Blog
/

Inside the SOC

/
September 18, 2024

FortiClient EMS Exploited: Inside the Attack Chain and Post-Exploitation Tactics

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
18
Sep 2024
Soon after CVE-2023-48788 was publicly disclosed in late March 2024, Darktrace began to see compromises in FortiClient EMS devices on customer networks. Read on to find out more about what our Threat Research team uncovered.

Cyber attacks on internet-facing systems

In the first half of 2024, the Darktrace Threat Research team observed multiple campaigns of threat actors targeting vulnerabilities in internet-facing systems, including Ivanti CS/PS appliances, Palo Alto firewall devices, and TeamCity on-premises.

These systems, which are exposed to the internet, are often targeted by threat actors to gain initial access to a network. They are constantly being scanned for vulnerabilities, known or unknown, by opportunistic actors hoping to exploit gaps in security. Unfortunately, this exposure remains a significant blind spot for many security teams, as monitoring edge infrastructure can be particularly challenging due to its distributed nature and the sheer volume of external traffic it processes.

In this blog, we discuss a vulnerability that was exploited in Fortinet’s FortiClient Endpoint Management Server (EMS) and the post-exploitation activity that Darktrace observed across multiple customer environments.

What is FortiClient EMS?

FortiClient is typically used for endpoint security, providing features such as virtual private networks (VPN), malware protection, and web filtering. The FortiClient EMS is a centralized platform used by administrators to enforce security policies and manage endpoint compliance. As endpoints are remote and distributed across various locations, the EMS needs to be accessible over the internet.

However, being exposed to the internet presents significant security risks, and exploiting vulnerabilities in the system may give an attacker unauthorized access. From there, they could conduct further malicious activities such as reconnaissance, establishing command-and-control (C2), moving laterally across the network, and accessing sensitive data.

CVE-2023-48788

CVE-2023-48788 is a critical SQL injection vulnerability in FortiClient EMS that can allow an attacker to gain unauthorized access to the system. It stems from improper neutralization of special elements used in SQL commands, which allows attackers to exploit the system through specially crafted requests, potentially leading to Remote Code Execution (RCE) [1]. This critical vulnerability was given a CVSS score of 9.8 and can be exploited without authentication.

The affected versions of FortiClient EMS include:

  • FortiClient EMS 7.2.0 to 7.2.2 (fixed in 7.2.3)
  • FortiClient EMS 7.0.1 to 7.0.10 (fixed in 7.0.11)

The vulnerability was publicly disclosed on March 12, 2024, and an exploit proof of concept was released by Horizon3.ai on March 21 [2]. Starting from March 24, almost two weeks after the initial disclosure, Darktrace began to observe at least six instances where the FortiClient EMS vulnerability had likely been exploited on customer networks. Seemingly exploited devices in multiple customer environments were observed performing anomalous activities, including the installation of Remote Monitoring and Management (RMM) tools, which was also reported by other security vendors around the same time [3].

Darktrace’s Coverage

Initial Access

To understand how the vulnerability can be exploited to gain initial access, we first need to explain some components of the FortiClient EMS:

  • The service FmcDaemon.exe is used for communication between the EMS and enrolled endpoint clients. It listens on port 8013 for incoming client connections.
  • Incoming requests are then sent to FCTDas.exe, which translates requests from other server components into SQL requests. This service interacts with the Microsoft SQL database.
  • Endpoint clients communicate with the FmcDaemon on the server on port 8013 by default.

Therefore, an SQL injection attack can be performed by crafting a malicious payload and sending it over port 8013 to the server. To carry out RCE, an attacker may send further SQL statements to enable and use the xp_cmdshell functionality of the Microsoft SQL server [2].

Shortly before post-exploitation activity began, Darktrace had observed incoming connections to some of the FortiClient EMS devices over port 8013 from the external IPs 77.246.103[.]110, 88.130.150[.]101, and 45.155.141[.]219. This likely represented the threat actors sending an SQL injection payload over port 8013 to the EMS device to validate the exploit.

Establish C2

After exploiting the vulnerability and gaining access to an EMS device on one customer network, two additional devices were seen with HTTP POST requests to 77.246.103[.]110 and 212.113.106[.]100 with a new PowerShell user agent.

Interestingly, the IP 212.113.106[.]100 has been observed in various other campaigns where threat actors have also targeted internet-facing systems and exploited other vulnerabilities. Open-source intelligence (OSINT) suggests that this indicator of compromise (IoC) is related to the Sliver C2 framework and has been used by threat actors such as APT28 (Fancy Bear) and APT29 (Cozy Bear) [4].

Unusual file downloads were also observed on four devices, including:

  • “SETUP.MSI” from 212.32.243[.]25 and 89.149.200[.]91 with a cURL user agent
  • “setup.msi” from 212.113.106[.]100 with a Windows Installer user agent
  • “run.zip” from 95.181.173[.]172 with a PowerShell user agent

The .msi files would typically contain the RMM tools Atera or ScreenConnect [5]. By installing RMM tools for C2, attackers can leverage their wide range of functionalities to carry out various tasks, such as file transfers, without the need to install additional tools. As RMM tools are designed to maintain a stable connection to remote systems, they may also allow the attackers to ensure persistent access to the compromised systems.

A scan of the endpoint 95.181.173[.]172 shows various other files such as “RunSchedulerTask.ps1” and “anydesk.exe” being hosted.

Screenshot of the endpoint 95.181.173[.]172 hosting various files [6].
Figure 1: Screenshot of the endpoint 95.181.173[.]172 hosting various files [6].

Shortly after these unusual file downloads, many of the devices were also seen with usage of RMM tools such as Splashtop, Atera, and AnyDesk. The devices were seen connecting to the following endpoints:

  • *[.]relay.splashtop[.]com
  • agent-api[.]atera[.]com
  • api[.]playanext[.]com with user agent AnyDesk/8.0.9

RMM tools have a wide range of legitimate capabilities that allow IT administrators to remotely manage endpoints. However, they can also be repurposed for malicious activities, allowing threat actors to maintain persistent access to systems, execute commands remotely, and even exfiltrate data. As the use of RMM tools can be legitimate, they offer threat actors a way to perform malicious activities while blending into normal business operations, which could evade detection by human analysts or traditional security tools.

One device was also seen making repeated SSL connections to a self-signed endpoint “azure-documents[.]com” (104.168.140[.]84) and further HTTP POSTs to “serv1[.]api[.]9hits[.]com/we/session” (128.199.207[.]131). Although the contents of these connections were encrypted, they were likely additional infrastructure used for C2 in addition to the RMM tools that were used. Self-signed certificates may also be used by an attacker to encrypt C2 communications.

Internal Reconnaissance

Following the exploit, two of the compromised devices then started to conduct internal reconnaissance activity. The following figure shows a spike in the number of internal connections made by one of the compromised devices on the customer’s environment, which typically indicates a network scan.

Advanced Search results of internal connections made an affected device.
Figure 2: Advanced Search results of internal connections made an affected device.

Reconnaissance tools such as Advanced Port Scanner (“www[.]advanced-port-scanner[.]com”) and Nmap were also seen being used by one of the devices to conduct scanning activities. Nmap is a network scanning tool commonly used by security teams for legitimate purposes like network diagnostics and vulnerability scanning. However, it can also be abused by threat actors to perform network reconnaissance, a technique known as Living off the Land (LotL). This not only reduces the need for custom or external tools but also reduces the risk of exposure, as the use of a legitimate tool in the network is unlikely to raise suspicion.

Privilege Escalation

In another affected customer network, the threat actor’s attempt to escalate their privileges was also observed, as a FortiClient EMS device was seen with an unusually large number of SMB/NTLM login failures, indicative of brute force activity. This attempt was successful, and the device was later seen authenticating with the credential “administrator”.

Figure 3: Advanced Search results of NTLM (top) and SMB (bottom) login failures.

Lateral Movement

After escalating privileges, attempts to move laterally throughout the same network were seen. One device was seen transferring the file “PSEXESVC.exe” to another device over SMB. This file is associated with PsExec, a command-line tool that allows for remote execution on other systems.

The threat actor was also observed leveraging the DCE-RPC protocol to move laterally within the network. Devices were seen with activity such as an increase in new RPC services, unusual requests to the SVCCTL endpoint, and the execution of WMI commands. The DCE-RPC protocol is typically used to facilitate communication between services on different systems and can allow one system to request services or execute commands on another.

These are further examples of LotL techniques used by threat actors exploiting CVE-2023-48788, as PsExec and the DCE-RPC protocol are often also used for legitimate administrative operations.

Accomplish Mission

In most cases, the threat actor’s end goal was not clearly observed. However, Darktrace did detect one instance where an unusually large volume of data had been uploaded to “put[.]io”, a cloud storage service, indicating that the end goal of the threat actor had been to steal potentially sensitive data.

In a recent investigation of a Medusa ransomware incident that took place in July 2024, Darktrace’s Threat Research team found that initial access to the environment had likely been gained through a FortiClient EMS device. An incoming connection from 209.15.71[.]121 over port 8013 was seen, suggesting that CVE-2023-48788 had been exploited. The device had been compromised almost three weeks before the ransomware was actually deployed, eventually resulting in the encryption of files.

Conclusion

Threat actors have continued to exploit unpatched vulnerabilities in internet-facing systems to gain initial access to a network. This highlights the importance of addressing and patching vulnerabilities as soon as they are disclosed and a fix is released. However, due to the rapid nature of exploitation, this may not always be enough. Furthermore, threat actors may even be exploiting vulnerabilities that are not yet publicly known.

As the end goals for a threat actor can differ – from data exfiltration to deploying ransomware – the post-exploitation behavior can also vary from actor to actor. However, AI security tools such as Darktrace / NETWORK can help identify and alert for post-exploitation behavior based on abnormal activity seen in the network environment.

Despite CVE-2023-48788 having been publicly disclosed and fixed in March, it appears that multiple threat actors, such as the Medusa ransomware group, have continued to exploit the vulnerability on unpatched systems. With new vulnerabilities being disclosed almost every other day, security teams may find it challenging continuously patch their systems.

As such, Darktrace / Proactive Exposure Management could also alleviate the workload of security teams by helping them identify and prioritize the most critical vulnerabilities in their network.

Credit to Emily Megan Lim (Cyber Security Analyst) and Ryan Traill (Threat Content Lead)

Appendices

References

[1] https://nvd.nist.gov/vuln/detail/CVE-2023-48788

[2] https://www.horizon3.ai/attack-research/attack-blogs/cve-2023-48788-fortinet-forticlientems-sql-injection-deep-dive/

[3] https://redcanary.com/blog/threat-intelligence/cve-2023-48788/

[4] https://www.fortinet.com/blog/threat-research/teamcity-intrusion-saga-apt29-suspected-exploiting-cve-2023-42793

[5] https://redcanary.com/blog/threat-intelligence/cve-2023-48788/

[6] https://urlscan.io/result/3678b9e2-ad61-4719-bcef-b19cadcdd929/

List of IoCs

IoC - Type - Description + Confidence

  • 212.32.243[.]25/SETUP.MSI - URL - Payload
  • 89.149.200[.]9/SETUP.MSI - URL - Payload
  • 212.113.106[.]100/setup.msi - URL - Payload
  • 95.181.173[.]172/run.zip - URL - Payload
  • serv1[.]api[.]9hits[.]com - Domain - Likely C2 endpoint
  • 128.199.207[.]131 - IP - Likely C2 endpoint
  • azure-documents[.]com - Domain - C2 endpoint
  • 104.168.140[.]84 - IP - C2 endpoint
  • 77.246.103[.]110 - IP - Likely C2 endpoint
  • 212.113.106[.]100 - IP - C2 endpoint

Darktrace Model Detections

Anomalous Connection / Callback on Web Facing Device

Anomalous Connection / Multiple HTTP POSTs to Rare Hostname

Anomalous Connection / New User Agent to IP Without Hostname

Anomalous Connection / Posting HTTP to IP Without Hostname

Anomalous Connection / Powershell to Rare External

Anomalous Connection / Rare External SSL Self-Signed

Anomalous Connection / Suspicious Self-Signed SSL

Anomalous Server Activity / Rare External from Server

Anomalous Server Activity / New User Agent from Internet Facing System

Anomalous Server Activity / Server Activity on New Non-Standard Port - External

Compliance / Remote Management Tool On Server

Device / New User Agent

Device / New PowerShell User Agent

Device / Attack and Recon Tools

Device / ICMP Address Scan

Device / Network Range Scan

Device / Network Scan

Device / RDP Scan

Device / Suspicious SMB Scanning Activity

Anomalous Connection / Multiple SMB Admin Session

Anomalous Connection / New or Uncommon Service Control

Anomalous Connection / Unusual Admin SMB Session

Device / Increase in New RPC Services

Device / Multiple Lateral Movement Breaches

Device / New or Uncommon WMI Activity

Device / New or Unusual Remote Command Execution

Device / SMB Lateral Movement

Device / Possible SMB/NTLM Brute Force

Unusual Activity / Successful Admin Brute-Force Activity

User / New Admin Credentials on Server

Unusual Activity / Enhanced Unusual External Data Transfer

Unusual Activity / Unusual External Data Transfer

Unusual Activity / Unusual External Data to New Endpoint

Device / Large Number of Model Breaches

Device / Large Number of Model Breaches from Critical Network Device

MITRE ATT&CK Mapping

Tactic – ID: Technique

Initial Access – T1190: Exploit Public-Facing Application

Resource Development – T1587.003: Develop Capabilities: Digital Certificates

Resource Development – T1608.003: Stage Capabilities: Install Digital Certificate

Command and Control – T1071.001: Application Layer Protocol: Web Protocols

Command and Control – T1219: Remote Access Software

Execution – T1059.001: Command and Scripting Interpreter: PowerShell

Reconnaissance – T1595: Active Scanning

Reconnaissance – T1590.005: Gather Victim Network Information: IP Addresses

Discovery – T1046: Network Service Discovery

Credential Access – T1110: Brute Force

Defense Evasion,Initial Access,Persistence,Privilege Escalation – T1078: Valid Accounts

Lateral Movement – T1021.002: Remote Services: SMB/Windows Admin Shares

Lateral Movement – T1021.003: Remote Services: Distributed Component Object Model

Execution – T1569.002: System Services: Service Execution

Execution – T1047: Windows Management Instrumentation

Exfiltration – T1041: Exfiltration Over C2 Channel

Exfiltration – T1567.002: Exfiltration Over Web Service: Exfiltration to Cloud Storage

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Author
Emily Megan Lim
Cyber Analyst
Watch the NIS2 Webinar
Book a 1-1 meeting with one of our experts
Get in touch
Share this article
CATEGORIES
McLaren
PREVENT
RESPOND
Cloud
Ransomware
Inside the SOC
Thought Leadership
Crypto
Email
Threat Finds
OT
Related blogs
No items found.
Trending blogs
1
Darktrace Releases 2024 Half-Year Threat Insights
Aug 6, 2024
2
Introducing ‘Defend Beyond’: Our promise to customers in the face of evolving threats
Aug 27, 2024
3
Darktrace: Microsoft UK Partner of the Year 2024
Jun 27, 2024
4
CDR is just NDR for the Cloud... Right?
Jul 31, 2024
5
What you need to know about the new SEC Cybersecurity rules
Jul 17, 2024

More in this series

No items found.

Blog

/

September 26, 2024

/

Inside the SOC

Thread Hijacking: How Attackers Exploit Trusted Conversations to Infiltrate Networks

Default blog imageDefault blog image

What is Thread Hijacking?

Cyberattacks are becoming increasingly stealthy and targeted, with malicious actors focusing on high-value individuals to gain privileged access to their organizations’ digital environments. One technique that has gained prominence in recent years is thread hijacking. This method allows attackers to infiltrate ongoing conversations, exploiting the trust within these threads to access sensitive systems.

Thread hijacking typically involves attackers gaining access to a user’s email account, monitoring ongoing conversations, and then inserting themselves into these threads. By replying to existing emails, they can send malicious links, request sensitive information, or manipulate the conversation to achieve their goals, such as redirecting payments or stealing credentials. Because such emails appear to come from a trusted source, they often bypass human security teams and traditional security filters.

How does threat hijacking work?

  1. Initial Compromise: Attackers first gain access to a user’s email account, often through phishing, malware, or exploiting weak passwords.
  2. Monitoring: Once inside, they monitor the user’s email threads, looking for ongoing conversations that can be exploited.
  3. Infiltration: The attacker then inserts themselves into these conversations, often replying to existing emails. Because the email appears to come from a trusted source within an ongoing thread, it bypasses many traditional security filters and raises less suspicion.
  4. Exploitation: Using the trust established in the conversation, attackers can send malicious links, request sensitive information, or manipulate the conversation to achieve their goals, such as redirecting payments or stealing credentials.

A recent incident involving a Darktrace customer saw a malicious actor attempt to manipulate trusted email communications, potentially exposing critical data. The attacker created a new mailbox rule to forward specific emails to an archive folder, making it harder for the customer to notice the malicious activity. This highlights the need for advanced detection and robust preventive tools.

Darktrace’s Self-Learning AI is able to recognize subtle deviations in normal behavior, whether in a device or a Software-as-a-Service (SaaS) user. This capability enables it to detect emerging attacks in their early stages. In this post, we’ll delve into the attacker’s tactics and illustrate how Darktrace / IDENTITY™ successfully identified and mitigated a thread hijacking attempt, preventing escalation and potential disruption to the customer’s network.

Threat hijacking attack overview & Darktrace coverage

On August 8, 2024, Darktrace detected an unusual email received by a SaaS account on a customer’s network. The email appeared to be a reply to a previous chain discussing tax and payment details, likely related to a transaction between the customer and one of their business partners.

Headers of the suspicious email received.
Figure 1: Headers of the suspicious email received.

A few hours later, Darktrace detected the same SaaS account creating a new mailbox rule named “.”, a tactic commonly used by malicious actors to evade detection when setting up new email rules [2]. This rule was designed to forward all emails containing a specific word to the user’s “Archives” folder. This evasion technique is typically used to move any malicious emails or responses to a rarely opened folder, ensuring that the genuine account holder does not see replies to phishing emails or other malicious messages sent by attackers [3].

Darktrace recognized the newly created email rule as suspicious after identifying the following parameters:

  • AlwaysDeleteOutlookRulesBlob: False
  • Force: False
  • MoveToFolder: Archive
  • Name: “.”
  • FromAddressContainsWords: [Redacted]
  • MarkAsRead: True
  • StopProcessingRules: True

Darktrace also noted that the user attempting to create this new email rule had logged into the SaaS environment from an unusual IP address. Although the IP was located in the same country as the customer and the ASN used by the malicious actor was typical for the customer’s network, the rare IP, coupled with the anomalous behavior, raised suspicions.

Figure 2: Hijacked SaaS account creating the new mailbox rule.

Given the suspicious nature of this activity, Darktrace’s Security Operations Centre (SOC) investigated the incident and alerted the customer’s security team of this incident.

Due to a public holiday in the customer's location (likely an intentional choice by the threat actor), their security team did not immediately notice or respond to the notification. Fortunately, the customer had Darktrace's Autonomous Response capability enabled, which allowed it to take action against the suspicious SaaS activity without human intervention.

In this instance, Darktrace swiftly disabled the seemingly compromised SaaS user for 24 hours. This action halted the spread of the compromise to other accounts on the customer’s SaaS platform and prevented any sensitive data exfiltration. Additionally, it provided the security team with ample time to investigate the threat and remove the user from their environment. The customer also received detailed incident reports and support through Darktrace’s Security Operations Support service, enabling direct communication with Darktrace’s expert Analyst team.

Conclusion

Ultimately, Darktrace’s anomaly-based detection allowed it to identify the subtle deviations from the user’s expected behavior, indicating a potential compromise on the customer’s SaaS platform. In this case, Darktrace detected a login to a SaaS platform from an unusual IP address, despite the attacker’s efforts to conceal their activity by using a known ASN and logging in from the expected country.

Despite the attempted SaaS hijack occurring on a public holiday when the customer’s security team was likely off-duty, Darktrace autonomously detected the suspicious login and the creation of a new email rule. It swiftly blocked the compromised SaaS account, preventing further malicious activity and safeguarding the organization from data exfiltration or escalation of the compromise.

This highlights the growing need for AI-driven security capable of responding to malicious activity in the absence of human security teams and detect subtle behavioral changes that traditional security tools.

Credit to: Ryan Traill, Threat Content Lead for his contribution to this blog

Appendices

Darktrace Model Detections

SaaS / Compliance / Anomalous New Email Rule

Experimental / Antigena Enhanced Monitoring from SaaS Client Block

Antigena / SaaS / Antigena Suspicious SaaS Activity Block

Antigena / SaaS / Antigena Email Rule Block

References

[1] https://blog.knowbe4.com/whats-the-best-name-threadjacking-or-man-in-the-inbox-attacks

[2] https://darktrace.com/blog/detecting-attacks-across-email-saas-and-network-environments-with-darktraces-combined-ai-approach

[3] https://learn.microsoft.com/en-us/defender-xdr/alert-grading-playbook-inbox-manipulation-rules

Continue reading
About the author
Maria Geronikolou
Cyber Analyst

Blog

/

September 26, 2024

/
No items found.

How AI can help CISOs navigate the global cyber talent shortage

Default blog imageDefault blog image

The global picture

4 million cybersecurity professionals are needed worldwide to protect and defend the digital world – twice the number currently in the workforce.1

Innovative technologies are transforming business operations, enabling access to new markets, personalized customer experiences, and increased efficiency. However, this digital transformation also challenges Security Operations Centers (SOCs) with managing and protecting a complex digital environment without additional resources or advanced skills.

At the same time, the cybersecurity industry is suffering a severe global skills shortage, leaving many SOCs understaffed and under-skilled. With a 72% increase in data breaches from 2021-20232, SOCs are dealing with overwhelming alert volumes from diverse security tools. Nearly 60% of cybersecurity professionals report burnout3, leading to high turnover rates. Consequently, only a fraction of alerts are thoroughly investigated, increasing the risk of undetected breaches. More than half of organizations that experienced breaches in 2024 admitted to having short-staffed SOCs.4

How AI can help organizations do more with less

Cyber defense needs to evolve at the same pace as cyber-attacks, but the global skills shortage is making that difficult. As threat actors increasingly abuse AI for malicious purposes, using defensive AI to enable innovation and optimization at scale is reshaping how organizations approach cybersecurity.

The value of AI isn’t in replacing humans, but in augmenting their efforts and enabling them to scale their defense capabilities and their value to the organization. With AI, cybersecurity professionals can operate at digital speed, analyzing vast data sets, identifying more vulnerabilities with higher accuracy, responding and triaging faster, reducing risks, and implementing proactive measures—all without additional staff.

Research indicates that organizations leveraging AI and automation extensively in security functions—such as prevention, detection, investigation, or response—reduced their average mean time to identify (MTTI) and mean time to contain (MTTC) data breaches by 33% and 43%, respectively. These organizations also managed to contain breaches nearly 100 days faster on average compared to those not using AI and automation.5

First, you've got to apply the right AI to the right security challenge. We dig into how different AI technologies can bridge specific skills gaps in the CISO’s Guide to Navigating the Cybersecurity Skills Shortage.

Cases in point: AI as a human force multiplier

Let’s take a look at just some of the cybersecurity challenges to which AI can be applied to scale defense efforts and relieve the burden on the SOC. We go further into real-life examples in our white paper.

Automated threat detection and response

AI enables 24/7 autonomous response, eliminating the need for after-hours SOC shifts and providing security leaders with peace of mind. AI can scale response efforts by analyzing vast amounts of data in real time, identifying anomalies, and initiating precise autonomous actions to contain incidents, which buys teams time for investigation and remediation.  

Triage and investigation

AI enhances the triage process by automatically categorizing and prioritizing security alerts, allowing cybersecurity professionals to focus on the most critical threats. It creates a comprehensive picture of an attack, helps identify its root cause, and generates detailed reports with key findings and recommended actions.  

Automation also significantly reduces overwhelming alert volumes and high false positive rates, enabling analysts to concentrate on high-priority threats and engage in more proactive and strategic initiatives.

Eliminating silos and improving visibility across the enterprise

Security and IT teams are overwhelmed by the technological complexity of operating multiple tools, resulting in manual work and excessive alerts. AI can correlate threats across the entire organization, enhancing visibility and eliminating silos, thereby saving resources and reducing complexity.

With 88% of organizations favoring a platform approach over standalone solutions, many are consolidating their tech stacks in this direction. This consolidation provides native visibility across clouds, devices, communications, locations, applications, people, and third-party security tools and intelligence.

Upskilling your existing talent in AI

As revealed in the State of AI Cybersecurity Survey 2024, only 26% of cybersecurity professionals say they have a full understanding of the different types of AI in use within security products.6

Understanding AI can upskill your existing staff, enhancing their expertise and optimizing business outcomes. Human expertise is crucial for the effective and ethical integration of AI. To enable true AI-human collaboration, cybersecurity professionals need specific training on using, understanding, and managing AI systems. To make this easier, the Darktrace ActiveAI Security Platform is designed to enable collaboration and reduce the learning curve – lowering the barrier to entry for junior or less skilled analysts.  

However, to bridge the immediate expertise gap in managing AI tools, organizations can consider expert managed services that take the day-to-day management out of the SOC’s hands, allowing them to focus on training and proactive initiatives.

Conclusion

Experts predict the cybersecurity skills gap will continue to grow, increasing operational and financial risks for organizations. AI for cybersecurity is crucial for CISOs to augment their teams and scale defense capabilities with speed, scalability, and predictive insights, while human expertise remains vital for providing the intuition and problem-solving needed for responsible and efficient AI integration.

If you’re thinking about implementing AI to solve your own cyber skills gap, consider the following:

  • Select an AI cybersecurity solution tailored to your specific business needs
  • Review and streamline existing workflows and tools – consider a platform-based approach to eliminate inefficiencies
  • Make use of managed services to outsource AI expertise
  • Upskill and reskill existing talent through training and education
  • Foster a knowledge-sharing culture with access to knowledge bases and collaboration tools

Interested in how AI could augment your SOC to increase efficiency and save resources? Read our longer CISO’s Guide to Navigating the Cybersecurity Skills Shortage.

And to better understand cybersecurity practitioners' attitudes towards AI, check out Darktrace’s State of AI Cybersecurity 2024 report.

References

  1. https://www.isc2.org/research  
  2. https://www.forbes.com/advisor/education/it-and-tech/cybersecurity-statistics/  
  3. https://www.informationweek.com/cyber-resilience/the-psychology-of-cybersecurity-burnout  
  4. https://www.ibm.com/downloads/cas/1KZ3XE9D  
  5. https://www.ibm.com/downloads/cas/1KZ3XE9D  
  6. https://darktrace.com/resources/state-of-ai-cyber-security-2024
Continue reading
About the author
The Darktrace Community
Your data. Our AI.
Elevate your network security with Darktrace AI