The Enterprise Immune System
The Enterprise Immune System is the world’s most advanced machine learning technology for cyber defense. Inspired by the self-learning intelligence of the human immune system, this new class of technology has enabled a fundamental shift in the way organizations defend themselves, amid a new era of sophisticated and pervasive cyber-threats.
The human immune system is incredibly complex and continually adapts to new forms of threats, such as viral DNA that constantly mutates. It works by learning about what is normal for the body, identifying and neutralizing outliers that do not fit that evolving pattern of normality.
Darktrace applies the same logic to enterprise and industrial environments. Powered by machine learning and AI algorithms, Enterprise Immune System technology iteratively learns a unique ‘pattern of life’ (‘self’) for every device and user on a network, and correlates these insights in order to spot emerging threats that would otherwise go unnoticed.
Like the human immune system, the Enterprise Immune System does not require previous experience of a threat or pattern of activity in order to understand that it is potentially threatening. It works automatically, without prior knowledge or signatures, detecting and fighting back against subtle, stealthy attacks inside the network — in real time.
Machine learning can be thought of as the third and most recent machine revolution. The first was the replacement of muscle by machine in the industrial revolution. The second involved computers taking over repetitive tasks that had originally been done by people. Machine learning represents computers being able to undertake complex, thoughtful tasks.
The fundamental technology underlying Darktrace is powered by advanced, unsupervised machine learning, which is capable of learning what is normal and what is abnormal inside a network on an evolving basis, without using training data or customized models. This allows it to detect cyber-attacks that may not have been observed before, the unknown unknowns.
Legacy approaches to cyber security embody the second revolution: people describe what an attack looks like and then ask the computer to look for a match to that description. Darktrace turns this paradigm on its head, embodying the third machine revolution: the computer autonomously finds anomalous areas within large data sets, and makes intelligent judgements accordingly. This self-learning capability is transformative, allowing organizations to embrace interconnected networks, while defending their critical data and reputation.
Our unique expertise in cyber defense operations and ground-breaking, self-learning technology allows organizations to keep up with the speed and sophistication of today's attackers.
Whether defending against an APT or an insider attack, Darktrace understands the human traces behind every attack. Our solutions are anchored in Enterprise Immune System technology, which detects subtle indicators of compromise and threatening behaviors, even when those behaviors are brand new, complex and constantly changing.
The age of surrounding your information with higher and higher walls is over. Legacy approaches permanently leave you a step behind. Darktrace moves at the same speed as the threat, automatically learning from an organization's ongoing activity in real time to detect threat behaviors as they emerge.
The foundations of Darktrace’s unique approach lie in cutting-edge machine learning and mathematics developed at the University of Cambridge. With technical teams made up of world-class mathematicians and technical experts who themselves helped develop the groundbreaking Recursive Bayesian Estimation (RBE) theory that lies at the heart of the unique Enterprise Immune System technology, Darktrace is able to exceed the boundaries set by legacy approaches to cyber security.
Bayesian mathematics allows for meaning to be drawn from large, profuse data sets, and for estimated probabilities of a given event to be updated as more information is observed. Recursive Bayesian Estimation allows for this approach to be applied without the need for a supercomputer.
The founders of Darktrace include senior members of the UK government’s cyber community from MI5 and GCHQ, and Lord Evans, former Director-General of MI5, sits on the advisory board.
Our expert team have had experience on the frontline of cyber defense, and have been responsible for the protection of critical national assets – people, public services, and core intellectual property – from some of the most insidious threats in operation, including both sophisticated insider attacks and large-scale, state sponsored espionage groups. Darktrace’s team has now expanded to include experts from intelligence communities globally, such as the NSA and CIA, with backgrounds ranging from threat analysis to senior intelligence positions.
Threat Use Cases
Darktrace is capable of detecting a range of in-progress threats, breaches and vulnerabilities — from IoT hacks and criminal campaigns, through to insider threats or latent vulnerabilities. The selected use cases demonstrate diverse threat scenarios that Darktrace identified in real time, before serious damage was inflicted.
Darktrace found a new and advanced strain of ransomware on the network of a telecommunications firm. The attack was automated and spread faster than ordinary ransomware. It started when an employee circumvented corporate security protocols by accessing their personal email, where they were likely tricked into downloading a malicious file. Seconds later, the device began connecting to an external server on the Tor network.
Nine seconds after the start of the SMB encryption activities, Darktrace raised an alert signifying that the anomaly required investigation. As the behavior persisted over the next 24 seconds, Darktrace continually revised its understanding of the deviation as it progressed into a serious threat. The security team had gone home for the weekend, so Darktrace Antigena stepped in and automatically interrupted all attempts to write encrypted files to network file shares.
- The employee’s device made a series of anomalous HTTP requests to rare external domains.
- The device downloaded a suspicious .exe file.
- SMB shares began to be successfully read and encrypted.
At a multinational manufacturing company, an attacker exploited known vulnerabilities to compromise a biometric scanner, which was used to restrict access to machinery and industrial plants. The attacker began to change the data on the fingerprint data stored on the device.
Had the threat gone unnoticed, the attacker could have added their fingerprint data to the database to gain physical access to the industrial plant. Standard anti-malware and signature solutions did not detect the subtle activity that led to the compromise.
- After installation, Darktrace detected suspicious Telnet connections from an external computer.
- The external computer successfully accessed the scanners by using default credentials, and it used root privileges to retrieve CPU information.
- The attacker then attempted to pivot to reach other internal systems.
- Further investigation revealed that the scanner’s availability on Telnet port 23 was recorded on the IP database shodan.io.
An international sporting company opened a string of new offices around the world, and invested in video conferencing equipment to facilitate day-to-day communications between their teams. On learning the ‘pattern of life’ of the organization, Darktrace observed unusual behavior pertaining to one particular device on the network – the video conferencing system in the company boardroom. An attacker had exploited unauthenticated remote access and started to transmit audio data out of the organization.
By collecting the audio stream from confidential meetings, the attacker had begun to build up sensitive corporate information. Unchecked, the attacker could have also moved laterally to locate Point-of-Sale devices and inflicted further damage.
- One of the units was the only internal device connecting externally via Telnet.
- Anomalously large volumes of information were uploaded to six rare external computers.
- A backdoor Trojan had been uploaded to the device before Darktrace was installed.
- The device connected to suspicious external servers via FTP, Telnet, and HTTP.
A disgruntled employee decided to spend their last day with the company attempting to steal a large volume of customer data by uploading it to Dropbox.
Dropbox was widely used at this company, so the employee likely believed that their activity would go unnoticed. Legacy tools would not have recognized the behavior as threatening, but Darktrace’s self-learning approach can accurately detect even the slightest deviations from normal. As a result, the illegitimate transfers were identified before the employee could successfully steal the information.
- A company server uploaded 17GB of data to Dropbox, an unusually large volume for that server.
- Dropbox connections were common at the company, but were rarely made from the server in question.
- The data contained information about the geo-location of the company’s clients.
The network of a healthcare provider was infected with a strain of malware designed to steal user credentials. Once on the network, the malware spreads by copying programs into sensitive folders on other devices and guessing login details.
The attacker was attempting to extract user credentials from the network. The type of malware used was unlike anything on existing threat databases, and it was automated. This means that the security team could not respond quickly enough, and traditional defenses could not identify it. Darktrace’s AI approach recognized the copied programs and the forced access of password managers as abnormal given its understanding of the normal activity of users and organizations.
- Infected devices were sending programs to sensitive files.
- The file transfers were happening at speeds faster than users could have been acting.
- The devices were attempting to communicate with a suspicious third-party infrastructure.
Some of the most sophisticated attacks that Darktrace finds contain ‘active defense mechanisms’ that allow them to avoid detection by traditional security systems. One such attack used self-modifying malware to quietly infiltrate the network of a major university. The attacker used the ‘Smoke Malware Loader’ tool to autonomously extract user passwords. By dynamically changing its threat signature and generating fake error messages as a smokescreen, the malware attempted to obscure its presence on the network.
The malware was deceptive – more indicative of a targeted attack than a conventional, indiscriminate campaign. Darktrace built a detailed understanding of this highly-evolved operation, combining a series of anomalous behaviors to determine the existence of a serious anomaly requiring immediate action.
- The initial file download originated from a rare external source.
- Successful transfers – likely containing passwords – were sent to a highly unusual destination.
- Transfers were followed by a flurry of error messages signifying failed connections.
- Beaconing activity represented a major deviation from the devices’ normal activity.
A software engineer at a financial services company – who had access to the company’s server farms – owned a company device that was observed communicating with a rare external endpoint.
It was subsequently discovered that the employee had been planning to establish a profitable Bitcoin mining operation. Between the rare IP, hostname, RDP activity, and SMB queries, Darktrace understood these indicators as part of a larger pattern of threat and identified the activity in real time.
- Anomalous RDP activity and SMB queries were observed on the employee’s device.
- The device was connecting to the user’s home network which was using an FTP server.
- The server contained a folder with the company’s name on it.
- Inside the folder was a series of trojaned files with malicious Bitcoin mining operations.
While working with a SCADA energy network in the Middle East, Darktrace identified an internal server that was compromised and leaking data to an external attacker.
The power network was a high-profile target, making the data exfiltration particularly alarming. Darktrace was able to draw attention to this sophisticated cyber-attack through its self-learning approach, and the security team could take quick and decisive action before any critical information left the network.
- An anomalous SSH connection to the server was observed from an external device that had never communicated with the server before.
- The server was sending unusually large volumes of information outside the network via ICMP connections.
- The SSH connections were made after a series of failed SSH connections using access codes listed as factory defaults online.
Darktrace detected a brute-force attack against a server within the cloud infrastructure, which was accidentally exposed to the Internet.
The connection between the cloud and physical network segments meant that the network as a whole would have been compromised had the attack succeeded. Not only did the activity pose a significant security risk, but with so many connection attempts being received continuously, there was also the real possibility of a denial of service affecting the server.
- Over a four-week period, over 8,000 access attempts were observed from over 100 different source addresses.
- The addresses were systematically attempting to gain access to a cloud-based RDP server using a single username: “hello”.
- The activity accounted for the majority of traffic to and from the server.
After being deployed in a corporate network, Darktrace detected a ‘rogue’ device acting anomalously in the company’s data center. Meanwhile, the security team had no knowledge of the device existing in the first place. After Darktrace repeatedly alerted to the anomalous activity over the course of two weeks, the company decided to investigate. The team discovered a small computer installed under the floorboards of their data center. It transpired that the device was plugged into the back of the server, and was siphoning data. A malicious attack was suspected and investigated.
In 2016 cyber-criminals launched 638 million ransomware attacks. That’s a 167-fold increase from the 4 million attack attempts in 2015, with most of the attacks delivered as phishing campaigns capable of by-passing existing defense mechanisms. With the rise of ransomware-as-a-service lowering the barrier to entry, it is now easier than ever for attackers to access and deploy ransomware.
Once inside the enterprise, the malware encrypts data and looks to spread to other devices or shared drives. The speed with which the attack can spread and devastating effects it can have make ransomware an attractive proposition for cyber attackers.
Darktrace’s Enterprise Immune System has been proven to detect and defend against emerging ransomware attacks across every industry. The Enterprise Immune System, using machine learning and AI algorithms, is able to identify a wide range of anomalies pertaining to ransomware, taking into account weak indicators to form a compelling picture of the overall threat level.
For example, Darktrace successfully identified WannaCry malware activity due to the highly anomalous way in which the devices were behaving as they attempted to access and encrypt files, and laterally scan for other exposed devices.
On detecting the ransomware, Darktrace responds in real time by forcibly dropping suspect connections within the internal network and stopping its spread. This entirely autonomous response, generated by Darktrace Antigena, gave security teams the vital time to catch up before the data was lost or encrypted.
If you are concerned about ransomware, please schedule a briefing with a Darktrace expert by emailing [email protected] or call us on:
Europe: +44 (0) 1223 394100
US: +1 415 229 9100
Asia-Pacific: +65 6804 5010