Blog

A l'intérieur du SOC

PREVENT

Explorer la Cyber AI Loop en tant qu'analyste : PREVENT/ASM & DETECT

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
02
Jan 2023
02
Jan 2023
This blog explores the use of Darktrace PREVENT/ASM and Darktrace DETECT/Network as triage tools for security teams and the increased visibility provided when they complement each other. An example and mock scenario from an Australian environmental customer is also highlighted.

On countless occasions, Darktrace has observed cyber-attacks disrupting business operations by using a vulnerable internet-facing asset as a starting point for infection. Finding that one entry point could be all a threat actor needs to compromise an entire organization. With the objective to prevent such vulnerabilities from being exploited, Darktrace’s latest product family includes Attack Surface Management (ASM) to continuously monitor customer attack surfaces for risks, high-impact vulnerabilities and potential external threats. 

An attack surface is the sum of exposed and internet-facing assets and the associated risks a hacker can exploit to carry out a cyber-attack. PREVENT/ASM uses AI to understand what external assets belong to an organization by searching beyond known servers, networks, and IPs across public data sources. 

This blog discusses how Darktrace PREVENT/ASM could combine with DETECT to find potential vulnerabilities and subsequent exploitation within network traffic. In particular, this blog will investigate the assets of a large Australian company which operates in the environmental sciences industry.   

Introducing ASM

In order to understand the link between PREVENT and DETECT, the core features of ASM should first be showcased.

Figure 1: The PREVENT/ASM dashboard.

When facing the landing page, the UI highlights the number of registered assets identified (with zero prior deployment). The tool then organizes the information gathered online in an easily assessable manner. Analysts can see vulnerable assets according to groupings like ‘Misconfiguration’, ‘Social Media Threat’ and ‘Information Leak’ which shows the type of risk posed to said assets.

Figure 2: The Network tab identifies the external facing assets and their hierarchy in a graphical format.

The Network tab helps analysts to filter further to take more rapid action on the most vulnerable assets and interact with them to gather more information. The image below has been filtered by assets with the ‘highest scoring’ risk.

Figure 3: PREVENT/ASM showing a high scoring asset.

Interacting with the showcased asset selected above allows pivoting to the following page, this provides more granular information around risk metrics and the asset itself. This includes a more detailed description of what the vulnerabilities are, as well as general information about the endpoint including its location, URL, web status and technologies used.

  Figure 4: Asset pages for an external web page at risk.

Filtering does not end here. Within the Insights tab, analysts can use the search bar to craft personalized queries and narrow their focus to specific types of risk such as vulnerable software, open ports, or potential cybersquatting attempts from malicious actors impersonating company brands. Likewise, filters can be made for assets that may be running software at risk from a new CVE. 

Figure 5: Insights page with custom queries to search for assets at risk of Log4J exploitation.

For each of the entries that can be read on the left-hand side, a query that could resemble the one on the top right exists. This allows users to locate specific findings beyond those risks that are categorized as critical. These broader searches can range from viewing the inventory as a whole, to seeing exposed APIs, expiring certificates, or potential shadow IT. Queries will return a list with all the assets matching the given criteria, and users can then explore them further by viewing the asset page as seen in Figure 4.

Compromise Scenario

Now that a basic explanation of PREVENT/ASM has been given, this scenario will continue to look at the Australian customer but show how Darktrace can follow a potential compromise of an at-risk ASM asset into the network. 

Having certain ports open could make it particularly easy for an attacker to access an internet-facing asset, particularly those sensitive ones such as 3389 (RDP), 445 (SMB), 135 (RPC Epmapper). Alternatively, a vulnerable program with a well-known exploitation could also aid the task for threat actors.

In this specific case, PREVENT/ASM identified multiple external assets that belonged to the customer with port 3389 open. One of these assets can be labelled as ‘Server A'. Whilst RDP connections can be protected with a password for a given user, if those were weak to bruteforce, it could be an easy task for an attacker to establish an admin session remotely to the victim machine.

Figure 6: Insights tab query filtering for open RDP port 3389.

N or zero-day vulnerabilities associated with the protocol could also be exploited; for example, CVE-2019-0708 exploits an RCE vulnerability in Remote Desktop where an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. 

Certain protocols are known to be sensitive according to the control they provide on a destination machine. These are developed for administrative purposes but have the potential to ease an attacker’s job if accessible. Thanks to PREVENT/ASM, security teams can anticipate such activity by having visibility over those assets that could be vulnerable. If this RDP were successfully exploited, DETECT/Network would then highlight the unusual activity performed by the compromised device as the attacker moved through the kill chain.  

There are several models within DETECT/Network which monitor for risks against internet facing assets. For example, ‘Server A’ which had an open 3389 port on ASM registered the following model breach in the network:

Figure 7: Breach log showing Anomalous Server Activity / New Internet Facing System model for ‘Server A’.

A model like this could highlight a misconfiguration that has caused an internal device to become unexpectedly open to the internet. It could also suggest a compromised device that has now been opened to the internet to allow further exploitation. If the result of a sudden change, such an asset would also be detected by ASM and highlighted within the ‘New Assets’ part of the Insights page. Ultimately this connection was not malicious, however it shows the ability for security teams to track between PREVENT to DETECT and verify an initial compromise.  

A mock scenario can take this further. Using the continued example of an open port 3389 intrusion, new RDP cookies may be registered (perhaps even administrative). This could enable further lateral movement and eventual privilege escalation. Various DETECT models would highlight actions of this nature, two examples are below:

Figure 8: RDP Lateral Movement related model breaches on customer.

Alongside efforts to move laterally, Darktrace may find attempts at reconnaissance or C2 communication from compromised internet facing devices by looking at Darktrace DETECT model breaches including ‘Network Scan’, ‘SMB Scanning’ and ‘Active Directory Reconnaissance’. In this case the network also saw repeated failed internal connections followed by the ‘LDAP Brute-Force Activity model’ around the same time as the RDP activity. Had this been malicious, DETECT would then continue to provide visibility into the C2 and eventual malware deployment stages. 

Grâce à la visibilité combinée des deux outils, les utilisateurs de Darktrace disposent d'un support pour un meilleur triage sur l'ensemble de la chaîne d'abattage. Pour les clients qui utilisent également RESPOND les actions seront prises à partir de l'alerte DETECT pour bloquer ensuite les activités malveillantes. Ce faisant, les entrées auront alimenté l'ensemble de la Cyber AI Loop en ayant appris de PREVENT, DETECT et RESPOND.

Ce flux de la Cyber AI Loop fonctionne dans les deux sens. Dans la figure 9, ci-dessous, un DETECT modèle de violation montre une alerte client provenant d'un appareil connecté à Internet : 

Figure 9: Model breach on internet-facing server.

This breach took place because an established server suddenly started serving HTTP sessions on a port commonly used for HTTPS (secure) connections. This could be an indicator that a criminal may have gained control of the device and set it to listen on the given port and enable direct connection to the attacker’s machine or command and control server. This device can be viewed by an analyst in its Darktrace PREVENT version, where new metrics can be observed from a perspective outside of the network.

Figure 10: Assets page for server. PREVENT shows few risks for this asset. 

This page reports the associated risks that could be leveraged by malicious actors. In this case, the events are not correlated, but in the event of an attack, this backwards pivoting could help to pinpoint a weak link in the chain and show what allowed the attacker into the network. In doing so this supports the remediation and recovery process. More importantly though, it allows organizations to be proactive and take appropriate security measures required before it could ever be exploited.

Concluding Thoughts

The combination of PREVENT/ASM with DETECT/Network provides wide and in-depth visibility over a company’s infrastructure. Through the Cyber AI Loop, this coverage is continually learning and updating based on inputs from both. PREVENT/ASM can show companies the potential weaknesses that a cybercriminal could take advantage of. In turn this allows them to prioritize patching, updating, and management of their internet facing assets. At the same time, Darktrace DETECT will show the anomalous behavior of any of these internet facing devices, enabling security teams or RESPOND to stop an attack. Use of these tools by an analyst together is effective in gaining informed security data which can be fed back to IT management. Leveraging this allows normal company operations to be performed without the worry of cyber disruption.

Credit to: Emma Foulger, Senior Cyber Analyst at Darktrace

DANS LE SOC
Darktrace sont des experts de classe mondiale en matière de renseignement sur les menaces, de chasse aux menaces et de réponse aux incidents. Ils fournissent une assistance SOC 24 heures sur 24 et 7 jours sur 7 à des milliers de clients Darktrace dans le monde entier. Inside the SOC est exclusivement rédigé par ces experts et fournit une analyse des cyberincidents et des tendances en matière de menaces, basée sur une expérience réelle sur le terrain.
AUTEUR
à propos de l'auteur
Gabriel Hernandez
Book a 1-1 meeting with one of our experts
share this article
CAS D'UTILISATION
Aucun élément trouvé.

More in this series

Aucun élément trouvé.

Blog

A l'intérieur du SOC

Sliver C2: How Darktrace Provided a Sliver of Hope in the Face of an Emerging C2 Framework

Default blog imageDefault blog image
17
Apr 2024

Offensive Security Tools

As organizations globally seek to for ways to bolster their digital defenses and safeguard their networks against ever-changing cyber threats, security teams are increasingly adopting offensive security tools to simulate cyber-attacks and assess the security posture of their networks. These legitimate tools, however, can sometimes be exploited by real threat actors and used as genuine actor vectors.

What is Sliver C2?

Sliver C2 is a legitimate open-source command-and-control (C2) framework that was released in 2020 by the security organization Bishop Fox. Silver C2 was originally intended for security teams and penetration testers to perform security tests on their digital environments [1] [2] [5]. In recent years, however, the Sliver C2 framework has become a popular alternative to Cobalt Strike and Metasploit for many attackers and Advanced Persistence Threat (APT) groups who adopt this C2 framework for unsolicited and ill-intentioned activities.

The use of Sliver C2 has been observed in conjunction with various strains of Rust-based malware, such as KrustyLoader, to provide backdoors enabling lines of communication between attackers and their malicious C2 severs [6]. It is unsurprising, then, that it has also been leveraged to exploit zero-day vulnerabilities, including critical vulnerabilities in the Ivanti Connect Secure and Policy Secure services.

In early 2024, Darktrace observed the malicious use of Sliver C2 during an investigation into post-exploitation activity on customer networks affected by the Ivanti vulnerabilities. Fortunately for affected customers, Darktrace DETECT™ was able to recognize the suspicious network-based connectivity that emerged alongside Sliver C2 usage and promptly brought it to the attention of customer security teams for remediation.

How does Silver C2 work?

Given its open-source nature, the Sliver C2 framework is extremely easy to access and download and is designed to support multiple operating systems (OS), including MacOS, Windows, and Linux [4].

Sliver C2 generates implants (aptly referred to as ‘slivers’) that operate on a client-server architecture [1]. An implant contains malicious code used to remotely control a targeted device [5]. Once a ‘sliver’ is deployed on a compromised device, a line of communication is established between the target device and the central C2 server. These connections can then be managed over Mutual TLS (mTLS), WireGuard, HTTP(S), or DNS [1] [4]. Sliver C2 has a wide-range of features, which include dynamic code generation, compile-time obfuscation, multiplayer-mode, staged and stageless payloads, procedurally generated C2 over HTTP(S) and DNS canary blue team detection [4].

Why Do Attackers Use Sliver C2?

Amidst the multitude of reasons why malicious actors opt for Sliver C2 over its counterparts, one stands out: its relative obscurity. This lack of widespread recognition means that security teams may overlook the threat, failing to actively search for it within their networks [3] [5].

Although the presence of Sliver C2 activity could be representative of authorized and expected penetration testing behavior, it could also be indicative of a threat actor attempting to communicate with its malicious infrastructure, so it is crucial for organizations and their security teams to identify such activity at the earliest possible stage.

Darktrace’s Coverage of Sliver C2 Activity

Darktrace’s anomaly-based approach to threat detection means that it does not explicitly attempt to attribute or distinguish between specific C2 infrastructures. Despite this, Darktrace was able to connect Sliver C2 usage to phases of an ongoing attack chain related to the exploitation of zero-day vulnerabilities in Ivanti Connect Secure VPN appliances in January 2024.

Around the time that the zero-day Ivanti vulnerabilities were disclosed, Darktrace detected an internal server on one customer network deviating from its expected pattern of activity. The device was observed making regular connections to endpoints associated with Pulse Secure Cloud Licensing, indicating it was an Ivanti server. It was observed connecting to a string of anomalous hostnames, including ‘cmjk3d071amc01fu9e10ae5rt9jaatj6b.oast[.]live’ and ‘cmjft14b13vpn5vf9i90xdu6akt5k3pnx.oast[.]pro’, via HTTP using the user agent ‘curl/7.19.7 (i686-redhat-linux-gnu) libcurl/7.63.0 OpenSSL/1.0.2n zlib/1.2.7’.

Darktrace further identified that the URI requested during these connections was ‘/’ and the top-level domains (TLDs) of the endpoints in question were known Out-of-band Application Security Testing (OAST) server provider domains, namely ‘oast[.]live’ and ‘oast[.]pro’. OAST is a testing method that is used to verify the security posture of an application by testing it for vulnerabilities from outside of the network [7]. This activity triggered the DETECT model ‘Compromise / Possible Tunnelling to Bin Services’, which breaches when a device is observed sending DNS requests for, or connecting to, ‘request bin’ services. Malicious actors often abuse such services to tunnel data via DNS or HTTP requests. In this specific incident, only two connections were observed, and the total volume of data transferred was relatively low (2,302 bytes transferred externally). It is likely that the connections to OAST servers represented malicious actors testing whether target devices were vulnerable to the Ivanti exploits.

The device proceeded to make several SSL connections to the IP address 103.13.28[.]40, using the destination port 53, which is typically reserved for DNS requests. Darktrace recognized that this activity was unusual as the offending device had never previously been observed using port 53 for SSL connections.

Model Breach Event Log displaying the ‘Application Protocol on Uncommon Port’ DETECT model breaching in response to the unusual use of port 53.
Figure 1: Model Breach Event Log displaying the ‘Application Protocol on Uncommon Port’ DETECT model breaching in response to the unusual use of port 53.

Figure 2: Model Breach Event Log displaying details pertaining to the ‘Application Protocol on Uncommon Port’ DETECT model breach, including the 100% rarity of the port usage.
Figure 2: Model Breach Event Log displaying details pertaining to the ‘Application Protocol on Uncommon Port’ DETECT model breach, including the 100% rarity of the port usage.

Further investigation into the suspicious IP address revealed that it had been flagged as malicious by multiple open-source intelligence (OSINT) vendors [8]. In addition, OSINT sources also identified that the JARM fingerprint of the service running on this IP and port (00000000000000000043d43d00043de2a97eabb398317329f027c66e4c1b01) was linked to the Sliver C2 framework and the mTLS protocol it is known to use [4] [5].

An Additional Example of Darktrace’s Detection of Sliver C2

However, it was not just during the January 2024 exploitation of Ivanti services that Darktrace observed cases of Sliver C2 usages across its customer base.  In March 2023, for example, Darktrace detected devices on multiple customer accounts making beaconing connections to malicious endpoints linked to Sliver C2 infrastructure, including 18.234.7[.]23 [10] [11] [12] [13].

Darktrace identified that the observed connections to this endpoint contained the unusual URI ‘/NIS-[REDACTED]’ which contained 125 characters, including numbers, lower and upper case letters, and special characters like “_”, “/”, and “-“, as well as various other URIs which suggested attempted data exfiltration:

‘/upload/api.html?c=[REDACTED] &fp=[REDACTED]’

  • ‘/samples.html?mx=[REDACTED] &s=[REDACTED]’
  • ‘/actions/samples.html?l=[REDACTED] &tc=[REDACTED]’
  • ‘/api.html?gf=[REDACTED] &x=[REDACTED]’
  • ‘/samples.html?c=[REDACTED] &zo=[REDACTED]’

This anomalous external connectivity was carried out through multiple destination ports, including the key ports 443 and 8888.

Darktrace additionally observed devices on affected customer networks performing TLS beaconing to the IP address 44.202.135[.]229 with the JA3 hash 19e29534fd49dd27d09234e639c4057e. According to OSINT sources, this JA3 hash is associated with the Golang TLS cipher suites in which the Sliver framework is developed [14].

Conclusion

Despite its relative novelty in the threat landscape and its lesser-known status compared to other C2 frameworks, Darktrace has demonstrated its ability effectively detect malicious use of Sliver C2 across numerous customer environments. This included instances where attackers exploited vulnerabilities in the Ivanti Connect Secure and Policy Secure services.

While human security teams may lack awareness of this framework, and traditional rules and signatured-based security tools might not be fully equipped and updated to detect Sliver C2 activity, Darktrace’s Self Learning AI understands its customer networks, users, and devices. As such, Darktrace is adept at identifying subtle deviations in device behavior that could indicate network compromise, including connections to new or unusual external locations, regardless of whether attackers use established or novel C2 frameworks, providing organizations with a sliver of hope in an ever-evolving threat landscape.

Credit to Natalia Sánchez Rocafort, Cyber Security Analyst, Paul Jennings, Principal Analyst Consultant

Appendices

DETECT Model Coverage

  • Compromise / Repeating Connections Over 4 Days
  • Anomalous Connection / Application Protocol on Uncommon Port
  • Anomalous Server Activity / Server Activity on New Non-Standard Port
  • Compromis / Activité soutenue de balisage TCP vers un endpoint rare.
  • Compromise / Quick and Regular Windows HTTP Beaconing
  • Compromise / High Volume of Connections with Beacon Score
  • Anomalous Connection / Multiple Failed Connections to Rare Endpoint
  • Compromise / Slow Beaconing Activity To External Rare
  • Compromise / HTTP Beaconing to Rare Destination
  • Compromise / Sustained SSL or HTTP Increase
  • Compromise / Large Number of Suspicious Failed Connections
  • Compromise / SSL or HTTP Beacon
  • Compromise / Possible Malware HTTP Comms
  • Compromise / Possible Tunnelling to Bin Services
  • Anomalous Connection / Low and Slow Exfiltration to IP
  • Device / New User Agent
  • Anomalous Connection / New User Agent to IP Without Hostname
  • Anomalous File / EXE from Rare External Location
  • Anomalous File / Numeric File Download
  • Anomalous Connection / Powershell to Rare External
  • Anomalous Server Activity / New Internet Facing System

List of Indicators of Compromise (IoCs)

18.234.7[.]23 - Destination IP - Likely C2 Server

103.13.28[.]40 - Destination IP - Likely C2 Server

44.202.135[.]229 - Destination IP - Likely C2 Server

References

[1] https://bishopfox.com/tools/sliver

[2] https://vk9-sec.com/how-to-set-up-use-c2-sliver/

[3] https://www.scmagazine.com/brief/sliver-c2-framework-gaining-traction-among-threat-actors

[4] https://github[.]com/BishopFox/sliver

[5] https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors

[6] https://securityaffairs.com/158393/malware/ivanti-connect-secure-vpn-deliver-krustyloader.html

[7] https://www.xenonstack.com/insights/out-of-band-application-security-testing

[8] https://www.virustotal.com/gui/ip-address/103.13.28.40/detection

[9] https://threatfox.abuse.ch/browse.php?search=ioc%3A107.174.78.227

[10] https://threatfox.abuse.ch/ioc/1074576/

[11] https://threatfox.abuse.ch/ioc/1093887/

[12] https://threatfox.abuse.ch/ioc/846889/

[13] https://threatfox.abuse.ch/ioc/1093889/

[14] https://github.com/projectdiscovery/nuclei/issues/3330

Continue reading
About the author
Natalia Sánchez Rocafort
Cyber Security Analyst

Blog

Email

Looking Beyond Secure Email Gateways with the Latest Innovations to Darktrace/Email

Default blog imageDefault blog image
09
Apr 2024

Organizations Should Demand More from their Email Security

In response to a more intricate threat landscape, organizations should view email security as a critical component of their defense-in-depth strategy, rather than defending the inbox alone with a traditional Secure Email Gateway (SEG). Organizations need more than a traditional gateway – that doubles, instead of replaces, the capabilities provided by native security vendor – and require an equally granular degree of analysis across all messaging, including inbound, outbound, and lateral mail, plus Teams messages.  

Darktrace/Email is the industry’s most advanced cloud email security, powered by Self-Learning AI. It combines AI techniques to exceed the accuracy and efficiency of leading security solutions, and is the only security built to elevate, not duplicate, native email security.  

With its largest update ever, Darktrace/Email introduces the following innovations, finally allowing security teams to look beyond secure email gateways with autonomous AI:

  • AI-augmented data loss prevention to stop the entire spectrum of outbound mail threats
  • an easy way to deploy DMARC quickly with AI
  • major enhancements to streamline SOC workflows and increase the detection of sophisticated phishing links
  • expansion of Darktrace’s leading AI prevention to lateral mail, account compromise and Microsoft Teams

What’s New with Darktrace/Email  

Data Loss Prevention  

Block the entire spectrum of outbound mail threats with advanced data loss prevention that builds on tags in native email to stop unknown, accidental, and malicious data loss

Darktrace understands normal at individual user, group and organization level with a proven AI that detects abnormal user behavior and dynamic content changes. Using this understanding, Darktrace/Email actions outbound emails to stop unknown, accidental and malicious data loss.  

Traditional DLP solutions only take into account classified data, which relies on the manual input of labelling each data piece, or creating rules to catch pattern matches that try to stop data of certain types leaving the organization. But in today’s world of constantly changing data, regular expression and fingerprinting detection are no longer enough.

  • Human error – Because it understands normal for every user, Darktrace/Email can recognize cases of misdirected emails. Even if the data is correctly labelled or insensitive, Darktrace recognizes when the context in which it is being sent could be a case of data loss and warns the user.  
  • Unclassified data – Whereas traditional DLP solutions can only take action on classified data, Darktrace analyzes the range of data that is either pending labels or can’t be labeled with typical capabilities due to its understanding of the content and context of every email.  
  • Insider threat – If a malicious actor has compromised an account, data exfiltration may still be attempted on encrypted, intellectual property, or other forms of unlabelled data to avoid detection. Darktrace analyses user behaviour to catch cases of unusual data exfiltration from individual accounts.

And classification efforts already in place aren’t wasted – Darktrace/Email extends Microsoft Purview policies and sensitivity labels to avoid duplicate workflows for the security team, combining the best of both approaches to ensure organizations maintain control and visibility over their data.

End User and Security Workflows

Achieve more than 60% improvement in the quality of end-user phishing reports and detection of sophisticated malicious weblinks1

Darktrace/Email improves end-user reporting from the ground up to save security team resource. Employees will always be on the front line of email security – while other solutions assume that end-user reporting is automatically of poor quality, Darktrace prioritizes improving users’ security awareness to increase the quality of end-user reporting from day one.  

Users are empowered to assess and report suspicious activity with contextual banners and Cyber AI Analyst generated narratives for potentially suspicious emails, resulting in 60% fewer benign emails reported.  

Out of the higher-quality emails that end up being reported, the next step is to reduce the amount of emails that reach the SOC. Darktrace/Email’s Mailbox Security Assistant automates their triage with secondary analysis combining additional behavioral signals – using x20 more metrics than previously – with advanced link analysis to detect 70% more sophisticated malicious phishing links.2 This directly alleviates the burden of manual triage for security analysts.

For the emails that are received by the SOC, Darktrace/Email uses automation to reduce time spent investigating per incident. With live inbox view, security teams gain access to a centralized platform that combines intuitive search capabilities, Cyber AI Analyst reports, and mobile application access. Analysts can take remediation actions from within Darktrace/Email, eliminating console hopping and accelerating incident response.

Darktrace takes a user-focused and business-centric approach to email security, in contrast to the attack-centric rules and signatures approach of secure email gateways

Microsoft Teams

Detect threats within your Teams environment such as account compromise, phishing, malware and data loss

Around 83% of Fortune 500 companies rely on Microsoft Office products and services, particularly Teams and SharePoint.3

Darktrace now leverages the same behavioral AI techniques for Microsoft customers across 365 and Teams, allowing organizations to detect threats and signals of account compromise within their Teams environment including social engineering, malware and data loss.  

The primary use case for Microsoft Teams protection is as a potential entry vector. While messaging has traditionally been internal only, as organizations open up it is becoming an entry vector which needs to be treated with the same level of caution as email. That’s why we’re bringing our proven AI approach to Microsoft Teams, that understands the user behind the message.  

Anomalous messaging behavior is also a highly relevant indicator of whether a user has been compromised. Unlike other solutions that analyze Microsoft Teams content which focus on payloads, Darktrace goes beyond basic link and sandbox analysis and looks at actual user behavior from both a content and context perspective. This linguistic understanding isn’t bound by the requirement to match a signature to a malicious payload, rather it looks at the context in which the message has been delivered. From this analysis, Darktrace can spot the early symptoms of account compromise such as early-stage social engineering before a payload is delivered.

Lateral Mail Analysis

Detect and respond to internal mailflow with multi-layered AI to prevent account takeover, lateral phishing and data leaks

The industry’s most robust account takeover protection now prevents lateral mail account compromise. Darktrace has always looked at internal mail to inform inbound and outbound decisions, but will now elevate suspicious lateral mail behaviour using the same AI techniques for inbound, outbound and Teams analysis.

Darktrace integrates signals from across the entire mailflow and communication patterns to determine symptoms of account compromise, now including lateral mailflow

Unlike other solutions which only analyze payloads, Darktrace analyzes a whole range of signals to catch lateral movement before a payload is delivered. Contributing yet another layer to the AI behavioral profile for each user, security teams can now use signals from lateral mail to spot the early symptoms of account takeover and take autonomous actions to prevent further compromise.

DMARC

Gain in-depth visibility and control of 3rd parties using your domain with an industry-first AI-assisted DMARC

Darktrace has created the easiest path to brand protection and compliance with the new Darktrace/DMARC. This new capability continuously stops spoofing and phishing from the enterprise domain, while automatically enhancing email security and reducing the attack surface.

Darktrace/DMARC helps to upskill businesses by providing step by step guidance and automated record suggestions provide a clear, efficient road to enforcement. It allows organizations to quickly achieve compliance with requirements from Google, Yahoo, and others, to ensure that their emails are reaching mailboxes.  

Meanwhile, Darktrace/DMARC helps to reduce the overall attack surface by providing visibility over shadow-IT and third-party vendors sending on behalf of an organization’s brand, while informing recipients when emails from their domains are sent from un-authenticated DMARC source.

Darktrace/DMARC integrates with the wider Darktrace product platform, sharing insights to help further secure your business across Email Attack Path and Attack Surface management.

Conclusion

To learn more about the new innovations to Darktrace/Email download the solution brief here.

All of the new updates to Darktrace/Email sit within the new Darktrace ActiveAI Security Platform, creating a feedback loop between email security and the rest of the digital estate for better protection. Click to read more about the Darktrace ActiveAI Security Platform or to hear about the latest innovations to Darktrace/OT, the most comprehensive prevention, detection, and response solution purpose built for critical infrastructures.  

Learn about the intersection of cyber and AI by downloading the State of AI Cyber Security 2024 report to discover global findings that may surprise you, insights from security leaders, and recommendations for addressing today’s top challenges that you may face, too.

References

[1] Internal Darktrace Research

[2] Internal Darktrace Research

[3] Essential Microsoft Office Statistics in 2024

Continue reading
About the author
Carlos Gray
Product Manager
Our ai. Your data.

Elevate your cyber defenses with Darktrace AI

Commencez votre essai gratuit
Darktrace AI protecting a business from cyber threats.