In the second installment of a 2-part series, Max Heinemeyer analyzes the rise of deceptive attacks & insider threats found by Darktrace AI in 2018.
For security professionals around the world, it is hardly a secret that cyber-attacks are becoming ever more difficult to detect — incorporating stealthier tactics and even automated elements to breach the network perimeter. Yet despite the increasing sophistication of these threats, the greatest security risk confronting today’s businesses, governments, and nonprofits continues to be their own employees.
Such credentialed network users present a relatively easy avenue into the digital estate for cyber-criminals who manage to deceive them. From banking trojans that are spread using social engineering to cryptocurrency mining carried out by disgruntled workers, the past year witnessed a significant upswing in threats that either exploited the fallibility of employees or which were authored by employees themselves.
By monitoring and analyzing raw traffic from all our clients’ users, internet-connected devices, and cloud deployments, we saw a number of trends emerge in 2018. As the second installment of a two-part series, this article will review specifically those attack trends that involve trickery, subtlety, and the art of deception. Because, as organizations deploy the latest technologies and tools to improve their cyber defenses, the weakest link in our network security is not a machine — it is human.
Banking trojan attacks increased by 239%
Named after the legendary act of Grecian subterfuge, today a trojan horse refers to a malicious computer program that misleads its user of its actual purpose, taking advantage of the fundamental weakness of human error inherent to any security posture. Over the last 12 months, the incidence of banking trojans in particular — which harvest the credentials of online banking customers from infected machines — has increased by a staggering 239% across our customer base.
This dramatic increase may be a consequence of the declining popularity of ransomware for monetary gain: it seems that banking trojans are, at least at present, a more profitable tool for cyber-criminals. Unlike ransomware, banking trojans do not rely on a victim’s conscious willingness to pay; rather, they use deception to perform transactions without the victim’s knowledge. And as the number of ransomware incidents declined in 2018, it seems that subtler attacks have become the weapons of choice for cyber-crime.
The proliferation of banking trojans has been accompanied by a growing sophistication in the malware itself, with many banking trojans having expanded beyond their original target of online banking access. Indeed, advanced trojans like Emotet now deliver other forms of malware as payloads, after using fraudulent emails, online advertisements, and other forms of social engineering to breach the perimeter.
Cryptocurrency-related incidents up 78%
Figure 1: Cryptocurrency values declined precipitously in 2018 after rapid growth.
Alongside the increase in banking trojans, Darktrace detected 78% growth in the frequency of another under-the-radar threat: crypto-jacking. Defined as the secret usage of computing power to mine cryptocurrency, crypto-jacking operates by the opposite logic of ransomware, acting as a parasite on an organization’s computing systems or injecting hidden code into an organization’s web pages. Whereas ransomware attackers demand payment immediately, cryptocurrency miners seek to go unnoticed for as long as possible.
Deceptive threats like banking trojans and crypto-jacking are particularly elusive when they originate from insiders. In one Fortune 500 e-commerce company this year, Darktrace discovered a privileged access user — a disgruntled systems administrator — hijacking power sources from the company’s infrastructure for his own monetary gain. The employee co-opted other users’ credentials and service accounts to stealthily take over multiple machines for the purpose of crypto-mining.
At the same time, the growth rate of cryptocurrency-related threats is less than in the previous year, likely as a result of the dramatic fall in the value of most cryptocurrencies (see Figure 1). But with many experts anticipating these values to bounce back, we expect crypto-jacking to become far more common in the years to come. The cyber-criminal ecosystem still responds to macroeconomic factors, and as payment systems continue to evolve, so too will attackers’ revenue streams.
The weakest link: still people
The rapid escalation of deceptive and subtle threats — from banking trojans that gain access with social engineering to crypto-jacking carried out by insiders to targeted spear phishing emails — is the product of a fundamental flaw with the traditional approach to cyber defense, which entails securing the perimeter against known threats. Indeed, once an employee, maliciously or inadvertently, compromises the network from the inside, protecting the perimeter does little good. And as we look ahead to 2019, a year likely to be even more dominated by deceptive attacks and internal threats, organizations must seek to better understand their own networks to recognize whenever something is, ever so slightly, amiss.
Like this and want more?
Receive the latest blog in your inbox
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Newsletter
Enjoying the blog?
Sign up to receive the latest news and insights from the Darktrace newsletter – delivered directly to your inbox
Thanks for signing up!
Look out for your first newsletter, coming soon.
Oops! Something went wrong while submitting the form.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Author
Max Heinemeyer
Global Field CISO
Max is a cyber security expert with over a decade of experience in the field, specializing in a wide range of areas such as Penetration Testing, Red-Teaming, SIEM and SOC consulting and hunting Advanced Persistent Threat (APT) groups. At Darktrace, Max is closely involved with Darktrace’s strategic customers & prospects. He works with the R&D team at Darktrace, shaping research into new AI innovations and their various defensive and offensive applications. Max’s insights are regularly featured in international media outlets such as the BBC, Forbes and WIRED. Max holds an MSc from the University of Duisburg-Essen and a BSc from the Cooperative State University Stuttgart in International Business Information Systems.
CNAPP Alone Isn’t Enough: Focusing on CDR for Real-Time Cross Domain Protection
Forecasts predict public cloud spending will soar to over $720 billion by 2025, with 90%[1] of organizations embracing a hybrid cloud approach by 2027. These figures could also be eclipsed as more businesses unearth the potential impact that AI can make on their productivity. The pace of evolution is staggering, but one thing hasn’t changed: the cloud security market is a maze of complexity. Filled with acronyms, overlapping capabilities, and endless use cases tailored to every buyer persona.
On top of this, organizations face a fragmented landscape of security tools, each designed to cover just one slice of the cloud security puzzle. Then there’s CNAPP (Cloud-Native Application Protection Platform) — a broad platform promising to do it all but often falling short, especially around providing runtime detection and response capabilities. It’s no wonder organizations struggle to cut through the noise and find the precision they require.
Looking more closely at what CNAPP has to offer, it can feel like as if it is all you would ever need, but is that really the case?
Strengths and limitations of CNAPP
A CNAPP is undeniably a compelling solution, originally coming from CSPM (Cloud Security Posture Management), it provided organizations with a snapshot of their deployed cloud assets, highlighting whether they were as secure as intended. However, this often resulted in an overwhelming list of issues to fix, leaving organizations unsure where to focus their energy for maximum impact.
To address this, CNAPP’s evolved, incorporating capabilities like; identifying software vulnerabilities, mapping attack paths, and understanding which identities could act within the cloud. The goal became clear: prioritize fixes to reduce the risk of compromise.
But what if we could avoid these problems altogether? Imagine deploying software securely from the start — preventing the merging of vulnerable packages and ensuring proper configurations in production environments by shifting left. This preventative approach is vital to any “secure by design” strategy, CNAPP’s again evolving to add this functionality alongside.
However, as applications grow more complex, so do the variety and scope of potential issues. The responsibility for addressing these challenges often falls to engineers, who are left balancing the pressure to write code with the burden of fixing critical findings that may never even pose a real risk to the organization.
While CNAPP serves as an essential risk prevention tool — focusing on hygiene, compliance, and enabling organizations to deploy high-quality code on well-configured infrastructure — its role is largely limited to reducing the potential for issues. Once applications and infrastructure are live, the game changes. Security’s focus shifts to detecting unwanted activity and responding to real-time risks.
Limitations of CNAPP
Here’s where CNAPP shows its limitations:
1. Blind spots for on-premises workloads
Designed for cloud-native environments, it can leave blind spots for workloads that remain on-premises — a significant concern given that 90% of organizations are expected to adopt a hybrid cloud strategy by 2027. These blind spots can increase the risk of cross-domain attacks, underscoring the need for a solution that goes beyond purely prevention but adds real-time detection and response.
2. Detecting and mitigating cross-domain threats
Adversaries have evolved to exploit the complexity of hybrid and cloud environments through cross-domain attacks. These attacks span multiple domains — including traditional network environments, identity systems, SaaS platforms, and cloud environments — making them exceptionally difficult to detect and mitigate. Attackers are human and will naturally choose the path of least resistance, why spend time writing a detailed software exploit for a vulnerability if you can just target the identity?
Imagine a scenario where an attacker compromises an organization via leaked credentials and then moves laterally, similar to the example outlined in this blog: The Price of Admission: Countering Stolen Credentials with Darktrace. If an attacker identifies cloud credentials and moves into the cloud control plane, they could access additional sensitive data. Without a detection platform that monitors these areas for unusual activity, while working to consolidate findings into a unified timeline, detecting these types of attacks becomes incredibly challenging.
A CNAPP might only point to a potential misconfiguration of an identity or for example a misconfiguration around secret storage, but it cannot detect when that misconfiguration has been exploited — let alone respond to it.
Identity is more than just a role or username; it is essentially an access point for attackers to leverage and move between different areas of a digital estate. Real-time monitoring of human and non-human identities is crucial for understanding intent, spotting anomalies, and preventing possible attacks before they spread.
Non-human roles, such as service accounts or automation tooling, often operate with trust and without oversight. In 2024, the Cybersecurity and Critical Infrastructure Agency (CISA) [2] released a warning regarding new strategies employed by SolarWinds attackers. These strategies were primarily aimed at cloud infrastructure and non-human identities. The warning details how attackers leverage credentials and valid applications for malicious purposes.
With organizations opting for a hybrid approach, combining network, identity, cloud management and cloud runtime activity is essential to detecting and mitigating cross domain attacks, these are just some of the capabilities needed for effective detection and response:
AI driven automated and unified investigation of events – due to the volume of data and activity within businesses digital estates leveraging AI is vital, to enable SOC teams in understanding and facilitating proportional and effective responses.
Real-time monitoring auditing combined with anomaly detection for human and non-human identities.
A unified investigation platform that can deliver a real-time understanding of Identity, deployed cloud assets, runtime and contextual findings as well as coverage for remaining on premises workloads.
The ability to leverage threat intelligence automatically to detect potential malicious activities quickly.
The future of cloud security: Balancing risk management with real-time detection and response
Darktrace / CLOUD's CDR approach enhances CNAPP by providing the essential detection and native response needed to protect against cross-domain threats. Its agentless, default setup is both cost-effective and scalable, creating a runtime baseline that significantly boosts visibility for security teams. While proactive controls are crucial for cloud security, pairing them with Cloud Detection and Response solutions addresses a broader range of challenges.
With Darktrace / CLOUD, organizations benefit from continuous, real-time monitoring and advanced AI-driven behavioural detection, ensuring proactive detection and a robust cloud-native response. This integrated approach delivers comprehensive protection across the digital estate.
Reimagining Your SOC: Overcoming Alert Fatigue with AI-Led Investigations
The efficiency of a Security Operations Center (SOC) hinges on its ability to detect, analyze and respond to threats effectively. With advancements in AI and automation, key early SOC team metrics such as Mean Time to Detect (MTTD) have seen significant improvements:
96% of defenders believing AI-powered solutions significantly boost the speed and efficiency of prevention, detection, response, and recovery.
Organizations leveraging AI and automation can shorten their breach lifecycle by an average of 108 days compared to those without these technologies.
While tool advances have improved performance and effectiveness in the detection phase, this has not been as beneficial to the next step of the process where initial alerts are investigated further to determine their relevance and how they relate to other activities. This is often measured with the metric Mean Time to Analysis (MTTA), although some SOC teams operate a two-level process with teams for initial triage to filter out more obviously uninteresting alerts and for more detailed analysis of the remainder. SOC teams continue to grapple with alert fatigue, overwhelmed analysts, and inefficient triage processes, preventing them from achieving the operational efficiency necessary for a high-performing SOC.
Addressing this core inefficiency requires extending AI's capabilities beyond detection to streamline and optimize the following investigative workflows that underpin effective analysis.
Challenges with SOC alert investigation
Detecting cyber threats is only the beginning of a much broader challenge of SOC efficiency. The real bottleneck often lies in the investigation process.
Detection tools and techniques have evolved significantly with the use of machine learning methods, improving early threat detection. However, after a detection pops up, human analysts still typically step in to evaluate the alert, gather context, and determine whether it’s a true threat or a false alarm and why. If it is a threat, further investigation must be performed to understand the full scope of what may be a much larger problem. This phase, measured by the mean time to analysis, is critical for swift incident response.
Challenges with manual alert investigation:
Too many alerts
Alerts lack context
Cognitive load sits with analysts
Insufficient talent in the industry
Fierce competition for experienced analysts
For many organizations, investigation is where the struggle of efficiency intensifies. Analysts face overwhelming volumes of alerts, a lack of consolidated context, and the mental strain of juggling multiple systems. With a worldwide shortage of 4 million experienced level two and three SOC analysts, the cognitive burden placed on teams is immense, often leading to alert fatigue and missed threats.
Even with advanced systems in place not all potential detections are investigated. In many cases, only a quarter of initial alerts are triaged (or analyzed). However, the issue runs deeper. Triaging occurs after detection engineering and alert tuning, which often disable many alerts that could potentially reveal true threats but are not accurate enough to justify the time and effort of the security team. This means some potential threats slip through unnoticed.
Understanding alerts in the SOC: Stopping cyber incidents is hard
Let’s take a look at the cyber-attack lifecycle and the steps involved in detecting and stopping an attack:
First we need a trace of an attack…
The attack will produce some sort of digital trace. Novel attacks, insider threats, and attacker techniques such as living-off-the-land can make attacker activities extremely hard to distinguish.
A detection is created…
Then we have to detect the trace, for example some beaconing to a rare domain. Initial detection alerts being raised underpin the MTTD (mean time to detection). Reducing this initial unseen duration is where we have seen significant improvement with modern threat detection tools.
When it comes to threat detection, the possibilities are vast. Your initial lead could come from anything: an alert about unusual network activity, a potential known malware detection, or an odd email. Once that lead comes in, it’s up to your security team to investigate further and determine if this is this a legitimate threat or a false alarm and what the context is behind the alert.
Investigation begins…
It doesn’t just stop at a detection. Typically, humans also need to look at the alert, investigate, understand, analyze, and conclude whether this is a genuine threat that needs a response. We normally measure this as MTTA (mean time to analyze).
Conducting the investigation effectively requires a high degree of skill and efficiency, as every second counts in mitigating potential damage. Security teams must analyze the available data, correlate it across multiple sources, and piece together the timeline of events to understand the full scope of the incident. This process involves navigating through vast amounts of information, identifying patterns, and discerning relevant details. All while managing the pressure of minimizing downtime and preventing further escalation.
Containment begins…
Once we confirm something as a threat, and the human team determines a response is required and understand the scope, we need to contain the incident. That's normally the MTTC (mean time to containment) and can be further split into immediate and more permanent measures.
The challenge is not only in 1) detecting threats quickly, but also 2) triaging and investigating them rapidly and with precision, and 3) prioritizing the most critical findings to avoid missed opportunities. Effective investigation demands a combination of advanced tools, robust workflows, and the expertise to interpret and act on the insights they generate. Without these, organizations risk delaying critical containment and response efforts, leaving them vulnerable to greater impacts.
While there are further steps (remediation, and of course complete recovery) here we will focus on investigation.
Developing an AI analyst: How Darktrace replicates human investigation
Darktrace has been working on understanding the investigative process of a skilled analyst since 2017. By conducting internal research between Darktrace expert SOC analysts and machine learning engineers, we developed a formalized understanding of investigative processes. This understanding formed the basis of a multi-layered AI system that systematically investigates data, taking advantage of the speed and breadth afforded by machine systems.
With this research we found that the investigative process often revolves around iterating three key steps: hypothesis creation, data collection, and results evaluation.
All these details are crucial for an analyst to determine the nature of a potential threat. Similarly, they are integral components of our Cyber AI Analyst which is an integral component across our product suite. In doing so, Darktrace has been able to replicate the human-driven approach to investigating alerts using machine learning speed and scale.
Here’s how it works:
When an initial or third-party alert is triggered, the Cyber AI Analyst initiates a forensic investigation by building multiple hypotheses and gathering relevant data to confirm or refute the nature of suspicious activity, iterating as necessary, and continuously refining the original hypothesis as new data emerges throughout the investigation.
Using a combination of machine learning including supervised and unsupervised methods, NLP and graph theory to assess activity, this investigation engine conducts a deep analysis with incidents raised to the human team only when the behavior is deemed sufficiently concerning.
After classification, the incident information is organized and processed to generate the analysis summary, including the most important descriptive details, and priority classification, ensuring that critical alerts are prioritized for further action by the human-analyst team.
If the alert is deemed unimportant, the complete analysis process is made available to the human team so that they can see what investigation was performed and why this conclusion was drawn.
To illustrate this via example, if a laptop is beaconing to a rare domain, the Cyber AI Analyst would create hypotheses including whether this could be command and control traffic, data exfiltration, or something else. The AI analyst then collects data, analyzes it, makes decisions, iterates, and ultimately raises a new high-level incident alert describing and detailing its findings for human analysts to review and follow up.
Cost savings: Equivalent to adding up to 30 full-time Level 2 analysts without increasing headcount
Minimize business risk: Takes on the busy work from human analysts and elevates a team’s overall decision making
Improve security outcomes: Identifies subtle, sophisticated threats through holistic investigations
Unlocking an efficient SOC
To create a mature and proactive SOC, addressing the inefficiencies in the alert investigation process is essential. By extending AI's capabilities beyond detection, SOC teams can streamline and optimize investigative workflows, reducing alert fatigue and enhancing analyst efficiency.
This holistic approach not only improves Mean Time to Analysis (MTTA) but also ensures that SOCs are well-equipped to handle the evolving threat landscape. Embracing AI augmentation and automation in every phase of threat management will pave the way for a more resilient and proactive security posture, ultimately leading to a high-performing SOC that can effectively safeguard organizational assets.
Every relevant alert is investigated
The Cyber AI Analyst is not a generative AI system, or an XDR or SEIM aggregator that simply prompts you on what to do next. It uses a multi-layered combination of many different specialized AI methods to investigate every relevant alert from across your enterprise, native, 3rd party, and manual triggers, operating at machine speed and scale. This also positively affects detection engineering and alert tuning, because it does not suffer from fatigue when presented with low accuracy but potentially valuable alerts.
Retain and improve analyst skills
Transferring most analysis processes to AI systems can risk team skills if they don't maintain or build them and if the AI doesn't explain its process. This can reduce the ability to challenge or build on AI results and cause issues if the AI is unavailable. The Cyber AI Analyst, by revealing its investigation process, data gathering, and decisions, promotes and improves these skills. Its deep understanding of cyber incidents can be used for skill training and incident response practice by simulating incidents for security teams to handle.
Create time for cyber risk reduction
Human cybersecurity professionals excel in areas that require critical thinking, strategic planning, and nuanced decision-making. With alert fatigue minimized and investigations streamlined, your analysts can avoid the tedious data collection and analysis stages and instead focus on critical decision-making tasks such as implementing recovery actions and performing threat hunting.
Stay tuned for part 3/3
Part 3/3 in the Reimagine your SOC series explores the preventative security solutions market and effective risk management strategies.
