Blog

No items found.

Every rule has an exception: How to detect insider threat without rules

Every rule has an exception: How to detect insider threat without rulesDefault blog imageDefault blog image
21
Jun 2017
21
Jun 2017

Typically, security controls have to predefine ‘good’ and ‘bad’ behavior, but this approach inevitably leaves room for people to circumvent those rules, intentionally or otherwise. This is especially problematic when it comes to establishing rules for insiders. Too restrictive, and their workflow is impeded. Too laissez-fair, and they open themselves up to easily preventable threats.

For instance, to prevent anomalous RDP connections – either inbound or outbound – traditional security tools like firewalls often predefine which destination ports to allow and which ports to restrict. However, if an employee were to use a destination port not explicitly restricted by the firewall, they could theoretically exfiltrate data out of the network without raising any alerts.

After installing on the corporate network of a large manufacturing company, our AI technology recently spotted a rogue device making RDP connections to a rare external host that should have been blocked by the firewall.

10.230.102.143 · 00:23:18:28:3d:8c made 2 RDP connections to 100% rare external host mail.klaxcar[.]com

The company’s firewall was configured to prevent outbound RDP connections, but the rule was overly simplistic and was defined by destination port. By changing the port in use, the connections were allowed to continue.

Time: 2017-03-23 14:44:57 [UTC]
Protocol: RDP
Source: 10.230.102.143
Destination: 217.109.48.125
Destination Port: 30005

No other devices in the network had been observed connecting to that host. The activity represented a major deviation from the pattern of normality built by Darktrace’s AI algorithms. The connections lasted over ten minutes and involved the download of nearly 4MB of data.

10.230.102.143 was first seen on the network on 2017-03-23.
Total duration: 10 mins 34 secs
Total upload: 0.19 MB
Total download: 3.77 MB

Darktrace Antigena determined this activity was threatening enough to require an immediate response. It triggered an autonomous response that blocked all outgoing traffic from the device for 10 minutes, giving the security team time to identify the rogue device and stop the RDP activities.

Upon investigation, it became clear that an employee had connected their personal device to the corporate network and was attempting to send valuable intellectual property to a foreign party. The external host happened to be associated with a competing manufacturing company.

It may be tempting to conclude that the company simply needed a better firewall, but that misses the point. Legacy tools – no matter how expensive – still rely on rules, and every rule has an exception. Of course, firewalls are still an essential part of modern cyber security, but organizations need to accept that cyber-threats will always find a way around these tools.

At Darktrace, our technology doesn’t make any assumptions about maliciousness. It uses advanced machine learning and AI algorithms to learn ‘normal’ for every user and device on a network. When a threatening deviation arises, Darktrace neutralizes the threat in real time. While some of these anomalies get stopped by firewalls and other rules-based tools, subtle insider threats like these frequently go undetected.

To learn more about the threats Darktrace finds, check out our Threat Use Cases page which tells the story of how a hacker compromised the video conferencing unit in the executive boardroom.

More in this series:

No items found.

Like this and want more?

Receive the latest blog in your inbox
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
INSIDE THE SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
AUTHOR
ABOUT ThE AUTHOR
Andrew Tsonchev
VP of Technology

Andrew is a technical expert on cyber security and advises Darktrace’s strategic customers on advanced threat defense, AI and autonomous response. He has a background in threat analysis and research, and holds a first-class degree in physics from Oxford University and a first-class degree in philosophy from King’s College London. His comments on cyber security and the threat to critical national infrastructure have been reported in international media, including CNBC and the BBC World.

share this article
USE CASES
No items found.
PRODUCT SPOTLIGHT
No items found.
COre coverage
No items found.
This Article
Every rule has an exception: How to detect insider threat without rules
Share
Twitter logoLinkedIn logo

Related Articles

No items found.

Good news for your business.
Bad news for the bad guys.

Start your free trial

Start your free trial

Flexible delivery
You can either install it virtually or with hardware.
Fast install
Just 1 hour to set up – and even less for an email security trial.
Choose your journey
Try out Self-Learning AI wherever you most need it — including cloud, network or email.
No commitment
Full access to the Darktrace Threat Visualizer and three bespoke Threat Reports, with no obligation to purchase.
For more information, please see our Privacy Notice.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Get a demo

Flexible delivery
You can either install it virtually or with hardware.
Fast install
Just 1 hour to set up – and even less for an email security trial.
Choose your journey
Try out Self-Learning AI wherever you most need it — including cloud, network or email.
No commitment
Full access to the Darktrace Threat Visualizer and three bespoke Threat Reports, with no obligation to purchase.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Check out this article by Darktrace: Every rule has an exception: How to detect insider threat without rules