Blog

Threat Finds

Ransomware

Old But Still Dangerous - Dharma Ransomware Attack | Darktrace

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
05
May 2020
05
May 2020
See how Darktrace's Cyber AI detected a fast-acting Dharma ransomware attack at every stage of the life cycle to prevent further damage to the system.

Executive summary

  • In the past few weeks, Darktrace has observed an increase in attacks against internet-facing systems, such as RDP. The initial intrusions usually take place via existing vulnerabilities or stolen, legitimate credentials. The Dharma ransomware attack described in this blog post is one such example.
  • Old threats can be damaging – Dharma and its variants have been around for four years. This is a classic example of ‘legacy’ ransomware morphing and adapting to bypass traditional defenses.
  • The intrusion shows signs that indicate the threat-actors are aware of – and are actively exploiting – the COVID-19 situation.
  • In the current threat landscape surrounding COVID-19, Darktrace recommends monitoring internet-facing systems and critical servers closely – keeping track of administrative credentials and carefully considering security when rapidly deploying internet-facing infrastructure.

Introduction

In mid-April, Darktrace detected a targeted Dharma ransomware attack on a UK company. The initial point of intrusion was via RDP – this represents a very common attack method of infection that Darktrace has observed in the broader threat landscape over the past few weeks.

This blog post highlights every stage of the attack lifecycle and details the attacker’s techniques, tools and procedures (TTP) – all detected by Darktrace.

Dharma – a varient of the CrySIS malware family – first appeared in 2016 and uses multiple intrusion vectors. It distributes its malware as an attachment in a spam email, by disguising it as an installation file for legitimate software, or by exploiting an open RDP connection through internet-facing servers. When Dharma has finished encrypting files, it drops a ransom note with the contact email address in the encrypted SMB files.

Darktrace had strong, real-time detections of the attack – however the absence of eyes on the user interface prior to the encryption activity, and without Autonomous Response deployed in Active Mode, these alerts were only actioned after the ransomware was unleashed. Fortunately, it was unable to spread within the organization, thanks to human intervention at the peak of the attack. However, Darktrace Antigena in active mode would have significantly slowed down the attack.

Timeline

The timeline below provides a rough overview of the major attack phases over five days of activity.

Figure 1: A timeline of the attack

Technical analysis

Darktrace detected that the main device hit by the attack was an internet-facing RDP server (‘RDP server’). Dharma used network-level encryption here: the ransomware activity takes place over the network protocol SMB.

Below is a chronological overview of all Darktrace detections that fired during this attack: Darktrace detected and reported every single unusual or suspicious event occurring on the RDP server.

Figure 2: An overview of Darktrace detections

Initial compromise

On April 7, the RDP server began receiving a large number of incoming connections from rare IP addresses on the internet.

On April 7, the RDP server began receiving a large number of incoming connections from rare IP addresses on the internet. This means a lot of IP addresses on the internet that usually don’t connect to this company started connection attempts over RDP. The top five cookies used to authenticate show that the source IPs were located in Russia, the Netherlands, Korea, the United States, and Germany.

It is highly likely that the RDP credential used in this attack had been compromised prior to the attack – either via common brute-force methods, credential stuffing attacks, or phishing. Indeed, a TTP growing in popularity is to buy RDP credentials on marketplaces and skip to initial access.

Attempted privilege escalation

The following day, the malicious actor abused the SMB version 1 protocol, notorious for always-on null sessions which offer unauthenticated users’ information about the machine – such as password policies, usernames, group names, machine names, user and host SIDs. What followed was very unusual: the server connected externally to a rare IP address located in Morocco.

Next, the attacker attempted a failed SMB session to the external IP over an unusual port. Darktrace detected this activity as highly anomalous, as it had previously learned that SMB is usually not used in this fashion within this organization – and certainly not for external communication over this port.

Figure 3: Darktrace detecting the rare external IP address

Figure 4: The SMB session failure and the rare connection over port 1047

Command and control traffic

As the entire attack occurred over five days, this aligns with a smash-and-grab approach, rather than a highly covert, low-and-slow operation.

Two hours later, the server initiated a large number of anomalous and rare connections to external destinations located in India, China, and Italy – amongst other destinations the server had never communicated with before. The attacker was now attempting to establish persistence and create stronger channels for command and control (C2). As the entire attack occurred over five days, this aligns with a smash-and-grab approach, rather than a highly covert, low-and-slow operation.

Actions on target

Notwithstanding this approach, the malicious actor remained dormant for two days, biding their time until April 10 — a public holiday in the UK — when security teams would be notably less responsive. This pause in activity provides supporting evidence that the attack was human-driven.

Figure 5: The unusual RDP connections detected by Darktrace

The RDP server then began receiving incoming remote desktop connections from 100% rare IP addresses located in the Netherlands, Latvia, and Poland.

Internal reconnaissance

The IP address 85.93.20[.]6, hosted at the time of investigation in Panama, made two connections to the server, using an administrative credential. On April 12, as other inbound RDP connections scanned the network, the volume of data transferred by the RDP server to this IP address spiked. The RDP server never scans the internal network. Darktrace identified this as highly unusual activity.

Figure 6: Darktrace detects the anomalous external data transfer

Lateral movement and payload execution

Finally, on April 12, the attackers executed the Dharma payload at 13:45. The RDP server wrote a number of files over the SMB protocol, appended with a file extension containing a throwaway email account possibly evoking the current COVID-19 pandemic, ‘cov2020@aol[.]com’. The use of string ‘…@aol.com].ROGER’ and presence of a file named ‘FILES ENCRYPTED.txt’ resembles previous Dharma compromises.

Parallel to the encryption activity, the ransomware tried to spread and infect other machines by initiating successful SMB authentications using the same administrator credential seen during the internal reconnaissance. However, the destination devices did not encrypt any files themselves.

It was during the encryption activity that the internal IT staff pulled the plug from the compromised RDP server, thus ending the ransomware activity.

Conclusion

This incident supports the idea that ‘legacy’ ransomware may morph to resurrect itself to exploit vulnerabilities in remote working infrastructure during this pandemic.

Dharma executed here a fast-acting, planned, targeted, ransomware attack. The attackers used off-the-shelf tools (RDP, abusing SMB1 protocol) blurring detection and attribution by blending in with typical administrator activity.

Darktrace detected every stage of the attack without having to depend on threat intelligence or rules and signatures, and the internal security team acted on the malicious activity to prevent further damage.

This incident supports the idea that ‘legacy’ ransomware may morph to resurrect itself to exploit vulnerabilities in remote working infrastructure during this pandemic. Poorly-secured public-facing systems have been rushed out and security is neglected as companies prioritize availability – sacrificing security in the process. Financially-motivated actors weaponize these weak points.

The use of the COVID-related email ‘cov2020@aol[.]com’ during the attack indicates that the threat-actor is aware of and abusing the current global pandemic.

Recent attacks, such as APT41’s exploitation of the Zoho Manage Engine vulnerability last March, show that attacks against internet-facing infrastructure are gaining popularity as the initial intrusion vector. Indeed, as many as 85% of ransomware attacks use RDP as an entry vector. Ensuring that backups are isolated, configurations are hardened, and systems are patched is not enough – real-time detection of every anomalous action can help protect potential victims of ransomware.

Technical Details

Some of the detections on the RDP server:

  • Compliance / Internet Facing RDP server – exposure of critical server to Internet
  • Anomalous Connection / Application Protocol on Uncommon Port – external connections using an unusual port to rare endpoints
  • Device / Large Number of Connections to New Endpoints – indicative of peer-to-peer or scanning activity
  • Compliance / Incoming Remote Desktop – device is remotely controlled from an external source, increased rick of bruteforce
  • Compromise / Ransomware / Suspicious SMB Activity – reading and writing similar volumes of data to remote file shares, indicative of files being overwritten and encrypted
  • Anomalous File / Internal / Additional Extension Appended to SMB File – device is renaming network share files with an added extension, seen during ransomware activity

The graph below shows the timeline of Darktrace detections on the RDP server. The attack lifecycle is clearly observable.

Figure 7: The model breaches occurring over time

INSIDE THE SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
AUTHOR
ABOUT ThE AUTHOR
Max Heinemeyer
Chief Product Officer

Max is a cyber security expert with over a decade of experience in the field, specializing in a wide range of areas such as Penetration Testing, Red-Teaming, SIEM and SOC consulting and hunting Advanced Persistent Threat (APT) groups. At Darktrace, Max is closely involved with Darktrace’s strategic customers & prospects. He works with the R&D team at Darktrace, shaping research into new AI innovations and their various defensive and offensive applications. Max’s insights are regularly featured in international media outlets such as the BBC, Forbes and WIRED. Max holds an MSc from the University of Duisburg-Essen and a BSc from the Cooperative State University Stuttgart in International Business Information Systems.

Book a 1-1 meeting with one of our experts
share this article
USE CASES
No items found.
PRODUCT SPOTLIGHT
No items found.
COre coverage
No items found.

More in this series

No items found.

Blog

Inside the SOC

Jupyter Ascending: Darktrace’s Investigation of the Adaptive Jupyter Information Stealer

Default blog imageDefault blog image
18
Jul 2024

What is Malware as a Service (MaaS)?

Malware as a Service (MaaS) is a model where cybercriminals develop and sell or lease malware to other attackers.

This approach allows individuals or groups with limited technical skills to launch sophisticated cyberattacks by purchasing or renting malware tools and services. MaaS is often provided through online marketplaces on the dark web, where sellers offer various types of malware, including ransomware, spyware, and trojans, along with support services such as updates and customer support.

The Growing MaaS Marketplace

The Malware-as-a-Service (MaaS) marketplace is rapidly expanding, with new strains of malware being regularly introduced and attracting waves of new and previous attackers. The low barrier for entry, combined with the subscription-like accessibility and lucrative business model, has made MaaS a prevalent tool for cybercriminals. As a result, MaaS has become a significant concern for organizations and their security teams, necessitating heightened vigilance and advanced defense strategies.

Examples of Malware as a Service

  • Ransomware as a Service (RaaS): Providers offer ransomware kits that allow users to launch ransomware attacks and share the ransom payments with the service provider.
  • Phishing as a Service: Services that provide phishing kits, including templates and email lists, to facilitate phishing campaigns.
  • Botnet as a Service: Renting out botnets to perform distributed denial-of-service (DDoS) attacks or other malicious activities.
  • Information Stealer: Information stealers are a type of malware specifically designed to collect sensitive data from infected systems, such as login credentials, credit card numbers, personal identification information, and other valuable data.

How does information stealer malware work?

Information stealers are an often-discussed type MaaS tool used to harvest personal and proprietary information such as administrative credentials, banking information, and cryptocurrency wallet details. This information is then exfiltrated from target networks via command-and-control (C2) communication, allowing threat actors to monetize the data. Information stealers have also increasingly been used as an initial access vector for high impact breaches including ransomware attacks, employing both double and triple extortion tactics.

After investigating several prominent information stealers in recent years, the Darktrace Threat Research team launched an investigation into indicators of compromise (IoCs) associated with another variant in late 2023, namely the Jupyter information stealer.

What is Jupyter information stealer and how does it work?

The Jupyter information stealer (also known as Yellow Cockatoo, SolarMarker, and Polazert) was first observed in the wild in late 2020. Multiple variants have since become part of the wider threat landscape, however, towards the end of 2023 a new variant was observed. This latest variant achieved greater stealth and updated its delivery method, targeting browser extensions such as Edge, Firefox, and Chrome via search engine optimization (SEO) poisoning and malvertising. This then redirects users to download malicious files that typically impersonate legitimate software, and finally initiates the infection and the attack chain for Jupyter [3][4]. In recently noted cases, users download malicious executables for Jupyter via installer packages created using InnoSetup – an open-source compiler used to create installation packages in the Windows OS.

The latest release of Jupyter reportedly takes advantage of signed digital certificates to add credibility to downloaded executables, further supplementing its already existing tactics, techniques and procedures (TTPs) for detection evasion and sophistication [4]. Jupyter does this while still maintaining features observed in other iterations, such as dropping files into the %TEMP% folder of a system and using PowerShell to decrypt and load content into memory [4]. Another reported feature includes backdoor functionality such as:

  • C2 infrastructure
  • Ability to download and execute malware
  • Execution of PowerShell scripts and commands
  • Injecting shellcode into legitimate windows applications

Darktrace Coverage of Jupyter information stealer

In September 2023, Darktrace’s Threat Research team first investigated Jupyter and discovered multiple IoCs and TTPs associated with the info-stealer across the customer base. Across most investigated networks during this time, Darktrace observed the following activity:

  • HTTP POST requests over destination port 80 to rare external IP addresses (some of these connections were also made via port 8089 and 8090 with no prior hostname lookup).
  • HTTP POST requests specifically to the root directory of a rare external endpoint.
  • Data streams being sent to unusual external endpoints
  • Anomalous PowerShell execution was observed on numerous affected networks.

Taking a further look at the activity patterns detected, Darktrace identified a series of HTTP POST requests within one customer’s environment on December 7, 2023. The HTTP POST requests were made to the root directory of an external IP address, namely 146.70.71[.]135, which had never previously been observed on the network. This IP address was later reported to be malicious and associated with Jupyter (SolarMarker) by open-source intelligence (OSINT) [5].

Device Event Log indicating several connections from the source device to the rare external IP address 146.70.71[.]135 over port 80.
Figure 1: Device Event Log indicating several connections from the source device to the rare external IP address 146.70.71[.]135 over port 80.

This activity triggered the Darktrace / NETWORK model, ‘Anomalous Connection / Posting HTTP to IP Without Hostname’. This model alerts for devices that have been seen posting data out of the network to rare external endpoints without a hostname. Further investigation into the offending device revealed a significant increase in external data transfers around the time Darktrace alerted the activity.

This External Data Transfer graph demonstrates a spike in external data transfer from the internal device indicated at the top of the graph on December 7, 2023, with a time lapse shown of one week prior.
Figure 2: This External Data Transfer graph demonstrates a spike in external data transfer from the internal device indicated at the top of the graph on December 7, 2023, with a time lapse shown of one week prior.

Packet capture (PCAP) analysis of this activity also demonstrates possible external data transfer, with the device observed making a POST request to the root directory of the malicious endpoint, 146.70.71[.]135.

PCAP of a HTTP POST request showing streams of data being sent to the endpoint, 146.70.71[.]135.
Figure 3: PCAP of a HTTP POST request showing streams of data being sent to the endpoint, 146.70.71[.]135.

In other cases investigated by the Darktrace Threat Research team, connections to the rare external endpoint 67.43.235[.]218 were detected on port 8089 and 8090. This endpoint was also linked to Jupyter information stealer by OSINT sources [6].

Darktrace recognized that such suspicious connections represented unusual activity and raised several model alerts on multiple customer environments, including ‘Compromise / Large Number of Suspicious Successful Connections’ and ‘Anomalous Connection / Multiple Connections to New External TCP Port’.

In one instance, a device that was observed performing many suspicious connections to 67.43.235[.]218 was later observed making suspicious HTTP POST connections to other malicious IP addresses. This included 2.58.14[.]246, 91.206.178[.]109, and 78.135.73[.]176, all of which had been linked to Jupyter information stealer by OSINT sources [7] [8] [9].

Darktrace further observed activity likely indicative of data streams being exfiltrated to Jupyter information stealer C2 endpoints.

Graph displaying the significant increase in the number of HTTP POST requests with No Get made by an affected device, likely indicative of Jupyter information stealer C2 activity.
Figure 4: Graph displaying the significant increase in the number of HTTP POST requests with No Get made by an affected device, likely indicative of Jupyter information stealer C2 activity.

In several cases, Darktrace was able to leverage customer integrations with other security vendors to add additional context to its own model alerts. For example, numerous customers who had integrated Darktrace with Microsoft Defender received security integration alerts that enriched Darktrace’s model alerts with additional intelligence, linking suspicious activity to Jupyter information stealer actors.

The security integration model alerts ‘Security Integration / Low Severity Integration Detection’ and (right image) ‘Security Integration / High Severity Integration Detection’, linking suspicious activity observed by Darktrace with Jupyter information stealer (SolarMarker).
Figure 5: The security integration model alerts ‘Security Integration / Low Severity Integration Detection’ and (right image) ‘Security Integration / High Severity Integration Detection’, linking suspicious activity observed by Darktrace with Jupyter information stealer (SolarMarker).

Conclusion

The MaaS ecosystems continue to dominate the current threat landscape and the increasing sophistication of MaaS variants, featuring advanced defense evasion techniques, poses significant risks once deployed on target networks.

Leveraging anomaly-based detections is crucial for staying ahead of evolving MaaS threats like Jupyter information stealer. By adopting AI-driven security tools like Darktrace / NETWORK, organizations can more quickly identify and effectively detect and respond to potential threats as soon as they emerge. This is especially crucial given the rise of stealthy information stealing malware strains like Jupyter which cannot only harvest and steal sensitive data, but also serve as a gateway to potentially disruptive ransomware attacks.

Credit to Nahisha Nobregas (Senior Cyber Analyst), Vivek Rajan (Cyber Analyst)

References

1.     https://www.paloaltonetworks.com/cyberpedia/what-is-multi-extortion-ransomware

2.     https://flashpoint.io/blog/evolution-stealer-malware/

3.     https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html

4.     https://www.morphisec.com/hubfs/eBooks_and_Whitepapers/Jupyter%20Infostealer%20WEB.pdf

5.     https://www.virustotal.com/gui/ip-address/146.70.71.135

6.     https://www.virustotal.com/gui/ip-address/67.43.235.218/community

7.     https://www.virustotal.com/gui/ip-address/2.58.14.246/community

8.     https://www.virustotal.com/gui/ip-address/91.206.178.109/community

9.     https://www.virustotal.com/gui/ip-address/78.135.73.176/community

Appendices

Darktrace Model Detections

  • Anomalous Connection / Posting HTTP to IP Without Hostname
  • Compromise / HTTP Beaconing to Rare Destination
  • Unusual Activity / Unusual External Data to New Endpoints
  • Compromise / Slow Beaconing Activity To External Rare
  • Compromise / Large Number of Suspicious Successful Connections
  • Anomalous Connection / Multiple Failed Connections to Rare Endpoint
  • Compromise / Excessive Posts to Root
  • Compromise / Sustained SSL or HTTP Increase
  • Security Integration / High Severity Integration Detection
  • Security Integration / Low Severity Integration Detection
  • Anomalous Connection / Multiple Connections to New External TCP Port
  • Unusual Activity / Unusual External Data Transfer

AI Analyst Incidents:

  • Unusual Repeated Connections
  • Possible HTTP Command and Control to Multiple Endpoints
  • Possible HTTP Command and Control

List of IoCs

Indicators – Type – Description

146.70.71[.]135

IP Address

Jupyter info-stealer C2 Endpoint

91.206.178[.]109

IP Address

Jupyter info-stealer C2 Endpoint

146.70.92[.]153

IP Address

Jupyter info-stealer C2 Endpoint

2.58.14[.]246

IP Address

Jupyter info-stealer C2 Endpoint

78.135.73[.]176

IP Address

Jupyter info-stealer C2 Endpoint

217.138.215[.]105

IP Address

Jupyter info-stealer C2 Endpoint

185.243.115[.]88

IP Address

Jupyter info-stealer C2 Endpoint

146.70.80[.]66

IP Address

Jupyter info-stealer C2 Endpoint

23.29.115[.]186

IP Address

Jupyter info-stealer C2 Endpoint

67.43.235[.]218

IP Address

Jupyter info-stealer C2 Endpoint

217.138.215[.]85

IP Address

Jupyter info-stealer C2 Endpoint

193.29.104[.]25

IP Address

Jupyter info-stealer C2 Endpoint

Continue reading
About the author
Nahisha Nobregas
SOC Analyst

Blog

No items found.

What you need to know about the new SEC Cybersecurity rules

Default blog imageDefault blog image
17
Jul 2024

What is new in 2023 to SEC cybersecurity rules?

Form 8-K Item 1.05: Requiring the timely disclosure of material cybersecurity incidents.

Regulation S-K item 106: requiring registrants’ annual reports on Form 10-K to address cybersecurity risk management, strategy, and governance processes.

Comparable disclosures are required for reporting foreign private issuers on Forms 6-K and 20-F respectively.

What is Form 8-K Item 1.05 SEC cybersecurity rules?

Form 8-K Item 1.05 requires the following to be reported within four business days from when an incident is determined to be “material” (1), unless extensions are granted by the SEC under certain qualifying conditions:

“If the registrant experiences a cybersecurity incident that is determined by the registrant to be material, describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.” (2, 3)

How does the SEC define cybersecurity incident?

Cybersecurity incident defined by the SEC means an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein. (4)

How can Darktrace assist in the process of disclosing incidents to the SEC?

Accelerate reporting

Darktrace’s Cyber AI Analyst generates automated reports that synthesize discrete data points potentially indicative of cybersecurity threats, forming reports that provide an overview of the evolution and impact of a threat.

Thus, when a potential threat is identified by Darktrace, AI Analyst can quickly compile information that organizations might include in their disclosure of an occurrence they determined to be material, including the following: incident timelines, incident events, incident summary, related model breaches, investigation process (i.e., how Darktrace’s AI conducted the investigation), linked incident events, and incident details. The figure below illustrates how Darktrace compiles and presents incident information and insights in the UI.

Overview of information provided in an ‘AI Analyst Report’ that could be relevant to registrants reporting a material cybersecurity incident to the SEC
Figure 1: Overview of information provided in an ‘AI Analyst Report’ that could be relevant to registrants reporting a material cybersecurity incident to the SEC

It should be noted that Instruction 4 to the new Form 8-K Item 1.05 specifies the “registrant need not disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident” (5).

As such, the incident report generated by Darktrace may provide more information, including technical details, than is needed for the 8-K disclosure. In general, users should take appropriate measures to ensure that the information they provide in SEC reports meets the requirements outlined by the relevant regulations. Darktrace cannot recommend that an incident should be reported, nor report an incident itself.

Determine if a cybersecurity incident is material

Item 1.05 requires registrants to determine for themselves whether cybersecurity incidents qualify as ‘material’. This involves considerations such as ‘the nature scope and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.’

While it is up to the registrant to determine, consistent with existing legal standards, the materiality of an incident, Darktrace’s solution can provide relevant information which might aid in this evaluation. Darktrace’s Threat Visualizer user interface provides a 3-D visualization of an organization’s digital environment, allowing users to assess the likely degree to which an attack may have spread throughout their digital environment. Darktrace Cyber AI Analyst identifies connections among discrete occurrences of threatening activity, which can help registrants quickly assess the ‘scope and timing of an incident'.

Furthermore, in order to establish materiality it would be useful to understand how an attack might extend across recipients and environments. In the image below, Darktrace/Email identifies how a user was impacted across different platforms. In this example, Darktrace/Email identified an attacker that deployed a dual channel social engineering attack via both email and a SaaS platform in an effort to acquire login credentials. In this case, the attacker useding a legitimate SharePoint link that only reveals itself to be malicious upon click. Once the attacker gained the credentials, it proceeded to change email rules to obfuscate its activity.

Darktrace/Email presents this information in one location, making such investigations easier for the end user.

Darktrace/Email indicating a threat across SaaS and email
Figure 2: Darktrace/Email indicating a threat across SaaS and email

What is regulation S-K item 106 of the SEC cybersecurity rules?

The new rules add Item 106 to Regulation S-K requiring registrants to disclose certain information regarding their risk management, strategy, and governance relating to cybersecurity in their annual reports on Form 10-K. The new rules add Item 16K to Form 20-F to require comparable disclosure by [foreign private issuers] in their annual reports on Form 20-F. (6)

SEC cybersecurity rules: Risk management

Specifically, with respect to risk management, Item 106(b) and Item 16K(b) require registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect them. The new rules include a non-exclusive list of disclosure items registrants should provide based on their facts and circumstances. (6)

SEC cybersecurity rules: Governance

With respect to governance, Item 106 and Item 16K require registrants to describe the board of directors’ oversight of risks from cybersecurity threats (including identifying any board committee or subcommittee responsible for such oversight) and management’s role in assessing and managing material risks from cybersecurity threats. (6)

How can Darktrace solutions aid in disclosing their risk management, strategy, and governance related to cybersecurity?

Impact scores

Darktrace End-to-End (E2E) leverages AI to understand the complex relationships across users and devices to model possible attack paths, giving security teams a contextual understanding of risk across their digital environments beyond isolated CVEs or CVSS scores. Additionally, teams can prioritize risk management actions to increase their cyber resilience through the E2E Advisory dashboard.

Attack paths consider:

  • Potential damages: Both the potential consequences if a given device was compromised and its immediate implications on other devices.
  • Exposure: Devices' level of interactivity and accessibility. For example, how many emails does a user get via mailing lists and from what kind of sources?
  • Impact: Where a user or asset sits in terms of the IT or business hierarchy and how they communicate with each other. Darktrace can simulate a range of possible outcomes for an uncertain event.
  • Weakness: A device’s patch latency and difficulty, a composite metric that looks at attacker MITRE methods and our own scores to determine how hard each stage of compromise is to achieve.

Because the SEC cybersecurity rules require “oversight of risks from cybersecurity threats” and “management’s role in assessing and managing material risks from cybersecurity threats” (6), the scores generated by Darktrace E2E can aid end-user’s ability to identify risks facing their organization and assign responsibilities to address those risks.

E2E attack paths leverage a deep understanding of a customer’ digital environment and highlight potential attack routes that an attacker could leverage to reach critical assets or entities. Difficulty scores (see Figure 5) allow security teams to measure potential damage, exposure, and impact of an attack on a specific asset or entity.

An example of an attack path in a digital environment
Figure 3: An example of an attack path in a digital environment

Automatic executive threat reports

Darktrace’s solution automatically produces Executive Threat Reports that present a simple visual overview of model breaches (i.e., indicators of unusual and threatening behaviors) and activity in the network environment. Reports can be customized to include extra details or restricted to high level information.

These reports can be generated on a weekly, quarterly, and yearly basis, and can be documented by registrants in relation to Item 106(b) to document parts of their efforts toward assessing, identifying, and managing material risks from cybersecurity threats.

Moreover, Cyber AI Analyst incident reports (described above) can be leveraged to document key details concerning significant previous incidents identified by the Darktrace solution that the registrant determined to be ‘material’.

While the disclosures required by Item 106(c) relate to the governance processes by which the board of directors, the management, and other responsible bodies within an organization oversee risks resulting from cybersecurity threats, the information provided by Darktrace’s Executive Threat Reports and Cyber AI Analyst incident reports can also help relevant stakeholders communicate more effectively regarding the threat landscape and previous incidents.

DISCLAIMER

The material above is provided for informational purposes only. This summary does not constitute legal or compliance advice, recommendations, or guidance. Darktrace encourages you to verify the contents of this summary with your own advisors.

References

  1. Note that the rule does not set forth any specific timeline between the incident and the materiality determination, but the materiality determination should be made without unreasonable delay.
  2. https://www.sec.gov/files/form8-k.pdf
  3. https://www.sec.gov/news/press-release/2023-139
  4. https://www.ecfr.gov/current/title-17/chapter-II/part-229
  5. https://www.sec.gov/files/form8-k.pdf
  6. https://www.sec.gov/corpfin/secg-cybersecurity
Continue reading
About the author
Kendra Gonzalez Duran
Director of Technology Innovation
Our ai. Your data.

Elevate your cyber defenses with Darktrace AI

Start your free trial
Darktrace AI protecting a business from cyber threats.