Blog

A l'intérieur du SOC

Growing your onion: AutoIt malware in the Darktrace kill chain

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
18
Oct 2022
18
Oct 2022
AutoIt is a scripting language designed for general purpose development. However, like many freeware languages, it has been exploited for malicious intent. Recently Darktrace captured the whole kill-chain of an AutoIt malware compromise, from delivery via email to payload download and subsequent C2.

Introduction 

Good defence is like an onion, it has layers. Each part of a security implementation should have checks built in so that if one wall is breached, there are further contingencies. Security aficionados call this ‘defence in depth’, a military concept introduced to the cyber-sphere in 2009 [1]. Since then, it has remained a central tenet when designing secure systems, digital or otherwise [2]. Despite this, the attacker’s advantage is ever-present with continued development of malware and zero-day exploits. No matter how many layers a security platform has, how can organisations be expected to protect against a threat they do not know or even understand? 

Take the case of one Darktrace customer, a government-contracted manufacturing company located in the Americas. This company possesses a modern OT and IT network comprised of several thousand devices. They have dozens of servers, a few of which host Microsoft Exchange. Every week, these few mail servers receive hundreds of malicious payloads which will ultimately attempt to make their way into over a thousand different inboxes while dodging different security gateways. Had the RESPOND portion of Darktrace for Email been properly enabled, this is where the story would have ended. However, in June 2022 an employee made an instinctual decision that could have potentially cost the company its time, money, and reputation as a government contractor. Their crime: opening an unknown html file attached to a compelling phishing email. 

Following this misstep, a download was initiated which resulted in compromise of the system via vulnerable Microsoft admin tools from endpoints largely unknown to conventional OSINT sources. Using these tools, further malicious connectivity was accomplished before finally petering out. Fortunately, their existing Microsoft security gateway was up to date on the command and control (C2) domains observed in this breach and refused the connections.

Darktrace detected this activity at every turn, from the initial email to the download and subsequent attempted C2. Cyber AI Analyst stitched the events together for easy understanding and detected Indicators of Compromise (IOCs) that were not yet flagged in the greater intelligence community and, critically, did this all at machine speed. 

So how did the attacker evade action for so long? The answer is product misconfiguration - they did not refine their ‘layers’.  

Attack Details

On the night of June 8th an employee received a malicious email. Darktrace detected that this email contained a html attachment which itself contained links to endpoints 100% rare to the network. This email also originated from a never-before-seen sender. Although it would usually have been withheld based on these factors, the customer’s Darktrace/Email deployment was set to Advisory Mode meaning it continued through to the inbox. Late the next day, this user opened the attachment which then routed them to the 100% rare endpoint ‘xberxkiw[.]club’, a probable landing page for malware that did not register on OSINT available at the time.

Figure 1- Popular OSINT VirusTotal showing zero hits against the rare endpoint 

Only seconds after reaching the endpoint, Darktrace detected the Microsoft BITS user agent reaching out to another 100% rare endpoint ‘yrioer[.]mikigertxyss[.]com’, which generated a DETECT/Network model breach, ‘Unusual BITS Activity’. This was immediately suspicious since BITS is a deprecated and insecure windows admin tool which has been known to facilitate the movement of malicious payloads into and around a network. Upon successfully establishing a connection, the affected device began downloading a self-professed .zip file. However, Darktrace detected this file to be an extension-swapped .exe file. A PCAP of this activity can be seen below in Figure 2.

Figure 2- PCAP highlighting BITs service connections and false .zip (.exe) download

This activity also triggered a correlating breach of the ‘Masqueraded File Transfer’ model and pushed a high-fidelity alert to the Darktrace Proactive Threat Notification (PTN) service. This ensured both Darktrace and the customer’s SOC team were alerted to the anomalous activity.

At this stage the local SOC were likely beginning their triage. However further connections were being made to extend the compromise on the employee’s device and the network. The file they downloaded was later revealed to be ‘AutoIT3.exe’, a default filename given to any AutoIt script. AutoIt scripts do have legitimate use cases but are often associated with malicious activity for their ability to interact with the Windows GUI and bypass client protections. After opening, these scripts would launch on the host device and probe for other weaknesses. In this case, the script may have attempted to hunt passwords/default credentials, scan the local directory for common sensitive files, or scout local antivirus software on the device. It would then share any information gathered via established C2 channels.  

After the successful download of this mismatched MIME type, the device began attempting to further establish C2 to the endpoint ‘dirirxhitoq[.]kialsoyert[.]tk’. Even though OSINT still did not flag this endpoint, Darktrace detected this outreach as suspicious and initiated its first Cyber AI Analyst investigation into the beaconing activity. Following the sixth connection made to this endpoint on the 10th of June, the infected device breached C2 models, such as ‘Agent Beacon (Long Period)’ and ‘HTTP Beaconing to Rare Destination’. 

As the beaconing continued, it was clear that internal reconnaissance from AutoIt was not widely achieved, although similar IOCs could be detected on at least two other internal devices. This may represent other users opening the same malicious email, or successful lateral movement and infection propagation from the initial user/device. However comparatively, these devices did not experience the same level of infection as the first employee’s machine and never downloaded any malicious executables. AutoIt has a history of being used to deliver information stealers, which suggests a possible motivation had wider network compromise been successful [3].

Thankfully, after the 10th of June no further exploitation was observed. This was likely due to the combined awareness and action brought by the PTN alerting, static security gateways and action from the local security team. The company were protected thanks to defence in depth.  

Darktrace Coverage

Despite this, the role of Darktrace itself cannot be understated. Darktrace/Email was integral to the early detection process and provided insight into the vector and delivery methods used by this attacker. Post-compromise, Darktrace/Network also observed the full range of suspicious activity brought about by this incursion. In particular, the AI analyst feature played a major role in reducing the time for the SOC team to triage by detecting and flagging key information regarding some of the earliest IOCs.

Figure 3- Sample information pulled by AI analyst about one of the involved endpoints

Alongside the early detection, there were several instances where RESPOND/Network would have intervened however autonomous actions were limited to a small test group and not enabled widely throughout the customer’s deployment. As such, this activity continued unimpeded- a weak layer. Figure 4 highlights the first Darktrace RESPOND action which would have been taken.

Figure 4- Upon detecting the download of a mismatched mime from a rare endpoint, Darktrace RESPOND would have blocked all connections to the rare endpoint on the relevant port in a targeted manner

This Darktrace RESPOND action provides a precise and limited response by blocking the anomalous file download. However, after continued anomalous activity, RESPOND would have strengthened its posture and enforced stronger curbs across the wider anomalous activity. This stronger enforcement is a measure designed to relegate a device to its established norm. The breach which would generate this response can be seen below:

Figure 5- After a prolonged period of anomalous activity, Darktrace RESPOND would have stepped in to enforce the typical pattern of life observed on this device

Although Darktrace RESPOND was not fully enabled, this company had an extra layer of security in the PTN service, which alerted them just minutes after the initial file download was detected, alongside details relevant to the investigation. This ensured both Darktrace analysts and their own could review the activity and begin to isolate and remediate the threat. 

Concluding Insights

Thankfully, with multiple layers in their security, the customer managed to escape this incident largely unscathed. Quick and comprehensive email and network detection, customer alerting and local gateway blocking C2 connections ensured that the infection did not have leeway to propagate laterally throughout the network. However, even though this infection did not lead to catastrophe, the fact that it happened in the first place should be a learning point. 

Had RESPOND/Email been properly configured, this threat would have been stopped before reaching its intended recipients, removing the need to rely on end-users as a security measure. Furthermore, had RESPOND/Network been utilized beyond a limited test group, this activity would have been blocked at every other step of the network-level kill chain. From the anomalous MIME download to the establishment of C2, Darktrace RESPOND would have been able to effectively isolate and quarantine this activity to the host device, without any reliance on slow-to-update OSINT sources. RESPOND allows for the automation of time-sensitive security decisions and adds a powerful layer of defence that conventional security solutions cannot provide. Although it can be difficult to relinquish human ownership of these decisions, doing so is necessary to prevent unknown attackers from infiltrating using unknown vectors to achieve unknown ends.  

In conclusion, this incident demonstrates an effective case study around detecting a threat with novel IOCs. However, it is also a reminder that a company’s security makeup can always be improved. Overall, when building security layers in a company’s ‘onion’, it is great to have the best tools, but it is even greater to use them in the best way. Only with continued refining can organisations guarantee defence in depth. 

Thanks to Connor Mooney and Stefan Rowe for their contributions.

Appendices

Darktrace Model Detections

·      Anomalous File / EXE from Rare External Location 

·      Compromise / Agent Beacon (Long Period) 

·      Compromise / HTTP Beaconing to Rare Destination 

·      Device / Large Number of Model Breaches 

·      Device / Suspicious Domain 

·      Device / Unusual BITS Activity 

·      Enhanced Monitoring: Anomalous File / Masqueraded File Transfer 

DANS LE SOC
Darktrace sont des experts de classe mondiale en matière de renseignement sur les menaces, de chasse aux menaces et de réponse aux incidents. Ils fournissent une assistance SOC 24 heures sur 24 et 7 jours sur 7 à des milliers de clients Darktrace dans le monde entier. Inside the SOC est exclusivement rédigé par ces experts et fournit une analyse des cyberincidents et des tendances en matière de menaces, basée sur une expérience réelle sur le terrain.
AUTEUR
à propos de l'auteur
Joel Davidson
Cyber Analyst
Book a 1-1 meeting with one of our experts
share this article
CAS D'UTILISATION
Aucun élément trouvé.
PLEINS FEUX SUR LES PRODUITS
Aucun élément trouvé.
Couverture de base
Aucun élément trouvé.

More in this series

Aucun élément trouvé.

Blog

A l'intérieur du SOC

Sliver C2: How Darktrace Provided a Sliver of Hope in the Face of an Emerging C2 Framework

Default blog imageDefault blog image
17
Apr 2024

Offensive Security Tools

As organizations globally seek to for ways to bolster their digital defenses and safeguard their networks against ever-changing cyber threats, security teams are increasingly adopting offensive security tools to simulate cyber-attacks and assess the security posture of their networks. These legitimate tools, however, can sometimes be exploited by real threat actors and used as genuine actor vectors.

What is Sliver C2?

Sliver C2 is a legitimate open-source command-and-control (C2) framework that was released in 2020 by the security organization Bishop Fox. Silver C2 was originally intended for security teams and penetration testers to perform security tests on their digital environments [1] [2] [5]. In recent years, however, the Sliver C2 framework has become a popular alternative to Cobalt Strike and Metasploit for many attackers and Advanced Persistence Threat (APT) groups who adopt this C2 framework for unsolicited and ill-intentioned activities.

The use of Sliver C2 has been observed in conjunction with various strains of Rust-based malware, such as KrustyLoader, to provide backdoors enabling lines of communication between attackers and their malicious C2 severs [6]. It is unsurprising, then, that it has also been leveraged to exploit zero-day vulnerabilities, including critical vulnerabilities in the Ivanti Connect Secure and Policy Secure services.

In early 2024, Darktrace observed the malicious use of Sliver C2 during an investigation into post-exploitation activity on customer networks affected by the Ivanti vulnerabilities. Fortunately for affected customers, Darktrace DETECT™ was able to recognize the suspicious network-based connectivity that emerged alongside Sliver C2 usage and promptly brought it to the attention of customer security teams for remediation.

How does Silver C2 work?

Given its open-source nature, the Sliver C2 framework is extremely easy to access and download and is designed to support multiple operating systems (OS), including MacOS, Windows, and Linux [4].

Sliver C2 generates implants (aptly referred to as ‘slivers’) that operate on a client-server architecture [1]. An implant contains malicious code used to remotely control a targeted device [5]. Once a ‘sliver’ is deployed on a compromised device, a line of communication is established between the target device and the central C2 server. These connections can then be managed over Mutual TLS (mTLS), WireGuard, HTTP(S), or DNS [1] [4]. Sliver C2 has a wide-range of features, which include dynamic code generation, compile-time obfuscation, multiplayer-mode, staged and stageless payloads, procedurally generated C2 over HTTP(S) and DNS canary blue team detection [4].

Why Do Attackers Use Sliver C2?

Amidst the multitude of reasons why malicious actors opt for Sliver C2 over its counterparts, one stands out: its relative obscurity. This lack of widespread recognition means that security teams may overlook the threat, failing to actively search for it within their networks [3] [5].

Although the presence of Sliver C2 activity could be representative of authorized and expected penetration testing behavior, it could also be indicative of a threat actor attempting to communicate with its malicious infrastructure, so it is crucial for organizations and their security teams to identify such activity at the earliest possible stage.

Darktrace’s Coverage of Sliver C2 Activity

Darktrace’s anomaly-based approach to threat detection means that it does not explicitly attempt to attribute or distinguish between specific C2 infrastructures. Despite this, Darktrace was able to connect Sliver C2 usage to phases of an ongoing attack chain related to the exploitation of zero-day vulnerabilities in Ivanti Connect Secure VPN appliances in January 2024.

Around the time that the zero-day Ivanti vulnerabilities were disclosed, Darktrace detected an internal server on one customer network deviating from its expected pattern of activity. The device was observed making regular connections to endpoints associated with Pulse Secure Cloud Licensing, indicating it was an Ivanti server. It was observed connecting to a string of anomalous hostnames, including ‘cmjk3d071amc01fu9e10ae5rt9jaatj6b.oast[.]live’ and ‘cmjft14b13vpn5vf9i90xdu6akt5k3pnx.oast[.]pro’, via HTTP using the user agent ‘curl/7.19.7 (i686-redhat-linux-gnu) libcurl/7.63.0 OpenSSL/1.0.2n zlib/1.2.7’.

Darktrace further identified that the URI requested during these connections was ‘/’ and the top-level domains (TLDs) of the endpoints in question were known Out-of-band Application Security Testing (OAST) server provider domains, namely ‘oast[.]live’ and ‘oast[.]pro’. OAST is a testing method that is used to verify the security posture of an application by testing it for vulnerabilities from outside of the network [7]. This activity triggered the DETECT model ‘Compromise / Possible Tunnelling to Bin Services’, which breaches when a device is observed sending DNS requests for, or connecting to, ‘request bin’ services. Malicious actors often abuse such services to tunnel data via DNS or HTTP requests. In this specific incident, only two connections were observed, and the total volume of data transferred was relatively low (2,302 bytes transferred externally). It is likely that the connections to OAST servers represented malicious actors testing whether target devices were vulnerable to the Ivanti exploits.

The device proceeded to make several SSL connections to the IP address 103.13.28[.]40, using the destination port 53, which is typically reserved for DNS requests. Darktrace recognized that this activity was unusual as the offending device had never previously been observed using port 53 for SSL connections.

Model Breach Event Log displaying the ‘Application Protocol on Uncommon Port’ DETECT model breaching in response to the unusual use of port 53.
Figure 1: Model Breach Event Log displaying the ‘Application Protocol on Uncommon Port’ DETECT model breaching in response to the unusual use of port 53.

Figure 2: Model Breach Event Log displaying details pertaining to the ‘Application Protocol on Uncommon Port’ DETECT model breach, including the 100% rarity of the port usage.
Figure 2: Model Breach Event Log displaying details pertaining to the ‘Application Protocol on Uncommon Port’ DETECT model breach, including the 100% rarity of the port usage.

Further investigation into the suspicious IP address revealed that it had been flagged as malicious by multiple open-source intelligence (OSINT) vendors [8]. In addition, OSINT sources also identified that the JARM fingerprint of the service running on this IP and port (00000000000000000043d43d00043de2a97eabb398317329f027c66e4c1b01) was linked to the Sliver C2 framework and the mTLS protocol it is known to use [4] [5].

An Additional Example of Darktrace’s Detection of Sliver C2

However, it was not just during the January 2024 exploitation of Ivanti services that Darktrace observed cases of Sliver C2 usages across its customer base.  In March 2023, for example, Darktrace detected devices on multiple customer accounts making beaconing connections to malicious endpoints linked to Sliver C2 infrastructure, including 18.234.7[.]23 [10] [11] [12] [13].

Darktrace identified that the observed connections to this endpoint contained the unusual URI ‘/NIS-[REDACTED]’ which contained 125 characters, including numbers, lower and upper case letters, and special characters like “_”, “/”, and “-“, as well as various other URIs which suggested attempted data exfiltration:

‘/upload/api.html?c=[REDACTED] &fp=[REDACTED]’

  • ‘/samples.html?mx=[REDACTED] &s=[REDACTED]’
  • ‘/actions/samples.html?l=[REDACTED] &tc=[REDACTED]’
  • ‘/api.html?gf=[REDACTED] &x=[REDACTED]’
  • ‘/samples.html?c=[REDACTED] &zo=[REDACTED]’

This anomalous external connectivity was carried out through multiple destination ports, including the key ports 443 and 8888.

Darktrace additionally observed devices on affected customer networks performing TLS beaconing to the IP address 44.202.135[.]229 with the JA3 hash 19e29534fd49dd27d09234e639c4057e. According to OSINT sources, this JA3 hash is associated with the Golang TLS cipher suites in which the Sliver framework is developed [14].

Conclusion

Despite its relative novelty in the threat landscape and its lesser-known status compared to other C2 frameworks, Darktrace has demonstrated its ability effectively detect malicious use of Sliver C2 across numerous customer environments. This included instances where attackers exploited vulnerabilities in the Ivanti Connect Secure and Policy Secure services.

While human security teams may lack awareness of this framework, and traditional rules and signatured-based security tools might not be fully equipped and updated to detect Sliver C2 activity, Darktrace’s Self Learning AI understands its customer networks, users, and devices. As such, Darktrace is adept at identifying subtle deviations in device behavior that could indicate network compromise, including connections to new or unusual external locations, regardless of whether attackers use established or novel C2 frameworks, providing organizations with a sliver of hope in an ever-evolving threat landscape.

Credit to Natalia Sánchez Rocafort, Cyber Security Analyst, Paul Jennings, Principal Analyst Consultant

Appendices

DETECT Model Coverage

  • Compromise / Repeating Connections Over 4 Days
  • Anomalous Connection / Application Protocol on Uncommon Port
  • Anomalous Server Activity / Server Activity on New Non-Standard Port
  • Compromis / Activité soutenue de balisage TCP vers un endpoint rare.
  • Compromise / Quick and Regular Windows HTTP Beaconing
  • Compromise / High Volume of Connections with Beacon Score
  • Anomalous Connection / Multiple Failed Connections to Rare Endpoint
  • Compromise / Slow Beaconing Activity To External Rare
  • Compromise / HTTP Beaconing to Rare Destination
  • Compromise / Sustained SSL or HTTP Increase
  • Compromise / Large Number of Suspicious Failed Connections
  • Compromise / SSL or HTTP Beacon
  • Compromise / Possible Malware HTTP Comms
  • Compromise / Possible Tunnelling to Bin Services
  • Anomalous Connection / Low and Slow Exfiltration to IP
  • Device / New User Agent
  • Anomalous Connection / New User Agent to IP Without Hostname
  • Anomalous File / EXE from Rare External Location
  • Anomalous File / Numeric File Download
  • Anomalous Connection / Powershell to Rare External
  • Anomalous Server Activity / New Internet Facing System

List of Indicators of Compromise (IoCs)

18.234.7[.]23 - Destination IP - Likely C2 Server

103.13.28[.]40 - Destination IP - Likely C2 Server

44.202.135[.]229 - Destination IP - Likely C2 Server

References

[1] https://bishopfox.com/tools/sliver

[2] https://vk9-sec.com/how-to-set-up-use-c2-sliver/

[3] https://www.scmagazine.com/brief/sliver-c2-framework-gaining-traction-among-threat-actors

[4] https://github[.]com/BishopFox/sliver

[5] https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actors

[6] https://securityaffairs.com/158393/malware/ivanti-connect-secure-vpn-deliver-krustyloader.html

[7] https://www.xenonstack.com/insights/out-of-band-application-security-testing

[8] https://www.virustotal.com/gui/ip-address/103.13.28.40/detection

[9] https://threatfox.abuse.ch/browse.php?search=ioc%3A107.174.78.227

[10] https://threatfox.abuse.ch/ioc/1074576/

[11] https://threatfox.abuse.ch/ioc/1093887/

[12] https://threatfox.abuse.ch/ioc/846889/

[13] https://threatfox.abuse.ch/ioc/1093889/

[14] https://github.com/projectdiscovery/nuclei/issues/3330

Continue reading
About the author
Natalia Sánchez Rocafort
Cyber Security Analyst

Blog

Email

Looking Beyond Secure Email Gateways with the Latest Innovations to Darktrace/Email

Default blog imageDefault blog image
09
Apr 2024

Organizations Should Demand More from their Email Security

In response to a more intricate threat landscape, organizations should view email security as a critical component of their defense-in-depth strategy, rather than defending the inbox alone with a traditional Secure Email Gateway (SEG). Organizations need more than a traditional gateway – that doubles, instead of replaces, the capabilities provided by native security vendor – and require an equally granular degree of analysis across all messaging, including inbound, outbound, and lateral mail, plus Teams messages.  

Darktrace/Email is the industry’s most advanced cloud email security, powered by Self-Learning AI. It combines AI techniques to exceed the accuracy and efficiency of leading security solutions, and is the only security built to elevate, not duplicate, native email security.  

With its largest update ever, Darktrace/Email introduces the following innovations, finally allowing security teams to look beyond secure email gateways with autonomous AI:

  • AI-augmented data loss prevention to stop the entire spectrum of outbound mail threats
  • an easy way to deploy DMARC quickly with AI
  • major enhancements to streamline SOC workflows and increase the detection of sophisticated phishing links
  • expansion of Darktrace’s leading AI prevention to lateral mail, account compromise and Microsoft Teams

What’s New with Darktrace/Email  

Data Loss Prevention  

Block the entire spectrum of outbound mail threats with advanced data loss prevention that builds on tags in native email to stop unknown, accidental, and malicious data loss

Darktrace understands normal at individual user, group and organization level with a proven AI that detects abnormal user behavior and dynamic content changes. Using this understanding, Darktrace/Email actions outbound emails to stop unknown, accidental and malicious data loss.  

Traditional DLP solutions only take into account classified data, which relies on the manual input of labelling each data piece, or creating rules to catch pattern matches that try to stop data of certain types leaving the organization. But in today’s world of constantly changing data, regular expression and fingerprinting detection are no longer enough.

  • Human error – Because it understands normal for every user, Darktrace/Email can recognize cases of misdirected emails. Even if the data is correctly labelled or insensitive, Darktrace recognizes when the context in which it is being sent could be a case of data loss and warns the user.  
  • Unclassified data – Whereas traditional DLP solutions can only take action on classified data, Darktrace analyzes the range of data that is either pending labels or can’t be labeled with typical capabilities due to its understanding of the content and context of every email.  
  • Insider threat – If a malicious actor has compromised an account, data exfiltration may still be attempted on encrypted, intellectual property, or other forms of unlabelled data to avoid detection. Darktrace analyses user behaviour to catch cases of unusual data exfiltration from individual accounts.

And classification efforts already in place aren’t wasted – Darktrace/Email extends Microsoft Purview policies and sensitivity labels to avoid duplicate workflows for the security team, combining the best of both approaches to ensure organizations maintain control and visibility over their data.

End User and Security Workflows

Achieve more than 60% improvement in the quality of end-user phishing reports and detection of sophisticated malicious weblinks1

Darktrace/Email improves end-user reporting from the ground up to save security team resource. Employees will always be on the front line of email security – while other solutions assume that end-user reporting is automatically of poor quality, Darktrace prioritizes improving users’ security awareness to increase the quality of end-user reporting from day one.  

Users are empowered to assess and report suspicious activity with contextual banners and Cyber AI Analyst generated narratives for potentially suspicious emails, resulting in 60% fewer benign emails reported.  

Out of the higher-quality emails that end up being reported, the next step is to reduce the amount of emails that reach the SOC. Darktrace/Email’s Mailbox Security Assistant automates their triage with secondary analysis combining additional behavioral signals – using x20 more metrics than previously – with advanced link analysis to detect 70% more sophisticated malicious phishing links.2 This directly alleviates the burden of manual triage for security analysts.

For the emails that are received by the SOC, Darktrace/Email uses automation to reduce time spent investigating per incident. With live inbox view, security teams gain access to a centralized platform that combines intuitive search capabilities, Cyber AI Analyst reports, and mobile application access. Analysts can take remediation actions from within Darktrace/Email, eliminating console hopping and accelerating incident response.

Darktrace takes a user-focused and business-centric approach to email security, in contrast to the attack-centric rules and signatures approach of secure email gateways

Microsoft Teams

Detect threats within your Teams environment such as account compromise, phishing, malware and data loss

Around 83% of Fortune 500 companies rely on Microsoft Office products and services, particularly Teams and SharePoint.3

Darktrace now leverages the same behavioral AI techniques for Microsoft customers across 365 and Teams, allowing organizations to detect threats and signals of account compromise within their Teams environment including social engineering, malware and data loss.  

The primary use case for Microsoft Teams protection is as a potential entry vector. While messaging has traditionally been internal only, as organizations open up it is becoming an entry vector which needs to be treated with the same level of caution as email. That’s why we’re bringing our proven AI approach to Microsoft Teams, that understands the user behind the message.  

Anomalous messaging behavior is also a highly relevant indicator of whether a user has been compromised. Unlike other solutions that analyze Microsoft Teams content which focus on payloads, Darktrace goes beyond basic link and sandbox analysis and looks at actual user behavior from both a content and context perspective. This linguistic understanding isn’t bound by the requirement to match a signature to a malicious payload, rather it looks at the context in which the message has been delivered. From this analysis, Darktrace can spot the early symptoms of account compromise such as early-stage social engineering before a payload is delivered.

Lateral Mail Analysis

Detect and respond to internal mailflow with multi-layered AI to prevent account takeover, lateral phishing and data leaks

The industry’s most robust account takeover protection now prevents lateral mail account compromise. Darktrace has always looked at internal mail to inform inbound and outbound decisions, but will now elevate suspicious lateral mail behaviour using the same AI techniques for inbound, outbound and Teams analysis.

Darktrace integrates signals from across the entire mailflow and communication patterns to determine symptoms of account compromise, now including lateral mailflow

Unlike other solutions which only analyze payloads, Darktrace analyzes a whole range of signals to catch lateral movement before a payload is delivered. Contributing yet another layer to the AI behavioral profile for each user, security teams can now use signals from lateral mail to spot the early symptoms of account takeover and take autonomous actions to prevent further compromise.

DMARC

Gain in-depth visibility and control of 3rd parties using your domain with an industry-first AI-assisted DMARC

Darktrace has created the easiest path to brand protection and compliance with the new Darktrace/DMARC. This new capability continuously stops spoofing and phishing from the enterprise domain, while automatically enhancing email security and reducing the attack surface.

Darktrace/DMARC helps to upskill businesses by providing step by step guidance and automated record suggestions provide a clear, efficient road to enforcement. It allows organizations to quickly achieve compliance with requirements from Google, Yahoo, and others, to ensure that their emails are reaching mailboxes.  

Meanwhile, Darktrace/DMARC helps to reduce the overall attack surface by providing visibility over shadow-IT and third-party vendors sending on behalf of an organization’s brand, while informing recipients when emails from their domains are sent from un-authenticated DMARC source.

Darktrace/DMARC integrates with the wider Darktrace product platform, sharing insights to help further secure your business across Email Attack Path and Attack Surface management.

Conclusion

To learn more about the new innovations to Darktrace/Email download the solution brief here.

All of the new updates to Darktrace/Email sit within the new Darktrace ActiveAI Security Platform, creating a feedback loop between email security and the rest of the digital estate for better protection. Click to read more about the Darktrace ActiveAI Security Platform or to hear about the latest innovations to Darktrace/OT, the most comprehensive prevention, detection, and response solution purpose built for critical infrastructures.  

Learn about the intersection of cyber and AI by downloading the State of AI Cyber Security 2024 report to discover global findings that may surprise you, insights from security leaders, and recommendations for addressing today’s top challenges that you may face, too.

References

[1] Internal Darktrace Research

[2] Internal Darktrace Research

[3] Essential Microsoft Office Statistics in 2024

Continue reading
About the author
Carlos Gray
Product Manager
Our ai. Your data.

Elevate your cyber defenses with Darktrace AI

Commencez votre essai gratuit
Darktrace AI protecting a business from cyber threats.