Blog

Inside the SOC

PREVENT

Exploring the Cyber AI Loop as an Analyst: PREVENT/ASM & DETECT

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
02
Jan 2023
02
Jan 2023
This blog explores the use of Darktrace PREVENT/ASM and Darktrace DETECT/Network as triage tools for security teams and the increased visibility provided when they complement each other. An example and mock scenario from an Australian environmental customer is also highlighted.

On countless occasions, Darktrace has observed cyber-attacks disrupting business operations by using a vulnerable internet-facing asset as a starting point for infection. Finding that one entry point could be all a threat actor needs to compromise an entire organization. With the objective to prevent such vulnerabilities from being exploited, Darktrace’s latest product family includes Attack Surface Management (ASM) to continuously monitor customer attack surfaces for risks, high-impact vulnerabilities and potential external threats. 

An attack surface is the sum of exposed and internet-facing assets and the associated risks a hacker can exploit to carry out a cyber-attack. PREVENT/ASM uses AI to understand what external assets belong to an organization by searching beyond known servers, networks, and IPs across public data sources. 

This blog discusses how Darktrace PREVENT/ASM could combine with DETECT to find potential vulnerabilities and subsequent exploitation within network traffic. In particular, this blog will investigate the assets of a large Australian company which operates in the environmental sciences industry.   

Introducing ASM

In order to understand the link between PREVENT and DETECT, the core features of ASM should first be showcased.

Figure 1: The PREVENT/ASM dashboard.

When facing the landing page, the UI highlights the number of registered assets identified (with zero prior deployment). The tool then organizes the information gathered online in an easily assessable manner. Analysts can see vulnerable assets according to groupings like ‘Misconfiguration’, ‘Social Media Threat’ and ‘Information Leak’ which shows the type of risk posed to said assets.

Figure 2: The Network tab identifies the external facing assets and their hierarchy in a graphical format.

The Network tab helps analysts to filter further to take more rapid action on the most vulnerable assets and interact with them to gather more information. The image below has been filtered by assets with the ‘highest scoring’ risk.

Figure 3: PREVENT/ASM showing a high scoring asset.

Interacting with the showcased asset selected above allows pivoting to the following page, this provides more granular information around risk metrics and the asset itself. This includes a more detailed description of what the vulnerabilities are, as well as general information about the endpoint including its location, URL, web status and technologies used.

  Figure 4: Asset pages for an external web page at risk.

Filtering does not end here. Within the Insights tab, analysts can use the search bar to craft personalized queries and narrow their focus to specific types of risk such as vulnerable software, open ports, or potential cybersquatting attempts from malicious actors impersonating company brands. Likewise, filters can be made for assets that may be running software at risk from a new CVE. 

Figure 5: Insights page with custom queries to search for assets at risk of Log4J exploitation.

For each of the entries that can be read on the left-hand side, a query that could resemble the one on the top right exists. This allows users to locate specific findings beyond those risks that are categorized as critical. These broader searches can range from viewing the inventory as a whole, to seeing exposed APIs, expiring certificates, or potential shadow IT. Queries will return a list with all the assets matching the given criteria, and users can then explore them further by viewing the asset page as seen in Figure 4.

Compromise Scenario

Now that a basic explanation of PREVENT/ASM has been given, this scenario will continue to look at the Australian customer but show how Darktrace can follow a potential compromise of an at-risk ASM asset into the network. 

Having certain ports open could make it particularly easy for an attacker to access an internet-facing asset, particularly those sensitive ones such as 3389 (RDP), 445 (SMB), 135 (RPC Epmapper). Alternatively, a vulnerable program with a well-known exploitation could also aid the task for threat actors.

In this specific case, PREVENT/ASM identified multiple external assets that belonged to the customer with port 3389 open. One of these assets can be labelled as ‘Server A'. Whilst RDP connections can be protected with a password for a given user, if those were weak to bruteforce, it could be an easy task for an attacker to establish an admin session remotely to the victim machine.

Figure 6: Insights tab query filtering for open RDP port 3389.

N or zero-day vulnerabilities associated with the protocol could also be exploited; for example, CVE-2019-0708 exploits an RCE vulnerability in Remote Desktop where an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. 

Certain protocols are known to be sensitive according to the control they provide on a destination machine. These are developed for administrative purposes but have the potential to ease an attacker’s job if accessible. Thanks to PREVENT/ASM, security teams can anticipate such activity by having visibility over those assets that could be vulnerable. If this RDP were successfully exploited, DETECT/Network would then highlight the unusual activity performed by the compromised device as the attacker moved through the kill chain.  

There are several models within DETECT/Network which monitor for risks against internet facing assets. For example, ‘Server A’ which had an open 3389 port on ASM registered the following model breach in the network:

Figure 7: Breach log showing Anomalous Server Activity / New Internet Facing System model for ‘Server A’.

A model like this could highlight a misconfiguration that has caused an internal device to become unexpectedly open to the internet. It could also suggest a compromised device that has now been opened to the internet to allow further exploitation. If the result of a sudden change, such an asset would also be detected by ASM and highlighted within the ‘New Assets’ part of the Insights page. Ultimately this connection was not malicious, however it shows the ability for security teams to track between PREVENT to DETECT and verify an initial compromise.  

A mock scenario can take this further. Using the continued example of an open port 3389 intrusion, new RDP cookies may be registered (perhaps even administrative). This could enable further lateral movement and eventual privilege escalation. Various DETECT models would highlight actions of this nature, two examples are below:

Figure 8: RDP Lateral Movement related model breaches on customer.

Alongside efforts to move laterally, Darktrace may find attempts at reconnaissance or C2 communication from compromised internet facing devices by looking at Darktrace DETECT model breaches including ‘Network Scan’, ‘SMB Scanning’ and ‘Active Directory Reconnaissance’. In this case the network also saw repeated failed internal connections followed by the ‘LDAP Brute-Force Activity model’ around the same time as the RDP activity. Had this been malicious, DETECT would then continue to provide visibility into the C2 and eventual malware deployment stages. 

With the combined visibility of both tools, Darktrace users have support for greater triage across the whole kill chain. For customers also using RESPOND, actions will be taken from the DETECT alerting to subsequently block malicious activity. In doing so, inputs will have fed across the whole Cyber AI Loop by having learnt from PREVENT, DETECT and RESPOND.

This feed from the Cyber AI Loop works both ways. In Figure 9, below, a DETECT model breach shows a customer alert from an internet facing device: 

Figure 9: Model breach on internet-facing server.

This breach took place because an established server suddenly started serving HTTP sessions on a port commonly used for HTTPS (secure) connections. This could be an indicator that a criminal may have gained control of the device and set it to listen on the given port and enable direct connection to the attacker’s machine or command and control server. This device can be viewed by an analyst in its Darktrace PREVENT version, where new metrics can be observed from a perspective outside of the network.

Figure 10: Assets page for server. PREVENT shows few risks for this asset. 

This page reports the associated risks that could be leveraged by malicious actors. In this case, the events are not correlated, but in the event of an attack, this backwards pivoting could help to pinpoint a weak link in the chain and show what allowed the attacker into the network. In doing so this supports the remediation and recovery process. More importantly though, it allows organizations to be proactive and take appropriate security measures required before it could ever be exploited.

Concluding Thoughts

The combination of PREVENT/ASM with DETECT/Network provides wide and in-depth visibility over a company’s infrastructure. Through the Cyber AI Loop, this coverage is continually learning and updating based on inputs from both. PREVENT/ASM can show companies the potential weaknesses that a cybercriminal could take advantage of. In turn this allows them to prioritize patching, updating, and management of their internet facing assets. At the same time, Darktrace DETECT will show the anomalous behavior of any of these internet facing devices, enabling security teams or RESPOND to stop an attack. Use of these tools by an analyst together is effective in gaining informed security data which can be fed back to IT management. Leveraging this allows normal company operations to be performed without the worry of cyber disruption.

Credit to: Emma Foulger, Senior Cyber Analyst at Darktrace

INSIDE THE SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
AUTHOR
ABOUT ThE AUTHOR
Gabriel Hernandez
Book a 1-1 meeting with one of our experts
share this article
USE CASES
No items found.

More in this series

No items found.

Blog

Thought Leadership

The State of AI in Cybersecurity: Understanding AI Technologies

Default blog imageDefault blog image
24
Jul 2024

About the State of AI Cybersecurity Report

Darktrace surveyed 1,800 CISOs, security leaders, administrators, and practitioners from industries around the globe. Our research was conducted to understand how the adoption of new AI-powered offensive and defensive cybersecurity technologies are being managed by organizations.

This blog continues the conversation from “The State of AI in Cybersecurity: Unveiling Global Insights from 1,800 Security Practitioners”. This blog will focus on security professionals’ understanding of AI technologies in cybersecurity tools.

To access download the full report, click here.

How familiar are security professionals with supervised machine learning

Just 31% of security professionals report that they are “very familiar” with supervised machine learning.

Many participants admitted unfamiliarity with various AI types. Less than one-third felt "very familiar" with the technologies surveyed: only 31% with supervised machine learning and 28% with natural language processing (NLP).

Most participants were "somewhat" familiar, ranging from 46% for supervised machine learning to 36% for generative adversarial networks (GANs). Executives and those in larger organizations reported the highest familiarity.

Combining "very" and "somewhat" familiar responses, 77% had familiarity with supervised machine learning, 74% generative AI, and 73% NLP. With generative AI getting so much media attention, and NLP being the broader area of AI that encompasses generative AI, these results may indicate that stakeholders are understanding the topic on the basis of buzz, not hands-on work with the technologies.  

If defenders hope to get ahead of attackers, they will need to go beyond supervised learning algorithms trained on known attack patterns and generative AI. Instead, they’ll need to adopt a comprehensive toolkit comprised of multiple, varied AI approaches—including unsupervised algorithms that continuously learn from an organization’s specific data rather than relying on big data generalizations.  

Different types of AI

Different types of AI have different strengths and use cases in cyber security. It’s important to choose the right technique for what you’re trying to achieve.  

Supervised machine learning: Applied more often than any other type of AI in cyber security. Trained on human attack patterns and historical threat intelligence.  

Large language models (LLMs): Applies deep learning models trained on extremely large data sets to understand, summarize, and generate new content. Used in generative AI tools.  

Natural language processing (NLP): Applies computational techniques to process and understand human language.  

Unsupervised machine learning: Continuously learns from raw, unstructured data to identify deviations that represent true anomalies.  

What impact will generative AI have on the cybersecurity field?

More than half of security professionals (57%) believe that generative AI will have a bigger impact on their field over the next few years than other types of AI.

Chart showing the types of AI expected to impact security the most
Figure 1: Chart from Darktrace's State of AI in Cybersecurity Report

Security stakeholders are highly aware of generative AI and LLMs, viewing them as pivotal to the field's future. Generative AI excels at abstracting information, automating tasks, and facilitating human-computer interaction. However, LLMs can "hallucinate" due to training data errors and are vulnerable to prompt injection attacks. Despite improvements in securing LLMs, the best cyber defenses use a mix of AI types for enhanced accuracy and capability.

AI education is crucial as industry expectations for generative AI grow. Leaders and practitioners need to understand where and how to use AI while managing risks. As they learn more, there will be a shift from generative AI to broader AI applications.

Do security professionals fully understand the different types of AI in security products?

Only 26% of security professionals report a full understanding of the different types of AI in use within security products.

Confusion is prevalent in today’s marketplace. Our survey found that only 26% of respondents fully understand the AI types in their security stack, while 31% are unsure or confused by vendor claims. Nearly 65% believe generative AI is mainly used in cybersecurity, though it’s only useful for identifying phishing emails. This highlights a gap between user expectations and vendor delivery, with too much focus on generative AI.

Key findings include:

  • Executives and managers report higher understanding than practitioners.
  • Larger organizations have better understanding due to greater specialization.

As AI evolves, vendors are rapidly introducing new solutions faster than practitioners can learn to use them. There's a strong need for greater vendor transparency and more education for users to maximize the technology's value.

To help ease confusion around AI technologies in cybersecurity, Darktrace has released the CISO’s Guide to Cyber AI. A comprehensive white paper that categorizes the different applications of AI in cybersecurity. Download the White Paper here.  

Do security professionals believe generative AI alone is enough to stop zero-day threats?

No! 86% of survey participants believe generative AI alone is NOT enough to stop zero-day threats

This consensus spans all geographies, organization sizes, and roles, though executives are slightly less likely to agree. Asia-Pacific participants agree more, while U.S. participants agree less.

Despite expecting generative AI to have the most impact, respondents recognize its limited security use cases and its need to work alongside other AI types. This highlights the necessity for vendor transparency and varied AI approaches for effective security across threat prevention, detection, and response.

Stakeholders must understand how AI solutions work to ensure they offer advanced, rather than outdated, threat detection methods. The survey shows awareness that old methods are insufficient.

To access the full report, click here.

Continue reading
About the author
The Darktrace Community

Blog

Inside the SOC

Jupyter Ascending: Darktrace’s Investigation of the Adaptive Jupyter Information Stealer

Default blog imageDefault blog image
18
Jul 2024

What is Malware as a Service (MaaS)?

Malware as a Service (MaaS) is a model where cybercriminals develop and sell or lease malware to other attackers.

This approach allows individuals or groups with limited technical skills to launch sophisticated cyberattacks by purchasing or renting malware tools and services. MaaS is often provided through online marketplaces on the dark web, where sellers offer various types of malware, including ransomware, spyware, and trojans, along with support services such as updates and customer support.

The Growing MaaS Marketplace

The Malware-as-a-Service (MaaS) marketplace is rapidly expanding, with new strains of malware being regularly introduced and attracting waves of new and previous attackers. The low barrier for entry, combined with the subscription-like accessibility and lucrative business model, has made MaaS a prevalent tool for cybercriminals. As a result, MaaS has become a significant concern for organizations and their security teams, necessitating heightened vigilance and advanced defense strategies.

Examples of Malware as a Service

  • Ransomware as a Service (RaaS): Providers offer ransomware kits that allow users to launch ransomware attacks and share the ransom payments with the service provider.
  • Phishing as a Service: Services that provide phishing kits, including templates and email lists, to facilitate phishing campaigns.
  • Botnet as a Service: Renting out botnets to perform distributed denial-of-service (DDoS) attacks or other malicious activities.
  • Information Stealer: Information stealers are a type of malware specifically designed to collect sensitive data from infected systems, such as login credentials, credit card numbers, personal identification information, and other valuable data.

How does information stealer malware work?

Information stealers are an often-discussed type MaaS tool used to harvest personal and proprietary information such as administrative credentials, banking information, and cryptocurrency wallet details. This information is then exfiltrated from target networks via command-and-control (C2) communication, allowing threat actors to monetize the data. Information stealers have also increasingly been used as an initial access vector for high impact breaches including ransomware attacks, employing both double and triple extortion tactics.

After investigating several prominent information stealers in recent years, the Darktrace Threat Research team launched an investigation into indicators of compromise (IoCs) associated with another variant in late 2023, namely the Jupyter information stealer.

What is Jupyter information stealer and how does it work?

The Jupyter information stealer (also known as Yellow Cockatoo, SolarMarker, and Polazert) was first observed in the wild in late 2020. Multiple variants have since become part of the wider threat landscape, however, towards the end of 2023 a new variant was observed. This latest variant achieved greater stealth and updated its delivery method, targeting browser extensions such as Edge, Firefox, and Chrome via search engine optimization (SEO) poisoning and malvertising. This then redirects users to download malicious files that typically impersonate legitimate software, and finally initiates the infection and the attack chain for Jupyter [3][4]. In recently noted cases, users download malicious executables for Jupyter via installer packages created using InnoSetup – an open-source compiler used to create installation packages in the Windows OS.

The latest release of Jupyter reportedly takes advantage of signed digital certificates to add credibility to downloaded executables, further supplementing its already existing tactics, techniques and procedures (TTPs) for detection evasion and sophistication [4]. Jupyter does this while still maintaining features observed in other iterations, such as dropping files into the %TEMP% folder of a system and using PowerShell to decrypt and load content into memory [4]. Another reported feature includes backdoor functionality such as:

  • C2 infrastructure
  • Ability to download and execute malware
  • Execution of PowerShell scripts and commands
  • Injecting shellcode into legitimate windows applications

Darktrace Coverage of Jupyter information stealer

In September 2023, Darktrace’s Threat Research team first investigated Jupyter and discovered multiple IoCs and TTPs associated with the info-stealer across the customer base. Across most investigated networks during this time, Darktrace observed the following activity:

  • HTTP POST requests over destination port 80 to rare external IP addresses (some of these connections were also made via port 8089 and 8090 with no prior hostname lookup).
  • HTTP POST requests specifically to the root directory of a rare external endpoint.
  • Data streams being sent to unusual external endpoints
  • Anomalous PowerShell execution was observed on numerous affected networks.

Taking a further look at the activity patterns detected, Darktrace identified a series of HTTP POST requests within one customer’s environment on December 7, 2023. The HTTP POST requests were made to the root directory of an external IP address, namely 146.70.71[.]135, which had never previously been observed on the network. This IP address was later reported to be malicious and associated with Jupyter (SolarMarker) by open-source intelligence (OSINT) [5].

Device Event Log indicating several connections from the source device to the rare external IP address 146.70.71[.]135 over port 80.
Figure 1: Device Event Log indicating several connections from the source device to the rare external IP address 146.70.71[.]135 over port 80.

This activity triggered the Darktrace / NETWORK model, ‘Anomalous Connection / Posting HTTP to IP Without Hostname’. This model alerts for devices that have been seen posting data out of the network to rare external endpoints without a hostname. Further investigation into the offending device revealed a significant increase in external data transfers around the time Darktrace alerted the activity.

This External Data Transfer graph demonstrates a spike in external data transfer from the internal device indicated at the top of the graph on December 7, 2023, with a time lapse shown of one week prior.
Figure 2: This External Data Transfer graph demonstrates a spike in external data transfer from the internal device indicated at the top of the graph on December 7, 2023, with a time lapse shown of one week prior.

Packet capture (PCAP) analysis of this activity also demonstrates possible external data transfer, with the device observed making a POST request to the root directory of the malicious endpoint, 146.70.71[.]135.

PCAP of a HTTP POST request showing streams of data being sent to the endpoint, 146.70.71[.]135.
Figure 3: PCAP of a HTTP POST request showing streams of data being sent to the endpoint, 146.70.71[.]135.

In other cases investigated by the Darktrace Threat Research team, connections to the rare external endpoint 67.43.235[.]218 were detected on port 8089 and 8090. This endpoint was also linked to Jupyter information stealer by OSINT sources [6].

Darktrace recognized that such suspicious connections represented unusual activity and raised several model alerts on multiple customer environments, including ‘Compromise / Large Number of Suspicious Successful Connections’ and ‘Anomalous Connection / Multiple Connections to New External TCP Port’.

In one instance, a device that was observed performing many suspicious connections to 67.43.235[.]218 was later observed making suspicious HTTP POST connections to other malicious IP addresses. This included 2.58.14[.]246, 91.206.178[.]109, and 78.135.73[.]176, all of which had been linked to Jupyter information stealer by OSINT sources [7] [8] [9].

Darktrace further observed activity likely indicative of data streams being exfiltrated to Jupyter information stealer C2 endpoints.

Graph displaying the significant increase in the number of HTTP POST requests with No Get made by an affected device, likely indicative of Jupyter information stealer C2 activity.
Figure 4: Graph displaying the significant increase in the number of HTTP POST requests with No Get made by an affected device, likely indicative of Jupyter information stealer C2 activity.

In several cases, Darktrace was able to leverage customer integrations with other security vendors to add additional context to its own model alerts. For example, numerous customers who had integrated Darktrace with Microsoft Defender received security integration alerts that enriched Darktrace’s model alerts with additional intelligence, linking suspicious activity to Jupyter information stealer actors.

The security integration model alerts ‘Security Integration / Low Severity Integration Detection’ and (right image) ‘Security Integration / High Severity Integration Detection’, linking suspicious activity observed by Darktrace with Jupyter information stealer (SolarMarker).
Figure 5: The security integration model alerts ‘Security Integration / Low Severity Integration Detection’ and (right image) ‘Security Integration / High Severity Integration Detection’, linking suspicious activity observed by Darktrace with Jupyter information stealer (SolarMarker).

Conclusion

The MaaS ecosystems continue to dominate the current threat landscape and the increasing sophistication of MaaS variants, featuring advanced defense evasion techniques, poses significant risks once deployed on target networks.

Leveraging anomaly-based detections is crucial for staying ahead of evolving MaaS threats like Jupyter information stealer. By adopting AI-driven security tools like Darktrace / NETWORK, organizations can more quickly identify and effectively detect and respond to potential threats as soon as they emerge. This is especially crucial given the rise of stealthy information stealing malware strains like Jupyter which cannot only harvest and steal sensitive data, but also serve as a gateway to potentially disruptive ransomware attacks.

Credit to Nahisha Nobregas (Senior Cyber Analyst), Vivek Rajan (Cyber Analyst)

References

1.     https://www.paloaltonetworks.com/cyberpedia/what-is-multi-extortion-ransomware

2.     https://flashpoint.io/blog/evolution-stealer-malware/

3.     https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html

4.     https://www.morphisec.com/hubfs/eBooks_and_Whitepapers/Jupyter%20Infostealer%20WEB.pdf

5.     https://www.virustotal.com/gui/ip-address/146.70.71.135

6.     https://www.virustotal.com/gui/ip-address/67.43.235.218/community

7.     https://www.virustotal.com/gui/ip-address/2.58.14.246/community

8.     https://www.virustotal.com/gui/ip-address/91.206.178.109/community

9.     https://www.virustotal.com/gui/ip-address/78.135.73.176/community

Appendices

Darktrace Model Detections

  • Anomalous Connection / Posting HTTP to IP Without Hostname
  • Compromise / HTTP Beaconing to Rare Destination
  • Unusual Activity / Unusual External Data to New Endpoints
  • Compromise / Slow Beaconing Activity To External Rare
  • Compromise / Large Number of Suspicious Successful Connections
  • Anomalous Connection / Multiple Failed Connections to Rare Endpoint
  • Compromise / Excessive Posts to Root
  • Compromise / Sustained SSL or HTTP Increase
  • Security Integration / High Severity Integration Detection
  • Security Integration / Low Severity Integration Detection
  • Anomalous Connection / Multiple Connections to New External TCP Port
  • Unusual Activity / Unusual External Data Transfer

AI Analyst Incidents:

  • Unusual Repeated Connections
  • Possible HTTP Command and Control to Multiple Endpoints
  • Possible HTTP Command and Control

List of IoCs

Indicators – Type – Description

146.70.71[.]135

IP Address

Jupyter info-stealer C2 Endpoint

91.206.178[.]109

IP Address

Jupyter info-stealer C2 Endpoint

146.70.92[.]153

IP Address

Jupyter info-stealer C2 Endpoint

2.58.14[.]246

IP Address

Jupyter info-stealer C2 Endpoint

78.135.73[.]176

IP Address

Jupyter info-stealer C2 Endpoint

217.138.215[.]105

IP Address

Jupyter info-stealer C2 Endpoint

185.243.115[.]88

IP Address

Jupyter info-stealer C2 Endpoint

146.70.80[.]66

IP Address

Jupyter info-stealer C2 Endpoint

23.29.115[.]186

IP Address

Jupyter info-stealer C2 Endpoint

67.43.235[.]218

IP Address

Jupyter info-stealer C2 Endpoint

217.138.215[.]85

IP Address

Jupyter info-stealer C2 Endpoint

193.29.104[.]25

IP Address

Jupyter info-stealer C2 Endpoint

Continue reading
About the author
Nahisha Nobregas
SOC Analyst
Our ai. Your data.

Elevate your cyber defenses with Darktrace AI

Start your free trial
Darktrace AI protecting a business from cyber threats.