Compliance is often an afterthought for security teams responding to cyber security incidents, with many organizations seeing compliance issues as “rule breaking employees” rather than legitimate threats to their network. However, even seemingly innocuous compliance breaches can significantly damage a company’s finances and reputation if not properly addressed.

Adhering to cyber security standards and regulatory requirements is essential, but can often result in “tick box compliance” wherein meeting standards does not result in a reduction of non-compliant activity, lacking tangible impact for many organizations. Protecting data is of paramount importance, especially given the implementation of numerous data protection laws concerned with protecting sensitive data, such as Personally Identifiable Information (PII), financial information, and Protected Health Information (PHI). However, many compliance breaches which do not result in data loss go unadressed, inevitably leading to vulnerabilities within the network that are advantageous to threat actors. Darktrace detects compliance issues in real time and escalates them accordingly, using a dedicated compliance model stack. It highlights incidents of concern, from insecure password storage to device updates, ensuring that users adhere to company standards.

Finding ways to prioritize and quickly triage through these compliance issues, rather than focusing on log auditing or more manually intensive processes, can result in immense gains for security teams.  

Darktrace Coverage of Compliance Breaches   

Incident: Outgoing Operational Technology Connection 

Compliance issues in Operational Technology (OT) are difficult to detect using traditional security measures. The OT space faces unique challenges, such as legacy systems, limited visibility, and convergence between OT and Information Technology (IT). Darktrace’s compliance stack includes an OT-specific subset, allowing users to quickly identify and remediate issues as they arise.

In early 2022, Darktrace observed a compliance incident on the network of a customer based in the energy sector when an individual inserted a mobile phone SIM card into the Human-Machine Interface (HMI) of an Industrial Control System (ICS). The HMI proceeded to access several non-compliant external endpoints, including Facebook. Typically IT and OT networks should be air-gapped to keep critical industrial infrastructure protected and operational.

In this case, Darktrace DETECT triggered a compliance model breach (ICS:: OT Compliance External Connection) and the customer was quickly able mitigate the issue before any meaningful harm could be done to the network.

Incident: Personal Email Use in Corporate Setting

The email space contains a litany of compliance standards and is one of the most common places where security standards are breached, with research demonstrating that “91% of all cyber attacks start with a phishing email.”^[1]

In late October 2022, Darktrace/Email identified an email from the recipient’s personal address containing a suspicious link. As the user regularly sent emails between their corporate and personal addresses, this freemail address was a known correspondent. However, this personal email address had been compromised and sent a phishing email to the user’s corporate address. Darktrace/Email immediately identified the suspicious link and alerted the customer, recommending that their security team lock the link. Unfortunately, the customer did not have autonomous response actions for Email enabled, so the recipient was able to open the link and input their corporate credentials on the phishing page. 

Not only is Darktrace/Email able to assess and mitigate threats from personal email addresses, it can also identify suspicious links inside these emails that may have evaded traditional security measures by using a known correspondence. By enabling autonomous response actions, Darktrace/Email is able to follow this up by instantaneously locking such links, ensuring they cannot be opened and preventing the account from being compromised.

Incident: Multi-Factor Authentication for SaaS Accounts

A desire for increased efficiency and cost-effectiveness are two of the reasons underpinning the widespread adoption of cloud-based Software-as-a-Service (SaaS) solutions. However, third-party SaaS environments are not always held to the same compliance standards as traditional on-premisis network infrastructure.

Multi-factor Authentication (MFA) in SaaS environments requires users to prove their identity in at least two ways before granting them access to applications. This significantly reduces the risk of compromise,  but it is not a silver-bullet to prevent account compromise and is still not universally adopted as a baseline security practice.

In October 2022, Darktrace observed an unusual login from a rare IP address on the SaaS account of a customer that did not have MFA employed. Following this initial access, the actor created a new rule and sent emails containing suspicious links to several internal recipients. Further investigation revealed that the link directed to a fake Office365 login portal intended to harvest user credentials. Darktrace/Email and RESPOND for Apps worked in tandem to instantaneously detect this suspicious activity and force the user to log out, while alerting the customer’s security team to the incident.  As a security practice, MFA provides an additional but not guaranteed means of protecting companies from internal theft, data loss, and external access from malicious actors, but its effectiveness is contingent on its roll out across a company. Darktrace DETECT and RESPOND provide an autonomous early warning system and additional layer of security to quickly isolate and contain compromised accounts even in the absence of MFA.

Conclusion

Compliance standards are the building blocks for the cyber hygiene of any organization, but in the current cyber security landscape simply adhering to standards is not enough to close gaps from non-compliant behavior. Following up compliance standard obedience supported by additional measures and technology to tackle compliance breaches significantly reduces the risk of compromise and data breaches, in addition to financial and reputational damage. Ensuring compliance issues are not disregarded as background noise by security teams will help to ensure that minor breaches do not escalate and become legitimate threats.

Darktrace’s suite of products provides an additional layer of detection and autonomous response, alerting customers to ongoing compliance issues and preventing them from causing genuine harm or compromise to the network.

Credit to: Rachel Resznekov, Cyber Security Analyst, Roberto Romeu, Senior SOC Analyst 

Appendices

External Sources: 

hxxps[:]//www[.]comptia[.]org/content/articles/what-is-cybersecurity-compliance#\

hxxps[:]//darkcubed[.]com/compliance

hxxps[:]//www[.]zeguro[.]com/blog/cybersecurity-compliance-101

hxxps[:]//www[.]itgovernanceusa[.]com/cybersecurity-standards

hxxps[:]//www[.]linkedin[.]com/pulse/dangers-using-personal-email-work-partners-plus

hxxps[:]//www[.]metacompliance[.]com/lp/ultimate-guide-phishing^‍

^[1] hxxps[:]//www[.]metacompliance[.]com/lp/ultimate-guide-phishing