Blog
/

Inside the SOC

/
August 29, 2023

Analyzing Post-Exploitation on Papercut Servers

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
29
Aug 2023
Dive into our analysis covering post-exploitation activity on PaperCut servers. Learn the details and impact of this attack and how to keep yourself safe!

Introduction

Malicious cyber actors are known to exploit vulnerabilities in Internet-facing systems and services to gain entry to organizations’ digital environments. Keeping track of the vulnerabilities which malicious actors are exploiting is seemingly futile, with malicious actors continually finding new avenues of exploitation.  

In mid-April 2023, Darktrace, along with the wider security community, observed malicious cyber actors gaining entry to networks through exploitation of a critical vulnerability in the print management system, PaperCut. Darktrace observed two types of attack chain within its customer base, one involving the deployment of payloads to facilitate crypto-mining, and the other involving the deployment of a payload to facilitate Tor-based command-and-control (C2) communication.

Walking Through the Front Door

One of the most widely abused Initial Access methods attackers use to gain entry to an organization’s digital environment is the exploitation of vulnerabilities in Internet-facing systems and services [1]. The public disclosure of a critical vulnerability in a widely used, Internet-facing service, along with a proof of concept (POC) exploit for such vulnerability, provides malicious cyber actors with a key to the front door of countless organizations. Once malicious actors are in possession of such a key, security teams are in a race against time to patch all their vulnerable systems and services. But until organizations accomplish this, the doors are left open.

This year, the security community has seen malicious actors gaining entry to networks through the exploitation of vulnerabilities in a range of services. These services include familiar suspects, such as Microsoft Exchange and ManageEngine, along with less familiar suspects, such as PaperCut. PaperCut is a system for managing and tracking printing, copying, and scanning activity within organizations. In 2021, PaperCut was used in more than 50,000 sites across over 100 countries [2], making PaperCut a widely used print management system.

In January 2023, Trend Micro’s Zero Day Initiative (ZDI) notified PaperCut of a critical RCE vulnerability, namely CVE-2023–27350, in certain versions of PaperCut NG (PaperCut’s ‘print only’ variant) and PaperCut MF (PaperCut’s ‘extended feature’ variant) [3,4]. In March 2023, PaperCut released versions of PaperCut NG and PaperCut MF containing a fix for CVE-2023–27350 [4]. Despite this, security teams observed a surge in cases of malicious actors exploiting CVE-2023–27350 to compromise PaperCut servers in April 2023 [4-10]. This trend was mirrored in Darktrace’s customer base, where a surge in compromises of PaperCut servers was observed in April 2023.

Observed Attack Chains

In mid-April 2023, Darktrace identified two related clusters of attack chains. The attack chains within the first of these clusters involved Internet-facing PaperCut servers downloading payloads with crypto-mining capabilities from the external location, 50.19.48[.]59. While the attack chains within the second of the clusters involved Internet-facing PaperCut servers downloading payloads with Tor-based C2 capabilities from 192.184.35[.]216. The attack chains within the first cluster, which were observed on April 22, 2023, will be referred to as ‘50.19.48[.]59 chains’ and the attack chains in the second cluster, observed on April 24, 2023, will be called ‘192.184.35[.]216 chains’.

Both attack chains started with highly unusual external endpoints contacting the '/SetupCompleted' endpoint of an Internet-facing PaperCut server. These requests to the ‘/SetupCompleted’ endpoint likely represented attempts to exploit CVE-2023–27350 [10].  50.19.48[.]59 chains started with exploit connections from the external endpoint, 85.106.112[.]60, whereas 192.184.35[.]216 chains started with exploit connections from Tor nodes, such as 185.34.33[.]2.

Figure 1: Darktrace’s Advanced Search data showing likely CVE-2023-27350 exploitation activity from the suspicious, external endpoint, 85.106.112[.]60.

After the exploitation step, the two attack chains took different paths. In the 50.19.48[.]59 chains, the exploitation step was followed by the affected PaperCut server making HTTP GET requests over port 82 to the rare external endpoint, 50.19.48[.]59. In the 192.184.35[.]216 chains, the exploitation step was followed by the affected PaperCut server making an HTTP GET request over port 443 to 192.184.35[.]216.

The HTTP GET requests to 50.19.48[.]59 had Target URIs such as ‘/me1.bat’, ‘/me2.bat’, ‘/dom.zip’, ‘/mazar.bat’, and ‘/mazar.zip’, whilst the HTTP GET requests to 192.184.35[.]216 had the Target URI ‘/4591187629.exe’. The User-Agent header of the GET requests to 192.184.35[.]216 indicated that that the malicious file transfers were initiated through Microsoft’s pre-installed Background Intelligent Transfer Service (BITS).

Figure 2: Darktrace’s Advanced Search data showing a PaperCut server downloading Batch and ZIP files from 50.19.48[.]59 straight after receiving likely exploit connections from 85.106.112[.]60.
Figure 3: Darktrace’s Event Log data showing a PaperCut server downloading an executable file from 192.184.35[.]216 immediately after receiving a likely exploit connection from the Tor node, 185.34.33[.]2.

Downloads from 50.19.48[.]59 were followed by cURL GET requests to 138.68.61[.]82 and then connections to external endpoints associated with the cryptocurrency miner, Mimu (as seen in Fig 4). Downloads from 192.184.35[.]216 were followed by Python-urllib GET requests to api.ipify[.]org and long connections to Tor nodes (as seen in Fig 5).  

These facts suggest that the actor behind the 50.19.48[.]59 chains were seeking to drop cryptocurrency miners on PaperCut servers, with the intention of abusing the customer’s network to carry out resource intensive and costly cryptocurrency mining activity. Meanwhile, the actors behind the 192.184.35[.]216 chains were likely attempting to establish a Tor-based C2 channel with PaperCut servers to allow actors to further communicate with compromised devices.

Figure 4: Darktrace's Event Log data showing a PaperCut contacting 50.19.48[.]59 to download payloads, and then making a cURL request to 138.68.61[.]82 before contacting a Mimu crypto-mining endpoint.
Figure 5: Darktrace’s Event Log data showing a PaperCut server contacting 192.184.35[.]216 to download a payload, and then making connections to api.ipify[.]org and several Tor nodes.

The activities ensuing from both attack chains were varied, making it difficult to ascertain whether the activities were steps of separate attack chains, or steps of the existing 50.19.48[.]59 and 192.184.35[.]216 chains. A wide variety of activities ensued from observed 50.19.48[.]59 and 192.184.35[.]216 chains, including the abuse of pre-installed tools, such as cURL, CertUtil, and PowerShell to transfer further payloads to PaperCut servers, Cobalt Strike C2 communication, Ngrok usage, Mimikatz usage, AnyDesk usage, and in one case, detonation of the LockBit ransomware strain.

Figure 6: Diagram representing the steps of observed 50.19.48[.]59 chains.
Figure 7: Diagram representing the steps of observed 192.184.35[.]215 chains.

As the PaperCut servers that were targeted by malicious actors are Internet-facing, they regularly receive connections from unusual external endpoints. The exploit connections in the 50.19.48[.]59 and 192.184.35[.]216 chains, which originated from unusual external endpoints, were therefore not detected by Darktrace DETECT™, which relies on anomaly-based methods to detect network-based steps of an intrusion.

On the other hand, the post-exploitation steps of the 50.19.48[.]59 and 192.184.35[.]216 chains yielded ample anomaly-based detections, given that they consisted of PaperCut servers displaying highly unusual behaviors. As such Darktrace DETECT was able to successfully identify multiple chains of suspicious activity, including unusual file downloads from external endpoints and beaconing activity to rare external locations.

The file downloads from 50.19.48[.]59 observed in the 50.19.48[.]59 chains caused the following Darktrace DETECT models to breach:

- Anomalous Connection / Application Protocol on Uncommon Port

- Anomalous File / Internet Facing System File Download

- Anomalous File / Script from Rare External Location

- Anomalous File / Zip or Gzip from Rare External Location

- Device / Internet Facing Device with High Priority Alert

Figure 8: Darktrace’s Event Log data showing a PaperCut server breaching several models immediately after contacting 50.19.48[.]59.

The file downloads from 192.184.35[.]216 observed in the 192.184.35[.]216 chains caused the following Darktrace DETECT models to breach:

- Anomalous File / EXE from Rare External Location

- Anomalous File / Numeric File Download

- Device / Internet Facing Device with High Priority Alert

Figure 9: Darktrace’s Event Log data showing a PaperCut server breaching several models immediately after contacting 192.184.35[.]216.

Subsequent C2, beaconing, and crypto-mining connections in the 50.19.48[.]59 chains caused the following Darktrace DETECT models to breach:

- Anomalous Connection / New User Agent to IP Without Hostname

- Anomalous Server Activity / New User Agent from Internet Facing System

- Anomalous Server Activity / Rare External from Server

- Compromise / Crypto Currency Mining Activity

- Compromise / High Priority Crypto Currency Mining

- Compromise / High Volume of Connections with Beacon Score

- Compromise / Large Number of Suspicious Failed Connections

- Compromise / SSL Beaconing to Rare Destination

- Device / Initial Breach Chain Compromise

- Device / Large Number of Model Breaches

Figure 10: Darktrace’s Event Log data showing a PaperCut server breaching models as a result of its connections to a Mimu crypto-mining endpoint.

Subsequent C2, beaconing, and Tor connections in the 192.184.35[.]216 chains caused the following Darktrace DETECT models to breach:

- Anomalous Connection / Application Protocol on Uncommon Port

- Compromise / Anomalous File then Tor

- Compromise / Beaconing Activity To External Rare

- Compromise / Possible Tor Usage

- Compromise / Slow Beaconing Activity To External Rare

- Compromise / Uncommon Tor Usage

- Device / Initial Breach Chain Compromise

Figure 11: Darktrace’s Event Log data showing a PaperCut server breaching several models as a result of its connections to Tor nodes.

Darktrace RESPOND

Darktrace RESPOND™ was not active in any of the networks affected by 192.184.35[.]216 activity, however, RESPOND was active in some of the networks affected by 50.19.48[.]59 activity.  In those environments where RESPOND was enabled in autonomous mode, observed malicious activities resulted in intervention from RESPOND, including autonomous actions like blocking connections to specific external endpoints, blocking all outgoing traffic, and restricting affected devices to a pre-established pattern of behavior.

Figure 12: Darktrace’s Event Log data showing Darktrace RESPOND automatically performing inhibitive actions on a device in response to the device’s connection to 50.19.48[.]59.
Figure 13: Darktrace’s Event Log data showing Darktrace RESPOND automatically performing inhibitive actions on a device in response to the device’s connections to a Mimu crypto-mining endpoint.

Darktrace Cyber AI Analyst

Cyber AI Analyst autonomously investigated model breaches caused by events within these 50.19.48[.]59 and 192.184.35[.]216 chains. Cyber AI Analyst created user-friendly and detailed descriptions of these events, and then linked together these descriptions into threads representing the attack chains. Darktrace DETECT thus uncovered the individual steps of the attack chains, while Cyber AI Analyst was able to piece together the individual steps and uncover the attack chains themselves.  

Figure 14: An AI Analyst Incident entry showing the first event in a 50.19.48[.]59 chain uncovered by Cyber AI Analyst.
Figure 15: An AI Analyst Incident entry showing the second event in a 50.19.48[.]59 chain uncovered by Cyber AI Analyst.
Figure 16: An AI Analyst Incident entry showing the third event in a 50.19.48[.]59 chain uncovered by Cyber AI Analyst.
Figure 17: An AI Analyst Incident entry showing the first event in a 192.184.35[.]216 chain uncovered by Cyber AI Analyst.
Figure 18: An AI Analyst Incident entry showing the second event in a 192.184.35[.]216 chain uncovered by Cyber AI Analyst.

Conclusion

The existence of critical vulnerabilities in third-party software leaves organizations at constant risk of malicious actors breaching the perimeters of their networks. This risk can be mitigated through attack surface management and regular patching. However, this does not eliminate cyber risk entirely, meaning that organizations must be prepared for the eventuality of malicious actors getting inside their digital estate.

In April 2023, Darktrace observed malicious actors breaching the perimeters of several customer networks through exploitation of a critical vulnerability in PaperCut. Darktrace DETECT observed actors exploiting PaperCut servers to conduct a wide variety of post-exploitation activities, including downloading malicious payloads associated with cryptocurrency mining or payloads with Tor-based C2 capabilities. Darktrace DETECT created numerous model breaches based on this activity which alerted then customer’s security teams early in their development, providing them with ample time to take mitigative steps.

The successful detection of this payload delivery activity, along with the crypto-mining, beaconing, and Tor C2 activities which followed, elicited Darktrace RESPOND to take autonomous inhibitive action against the ongoing activity in those environments where it was operating in autonomous response mode.

If left to unfold, these intrusions developed in a variety of ways, in some cases leading to Cobalt Strike and ransomware activity. The detection of these intrusions in their early stages thus played a vital role in preventing malicious cyber actors from causing significant disruption.

Credit to: Sam Lister, Senior SOC Analyst, Zoe Tilsiter, Senior Cyber Analyst.

Appendices

MITRE ATT&CK Mapping

Initial Access techniques:

- Exploit Public-Facing Application (T1190)

Execution techniques:

- Command and Scripting Interpreter: PowerShell (T1059.001)

Discovery techniques:

- System Network Configuration Discovery (T1016)

Command and Control techniques

- Application Layer Protocol: Web Protocols (T1071.001)

- Encrypted Channel: Asymmetric Cryptography (T1573.002)

- Ingress Tool Transfer (T1105)

- Non-Standard Port (T1571)

- Protocol Tunneling (T1572)

- Proxy: Multi-hop Proxy (T1090.003)

- Remote Access Software (T1219)

Defense Evasion techniques:

- BITS Jobs (T1197)

Impact techniques:

- Data Encrypted for Impact (T1486)

List of Indicators of Compromise (IoCs)

IoCs from 50.19.48[.]59 attack chains:

- 85.106.112[.]60

- http://50.19.48[.]59:82/me1.bat

- http://50.19.48[.]59:82/me2.bat

- http://50.19.48[.]59:82/dom.zip

- 138.68.61[.]82

- update.mimu-me[.]cyou • 102.130.112[.]157

- 34.195.77[.]216

- http://50.19.48[.]59:82/mazar.bat

- http://50.19.48[.]59:82/mazar.zip

- http://50.19.48[.]59:82/prx.bat

- http://50.19.48[.]59:82/lol.exe  

- http://77.91.85[.]117/122.exe

- windows.n1tro[.]cyou • 176.28.51[.]151

- 77.91.85[.]117

- 91.149.237[.]76

- kernel-mlclosoft[.]site • 104.21.29[.]206

- tunnel.us.ngrok[.]com • 3.134.73[.]173

- 212.113.116[.]105

- c34a54599a1fbaf1786aa6d633545a60 (JA3 client fingerprint of crypto-mining client)

IoCs from 192.184.35[.]216 attack chains:

- 185.56.83[.]83

- 185.34.33[.]2

- http://192.184.35[.]216:443/4591187629.exe

- api.ipify[.]org • 104.237.62[.]211

- www.67m4ipctvrus4cv4qp[.]com • 192.99.43[.]171

- www.ynbznxjq2sckwq3i[.]com • 51.89.106[.]29

- www.kuo2izmlm2silhc[.]com • 51.89.106[.]29

- 148.251.136[.]16

- 51.158.231[.]208

- 51.75.153[.]22

- 82.66.61[.]19

- backmainstream-ltd[.]com • 77.91.72[.]149

- 159.65.42[.]223

- 185.254.37[.]236

- http://137.184.56[.]77:443/for.ps1

- http://137.184.56[.]77:443/c.bat

- 45.88.66[.]59

- http://5.8.18[.]237/download/Load64.exe

- http://5.8.18[.]237/download/sdb64.dll

- 140e0f0cad708278ade0984528fe8493 (JA3 client fingerprint of Tor-based client)

References

[1] https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-137a

[2] https://www.papercut.com/kb/Main/PaperCutMFSolutionBrief/

[3] https://www.zerodayinitiative.com/advisories/ZDI-23-233/

[4] https://www.papercut.com/kb/Main/PO-1216-and-PO-1219

[5] https://www.trendmicro.com/en_us/research/23/d/update-now-papercut-vulnerability-cve-2023-27350-under-active-ex.html

[6] https://www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software

[7] https://news.sophos.com/en-us/2023/04/27/increased-exploitation-of-papercut-drawing-blood-around-the-internet/

[8] https://twitter.com/MsftSecIntel/status/1651346653901725696

[9] https://twitter.com/MsftSecIntel/status/1654610012457648129

[10] https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-131a

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Author
Sam Lister
SOC Analyst
Book a 1-1 meeting with one of our experts
Share this article

More in this series

No items found.

Blog

/

January 28, 2025

/

Inside the SOC

Bytesize Security: Insider Threats in Google Workspace

Default blog imageDefault blog image

What is an insider threat?

An insider threat is a cyber risk originating from within an organization. These threats can involve actions such as an employee inadvertently clicking on a malicious link (e.g., a phishing email) or an employee with malicious intent conducting data exfiltration for corporate sabotage.

Insiders often exploit their knowledge and access to legitimate corporate tools, presenting a continuous risk to organizations. Defenders must protect their digital estate against threats from both within and outside the organization.

For example, in the summer of 2024, Darktrace / IDENTITY successfully detected a user in a customer environment attempting to steal sensitive data from a trusted Google Workspace service. Despite the use of a legitimate and compliant corporate tool, Darktrace identified anomalies in the user’s behavior that indicated malicious intent.

Attack overview: Insider threat

In June 2024, Darktrace detected unusual activity involving the Software-as-a-Service (SaaS) account of a former employee from a customer organization. This individual, who had recently left the company, was observed downloading a significant amount of data in the form of a “.INDD” file (an Adobe InDesign document typically used to create page layouts [1]) from Google Drive.

While the use of Google Drive and other Google Workspace platforms was not unexpected for this employee, Darktrace identified that the user had logged in from an unfamiliar and suspicious IPv6 address before initiating the download. This anomaly triggered a model alert in Darktrace / IDENTITY, flagging the activity as potentially malicious.

A Model Alert in Darktrace / IDENTITY showing the unusual “.INDD” file being downloaded from Google Workspace.
Figure 1: A Model Alert in Darktrace / IDENTITY showing the unusual “.INDD” file being downloaded from Google Workspace.

Following this detection, the customer reached out to Darktrace’s Security Operations Center (SOC) team via the Security Operations Support service for assistance in triaging and investigating the incident further. Darktrace’s SOC team conducted an in-depth investigation, enabling the customer to identify the exact moment of the file download, as well as the contents of the stolen documents. The customer later confirmed that the downloaded files contained sensitive corporate data, including customer details and payment information, likely intended for reuse or sharing with a new employer.

In this particular instance, Darktrace’s Autonomous Response capability was not active, allowing the malicious insider to successfully exfiltrate the files. If Autonomous Response had been enabled, Darktrace would have immediately acted upon detecting the login from an unusual (in this case 100% rare) location by logging out and disabling the SaaS user. This would have provided the customer with the necessary time to review the activity and verify whether the user was authorized to access their SaaS environments.

Conclusion

Insider threats pose a significant challenge for traditional security tools as they involve internal users who are expected to access SaaS platforms. These insiders have preexisting knowledge of the environment, sensitive data, and how to make their activities appear normal, as seen in this case with the use of Google Workspace. This familiarity allows them to avoid having to use more easily detectable intrusion methods like phishing campaigns.

Darktrace’s anomaly detection capabilities, which focus on identifying unusual activity rather than relying on specific rules and signatures, enable it to effectively detect deviations from a user’s expected behavior. For instance, an unusual login from a new location, as in this example, can be flagged even if the subsequent malicious activity appears innocuous due to the use of a trusted application like Google Drive.

Credit to Vivek Rajan (Cyber Analyst) and Ryan Traill (Analyst Content Lead)

Appendices

Darktrace Model Detections

SaaS / Resource::Unusual Download Of Externally Shared Google Workspace File

References

[1]https://www.adobe.com/creativecloud/file-types/image/vector/indd-file.html

MITRE ATT&CK Mapping

Technqiue – Tactic – ID

Data from Cloud Storage Object – COLLECTION -T1530

Continue reading
About the author
Vivek Rajan
Cyber Analyst

Blog

/

January 28, 2025

/
No items found.

Reimagining Your SOC: How to Achieve Proactive Network Security

Default blog imageDefault blog image

Introduction: Challenges and solutions to SOC efficiency

For Security Operation Centers (SOCs), reliance on signature or rule-based tools – solutions that are always chasing the latest update to prevent only what is already known – creates an excess of false positives. SOC analysts are therefore overwhelmed by a high volume of context-lacking alerts, with human analysts able to address only about 10% due to time and resource constraints. This forces many teams to accept the risks of addressing only a fraction of the alerts while novel threats go completely missed.

74% of practitioners are already grappling with the impact of an AI-powered threat landscape, which amplifies challenges like tool sprawl, alert fatigue, and burnout. Thus, achieving a resilient network, where SOC teams can spend most of their time getting proactive and stopping threats before they occur, feels like an unrealistic goal as attacks are growing more frequent.

Despite advancements in security technology (advanced detection systems with AI, XDR tools, SIEM aggregators, etc...), practitioners are still facing the same issues of inefficiency in their SOC, stopping them from becoming proactive. How can they select security solutions that help them achieve a proactive state without dedicating more human hours and resources to managing and triaging alerts, tuning rules, investigating false positives, and creating reports?

To overcome these obstacles, organizations must leverage security technology that is able to augment and support their teams. This can happen in the following ways:

  1. Full visibility across the modern network expanding into hybrid environments
  2. Have tools that identifies and stops novel threats autonomously, without causing downtime
  3. Apply AI-led analysis to reduce time spent on manual triage and investigation

Your current solutions might be holding you back

Traditional cybersecurity point solutions are reliant on using global threat intelligence to pattern match, determine signatures, and consequently are chasing the latest update to prevent only what is known. This means that unknown threats will evade detection until a patient zero is identified. This legacy approach to threat detection means that at least one organization needs to be ‘patient zero’, or the first victim of a novel attack before it is formally identified.

Even the point solutions that claim to use AI to enhance threat detection rely on a combination of supervised machine learning, deep learning, and transformers to

train and inform their systems. This entails shipping your company’s data out to a large data lake housed somewhere in the cloud where it gets blended with attack data from thousands of other organizations. The resulting homogenized dataset gets used to train AI systems — yours and everyone else’s — to recognize patterns of attack based on previously encountered threats.

While using AI in this way reduces the workload of security teams who would traditionally input this data by hand, it emanates the same risk – namely, that AI systems trained on known threats cannot deal with the threats of tomorrow. Ultimately, it is the unknown threats that bring down an organization.

The promise and pitfalls of XDR in today's threat landscape

Enter Extended Detection and Response (XDR): a platform approach aimed at unifying threat detection across the digital environment. XDR was developed to address the limitations of traditional, fragmented tools by stitching together data across domains, providing SOC teams with a more cohesive, enterprise-wide view of threats. This unified approach allows for improved detection of suspicious activities that might otherwise be missed in siloed systems.

However, XDR solutions still face key challenges: they often depend heavily on human validation, which can aggravate the already alarmingly high alert fatigue security analysts experience, and they remain largely reactive, focusing on detecting and responding to threats rather than helping prevent them. Additionally, XDR frequently lacks full domain coverage, relying on EDR as a foundation and are insufficient in providing native NDR capabilities and visibility, leaving critical gaps that attackers can exploit. This is reflected in the current security market, with 57% of organizations reporting that they plan to integrate network security products into their current XDR toolset[1].

Why settling is risky and how to unlock SOC efficiency

The result of these shortcomings within the security solutions market is an acceptance of inevitable risk. From false positives driving the barrage of alerts, to the siloed tooling that requires manual integration, and the lack of multi-domain visibility requiring human intervention for business context, security teams have accepted that not all alerts can be triaged or investigated.

While prioritization and processes have improved, the SOC is operating under a model that is overrun with alerts that lack context, meaning that not all of them can be investigated because there is simply too much for humans to parse through. Thus, teams accept the risk of leaving many alerts uninvestigated, rather than finding a solution to eliminate that risk altogether.

Darktrace / NETWORK is designed for your Security Operations Center to eliminate alert triage with AI-led investigations , and rapidly detect and respond to known and unknown threats. This includes the ability to scale into other environments in your infrastructure including cloud, OT, and more.

Beyond global threat intelligence: Self-Learning AI enables novel threat detection & response

Darktrace does not rely on known malware signatures, external threat intelligence, historical attack data, nor does it rely on threat trained machine learning to identify threats.

Darktrace’s unique Self-learning AI deeply understands your business environment by analyzing trillions of real-time events that understands your normal ‘pattern of life’, unique to your business. By connecting isolated incidents across your business, including third party alerts and telemetry, Darktrace / NETWORK uses anomaly chains to identify deviations from normal activity.

The benefit to this is that when we are not predefining what we are looking for, we can spot new threats, allowing end users to identify both known threats and subtle, never-before-seen indicators of malicious activity that traditional solutions may miss if they are only looking at historical attack data.

AI-led investigations empower your SOC to prioritize what matters

Anomaly detection is often criticized for yielding high false positives, as it flags deviations from expected patterns that may not necessarily indicate a real threat or issues. However, Darktrace applies an investigation engine to automate alert triage and address alert fatigue.

Darktrace’s Cyber AI Analyst revolutionizes security operations by conducting continuous, full investigations across Darktrace and third-party alerts, transforming the alert triage process. Instead of addressing only a fraction of the thousands of daily alerts, Cyber AI Analyst automatically investigates every relevant alert, freeing up your team to focus on high-priority incidents and close security gaps.

Powered by advanced machine-learning techniques, including unsupervised learning, models trained by expert analysts, and tailored security language models, Cyber AI Analyst emulates human investigation skills, testing hypotheses, analyzing data, and drawing conclusions. According to Darktrace Internal Research, Cyber AI Analyst typically provides a SOC with up to  50,000 additional hours of Level 2 analysis and written reporting annually, enriching security operations by producing high level incident alerts with full details so that human analysts can focus on Level 3 tasks.

Containing threats with Autonomous Response

Simply quarantining a device is rarely the best course of action - organizations need to be able to maintain normal operations in the face of threats and choose the right course of action. Different organizations also require tailored response functions because they have different standards and protocols across a variety of unique devices. Ultimately, a ‘one size fits all’ approach to automated response actions puts organizations at risk of disrupting business operations.

Darktrace’s Autonomous Response tailors its actions to contain abnormal behavior across users and digital assets by understanding what is normal and stopping only what is not. Unlike blanket quarantines, it delivers a bespoke approach, blocking malicious activities that deviate from regular patterns while ensuring legitimate business operations remain uninterrupted.

Darktrace offers fully customizable response actions, seamlessly integrating with your workflows through hundreds of native integrations and an open API. It eliminates the need for costly development, natively disarming threats in seconds while extending capabilities with third-party tools like firewalls, EDR, SOAR, and ITSM solutions.

Unlocking a proactive state of security

Securing the network isn’t just about responding to incidents — it’s about being proactive, adaptive, and prepared for the unexpected. The NIST Cybersecurity Framework (CSF 2.0) emphasizes this by highlighting the need for focused risk management, continuous incident response (IR) refinement, and seamless integration of these processes with your detection and response capabilities.

Despite advancements in security technology, achieving a proactive posture is still a challenge to overcome because SOC teams face inefficiencies from reliance on pattern-matching tools, which generate excessive false positives and leave many alerts unaddressed, while novel threats go undetected. If SOC teams are spending all their time investigating alerts then there is no time spent getting ahead of attacks.

Achieving proactive network resilience — a state where organizations can confidently address challenges at every stage of their security posture — requires strategically aligned solutions that work seamlessly together across the attack lifecycle.

References

1.       Market Guide for Extended Detection and Response, Gartner, 17thAugust 2023 - ID G00761828

Continue reading
About the author
Mikey Anderson
Product Marketing Manager, Network Detection & Response
Your data. Our AI.
Elevate your network security with Darktrace AI