Blog
/

Inside the SOC

/
March 12, 2023

How Compliance Breach Mitigation Can Prevent Compromise

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
12
Mar 2023
Compliance breaches can significantly damage a company’s finances and reputation if not properly addressed by security teams. Learn how Darktrace can help!

Compliance is often an afterthought for security teams responding to cyber security incidents, with many organizations seeing compliance issues as “rule breaking employees” rather than legitimate threats to their network. However, even seemingly innocuous compliance breaches can significantly damage a company’s finances and reputation if not properly addressed.

Adhering to cyber security standards and regulatory requirements is essential, but can often result in “tick box compliance” wherein meeting standards does not result in a reduction of non-compliant activity, lacking tangible impact for many organizations. Protecting data is of paramount importance, especially given the implementation of numerous data protection laws concerned with protecting sensitive data, such as Personally Identifiable Information (PII), financial information, and Protected Health Information (PHI). However, many compliance breaches which do not result in data loss go unadressed, inevitably leading to vulnerabilities within the network that are advantageous to threat actors. Darktrace detects compliance issues in real time and escalates them accordingly, using a dedicated compliance model stack. It highlights incidents of concern, from insecure password storage to device updates, ensuring that users adhere to company standards.

Finding ways to prioritize and quickly triage through these compliance issues, rather than focusing on log auditing or more manually intensive processes, can result in immense gains for security teams.  

Darktrace Coverage of Compliance Breaches   

Incident: Outgoing Operational Technology Connection 

Compliance issues in Operational Technology (OT) are difficult to detect using traditional security measures. The OT space faces unique challenges, such as legacy systems, limited visibility, and convergence between OT and Information Technology (IT). Darktrace’s compliance stack includes an OT-specific subset, allowing users to quickly identify and remediate issues as they arise.

In early 2022, Darktrace observed a compliance incident on the network of a customer based in the energy sector when an individual inserted a mobile phone SIM card into the Human-Machine Interface (HMI) of an Industrial Control System (ICS). The HMI proceeded to access several non-compliant external endpoints, including Facebook. Typically IT and OT networks should be air-gapped to keep critical industrial infrastructure protected and operational.

In this case, Darktrace DETECT triggered a compliance model breach (ICS:: OT Compliance External Connection) and the customer was quickly able mitigate the issue before any meaningful harm could be done to the network.

Incident: Personal Email Use in Corporate Setting

The email space contains a litany of compliance standards and is one of the most common places where security standards are breached, with research demonstrating that “91% of all cyber attacks start with a phishing email.”[1]

In late October 2022, Darktrace/Email identified an email from the recipient’s personal address containing a suspicious link. As the user regularly sent emails between their corporate and personal addresses, this freemail address was a known correspondent. However, this personal email address had been compromised and sent a phishing email to the user’s corporate address. Darktrace/Email immediately identified the suspicious link and alerted the customer, recommending that their security team lock the link. Unfortunately, the customer did not have autonomous response actions for Email enabled, so the recipient was able to open the link and input their corporate credentials on the phishing page. 

Not only is Darktrace/Email able to assess and mitigate threats from personal email addresses, it can also identify suspicious links inside these emails that may have evaded traditional security measures by using a known correspondence. By enabling autonomous response actions, Darktrace/Email is able to follow this up by instantaneously locking such links, ensuring they cannot be opened and preventing the account from being compromised.

Incident: Multi-Factor Authentication for SaaS Accounts

A desire for increased efficiency and cost-effectiveness are two of the reasons underpinning the widespread adoption of cloud-based Software-as-a-Service (SaaS) solutions. However, third-party SaaS environments are not always held to the same compliance standards as traditional on-premisis network infrastructure.

Multi-factor Authentication (MFA) in SaaS environments requires users to prove their identity in at least two ways before granting them access to applications. This significantly reduces the risk of compromise,  but it is not a silver-bullet to prevent account compromise and is still not universally adopted as a baseline security practice.

In October 2022, Darktrace observed an unusual login from a rare IP address on the SaaS account of a customer that did not have MFA employed. Following this initial access, the actor created a new rule and sent emails containing suspicious links to several internal recipients. Further investigation revealed that the link directed to a fake Office365 login portal intended to harvest user credentials. Darktrace/Email and RESPOND for Apps worked in tandem to instantaneously detect this suspicious activity and force the user to log out, while alerting the customer’s security team to the incident.  As a security practice, MFA provides an additional but not guaranteed means of protecting companies from internal theft, data loss, and external access from malicious actors, but its effectiveness is contingent on its roll out across a company. Darktrace DETECT and RESPOND provide an autonomous early warning system and additional layer of security to quickly isolate and contain compromised accounts even in the absence of MFA.

Conclusion

Compliance standards are the building blocks for the cyber hygiene of any organization, but in the current cyber security landscape simply adhering to standards is not enough to close gaps from non-compliant behavior. Following up compliance standard obedience supported by additional measures and technology to tackle compliance breaches significantly reduces the risk of compromise and data breaches, in addition to financial and reputational damage. Ensuring compliance issues are not disregarded as background noise by security teams will help to ensure that minor breaches do not escalate and become legitimate threats.

Darktrace’s suite of products provides an additional layer of detection and autonomous response, alerting customers to ongoing compliance issues and preventing them from causing genuine harm or compromise to the network.

Credit to: Rachel Resznekov, Cyber Security Analyst, Roberto Romeu, Senior SOC Analyst 

Appendices

External Sources: 

hxxps[:]//www[.]comptia[.]org/content/articles/what-is-cybersecurity-compliance#\

hxxps[:]//darkcubed[.]com/compliance

hxxps[:]//www[.]zeguro[.]com/blog/cybersecurity-compliance-101

hxxps[:]//www[.]itgovernanceusa[.]com/cybersecurity-standards

hxxps[:]//www[.]linkedin[.]com/pulse/dangers-using-personal-email-work-partners-plus

hxxps[:]//www[.]metacompliance[.]com/lp/ultimate-guide-phishing

[1] hxxps[:]//www[.]metacompliance[.]com/lp/ultimate-guide-phishing

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Author
Rachel Resnekov
Cyber Analyst
Book a 1-1 meeting with one of our experts
Share this article

More in this series

No items found.

Blog

/

November 7, 2024

/

Inside the SOC

Onomastics Gymnastics: How Darktrace Detects Spoofing and Business Email Compromise in Multi-Name Users

Default blog imageDefault blog image

Note: For privacy reasons, actual surnames and email addresses observed in these incidents below have been replaced with fictitious placeholder names, using the common Spanish names “Fulano” and “Mengano”.

Naming conventions

Modeling names and their variants of members of an organization is a critical component to properly detect if those same names and variants are being spoofed by malicious actors. For many predominantly English-speaking organizations, these variants can largely be captured by variants of a person’s given name (e.g. James-Jimmy-Jim) and a consistent, singular surname or family name (e.g. Smith). Naming conventions, however, are far from universal. This piece will review how Darktrace / EMAIL manages the common naming conventions of much of the Spanish-speaking world, and can use its modeling to create high-fidelity detections of multiple types of spoofing attempts.

A brief summary of the common convention across Spain and much of Spanish-speaking America: most people are given one or two given names (e.g. Roberto, Juan, María, Natalia), and their surnames are the first surname of their father, followed by the first surname of their mother. While there are various exceptions to this norm, the below graphic Wikipedia [1][2] highlights the general rule.

Example Spanish naming convention for father “José García Torres” and mother “María Acosta Gómez” for child “Pablo García Acosta”. If shortened to one surname, the convention holds the child would be referred to as “Pablo García”
Figure 1: Example Spanish naming convention for father “José García Torres” and mother “María Acosta Gómez” for child “Pablo García Acosta”. If shortened to one surname, the convention holds the child would be referred to as “Pablo García” [1].

Detection of improper name usage

Implicit in the above comment that shortening to one surname follows the convention of using the first surname, shortening to the second surname is often a tell-tale sign of someone unfamiliar with the person or their broader culture. This can be a useful corroborating feature in detecting a spoof attempt – analogous to a spelling error.

In the case of a Spanish customer, this misuse of name shortening contributed to the detection of a spoof attempt trying to solicit a response by impersonating an internal user forwarding information about ‘Data Protection’.

Figure 2: The Cyber AI Analyst summary of the Darktrace / EMAIL detections shows the use of the Gmail sender impersonating Isabel Maria Fulano Mengano, but incorrectly uses the second surname Mengano.

While the limited communication history from the sender and the nature of the text content already marks the mail as suspicious, Darktrace / EMAIL notes the personal name used in the email is similar to a high-value user (‘whale’ to use the terminology of spearphishing). The additional context provided by the detection of the attempted spoof prompted more severe actioning of this email, leading to a ‘Hold’ action instead of a less-severe ‘Unspoof’ action via a banner on the email.

The content summary of the sender showing the ‘Personal’ field of the email being ‘Isabel Mengano’, breaking from the standard name-shortening convention. The additional metrics identify features that might be anomalous about the sender.
Figure 3: The content summary of the sender showing the ‘Personal’ field of the email being ‘Isabel Mengano’, breaking from the standard name-shortening convention. The additional metrics identify features that might be anomalous about the sender.

Malicious email properly using both surnames

Misusing the name-shortening convention is not the only way that Darktrace / EMAIL can detect spoofing attempts. In the case of another Spanish customer,  Darktrace observed a whale impersonation being sent to 230 users with solicitation content, but no links or attachments. Although the name was modeled internally in the “Surname, Given-name” format, Darktrace identified the spoofing attempt targeting a high-value user and took action, blocking the series of emails from reaching end-user inboxes to prevent unsuspecting users from responding.

Cyber AI Analyst summary of a suspicious email
Figure 4: Cyber AI Analyst summary of a suspicious email. The personal field is visible as ‘juan fulano mengano’, which is consistent with the reverse-order modelled user ‘fulano mengano, juan’. The subject line ‘Urgent Request’ sent to 230 users gives an intuitive indicator of the emails potentially being part of a malicious solicitation campaign.

In Summary: A case of onomastics gymnastics

The variety in valid usage of human language can be a barrier to evaluating when a given text is benign or malicious. Despite this, Darktrace / EMAIL is designed to manage this variety, as exemplified by the detections of two spoofing attempts seen against organizations using the distinct Spanish-speaking world’s common naming convention. The scope of this design as seen in this onomastic context, extends to a wide range of detections surrounding emails and their behavioral anomalies.

Credit to Roberto Romeu (Principal Cyber Analyst), Justin Torres (Senior Cyber Analyst) and Natalia Sánchez Rocafort (Senior Analyst Consultant).

Darktrace / Email solution brief screenshot

Secure Your Inbox with Cutting-Edge AI Email Protection

Discover the most advanced cloud-native AI email security solution to protect your domain and brand while preventing phishing, novel social engineering, business email compromise, account takeover, and data loss.

  • Gain up to 13 days of earlier threat detection and maximize ROI on your current email security
  • Experience 20-25% more threat blocking power with Darktrace / EMAIL
  • Stop the 58% of threats bypassing traditional email security

References

[1] https://en.wikipedia.org/wiki/Naming_customs_of_Hispanic_America

[2] https://en.wikipedia.org/wiki/Spanish_naming_customs

Continue reading
About the author
Roberto Romeu
Senior SOC Analyst

Blog

/

October 31, 2024

/

OT

Understanding the NERC-CIP015 Internal Network Security Monitoring (INSM) Requirements

Default blog imageDefault blog image

Background: NERC CIP-015

In January of 2023 the Federal Energy Regulatory Commission (FERC) released FERC Order 887 which addresses a critical security gap in Critical Infrastructure Protection (CIP) standards, the lack of internal network security monitoring (INSM).

The current NERC CIP standards only require solutions that use traditional detection systems that identify malicious code based on known rules and signatures. The new legislation will now require electric cooperatives to implement INSMs to detect malicious activity in east-west network traffic. INSMs establish a baseline of network activity and detect anomalies that would bypass traditional detection systems, improving an organization’s ability to detect novel threats. Without INSM, organizations have limited visibility into malicious activities inside their networks, leaving them vulnerable if attackers breach initial defenses like firewalls and anti-virus software.

Implementation of NERC CIP-015

Once approved, Bulk Electronic Systems (BESs) will have 36 months to implement INSM, and medium-impact BESs with external routable connectivity (ERC) will have 60 months to do so.

While the approval of the NERC CIP-015 requirements have not been finalized, preparation on the part of electric cooperatives should start as soon as possible. Darktrace is committed to helping electric cooperatives meet the requirements for INSM and help reach compliance standards.

Why is internal network security monitoring important?

NERC CIP-015 aims to enhance the detection of anomalies or unauthorized network activity within CIP environments, underscoring the importance of monitoring East-West traffic within trust zones. This approach enables faster response and recovery times.

INSMs are essential to detecting threats that bypass traditional defenses. For example, insider threats, sophisticated new attack techniques, and threats that exploit compromised credentials—such as those obtained through phishing or other malicious activities—can easily bypass traditional firewalls and antivirus software. These threats either introduce novel methods or leverage legitimate access, making them difficult to detect.

INSMs don’t rely on rules and signatures to detect anomalous activity, they spot abnormalities in network traffic and create alerts based on this activity making them vital to detecting sophisticated threats. Additionally, INSM sits behind the firewall and provides detections utilizing the passive monitoring of east west and north south traffic within the enforcement boundary.

Buyers should be aware of the discrepancies between different INSMs. Some systems require constant tuning and updating, external connectivity forcing holes in segmentation or have intrusive deployments that put sensitive OT assets at risk.

What are the NERC CIP-015 requirements?

The goal of this directive is to ensure that cyber threats are identified early in the attack lifecycle by mandating implementation of security systems that detect and speed up mitigation of malicious activity.

The requirements are divided into three sections:

  • Network security monitoring
  • Data retention for anomalous activity
  • Data protection

NERC CIP-015 emphasizes the importance of having documented processes and evidence of implementation, with a focus on risk-based monitoring, anomaly detection, evaluation, retention of data, and protection against unauthorized access. Below is a breakdown of each requirement.

R1: Network Security Monitoring

The NERC CIP-015 requires the implementation of and a documented process for monitoring networks within Electronic Security Perimeters (ESPs) that contain high and medium impact BES Cyber Systems.

Key parts:

Part 1.1: Use a risk-based rationale to implement network data feeds that monitor connections, devices, and communications.

Part 1.2: Detect anomalous network activity using the data feeds.

Part 1.3: Evaluate the anomalous activity to determine necessary actions.

M1: Evidence for R1 Implementation: Documentation of processes, including risk-based rationale for data collection, detection events, configuration settings, and network baselines.

Incorporating automated solutions for network baselining is essential for effective internal monitoring, especially in diverse environments like substations and control centers. Each environment requires unique baselines—what’s typical for a substation may differ significantly from a control center, making manual monitoring impractical.

A continuous internal monitoring solution powered by artificial intelligence (AI) simplifies this challenge by instantly detecting all connected assets, dynamically learning the environment’s baseline behavior, and identifying anomalies in real-time. Unlike traditional methods, Darktrace’s AI-driven approach requires no external connectivity or repeated tuning, offering a seamless, adaptive solution for maintaining secure operations across all environments.

R2: Data Retention for Anomalous Activity

Documented processes must be in place to retain network security data related to detected anomalies until the required actions are completed.

Note: Data that does not relate to detected anomalies (Part 1.2) is not required to be retained.

M2: Evidence for Data Retention (R2): Documentation of data retention processes, system configurations, or reports showing compliance with R2.

R3: Data Protection: Implement documented processes to protect the collected security monitoring data from unauthorized deletion or modification.

M3: Evidence for Data Protection (R3): Documentation demonstrating how network security monitoring data is protected from unauthorized access or changes.

How to choose the right INSM for your organization?

Several vendors will offer INSM, but how do you choose the right solution for your organization?

Here are seven questions to help you get started evaluating potential INSM vendors:

  1. How does the solution help with ongoing compliance and reporting including CIP-015? Or any other regulations we comply with?
  2. Does the solution provide real-time monitoring of east-west traffic across critical systems? And what kind of threats has it proven capable of finding?
  3. How deep is the traffic visibility—does it offer Layer 7 (application) insights, or is it limited to Layers 3-4?
  4. Is the solution compatible with our existing infrastructure (firewalls, IDS/IPS, SIEM, OT networks)?
  5. Is this solution inline, passive, or hybrid? What impact will it have on network latency?
  6. Does the vendor have experience with electric utilities or critical infrastructure environments?
  7. Where and how are logs and monitoring data stored?

How Darktrace helps electric utilities with INSM requirements

Darktrace's ActiveAI Security Platform is uniquely designed to continuously monitor network activity and detect anomalous activity across both IT and OT environments successfully detecting insider threats and novel ransomware, while accelerating time to detection and incident reporting.

Most INSM solutions require repeated baselining, which creates more work and increases the likelihood of false positives, as even minor deviations trigger alerts. Since networks are constantly changing, baselines need to adjust in real time. Unlike these solutions, Darktrace does not depend on external connectivity or cloud access over the public internet. Our passive network analysis requires no agents or intrusive scanning, minimizing disruptions and reducing risks to OT systems.

Darktrace's AI-driven threat detection, asset management, and incident response capabilities can help organizations comply with the requirements of NERC CIP-015 for internal network security monitoring and data protection. Built specifically to deploy in OT environments, Darktrace / OT comprehensively manages, detects, evaluates, and protects network activity and anomalous events across IT and OT environments, facilitating adherence to regulatory requirements like data retention and anomaly management.

See how INSM with Darktrace can enhance your security operations, schedule a personalized demo today.

Disclaimer

The information provided in this blog is intended for informational purposes only and reflects Darktrace’s understanding of the NERC CIP-015 INSM requirements as of the publication date. While every effort has been made to ensure the accuracy and reliability of the content, Darktrace makes no warranties or representations regarding its accuracy, completeness, or applicability to specific situations. This blog does not constitute legal or compliance advice and readers are encouraged to consult with qualified professionals for guidance specific to their circumstances. Darktrace disclaims any liability for actions taken or not taken based on the information contained herein.

References

1.     https://www.nerc.com/pa/Stand/Reliability%20Standards/CIP-015-1.pdf

Continue reading
About the author
Daniel Simonds
Director of Operational Technology
Your data. Our AI.
Elevate your network security with Darktrace AI