Defenders must understand the threat landscape in order to protect against it. They can do that with threat intelligence.
Darktrace approaches threat intelligence with a unique perspective. Unlike traditional security vendors that rely on established patterns from past incidents, it uses a strategy that is rooted in the belief that identifying behavioral anomalies is crucial for identifying both known and novel threats.
For Darktrace analysts and researchers, the incidents detected by the AI solution mark the beginning of a deeper investigation, aiming to connect mitigated threats to wider trends from across the threat landscape. Through hindsight analysis, the Darktrace Threat Research team has highlighted numerous threats, including zero-day, n-day, and other novel attacks, showcasing their evolving nature and Darktrace’s ability to identify them.
Read Darktrace's Annual Threat Report to discover major trends around vulnerabilities in internet-facing systems, new and re-emerging ransomware strains, and sophisticated email attacks.
Multiple campaigns target vulnerabilities in internet-facing systems
It is increasingly common for threat actors to identify and exploit newly discovered vulnerabilities in widely used services and applications, and in some cases, these vulnerability exploitations occur within hours of disclosure.
In 2024, the most significant campaigns observed involved the ongoing exploitation of zero-day and n-day vulnerabilities in edge and perimeter network technologies. In fact, in the first half of the year, 40% of all identified campaign activity came from the exploitation of internet-facing devices. Some of the most common exploitations involved Ivanti Connect Secure (CS) and Ivanti Policy Secure (PS) appliances, Palo Alto Network (PAN-OS) firewall devices, and Fortinet appliances.
Darktrace helps security teams identify suspicious behavior quickly, as demonstrated with the critical vulnerability in PAN-OS firewall devices. The vulnerability was publicly disclosed on April 11, 2024, yet with anomaly-based detection, Darktrace’s Threat Research team was able to identify a range of suspicious behavior related to exploitation of this vulnerability, including command-and-control (C2) connectivity, data exfiltration, and brute-forcing activity, as early as March 26.
That means that Darktrace and our Threat Research team detected this Common Vulnerabilities and Exposure (CVE) exploitation 16 days before the vulnerability was disclosed. Addressing critical vulnerabilities quickly massively benefits security, as teams can reduce their effectiveness by slowing malicious operations and forcing attackers to pursue more costly and time-consuming methods.
Persistent ransomware threats continue to evolve
The continued adoption of the Ransomware-as-a-Service (RaaS) model provides even less experienced threat actors with the tools needed to carry out disruptive attacks, significantly lowering the barrier to entry.
The Threat Research team tracked both novel and re-emerging strains of ransomware across the customer fleet, including Akira, LockBit, and Lynx. Within these ransomware attempts and incidents, there were notable trends in attackers’ techniques: using phishing emails as an attack vector, exploiting legitimate tools to mask C2 communication, and exfiltrating data to cloud storage services.
Read the Annual 2024 Threat Report for the complete list of prominent ransomware actors and their commonly used techniques.
Onslaught of email threats continues
With a majority of attacks originating from email, it is crucial that organizations secure the inboxes and beyond.
Between December 21, 2023, and December 18, 2024, Darktrace / EMAIL detected over 30.4 million phishing emails across the fleet. Of these, 70% successfully bypassed Domain-based Message Authentication, Reporting, and Conformance (DMARC) verification checks and 55% passed through all other existing layers of customer email security.
The abuse of legitimate services and senders continued to be a significant method for threat actors throughout 2024. By leveraging trusted platforms and domains, malicious actors can bypass traditional security measures and increase the likelihood of their phishing attempts being successful.
This past year, there was a substantial use of legitimately authenticated senders and previously established domains, with 96% of phishing emails detected by Darktrace / EMAIL utilizing existing domains rather than registering new ones.
These are not the only types of email attacks we observed. Darktrace detected over 2.7 million emails with multistage payloads.
While most traditional cybersecurity solutions struggle to cover multiple vectors and recognize each stage of complex attacks as part of wider malicious activity, Darktrace can detect and respond across email, identities, network, and cloud.
Conclusion
The Darktrace Threat Research team continues to monitor the ever-evolving threat landscape. Major patterns over the last year have revealed the importance of fast-acting, anomaly-based detection like Darktrace provides.
For example, response speed is essential when campaigns target vulnerabilities in internet-facing systems, and these vulnerabilities can be exploited by attackers within hours of their disclosure if not even before that.
Similarly, anomaly-based detection can identify hard to find threats like ransomware attacks that increasingly use living-off-the-land techniques and legitimate tools to hide malicious activity. A similar pattern can be found in the realm of email security, where attacks are also getting harder to spot, especially as they frequently exploit trusted senders, use redirects via legitimate services, and craft attacks that bypass DMARC and other layers of email security.
As attacks appear with greater complexity, speed, and camouflage, defenders must have timely detection and containment capabilities to handle all emerging threats. These hard-to-spot attacks can be identified and stopped by Darktrace.
[related-resource]
Download the full report
Discover the latest threat landscape trends and recommendations from the Darktrace Threat Research team
.avif)
