Darktrace / Endpoint use cases

Securing the modern workforce

Dive into specific threat profiles and see how to reduce time-to-meaning at the endpoint, anywhere your users go.

Ransomware

Ransomware is a multi-stage attack that can begin with a single compromised endpoint device and end with company-wide data encryption. Learn what Darktrace/Endpoint can do to neutralize it at every stage.

Initial Intrusion


Stopping threats the moment they emerge on an endpoint, network or email system is the best way to prevent business disruption. Darktrace has identified well-known exploits such as Log4J, Hafnium, Kaseya without Threat Intelligence, and spots thousands of lesser-known exploits on a regular basis.

Sample analysis of Darktrace / Endpoint
Every threat is different, but some unusual patterns Darktrace / Endpoint assess include:
Unusual Incoming RDP
Unusual file download
Unusual .exe fileTorrenting

Establish Foothold and Beaconing

Darktrace / Endpoint pieces together anomalies to detect when an attacker is attempting to make contact with and remotely control a device .

Darktrace RESPOND/Endpoint neutralizes this activity blocking specific connections or enforcing the ‘pattern of life’

Sample analysis of Darktrace / Endpoint
Every threat is different, but here are some unusual patterns Darktrace / Endpoint might assess when revealing this type of attack:
Beaconing to a young endpoint
Anomalous file downloads
Beaconing activity to external rare endpoint
Connections to unusual endpoint

Data Exfiltration

Whether smash and grab or a low and slow, DETECT/Endpoint identifies subtle deviations in activity to prevent data being exfiltrated from company devices.

Darktrace RESPOND/Endpoint neutralizes this activity by blocking specific connections, enforcing the ‘pattern of life’ or quarantining the device.

Sample analysis of Darktrace / Endpoint
Every threat is different, but here are some unusual patterns Darktrace / Endpoint might assess when revealing this type of attack:
Low and slow exfiltration
Uncommon 1 GiB Outbound
Data sent to rare domain
Unusual External Data Transfer
Unusual data download / upload to rare destination

Data Encryption

Even if familiar tools and methods are used to conduct encryption - whether symmetric or asymmetric - Darktrace detects the activity without using static rules or signatures.

Darktrace RESPOND/Endpoint neutralizes this activity by blocking specific connections, enforcing the ‘pattern of life’ or quarantining the device.

DARKTRACE - Better Together

Even better when deployed with:
Sample analysis of Darktrace / Endpoint
Every threat is different, but here are some unusual patterns Darktrace / Endpoint might assess when revealing this type of attack:
Additional extension appended to SMB file
Suspicious SMB read/write ratio
Sustained MIME type conversion
Possible Ransom Note
Suspicious SMB Activity

Insider Threat

Whether a malicious leaver attempting to exfiltrate data or a careless employee misusing a company device, Darktrace’s understanding of normal patterns of life allows it to stop threats on the inside.

DARKTRACE - Better Together

Even better when deployed with:
Sample analysis of Darktrace / Endpoint
Every threat is different, but here are some unusual patterns Darktrace / Endpoint might assess when revealing this type of attack:
Sustained SSL and HTTP Increase
ICMP Address Scan
Uncommon WMI Activity
Numeric Exe Download
Anomalous File Download
Suspicious SMB Activity
Multiple Unusual File Uploads
Suspicious SMB Read/Write Ratio
Fast Beaconing to DGA

Supply Chain Attack (Third Party Software Vulnerability)

Endpoints can be used as a first point of entry for expansive supply chain attacks. Darktrace stops threats arising from the supply chain by taking immediate action at the first sign of unusual and threatening activity.

DARKTRACE - Better Together

Even better when deployed with:
Sample analysis of Darktrace / Endpoint
Every threat is different, but here are some unusual patterns Darktrace / Endpoint might assess when revealing this type of attack:
EXE from Rare External Location
New User Agent to IP Without Hostname
Beacon to Young Endpoint
Suspicious Self-Signed SSL
IPSec VPN to Rare IP

Crypto-Mining

Malicious crypto-mining can exploit endpoint hardware and is notoriously difficult to detect. It may also form just one phase of an attacker’s plan to infiltrate an organization.

Darktrace shines a light on open ports and internet-facing devices you didn’t know about, and detects the first stages of an attack before crypto-mining can even begin. It also alerts to crypto-mining activity itself, and can be configured to stop the activity autonomously.

Sample analysis of Darktrace / Network
Every threat is different, but here are some unusual patterns Darktrace / Endpoint might assess when revealing this type of attack:
Crypto Currency Mining Activity
Slow Beaconing Activity to External Rare
Suspicious Beacons to Rare PHP Endpoint
SMB Drive Write
Your data. Our AI.
Elevate your cybersecurity with Darktrace AI