Cyber AI Platform
The application of artificial intelligence to the cyber defense challenge has marked a fundamental shift in our ability to protect critical data systems and digital infrastructures. For strained security teams, it offers the possibility to keep pace with an ever-evolving threat landscape.
While rule and signature-based solutions offer some protection against pre-identified threats, the reality is that no one knows where the next cyber-threat might come from, or how it will manifest itself.
Powered by unsupervised machine learning, Cyber AI is a self-learning technology – it learns ‘on the job’, from the data and activity that it observes in situ. This means making billions of probability-based calculations in light of evolving evidence.
As it learns, Cyber AI uncovers rare and previously unseen patterns in information, amid the noise of everyday activity across an organization’s digital systems. By detecting subtle deviations from the organization’s ‘pattern of life’, it can distinguish friend from foe – and highlight true cyber-threats or attacks that would otherwise go unnoticed.
Cyber AI can then take the right action, at the right time, to curb a threat in seconds – a unique Autonomous Response capability hailed by Dr Nick Jennings, Chair in Artificial Intelligence at Imperial College London, as a “significant engineering innovation that extends the frontier of cyber security,” and as “essential for dealing with the volume, novelty, and speed of modern cyber incidents.” Today, Darktrace’s Cyber AI Platform is relied on by more than 3,000 organizations worldwide.
And as cyber-criminals begin to augment their own attacks with artificial intelligence, organizations will need Autonomous Response AI to fight back against a new generation of cyber-threats. AI and machine learning will soon enable cyber-criminals to launch targeted attacks at speed and scale, autonomously devising novel attack techniques that no human could conceive. Yet in the war of algorithms to come, Cyber AI will always be one step ahead of the attackers – prepared to defend at any moment.
Security teams are overwhelmed: threats are getting more advanced and the digital business keeps expanding.
Autonomous response is there when you can’t be – artificial intelligence that knows what to do and when, in order to stop a cyber-threat in its tracks.
Recognized by experts
Autonomous response has been recognized by Forrester, Gartner, Ovum and 451 Research as the next phase in cyber defense.
Acts when you are out of the office (OOTO)
You can’t be everywhere. Autonomous response is there to stop threats spreading – giving you time to catch up. Hundreds of business leaders sleep better at night knowing AI has got their back.
Reacts every 3 seconds
Darktrace AI is responding to a threat somewhere in the world every 3 seconds. It knows the right action to take, without causing disruption to the organization.
Darktrace Threat Visualizer
The Threat Visualizer is Darktrace’s real-time, 3D threat notification interface. As well as displaying threat alerts, the Threat Visualizer provides a graphical overview of the day-to-day activity of your network(s), which is easy to use, and accessible for both security specialists and business executives.
Using cutting-edge visualization techniques, the Threat Visualizer user interface automatically alerts analysts to significant incidents and threats within their environments, enabling analysts to proactively investigate specific areas of the infrastructure.
- 3D visualization of entire network topology
- Real-time global overview of enterprise threat level
- Intelligently clusters anomalies
- Pan-spectrum viewing – higher-order network topology; specific clusters, subnets, and host events
- Searchable logs and events
- Replay of historical data
- Concise summary of overall behavior for device and external IPs
- Designed for business executives and security analysts
Visualization techniques can also be used to provide a high-level overview of a company’s network for business executives, helping to bridge the gap between technical specialists and the boardroom. Executives are given an easy-to-consume oversight of security issues, improving their awareness and understanding of the network environment, and enhancing their ability to make management decisions.
AI & Machine Learning
Artificial intelligence and machine learning present a significant opportunity to the cyber security industry. Today, new machine learning methods can vastly improve the accuracy of threat detection and enhance network visibility thanks to the greater amount of computational analysis they can handle. They are also heralding a new era of autonomous response, where a machine system is sufficiently intelligent to understand how and when to fight back against in-progress threats.
From the outset, Darktrace rejected the assumption that data relating to historical attacks could predict future ones. Instead, Darktrace’s Cyber AI Platform uses unsupervised machine learning to analyze network data at scale, and makes billions of probability-based calculations based on the evidence that it sees. Instead of relying on knowledge of past threats, it independently classifies data and detects compelling patterns.
Darktrace’s world-leading cyber AI allows thousands of organizations across the globe to identify and respond to all kinds of threats and highlights deviations from ‘normal’ behavior that require attention. It is the best proven, most scalable and most accurate artificial intelligence platform used today in the enterprise.
Darktrace AI for cyber defense is powered by unique machine learning developed by mathematicians in Cambridge, UK and is relied on by thousands of organizations globally.
Our Enterprise Immune System can distinguish friend from foe in real time, identifying cyber-threats before they spread. Not only that, our self-learning technology can also fight back against threats as they unfold, at computer speed.
Whether you face an insider threat, a long-term compromise, a ransomware campaign or a hacked connected device, Darktrace sees the subtle indicators of abnormal activity and defends your most critical systems.
The founders of Darktrace include expert software engineers and specialists in machine learning and mathematics. Pioneering a new use of Bayesian mathematics, named Recursive Bayesian Estimation (RBE), they laid the foundations of Darktrace’s award-winning Enterprise Immune System technology and its probabilistic approach to the identification of cyber-threats.
Bayesian mathematics allows for meaning to be drawn from large, profuse data sets, and for estimated probabilities of a given event to be updated as more information is observed. Recursive Bayesian Estimation allows for this approach to be applied without the need for a supercomputer.
Our Research and Development team in Cambridge, UK continues to create new innovations that push the boundaries of what is possible in cyber security software engineering and artificial intelligence.
Threat Use Cases
Darktrace is capable of detecting a range of in-progress threats, breaches and vulnerabilities — from IoT hacks and criminal campaigns, through to insider threats or latent vulnerabilities. The selected use cases demonstrate diverse threat scenarios that Darktrace identified in real time, before serious damage was inflicted.
Darktrace detected a brute-force attack against a server within the cloud infrastructure, which was accidentally exposed to the Internet.
The connection between the cloud and physical network segments meant that the network as a whole would have been compromised had the attack succeeded. Not only did the activity pose a significant security risk, but with so many connection attempts being received continuously, there was also the real possibility of a denial of service affecting the server.
- Over a four-week period, more than 8,000 access attempts were observed from more than 100 different source addresses.
- The addresses were systematically attempting to gain access to a cloud-based RDP server using a single username: “hello”.
- The activity accounted for the majority of traffic to and from the server.
Darktrace found a new and advanced strain of ransomware on the network of a telecommunications firm. The attack was automated and spread faster than ordinary ransomware. It started when an employee circumvented corporate security protocols by accessing their personal email, where they were likely tricked into downloading a malicious file. Seconds later, the device began connecting to an external server on the Tor network.
Nine seconds after the start of the SMB encryption activities, Darktrace raised an alert signifying that the anomaly required investigation. As the behavior persisted over the next 24 seconds, Darktrace continually revised its understanding of the deviation as it progressed into a serious threat. The security team had gone home for the weekend, so Darktrace Antigena stepped in and automatically interrupted all attempts to write encrypted files to network file shares.
- The employee’s device made a series of anomalous HTTP requests to rare external domains.
- The device downloaded a suspicious .exe file.
- SMB shares began to be successfully read and encrypted.
At a multinational manufacturing company, an attacker exploited known vulnerabilities to compromise a biometric scanner, which was used to restrict access to machinery and industrial plants. The attacker began to alter the fingerprint data stored on the device.
Had the threat gone unnoticed, the attacker could have added their fingerprint data to the database to gain physical access to the industrial plant. Standard anti-malware and signature solutions did not detect the subtle activity that led to the compromise.
- After installation, Darktrace detected suspicious Telnet connections from an external computer.
- The external computer successfully accessed the scanners by using default credentials, and it used root privileges to retrieve CPU information.
- The attacker then attempted to pivot to reach other internal systems.
- Further investigation revealed that the scanner’s availability on Telnet port 23 had been indexed by shodan.io, the search engine for Internet-exposed devices.
An international sporting company opened a string of new offices around the world, and invested in video conferencing equipment to facilitate day-to-day communications between their teams. On learning the ‘pattern of life’ of the organization, Darktrace observed unusual behavior pertaining to one particular device on the network – the video conferencing system in the company boardroom. An attacker had exploited unauthenticated remote access and started to transmit audio data out of the organization.
By collecting the audio stream from confidential meetings, the attacker had begun to build up sensitive corporate information. Unchecked, the attacker could have also moved laterally to locate Point-of-Sale devices and inflicted further damage.
- One of the units was the only internal device connecting externally via Telnet.
- Anomalously large volumes of information were uploaded to six rare external computers.
- A backdoor Trojan had been uploaded to the device before Darktrace was installed.
- The device connected to suspicious external servers via FTP, Telnet, and HTTP.
A disgruntled employee decided to spend their last day with the company attempting to steal a large volume of customer data by uploading it to Dropbox.
Dropbox was widely used at this company, so the employee likely believed that their activity would go unnoticed. Legacy tools would not have recognized the behavior as threatening, but Darktrace’s self-learning approach can accurately detect even the slightest deviations from normal. As a result, the illegitimate transfers were identified before the employee could successfully steal the information.
- A company server uploaded 17GB of data to Dropbox, an unusually large volume for that server.
- Dropbox connections were common at the company, but were rarely made from the server in question.
- The data contained information about the geo-location of the company’s clients.
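The per-device ‘pattern of life’ check that separates this case from a company-wide rule, as an added illustration over constructed upload records (not Darktrace’s code or algorithm; device and destination names are made up): Dropbox is common across the company, yet rare and unusually large for the one server in question.

```python
from collections import defaultdict

# Constructed historical upload records: (device, destination, bytes uploaded).
# Dropbox is routine for the laptops; the CRM server normally uploads only to backup.
BASELINE = [
    ("laptop-01", "dropbox.com", 120_000_000),
    ("laptop-02", "dropbox.com", 95_000_000),
    ("laptop-03", "dropbox.com", 300_000_000),
    ("laptop-01", "dropbox.com", 80_000_000),
    ("laptop-02", "dropbox.com", 210_000_000),
    ("crm-db-01", "backup.internal", 2_000_000_000),
    ("crm-db-01", "backup.internal", 2_100_000_000),
    ("crm-db-01", "dropbox.com", 4_000_000),  # a single small historical upload
]

def learn_pattern_of_life(records):
    """Build the baseline: upload history per (device, destination) and per device."""
    per_pair = defaultdict(list)
    per_device = defaultdict(list)
    for device, dest, nbytes in records:
        per_pair[(device, dest)].append(nbytes)
        per_device[device].append(nbytes)
    return per_pair, per_device

def is_common_company_wide(model, dest, min_devices=3):
    """Legacy allow-list view: is this destination ordinary for the company as a whole?"""
    per_pair, _ = model
    devices = {device for (device, d) in per_pair if d == dest}
    return len(devices) >= min_devices

def score_upload(model, device, dest, nbytes, rare_below=2, scale=5):
    """Per-device view: reasons this upload deviates from the device's own history ([] = fits)."""
    per_pair, per_device = model
    pair_hist = per_pair.get((device, dest), [])
    device_hist = per_device.get(device, [])
    reasons = []
    if len(pair_hist) < rare_below:
        reasons.append(f"{dest} is rare for {device}: {len(pair_hist)} prior upload(s)")
    if device_hist and nbytes > scale * max(device_hist):
        reasons.append(f"{nbytes} bytes exceeds {scale}x this device's previous maximum ({max(device_hist)})")
    return reasons

if __name__ == "__main__":
    model = learn_pattern_of_life(BASELINE)
    # Company-wide, Dropbox looks ordinary, so a destination-based rule stays silent;
    # a 17 GB Dropbox upload from the CRM server still breaks that server's own pattern of life.
    print("dropbox common company-wide:", is_common_company_wide(model, "dropbox.com"))
    for reason in score_upload(model, "crm-db-01", "dropbox.com", 17_000_000_000):
        print("ALERT:", reason)
    print("laptop flagged:", score_upload(model, "laptop-01", "dropbox.com", 400_000_000))
```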
The network of a healthcare provider was infected with a strain of malware designed to steal user credentials. Once on the network, the malware spread by copying programs into sensitive folders on other devices and guessing login details.
The attacker was attempting to extract user credentials from the network. The type of malware used was unlike anything on existing threat databases, and it was automated. This means that the security team could not respond quickly enough, and traditional defenses could not identify it. Darktrace’s AI approach recognized the copied programs and the forced access of password managers as abnormal given its understanding of the normal activity of users and organizations.
- Infected devices were copying programs into sensitive file locations.
- The file transfers were happening at speeds faster than users could have been acting.
- The devices were attempting to communicate with a suspicious third-party infrastructure.
Some of the most sophisticated attacks that Darktrace finds contain ‘active defense mechanisms’ that allow them to avoid detection by traditional security systems. One such attack used self-modifying malware to quietly infiltrate the network of a major university. The attacker used the ‘Smoke Malware Loader’ tool to autonomously extract user passwords. By dynamically changing its threat signature and generating fake error messages as a smokescreen, the malware attempted to obscure its presence on the network.
The malware was deceptive – more indicative of a targeted attack than a conventional, indiscriminate campaign. Darktrace built a detailed understanding of this highly evolved operation, combining a series of anomalous behaviors to determine the existence of a serious anomaly requiring immediate action.
- The initial file download originated from a rare external source.
- Successful transfers – likely containing passwords – were sent to a highly unusual destination.
- Transfers were followed by a flurry of error messages signifying failed connections.
- Beaconing activity represented a major deviation from the devices’ normal activity.
A software engineer at a financial services company – who had access to the company’s server farms – owned a company device that was observed communicating with a rare external endpoint.
It was subsequently discovered that the employee had been planning to establish a profitable Bitcoin mining operation. Between the rare IP, hostname, RDP activity, and SMB queries, Darktrace understood these indicators as part of a larger pattern of threat and identified the activity in real time.
- Anomalous RDP activity and SMB queries were observed on the employee’s device.
- The device was connecting to the user’s home network, which was running an FTP server.
- The server contained a folder with the company’s name on it.
- Inside the folder was a series of trojaned files carrying malicious Bitcoin mining software.
While working with a SCADA energy network in the Middle East, Darktrace identified an internal server that was compromised and leaking data to an external attacker.
The power network was a high-profile target, making the data exfiltration particularly alarming. Darktrace was able to draw attention to this sophisticated cyber-attack through its self-learning approach, and the security team could take quick and decisive action before any critical information left the network.
- An anomalous SSH connection to the server was observed from an external device that had never communicated with the server before.
- The server was sending unusually large volumes of information outside the network via ICMP traffic.
- The SSH connections were made after a series of failed SSH connections using access codes listed online as factory defaults.
After being deployed in a corporate network, Darktrace detected a ‘rogue’ device acting anomalously in the company’s data center. The security team had no knowledge of the device existing in the first place. After Darktrace repeatedly alerted to the anomalous activity over the course of two weeks, the company decided to investigate. The team discovered a small computer installed under the floorboards of their data center. It transpired that the device was plugged into the back of a server and was siphoning data. A malicious attack was suspected and investigated.