Darktrace Threat Detection
Challenges of threat detection in cybersecurity
Evolving Threats
- Cyber threats are becoming more sophisticated.
- Advanced persistent threats (APTs) and zero-day exploits often bypass traditional detection by mimicking legitimate system processes.
- Insider threats and zero-days are impossible to stop with tools that rely on historical attack data.
Data Overload
- Organizations generate massive amounts of data expanding far beyond on-prem into virtual environments, cloud networks, and hybrid cloud.
- Securing devices that sit outside the corporate network, or that are off-VPN, is difficult because their activity is not seen by on-premises monitoring.
- This data can overwhelm monitoring systems, making it tough to analyze logs and alerts.
- Balancing detection systems is tricky—too sensitive, and you get false positives; not sensitive enough, and threats slip through.
Technology Integration Challenges
- New tech complicates threat detection.
- Encrypted communications, while necessary for privacy, can hide malicious activities.
- Small and medium businesses often lack the resources for effective detection.
Compliance and Adaptation
- Integrating new detection tools with existing systems is a challenge.
- Compliance with regulations adds to the complexity.
- Emerging technologies like IoT and cloud computing require constant updates to detection strategies.
Effectively respond to unusual activity without business disruption
- Business continuity is a huge concern for organizations, especially those with operational technology that provides critical resources to people.
How is Darktrace's threat detection unique?
Traditional NDR solutions: These solutions rely on historical attack data and operate independently of other security technologies, making them blind to novel threats and attacks that traverse multiple areas of an organization’s environment.
Darktrace / NETWORK Threat Detection: Learns what is normal behavior for your entire network, intelligently detecting any activity that could cause business disruption without relying on signatures, rules, or threat intelligence.
Darktrace / NETWORK learns what is normal behavior for your entire network, intelligently detecting any activity that could cause business disruption without relying on signatures, rules or threat intelligence. Our Self-Learning AI contextualizes every network connection and autonomously responds to both known and novel threats in real time, taking targeted actions without disrupting business operations.
Darktrace works across the entire digital ecosystem of your organization to track the full scope of every incident – from email, network and cloud applications to endpoint devices and Operational Technology (OT).
How does Darktrace use AI to detect threats?
Darktrace combines various machine learning types to create the AI that powers its products across the Darktrace ActiveAI Security Platform.
Plugged into the organization’s infrastructure and services, our AI ingests and analyzes the data and its interactions within the environment and forms an understanding of the normal behavior of that environment, right down to the granular details of specific users and devices. The system continually revises its understanding about what is normal based on evolving evidence.
This dynamic understanding of normal means that the AI engine can identify, with a high degree of precision, events or behaviors that are both anomalous and unlikely to be benign.
Our multi-layered AI comes together to achieve behavioral prediction, real-time threat detection and response, and incident investigation, all while empowering your security team with visibility and control.
Behavioral predictions
Training data
- Continuously ingests live data from the organization’s digital environment.
- Integrates third-party data and alerts for a comprehensive security picture.
- AI is uniquely trained per deployment, avoiding generalizations from large data lakes.
- High-fidelity detections tailored to each specific business.
Bayesian probabilistic methods
- Uses Bayesian models that update dynamically with new data.
- Applies unsupervised machine learning to historical and real-time data.
- Builds a ‘pattern of life’ for assets, peer groups, and the organization.
- Continuously recalculates threat levels to identify significant patterns in data flows.
Clustering algorithms
- Identifies normal behavior by comparing entities within the network.
- Uses multiple clustering techniques (matrix-based, density-based, hierarchical).
- Recognizes preexisting compromises and emerging threats before they appear malicious.
- Avoids mislearning malicious behavior as normal by comparing access, roles, and identities.
Anomaly detection models & Bayesian meta-classifier
- Multi-layered AI differentiates between subtle threat indicators.
- Produces outputs with varying degrees of potential threat (risk scores, rarity scores, feature importance).
- Enables rigorous ranking and prioritization of alerts.
Threat detection
Probabilistic and decision tree models
- Correlates multiple events to analyze broader activity patterns.
- AI engine connects anomalous events to risky behavior by understanding normal activity.
- Evaluates anomalies against the MITRE ATT&CK Framework for threat behavior context.
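As an added illustration of the pipeline sketched in the lists above (this is not Darktrace's code; the hand-written tactic rules, the internal-host naming convention and all event records are constructed assumptions), the following Python builds a per-device "pattern of life" from connection records, scores new connections by smoothed rarity, folds benign events back into the baseline so that "normal" keeps evolving, and correlates the remaining anomalies into one device-level incident carrying an illustrative MITRE ATT&CK tactic label:

```python
import math
from collections import Counter, defaultdict

# Constructed baseline history for one workstation: (device, dest_host, dest_port).
BASELINE_EVENTS = (
    [("ws-01", "fileserver.corp", 445)] * 40
    + [("ws-01", "mail.corp", 443)] * 30
    + [("ws-01", "intranet.corp", 80)] * 30
)

# Constructed new traffic to score: one routine connection, three repeated
# contacts with an unseen external host, and SMB to three unseen internal hosts.
NEW_EVENTS = [
    ("ws-01", "mail.corp", 443),
    ("ws-01", "203.0.113.7", 443),
    ("ws-01", "203.0.113.7", 443),
    ("ws-01", "203.0.113.7", 443),
    ("ws-01", "10.0.0.5", 445),
    ("ws-01", "10.0.0.6", 445),
    ("ws-01", "10.0.0.7", 445),
]

INTERNAL_SUFFIXES = (".corp",)   # assumption: how this org names internal hosts
INTERNAL_PREFIXES = ("10.",)     # assumption: this org's internal address space


def build_baseline(events):
    """Per-device 'pattern of life': how often each (host, port) pair was seen."""
    baseline = defaultdict(Counter)
    for dev, host, port in events:
        baseline[dev][(host, port)] += 1
    return baseline


def rarity(baseline, dev, host, port, alpha=1.0):
    """Rarity score = -log P(pair | device), with Laplace smoothing so a pair never
    seen before gets a large but finite score instead of a division by zero.
    A device with no history at all cannot be judged 'normal', so it scores inf."""
    counts = baseline[dev]
    n = sum(counts.values())
    if n == 0:
        return math.inf
    buckets = len(counts) + 1          # +1 reserves probability mass for 'never seen'
    p = (counts[(host, port)] + alpha) / (n + alpha * buckets)
    return -math.log(p)


def is_internal(host):
    return host.endswith(INTERNAL_SUFFIXES) or host.startswith(INTERNAL_PREFIXES)


def score_events(baseline, events, threshold=3.0):
    """Flag events whose rarity reaches the threshold. Events judged benign are
    folded back into the baseline, so 'normal' keeps evolving with new evidence;
    flagged events are deliberately not learned, so repeated suspicious traffic
    does not drift into the baseline."""
    anomalies = []
    for dev, host, port in events:
        score = rarity(baseline, dev, host, port)
        if score >= threshold:
            anomalies.append((dev, host, port, round(score, 3)))
        else:
            baseline[dev][(host, port)] += 1
    return anomalies


def correlate(anomalies, min_scan_hosts=3):
    """Group anomalies per device into one incident with a summed risk score and an
    illustrative ATT&CK tactic label. Assumption: these two hand-written rules stand
    in for the probabilistic / decision-tree models the page describes."""
    by_device = defaultdict(list)
    for event in anomalies:
        by_device[event[0]].append(event)
    incidents = {}
    for dev, events in by_device.items():
        tactics = set()
        external = [e for e in events if not is_internal(e[1])]
        smb_targets = {e[1] for e in events if e[2] == 445 and is_internal(e[1])}
        # repeated contact with a single unseen external host: beaconing-like
        if len(external) >= 3 and len({e[1] for e in external}) == 1:
            tactics.add("Command and Control")
        # SMB to several unseen internal hosts: scanning-like
        if len(smb_targets) >= min_scan_hosts:
            tactics.add("Discovery")
        incidents[dev] = {
            "risk": round(sum(e[3] for e in events), 3),
            "tactics": sorted(tactics),
            "events": events,
        }
    return incidents


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_EVENTS)
    anomalies = score_events(baseline, NEW_EVENTS)
    for dev, incident in correlate(anomalies).items():
        print(dev, "risk =", incident["risk"], "tactics =", incident["tactics"])
        for event in incident["events"]:
            print("   ", event)
```

The routine mail.corp connection scores low and is absorbed into the baseline (its count rises from 30 to 31), while the six unseen connections each score about 4.65 and stay out of it; on their own each is just a rare connection, and it is only the per-device correlation that turns them into one incident with both a beaconing-like and a scanning-like component.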
![Darktrace's AI explained](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/67af9404a70d931debf62ce5_Screenshot%202025-02-14%20at%2011.05.36%E2%80%AFAM.png)
Darktrace threat detection examples
1. Detection of SmokeLoader Malware
Darktrace / NETWORK achieves enterprise ransomware protection that can detect and stop loader malware like SmokeLoader. In this customer’s case, our AI autonomously investigated suspicious network activity – relating seemingly isolated connections into a broader C2 incident – and alerted the security team.
2. Detection of Gootloader Malware
Cyber-attackers used Gootloader malware in an attempt to compromise the network of an American company. Gootloader can download additional malicious payloads, allowing threat actors to steal information or encrypt files for ransom.
Darktrace’s network security tools detected the unusual activity of the compromised device, including beaconing, SMB scanning, and downloading suspicious files. Using AI in cyber security allowed Darktrace to identify and neutralize Gootloader, protecting the company’s network.
Read the whole story on our blog
Types of threat detection in cybersecurity
Signature-Based Detection
Description: Relies on known patterns (signatures) of malicious code to detect threats. If a file or network traffic matches a known signature, it is flagged as a threat. The drawback of this is that novel or zero-day threats avoid detection from these systems.
Example: Traditional antivirus software.
Heuristic-Based Detection
Description: Emerging in the 1980s and 1990s, heuristic-based detection uses algorithms to identify new threats by analyzing the behavior and characteristics of files or activities, even if they don't match known signatures. However, this method is still an attacker-centric approach: it aims to identify threats by checking their resemblance to other known threats, so it still misses more sophisticated attack attempts.
Anomaly-Based Detection
Description: Anomaly-based detection establishes a baseline of normal behavior and flags deviations from this baseline as potential threats. Using this method of threat detection allows for better detection of unknown threats or zero-days because this detection system focuses on user/network activity to detect abnormal activity. Anomaly detection can identify threats that do not exhibit obvious malicious properties but behave in ways that are atypical for the system or user, such as insider threats or sophisticated APTs.
Drawbacks: These systems may struggle to adapt to changing environments and constantly need their baseline tuned and updated. As such, they can produce a high number of false positives when an organization's behavior changes.
AI-Based Solutions
Description: AI-based solutions use AI and ML to analyze vast amounts of data, identify patterns, and detect threats with higher accuracy. These systems can include, but are not limited to, anomaly detection. When AI is applied to anomaly-based detection, the models can adjust baselines dynamically, accounting for changes in the environment and user behavior, which reduces false positives and improves detection.
Drawbacks: These systems rely on data to produce good results, so their effectiveness is contingent on the quality and quantity of the data they receive.
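To make the trade-off between a fixed baseline and an adaptive one concrete, here is an added Python example (not Darktrace's code; the daily traffic series, the EWMA parameters and the 3-sigma band are constructed assumptions) that runs both detectors over the same series. The series has a stable week, then thirteen days of gradual, legitimate growth, then one genuine spike:

```python
# Constructed daily outbound-byte counts (in MB) for one server: a stable week,
# thirteen days of legitimate growth (say, a new backup job), one genuine spike,
# then the new normal.
SERIES = [100, 102, 98, 101, 99, 100, 100,
          105, 110, 115, 120, 125, 130, 135, 140, 145, 150, 155, 160, 165,
          400,
          170]


def static_detector(series, train_days=7, k=3.0):
    """Fixed baseline: mean and std from the training window, never revised.
    Returns 1-based day numbers that fall outside mean +/- k*std."""
    train = series[:train_days]
    mean = sum(train) / len(train)
    std = (sum((x - mean) ** 2 for x in train) / len(train)) ** 0.5
    return [i + 1 for i, x in enumerate(series)
            if i >= train_days and abs(x - mean) > k * std]


def adaptive_detector(series, alpha=0.3, k=3.0, min_rel_std=0.1, warmup=7):
    """Adaptive baseline: exponentially weighted mean and variance that follow
    gradual drift. min_rel_std stops the band collapsing when traffic is very
    steady. Alerted values are not learned, so a spike does not widen the band
    and hide a second one."""
    mean, var = float(series[0]), 0.0
    alerts = []
    for i, x in enumerate(series):
        std = max(var ** 0.5, min_rel_std * mean)
        if i >= warmup and abs(x - mean) > k * std:
            alerts.append(i + 1)
            continue
        diff = x - mean
        mean += alpha * diff
        var = (1 - alpha) * (var + alpha * diff * diff)   # incremental EWMA variance
    return alerts


def compare(series=SERIES):
    """Run both detectors on the same series and return their alert days."""
    return {"static": static_detector(series), "adaptive": adaptive_detector(series)}


if __name__ == "__main__":
    result = compare()
    print("static baseline alerts on days:  ", result["static"])
    print("adaptive baseline alerts on days:", result["adaptive"])
```

The fixed baseline, trained on a week where traffic barely moved, alerts on every one of the following fifteen days, because a 3-sigma band around a near-constant series is only a few MB wide; fourteen of those alerts are the growth, not an attack. The adaptive baseline follows the growth and alerts only on day 21, the spike. Tuning the static detector by hand (a wider band, retraining every week) is exactly the recurring maintenance the drawbacks paragraph above describes.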
Supervised Machine Learning
Description: One of the most common types of AI in security today is supervised machine learning models that are trained on known attack data and attacker behavior. Supervised machine learning is defined by its use of labeled datasets to train algorithms to classify data or predict outcomes accurately.
These models are commonly found in Extended Detection and Response (XDR) solutions. They are trained on massive volumes of structured, labeled attack data and threat intelligence, and they perform extremely well at stopping those known attacks. This makes them a good starting point for any security stack.
Drawbacks: However, these models can fall short when they encounter something they haven’t seen before. If the model hasn’t been trained on a specific pattern, it can easily miss it. Additionally, co-mingled benign or legitimate data (syslog, network traffic, etc.) can cause big problems for the efficacy and accuracy of this AI’s performance. And, just like most AI, testing and validation are crucial to ensuring accurate outcomes.
Insider threat detection
There are generally two types of insider threats: malicious and non-malicious, or accidental. For organizations managing OT, both types originate from personnel who have legitimate privileged access to OT networks and have insider knowledge of assets, configurations, locations, security controls, or vulnerabilities. Of increasing concern to security teams, these personnel can also include external contractors, such as vendors or consultants, who require high levels of access to perform their role.
Detecting insider threats requires a multifaceted approach that combines technology, policies, and human factors.
Here is how Darktrace detects insider threats:
Darktrace’s anomaly-based threat detection is uniquely positioned to detect insider threats. Both accidental and malicious disruption may use legitimate privileged access to target Purdue Level 1 and 2 controllers and programmers to alter operations. The actor will alter the routine functionality of the process control environment, which can be detected and alerted on by a security tool that understands normal and can spot deviations.
Read more here on how Darktrace / OT detects threats in an OT environment
Can Darktrace detect zero-day threats?
Darktrace’s AI detection capabilities enable it to identify and stop zero-day threats.
For more insights on how Darktrace stops zero-day threats read this blog:
“Self-Learning AI for Zero-Day and N-Day Attack Defense”
“How Darktrace Neutralizes Zero-Day Ransomware Attacks”
“Darktrace Detection of Unattributed Ransomware”
Read more here to learn about zero-day threats, vulnerabilities, and exploits:
Zero-day threats definition: A recently discovered security vulnerability in computer software that has no currently available fix or patch. Its name comes from the reality that vendors have “zero days” to act and respond.
Zero-day vulnerabilities: Flaws or weaknesses in software, hardware, or firmware that are unknown to the vendor or developer. Attackers exploit these vulnerabilities before they are discovered and patched.
Zero-Day Exploits: Specific attacks that leverage zero-day vulnerabilities. These exploits are created by attackers to take advantage of the unknown flaws, often resulting in unauthorized access, data theft, or system compromise.
Zero-Day Malware: Malware that is designed to exploit zero-day vulnerabilities. This type of malware can include viruses, worms, trojans, ransomware, and other malicious software that takes advantage of unpatched flaws.
Understanding AI in cybersecurity
![AI Arsenal, everything you need to know about AI in cybersecurity screenshot](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/67aa03c22dd5b206a6dd21b8_TP1%20-%20The%20AI%20Arsenal%20Cover.png)
Security leaders face challenges in navigating AI vendor claims and understanding different AI technologies. This white paper explores:
- The role of supervised and unsupervised machine learning in cybersecurity
- How Large Language Models (LLMs) enhance security operations
- How Darktrace’s multi-layered AI helps security teams detect and stop novel threats
Download now to gain clarity on AI-powered cybersecurity solutions.