Blog

Ransomware

Inside the SOC

Detecting a Cobalt Strike Attack With Darktrace AI

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
04
Aug 2021
04
Aug 2021
See how Darktrace AI was able to detect Cobalt Strike attacks by identifying anomalous connections and performing automated network reconnaissance.

Since its release in 2012, Cobalt Strike has become a popular platform for red teams and ethical hackers. Robust and reliable software combined with innovative features such as DNS tunnelling, lateral movement tools for privilege escalation, and PowerShell support, have made it a desirable option for organizations wanting to test their own cyber defenses. As the framework was previously only available with a commercial license, it gave security teams a distinct advantage over threat actors when preparing for attacks.

That all changed in late 2020, when a GitHub repository appeared hosting a decompiled version of the framework. Users claimed that the leaked platform did indeed function similarly, if not identically, to the commercial version, and even included a commented-out licensing check. This suddenly made the software readily available, and highly appealing for cyber-criminals: rather than requiring a paper trail and licensing, its source code was freely available for customization and use in offensive campaigns.

With sophisticated capabilities of subtle command and control (C2), privilege escalation, and lateral movement, the tools have become a favorite for ransomware gangs. Even prior to the reporting of the leaked version, 66% of ransomware attacks were found to use Cobalt Strike.

Overview of a Cobalt Strike attack

Cobalt Strike has distinctive TTPs (tools, techniques and procedures) and evasive features for each stage of the attack.

Figure 1: Cyber kill chain with Cobalt Strike

Initial compromise can be achieved with a native module for modifying emails. This includes the insertion of malicious links into existing emails or the creation of convincing spear phishing emails.

The initial payload is intentionally lightweight and can be delivered from cheaply hosted infrastructure. The smaller file size is easier to obfuscate and can be implemented in several ways, including injection into libraries or trusted processes, or creating a series of persistence mechanisms (such as turning off anti-virus prior to downloading the full payload). As such, it is remarkably difficult to detect with blocking rules or signatures.

Network reconnaissance can be done through a variety of subtle methods, using commonly used protocols such as DNS and DCE-RPC to interrogate the network. These services are frequently used in legitimate operations, so it is challenging to apply sufficiently strict controls to prevent this stage of the attack.

Lateral movement and privilege escalation are easily accessible with pre-packaged versions of common attack tools such as Mimikatz. They can interrogate an Active Directory (AD) or steal credentials, while also using SMB pipes for peer-to-peer C2. There is little space for perimeter-based security controls to monitor and restrict these abuses, even if sufficiently granular controls could be imposed.

Payload execution is a straightforward matter as Cobalt Strike beacon allows the delivery of effectively arbitrary payloads, including portability for ransomware. As the previous evasive steps can afford the attacker privileged credentials, the deployment of such payloads could look like non-threatening administrative behavior.

AI detections

Initial compromise

Cobalt Strike has utilities for creating spear phishing documents. As email remains a prolific source of perimeter breaches, threat actors will frequently implant the tool through phishes.

One such example was detected by Darktrace’s AI at Canadian manufacturer in June 2021. The compromise started when an end user appeared to open a phishing document, evidenced by connections to Adobe and VeriSign shortly prior to an HTTP connection to a rare external IP address.

A packet capture of the anomalous connection revealed the creation of an object using a base64 encoded string – a common obfuscation technique. If the customer had been using Darktrace/Email, the threat would have been nullified before it hit the mailbox.

Shortly after the HTTP connection, Darktrace identified unusual use of SSL, which appears to have been leveraged to upgrade to HTTPS using self-signed certificates. The endpoint served an executable, which was later confirmed as a Cobalt Strike beacon based on open-source intelligence (OSINT). Such beacons are supported by the framework, with a variety of common C2 protocols available to the attacker.

Figure 2: Event log for ‘Patient Zero’ of a Sodinokibi infection

Darktrace’s detection was based on the anomalous nature of the connection (suspicious violations of standard SSL protocols) and not a pre-defined rule. The initial compromise was detected in a matter of minutes.

Network reconnaissance

In another example at a Swiss telecommunications company in April 2021, Darktrace alerted the security team that a device – normally used for data collection – was engaging in suspicious lateral movement activity.

The host was abusing privileged credentials to perform AD reconnaissance and SMB enumeration. The alert then prompted a broader investigation, revealing that multiple devices, including domain controllers, were compromised with IoCs related to Cobalt Strike.

Thanks to Darktrace’s deep understanding of the business and recognition that this behavior was anomalous, the security team were able to remediate the infection before file encryption or large data exfiltration had occurred.

Privilege escalation and ransomware deployment

In a ransomware attack against a South African insurance company in May 2021, where a phishing email resulted in the deployment of ransomware, Darktrace first identified the creation of new administrative credentials. The devices which used the credentials were then seen making anomalous connections to various C2 endpoints associated with Cobalt Strike beacons.

Darktrace enabled the rapid identification of compromised hosts, which in turn allowed for a faster remediation and mitigated fears of a resurgent infection.

Cyber AI Analyst performed a machine-speed investigation of the activity, and automatically produced a report highlighting unusual connections on TCP port 4444 as well as other mail related ports. Port 4444 is the default port for Metasploit, another hacking platform which is often seen in conjunction with Cobalt Strike beacon. It then presented the human analysts with a full list of compromised hosts.

Figure 3: Cyber AI Analyst summary of an affected host using non-standard ports for C2 and subsequently scanning the network

Cobalt Strike malware

As it appears that a cheaply accessible analog of Cobalt Strike has been leaked, detection of the framework is critical to defend against active attackers. Signatures and rule-based restrictions prove ineffective in this regard, as the framework was designed specifically to evade such tools.

Darktrace offers the capability to detect malicious activity in its earliest stages, to triage at the speed of AI, and to autonomously block the proliferation of active threats.

Thanks to Darktrace analyst Roberto Romeu for his insights on the above threat find.

Learn how Darktrace caught APT41 leveraging Cobalt Strike

INSIDE THE SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
AUTHOR
ABOUT ThE AUTHOR
Brianna Leddy
Director of Analysis

Based in San Francisco, Brianna is Director of Analysis at Darktrace. She joined the analyst team in 2016 and has since advised a wide range of enterprise customers on advanced threat hunting and leveraging Self-Learning AI for detection and response. Brianna works closely with the Darktrace SOC team to proactively alert customers to emerging threats and investigate unusual behavior in enterprise environments. Brianna holds a Bachelor’s degree in Chemical Engineering from Carnegie Mellon University.

Book a 1-1 meeting with one of our experts
share this article
COre coverage

More in this series

No items found.

Blog

Inside the SOC

Jupyter Ascending: Darktrace’s Investigation of the Adaptive Jupyter Information Stealer

Default blog imageDefault blog image
18
Jul 2024

What is Malware as a Service (MaaS)?

Malware as a Service (MaaS) is a model where cybercriminals develop and sell or lease malware to other attackers.

This approach allows individuals or groups with limited technical skills to launch sophisticated cyberattacks by purchasing or renting malware tools and services. MaaS is often provided through online marketplaces on the dark web, where sellers offer various types of malware, including ransomware, spyware, and trojans, along with support services such as updates and customer support.

The Growing MaaS Marketplace

The Malware-as-a-Service (MaaS) marketplace is rapidly expanding, with new strains of malware being regularly introduced and attracting waves of new and previous attackers. The low barrier for entry, combined with the subscription-like accessibility and lucrative business model, has made MaaS a prevalent tool for cybercriminals. As a result, MaaS has become a significant concern for organizations and their security teams, necessitating heightened vigilance and advanced defense strategies.

Examples of Malware as a Service

  • Ransomware as a Service (RaaS): Providers offer ransomware kits that allow users to launch ransomware attacks and share the ransom payments with the service provider.
  • Phishing as a Service: Services that provide phishing kits, including templates and email lists, to facilitate phishing campaigns.
  • Botnet as a Service: Renting out botnets to perform distributed denial-of-service (DDoS) attacks or other malicious activities.
  • Information Stealer: Information stealers are a type of malware specifically designed to collect sensitive data from infected systems, such as login credentials, credit card numbers, personal identification information, and other valuable data.

How does information stealer malware work?

Information stealers are an often-discussed type MaaS tool used to harvest personal and proprietary information such as administrative credentials, banking information, and cryptocurrency wallet details. This information is then exfiltrated from target networks via command-and-control (C2) communication, allowing threat actors to monetize the data. Information stealers have also increasingly been used as an initial access vector for high impact breaches including ransomware attacks, employing both double and triple extortion tactics.

After investigating several prominent information stealers in recent years, the Darktrace Threat Research team launched an investigation into indicators of compromise (IoCs) associated with another variant in late 2023, namely the Jupyter information stealer.

What is Jupyter information stealer and how does it work?

The Jupyter information stealer (also known as Yellow Cockatoo, SolarMarker, and Polazert) was first observed in the wild in late 2020. Multiple variants have since become part of the wider threat landscape, however, towards the end of 2023 a new variant was observed. This latest variant achieved greater stealth and updated its delivery method, targeting browser extensions such as Edge, Firefox, and Chrome via search engine optimization (SEO) poisoning and malvertising. This then redirects users to download malicious files that typically impersonate legitimate software, and finally initiates the infection and the attack chain for Jupyter [3][4]. In recently noted cases, users download malicious executables for Jupyter via installer packages created using InnoSetup – an open-source compiler used to create installation packages in the Windows OS.

The latest release of Jupyter reportedly takes advantage of signed digital certificates to add credibility to downloaded executables, further supplementing its already existing tactics, techniques and procedures (TTPs) for detection evasion and sophistication [4]. Jupyter does this while still maintaining features observed in other iterations, such as dropping files into the %TEMP% folder of a system and using PowerShell to decrypt and load content into memory [4]. Another reported feature includes backdoor functionality such as:

  • C2 infrastructure
  • Ability to download and execute malware
  • Execution of PowerShell scripts and commands
  • Injecting shellcode into legitimate windows applications

Darktrace Coverage of Jupyter information stealer

In September 2023, Darktrace’s Threat Research team first investigated Jupyter and discovered multiple IoCs and TTPs associated with the info-stealer across the customer base. Across most investigated networks during this time, Darktrace observed the following activity:

  • HTTP POST requests over destination port 80 to rare external IP addresses (some of these connections were also made via port 8089 and 8090 with no prior hostname lookup).
  • HTTP POST requests specifically to the root directory of a rare external endpoint.
  • Data streams being sent to unusual external endpoints
  • Anomalous PowerShell execution was observed on numerous affected networks.

Taking a further look at the activity patterns detected, Darktrace identified a series of HTTP POST requests within one customer’s environment on December 7, 2023. The HTTP POST requests were made to the root directory of an external IP address, namely 146.70.71[.]135, which had never previously been observed on the network. This IP address was later reported to be malicious and associated with Jupyter (SolarMarker) by open-source intelligence (OSINT) [5].

Device Event Log indicating several connections from the source device to the rare external IP address 146.70.71[.]135 over port 80.
Figure 1: Device Event Log indicating several connections from the source device to the rare external IP address 146.70.71[.]135 over port 80.

This activity triggered the Darktrace / NETWORK model, ‘Anomalous Connection / Posting HTTP to IP Without Hostname’. This model alerts for devices that have been seen posting data out of the network to rare external endpoints without a hostname. Further investigation into the offending device revealed a significant increase in external data transfers around the time Darktrace alerted the activity.

This External Data Transfer graph demonstrates a spike in external data transfer from the internal device indicated at the top of the graph on December 7, 2023, with a time lapse shown of one week prior.
Figure 2: This External Data Transfer graph demonstrates a spike in external data transfer from the internal device indicated at the top of the graph on December 7, 2023, with a time lapse shown of one week prior.

Packet capture (PCAP) analysis of this activity also demonstrates possible external data transfer, with the device observed making a POST request to the root directory of the malicious endpoint, 146.70.71[.]135.

PCAP of a HTTP POST request showing streams of data being sent to the endpoint, 146.70.71[.]135.
Figure 3: PCAP of a HTTP POST request showing streams of data being sent to the endpoint, 146.70.71[.]135.

In other cases investigated by the Darktrace Threat Research team, connections to the rare external endpoint 67.43.235[.]218 were detected on port 8089 and 8090. This endpoint was also linked to Jupyter information stealer by OSINT sources [6].

Darktrace recognized that such suspicious connections represented unusual activity and raised several model alerts on multiple customer environments, including ‘Compromise / Large Number of Suspicious Successful Connections’ and ‘Anomalous Connection / Multiple Connections to New External TCP Port’.

In one instance, a device that was observed performing many suspicious connections to 67.43.235[.]218 was later observed making suspicious HTTP POST connections to other malicious IP addresses. This included 2.58.14[.]246, 91.206.178[.]109, and 78.135.73[.]176, all of which had been linked to Jupyter information stealer by OSINT sources [7] [8] [9].

Darktrace further observed activity likely indicative of data streams being exfiltrated to Jupyter information stealer C2 endpoints.

Graph displaying the significant increase in the number of HTTP POST requests with No Get made by an affected device, likely indicative of Jupyter information stealer C2 activity.
Figure 4: Graph displaying the significant increase in the number of HTTP POST requests with No Get made by an affected device, likely indicative of Jupyter information stealer C2 activity.

In several cases, Darktrace was able to leverage customer integrations with other security vendors to add additional context to its own model alerts. For example, numerous customers who had integrated Darktrace with Microsoft Defender received security integration alerts that enriched Darktrace’s model alerts with additional intelligence, linking suspicious activity to Jupyter information stealer actors.

The security integration model alerts ‘Security Integration / Low Severity Integration Detection’ and (right image) ‘Security Integration / High Severity Integration Detection’, linking suspicious activity observed by Darktrace with Jupyter information stealer (SolarMarker).
Figure 5: The security integration model alerts ‘Security Integration / Low Severity Integration Detection’ and (right image) ‘Security Integration / High Severity Integration Detection’, linking suspicious activity observed by Darktrace with Jupyter information stealer (SolarMarker).

Conclusion

The MaaS ecosystems continue to dominate the current threat landscape and the increasing sophistication of MaaS variants, featuring advanced defense evasion techniques, poses significant risks once deployed on target networks.

Leveraging anomaly-based detections is crucial for staying ahead of evolving MaaS threats like Jupyter information stealer. By adopting AI-driven security tools like Darktrace / NETWORK, organizations can more quickly identify and effectively detect and respond to potential threats as soon as they emerge. This is especially crucial given the rise of stealthy information stealing malware strains like Jupyter which cannot only harvest and steal sensitive data, but also serve as a gateway to potentially disruptive ransomware attacks.

Credit to Nahisha Nobregas (Senior Cyber Analyst), Vivek Rajan (Cyber Analyst)

References

1.     https://www.paloaltonetworks.com/cyberpedia/what-is-multi-extortion-ransomware

2.     https://flashpoint.io/blog/evolution-stealer-malware/

3.     https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html

4.     https://www.morphisec.com/hubfs/eBooks_and_Whitepapers/Jupyter%20Infostealer%20WEB.pdf

5.     https://www.virustotal.com/gui/ip-address/146.70.71.135

6.     https://www.virustotal.com/gui/ip-address/67.43.235.218/community

7.     https://www.virustotal.com/gui/ip-address/2.58.14.246/community

8.     https://www.virustotal.com/gui/ip-address/91.206.178.109/community

9.     https://www.virustotal.com/gui/ip-address/78.135.73.176/community

Appendices

Darktrace Model Detections

  • Anomalous Connection / Posting HTTP to IP Without Hostname
  • Compromise / HTTP Beaconing to Rare Destination
  • Unusual Activity / Unusual External Data to New Endpoints
  • Compromise / Slow Beaconing Activity To External Rare
  • Compromise / Large Number of Suspicious Successful Connections
  • Anomalous Connection / Multiple Failed Connections to Rare Endpoint
  • Compromise / Excessive Posts to Root
  • Compromise / Sustained SSL or HTTP Increase
  • Security Integration / High Severity Integration Detection
  • Security Integration / Low Severity Integration Detection
  • Anomalous Connection / Multiple Connections to New External TCP Port
  • Unusual Activity / Unusual External Data Transfer

AI Analyst Incidents:

  • Unusual Repeated Connections
  • Possible HTTP Command and Control to Multiple Endpoints
  • Possible HTTP Command and Control

List of IoCs

Indicators – Type – Description

146.70.71[.]135

IP Address

Jupyter info-stealer C2 Endpoint

91.206.178[.]109

IP Address

Jupyter info-stealer C2 Endpoint

146.70.92[.]153

IP Address

Jupyter info-stealer C2 Endpoint

2.58.14[.]246

IP Address

Jupyter info-stealer C2 Endpoint

78.135.73[.]176

IP Address

Jupyter info-stealer C2 Endpoint

217.138.215[.]105

IP Address

Jupyter info-stealer C2 Endpoint

185.243.115[.]88

IP Address

Jupyter info-stealer C2 Endpoint

146.70.80[.]66

IP Address

Jupyter info-stealer C2 Endpoint

23.29.115[.]186

IP Address

Jupyter info-stealer C2 Endpoint

67.43.235[.]218

IP Address

Jupyter info-stealer C2 Endpoint

217.138.215[.]85

IP Address

Jupyter info-stealer C2 Endpoint

193.29.104[.]25

IP Address

Jupyter info-stealer C2 Endpoint

Continue reading
About the author
Nahisha Nobregas
SOC Analyst

Blog

No items found.

What you need to know about the new SEC Cybersecurity rules

Default blog imageDefault blog image
17
Jul 2024

What is new in 2023 to SEC cybersecurity rules?

Form 8-K Item 1.05: Requiring the timely disclosure of material cybersecurity incidents.

Regulation S-K item 106: requiring registrants’ annual reports on Form 10-K to address cybersecurity risk management, strategy, and governance processes.

Comparable disclosures are required for reporting foreign private issuers on Forms 6-K and 20-F respectively.

What is Form 8-K Item 1.05 SEC cybersecurity rules?

Form 8-K Item 1.05 requires the following to be reported within four business days from when an incident is determined to be “material” (1), unless extensions are granted by the SEC under certain qualifying conditions:

“If the registrant experiences a cybersecurity incident that is determined by the registrant to be material, describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.” (2, 3)

How does the SEC define cybersecurity incident?

Cybersecurity incident defined by the SEC means an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein. (4)

How can Darktrace assist in the process of disclosing incidents to the SEC?

Accelerate reporting

Darktrace’s Cyber AI Analyst generates automated reports that synthesize discrete data points potentially indicative of cybersecurity threats, forming reports that provide an overview of the evolution and impact of a threat.

Thus, when a potential threat is identified by Darktrace, AI Analyst can quickly compile information that organizations might include in their disclosure of an occurrence they determined to be material, including the following: incident timelines, incident events, incident summary, related model breaches, investigation process (i.e., how Darktrace’s AI conducted the investigation), linked incident events, and incident details. The figure below illustrates how Darktrace compiles and presents incident information and insights in the UI.

Overview of information provided in an ‘AI Analyst Report’ that could be relevant to registrants reporting a material cybersecurity incident to the SEC
Figure 1: Overview of information provided in an ‘AI Analyst Report’ that could be relevant to registrants reporting a material cybersecurity incident to the SEC

It should be noted that Instruction 4 to the new Form 8-K Item 1.05 specifies the “registrant need not disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident” (5).

As such, the incident report generated by Darktrace may provide more information, including technical details, than is needed for the 8-K disclosure. In general, users should take appropriate measures to ensure that the information they provide in SEC reports meets the requirements outlined by the relevant regulations. Darktrace cannot recommend that an incident should be reported, nor report an incident itself.

Determine if a cybersecurity incident is material

Item 1.05 requires registrants to determine for themselves whether cybersecurity incidents qualify as ‘material’. This involves considerations such as ‘the nature scope and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.’

While it is up to the registrant to determine, consistent with existing legal standards, the materiality of an incident, Darktrace’s solution can provide relevant information which might aid in this evaluation. Darktrace’s Threat Visualizer user interface provides a 3-D visualization of an organization’s digital environment, allowing users to assess the likely degree to which an attack may have spread throughout their digital environment. Darktrace Cyber AI Analyst identifies connections among discrete occurrences of threatening activity, which can help registrants quickly assess the ‘scope and timing of an incident'.

Furthermore, in order to establish materiality it would be useful to understand how an attack might extend across recipients and environments. In the image below, Darktrace/Email identifies how a user was impacted across different platforms. In this example, Darktrace/Email identified an attacker that deployed a dual channel social engineering attack via both email and a SaaS platform in an effort to acquire login credentials. In this case, the attacker useding a legitimate SharePoint link that only reveals itself to be malicious upon click. Once the attacker gained the credentials, it proceeded to change email rules to obfuscate its activity.

Darktrace/Email presents this information in one location, making such investigations easier for the end user.

Darktrace/Email indicating a threat across SaaS and email
Figure 2: Darktrace/Email indicating a threat across SaaS and email

What is regulation S-K item 106 of the SEC cybersecurity rules?

The new rules add Item 106 to Regulation S-K requiring registrants to disclose certain information regarding their risk management, strategy, and governance relating to cybersecurity in their annual reports on Form 10-K. The new rules add Item 16K to Form 20-F to require comparable disclosure by [foreign private issuers] in their annual reports on Form 20-F. (6)

SEC cybersecurity rules: Risk management

Specifically, with respect to risk management, Item 106(b) and Item 16K(b) require registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect them. The new rules include a non-exclusive list of disclosure items registrants should provide based on their facts and circumstances. (6)

SEC cybersecurity rules: Governance

With respect to governance, Item 106 and Item 16K require registrants to describe the board of directors’ oversight of risks from cybersecurity threats (including identifying any board committee or subcommittee responsible for such oversight) and management’s role in assessing and managing material risks from cybersecurity threats. (6)

How can Darktrace solutions aid in disclosing their risk management, strategy, and governance related to cybersecurity?

Impact scores

Darktrace End-to-End (E2E) leverages AI to understand the complex relationships across users and devices to model possible attack paths, giving security teams a contextual understanding of risk across their digital environments beyond isolated CVEs or CVSS scores. Additionally, teams can prioritize risk management actions to increase their cyber resilience through the E2E Advisory dashboard.

Attack paths consider:

  • Potential damages: Both the potential consequences if a given device was compromised and its immediate implications on other devices.
  • Exposure: Devices' level of interactivity and accessibility. For example, how many emails does a user get via mailing lists and from what kind of sources?
  • Impact: Where a user or asset sits in terms of the IT or business hierarchy and how they communicate with each other. Darktrace can simulate a range of possible outcomes for an uncertain event.
  • Weakness: A device’s patch latency and difficulty, a composite metric that looks at attacker MITRE methods and our own scores to determine how hard each stage of compromise is to achieve.

Because the SEC cybersecurity rules require “oversight of risks from cybersecurity threats” and “management’s role in assessing and managing material risks from cybersecurity threats” (6), the scores generated by Darktrace E2E can aid end-user’s ability to identify risks facing their organization and assign responsibilities to address those risks.

E2E attack paths leverage a deep understanding of a customer’ digital environment and highlight potential attack routes that an attacker could leverage to reach critical assets or entities. Difficulty scores (see Figure 5) allow security teams to measure potential damage, exposure, and impact of an attack on a specific asset or entity.

An example of an attack path in a digital environment
Figure 3: An example of an attack path in a digital environment

Automatic executive threat reports

Darktrace’s solution automatically produces Executive Threat Reports that present a simple visual overview of model breaches (i.e., indicators of unusual and threatening behaviors) and activity in the network environment. Reports can be customized to include extra details or restricted to high level information.

These reports can be generated on a weekly, quarterly, and yearly basis, and can be documented by registrants in relation to Item 106(b) to document parts of their efforts toward assessing, identifying, and managing material risks from cybersecurity threats.

Moreover, Cyber AI Analyst incident reports (described above) can be leveraged to document key details concerning significant previous incidents identified by the Darktrace solution that the registrant determined to be ‘material’.

While the disclosures required by Item 106(c) relate to the governance processes by which the board of directors, the management, and other responsible bodies within an organization oversee risks resulting from cybersecurity threats, the information provided by Darktrace’s Executive Threat Reports and Cyber AI Analyst incident reports can also help relevant stakeholders communicate more effectively regarding the threat landscape and previous incidents.

DISCLAIMER

The material above is provided for informational purposes only. This summary does not constitute legal or compliance advice, recommendations, or guidance. Darktrace encourages you to verify the contents of this summary with your own advisors.

References

  1. Note that the rule does not set forth any specific timeline between the incident and the materiality determination, but the materiality determination should be made without unreasonable delay.
  2. https://www.sec.gov/files/form8-k.pdf
  3. https://www.sec.gov/news/press-release/2023-139
  4. https://www.ecfr.gov/current/title-17/chapter-II/part-229
  5. https://www.sec.gov/files/form8-k.pdf
  6. https://www.sec.gov/corpfin/secg-cybersecurity
Continue reading
About the author
Kendra Gonzalez Duran
Director of Technology Innovation
Our ai. Your data.

Elevate your cyber defenses with Darktrace AI

Start your free trial
Darktrace AI protecting a business from cyber threats.