Blog
/

Thought Leadership

/
November 3, 2021

How Hackers Blend Into Environments by Living Off the Land

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
03
Nov 2021
Discover how cyber-criminals blend in using Living off the Land techniques. Learn how Self-Learning AI can detect attacks leveraging this strategy in real time.

What is Living off the Land attack?

While the term was first coined in 2013, Living off the Land tools, techniques, and procedures (TTPs) have boomed in popularity in recent years. In part, this is because the traditional approach of defensive security — blocklisting file hashes, domains, and other traces of threats encountered in previous attacks — is ill-equipped to identify these attacks. So these stealthy, often fileless attacks, have pushed their way into the mainstream.

Definition and overview

Living off the Land is a strategy which involves threat actors leveraging the utilities readily available within the target organization’s digital environment to move through the cyber kill chain. This is a popular method because It is often cheaper, easier, and more effective to make use of an organization’s own infrastructure in an attempt to attack rather than writing bespoke malware for every heist.

How does Living off the Land attack work?

Living off the Land attacks have a particular history in highly organized, targeted hacking. Advanced Persistent Threat (APT) groups have long favored Living off the Land TTPs, since evasion is a top priority. And trends show that ransomware groups are opting for human-operated ransomware that relies heavily on Living off the Land techniques, instead of commodity malware.

Among some of the most commonly used tools exploited for nefarious purposes are Powershell, Windows Management Interface (WMI), and PsExec. These tools are regularly used by network administrators as part of their daily routines, and traditional security tools reliant on static rules and signatures often have a hard time distinguishing between legitimate and malicious use.

Living off the Land attack techniques

Before a threat actor turns your infrastructure against you in a Living off the Land attack, they must be able to execute commands on a targeted system. Therefore, Living off the Land attacks are a post-infection framework for network reconnaissance, lateral movement, and persistence.

Once a device is infected, there are hundreds of system tools at the attacker’s disposal – these may be pre-installed on the system or downloaded via Microsoft-signed binaries. And, in the wrong hands, other trusted third-party administration tools on the network can also turn from friend to foe.

As Living off the Land techniques evolve, a single typical attack is hard to determine. However, we can group these TTPs in broader categories.

Microsoft-signed Living off the Land TTPs

Microsoft is ubiquitous in the business world and across industries. The Living off the Land Binaries and Scripts (LOLBAS) project aims to document all Microsoft-signed binaries and scripts that include functionality for APT groups in Living off the Land attacks. To date, there are 135 system tools on this list that are vulnerable to misuse, each aiding a different objective. These could be the creation of new user accounts, data compression and exfiltration, system information gathering, launching processes on a target destination or even the disablement of security services. Both Microsoft’s documentation of vulnerable pre-installed tools and the LOLBAS project are growing, non-exhaustive lists.

Command line exploitation

When it comes to delivering a malicious payload to the target, WMI (WMIC.exe), the command line tool (cmd.exe), and PowerShell (powershell.exe) were used most frequently by attackers, according to a recent study. These commonly exploited command line utilities are used during the configuration of security settings and system properties, provide sensitive network or device status updates, and facilitate the transfer and execution of files between devices.

Specifically, the command line group shares three key traits:

  1. They are readily available on Windows systems.
  2. They are frequently used by most administrators or internal processes to perform everyday tasks.
  3. They can perform their core functionalities without writing data to a disk.

Mimikatz

Mimikatz differs from other tools in that it is not pre-installed on most systems. It is an open-source utility used for the dumping of passwords, hashes, PINs and Kerberos tickets. While some network administrators may use Mimikatz to perform internal vulnerability assessments, it is not readily available on Windows systems.

Traditional security approaches used to detect the download, installation, and use of Mimikatz are often insufficient. There exists a wide range of verified and well documented techniques for obfuscating tooling like Mimikatz, meaning even an unsophisticated attacker can subvert basic string or hash-based detections.

Tips for stopping Living off the Land attacks

Living off the Land techniques have proven incredibly effective at enabling attackers to blend into organizations’ digital environments. It is normal for millions of credentials, network tools, and processes to be logged each day across a single digital ecosystem. So how can defenders spot malicious use of legitimate tools amidst this digital noise?

Network hygiene: As with most threats, basic network hygiene is the first step. This includes implementing the principle of least privilege, de-activating all unnecessary programs, setting up software whitelisting, and performing asset and application inventory checks. However, while these measures are a step in the right direction, with enough time a sophisticated attacker will always manage to work their way around them.

Self-Learning AI technology: This technology, exclusive to Darktrace, has become fundamental in shining a light on attackers using an organization’s own infrastructure against them. It learns any given unique digital environment from the ground up, understanding the ‘pattern of life’ for every device and user. Living off the Land attacks are therefore identified in real time from a series of subtle deviations. This might include a new credential or unusual SMB / DCE-RPC usage.

Its deep understanding of the business enables it to spot attacks that fly under the radar of other tools. With a Living off the Land attack, the AI will recognize that although usage of particular tool might be normal for an organization, the way in which that tool is used allows the AI to reveal seemingly benign behavior as unmistakably malicious.

Example of Self-Learning AI

Self-Learning AI might observe the frequent usage of Powershell user-agents across multiple devices, but will only report an incident if the user agent is observed on a device at an unusual time.

Similarly, Darktrace might observe WMI commands being sent between thousands of combinations of devices each day, but will only alert on such activity if the commands are uncommon for both the source and the destination.

And even the subtle indicators of Mimikatz exploitation, like new credential usage or uncommon SMB traffic, will not be buried among the normal operations of the infrastructure.

Final thoughts on Living off the Land techniques

Living off the Land techniques aren’t going away any time soon. Recognizing this, security teams are beginning to move away from ‘legacy’-based defenses that rely on historical attack data to catch the next attack, and towards AI that uses a bespoke and evolving understanding of its surroundings to detect subtle deviations indicative of a threat – even if that threat makes use of legitimate tools.

Thanks to Darktrace analysts Isabel Finn and Paul Jennings for their insights on the above threat find and supporting MITRE ATT&CK mapping.

Learn more about Self-Learning AI

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Author
Oakley Cox
Director of Product

Oakley is a Product Manager within the Darktrace R&D team. He collaborates with global customers, including all critical infrastructure sectors and Government agencies, to ensure Darktrace/OT remains the first in class solution for OT Cyber Security. He draws on 7 years’ experience as a Cyber Security Consultant to organizations across EMEA, APAC and ANZ. His research into cyber-physical security has been published by Cyber Security journals and by CISA. Oakley has a Doctorate (PhD) from the University of Oxford.

Book a 1-1 meeting with one of our experts
Share this article
Core coverages

More in this series

No items found.

Blog

/

September 6, 2024

/

Inside the SOC

Lifting the Fog: Darktrace’s Investigation into Fog Ransomware

Default blog imageDefault blog image

Introduction to Fog Ransomware

As ransomware attacks continue to be launched at an alarming rate, Darktrace’s Threat Research team has identified that familiar strains like Akira, LockBit, and BlackBasta remain among the most prevalent threats impacting its customers, as reported in the First 6: Half-Year Threat Report 2024. Despite efforts by law agencies, like dismantling the infrastructure of cybercriminals and shutting down their operations [2], these groups continue to adapt and evolve.

As such, it is unsurprising that new ransomware variants are regularly being created and launched to get round law enforcement agencies and increasingly adept security teams. One recent example of this is Fog ransomware.

What is Fog ransomware?

Fog ransomware is strain that first appeared in the wild in early May 2024 and has been observed actively using compromised virtual private network (VPN) credentials to gain access to organization networks in the education sector in the United States.

Darktrace's detection of Fog Ransomware

In June 2024, Darktrace observed instances of Fog ransomware across multiple customer environments. The shortest time observed from initial access to file encryption in these attacks was just 2 hours, underscoring the alarming speed with which these threat actors can achieve their objectives.

Darktrace identified key activities typical of a ransomware kill chain, including enumeration, lateral movement, encryption, and data exfiltration. In most cases, Darktrace was able to successfully halt the progression Fog attacks in their early stages by applying Autonomous Response actions such as quarantining affected devices and blocking suspicious external connections.

To effectively illustrate the typical kill chain of Fog ransomware, this blog focuses on customer environments that did not have Darktrace’s Autonomous Response enabled. In these cases, the attack progressed unchecked and reached its intended objectives until the customer received Darktrace’s alerts and intervened.

Darktrace’s Coverage of Fog Ransomware

Initial Intrusion

After actors had successfully gained initial access into customer networks by exploiting compromised VPN credentials, Darktrace observed a series of suspicious activities, including file shares, enumeration and extensive scanning. In one case, a compromised domain controller was detected making outgoing NTLM authentication attempts to another internal device, which was subsequently used to establish RDP connections to a Windows server running Hyper-V.

Given that the source was a domain controller, the attacker could potentially relay the NTLM hash to obtain a domain admin Kerberos Ticket Granting Ticket (TGT). Additionally, incoming NTLM authentication attempts could be triggered by tools like Responder, and NTLM hashes used to encrypt challenge response authentication could be abused by offline brute-force attacks.

Darktrace also observed the use of a new administrative credential on one affected device, indicating that malicious actors were likely using compromised privileged credentials to conduct relay attacks.

Establish Command-and-Control Communication (C2)

In many instances of Fog ransomware investigated by Darktrace’s Threat Research team, devices were observed making regular connections to the remote access tool AnyDesk. This was exemplified by consistent communication with the endpoint “download[.]anydesk[.]com” via the URI “/AnyDesk.exe”. In other cases, Darktrace identified the use of another remote management tool, namely SplashTop, on customer servers.

In ransomware attacks, threat actors often use such legitimate remote access tools to establish command-and-control (C2) communication. The use of such services not only complicates the identification of malicious activities but also enables attackers to leverage existing infrastructure, rather than having to implement their own.

Internal Reconnaissance

Affected devices were subsequently observed making an unusual number of failed internal connections to other internal locations over ports such as 80 (HTTP), 3389 (RDP), 139 (NetBIOS) and 445 (SMB). This pattern of activity strongly indicated reconnaissance scanning behavior within affected networks. A further investigation into these HTTP connections revealed the URIs “/nice ports”/Trinity.txt.bak”, commonly associated with the use of the Nmap attack and reconnaissance tool.

Simultaneously, some devices were observed engaging in SMB actions targeting the IPC$ share and the named pipe “srvsvc” on internal devices. Such activity aligns with the typical SMB enumeration tactics, whereby attackers query the list of services running on a remote host using a NULL session, a method often employed to gather information on network resources and vulnerabilities.

Lateral Movement

As attackers attempted to move laterally through affected networks, Darktrace observed suspicious RDP activity between infected devices. Multiple RDP connections were established to new clients, using devices as pivots to propagate deeper into the networks, Following this, devices on multiple networks exhibited a high volume of SMB read and write activity, with internal share drive file names being appended with the “.flocked” extension – a clear sign of ransomware encryption. Around the same time, multiple “readme.txt” files were detected being distributed across affected networks, which were later identified as ransom notes.

Further analysis of the ransom note revealed that it contained an introduction to the Fog ransomware group, a summary of the encryption activity that had been carried out, and detailed instructions on how to communicate with the attackers and pay the ransom.

Packet capture (PCAP) of the ransom note file titled “readme.txt”.
Figure 1: Packet capture (PCAP) of the ransom note file titled “readme.txt”.

Data Exfiltration

In one of the cases of Fog ransomware, Darktrace’s Threat Research team observed potential data exfiltration involving the transfer of internal files to an unusual endpoint associated with the MEGA file storage service, “gfs302n515[.]userstorage[.]mega[.]co[.]nz”.

This exfiltration attempt suggests the use of double extortion tactics, where threat actors not only encrypt victim’s data but also exfiltrate it to threaten public exposure unless a ransom is paid. This often increases pressure on organizations as they face the risk of both data loss and reputational damage caused by the release of sensitive information.

Darktrace’s Cyber AI Analyst autonomously investigated what initially appeared to be unrelated events, linking them together to build a full picture of the Fog ransomware attack for customers’ security teams. Specifically, on affected networks Cyber AI Analyst identified and correlated unusual scanning activities, SMB writes, and file appendages that ultimately suggested file encryption.

Cyber AI Analyst’s analysis of encryption activity on one customer network.
Figure 2: Cyber AI Analyst’s analysis of encryption activity on one customer network.
Figure 3: Cyber AI Analysts breakdown of the investigation process between the linked incident events on one customer network.

Conclusion

As novel and fast-moving ransomware variants like Fog persist across the threat landscape, the time taken for from initial compromise to encryption has significantly decreased due to the enhanced skill craft and advanced malware of threat actors. This trend particularly impacts organizations in the education sector, who often have less robust cyber defenses and significant periods of time during which infrastructure is left unmanned, and are therefore more vulnerable to quick-profit attacks.

Traditional security methods may fall short against these sophisticated attacks, where stealthy actors evade detection by human-managed teams and tools. In these scenarios Darktrace’s AI-driven product suite is able to quickly detect and respond to the initial signs of compromise through autonomous analysis of any unusual emerging activity.

When Darktrace’s Autonomous Response capability was active, it swiftly mitigated emerging Fog ransomware threats by quarantining devices exhibiting malicious behavior to contain the attack and blocking the exfiltration of sensitive data, thus preventing customers from falling victim to double extortion attempts.

Credit to Qing Hong Kwa (Senior Cyber Analyst and Deputy Analyst Team Lead, Singapore) and Ryan Traill (Threat Content Lead

Appendices

Darktrace Model Detections:

- Anomalous Server Activity::Anomalous External Activity from Critical Network Device

- Anomalous Connection::SMB Enumeration

- Anomalous Connection::Suspicious Read Write Ratio and Unusual SMB

- Anomalous Connection::Uncommon 1 GiB Outbound

- Anomalous File::Internal::Additional Extension Appended to SMB File

- Compliance::Possible Cleartext LDAP Authentication

- Compliance::Remote Management Tool On Server

- Compliance::SMB Drive Write

- Compromise::Ransomware::SMB Reads then Writes with Additional Extensions

- Compromise::Ransomware::Possible Ransom Note Write

- Compromise::Ransomware::Ransom or Offensive Words Written to SMB

- Device::Attack and Recon Tools

- User::New Admin Credentials on Client

- Unusual Activity::Anomalous SMB Move & Write

- Unusual Activity::Internal Data Transfer

- Unusual Activity::Unusual External Data Transfer

- Unusual Activity::Enhanced Unusual External Data Transfer

Darktrace Model Detections:

- Antigena::Network::External Threat::Antigena Suspicious File Block

- Antigena::Network::External Threat::Antigena Suspicious File Pattern of Life Block

- Antigena::Network::External Threat::Antigena File then New Outbound Block

- Antigena::Network::External Threat::Antigena Ransomware Block

- Antigena::Network::External Threat::Antigena Suspicious Activity Block

- Antigena::Network::Significant Anomaly::Antigena Controlled and Model Breach

- Antigena::Network::Significant Anomaly::Antigena Enhanced Monitoring from Server Block

- Antigena::Network::Significant Anomaly::Antigena Breaches Over Time Block

- Antigena::Network::Significant Anomaly::Antigena Significant Server Anomaly Block

- Antigena::Network::Insider Threat::Antigena Internal Data Transfer Block

- Antigena::Network::Insider Threat::Antigena Large Data Volume Outbound Block

- Antigena::Network::Insider Threat::Antigena SMB Enumeration Block

AI Analyst Incident Coverage

- Encryption of Files over SMB

- Scanning of Multiple Devices

- SMB Writes of Suspicious Files

MITRE ATT&CK Mapping

(Technique Name) – (Tactic) – (ID) – (Sub-Technique of)

Data Obfuscation - COMMAND AND CONTROL - T1001

Remote System Discovery - DISCOVERY - T1018

SMB/Windows Admin Shares - LATERAL MOVEMENT - T1021.002 - T1021

Rename System Utilities - DEFENSE EVASION - T1036.003 - T1036

Network Sniffing - CREDENTIAL ACCESS, DISCOVERY - T1040

Exfiltration Over C2 Channel - EXFILTRATION - T1041

Data Staged - COLLECTION - T1074

Valid Accounts - DEFENSE EVASION, PERSISTENCE, PRIVILEGE ESCALATION, INITIAL ACCESS - T1078

Taint Shared Content - LATERAL MOVEMENT - T1080

File and Directory Discovery - DISCOVERY - T1083

Email Collection - COLLECTION - T1114

Automated Collection - COLLECTION - T1119

Network Share Discovery - DISCOVERY - T1135

Exploit Public-Facing Application - INITIAL ACCESS - T1190

Hardware Additions - INITIAL ACCESS - T1200

Remote Access Software - COMMAND AND CONTROL - T1219

Data Encrypted for Impact - IMPACT - T1486

Pass the Hash - DEFENSE EVASION, LATERAL MOVEMENT - T1550.002 - T1550

Exfiltration to Cloud Storage - EXFILTRATION - T1567.002 - T1567

Lateral Tool Transfer - LATERAL MOVEMENT - T1570

List of Indicators of Compromise (IoCs)

IoC – Type – Description

/AnyDesk.exe - Executable File - Remote Access Management Tool

gfs302n515[.]userstorage[.]mega[.]co[.]nz- Domain - Exfiltration Domain

*.flocked - Filename Extension - Fog Ransomware Extension

readme.txt - Text File - Fog Ransom Note

xql562evsy7njcsngacphcerzjfecwotdkobn3m4uxu2gtqh26newid[.]onion - Onion Domain - Threat Actor’s Communication Channel

References

[1] https://arcticwolf.com/resources/blog/lost-in-the-fog-a-new-ransomware-threat/

[2] https://intel471.com/blog/assessing-the-disruptions-of-ransomware-gangs

[3] https://www.pcrisk.com/removal-guides/30167-fog-ransomware

Continue reading
About the author
Ryan Traill
Threat Content Lead

Blog

/

September 16, 2024

/
No items found.

What you need to know about FAA Security Protection Regulations 2024

Default blog imageDefault blog image

Overview of FAA Rules 2024

Objective

The goal of the Federal Aviation Administration amended rules is to create new design standards that protect airplane systems from intentional unauthorized electronic interactions (IUEI), which can pose safety risks. The timely motivation for this goal is due to the ongoing trend in aircraft design, which features a growing integration of airplane, engine, and propeller systems, along with expanded connectivity to both internal and external data networks and services.

“This proposed rulemaking would impose new design standards to address cybersecurity threats for transport category airplanes, engines, and propellers. The intended effect of this proposed action is to standardize the FAA’s criteria for addressing cybersecurity threats, reducing certification costs and time while maintaining the same level of safety provided by current special conditions.” (1)

Background

Increasing integration of aircraft systems with internal and external networks raises cybersecurity vulnerability concerns.

Key vulnerabilities include:  

  • Field Loadable Software
  • Maintenance laptops
  • Public networks (e.g., Internet)
  • Wireless sensors
  • USB devices
  • Satellite communications
  • Portable devices and flight bags  

Requirements for Applicants

Applicants seeking design approval must:

  • Provide isolation or protection from unauthorized access
  • Prevent inadvertent or malicious changes to aircraft systems
  • Establish procedures to maintain cybersecurity protections

Purpose

“These changes would introduce type certification and continued airworthiness requirements to protect the equipment, systems, and networks of transport category airplanes, engines, and propellers against intentional unauthorized electronic interactions (IUEI)1 that could create safety hazards. Design approval applicants would be required to identify, assess, and mitigate such hazards, and develop Instructions for Continued Airworthiness (ICA) that would ensure such protections continue in service.” (1)

Key points:

  • Introduce new design standards to address cybersecurity threats for transport category airplanes, engines, and propellers.
  • Aim to reduce certification costs and time while maintaining safety levels similar to current special conditions

Applicant Responsibilities for Identifying, Assessing, and Mitigating IUEI Risks

The proposed rule requires applicants to safeguard airplanes, engines, and propellers from intentional unauthorized electronic interactions (IUEI). To do this, they must:

  1. Identify and assess risks: Find and evaluate any potential electronic threats that could harm safety.
  2. Mitigate risks: Take steps to prevent these threats from causing problems, ensuring the aircraft remain safe and functional.

Let’s break down each of the requirements:

Performing risk analysis

“For such identification and assessment of security risk, the applicant would be required to perform a security risk analysis to identify all threat conditions associated with the system, architecture, and external or internal interfaces.”(3)

Challenge

The complexity and variety of OT devices make it difficult and time-consuming to identify and associate CVEs with assets. Security teams face several challenges:

  • Prioritization Issues: Sifting through extensive CVE lists to prioritize efforts is a struggle.
  • Patch Complications: Finding corresponding patches is complicated by manufacturer delays and design flaws.
  • Operational Constraints: Limited maintenance windows and the need for continuous operations make it hard to address vulnerabilities, often leaving them unresolved for years.
  • Inadequate Assessments: Standard CVE assessments may not fully capture the risks associated with increased connectivity, underscoring the need for a contextualized risk assessment approach.

This highlights the need for a more effective and tailored approach to managing vulnerabilities in OT environments.

Assessing severity of risks

“The FAA would expect such risk analysis to assess the severity of the effect of threat conditions on associated assets (system, architecture, etc.), consistent with the means of compliance the applicant has been using to meet the FAA’s special conditions on this topic.” (3)

Challenge

As shown by the MITRE ATT&CK® Techniques for ICS matrices, threat actors can exploit many avenues beyond just CVEs. To effectively defend against these threats, security teams need a broader perspective, considering lateral movement and multi-stage attacks.

Challenges in Vulnerability Management (VM) cycles include:

  • Initiation: VM cycles often start with email updates from the Cybersecurity and Infrastructure Security Agency (CISA), listing new CVEs from the NIST database.
  • Communication: Security practitioners must survey and forward CVE lists to networking teams at facilities that might be running the affected assets. Responses from these teams are inconsistent, leading vulnerability managers to push patches that may not fit within limited maintenance windows.
  • Asset Tracking: At many OT locations, determining if a company is running a specific firmware version can be extremely time-consuming. Teams often rely on spreadsheets and must perform manual checks by physically visiting production floors ("sneaker-netting").
  • Coordination: Plant engineers and centralized security teams must exchange information to validate asset details and manually score vulnerabilities, further complicating and delaying remediation efforts.

Determine likelihood of exploitation

“Such assessment would also need to analyze these vulnerabilities for the likelihood of exploitation.” (3)

Challenge

Even when a vulnerability is identified, its actual impact can vary significantly based on the specific configurations, processes, and technologies in use within the organization. This creates challenges for OT security practitioners:

  • Risk Assessment: Accurately assessing and prioritizing the risk becomes difficult without a clear understanding of how the vulnerability affects their unique systems.
  • Decision-Making: Practitioners may struggle to determine whether immediate action is necessary, balancing the risk of operational downtime against the need for security.
  • Potential Consequences: This uncertainty can lead to either leaving critical systems exposed or causing unnecessary disruptions by applying measures that aren't truly needed.

This complexity underscores the challenge of making informed, timely decisions in OT security environments.

Vulnerability mitigation

“The proposed regulation would then require each applicant to 'mitigate' the vulnerabilities, and the FAA expects such mitigation would occur through the applicant’s installation of single or multilayered protection mechanisms or process controls to ensure functional integrity, i.e., protection.” (3)

Challenge

OT security practitioners face a constant challenge in balancing security needs with the requirement to maintain operational uptime. In many OT environments, especially in critical infrastructure, applying security patches can be risky:

  • Risk of Downtime: Patching can disrupt essential processes, leading to significant financial losses or even safety hazards.
  • Operational Continuity vs. Security: Practitioners often prioritize operational continuity, sometimes delaying timely security updates.
  • Alternative Strategies: To protect systems without direct patching, they must implement compensating controls, further complicating security efforts.

This delicate balance between security and uptime adds complexity to the already challenging task of securing OT environments.

Establishing procedures/playbooks

“Finally, each applicant would be required to include the procedures within their instructions for continued airworthiness necessary to maintain such protections.” (3)

Challenge

SOC teams typically have a lag before their response, leading to a higher dwell time and bigger overall costs. On average, only 15% of the total cost of ransomware is affiliated with the ransom itself (2). The rest is cost from business interruption. This means it's crucial that organizations can respond and recover earlier. 

Darktrace / OT enabling compliance and enhanced cybersecurity

Darktrace's OT solution addresses the complex challenges of cybersecurity compliance in Operational Technology (OT) environments by offering a comprehensive approach to risk management and mitigation.

Key risk management features include:

  • Contextualized Risk Analysis: Darktrace goes beyond traditional vulnerability scoring, integrating IT, OT, and CVE data with MITRE techniques to map critical attack paths. This helps in identifying and prioritizing vulnerabilities based on their exposure, difficulty of exploitation, and network impact.
  • Guidance on Remediation: When patches are unavailable, Darktrace provides alternative strategies to bolster defenses around vulnerable assets, ensuring unpatched systems are not left exposed—a critical need in OT environments where operational continuity is essential.
  • AI-Driven Adaptability: Darktrace's AI continuously adapts to your organization as it grows; refining incident response playbooks bespoke to your environment in real-time. This ensures that security teams have the most up-to-date, tailored strategies, reducing response times and minimizing the impact of security incidents.

Ready to learn more?  

Darktrace / OT doesn’t just offer risk management capabilities. It is the only solution  
that leverages Self-Learning AI to understand your normal business operations, allowing you to detect and stop insider, known, unknown, and zero-day threats at scale.  

Dive deeper into how Darktrace / OT secures critical infrastructure organizations with in-depth insights on its advanced capabilities. Download the Darktrace / OT Solution Brief to explore the technology behind its AI-driven protection and see how it can transform your OT security strategy.

Curious about how Darktrace / OT enhances aviation security? Explore our customer story on Brisbane Airport to see how our solution is transforming security operations in the aviation sector.  

References

  1. https://research-information.bris.ac.uk/ws/portalfiles/portal/313646831/Catch_Me_if_You_Can.pdf
  1. https://www.bleepingcomputer.com/news/security/ransom-payment-is-roughly-15-percent-of-the-total-cost-of-ransomware-attacks/
  1. https://public-inspection.federalregister.gov/2024-17916.pdf?mod=djemCybersecruityPro&tpl=cs
Continue reading
About the author
Daniel Simonds
Director of Operational Technology
Your data. Our AI.
Elevate your network security with Darktrace AI