A cyber-criminal had already made the first steps of a critical intrusion at a European energy organization when the company deployed AI for cyber defense. Despite the attacker already lurking in the system, Darktrace was able to recognize that their activity deviated from the learned ‘pattern of life’ of the rest of the organization.

The hacker had compromised a desktop and established Command & Control (C2), downloading executable files disguised as harmless PNG files. Upon Darktrace’s detection, later analysis of these ‘harmless’ files suggests they could lead to possible remote access of the compromised device, with use of the Metasploit framework.

The intrusion used many common evasion techniques to bypass traditional tools, including ‘Living off the Land’ techniques and masquerading malware behind commonly used file types. But Darktrace autonomously grouped the desktop into a ‘peer group’ of similar devices, recognizing that its behavior was anomalous in comparison to the wider group.

Detecting a threat already inside

Immediately upon installation, Darktrace began monitoring the behavior of around 5,000 devices, establishing their ‘pattern of life’, as well as that of their peer groups, and the wider organization. Just two hours into this learning process, an administrator’s desktop was observed making suspicious connections to multiple domains hosted on IP 78.142.XX.XXX.

The next day, the desktop was observed downloading a suspicious executable file named d.png, and multiple similar downloads subsequently occurred. Executable files are often masqueraded as other file types in order to help bypass security measures; however, the mismatched file extension here was immediately detected by Darktrace and flagged for further investigation. A lack of OSINT for the download source at the time of this activity meant other security measures may have missed the suspicious HTTP connections. However, the rarity of the IP on the network alongside the unusual behavior in comparison to other network devices led Darktrace to quickly detect this malicious beaconing.

An overview of the infected device

After the first model breach, Darktrace continued to monitor the infected device, graphically representing the regular connections to the malicious endpoint w.gemlabtop. The device made several connections to this endpoint at precise, 3-hour intervals, suggesting some automated activity. The regular nature of these connections suggests that the infection was already established on the device.

Figure 4: The device event log

No other devices in the peer group displayed this sort of behavior. This example of a sophisticated attack shows an attempt to ‘blend in’ to the noise of regular traffic. However, Darktrace’s Immune System was still able to identify the signs of malintent, given its ability to auto-detect and cluster ‘peer groups’ of users and devices, thereby still recognizing abnormal behavior on the single compromised device.

Despite having been active for only a few hours, Darktrace immediately flagged the activity for further investigation. Without Darktrace’s real-time detections and alerts, and a quick response from the security team to contain the threat, the potential ramifications of this intrusion can’t be overstated.
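As an added illustration, not code from Darktrace or from the original write-up, the script below runs over constructed proxy log lines and raises the two signals the case turns on: an image extension fronting a file whose header belongs to an executable, and one device contacting one destination at near-constant intervals. The log format, the placeholder IP 203.0.113.7 and the hostnames are assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample (not from the incident): timestamp, device, destination, URI,
# first body bytes as hex. 203.0.113.7 and the hostnames are placeholders, not the
# IP or domain from the write-up.
SAMPLE_LOG = """\
2020-03-02T09:00:02Z admin-desktop 203.0.113.7 /d.png 4d5a9000
2020-03-02T12:00:01Z admin-desktop 203.0.113.7 /d.png 4d5a9000
2020-03-02T15:00:03Z admin-desktop 203.0.113.7 /d.png 4d5a9000
2020-03-02T18:00:02Z admin-desktop 203.0.113.7 /d.png 4d5a9000
2020-03-02T09:14:11Z finance-pc cdn.example.net /logo.png 89504e47
2020-03-02T11:47:52Z finance-pc cdn.example.net /hero.png 89504e47
"""

IMAGE_MAGIC = {".png": "89504e47", ".jpg": "ffd8ff", ".jpeg": "ffd8ff", ".gif": "474946"}
EXEC_MAGIC = ("4d5a", "7f454c46")  # Windows PE ("MZ") and ELF file headers

def extension_mismatch(uri, body_hex):
    """True when an image extension fronts a body that starts with an executable header."""
    ext = "." + uri.rsplit(".", 1)[-1].lower() if "." in uri else ""
    if ext not in IMAGE_MAGIC:
        return False
    body = body_hex.lower()
    return not body.startswith(IMAGE_MAGIC[ext]) and body.startswith(EXEC_MAGIC)

def beacon_score(times, min_hits=3, max_jitter=0.05):
    """Return (mean gap in seconds, jitter) for sorted timestamps that look automated, else None."""
    if len(times) < min_hits:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    jitter = statistics.pstdev(gaps) / mean if mean else 1.0  # relative spread of the gaps
    return (mean, jitter) if jitter <= max_jitter else None

def analyse(log_text):
    findings, seen = [], defaultdict(list)
    for line in log_text.splitlines():
        ts, device, dest, uri, body = line.split()
        seen[(device, dest)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
        if extension_mismatch(uri, body):
            findings.append(("exec_masquerade", device, dest, uri))
    for (device, dest), times in seen.items():
        score = beacon_score(sorted(times))
        if score:
            findings.append(("beaconing", device, dest, round(score[0])))
    return findings
```

Run on the sample, `analyse(SAMPLE_LOG)` reports four masqueraded downloads and a 10800-second beacon for admin-desktop and nothing for finance-pc, whose two PNG fetches carry real PNG headers.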