are various flavours of migration and utilization, but according to a survey conducted by IBM, one of the most common is the 'Hybrid' approach, with around 77% of businesses adopting a hybrid cloud approach.

There are three key components of a hybrid cloud migration model:

  1. On-Premises (On-Prem): Physical location with some amount of hardware and networking, traditionally a data centre.
  2. Public Cloud: Third-party providers like AWS, Azure, and Google, who offer multiple services such as Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS).
  3. Private Cloud: A cloud computing environment where resources are isolated for one customer.

Why does cloud migration matter for enterprises?

Cloud adoption provides many benefits to businesses, including:

  1. Scalability: Cloud environments allow enterprises to scale resources up or down based on demand, enabling them to quickly adapt to changing business requirements.
  2. Flexibility and Agility: Cloud platforms provide greater flexibility and agility, enabling enterprises to innovate and deploy new services more rapidly compared to traditional on-premises infrastructure.
  3. Cost Efficiency: Pay-as-you-go model, allowing enterprises to reduce capital expenditures on hardware and infrastructure.
  4. Enhanced Security: Cloud service providers invest heavily in security measures to protect data and infrastructure, offering advanced security features and compliance certifications.

The combination of these benefits provides significant potential for businesses to innovate and move quickly, ultimately allowing them to be flexible and adapt to changing market conditions, customer demands, and technological advancements with greater agility and efficiency.

Cloud migration strategy

There are multiple migration strategies a business can adopt, including:

  1. Rehosting (Lift-and-shift): Quickly completed but may lead to increased costs for running workloads.
  2. Refactoring (Cloud Native): Designed specifically for the cloud but requires a steep learning curve and staff training on new processes.
  3. Hybrid Cloud: Mix of on-premises and public cloud use, offering flexibility and scalability while keeping data secure on-premises. This can introduce complexities in setup and management overhead and requires ensuring security and compliance in both environments.

It is important to note that each strategy has its trade-offs and there is no single gold standard for a one size fits all cloud migration strategy. Different businesses will prioritize and leverage different benefits, for instance while some might prefer a rehosting strategy as it gets them migrated the fastest, it typically ends up also being the most costly strategy as “lift-and-shift” doesn’t take advantage of many key benefits that the cloud has to offer. Conversely, refactoring is a strategy optimized at making the most of the benefits that cloud providers have to offer, however the process of redesigning applications requires cloud expertise and based on the scale of applications that are required to be refactored this strategy might not be the quickest when it comes to moving applications from being hosted on premise to in the cloud.  

Phases of a cloud migration

At the highest level, there are four main steps in a successful migration:

  1. Discover: Identify and categorize IT assets, applications, and critical dependencies.
  2. Plan: Develop a detailed migration plan, including timelines, resource allocation, and risk management strategies.
  3. Migrate: Execute the migration plan, minimizing disruption to business operations.
  4. Optimize: Continuously optimize the cloud environment using automation, performance monitoring, and cost management tools to improve efficiency, performance, and scalability.

While it is natural to race towards the end goals of a cloud migration, most successful cloud migration strategies allocate the appropriate timelines to each phase.  

The “Discover” phase specifically is where most businesses can set themselves up for success. Having a complete understanding of assets, applications, services, and dependencies needed to migrate however is much easier said than done. Given the pace of change and how laborious of a task inventorying everything can be to manage and maintain, most mistakes at this stage will propagate and amplify through the migration journey.  

Risks and challenges of cloud migration

Though cloud migration offers a wealth of benefits, it also introduces new risks that need to be accounted for and managed effectively. Security should be considered a fundamental part of the process, not an additional measure that can be ‘bolted’ on at the end.

Let’s consider the most popular migration strategy, using a ‘Hybrid Cloud’. A recent report by the industry analyst group Forrester cited that Cloud Security Posture Management (CSPM) tools are just one facet of security, stating:

"No matter how good it is, using a CSPM solution alone will not provide you with full visibility, detection, and effective remediation capabilities for all threats. Your adversaries are also targeting operating systems, existing on-prem network infrastructure, and applications in their quest to steal valuable data".

Unpacking some of the risks here, it’s clear they fall into a range of categories, including:

  1. Security Concerns: Ensuring security across both on-premises and cloud environments, addressing potential misconfigurations and vulnerabilities.
  2. Contextual Understanding: Effective security requires a deep understanding of the organization's business processes and the context in which data and applications operate.
  3. Threat Detection and Response: Identifying and responding to threats in real-time requires advanced capabilities such as AI and anomaly detection.
  4. Platform Approach: Deploying integrated security solutions that provide end-to-end visibility, centralized management, and automated responses across hybrid infrastructure.

Since the cloud doesn’t operate in a vacuum, businesses will always have a myriad of 3rd party applications, users, endpoints, external services, and partners connecting and interacting with their cloud environments. From this perspective, being able to correlate and understand behaviors and activity both within the cloud and its surroundings becomes imperative.

It then follows that context from a business wide perspective is necessary. This has two distinct implications, the first is application or workload specific context (i.e. where do the assets, services, and functions alerted on reside within the cloud application) and the second is business wide context. Given the volume of alerts that security practitioners need to manage, findings that lack the appropriate context to fully understand and resolve the issue create additional strain on teams that are already managing a difficult challenge.  

Conclusion

With that in mind, Darktrace’s approach to security, with its existing and new advances in Cloud Detection and Response capabilities, anomaly detection across SaaS applications, and native ability to leverage many AI techniques to understand the business context within your dynamic cloud environment and on-premises infrastructure. It provides you with the integrated building blocks to provide the ‘360’ degree view required to detect and respond to threats before, during, and long after your enterprise migrates to the cloud.

References

IBM Transformation Index: State of Cloud https://www.ibm.com/blog/hybrid-cloud-use-cases/

https://www.forrester.com/report/the-top-trends-shaping-cloud-security-posture-management-cspm-in-2024/RES180379  

Continue reading
About the author
Adam Stevens
Analyst Technical Director
Our ai. Your data.

Elevate your cyber defenses with Darktrace AI

Start your free trial
Darktrace AI protecting a business from cyber threats.