Blog
/
Network
/
June 21, 2024

Elevating Network Security: Confronting Trust, Ransomware, & Novel Attacks

Ensuring trust, battling ransomware, and detecting novel attacks pose critical challenges in network security. This blog explores these challenges and shows how leveraging AI-driven security solutions helps security teams stay informed and effectively safeguard their network.
Written by
Mikey Anderson
Product Marketing Manager, Network Detection & Response
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Mikey Anderson
Product Marketing Manager, Network Detection & Response
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
21
Jun 2024

Understanding the Network Security Market

Old tools blind to new threats

With the rise of GenAI and novel attacks, organizations can no longer rely solely on traditional network security solutions that depend on historical attack data, such as signatures and detection rules, to identify threats. However, in many cases network security vendors and traditional solutions like IDS/IPS focus on detecting known attacks using historical data. What happens is organizations are left vulnerable to unknown and novel threats, as these approaches only detect known malicious behavior and cannot keep up with unknown threats or zero-day attacks.

Advanced threats

Darktrace's End of Year Threat Report for 2023 highlights significant changes in the cyber threat landscape, particularly due to advancements in technology such as generative AI. The report notes a substantial increase in sophisticated attacks, including those utilizing generative AI, which have made it more challenging for traditional security measures to keep up. The report also details the rise of multi-functional malware, like Black Basta ransomware, which not only encrypts data for ransom but also spreads other types of malware such as the Qbot banking trojan. These complex attacks are increasingly being deployed by advanced cybercriminal groups, underscoring the need for organizations to adopt advanced security measures that can detect and respond to novel threats in real-time.

Defenders need a solution that can level the playing field, especially when they are operating with limited resources and getting overloaded with endless alerts. Most network security tools on the market have a siloed approach and do not integrate with the rest of an organization’s digital estate, but attackers don’t operate in a single domain.

Disparate workforce

With so many organizations continuing to support a remote or hybrid working environment, the need to secure devices that are outside the corporate network or off-VPN is increasingly important. While endpoint protection or endpoint detection and response (EDR) tools are a fundamental part of any security stack, it’s not possible to install an agent on every device, which can leave blind spots in an organization’s attack surface. Managing trust and access policies is also necessary to protect identities, however this comes with its own set of challenges in terms of implementation and minimizing business disruption.

This blog will dive into these challenges and show examples of how Darktrace has helped mitigate risk and stop novel and never-before-seen threats.

Network Security Challenge 1: Managing trust

What is trust in cybersecurity?

Trust in cybersecurity means that an entity can be relied upon. This can involve a person, organization, or system to be authorized or authenticated by proving their identity is legitimate and can be trusted to have access to the network or sensitive information.

Why is trust important in cybersecurity?

Granting access and privileges to your workforce and select affiliates has profound implications for cybersecurity, brand reputation, regulatory compliance, and financial liability. In a traditional network security model, traffic gets divided into two categories — trusted and untrusted — with some entities and segments of the network deemed more creditable than others.

How do you manage trust in cybersecurity?

Zero trust is too little, but any is too much.

Modern network security challenges point to an urgent need for organizations to review and update their approaches to managing trust. External pressure to adopt zero trust security postures literally suggests trusting no one, but that impedes your freedom
to do business. IT leaders need a proven but practical process for deciding who should be allowed to use your network and how.

Questions to ask in updating Trusted User policies include:

  • What process should you follow to place trust in third
    parties and applications?
  • Do you subject trusted entities to testing and other due
    diligence first?
  • How often do you review this process — and trusted
    relationships themselves — after making initial decisions?
  • How do you tell when trusted users should no longer be
    trusted?

Once trust has been established, security teams need new and better ways to autonomously verify that those transacting within your network are indeed those trusted users that they claim to be, taking only the authorized actions you’ve allowed them to take.

Exploiting trust in the network

Insider threats have a major head start. The opposite of attacks launched by nameless, faceless strangers, insider threats originate through parties once deemed trustworthy. That might mean a current or former member of your workforce or a partner, vendor, investor, or service provider authorized by IT to access corporate systems and data. Threats also arise when a “pawn” gets unwittingly tricked into disclosing credentials or downloading malware.

Common motives for insider attacks include revenge, stealing or leaking sensitive data, taking down IT systems, stealing assets or IP, compromising your organization’s credibility, and simply harassing your workforce. Put simply, rules and signatures based security solutions won’t flag insider threats because an insider does not immediately present themselves as an intruder. Insider threats can only be stopped by an evolving understanding of ‘normal’ for every user that immediately alerts your team when trusted users do something strange.

“By 2026, 10% of large enterprises will have a comprehensive, mature and measurable zero-trust program in place, up from less than 1% today.” [1]

Use Case: Darktrace spots an insider threat

Darktrace / OT detected a subtle deviation from normal behavior when a reprogram command was sent by an engineering workstation to a PLC controlling a pump, an action an insider threat with legitimized access to OT systems would take to alter the physical process without any malware involved. In this instance, AI Analyst, Darktrace’s investigation tool that triages events to reveal the full security incident, detected the event as unusual based on multiple metrics including the source of the command, the destination device, the time of the activity, and the command itself.  

As a result, AI Analyst created a complete security incident, with a natural language summary, the technical details of the activity, and an investigation process explaining how it came to its conclusion. By leveraging Explainable AI, a security team can quickly triage and escalate Darktrace incidents in real time before it becomes disruptive, and even when performed by a trusted insider.

Read more about insider threats here

Network Security Challenge 2: Stopping Ransomware at every stage    

What is Ransomware?

Ransomware is a type of malware that encrypts valuable files on a victim’s device, denying the account holder access, and demanding money in exchange for the encryption key. Ransomware has been increasingly difficult to deal with, especially with ransom payments being made in crypto currency which is untraceable. Ransomware can enter a system by clicking a link dangerous or downloading malicious files.

Avoiding ransomware attacks ranks at the top of most CISOs’ and risk managers’ priority lists, and with good reason. Extortion was involved in 25% of all breaches in 2022, with front-page attacks wreaking havoc across healthcare, gas pipelines, food processing plants, and other global supply chains. [2]

What else is new?

The availability of “DIY” toolkits and subscription-based ransom- ware-as-a-service (RaaS) on the dark web equips novice threat actors to launch highly sophisticated attacks at machine speed. For less than $500, virtually anyone can acquire and tweak RaaS offerings such as Philadelphia that come with accessible customer interfaces, reviews, discounts, and feature updates — all the signature features of commercial SaaS offerings.                  

Darktrace Cyber AI breaks the ransomware cycle

The preeminence of ransomware keeps security teams on high alert for indicators of attack but hypervigilance — and too many tools churning out too many alerts — quickly exhausts analysts’ bandwidth. To reverse this trend, AI needs to help prioritize and resolve versus merely detect risk.

Darktrace uses AI to recognize and contextualize possible signs of ransomware attacks as they appear in your network and across multiple domains. Viewing behaviors in the context of your organization’s normal ‘pattern of life’ updates and enhances detection that watches for a repeat of previous techniques.

Darktrace's AI brings the added advantage of continuously analyzing behavior in your environment at machine speed.

Darktrace AI also performs Autonomous Response, shutting down attacks at every stage of the ransomware cycle, including the first telltale signs of exfiltration and encryption of data for extortion purposes.

Use Case: Stopping Hive Ransomware attack

Hive is distributed via a RaaS model where its developers update and maintain the code, in return for a percentage of the eventual ransom payment, while users (or affiliates) are given the tools to carry out attacks using a highly sophisticated and complex malware they would otherwise be unable to use.

In early 2022, Darktrace / NETWORK identified several instances of Hive ransomware on the networks of multiple customers. Using its anomaly-based detection, Darktrace was able to successfully detect the attacks and multiple stages of the kill chain, including command and control (C2) activity, lateral movement, data exfiltration, and ultimately data encryption and the writing of ransom notes.

Darktrace’s AI understands customer networks and learns the expected patterns of behavior across an organization’s digital estate. Using its anomaly-based detection Darktrace is able to identify emerging threats through the detection of unusual or unexpected behavior, without relying on rules and signatures, or known IoCs.

Read the full story here

Network Security Challenge 3: Spotting Novel Attacks

You can’t predict tomorrow’s weather by reading yesterday’s forecast, yet that’s essentially what happens when network security tools only look for known attacks.

What are novel attacks?

“Novel attacks” include unknown or previously unseen exploits such as zero-days, or new variations of known threats that evade existing detection rules.

Depending on how threats get executed, the term “novel” can refer to brand new tactics, techniques, and procedures (TTPs), or to subtle new twists on perennial threats like DoS, DDoS, and Domain Name Server (DNS) attacks.

Old tools may be blind to new threats

Stopping novel threats is less about deciding whom to trust than it is about learning to spot something brand new. As we’ve seen with ransomware, the growing “aaS” attack market creates a profound paradigm shift by allowing non-technical perpetrators to tweak, customize, and coin never-before-seen threats that elude traditional network, email, VPN, and cloud security.

Tools based on traditional rules and signatures lack a frame of reference. This is where AI’s ability to spot and analyze abnormalities in the context of normal patterns of life comes into play.                        

Darktrace AI spots what other tools miss                                      

Instead of training in cloud data lakes that pool data from unrelated attacks worldwide, Darktrace AI learns about your unique environment from your environment. By flagging and analyzing everything unusual — instead of only known signs of compromise — Darktrace’s Self-Learning AI keeps security stacks from missing less obvious but potentially more dangerous events.

The real challenge here is achieving faster “time to meaning” and contextualizing behavior that might — or might not — be part of a novel attack. Darktrace/Network does not require a “patient zero” to identify a novel attack, or one exploiting a zero-day vulnerability.

Use Case: Stopping Novel Ransomware Attack

In late May 2023, Darktrace observed multiple instances of Akira ransomware affecting networks across its customer base. Thanks to its anomaly-based approach to threat detection Darktrace successfully identified the novel ransomware attacks and provided full visibility over the cyber kill chain, from the initial compromise to the eventual file encryptions and ransom notes. Darktrace identified Akira ransomware on multiple customer networks, even when threat actors were utilizing seemingly legitimate services (or spoofed versions of them) to carry out malicious activity. While this may have gone unnoticed by traditional security tools, Darktrace’s anomaly-based detection enabled it to recognize malicious activity for what it was. In cases where Darktrace’s autonomous response was enabled these attacks were mitigated in their early stages, thus minimizing any disruption or damage to customer networks.

Read the full story here

References

[1] Gartner, “Gartner Unveils Top Eight Cybersecurity Predictions for 2023-2024,” 28 March 2023.                    

[2] TechTarget, “Ransomware trends, statistics and facts in 2023,” Sean Michael Kerner, 26 January 2023.

Written by
Mikey Anderson
Product Marketing Manager, Network Detection & Response
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Mikey Anderson
Product Marketing Manager, Network Detection & Response

Cloud Security Evolution: Why Security Teams are Taking the Lead

Cloud
April 8, 2025
Pallavi Singh
Product Marketing Manager, OT Security & Compliance

Darktrace Named as Market Leader in the 2025 Omdia Market Radar for OT Cybersecurity Platforms

OT
April 4, 2025
Pallavi Singh
Product Marketing Manager, OT Security & Compliance
Watch the NIS2 Webinar
Trending blogs
1
Our Annual Survey Reveals How Security Teams Are Adapting to AI-Powered Threats
Mar 4, 2025
2
Darktrace Releases Annual 2024 Threat Insights
Feb 19, 2025
3
From Hype to Reality: How AI is Transforming Cybersecurity Practices
Feb 10, 2025
4
From Containment to Remediation: Darktrace / CLOUD & Cado Reducing MTTR
Mar 6, 2025
5
RansomHub Ransomware: Darktrace’s Investigation of the Newest Tool in ShadowSyndicate's Arsenal
Jan 14, 2025

More in this series

No items found.
Continue reading
Network
March 20, 2025

Cyberhaven Supply Chain Attack: Exploiting Browser Extensions

In late 2024, Darktrace detected unusual activity linked to Cyberhaven's Chrome browser extension. Read more about Darktrace’s investigation here.
Rajendra Rushanth
Cyber Analyst
Read more
Network
March 12, 2025

Darktrace's Detection of State-Linked ShadowPad Malware

In 2024, Darktrace identified a cluster of intrusions involving the state-linked malware, ShadowPad. This blog will detail ShadowPad and the associated activities detected by Darktrace.
Sam Lister
SOC Analyst
Read more
Network
February 19, 2025

Darktrace Releases Annual 2024 Threat Insights

Explore Darktrace's Annual Threat Report 2024 for insights on the latest cyber threats and trends observed throughout the year.
The Darktrace Threat Research Team
Read more

Blog

/

/

April 16, 2025

Why Data Classification Isn’t Enough to Prevent Data Loss

women looking at laptopDefault blog imageDefault blog image

Why today’s data is fundamentally difficult to protect

Data isn’t what it used to be. It’s no longer confined to neat rows in a database, or tucked away in a secure on-prem server. Today, sensitive information moves freely between cloud platforms, SaaS applications, endpoints, and a globally distributed workforce – often in real time. The sheer volume and diversity of modern data make it inherently harder to monitor, classify, and secure. And the numbers reflect this challenge – 63% of breaches stem from malicious insiders or human error.

This complexity is compounded by an outdated reliance on manual data management. While data classification remains critical – particularly to ensure compliance with regulations like GDPR or HIPAA – the burden of managing this data often falls on overstretched security teams. Security teams are expected to identify, label, and track data across sprawling ecosystems, which can be time-consuming and error-prone. Even with automation, rigid policies that depend on pre-defined data classification miss the mark.

From a data protection perspective, if manual or basic automated classification is the sole methodology for preventing data loss, critical data will likely slip through the cracks. Security teams are left scrambling to fill the gaps, facing compliance risks and increasing operational overhead. Over time, the hidden costs of these inefficiencies pile up, draining resources and reducing the effectiveness of your entire security posture.

What traditional data classification can’t cover

Data classification plays an important role in data loss prevention, but it's only half the puzzle. It’s designed to spot known patterns and apply labels, yet the most common causes of data breaches don’t follow rules. They stem from something far harder to define: human behavior.

When Darktrace began developing its data loss detection capabilities, the question wasn’t what data to protect — it was how to understand the people using it. The numbers pointed clearly to where AI could make the biggest difference: 22% of email data breaches stem directly from user error, while malicious insider threats remain the most expensive, costing organizations an average of $4.99 million per incident.

Data classification is blind to nuance – it can’t grasp intent, context, or the subtle red flags that often precede a breach. And no amount of labeling, policy, or training can fully account for the reality that humans make mistakes. These problems require a system that sees beyond the data itself — one that understands how it’s being used, by whom, and in what context. That’s why Darktrace leans into its core strength: detecting the subtle symptoms of data loss by interpreting human behavior, not just file labels.

Achieving autonomous data protection with behavioral AI

Rather than relying on manual processes to understand what’s important, Darktrace uses its industry-leading AI to learn how your organization uses data — and spot when something looks wrong.

Its understanding of business operations allows it to detect subtle anomalies around data movement for your use cases, whether that’s a misdirected email, an insecure cloud storage link, or suspicious activity from an insider. Crucially, this detection is entirely autonomous, with no need for predefined rules or static labels.

Darktrace uses its contextual understanding of each user to stop all types of sensitive or misdirected data from leaving the organization
Fig 1: Darktrace uses its contextual understanding of each user to stop all types of sensitive or misdirected data from leaving the organization

Darktrace / EMAIL’s DLP add-on continuously learns in real time, enabling:

  • Automatic detection: Identifies risky data behavior to catch threats that traditional approaches miss – from human error to sophisticated insider threats.
  • A dynamic range of actions: Darktrace always aims to avoid business disruption in its blocking actions, but this can be adjusted according to the unique risk appetite of each customer – taking the most appropriate response for that business from a whole scale of possibilities.
  • Enhanced context: While Darktrace doesn’t require sensitivity data labeling, it integrates with Microsoft Purview to ingest sensitivity labels and enrich its understanding of the data – for even more accurate decision-making.

Beyond preventing data loss, Darktrace uses DLP activity to enhance its contextual understanding of the user itself. In other words, outbound activity can be a useful symptom in identifying a potential account compromise, or can be used to give context to that user’s inbound activity. Because Darktrace sees the whole picture of a user across their inbound, outbound, and lateral mail, as well as messaging (and into collaboration tools with Darktrace / IDENTITY), every interaction informs its continuous learning of normal.

With Darktrace, you can achieve dynamic data loss prevention for the most challenging human-related use cases – from accidental misdirected recipients to malicious insiders – that evade detection from manual classification. So don’t stand still on data protection – make the switch to autonomous, adaptive DLP that understands your business, data, and people.

[related-resource]

Continue reading
About the author
Carlos Gray
Senior Product Marketing Manager, Email

Blog

/

Email

/

April 14, 2025

Email bombing exposed: Darktrace’s email defense in action

picture of a computer screen showing a password loginDefault blog imageDefault blog image

What is email bombing?

An email bomb attack, also known as a "spam bomb," is a cyberattack where a large volume of emails—ranging from as few as 100 to as many as several thousand—are sent to victims within a short period.

How does email bombing work?

Email bombing is a tactic that typically aims to disrupt operations and conceal malicious emails, potentially setting the stage for further social engineering attacks. Parallels can be drawn to the use of Domain Generation Algorithm (DGA) endpoints in Command-and-Control (C2) communications, where an attacker generates new and seemingly random domains in order to mask their malicious connections and evade detection.

In an email bomb attack, threat actors typically sign up their targeted recipients to a large number of email subscription services, flooding their inboxes with indirectly subscribed content [1].

Multiple threat actors have been observed utilizing this tactic, including the Ransomware-as-a-Service (RaaS) group Black Basta, also known as Storm-1811 [1] [2].

Darktrace detection of email bombing attack

In early 2025, Darktrace detected an email bomb attack where malicious actors flooded a customer's inbox while also employing social engineering techniques, specifically voice phishing (vishing). The end goal appeared to be infiltrating the customer's network by exploiting legitimate administrative tools for malicious purposes.

The emails in these attacks often bypass traditional email security tools because they are not technically classified as spam, due to the assumption that the recipient has subscribed to the service. Darktrace / EMAIL's behavioral analysis identified the mass of unusual, albeit not inherently malicious, emails that were sent to this user as part of this email bombing attack.

Email bombing attack overview

In February 2025, Darktrace observed an email bombing attack where a user received over 150 emails from 107 unique domains in under five minutes. Each of these emails bypassed a widely used and reputable Security Email Gateway (SEG) but were detected by Darktrace / EMAIL.

Graph showing the unusual spike in unusual emails observed by Darktrace / EMAIL.
Figure 1: Graph showing the unusual spike in unusual emails observed by Darktrace / EMAIL.

The emails varied in senders, topics, and even languages, with several identified as being in German and Spanish. The most common theme in the subject line of these emails was account registration, indicating that the attacker used the victim’s address to sign up to various newsletters and subscriptions, prompting confirmation emails. Such confirmation emails are generally considered both important and low risk by email filters, meaning most traditional security tools would allow them without hesitation.

Additionally, many of the emails were sent using reputable marketing tools, such as Mailchimp’s Mandrill platform, which was used to send almost half of the observed emails, further adding to their legitimacy.

Darktrace / EMAIL’s detection of an email being sent using the Mandrill platform.
Figure 2: Darktrace / EMAIL’s detection of an email being sent using the Mandrill platform.
Darktrace / EMAIL’s detection of a large number of unusual emails sent during a short period of time.
Figure 3: Darktrace / EMAIL’s detection of a large number of unusual emails sent during a short period of time.

While the individual emails detected were typically benign, such as the newsletter from a legitimate UK airport shown in Figure 3, the harmful aspect was the swarm effect caused by receiving many emails within a short period of time.

Traditional security tools, which analyze emails individually, often struggle to identify email bombing incidents. However, Darktrace / EMAIL recognized the unusual volume of new domain communication as suspicious. Had Darktrace / EMAIL been enabled in Autonomous Response mode, it would have automatically held any suspicious emails, preventing them from landing in the recipient’s inbox.

Example of Darktrace / EMAIL’s response to an email bombing attack taken from another customer environment.
Figure 4: Example of Darktrace / EMAIL’s response to an email bombing attack taken from another customer environment.

Following the initial email bombing, the malicious actor made multiple attempts to engage the recipient in a call using Microsoft Teams, while spoofing the organizations IT department in order to establish a sense of trust and urgency – following the spike in unusual emails the user accepted the Teams call. It was later confirmed by the customer that the attacker had also targeted over 10 additional internal users with email bombing attacks and fake IT calls.

The customer also confirmed that malicious actor successfully convinced the user to divulge their credentials with them using the Microsoft Quick Assist remote management tool. While such remote management tools are typically used for legitimate administrative purposes, malicious actors can exploit them to move laterally between systems or maintain access on target networks. When these tools have been previously observed in the network, attackers may use them to pursue their goals while evading detection, commonly known as Living-off-the-Land (LOTL).

Subsequent investigation by Darktrace’s Security Operations Centre (SOC) revealed that the recipient's device began scanning and performing reconnaissance activities shortly following the Teams call, suggesting that the user inadvertently exposed their credentials, leading to the device's compromise.

Darktrace’s Cyber AI Analyst was able to identify these activities and group them together into one incident, while also highlighting the most important stages of the attack.

Figure 5: Cyber AI Analyst investigation showing the initiation of the reconnaissance/scanning activities.

The first network-level activity observed on this device was unusual LDAP reconnaissance of the wider network environment, seemingly attempting to bind to the local directory services. Following successful authentication, the device began querying the LDAP directory for information about user and root entries. Darktrace then observed the attacker performing network reconnaissance, initiating a scan of the customer’s environment and attempting to connect to other internal devices. Finally, the malicious actor proceeded to make several SMB sessions and NTLM authentication attempts to internal devices, all of which failed.

Device event log in Darktrace / NETWORK, showing the large volume of connections attempts over port 445.
Figure 6: Device event log in Darktrace / NETWORK, showing the large volume of connections attempts over port 445.
Darktrace / NETWORK’s detection of the number of the login attempts via SMB/NTLM.
Figure 7: Darktrace / NETWORK’s detection of the number of the login attempts via SMB/NTLM.

While Darktrace’s Autonomous Response capability suggested actions to shut down this suspicious internal connectivity, the deployment was configured in Human Confirmation Mode. This meant any actions required human approval, allowing the activities to continue until the customer’s security team intervened. If Darktrace had been set to respond autonomously, it would have blocked connections to port 445 and enforced a “pattern of life” to prevent the device from deviating from expected activities, thus shutting down the suspicious scanning.

Conclusion

Email bombing attacks can pose a serious threat to individuals and organizations by overwhelming inboxes with emails in an attempt to obfuscate potentially malicious activities, like account takeovers or credential theft. While many traditional gateways struggle to keep pace with the volume of these attacks—analyzing individual emails rather than connecting them and often failing to distinguish between legitimate and malicious activity—Darktrace is able to identify and stop these sophisticated attacks without latency.

Thanks to its Self-Learning AI and Autonomous Response capabilities, Darktrace ensures that even seemingly benign email activity is not lost in the noise.

Credit to Maria Geronikolou (Cyber Analyst and SOC Shift Supervisor) and Cameron Boyd (Cyber Security Analyst), Steven Haworth (Senior Director of Threat Modeling), Ryan Traill (Analyst Content Lead)

Appendices

[1] https://www.microsoft.com/en-us/security/blog/2024/05/15/threat-actors-misusing-quick-assist-in-social-engineering-attacks-leading-to-ransomware/

[2] https://thehackernews.com/2024/12/black-basta-ransomware-evolves-with.html

Darktrace Models Alerts

Internal Reconnaissance

·      Device / Suspicious SMB Scanning Activity

·      Device / Anonymous NTLM Logins

·      Device / Network Scan

·      Device / Network Range Scan

·      Device / Suspicious Network Scan Activity

·      Device / ICMP Address Scan

·      Anomalous Connection / Large Volume of LDAP Download

·      Device / Suspicious LDAP Search Operation

·      Device / Large Number of Model Alerts

Continue reading
About the author
Maria Geronikolou
Cyber Analyst
Your data. Our AI.
Elevate your network security with Darktrace AI