Blog
/
AI
/
April 4, 2022

Explore Internet-Facing System Vulnerabilities

Read about 2021's top four incidents and how Darktrace's advanced threat detection technology identified and mitigated vulnerabilities. Learn more.
Written by
Sam Lister
SOC Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Sam Lister
SOC Analyst
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
04
Apr 2022

By virtue of their exposure, Internet-facing systems (i.e., systems which have ports open/exposed to the wider Internet) are particularly susceptible to compromise. Attackers typically compromise Internet-facing systems by exploiting zero-day vulnerabilities in applications they run. During 2021, critical zero-day vulnerabilities in the following applications were publicly disclosed:

Internet-facing systems running these applications were consequently heavily targeted by attackers. In this post, we will provide examples of compromises of these systems observed by Darktrace’s SOC team in 2021. As will become clear, successful exploitation of weaknesses in Internet-facing systems inevitably results in such systems doing things which they do not normally do. Rather than focusing on identifying attempts to exploit these weaknesses, Darktrace focuses on identifying the unusual behaviors which inevitably ensue. The purpose of this post is to highlight the effectiveness of this approach.

Exchange server compromise

In January, researchers from the cyber security company DEVCORE reported a series of critical vulnerabilities in Microsoft Exchange which they dubbed ‘ProxyLogon’.[1] ProxyLogon consists of a server-side request forgery (SSRF) vulnerability (CVE-2021-26855) and a remote code execution (RCE) vulnerability (CVE-2021-27065). Attackers were observed exploiting these vulnerabilities in the wild from as early as January 6.[2] In April, DEVCORE researchers reported another series of critical vulnerabilities in Microsoft Exchange which they dubbed ‘ProxyShell’.[3] ProxyShell consists of a pre-authentication path confusion vulnerability (CVE-2021-34473), a privilege elevation vulnerability (CVE-2021-34523), and a post-authentication RCE vulnerability (CVE-2021-31207). Attackers were first observed exploiting these vulnerabilities in the wild in August.[4] In many cases, attackers exploited the ProxyShell and ProxyLogon vulnerabilities in order to create web shells on the targeted Exchange servers. The presence of these web shells provided attackers with the means to remotely execute commands on the compromised servers.

In early August 2021, by exploiting the ProxyShell vulnerabilities, an attacker gained the rights to remotely execute PowerShell commands on an Internet-facing Exchange server within the network of a US-based transportation company. The attacker subsequently executed a number of PowerShell commands on the server. One of these commands caused the server to make a 28-minute-long SSL connection to a highly unusual external endpoint. Within a couple of hours, the attacker managed to strengthen their foothold within the network by installing AnyDesk and CobaltStrike on several internal devices. In mid-August, the attacker got the devices on which they had installed Cobalt Strike to conduct network reconnaissance and to transfer terabytes of data to the cloud storage service, MEGA. At the end of August, the attacker got the devices on which they had installed AnyDesk to execute Conti ransomware and to spread executable files and script files to further internal devices.

In this example, the attacker’s exploitation of ProxyShell immediately resulted in the Exchange Server making a long SSL connection to an unusual external endpoint. This connection caused the model Device / Long Agent Connection to New Endpoint to breach. The subsequent reconnaissance, lateral movement, C2, external data transfer, and encryption behavior brought about by the attacker were also picked up by Darktrace’s models.

A non-exhaustive list of the models that breached as a result of the behavior brought about by the attacker:

  • Device / Long Agent Connection to New Endpoint
  • Device / ICMP Address Scan
  • Anomalous Connection / SMB Enumeration
  • Anomalous Server Activity / Outgoing from Server
  • Compromise / Beacon to Young Endpoint
  • Anomalous Server Activity / Rare External from Server
  • Compromise / Fast Beaconing to DGA
  • Compromise / SSL or HTTP Beacon
  • Compromise / Sustained SSL or HTTP Increase
  • Compromise / Beacon for 4 Days
  • Anomalous Connection / Multiple HTTP POSTs to Rare Hostname
  • Unusual Activity / Enhanced Unusual External Data Transfer
  • Anomalous Connection / Data Sent to Rare Domain
  • Anomalous Connection / Uncommon 1 GiB Outbound
  • Compliance / SMB Drive Write
  • Anomalous File / Internal / Additional Extension Appended to SMB File
  • Anomalous Connection / Suspicious Read Write Ratio
  • Anomalous Connection / Suspicious Read Write Ratio and Unusual SMB
  • Anomalous Connection / Sustained MIME Type Conversion
  • Unusual Activity / Anomalous SMB Move & Write
  • Unusual Activity / Unusual Internal Data Volume as Client or Server
  • Device / Suspicious File Writes to Multiple Hidden SMB Shares
  • Compromise / Ransomware / Suspicious SMB Activity
  • Anomalous File / Internal / Unusual SMB Script Write
  • Anomalous File / Internal / Masqueraded Executable SMB Write
  • Device / SMB Lateral Movement
  • Device / Multiple Lateral Movement Model Breaches

Confluence server compromise

Atlassian’s Confluence is an application which provides the means for building collaborative, virtual workspaces. In the era of remote working, the value of such an application is undeniable. The public disclosure of a critical remote code execution (RCE) vulnerability (CVE-2021-26084) in Confluence in August 2021 thus provided a prime opportunity for attackers to cause havoc. The vulnerability, which arises from the use of Object-Graph Navigation Language (OGNL) in Confluence’s tag system, provides attackers with the means to remotely execute code on vulnerable Confluence server by sending a crafted HTTP request containing a malicious parameter.[5] Attackers were first observed exploiting this vulnerability towards the end of August, and in the majority of cases, attackers exploited the vulnerability in order to install crypto-mining tools onto vulnerable servers.[6]

At the beginning of September 2021, an attacker was observed exploiting CVE-2021-26084 in order to install the crypto-mining tool, XMRig, as well as a shell script, onto an Internet-facing Confluence server within the network of an EMEA-based television and broadcasting company. Within a couple of hours, the attacker installed files associated with the crypto-mining malware, Kinsing, onto the server. The Kinsing-infected server then immediately began to communicate over HTTP with the attacker’s C2 infrastructure. Around the time of this activity, the server was observed using the MinerGate crypto-mining protocol, indicating that the server had begun to mine cryptocurrency.

In this example, the attacker’s exploitation of CVE-2021-26084 immediately resulted in the Confluence server making an HTTP GET request with an unusual user-agent string (one associated with curl in this case) to a rare external IP. This behavior caused the models Device / New User Agent, Anomalous Connection / New User Agent to IP Without Hostname, and Anomalous File / Script from Rare Location to breach. The subsequent file downloads, C2 traffic and crypto-mining activity also resulted in several models breaching.

A non-exhaustive list of the models which breached as a result of the unusual behavior brought about by the attacker:

  • Device / New User Agent
  • Anomalous Connection / New User Agent to IP Without Hostname
  • Anomalous File / Script from Rare Location
  • Anomalous File / EXE from Rare External Location
  • Anomalous File / Internet Facing System File Download
  • Device / Initial Breach Chain Compromise
  • Anomalous Connection / Posting HTTP to IP Without Hostname
  • Compliance / Crypto Currency Mining Activity
  • Compromise / High Priority Crypto Currency Mining
  • Device / Internet Facing Device with High Priority Alert

GitLab server compromise

GitLab is an application providing services ranging from project planning to source code management. Back in April 2021, a critical RCE vulnerability (CVE-2021-22205) in GitLab was publicly reported by a cyber security researcher via the bug bounty platform, HackerOne.[7] The vulnerability, which arises from GitLab’s use of ExifTool for removing metadata from image files, [8] enables attackers to remotely execute code on vulnerable GitLab servers by uploading specially crafted image files.[9] Attackers were first observed exploiting CVE-2021-22205 in the wild in June/July.[10] A surge in exploitations of the vulnerability was observed at the end of October, with attackers exploiting the flaw in order to assemble botnets.[11] Darktrace observed a significant number of cases in which attackers exploited the vulnerability in order to install crypto-mining tools onto vulnerable GitLab servers.

On October 29, an attacker successfully exploited CVE-2021-22205 on an Internet-facing GitLab server within the network of a UK-based education provider. The organization was trialing Darktrace when this incident occurred. The attacker installed several executable files and shell scripts onto the server by exploiting the vulnerability. The attacker communicated with the compromised server (using unusual ports) for several days, before making the server transfer large volumes of data externally and download the crypto-mining tool, XMRig, as well as the botnet malware, Mirai. The server was consequently observed making connections to the crypto-mining pool, C3Pool.

In this example, the attacker’s exploitation of the vulnerability in GitLab immediately resulted in the server making an HTTP GET request with an unusual user-agent string (one associated with Wget in this case) to a rare external IP. The models Anomalous Connection / New User Agent to IP Without Hostname and Anomalous File / EXE from Rare External Location breached as a result of this behavior. The attacker’s subsequent activity on the server over the next few days resulted in frequent model breaches.

A non-exhaustive list of the models which breached as a result of the attacker’s activity on the server:

  • Anomalous Connection / New User Agent to IP Without Hostname
  • Anomalous File / EXE from Rare External Location
  • Anomalous File / Multiple EXE from Rare External Locations
  • Anomalous File / Internet Facing Device with High Priority Alert
  • Anomalous File / Script from Rare Location
  • Anomalous Connection / Application Protocol on Uncommon Port
  • Anomalous Connection / Anomalous SSL without SNI to New External
  • Device / Initial Breach Chain Compromise
  • Unusual Activity / Unusual External Data to New IPs
  • Anomalous Server Activity / Outgoing from Server
  • Device / Large Number of Model Breaches from Critical Network Device
  • Anomalous Connection / Data Sent to Rare Domain
  • Compromise / Suspicious File and C2
  • Unusual Activity / Enhanced Unusual External Data Transfer
  • Compliance / Crypto Currency Mining Activity
  • Compliance / High Priority Crypto Currency Mining
  • Anomalous File / Zip or Gzip from Rare External Location
  • Compromise / Monero Mining
  • Device / Internet Facing Device with High Priority Alert
  • Anomalous Server Activity / Rare External from Server
  • Compromise / Slow Beaconing Activity To External Rare
  • Compromise / Beaconing Activity To External Rare
  • Compromise / HTTP Beaconing to Rare Destination
  • Compromise / High Volume of Connections with Beacon Score
  • Anomalous File / Numeric Exe Download

Log4j server compromise

On December 9 2021, a critical RCE vulnerability (dubbed ‘Log4Shell’) in version 2 of Apache’s Log4j was publicly disclosed by researchers at LunaSec.[12] As a logging library present in potentially millions of Java applications,[13] Log4j constitutes an obscured, yet ubiquitous feature of the digital world. The vulnerability (CVE-2021-44228), which arises from Log4j’s Java Naming and Directory Interface (JNDI) Lookup feature, enables an attacker to make a vulnerable server download and execute a malicious Java class file. To exploit the vulnerability, all the attacker must do is submit a specially crafted JNDI lookup request to the server. The fact that Log4j is present in so many applications and that the exploitation of this vulnerability is so simple, Log4Shell has been dubbed the ‘most critical vulnerability of the last decade’.[14] Attackers have been exploiting Log4Shell in the wild since at least December 1.[15] Since then, attackers have been observed exploiting the vulnerability to install crypto-mining tools, Cobalt Strike, and RATs onto vulnerable servers.[16]

On December 10, one day after the public disclosure of Log4Shell, an attacker successfully exploited the vulnerability on a vulnerable Internet-facing server within the network of a US-based architecture company. By exploiting the vulnerability, the attacker managed to get the server to download and execute a Java class file named ‘Exploit69ogQNSQYz.class’. Executing the code in this file caused the server to download a shell script file and a file related to the Kinsing crypto-mining malware. The Kinsing-infected server then went on to communicate over HTTP with a C2 server. Since the customer was using the Proactive Threat Notification (PTN) service, they were immediately alerted to this activity, and the server was subsequently quarantined, preventing crypto-mining activity from taking place.

In this example, the attacker’s exploitation of the zero-day vulnerability immediately resulted in the vulnerable server making an HTTP GET request with an unusual user-agent string (one associated with Java in this case) to a rare external IP. The models Anomalous Connection / Callback on Web Facing Device and Anomalous Connection / New User Agent to IP Without Hostname breached as a result of this behavior. The device’s subsequent file downloads and C2 activity caused several Darktrace models to breach.

A non-exhaustive list of the models which breached as a result of the unusual behavior brought about by the attacker:

  • Anomalous Connection / Callback on Web Facing Device
  • Anomalous Connection / New User Agent to IP Without Hostname
  • Anomalous File / Internet Facing System File Download
  • Anomalous File / Script from Rare External Location
  • Device / Initial Breach Chain Compromise
  • Anomalous Connection / Posting HTTP to IP Without Hostname

Round-up

It is inevitable that attackers will attempt to exploit zero-day vulnerabilities in applications running on Internet-facing devices. Whilst identifying these attempts is useful, the fact that attackers regularly exploit new zero-days makes the task of identifying attempts to exploit them akin to a game of whack-a-mole. Whilst it is uncertain which zero-day vulnerability attackers will exploit next, what is certain is that their exploitation of it will bring about unusual behavior. No matter the vulnerability, whether it be a vulnerability in Microsoft Exchange, Confluence, GitLab, or Log4j, Darktrace will identify the unusual behaviors which inevitably result from its exploitation. By identifying unusual behaviors displayed by Internet-facing devices, Darktrace thus makes it almost impossible for attackers to successfully exploit zero-day vulnerabilities without being detected.

For Darktrace customers who want to find out more about detecting potential compromises of internet-facing devices, refer here for an exclusive supplement to this blog.

Thanks to Andy Lawrence for his contributions.

Footnotes

1. https://devco.re/blog/2021/08/06/a-new-attack-surface-on-MS-exchange-part-1-ProxyLogon/

2. https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/

3. https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell

4. https://www.rapid7.com/blog/post/2021/08/12/proxyshell-more-widespread-exploitation-of-microsoft-exchange-servers/

5. https://www.kaspersky.co.uk/blog/confluence-server-cve-2021-26084/23376/

6. https://www.bleepingcomputer.com/news/security/atlassian-confluence-flaw-actively-exploited-to-install-cryptominers/

7. https://hackerone.com/reports/1154542

8. https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/

9.https://about.gitlab.com/releases/2021/04/14/security-release-gitlab-13-10-3-released/

10. https://www.rapid7.com/blog/post/2021/11/01/gitlab-unauthenticated-remote-code-execution-cve-2021-22205-exploited-in-the-wild/

11. https://www.hackmageddon.com/2021/12/16/1-15-november-2021-cyber-attacks-timeline/

12. https://www.lunasec.io/docs/blog/log4j-zero-day/

13. https://www.csoonline.com/article/3644472/apache-log4j-vulnerability-actively-exploited-impacting-millions-of-java-based-apps.html

14. https://www.theguardian.com/technology/2021/dec/10/software-flaw-most-critical-vulnerability-log-4-shell

15. https://www.rapid7.com/blog/post/2021/12/15/the-everypersons-guide-to-log4shell-cve-2021-44228/

16. https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/

Written by
Sam Lister
SOC Analyst
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Sam Lister
SOC Analyst

Anomaly-based threat hunting: Darktrace's approach in action

May 8, 2025
Nathaniel Jones
VP, Security & AI Strategy, Field CISO
Watch the NIS2 Webinar
Trending blogs
1
Our Annual Survey Reveals How Security Teams Are Adapting to AI-Powered Threats
Mar 4, 2025
2
Darktrace Releases Annual 2024 Threat Insights
Feb 19, 2025
3
From Hype to Reality: How AI is Transforming Cybersecurity Practices
Feb 10, 2025
4
From Containment to Remediation: Darktrace / CLOUD & Cado Reducing MTTR
Mar 6, 2025
5
RansomHub Ransomware: Darktrace’s Investigation of the Newest Tool in ShadowSyndicate's Arsenal
Jan 14, 2025

More in this series

No items found.
Continue reading
AI
April 16, 2025

Introducing Version 2 of Darktrace’s Embedding Model for Investigation of Security Threats (DEMIST-2)

Learn how Darktrace’s DEMIST-2 embedding model delivers high-accuracy threat classification and detection across any environment, outperforming larger models with efficiency and precision.
Margaret Cunningham, PhD
Director, Security & AI Strategy, Field CISO
Read more
AI
April 16, 2025

AI Uncovered: Introducing Darktrace Incident Graph Evaluation for Security Threats (DIGEST)

Discover how Darktrace’s new DIGEST model enhances Cyber AI Analyst by using GNNs and RNNs to score and prioritize threats with expert-level precision before damage is done.
Margaret Cunningham, PhD
Director, Security & AI Strategy, Field CISO
Read more
AI
April 16, 2025

Force Multiply Your Security Team with Agentic AI: How the Industry’s Only True Cyber AI Analyst™ Saves Time and Stop Threats

See how Darktrace Cyber AI Analyst™, an agentic AI virtual analyst, cuts through alert noise, accelerates threat response, and strengthens your security team — all without adding headcount.
Ed Metcalf
Senior Director of Product Marketing, AI & Innovation Products
Read more

Blog

/

/

May 8, 2025

Anomaly-based threat hunting: Darktrace's approach in action

person working on laptopDefault blog imageDefault blog image

What is threat hunting?

Threat hunting in cybersecurity involves proactively and iteratively searching through networks and datasets to detect threats that evade existing automated security solutions. It is an important component of a strong cybersecurity posture.

There are several frameworks that Darktrace analysts use to guide how threat hunting is carried out, some of which are:

  • MITRE Attack
  • Tactics, Techniques, Procedures (TTPs)
  • Diamond Model for Intrusion Analysis
  • Adversary, Infrastructure, Victims, Capabilities
  • Threat Hunt Model – Six Steps
  • Purpose, Scope, Equip, Plan, Execute, Feedback
  • Pyramid of Pain

These frameworks are important in baselining how to run a threat hunt. There are also a combination of different methods that allow defenders diversity– regardless of whether it is a proactive or reactive threat hunt. Some of these are:

  • Hypothesis-based threat hunting
  • Analytics-driven threat hunting
  • Automated/machine learning hunting
  • Indicator of Compromise (IoC) hunting
  • Victim-based threat hunting

Threat hunting with Darktrace

At its core, Darktrace relies on anomaly-based detection methods. It combines various machine learning types that allows it to characterize what constitutes ‘normal’, based on the analysis of many different measures of a device or actor’s behavior. Those types of learning are then curated into what are called models.

Darktrace models leverage anomaly detection and integrate outputs from Darktrace Deep Packet Inspection, telemetry inputs, and additional modules, creating tailored activity detection.

This dynamic understanding allows Darktrace to identify, with a high degree of precision, events or behaviors that are both anomalous and unlikely to be benign.  On top of machine learning models for detection, there is also the ability to change and create models showcasing the tool’s diversity. The Model Editor allows security teams to specify values, priorities, thresholds, and actions they want to detect. That means a team can create custom detection models based on specific use cases or business requirements. Teams can also increase the priority of existing detections based on their own risk assessments to their environment.

This level of dexterity is particularly useful when conducting a threat hunt. As described above, and in previous ‘Inside the SOC’ blogs such a threat hunt can be on a specific threat actor, specific sector, or a  hypothesis-based threat hunt combined with ‘experimenting’ with some of Darktrace’s models.

Conducting a threat hunt in the energy sector with experimental models

In Darktrace’s recent Threat Research report “AI & Cybersecurity: The state of cyber in UK and US energy sectors” Darktrace’s Threat Research team crafted hypothesis-driven threat hunts, building experimental models and investigating existing models to test them and detect malicious activity across Darktrace customers in the energy sector.

For one of the hunts, which hypothesised utilization of PerfectData software and multi-factor authentication (MFA) bypass to compromise user accounts and destruct data, an experimental model was created to detect a Software-as-a-Service (SaaS) user performing activity relating to 'PerfectData Software’, known to allow a threat actor to exfiltrate whole mailboxes as a PST file. Experimental model alerts caused by this anomalous activity were analyzed, in conjunction with existing SaaS and email-related models that would indicate a multi-stage attack in line with the hypothesis.

Whilst hunting, Darktrace researchers found multiple model alerts for this experimental model associated with PerfectData software usage, within energy sector customers, including an oil and gas investment company, as well as other sectors. Upon further investigation, it was also found that in June 2024, a malicious actor had targeted a renewable energy infrastructure provider via a PerfectData Software attack and demonstrated intent to conduct an Operational Technology (OT) attack.

The actor logged into Azure AD from a rare US IP address. They then granted Consent to ‘eM Client’ from the same IP. Shortly after, the actor granted ‘AddServicePrincipal’ via Azure to PerfectData Software. Two days later, the actor created a  new email rule from a London IP to move emails to an RSS Feed Folder, stop processing rules, and mark emails as read. They then accessed mail items in the “\Sent” folder from a malicious IP belonging to anonymization network,  Private Internet Access Virtual Private Network (PIA VPN) [1]. The actor then conducted mass email deletions, deleting multiple instances of emails with subject “[Name] shared "[Company Name] Proposal" With You” from the  “\Sent folder”. The emails’ subject suggests the email likely contains a link to file storage for phishing purposes. The mass deletion likely represented an attempt to obfuscate a potential outbound phishing email campaign.

The Darktrace Model Alert that triggered for the mass deletes of the likely phishing email containing a file storage link.
Figure 1: The Darktrace Model Alert that triggered for the mass deletes of the likely phishing email containing a file storage link.

A month later, the same user was observed downloading mass mLog CSV files related to proprietary and Operational Technology information. In September, three months after the initial attack, another mass download of operational files occurred by this actor, pertaining to operating instructions and measurements, The observed patience and specific file downloads seemingly demonstrated an intent to conduct or research possible OT attack vectors. An attack on OT could have significant impacts including operational downtime, reputational damage, and harm to everyday operations. Darktrace alerted the impacted customer once findings were verified, and subsequent actions were taken by the internal security team to prevent further malicious activity.

Conclusion

Harnessing the power of different tools in a security stack is a key element to cyber defense. The above hypothesis-based threat hunt and custom demonstrated intent to conduct an experimental model creation demonstrates different threat hunting approaches, how Darktrace’s approach can be operationalized, and that proactive threat hunting can be a valuable complement to traditional security controls and is essential for organizations facing increasingly complex threat landscapes.

Credit to Nathaniel Jones (VP, Security & AI Strategy, Field CISO at Darktrace) and Zoe Tilsiter (EMEA Consultancy Lead)

References

  1. https://spur.us/context/191.96.106.219

Continue reading
About the author
Nathaniel Jones
VP, Security & AI Strategy, Field CISO

Blog

/

/

May 6, 2025

Combatting the Top Three Sources of Risk in the Cloud

woman working on laptopDefault blog imageDefault blog image

With cloud computing, organizations are storing data like intellectual property, trade secrets, Personally Identifiable Information (PII), proprietary code and statistics, and other sensitive information in the cloud. If this data were to be accessed by malicious actors, it could incur financial loss, reputational damage, legal liabilities, and business disruption.

Last year data breaches in solely public cloud deployments were the most expensive type of data breach, with an average of $5.17 million USD, a 13.1% increase from the year before.

So, as cloud usage continues to grow, the teams in charge of protecting these deployments must understand the associated cybersecurity risks.

What are cloud risks?

Cloud threats come in many forms, with one of the key types consisting of cloud risks. These arise from challenges in implementing and maintaining cloud infrastructure, which can expose the organization to potential damage, loss, and attacks.

There are three major types of cloud risks:

1. Misconfigurations

As organizations struggle with complex cloud environments, misconfiguration is one of the leading causes of cloud security incidents. These risks occur when cloud settings leave gaps between cloud security solutions and expose data and services to unauthorized access. If discovered by a threat actor, a misconfiguration can be exploited to allow infiltration, lateral movement, escalation, and damage.

With the scale and dynamism of cloud infrastructure and the complexity of hybrid and multi-cloud deployments, security teams face a major challenge in exerting the required visibility and control to identify misconfigurations before they are exploited.

Common causes of misconfiguration come from skill shortages, outdated practices, and manual workflows. For example, potential misconfigurations can occur around firewall zones, isolated file systems, and mount systems, which all require specialized skill to set up and diligent monitoring to maintain

2. Identity and Access Management (IAM) failures

IAM has only increased in importance with the rise of cloud computing and remote working. It allows security teams to control which users can and cannot access sensitive data, applications, and other resources.

Cybersecurity professionals ranked IAM skills as the second most important security skill to have, just behind general cloud and application security.

There are four parts to IAM: authentication, authorization, administration, and auditing and reporting. Within these, there are a lot of subcomponents as well, including but not limited to Single Sign-On (SSO), Two-Factor Authentication (2FA), Multi-Factor Authentication (MFA), and Role-Based Access Control (RBAC).

Security teams are faced with the challenge of allowing enough access for employees, contractors, vendors, and partners to complete their jobs while restricting enough to maintain security. They may struggle to track what users are doing across the cloud, apps, and on-premises servers.

When IAM is misconfigured, it increases the attack surface and can leave accounts with access to resources they do not need to perform their intended roles. This type of risk creates the possibility for threat actors or compromised accounts to gain access to sensitive company data and escalate privileges in cloud environments. It can also allow malicious insiders and users who accidentally violate data protection regulations to cause greater damage.

3. Cross-domain threats

The complexity of hybrid and cloud environments can be exploited by attacks that cross multiple domains, such as traditional network environments, identity systems, SaaS platforms, and cloud environments. These attacks are difficult to detect and mitigate, especially when a security posture is siloed or fragmented.  

Some attack types inherently involve multiple domains, like lateral movement and supply chain attacks, which target both on-premises and cloud networks.  

Challenges in securing against cross-domain threats often come from a lack of unified visibility. If a security team does not have unified visibility across the organization’s domains, gaps between various infrastructures and the teams that manage them can leave organizations vulnerable.

Adopting AI cybersecurity tools to reduce cloud risk

For security teams to defend against misconfigurations, IAM failures, and insecure APIs, they require a combination of enhanced visibility into cloud assets and architectures, better automation, and more advanced analytics. These capabilities can be achieved with AI-powered cybersecurity tools.

Such tools use AI and automation to help teams maintain a clear view of all their assets and activities and consistently enforce security policies.

Darktrace / CLOUD is a Cloud Detection and Response (CDR) solution that makes cloud security accessible to all security teams and SOCs by using AI to identify and correct misconfigurations and other cloud risks in public, hybrid, and multi-cloud environments.

It provides real-time, dynamic architectural modeling, which gives SecOps and DevOps teams a unified view of cloud infrastructures to enhance collaboration and reveal possible misconfigurations and other cloud risks. It continuously evaluates architecture changes and monitors real-time activity, providing audit-ready traceability and proactive risk management.

Real-time visibility into cloud assets and architectures built from network, configuration, and identity and access roles. In this unified view, Darktrace / CLOUD reveals possible misconfigurations and risk paths.
Figure 1: Real-time visibility into cloud assets and architectures built from network, configuration, and identity and access roles. In this unified view, Darktrace / CLOUD reveals possible misconfigurations and risk paths.

Darktrace / CLOUD also offers attack path modeling for the cloud. It can identify exposed assets and highlight internal attack paths to get a dynamic view of the riskiest paths across cloud environments, network environments, and between – enabling security teams to prioritize based on unique business risk and address gaps to prevent future attacks.  

Darktrace’s Self-Learning AI ensures continuous cloud resilience, helping teams move from reactive to proactive defense.

[related-resource]

Continue reading
About the author
Pallavi Singh
Product Marketing Manager, OT Security & Compliance
Your data. Our AI.
Elevate your network security with Darktrace AI