Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Max Heinemeyer
Global Field CISO
Share
06
Jan 2021
For a high-level explanation of the SolarWinds hack, watch our video below.
The SUNBURST malware attacks against SolarWinds have heightened companies’ concerns about the risk to their digital environments. Malware installed during software updates in March 2020 has allowed advanced attackers to gain unauthorized access to files that may include customer data and intellectual property.
Darktrace does not use SolarWinds, and its operations remain unaffected by this breach. However, SolarWinds is an IT discovery tool that is used by a significant number of Darktrace customers. In what follows, we explore a set of Darktrace detections that highlight and alert security teams to the types of behaviors related to this breach.
This is not an example of a SolarWinds compromise, but examples of anomalous behaviors we can expect to see from this type of breach. These examples stress the value of self-learning Cyber AI capable of understanding the evolving normal ‘patterns of life’ within an enterprise – as opposed to a signature-based approach that looks at historical data to predict today’s threat.
As Darktrace detects device activity patterns rather than known malicious signatures, detecting use of these techniques will fall into the scope of Darktrace’s capabilities without further need for configuration. The technology automatically clusters devices into ‘peer groups’, allowing it to detect cases of an individual device behaving unusually. Using a self-learning approach is the best possible mechanism to catch an attacker who gains access into your systems using a degree of stealth so as to not trigger signature-based detection.
A number of these models may fire in combination with other models in order to make a strong detection over a time-series – and this is exactly where Darktrace’s autonomous incident triage capability, Cyber AI Analyst, plays a crucial role in investigating the alerts on behalf of security teams. Cyber AI Analyst saves critical time for security teams, and its results should be treated with a high priority during this period of vigilance.
How SolarWinds was detected with AI
We want to focus on the most sophisticated details of the hands-on intrusion that in many cases followed the initial automated attack. This post-exploitation part of the attack is much more varied and stealthy. These stages are also near-impossible to predict, as they are driven by the attacker’s intentions and goals for each individual victim at this stage – making the use of signatures, threat intelligence or static use cases virtually useless.
While the automated, initial malware execution is a critical initial step to understand, the behavior was pre-configured for the malware and included the download of further payloads and the connection to domain-generation-algorithm (DGA) based subdomains of avsvmcloud[.]com. These automated first stages of the attack have been sufficiently researched in depth by the community. This post is not aiming to add anything to these findings, but instead takes a look at the potential post-infection activities.
Malware / C2 domains
The threat-actor set the hostnames on their later-stage command and control (C2) infrastructure to match a legitimate hostname found within the victim’s environment. This allowed the adversary to blend into the environment, avoid suspicion, and evade detection. They further used C2 servers in geopolitical proximity to their victims, further circumventing static geo-based trusts lists. Darktrace is unaffected by this type of tradecraft as it does not have implicit, pre-defined trust of any geo-locations.
This would be very likely to trigger the following Darktrace Cyber AI models. The models were not specifically designed to detect SolarWinds modifications but have been in place for years – they are designed to detect the subtle but significant attacker activities occurring within an organization’s network.
Compromise / Agent Beacon to New Endpoint
Compromise / SSL Beaconing to New Endpoint
Compromise / HTTP Beaconing to New Endpoint*
*The implant uses SSL, but may be identified as HTTP if using a proxy.
Lateral movement using different credentials
Once the attacker gained access to the network with compromised credentials, they moved laterally using multiple different credentials. The credentials used for lateral movement were always different from those used for remote access.
This very likely would trigger the following Cyber AI models:
User / Multiple Uncommon New Credentials on Device
Figure 1: Example breach event log showing anomalous (new) logins from a single device, with multiple user credentials
User / New Admin Credentials on Client
Figure 2: Example breach event log showing anomalous admin login
Temporary file replacement and temporary task modification
The attacker used a temporary file replacement technique to remotely execute utilities: they replaced a legitimate utility with theirs, executed their payload, and then restored the legitimate original file. They similarly manipulated scheduled tasks by updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration. They routinely removed their tools – including the removal of backdoors once legitimate remote access was achieved.
This would be very likely to trigger the following Cyber AI models:
Anomalous Connection / New or Uncommon Service Control
Figure 3: Example breach showing uncommon service control
Anomalous Connection / High Volume of New or Uncommon Service Control
Figure 4: Example breach showing 10 uncommon service controls
Device / AT Service Scheduled Task
Figure 5: Breach event log shows new AT service scheduled task activity
Device / Multiple RPC Requests for Unknown Services
Figure 6: Breach shows multiple binds to unknown RPC services
Device / Anomalous SMB Followed By Multiple Model Breaches
Figure 10: Breach shows significant deviation in SMB activity from device
SolarWinds breach remembered
By understanding where credentials are used and which devices talk to each other, Cyber AI has an unprecedented and dynamic understanding of business systems. This empowers it to alert security teams to enterprise changes that could indicate cyber risk in real time.
These alerts demonstrate how AI learns ‘normal’ for the unique digital environment surrounding it, and then alerts operators to deviations, including those that are directly relevant to the SUNBURST compromise. It further provides insights into how the attacker exploited those networks that did not have the appropriate visibility and detection capabilities.
On top of these alerts, Cyber AI Analyst will also be automatically correlating these detections over time to identify patterns, generating comprehensive and intuitive incident summaries and significantly reducing triage time. Reviewing Cyber AI Analyst alerts should be given high priority over the next several weeks.
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
The CIP-015 Countdown: What Utilities Should Be Doing Before October 2028
CIP-015 what you need to know
The electric sector already knows CIP-015 is coming. The better question is whether utilities are using the time before October 1, 2028 to build an Internal Network Security Monitoring program that is defensible, auditable, and operationally useful.
I have spent most of my OT cybersecurity career around the power sector, from early NERC CIP program work as an asset owner, to consulting with utilities ranging from small municipalities and rural cooperatives to some of the largest power companies in the country, to now working with technology that helps organizations improve visibility and detection across IT and OT. One lesson has been consistent across all of those roles: compliance is not just about having a control in place. It is about being able to prove the control works.
That is where CIP-015 becomes important.
The standard is not simply asking utilities to deploy a tool inside the Electronic Security Perimeter and call the job done. CIP-015 is about improving the probability of detecting anomalous or unauthorized network activity so that organizations can improve response and recovery from an attack. That purpose is directly stated in the standard itself. (NERC)
The real work between now and October 2028 is not just buying technology. It is building an INSM capability that can collect the right data, detect meaningful activity, support evaluation, retain the right evidence, and protect that evidence from unauthorized deletion or modification.
Why CIP-015 exists
CIP-015 exists because perimeter security alone does not solve the internal visibility problem.
For years, many CIP controls have focused heavily on access management, segmentation, patching, logging, training, and other security practices that help reduce the likelihood of unauthorized access. Those controls still matter. But they do not fully answer what happens after an attacker, insider, compromised vendor account, misused credential, or malicious activity is already operating inside a trusted environment.
NERC’s technical rationale explains that Internal Network Security Monitoring focuses on the collection and analysis of network communications inside a “trust zone,” such as an ESP. In other words, CIP-015 is not only about defending the edge. It is about understanding what is happening inside the environment once traffic is already within the trusted zone. (NERC)
That is the internal visibility gap utilities need to close.
Why traditional security monitoring does not fully satisfy CIP-015
One mistake utilities should avoid is assuming that existing security event monitoring automatically solves CIP-015.
Many organizations already have logging programs tied to CIP-007, SIEM use cases, host-level security events, authentication logs, malware alerts, and incident response workflows. Those capabilities remain valuable, but they are not the same as Internal Network Security Monitoring.
Security event monitoring often tells you what happened on or to a system. INSM is intended to help show what is happening between systems, across network communications, devices, connections, and internal traffic patterns. That distinction is especially important in OT environments where adversaries may use legitimate pathways, valid credentials, native protocols, remote access, engineering workstations, or trusted systems to move inside the environment.
CIP-015 pushes utilities toward a different level of visibility: not just “did a system log something,” but “can we see and evaluate anomalous or unauthorized activity occurring inside the ESP?”
What CIP-015 requires
At a high level, CIP-015-1 requires three core capabilities.
First, under Requirement R1, Responsible Entities must implement, using a risk-based rationale, network data feeds to monitor network activity, including connections, devices, and network communications. They must also implement one or more methods to detect anomalous network activity using those feeds, and one or more methods to evaluate detected anomalous activity to determine further actions.
Requirement R2: Retaining INSM data for investigations
Second, under Requirement R2, entities must retain INSM data associated with anomalous network activity at least until the related evaluation and action are complete. The standard also notes that entities are not required to retain INSM data that is not relevant to detected anomalous activity.
Requirement R3: Protecting monitoring data from tampering
Third, under Requirement R3, entities must protect INSM data collected for R1 and retained for R2 from unauthorized deletion or modification.
Those requirements may sound straightforward, but implementation is where the challenge begins.
What should utilities be asking themselves for CIP-015?
Where are we collecting network data inside the ESP, and why are those feeds defensible?
What methods are we using to detect anomalous network activity?
How do we distinguish meaningful anomalous behavior from normal operational change?
Who evaluates detections, and how are decisions documented?
What data is retained, and how is it protected from unauthorized deletion or modification?
Can we produce evidence that proves this process has worked over time?
Those answers matter because auditors will not be looking for marketing claims. They will be looking for evidence.
Why anomaly detection is central to CIP-015 compliance
One of the most important parts of CIP-015 is also one of the easiest to oversimplify: the word anomalous.
NERC’s technical rationale provides useful context. It explains that, as used in CIP-015, “anomalous” refers to unexpected, undesired, unusual, or undetermined network traffic. It also makes clear that the term does not refer to any single proprietary technology commonly marketed as “anomaly detection.”
Understanding static baselines vs true anomaly detection
A static baseline is not the same thing as meaningful anomaly detection. If a platform observes traffic for a limited period of time, assumes that observed behavior is “normal,” and then flags future deviations without deeper context, the result can be noisy, brittle, and operationally frustrating.
In real OT environments, “normal” is not fixed. Maintenance windows, vendor access, failovers, engineering changes, testing activity, backup jobs, and operational shifts can all change behavior. Detection has to keep learning and understand context. Otherwise, the organization may end up with alerts that are technically anomalous but not practically useful.
CIP-015 is not just about producing anomalies. It is about producing meaningful detections that can be evaluated, documented, and acted upon.
What should utilities consider when looking for anomaly detection tools
Some technologies were built around behavioral analysis and anomaly detection long before CIP-015 existed. What practitioners should look for is if the technology behind the phrase can identify meaningful deviations, provide context, reduce noise, and support the evaluation and evidence expectations of the standard.
Utilities should be cautious of vendor positioning that treats “anomaly” as a simple compliance keyword. This is especially important when evaluating tools historically built around signature-based, threat-based, or rule-based detection methods that are now being positioned as anomaly detection because CIP-015 uses the term.
A platform does not solve CIP-015 simply because it can baseline traffic or generate alerts when something changes.
The question is not: Can this tool create alerts?
The question is: Can this tool identify meaningful anomalous activity with enough context, prioritization, and evidence to support evaluation and response?
Why evidence and audit readiness matter for CIP-015
In NERC CIP, the control is only part of the story. Evidence is the part that proves the control existed, worked, and was followed.
That is why CIP-015 readiness should not be treated as a simple deployment project. It should be treated as a compliance operations and evidence program.
What auditors will expect utilities to prove
For R1, examples of evidence include documentation of network data feeds and the risk-based rationale for selecting them, anomalous network detection events, INSM configuration settings, communication baselines or other detection methods, methods used to evaluate anomalous activity, and actions taken in response to detected anomalies.
For R2, evidence may include documentation of the retention process, system configurations, or system-generated reports showing retention timelines sufficient to support evaluation. For R3, evidence may include documentation showing how INSM data is protected from unauthorized deletion or modification.
Common evidence gaps that can create compliance risk
If an entity implements a platform that generates noisy detections, lacks context, does not retain the right data, cannot demonstrate how data is protected, or cannot produce useful audit evidence, the issue may not become obvious until much later. By then, an organization may discover during an audit that it cannot prove what it thought it had implemented.
That is a bad place to be.
CIP evidence gaps can create exposure that goes back over time, not just to the day the audit finding is discovered. This is why utilities need to validate the process early. Do not wait until an audit cycle to find out whether your INSM approach can stand up to scrutiny.
How utilities should prepare for CIP-015 before 2028
October 2028 may sound far away, but in utility planning terms, it is not.
Utilities should already be moving through a structured readiness process.
Assessing internal network visibility across trusted environments
Start with scope. Identify the applicable High and Medium Impact BES Cyber Systems, the relevant ESPs, and the environments where INSM requirements will apply. Then map current visibility. Where do you already have useful network monitoring? Where are you relying mostly on logs, perimeter controls, or assumptions? Where do you have limited east-west visibility inside trusted environments?
Building a defensible network data feed strategy
Next, define the network data feed strategy. CIP-015 requires a risk-based rationale, so the organization should be able to explain why specific feeds were selected and how they support detection of anomalous activity across relevant connections, devices, and communications.
Validating anomaly detection workflows
Then validate the detection method. This is where utilities need to go deeper than vendor claims. Ask how the platform identifies anomalous activity. Ask how it reduces noise. Ask what context is provided for evaluation. Ask how it handles changes in normal operations. Ask what evidence is retained and how that evidence can be produced.
Testing evidence retention and protection processes
After that, build the evaluation workflow. Who reviews detections? How are anomalies classified as benign, abnormal but not suspicious, suspicious, or potentially malicious? When does an event move into CIP-008 incident response? What documentation is created during that process?
Finally, test evidence production. Utilities should be able to show detection records, configuration settings, evaluation notes, response actions, retention records, and data protection controls before an auditor asks for them.
Where Darktrace Fits into CIP-015
This is where technology matters, but only as part of the broader program.
Darktrace was built on self-learning anomaly detection long before CIP-015 created a new compliance driver around anomalous network activity. Its value is rooted in continuous behavioral understanding, multiple analytical techniques, and the ability to identify meaningful deviations across complex IT and OT environments. That matters because CIP-015 requires more than basic alerting. It requires detection that supports evaluation, evidence, and action.
This IT and OT visibility is especially important in power utility environments. High and Medium Impact environments are not made up only of industrial protocols and field devices. Control centers, operational workstations, engineering workstations, servers, remote access systems, domain services, printers, and other enterprise-class assets often sit inside or adjacent to critical operational environments. A useful INSM capability should understand a wide range of communications across both IT and OT, not only traditional industrial protocols like Modbus, DNP3, or IEC 61850.
That distinction matters because “protocol support” can mean very different things. Identifying that a protocol is present is not the same as performing deeper packet analysis that can provide behavioral context, richer protocol understanding, and meaningful detection across the communications actually used inside the environment. For CIP-015, utilities should be asking whether a platform can help evaluate activity across both enterprise and industrial communications, because real power utility environments are rarely “OT-only.”
This is also why utilities should look carefully at how vendors use the word “anomaly.” Some platforms were designed around behavioral understanding and anomaly detection long before CIP-015 created a new compliance driver. Others may now be adopting the language because the standard uses the term. The difference matters. Utilities should ask whether the platform’s detection approach is foundational to the technology, or simply a new label applied to existing signature-based, threat-based, or rule-based methods.
In OT environments, detection quality matters. Utilities do not need more noise. They need visibility into internal communications, confidence in what is normal, context when something changes, and prioritization that helps security and operations teams focus on what matters.
A strong INSM program should help utilities move from raw monitoring to operational confidence. It should support east-west visibility, better anomaly evaluation, defensible evidence retention, protection of monitoring data, and alignment between compliance and security outcomes.
That is the right way to think about CIP-015.
Not as “deploy a tool and move on.”But as “build a capability that can be trusted, operated, and proven.”
CIP-015 is about proving your INSM capability works
The CIP-015 countdown is real, but the countdown itself is not the whole story.
The real story is what utilities do with the time that remains.
Organizations that treat CIP-015 as a checkbox may be able to say they deployed something. But organizations that treat it as an opportunity to close the internal visibility gap will gain something much more valuable: better detection, better response, better evidence, and stronger operational resilience.
The question utilities should be asking now is not whether they can produce more alerts before October 2028.
The question is whether they can prove their INSM capability actually works.
Journey of a Threat: How Multi-Layered AI Works in Darktrace / EMAIL
Darktrace / EMAIL is an implementation of the Darktrace methodology – a multi-layered AI system built into a single product. As with other Darktrace products, Darktrace / EMAIL learns the expected behaviours of an organization and its employees to identify novel threats and anomalous activity.
The diagram below represents the architecture of Darktrace / EMAIL’s multi-layered AI: a structured visualization of how intelligence is built, step by step, from raw data to actionable insight. Each layer plays a distinct role, feeding into the next: collecting data, understanding behaviour, analysing intent, making decisions, and presenting clear outcomes.
It all starts with an email
In this blog, we’ll follow a malicious email as it passes through the Darktrace / EMAIL system, showing exactly what happens as it travels through each layer of the pyramid, from basic data extraction to AI-powered metric creation, and finally deciding on any autonomous actions.
Let’s take this example email. As an end-user, you can see that this is an obvious extortion attempt where an adversary is threatening legal action if money isn’t paid within 24 hours, but how does Darktrace figure that out?
Part 1: Data Gathering
Processing of an email begins on point-of-transit for all inbound, outbound, or lateral emails. The first step is to extract information directly. This includes taking information from the headers (such as sending and receiving addresses, sender IP address, routing, and authentication protocols), as well as extraction of raw HTML and CSS data from the email itself.
This directly extracted information only allows for immediate surface level analysis, such as identifying signature-based attacks (known malicious addresses / domains), but is insufficient for identifying novel threats, complex attacks, or potential email or vendor compromise. This is where Darktrace’s AI analysis shines.
In this example, the SPF, DKIM, and DMARC authentication all passed successfully, showing that even malicious emails can still bypass these signature-based checks. Even with this success, Darktrace will continue to analyse the email.
Diving deeper into the technical information, we can see further information extracted from the headers, including aggregations from the header information, historical calculations such as the frequency and volume of emails to and from a particular domain, and much more.
Part 2: Social Graphing
Social Graphing involves the analysis of sending and receiving behaviours of different mailboxes to create peer-groups. Mailboxes who often send and receive to and from the same mailboxes, or exhibit other correlated behaviours, will be clustered together using a collection of unsupervised AI clustering systems. These groups may represent uses in the same teams who perform similar activity, groups of external facing mailboxes which often receive unsolicited emails, or groups of VIP users (such as C-suite or executives).
Social graphing is an essential component of Darktrace’s pattern of life analysis. This clustering allows Darktrace to understand the responsibilities of individuals – for example, behaviours which are anomalous for one group of users may be completely expected of another group.
In our example, the email was sent to 3 different users within the organization. As part of the social graphing, an “Association Anomaly” is calculated which indicates the likelihood that these users would receive emails from this user or domain, based on historical patterns.
Part 3: Metric Calculation
Metrics are calculated for every email, representing more complex characteristics of an email which can’t be directly extracted. Darktrace / EMAIL features over 1000 unique metrics, calculated both algorithmically and using an ensemble of AI systems.
Algorithmically calculated (non-AI) metrics include further historical calculations, and counts of features such as code blocks, and hidden text, to name a few.
AI-driven metrics include Inducement Classification which uses Natural Language Processing to identify potential phishing, solicitation, or extortion attempts; Named Entity Recognition to identify PII and other sensitive data within an email to support Data Loss Prevention; and many more.
We can follow our example email through this process and view the outcome of these metric calculations. Looking at the language metrics for this email, we can see that our email has reported a high extortion inducement, along with identification of banking information and language indicating urgency.
Part 4: Evaluation and Combination Engine (models)
Once all metrics have been calculated for an email, it gets sent to an evaluation and combination engine where the metrics are compared against blocks of logic to determine if an email contains a threat. One key model which alerted for this example message was a model to tag and block extortion attempts.
Since our example email has a high inducement score for extortion, along the presence of a bitcoin wallet address in the message, this model alerts. When a model in the engine is activated, actions are taken – in this case adding a tag to the email to flag it as extortion in the console and hold the email to prevent it from reaching the end-user mailbox.
Part 5: Meta-Modelling and Actions
Once the models have been run, the actions are taken against the email. If the email hasn’t been blocked or held, this is the point where it will reach the end-user's mailbox.
In the Darktrace / EMAIL UI, all actions models which alerted for an email and actions taken as a result can be seen. At the top of this page, you can see the alert indicating an extortion attempt along with the action to hold the message.
Alongside this, a meta-classifier is used to calculate an overall anomaly score for each email, based on how much the email differs from the pattern of life for the user. The score of the email is boosted by any actions that have taken place.
Part 6: Campaign Clustering
All emails are passed through the Darktrace / EMAIL campaign clustering system. This system creates clusters based on related features within the emails to identify groups of emails with the same sender or intent.
In our case, the email was identified as part of a campaign, alongside other emails which were also identified as extortion attempts against a small group of recipients.
Email campaigns may have additional actions applied to them if the campaign is deemed malicious, and in this case, you can see that the autonomous response was to hold all emails in the campaign. This means that if an email manages to avoid being blocked in the evaluation and combination engine but gets identified as part of the campaign, the hold action will be applied to it retroactively.
Part 7: Cyber AI Analyst
Darktrace’s Cyber AI Analyst presents key information and anomaly indicators for each email, such as further information about authentication, specific metrics, or other identified anomalies and mismatches.
Cyber AI Analyst can also utilize data from Darktrace / EMAIL to enhance its investigation of incidents from other Darktrace products, correlating relevant information to build a fuller picture. More information about the Cyber AI Analyst is available in the Darktrace AI Arsenal.
Part 8: Data Presentation (UI)
Once all processing has taken place against the email, it is presented in the Darktrace / EMAIL UI. Here, members of the SOC team can investigate incidents and anomalies, interact with malicious emails to see why they were blocked, and much more.
Our email stands out here with its 100 anomaly score. Every email which passes through a Darktrace / EMAIL will undergo the same thorough and rigorous analysis to identify potential risks, apply autonomous actions where required, and will ultimately be assigned a score to be displayed here. By providing a single overall score in the UI, rather than presenting emails in full, Darktrace / EMAIL allows SOC teams to more easily identify which emails are most important to investigate, increasing efficiency and reducing alert fatigue.
Take the next step
Many email security tools on the market that claim to be AI-driven are in fact bolting AI onto attack-centric approaches, which rely on automating the identification of known threats. These approaches struggle, and will continue to struggle, with adapting to novel, AI-generated threats.
By analyzing every email within its deeply integrated, multi-layered AI system, Darktrace / EMAIL is able to identify the subtle threats that others miss. This depth not only improves detection accuracy, but enables confident, autonomous action, giving security teams clearer insight into AI outcomes and greater control while supporting users.
%201.png)
.jpg)
