Blog
/
No items found.
/
December 20, 2022
No items found.

How to Select the Right Cybersecurity AI

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
20
Dec 2022
Choosing the right cybersecurity AI is crucial. Darktrace's guide provides insights and tips to help you make an informed decision.

AI has long been a buzzword – we started seeing it utilized in consumer space; in social media, e-commerce, and even in our music preference! In the past few years it has started to make its way through the enterprise space, especially in cyber security.

Increasingly, we see threat actors utilizing AI in their attack techniques. This is inevitable with the advancements in AI technology, the lower barrier to entry to the cyber security industry, and the continued profitability of being a threat actor. Surveying security decision makers across different industries like financial services and manufacturing, 77% of the respondents expect weaponized AI to lead to an increase in the scale and speed of attacks. 

Defenders are also ramping up their use of AI in cyber security – with more than 80% of the respondents agreeing that organizations require advanced defenses to combat offensive AI – resulted in a ‘cyber arms race’ with adversaries and security teams in constant pursuit of the latest technological advancements.  

The rules and signature approach is no longer sufficient in this evolving threat landscape. Because of this collective need, we will continue to see the push of AI innovations in this space as well. By 2025, cyber security technologies will account for 25% of the AI software market.

Despite the intrigue surrounding AI, many people have a limited understanding of how it truly works. The mystery of AI technology is what piques the interest of many cyber security practitioners. As an industry we also know that AI is necessary for advancement, but there is so much noise around AI and machine learning that some teams struggle to understand it. The paradox of choice leaves security teams more frustrated and confused by all the options presented to them.

Identifying True AI

You first need to define what you want the AI technology to solve. This might seem trivial, but many security teams often forget to come back to the fundamentals: what problem are you addressing? What are you trying to improve? 

Not every process needs AI; some processes will simply need automation – these are the more straightforward parts of your business. More complex and bigger systems require AI. The crux is identifying these parts of your business, applying AI and being clear of what you are going to achieve with these AI technologies. 

For example, when it comes to factory floor operations or tracking leave days of employees, businesses employ automation technologies, but when it comes to business decisions like PR strategies or new business exploration, AI is used to predict trends and help business owners make these decisions. 

Similarly, in cyber security, when dealing with known threats such as known malicious malware and hosting sites, automation is great at keeping track of them; workflows and playbooks are also best assessed with automation tools. However, when it comes to unknown unknowns like zero-day attacks, insider threats, IoT threats and supply chain attacks, AI is needed to detect and respond these threats as they emerge.

Automation is often communicated as AI, and it becomes difficult for security teams to differentiate. Automation helps you to quickly make a decision you already know you will make, whereas true AI helps you make a better decision.

Key ways to differentiate true AI from automation:

  • The Data Set: In automation, what you are looking for is very well-scoped. You already know what you are looking for – you are just accelerating the process with rules and signatures. True AI is dynamic. You no longer need to define activities that deserve your attention, the AI highlights and prioritizes this for you.
  • Bias: When you define what you are looking for, as humans inherently we impose our biases on these decisions. We are also limited by our knowledge at that point in time – this leaves out the crucial unknown unknowns.
  • Real-time: Every organization is always changing and it is important that AI takes all that data into consideration. True AI that is real time and also changes with your organization’s growth is hard to find. 

Our AI Research Centre has produced numerous papers on the applications of true AI in cyber security. The Centre comprises of more than 150 members and has more than 100 patents and patents pending. Some of the featured white papers include research on Attack Path Modeling and using AI as a preventative approach in your organization. 

Integrating AI Outputs with People, Process, and Technology


Integrating AI with People

We are living in the time of trust deficit, and that applies to AI as well. As humans we can be skeptical with AI, so how do we build trust for AI such that it works for us? This applies not only to the users of the technology, but the wider organization as well. Since this is the People pillar, the key factors to achieving trust in AI is through education, culture, and exposure. In a culture where people are open to learn and try new AI technologies, we will naturally build trust towards AI over time.

Integrating AI with Process

Then we should consider the integration of AI and its outputs into your workflow and playbooks. To make decisions around that, security managers need to be clear what their security priorities are, or which security gaps a particular technology is meant to fill. Regardless of whether you have an outsourced MSSP/SOC team, 50-strong in-house SOC team, or even just a 2-man team, it is about understanding your priorities and assigning the proper resources to them.

Integrating AI with Technology 

Finally, there is the integration of AI with your existing technology stack. Most security teams deploy different tools and services to help them achieve different goals – whether it is a tool like SIEM, a firewall, an endpoint, or services like pentesting, or vulnerability assessment exercises. One of the biggest challenges is putting all of this information together and pulling actionable insights out of them. Integration on multiple levels is always challenging with complex technologies because they technologies can rate or interpret threats differently.

Security teams often find themselves spending the most time making sense of the output of different tools and services. For example, taking the outcomes from a pentesting report and trying to enhance SOAR configurations, or looking at SOC alerts to advise firewall configurations, or taking vulnerability assessment reports to scope third-party Incident Response teams.

These tools can have a strong mastery of large volumes of data, but eventually ownership of the knowledge should still lie with the human teams – and the way to do that is with continuous feedback and integration. It is no longer efficient to use human teams to carry out this at scale and at speed. 

The Cyber AI Loop is Darktrace’s approach to cyber security. The four product families make up a key aspect of an organization’s cyber security posture. Darktrace PREVENT, DETECT, RESPOND and HEAL each feed back into a continuous, virtuous cycle, constantly strengthening each other’s abilities. 

This cycle augments humans at every stage of an incident lifecycle. For example, PREVENT may alert you to a vulnerability which holds a particularly high risk potential for your organization. It provides clear mitigation advice, and while you are on this, PREVENT will feed into DETECT and RESPOND, which are immediately poised to kick in should an attack occur in the interim. Conversely, once an attack has been contained by RESPOND, it will feed information back into PREVENT which will anticipate an attacker’s likely next move. Cyber AI Loop helps you harden security a holistic way so that month on month, year on year, the organization continuously improves its defensive posture. 

Explainable AI

Despite its complexity, AI needs to produce outputs that are clear and easy to understand in order to be useful. In the heat of the moment during a cyber incident, human teams need to quickly comprehend: What happened here? When did it happen? What devices are affected? What does it mean for my business? What should I deal with first?

To this end, Darktrace applies another level of AI on top of its initial findings that autonomously investigates in the background, reducing a mass of individual security events to just a few overall cyber incidents worthy of human review. It generates natural-language incident reports with all the relevant information for your team to make judgements in an instant. 

Figure 1: An example of how Darktrace filters individual model breaches into incidents and then critical incidents for the human to review 

Cyber AI Analyst does not only take into consideration network detection but also in your endpoints, your cloud space, IoT devices and OT devices. Cyber AI Analyst also looks at your attack surface and the risks associated to triage and show you the most prioritized alerts that if unexpected would cause maximum damage to your organization. These insights are not only delivered in real time but also unique to your environment.

This also helps address another topic that frequently comes up in conversations around AI: false positives. This is of course a valid concern: what is the point of harvesting the value of AI if it means that a small team now must look at thousands of alerts? But we have to remember that while AI allows us to make more connections over the vastness of logs, its goal is not to create more work for security teams, but to augment them instead.

To ensure that your business can continue to own these AI outputs and more importantly the knowledge, Explainable AI such as that used in Darktrace’s Cyber AI Analyst is needed to interpret the findings of AI, to ensure human teams know what happened, what action (if any) the AI took, and why. 

Conclusion

Every organization is different, and its security should reflect that. However, some fundamental common challenges of AI in cyber security are shared amongst all security teams, regardless of size, resources, industry vertical, and culture. Their cyber strategy and maturity levels are what sets them apart. Maturity is not defined by how many professional certifications or how many years of experience the team has. A mature team works together to solve problems. They understand that while AI is not the silver bullet, it is a powerful bullet that if used right, will autonomously harden the security of the complete digital ecosystem, while augmenting the humans tasked with defending it. 

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Author
Germaine Tan
VP of Cyber Risk Management

Germaine is the Director of Analysis, APAC at Darktrace. Based in Singapore, she works with CISOs, managers and security teams all over APAC on model optimization and operationalization of Darktrace in their digital environments. She also manages the team of 17 analysts in the APAC region that threat hunts and monitors networks from all over the world. Germaine holds a Bachelor of Science in Engineering and a Masters of Science in Technology Management from Nanyang Technological University. She is CISSP, CRISC and CEH certified.

Book a 1-1 meeting with one of our experts
Share this article

More in this series

No items found.

Blog

/

November 19, 2024

/
No items found.

Darktrace Leading the Future of Network Detection and Response with Recognition from KuppingerCole

Default blog imageDefault blog image

KuppingerCole has recognized Darktrace as an overall Leader, Product Leader, Market Leader and Innovation Leader in the KuppingerCole Leadership Compass: Network Detection and Response (2024).

With the perimeter all but dissolved, Network Detection and Response (NDR) tools are quickly becoming a critical component of the security stack, as the main tool to span the modern network. NDRs connect on-premises infrastructure to cloud, remote workers, identities, SaaS applications, and IoT/OT – something not available to EDR that requires agents and isolates visibility to individual devices.

KuppingerCole Analysts AG designated Darktrace an ‘Overall Leader’ position because of our continual innovation around user-led security. Self-Learning AI together with automated triage through Cyber AI Analyst and real-time autonomous response actions have been instrumental to security teams in stopping potential threats before they become a breach. With this time saved, Darktrace is leading beyond reactive security to truly harden a network, allowing the team to spend more time in preventive security measures.

Network Detection and Response protects where others fail to reach

NDR solutions operate at the network level, deploying inside or parallel to your network to ingest raw traffic via virtual or physical sensors. This gives them unprecedented potential to identify anomalies and possible breaches in any network - far beyond simple on-prem, into dynamic virtual environments, cloud or hybrid networks, cloud applications, and even remote devices accessing the corporate network via ZTNA or VPN.

Rather than looking at processes level data, NDR can detect the lateral movement of an adversary across multiple assets by analyzing network traffic patterns which endpoint solutions may not be able to identify [1]. In the face of a growing, complex environment, organizations large and small, will benefit from using NDRs either in conjunction, or as the foundation for, their Extended Detection and Response (XDR) for a unified view that improves their overall threat detection, ease of investigation and faster response times.

Today's NDR solutions are expected to include advanced ML and artificial intelligence (AI) algorithms [1]

Traditional IDS & IPS systems are labor intensive, requiring continuous rule creation, outdated signature maintenance, and manual monitoring for false positives or incorrect actions. This is no longer viable against a higher volume and changing landscape, making NDR the natural network tool to level against these evolutions. The role of AI in NDRs is designed to meet this challenge, “to reduce both the labor need for analysis and false positives, as well as add value by improving anomaly detection and overall security posture” .

Celebrating success in leadership and innovation

Darktrace is proud to have been recognized as an NDR “Overall Leader” in KuppingerCole Analyst AG’s Leadership Compass. The report gave further recognition to Darktrace as a ‘Product Leader”, “Innovation Leader” and “Market Leader”.

Maximum scores were received for core product categories, in addition to market presence and financial strength. Particular attention was directed to our innovation. This year has seen several NDR updates via Darktrace’s ActiveAI Security Platform version 6.2 which has enhanced investigation workflows and provided new AI transparency within the toolset.

Positive scores were also received for Darktrace’s deployment ecosystem and surrounding support, minimizing the need for extraneous integrations through a unique platform architecture that connects with over 90 other vendors.

High Scores received in Darktrace’s KuppingerCole Spider Chart across Core NDR capability areas
Figure 1: High Scores received in Darktrace’s KuppingerCole Spider Chart across Core NDR capability areas

Darktrace’s pioneering AI approach sets it apart

Darktrace / NETWORK’s approach is fundamentally different to other NDRs. Continual anomaly-based detection (our Self-Learning AI), understands what is normal across each of your network entities, and then examines deviations from these behaviors rather than needing to apply static rules or ML to adversary techniques. As a result, Darktrace / NETWORK can focus on surfacing the novel threats that cannot be anticipated, whilst our proactive solutions expose gaps that can be exploited and reduce the risk of known threats.    

Across the millions of possible network events that may occur, Darktrace’s Cyber AI Analyst reduces that manual workload for SOC teams by presenting only what is most important in complete collated incidents. This accelerates SOC Level 2 analyses of incidents by 10x2, giving time back, first for any necessary response and then for preventive workflows.

Finally, when incidents begin to escalate, Darktrace can natively (or via third-party) autonomously respond and take precise actions based on a contextual understanding of both the affected assets and incident in question so that threats can be disarmed without impacting wider operations.

Within the KuppingerCole report, several standout strengths were listed:

  • Cyber AI Analyst was celebrated as a core differentiator, enhancing both visibility and investigation into critical network issues and allowing a faster response.
  • Darktrace / NETWORK was singled for its user benefits. Both a clear interface for analysts with advanced filtering and analytical tools, and efficient role-based access control (RBAC) and configuration options for administrators.
  • At the product level, Darktrace was recognized for complete network traffic analysis (NTA) capabilities allowing extensive analysis into components like application use/type, fingerprinting, source/destination communication, in addition to comprehensive protocol support across a range of network device types from IT, OT, IoT and mobiles and detailed MITRE ATT&CK mapping.
  • Finally, at the heart of it, Darktrace’s innovation was highlighted in relation to its intrinsic Self Learning AI, utilizing multiple layers of deep learning, neural networks, LLMs, NLP, Generative AI and more to understand network activity and filter it for what’s critical on an individual customer level.

Going beyond reactive security

Darktrace’s visibility and AI-enabled detection, investigation and response enable security teams to focus on hardening gaps in their network through contextual relevance & priority. Darktrace / NETWORK explicitly gives time back to security teams allowing them to focus on the bigger strategic and governance workflows that sometimes get overlooked. This is enabled through proactive solutions intrinsically connected to our NDR:

  • Darktrace / Proactive Exposure Management, which looks beyond just CVE risks to instead discover, prioritize and validate risks by business impact and how to mobilize against them early, to reduce the number of real threats security teams face.
  • Darktrace / Incident Readiness & Recovery, a solution rather than service-based approach to incident response (IR) that lets teams respond in the best way to each incident and proactively test their familiarity and effectiveness of IR workflows with sophisticated incident simulations involving their own analysts and assets.

Together, these solutions allow Darktrace / NETWORK to go beyond the traditional NDR and shift teams to a more hardened and proactive state.

Putting customers first

Customers continue to sit at the forefront of Darktrace R&D, with their emerging needs and pain points being the direct inspiration for our continued innovation.

This year Darktrace / NETWORK has protected thousands of customers against the latest attacks, from data exfil and destruction, to unapproved privilege escalation and ransomware including strains like Medusa, Qilin and AlphV BlackCat.

In each instance, Darktrace / NETWORK was able to provide a holistic lens of the anomalies present in their traffic, collated those that were important, and either responded or gave teams the ability to take targeted actions against their threats – even when adversaries pivoted. In one example of a Gootloader compromise, Darktrace ensured a SOC went from detection to recovery within 5 days, 92.8% faster than the average containment time of 69 days.

Results like these, focused on user-led security, have secured Darktrace’s position within the latest NDR Leadership Compass.

To find out more about what makes Darktrace / NETWORK special, read the full KuppingerCole report.

References

[1] Osman Celik, KuppingerCole Leadership Compass:Network Detection and Response (2024)

[2] Darktrace's AI Analyst customer fleet data

[3] https://www.ibm.com/reports/data-breach

Continue reading
About the author
Gabriel Few-Wiegratz
Product Marketing Manager

Blog

/

November 1, 2024

/

Inside the SOC

Phishing and Persistence: Darktrace’s Role in Defending Against a Sophisticated Account Takeover

Default blog imageDefault blog image

The exploitation of SaaS platforms

As businesses continue to grow and evolve, the need for sharing ideas through productivity and cloud Software-as-a-Service (SaaS) platforms is becoming increasingly crucial. However, these platforms have also become prime targets for cyber attackers.

Threat actors often exploit these widely-used services to gain unauthorized access, steal sensitive information, and disrupt business operations. The growing reliance on SaaS platforms makes them attractive entry points for cybercriminals, who use sophisticated techniques such as phishing, social engineering, and malware to compromise these systems.

Services like Microsoft 365 are regularly targeted by threat actors looking for an entry point into an organization’s environment to carry out malicious activities. Securing these platforms is crucial to protect business data and ensure operational continuity.

Darktrace / EMAIL detection of the phishing attack

In a recent case, Darktrace observed a customer in the manufacturing sector receiving a phishing email that led to a threat actor logging in and creating an email rule. Threat actors often create email rules to move emails to their inbox, avoiding detection. Additionally, Darktrace detected a spoofed domain registered by the threat actor. Despite already having access to the customer’s SaaS account, the actor seemingly registered this domain to maintain persistence on the network, allowing them to communicate with the spoofed domain and conduct further malicious activity.

Darktrace / EMAIL can help prevent compromises like this one by blocking suspicious emails as soon as they are identified. Darktrace’s AI-driven email detection and response recognizes anomalies that might indicate phishing attempts and applies mitigative actions autonomously to prevent the escalation of an attack.

Unfortunately, in this case, Darktrace was not configured in Autonomous Response mode at the time of the attack, meaning actions had to be manually applied by the customer’s security team. Had it been fully enabled, it would have held the emails, preventing them from reaching the intended recipient and stopping the attack at its inception.

However, Darktrace’s Managed Threat Detection alerted the Security Operations Center (SOC) team to the compromise, enabling them to thoroughly investigate the incident and notify the customer before further damage could occur.

The Managed Threat Detection service continuously monitors customer networks for suspicious activities that may indicate an emerging threat. When such activities are detected, alerts are sent to Darktrace’s expert Cyber Analysts for triage, significantly speeding up the remediation process.

Attack Overview

On May 2, 2024, Darktrace detected a threat actor targeting a customer in the manufacturing sector then an unusual login to their SaaS environment was observed prior to the creation of a new email rule.

Darktrace immediately identified the login as suspicious due to the rarity of the source IP (31.222.254[.]27) and ASN, coupled with the absence of multi-factor authentication (MFA), which was typically required for this account.

The new email rule was intended to mark emails as read and moved to the ‘Conversation History’ folder for inbound emails from a specific domain. The rule was named “….,,,”, likely the attacker attempting to setup their new rule with an unnoteworthy name to ensure it would not be noticed by the account’s legitimate owner. Likewise, by moving emails from a specific domain to ‘Conversation History’, a folder that is rarely used by most users, any phishing emails sent by that domain would remain undetected by the user.

Darktrace’s detection of the unusual SaaS login and subsequent creation of the new email rule “….,,,”.
Figure 1: Darktrace’s detection of the unusual SaaS login and subsequent creation of the new email rule “….,,,”.

The domain in question was identified as being newly registered and an example of a typosquat domain. Typosquatting involves registering new domains with intentional misspelling designed to convince users to visit fake, and often malicious, websites. This technique is often used in phishing campaigns to create a sense of legitimacy and trust and deceive users into providing sensitive information. In this case, the suspicious domain closely resembled several of the customer’s internal domains, indicating an attempt to impersonate the organization’s legitimate internal sites to gain the target’s trust. Furthermore, the creation of this lookalike domain suggests that the attack was highly targeted at this specific customer.

Interestingly, the threat actor registered this spoofed domain despite already having account access. This was likely intended to ensure persistence on the network without having to launch additional phishing attacks. Such use of spoofed domain could allow an attacker to maintain a foothold in their target network and escalate their malicious activities without having to regain access to the account. This persistence can be used for various purposes, including data exfiltration, spreading malware, or launching further attacks.

Following this, Darktrace detected a highly anomalous email being sent to the customer’s account from the same location as the initial unsual SaaS login. Darktrace’s anomaly-based detection is able to identify threats that human security teams and traditional signature-based methods might miss. By analyzing the expected behavior of network users, Darktrace can recognize the subtle deviations from the norm that may indicate malicious activity. Unfortunately, in this instance, without Darktrace’s Autonomous Response capability enabled, the phishing email was able to successfully reach the recipient. While Darktrace / EMAIL did suggest that the email should be held from the recipients inbox, the customer was required to manually approve it.

Despite this, the Darktrace SOC team were still able to support the customer as they were subscribed to the Managed Threat Detection service. Following the detection of the highlight anomalous activity surrounding this compromise, namely the unusual SaaS login followed by a new email rule, an alert was sent to the Darktrace SOC for immediate triage, who then contacted the customer directly urging immediate action.

Conclusion

This case underscores the need to secure SaaS platforms like Microsoft 365 against sophisticated cyber threats. As businesses increasingly rely on these platforms, they become prime targets for attackers seeking unauthorized access and disruption.

Darktrace’s anomaly-based detection and response capabilities are crucial in identifying and mitigating such threats. In this instance, Darktrace detected a phishing email that led to a threat actor logging in and creating a suspicious email rule. The actor also registered a spoofed domain to maintain persistence on the network.

Darktrace / EMAIL, with its AI-driven detection and analysis, can block suspicious emails before they reach the intended recipient, preventing attacks at their inception. Meanwhile, Darktrace’s SOC team promptly investigated the activity and alerted the customer to the compromise, enabling them to take immediate action to remediate the issue and prevent any further damage.

Credit to Vivek Rajan (Cyber Security Analyst) and Ryan Traill (Threat Content Lead).

Appendices

Darktrace Model Detections

  • SaaS / Access / Unusual External Source for SaaS Credential Use
  • SaaS / Compromise / Login From Rare Endpoint While User Is Active
  • SaaS / Resource / Unusual Access to Delegated Resource by Non Owner
  • SaaS / Email Nexus / Unusual Login Location Following Sender Spoof
  • Compliance / Anomalous New Email Rule
  • SaaS / Compromise / Unusual Login and New Email Rule

Indicators of Compromise (IoCs)

IoC - Type - Description + Confidence

31.222.254[.]27 – IP -  Suspicious Login Endpoint

MITRE ATT&CK Mapping

Tactic – Technqiue – Sub-technique of (if applicable)

Cloud Accounts - DEFENSE EVASION, PERSISTENCE, PRIVILEGE ESCALATION, INITIAL ACCESS - T1078.004 - T1078

Cloud Service Dashboard – DISCOVERY - T1538

Compromise Accounts - RESOURCE DEVELOPMENT - T1586

Steal Web Session Cookie - CREDENTIAL ACCESS - T1539

Outlook Rules – PERSISTENCE - T1137.005 - T1137

Continue reading
About the author
Vivek Rajan
Cyber Analyst
Your data. Our AI.
Elevate your network security with Darktrace AI