Darktrace Threat Detection
Challenges of threat detection in cybersecurity
Evolving Threats
- Cyber threats are becoming more sophisticated.
- Advanced persistent threats (APTs) and zero-day exploits often bypass traditional detection by mimicking legitimate system processes.
- Insider threats and zero days are impossible to stop with tools that rely on historical attack data
Data Overload
- Organizations generate massive amounts of data expanding far beyond on-prem into virtual environments, cloud networks, and hybrid cloud.
- Securing devices outside of the corporate network or ones that are off-VPN
- This data can overwhelm monitoring systems, making it tough to analyze logs and alerts.
- Balancing detection systems is tricky—too sensitive, and you get false positives; not sensitive enough, and threats slip through.
Technology Integration Challenges
- New tech complicates threat detection.
- Encrypted communications, while necessary for privacy, can hide malicious activities.
- Small and medium businesses often lack the resources for effective detection.
Compliance and Adaptation
- Integrating new detection tools with existing systems is a challenge.
- Compliance with regulations adds to the complexity.
- Emerging technologies like IoT and cloud computing require constant updates to detection strategies.
Effectively respond to unusual activity without business disruption
- Business continuity is a huge concern for organizations especially those with operational technology that provide critical resources to people
How is Darktrace's threat detection unique?
Traditional NDR solutions: These solutions rely on historical attack data and operate independently of other security technologies, making them blind to novel threats and attacks that traverse multiple areas of an organization’s environment.
Darktrace / NETWORK Threat Detection: Learns what is normal behavior for your entire network, intelligently detecting any activity that could cause business disruption without relying on signatures, rules, or threat intelligence.
Darktrace / NETWORK learns what is normal behavior for your entire network, intelligently detecting any activity that could cause business disruption without relying on signatures, rules or threat intelligence. Our Self-Learning AI contextualizes every network connection and autonomously responds to both known and novel threats in real time, taking targeted actions without disrupting business operations.
Darktrace works across the entire digital ecosystem of your organization to track the full scope of every incident – from email, network and cloud applications to endpoint devices and Operational Technology (OT).
How does Darktrace use AI to detect threats?
Darktrace uses a multi-layered AI approach to continuously learn and understand a digital environment
At its core, Darktrace’s Self-Learning AI has a foundation of multiple unsupervised machine learning techniques including:
Unsupervised machine learning: Understand new information and decide if something never seen before is suspicious (includes neural networks, clustering methods, regularization, probabilistic and anomaly detection)
Bayesian probabilistic methods: Allows models to be efficiently updated and controlled in real time
Generative and applied AI: Run simulated phishing campaigns, tabletop exercises, and realistic drills
Deep-neural networks: Replicate the thought processes of humans
Graph theory: Understands the incredibly complex relationships between people, systems, organizations, and supply chains
Offensive AI such as GANs: Help to test and improve our ability to counter AI-driven attacks
Natural language processing: Interpret and produce human consumable output
Darktrace threat detection examples
Detection of SmokeLoader Malware
Darktrace / NETWORK achieves enterprise ransomware protection that can detect and stop loader malware like SmokeLoader. In this customer’s case, our AI autonomously investigated suspicious network activity – relating seemingly isolated connections into a broader C2 incident – and alerted the security team.
Detection of dropbox phishing
When one company was targeted by a Dropbox phishing email scam, Darktrace used AI cybersecurity to identify the attack and keep it away from the targeted employee. While the employee eventually clicked the malicious link anyways, Darktrace was still able to neutralize the attack before it disrupted business.
Detection of Gootloader Malware
Cyber-attackers used Gootloader malware in an attempt to compromise the network of an American company. Gootloader can download additional malicious payloads, allowing threat actors to steal information or encrypt files for ransom.
Darktrace’s network security tools detected the unusual activity of the compromised device, including beaconing, SMB scanning, and downloading suspicious files. Using AI in cyber security allowed Darktrace to identify and neutralize Gootloader, protecting the company’s network.
Types of threat detection in cybersecurity
Signature-Based Detection
Description: Relies on known patterns (signatures) of malicious code to detect threats. If a file or network traffic matches a known signature, it is flagged as a threat. The drawback of this is that novel or zero-day threats avoid detection from these systems.
Example: Traditional antivirus software.
Heuristic-Based Detection
Description: Emerging in the 1980’s and 1990’s Heuristic-Based Detection uses algorithms to identify new threats by analyzing the behavior and characteristics of files or activities, even if they don't match known signatures. However, this method is still an attacker-centric approach. Meaning, it aims to identify threats by checking their relevance to other known threats. Still missing more sophisticated attack attempts.
Anomaly-Based Detection
Description: Anomaly-based detection establishes a baseline of normal behavior and flags deviations from this baseline as potential threats. Using this method of threat detection allows for better detection of unknown threats or zero-days because this detection system focuses on user/network activity to detect abnormal activity. Anomaly detection can identify threats that do not exhibit obvious malicious properties but behave in ways that are atypical for the system or user, such as insider threats or sophisticated APTs.
Drawbacks: These systems may struggle to adapt to changing environments, constantly needing tuning and updating of their baseline. As such, there is potential for it to detect a high number of false positives if there are changes in an organizations behaviour.
AI-Based Solutions
Description: AI-based solutions utilize AI and ML to analyze vast amounts of data, identify patterns, and detect threats with higher accuracy. These systems can include but are not limited to anomaly detection. When AI is applied to anomaly-based detection the AI models can adjust baselines dynamically, accounting for changes in the environment and user behavior, reducing false positives, improving their detection capabilities.
Drawbacks: These systems are reliant on data to bring good results. Thus, their effectiveness is contingent on the quality and quantity of data they receive.
Supervised Machine Learning
Description: One of the most common types of AI in security today is supervised machine learning models that are trained on known attack data and attacker behavior. Supervised machine learning is defined by its use of labeled datasets to train algorithms to classify data or predict outcomes accurately.
These models are commonly found in Extended Detection and Response (XDR) solutions. They are trained on massive volumes of structured, labeled attack data and threat intelligence, and they perform extremely well at stopping those known attacks. This makes them a good starting point for any security stack.
Drawbacks: However, these models can fall short when they encounter something they haven’t seen before. If the model hasn’t been trained on a specific pattern, it can easily miss it. Additionally, co-mingled benign or legitimate data (syslog, network traffic, etc.) can cause big problems in the efficacy and accuracy of this AI’s performance. And, just like most AI, testing and validation is crucial to ensuring accurate outcomes.
Insider threat detection
There are generally two types of insider threats: malicious and non-malicious, or accidental. For organizations managing OT, both types originate from personnel who have legitimate privileged access to OT networks and have insider knowledge of assets, configurations, locations, security controls, or vulnerabilities. Of increasing concern to security teams, these personnel can also include external contractors, such as vendors or consultants, who require high levels of access to perform their role.
Detecting insider threats requires a multifaceted approach that combines technology, policies, and human factors.
Here is how Darktrace detects insider threats:
Darktrace’s anomaly-based threat detection is uniquely positioned to detect insider threats. Both accidental and malicious disruption may use legitimate privileged access to target Purdue Level 1 and 2 controllers and programmers to alter operations. The actor will alter the routine functionality of the process control environment, which can be detected and alerted by a security tool which understands normal and can spot deviations.
Read more here on how Darktrace / OT detects threats in an OT environment
Can Darktrace detect zero-day threats?
Darktrace AI detection capabilities enable it to identify and stop zero-day threats.
For more insights on how Darktrace stops zero-day threats read this blog:
“Self-Learning AI for Zero-Day and N-Day Attack Defense”
“How Darktrace Neutralizes Zero-Day Ransomware Attacks”
“Darktrace Detection of Unattributed Ransomware”
Read more here to learn about zero-day threats, vulnerabilities, and exploits:
Zero-day threats definition: A recently discovered security vulnerability in computer software that has no currently available fix or patch. Its name comes from the reality that vendors have “zero days” to act and respond.
Zero-day vulnerabilities: Flaws or weaknesses in software, hardware, or firmware that are unknown to the vendor or developer. Attackers exploit these vulnerabilities before they are discovered and patched.
Zero-Day Exploits: Specific attacks that leverage zero-day vulnerabilities. These exploits are created by attackers to take advantage of the unknown flaws, often resulting in unauthorized access, data theft, or system compromise.
Zero-Day Malware: Malware that is designed to exploit zero-day vulnerabilities. This type of malware can include viruses, worms, trojans, ransomware, and other malicious software that takes advantage of unpatched flaws.