Blog
/
Compliance
/
July 17, 2024

What you need to know about the new SEC Cybersecurity rules

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
17
Jul 2024
In July 2023, the U.S. Securities and Exchange Commission (SEC) adopted new rules concerning cybersecurity incidents and disclosures. This blog describes the new rules and demonstrates how Darktrace can help organizations achieve compliance with these standards.

What is new in 2023 to SEC cybersecurity rules?

Form 8-K Item 1.05: Requiring the timely disclosure of material cybersecurity incidents.

Regulation S-K item 106: requiring registrants’ annual reports on Form 10-K to address cybersecurity risk management, strategy, and governance processes.

Comparable disclosures are required for reporting foreign private issuers on Forms 6-K and 20-F respectively.

What is Form 8-K Item 1.05 SEC cybersecurity rules?

Form 8-K Item 1.05 requires the following to be reported within four business days from when an incident is determined to be “material” (1), unless extensions are granted by the SEC under certain qualifying conditions:

“If the registrant experiences a cybersecurity incident that is determined by the registrant to be material, describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.” (2, 3)

How does the SEC define cybersecurity incident?

Cybersecurity incident defined by the SEC means an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein. (4)

How can Darktrace assist in the process of disclosing incidents to the SEC?

Accelerate reporting

Darktrace’s Cyber AI Analyst generates automated reports that synthesize discrete data points potentially indicative of cybersecurity threats, forming reports that provide an overview of the evolution and impact of a threat.

Thus, when a potential threat is identified by Darktrace, AI Analyst can quickly compile information that organizations might include in their disclosure of an occurrence they determined to be material, including the following: incident timelines, incident events, incident summary, related model breaches, investigation process (i.e., how Darktrace’s AI conducted the investigation), linked incident events, and incident details. The figure below illustrates how Darktrace compiles and presents incident information and insights in the UI.

Overview of information provided in an ‘AI Analyst Report’ that could be relevant to registrants reporting a material cybersecurity incident to the SEC
Figure 1: Overview of information provided in an ‘AI Analyst Report’ that could be relevant to registrants reporting a material cybersecurity incident to the SEC

It should be noted that Instruction 4 to the new Form 8-K Item 1.05 specifies the “registrant need not disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident” (5).

As such, the incident report generated by Darktrace may provide more information, including technical details, than is needed for the 8-K disclosure. In general, users should take appropriate measures to ensure that the information they provide in SEC reports meets the requirements outlined by the relevant regulations. Darktrace cannot recommend that an incident should be reported, nor report an incident itself.

Determine if a cybersecurity incident is material

Item 1.05 requires registrants to determine for themselves whether cybersecurity incidents qualify as ‘material’. This involves considerations such as ‘the nature scope and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.’

While it is up to the registrant to determine, consistent with existing legal standards, the materiality of an incident, Darktrace’s solution can provide relevant information which might aid in this evaluation. Darktrace’s Threat Visualizer user interface provides a 3-D visualization of an organization’s digital environment, allowing users to assess the likely degree to which an attack may have spread throughout their digital environment. Darktrace Cyber AI Analyst identifies connections among discrete occurrences of threatening activity, which can help registrants quickly assess the ‘scope and timing of an incident'.

Furthermore, in order to establish materiality it would be useful to understand how an attack might extend across recipients and environments. In the image below, Darktrace/Email identifies how a user was impacted across different platforms. In this example, Darktrace/Email identified an attacker that deployed a dual channel social engineering attack via both email and a SaaS platform in an effort to acquire login credentials. In this case, the attacker useding a legitimate SharePoint link that only reveals itself to be malicious upon click. Once the attacker gained the credentials, it proceeded to change email rules to obfuscate its activity.

Darktrace/Email presents this information in one location, making such investigations easier for the end user.

Darktrace/Email indicating a threat across SaaS and email
Figure 2: Darktrace/Email indicating a threat across SaaS and email

What is regulation S-K item 106 of the SEC cybersecurity rules?

The new rules add Item 106 to Regulation S-K requiring registrants to disclose certain information regarding their risk management, strategy, and governance relating to cybersecurity in their annual reports on Form 10-K. The new rules add Item 16K to Form 20-F to require comparable disclosure by [foreign private issuers] in their annual reports on Form 20-F. (6)

SEC cybersecurity rules: Risk management

Specifically, with respect to risk management, Item 106(b) and Item 16K(b) require registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect them. The new rules include a non-exclusive list of disclosure items registrants should provide based on their facts and circumstances. (6)

SEC cybersecurity rules: Governance

With respect to governance, Item 106 and Item 16K require registrants to describe the board of directors’ oversight of risks from cybersecurity threats (including identifying any board committee or subcommittee responsible for such oversight) and management’s role in assessing and managing material risks from cybersecurity threats. (6)

How can Darktrace solutions aid in disclosing their risk management, strategy, and governance related to cybersecurity?

Impact scores

Darktrace End-to-End (E2E) leverages AI to understand the complex relationships across users and devices to model possible attack paths, giving security teams a contextual understanding of risk across their digital environments beyond isolated CVEs or CVSS scores. Additionally, teams can prioritize risk management actions to increase their cyber resilience through the E2E Advisory dashboard.

Attack paths consider:

  • Potential damages: Both the potential consequences if a given device was compromised and its immediate implications on other devices.
  • Exposure: Devices' level of interactivity and accessibility. For example, how many emails does a user get via mailing lists and from what kind of sources?
  • Impact: Where a user or asset sits in terms of the IT or business hierarchy and how they communicate with each other. Darktrace can simulate a range of possible outcomes for an uncertain event.
  • Weakness: A device’s patch latency and difficulty, a composite metric that looks at attacker MITRE methods and our own scores to determine how hard each stage of compromise is to achieve.

Because the SEC cybersecurity rules require “oversight of risks from cybersecurity threats” and “management’s role in assessing and managing material risks from cybersecurity threats” (6), the scores generated by Darktrace E2E can aid end-user’s ability to identify risks facing their organization and assign responsibilities to address those risks.

E2E attack paths leverage a deep understanding of a customer’ digital environment and highlight potential attack routes that an attacker could leverage to reach critical assets or entities. Difficulty scores (see Figure 5) allow security teams to measure potential damage, exposure, and impact of an attack on a specific asset or entity.

An example of an attack path in a digital environment
Figure 3: An example of an attack path in a digital environment

Automatic executive threat reports

Darktrace’s solution automatically produces Executive Threat Reports that present a simple visual overview of model breaches (i.e., indicators of unusual and threatening behaviors) and activity in the network environment. Reports can be customized to include extra details or restricted to high level information.

These reports can be generated on a weekly, quarterly, and yearly basis, and can be documented by registrants in relation to Item 106(b) to document parts of their efforts toward assessing, identifying, and managing material risks from cybersecurity threats.

Moreover, Cyber AI Analyst incident reports (described above) can be leveraged to document key details concerning significant previous incidents identified by the Darktrace solution that the registrant determined to be ‘material’.

While the disclosures required by Item 106(c) relate to the governance processes by which the board of directors, the management, and other responsible bodies within an organization oversee risks resulting from cybersecurity threats, the information provided by Darktrace’s Executive Threat Reports and Cyber AI Analyst incident reports can also help relevant stakeholders communicate more effectively regarding the threat landscape and previous incidents.

DISCLAIMER

The material above is provided for informational purposes only. This summary does not constitute legal or compliance advice, recommendations, or guidance. Darktrace encourages you to verify the contents of this summary with your own advisors.

References

  1. Note that the rule does not set forth any specific timeline between the incident and the materiality determination, but the materiality determination should be made without unreasonable delay.
  2. https://www.sec.gov/files/form8-k.pdf
  3. https://www.sec.gov/news/press-release/2023-139
  4. https://www.ecfr.gov/current/title-17/chapter-II/part-229
  5. https://www.sec.gov/files/form8-k.pdf
  6. https://www.sec.gov/corpfin/secg-cybersecurity
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Author
Kendra Gonzalez Duran
Director, Field CISO

Kendra Gonzalez Duran is Director, Field CISO at Darktrace, a leading AI company for cyber defense. At Darktrace, Kendra works with leading organizations in a range of industries to deploy and operationalize cutting edge technologies. During Kendra’s tenure at Darktrace, the company has grown to over 4500 customers and has been the recipient of numerous achievements, including The Golden Bridge Awards – Company of the year and Fortress Cybersecurity Award for Antigena Email. Kendra holds a Bachelor’s degree from University of California, Berkeley and is based in Darktrace’s Los Angeles office.

Book a 1-1 meeting with one of our experts
Share this article

More in this series

No items found.

Blog

/

AI

/

March 11, 2025

Survey findings: AI Cyber Threats are a Reality, the People are Acting Now

Default blog imageDefault blog image

Artificial intelligence is changing the cybersecurity field as fast as any other, both on the offensive and defensive side. We surveyed over 1,500 cybersecurity professionals from around the world to uncover their attitudes, understanding, and priorities when it comes to AI cybersecurity in 2025. Our full report, unearthing some telling trends, is out now.

Download the full report to explore these findings in depth

How is AI impacting the threat landscape?

state of ai in cybersecurity report graphic showing ai powered cyber threats having an impact on organizations

Nearly 74% of participants say AI-powered threats are a major challenge for their organization and 90% expect these threats to have a significant impact over the next one to two years, a slight increase from last year. These statistics highlight that AI is not just an emerging risk but a present and evolving one.

As attackers harness AI to automate and scale their operations, security teams must adapt just as quickly. Organizations that fail to prioritize AI-specific security measures risk falling behind, making proactive defense strategies more critical than ever.

Some of the most pressing AI-driven cyber threats include:

  • AI-powered social engineering: Attackers are leveraging AI to craft highly personalized and convincing phishing emails, making them harder to detect and more likely to bypass traditional defenses.
  • More advanced attacks at speed and scale: AI lowers the barrier for less skilled threat actors, allowing them to launch sophisticated attacks with minimal effort.
  • Attacks targeting AI systems: Cybercriminals are increasingly going after AI itself, compromising machine learning models, tampering with training data, and exploiting vulnerabilities in AI-driven applications and APIs.

Safe and secure use of AI

AI is having an effect on the cyber-threat landscape, but it also is starting to impact every aspect of a business – from marketing to HR to operations. The accessibility of AI tools for employees improves workflows, but also poses risks like data privacy violations, shadow AI, and violation of industry regulations.

How are security practitioners accommodating for this uptick in AI use across business?

Among survey participants 45% of security practitioners say they had already established a policy on the safe and secure use of AI and around 50% are in discussions to do so.

While almost all participants acknowledge that this is a topic that needs to be addressed, the gap between discussion and execution could underscore a need for greater insight, stronger leadership commitment, and adaptable security frameworks to keep pace with AI advancements in the workplace. The most popular actions taken are:

  1. Implemented security controls to prevent unwanted exposure of corporate data when using AI technology (67%)
  2. Implemented security controls to protect against other threats/risks associated with using AI technology (62%)

This year specifically, we see further action being taken with the implementation of security controls, training, and oversight.

For a more detailed breakdown that includes results based on industry and organizational size, download the full report here.

AI threats are rising, but security teams still face major challenges

78% of CISOs say AI-powered cyber-threats are already having a significant impact on their organization, a 5% increase from last year.

While cyber professionals feel more prepared for AI powered threats than they did 12 months ago, 45% still say their organization is not adequately prepared—down from 60% last year.

Despite this optimism, key challenges remain, including:

  • A shortage of personnel to manage tools and alerts
  • Gaps in knowledge and skills related to AI-driven countermeasures

Confidence in traditional security tools vs. new AI based tools

This year, 73% of survey participants expressed confidence in their security team’s proficiency in using AI within their tool stack, marking an increase from the previous year.

However, only 50% of participants have confidence in traditional cybersecurity tools to detect and block AI-powered threats. In contrast, 75% of participants are confident in AI-powered security solutions for detecting and blocking such threats and attacks.

As leading organizations continue to implement and optimize their use of AI, they are incorporating it into an increasing number of workflows. This growing familiarity with AI is likely to boost the confidence levels of practitioners even further.

The data indicates a clear trend towards greater reliance on AI-powered security solutions over traditional tools. As organizations become more adept at integrating AI into their operations, their confidence in these advanced technologies grows.

This shift underscores the importance of staying current with AI advancements and ensuring that security teams are well-trained in utilizing these tools effectively. The increasing confidence in AI-driven solutions reflects their potential to enhance cybersecurity measures and better protect against sophisticated threats.

State of AI report

Download the full report to explore these findings in depth

The full report for Darktrace’s State of AI Cybersecurity is out now. Download the paper to dig deeper into these trends, and see how results differ by industry, region, organization size, and job title.  

Continue reading
About the author
The Darktrace Community

Blog

/

Network

/

March 11, 2025

Darktrace's Early Detection of the Latest Ivanti Exploits

Default blog imageDefault blog image

As reported in Darktrace’s 2024 Annual Threat Report, the exploitation of Common Vulnerabilities and Exposures (CVEs) in edge infrastructure has consistently been a significant concern across the threat landscape, with internet-facing assets remaining highly attractive to various threat actors.

Back in January 2024, the Darktrace Threat Research team investigated a surge of malicious activity from zero-day vulnerabilities such as those at the time on Ivanti Connect Secure (CS) and Ivanti Policy Secure (PS) appliances. These vulnerabilities were disclosed by Ivanti in January 2024 as CVE-2023-46805 (Authentication bypass vulnerability) and CVE-2024-21887 (Command injection vulnerability), where these two together allowed for unauthenticated, remote code execution (RCE) on vulnerable Ivanti systems.

What are the latest vulnerabilities in Ivanti products?

In early January 2025, two new vulnerabilities were disclosed in Ivanti CS and PS, as well as their Zero Trust Access (ZTA) gateway products.

  • CVE-2025-0282: A stack-based buffer overflow vulnerability. Successful exploitation could lead to unauthenticated remote code execution, allowing attackers to execute arbitrary code on the affected system [1]
  • CVE-2025-0283: When combined with CVE-2025-0282, this vulnerability could allow a local authenticated attacker to escalate privileges, gaining higher-level access on the affected system [1]

Ivanti also released a statement noting they are currently not aware of any exploitation of CVE-2025-0283 at the time of disclosure [1].

Darktrace coverage of Ivanti

The Darktrace Threat Research team investigated the new Ivanti vulnerabilities across their customer base and discovered suspicious activity on two customer networks. Indicators of Compromise (IoCs) potentially indicative of successful exploitation of CVE-2025-0282 were identified as early as December 2024, 11 days before they had been publicly disclosed by Ivanti.

Case 1: December 2024

Authentication with a Privileged Credential

Darktrace initially detected suspicious activity connected with the exploitation of CVE-2025-0282 on December 29, 2024, when a customer device was observed logging into the network via SMB using the credential “svc_negbackups”, before authenticating with the credential “svc_negba” via RDP.

This likely represented a threat actor attempting to identify vulnerabilities within the system or application and escalate their privileges from a basic user account to a more privileged one. Darktrace / NETWORK recognized that the credential “svc_negbackups” was new for this device and therefore deemed it suspicious.

Darktrace / NETWORK’s detection of the unusual use of a new credential.
Figure 1: Darktrace / NETWORK’s detection of the unusual use of a new credential.

Likely Malicious File Download

Shortly after authentication with the privileged credential, Darktrace observed the device performing an SMB write to the C$ share, where a likely malicious executable file, ‘DeElevate64.exe’ was detected. While this is a legitimate Windows file, it can be abused by malicious actors for Dynamic-Link Library (DLL) sideloading, where malicious files are transferred onto other devices before executing malware. There have been external reports indicating that threat actors have utilized this technique when exploiting the Ivanti vulnerabilities [2].

Darktrace’s detection the SMB write of the likely malicious file ‘DeElevate64.exe’ on December 29, 2024.
Figure 2: Darktrace’s detection the SMB write of the likely malicious file ‘DeElevate64.exe’ on December 29, 2024.

Shortly after, a high volume of SMB login failures using the credential “svc_counteract-ext” was observed, suggesting potential brute forcing activity. The suspicious nature of this activity triggered an Enhanced Monitoring model alert that was escalated to Darktrace’s Security Operations Center (SOC) for further investigation and prompt notification, as the customer was subscribed to the Security Operations Support service.  Enhanced Monitoring are high-fidelity models detect activities that are more likely to be indicative of compromise

Suspicious Scanning and Internal Reconnaissance

Darktrace then went on to observe the device carrying out network scanning activity as well as anomalous ITaskScheduler activity. Threat actors can exploit the task scheduler to facilitate the initial or recurring execution of malicious code by a trusted system process, often with elevated permissions. The same device was also seen carrying out uncommon WMI activity.

Darktrace’s detection of a suspicious network scan from the compromised device.
Figure 3: Darktrace’s detection of a suspicious network scan from the compromised device.

Further information on the suspicious scanning activity retrieved by Cyber AI Analyst, including total number of connections and ports scanned.
Figure 4: Further information on the suspicious scanning activity retrieved by Cyber AI Analyst, including total number of connections and ports scanned.
Darktrace’s detection of a significant spike in WMI activity represented by DCE_RPC protocol request increases at the time, with little to no activity observed one week either side.
Figure 5: Darktrace’s detection of a significant spike in WMI activity represented by DCE_RPC protocol request increases at the time, with little to no activity observed one week either side.

Case 2: January 2025

Suspicious File Downloads

On January 13, 2025, Darktrace began to observe activity related to the exploitation of CVE-2025-0282  on the network of another customer, with one in particular device attempting to download likely malicious files.

Firstly, Darktrace observed the device making a GET request for the file “DeElevator64.dll” hosted on the IP 104.238.130[.]185. The device proceeded to download another file, this time “‘DeElevate64.exe”. from the same IP. This was followed by the download of “DeElevator64.dll”, similar to the case observed in December 2024. External reporting indicates that this DLL has been used by actors exploiting CVE-2025-0282 to sideload backdoor into infected systems [2]

Darktrace’s detection of the download of the suspicious file “DeElevator64.dll” on January 13, 2025.
Figure 6: Darktrace’s detection of the download of the suspicious file “DeElevator64.dll” on January 13, 2025.

Suspicious Internal Activity

Just like the previous case, on January 15, the same device was observed making numerous internal connections consistent with network scanning activity, as well as DCE-RPC requests.

Just a few minutes later, Darktrace again detected the use of a new administrative credential, observing the following details:

  • domain=REDACTED hostname=DESKTOP-1JIMIV3 auth_successful=T result=success ntlm_version=2 .

The hostname observed by Darktrace, “DESKTOP-1JIMIV3,” has also been identified by other external vendors and was associated with a remote computer name seen accessing compromised accounts [2].

Darktrace also observed the device performing an SMB write of an additional file, “to.bat,” which may have represented another malicious file loaded from the DLL files that the device had downloaded earlier. It is possible this represented the threat actor attempting to deploy a remote scheduled task.

Darktrace’s detection of SMB Write of the suspicious file “to.bat”.
Figure 7: Darktrace’s detection of SMB Write of the suspicious file “to.bat”.

Further investigation revealed that the device was likely a Veeam server, with its MAC address indicating it was a VMware device. It also appeared that the Veeam server was capturing activities referenced from the hostname DESKTOP-1JIMIV3. This may be analogous to the remote computer name reported by external researchers as accessing accounts [2]. However, this activity might also suggest that while the same threat actor and tools could be involved, they may be targeting a different vulnerability in this instance.

Autonomous Response

In this case, the customer had Darktrace’s Autonomous Response capability enabled on their network. As a result, Darktrace was able to contain the compromise and shut down any ongoing suspicious connectivity by blocking internal connections and enforcing a “pattern of life” on the affected device. This action allows a device to make its usual connections while blocking any that deviate from expected behavior. These mitigative actions by Darktrace ensured that the compromise was promptly halted, preventing any further damage to the customer’s environment.

Darktrace's Autonomous Response capability actively mitigating the suspicious internal connectivity.
Figure 8: Darktrace's Autonomous Response capability actively mitigating the suspicious internal connectivity.

Conclusion

If the previous blog in January 2024 was a stark reminder of the threat posed by malicious actors exploiting Internet-facing assets, the recent activities surrounding CVE-2025-0282 and CVE-2025-0283 emphasize this even further.

Based on the telemetry available to Darktrace, a wide range of malicious activities were identified, including the malicious use of administrative credentials, the download of suspicious files, and network scanning in the cases investigated .

These activities included the download of suspicious files such as “DeElevate64.exe” and “DeElevator64.dll” potentially used by attackers to sideload backdoors into infected systems. The suspicious hostname DESKTOP-1JIMIV3 was also observed and appears to be associated with a remote computer name seen accessing compromised accounts. These activities are far from exhaustive, and many more will undoubtedly be uncovered as threat actors evolve.

Fortunately, Darktrace was able to swiftly detect and respond to suspicious network activity linked to the latest Ivanti vulnerabilities, sometimes even before these vulnerabilities were publicly disclosed.

Credit to: Nahisha Nobregas, Senior Cyber Analyst, Emma Foulger, Principle Cyber Analyst, Ryan Trail, Analyst Content Lead and the Darktrace Threat Research Team

Appendices

Darktrace Model Detections

Case 1

·      Anomalous Connection / Unusual Admin SMB Session

·      Anomalous File / EXE from Rare External Location

·      Anomalous File / Internal / Unusual SMB Script Write

·      Anomalous File / Multiple EXE from Rare External Locations

·      Anomalous File / Script from Rare External Location

·      Compliance / SMB Drive Write

·      Device / Multiple Lateral Movement Model Alerts

·      Device / Network Range Scan

·      Device / Network Scan

·      Device / New or Uncommon WMI Activity

·      Device / RDP Scan

·      Device / Suspicious Network Scan Activity

·      Device / Suspicious SMB Scanning Activity

·      User / New Admin Credentials on Client

·      User / New Admin Credentials on Server 

Case 2

·      Anomalous Connection / Unusual Admin SMB Session

·      Anomalous Connection / Unusual Admin RDP Session

·      Compliance / SMB Drive Write

·      Device / Multiple Lateral Movement Model Alerts

·      Device / SMB Lateral Movement

·      Device / Possible SMB/NTLM Brute Force

·      Device / Suspicious SMB Scanning Activity

·      Device / Network Scan

·      Device / RDP Scan

·      Device / Large Number of Model Alerts

·      Device / Anomalous ITaskScheduler Activity

·      Device / Suspicious Network Scan Activity

·      Device / New or Uncommon WMI Activity

List of IoCs Possible IoCs:

·      DeElevator64.dll

·      deelevator64.dll

·      DeElevate64.exe

·      deelevator64.dll

·      deelevate64.exe

·      to.bat

Mid-high confidence IoCs:

-       104.238.130[.]185

-       http://104.238.130[.]185/DeElevate64.exe

-       http://104.238.130[.]185/DeElevator64.dll

-       DESKTOP-1JIMIV3

References:

1.     https://www.ivanti.com/blog/security-update-ivanti-connect-secure-policy-secure-and-neurons-for-zta-gateways

2.     https://unit42.paloaltonetworks.com/threat-brief-ivanti-cve-2025-0282-cve-2025-0283/

3.     https://www.proofpoint.com/uk/blog/identity-threat-defense/privilege-escalation-attack#:~:text=In%20this%20approach%2C%20attackers%20exploit,handing%20over%20their%20login%20credentials

Continue reading
About the author
Hugh Turnbull
Cyber Analyst
Your data. Our AI.
Elevate your network security with Darktrace AI