Blog

Leadership éclairé

RESPOND

NJ State Bar Moves Towards Business-Wide Autonomous Security

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
29
Mar 2022
29
Mar 2022
See how the New Jersey State Bar Association adopted Darktrace’s Autonomous Response technology across and stopped a sophisticated SaaS attack. Read more.

The New Jersey State Bar Association supports more than 18,000 attorneys, judges and legislators in the metropolitan New York City region. From an IT security perspective, our primary goals are to protect the sensitive data of our employees and members, and minimize the disruption to our business caused by cyber-threats.

Over the past few years, our team has become increasingly concerned about the terrifying pace at which the threat landscape is evolving. We’ve seen escalating ransomware attacks, we’ve seen attackers targeting the supply chain and exploiting SaaS platforms like Microsoft 365 and Salesforce. We see new vulnerabilities coming out all the time. On the email side, we see evolving attack techniques, with malicious links hidden in documents so that an email bypasses the first line of defense, or lateral movement against calendar invites.

The pace of attacker innovation tells us one thing: we can’t just protect ourselves against the threats that we know about; we must also prepare for those we don’t know about. What might sound like a paradox is actually achievable with the right approach.

This was one of the factors that drew us to Darktrace two years ago: its ability to learn what’s ‘normal’ for our organization and detect anomalies that indicate a cyber-threat. And it wasn’t long into the deployment that this started to yield strong results, shining a light on new vulnerabilities and activity we didn’t previously know about.

But the other major factor in that purchasing decision was Darktrace’s Autonomous Response capability. Cyber-attacks are no longer controlled by a human from start to finish. Attackers are adopting automation and machine learning to scale up and launch faster and more damaging campaigns.

Our relatively small IT team were in constant action trying to stay on top of some of the threats we faced. But even the best team in the world need to sleep. And we found attackers were taking advantage of this, conducting much of their activity outside of office hours, in the middle of the night or on weekends. This led us to the conclusion that we needed something that could respond autonomously, around the clock, to contain serious emerging threats.

Incorporating Autonomous Response into the security stack

The decision to let an AI make decisions and actively intervene in our environment was not taken lightly and prompted a number of considerations. Some people in our team were sceptical and thought it wouldn’t work, others feared that the AI would replace them and render their jobs redundant. Neither turned out to be the case.

One concern was that the AI would trip up our system, with false positives triggering unwanted actions and resulting in disruption. But after a short learning period and some relatively simple fine-tuning, its actions are now extremely precise, acting only in the case of a serious attack and intervening in a targeted way, blocking only unwanted connections without taking the device offline.

As for the AI making our humans redundant: this hasn’t happened either. We’ve found that the AI augments our team and works alongside them: it does much of the heavy lifting: the tedious, manual work, and it means our team can spend their time on things that matter, being proactive and staying on top of threats rather than always playing catch up.

It’s interesting how over time, Autonomous Response has naturally integrated with our workflow. Our experiences over the last two years have definitely prompted a change in philosophy, from a wariness towards AI to embracing a system where humans and AI work in tandem. We even use the product as an education tool: the information it gives us has become incredibly valuable for junior staff who are still learning how to respond to certain events. We’re at the point now where Darktrace is referred to almost as a sentient being; it has become another member of the team, responding to threats and protecting our business like everyone else.

Expanding Autonomous Response across the enterprise

Once we were confident in the AI’s decision-making and its ability to detect and respond to known and unknown threats around the clock, the next phase was to implement this technology across all parts of the digital estate.

When we moved to a system of remote working following the pandemic, it was important to us that Autonomous Response be brought to remote endpoint devices, so that it could be active in protecting our employees, wherever they were working from. We did already have detection and response in place on the endpoint, but by this point, Darktrace’s Autonomous Response had become so integral to our security posture that we needed to extend it to cover every base.

We also adopted Antigena Email, which uses the same underlying approach to respond to novel threats targeting the inbox, and Antigena SaaS, to respond to account takeovers in Microsoft 365.

Having a single AI approach span multiple silos serves to increase the accuracy of its decision-making: an understanding of endpoint and network traffic can help Antigena Email understand if a link in an email is threatening, for example. Or in the case of account takeover, an unusual SaaS login followed by suspicious email activity can paint a picture of one systematic attack.

The more sophisticated attackers today are unlikely to target just one corner of your digital estate. Having a single AI system connect the dots across cloud, email, network and endpoints puts us in the best possible position.

A crucial layer of defense

I liken the need for Darktrace with the need to wear a seatbelt. You hope that most of the time, you won’t need it. But when the worst happens, it can save you from a potentially fatal threat.

In early 2022 we were targeted by a very targeted, clever attack, in which the attacker adopted a variety of techniques to stay under the radar of the rest of our security stack. It began with a seemingly benign SaaS login from an expected region of the world, but from a different network within that region. We would not have seen this attack without Darktrace connecting multiple subtle anomalies. And we know that if there was some lateral movement later down the line then Antigena would kick in in a variety of different ways to shut the attack down.

As we continue to be targeted by increasingly advanced attackers, this is the kind of insurance we need. Darktrace is not the only tool we use, but it has become the foundation that everything is built on. And with Autonomous Response across our digital estate, we know we have best-in-class protection against novel attacks, no matter where or when they come in.

Hear from more Darktrace customers

DANS LE SOC
Darktrace sont des experts de classe mondiale en matière de renseignement sur les menaces, de chasse aux menaces et de réponse aux incidents. Ils fournissent une assistance SOC 24 heures sur 24 et 7 jours sur 7 à des milliers de clients Darktrace dans le monde entier. Inside the SOC est exclusivement rédigé par ces experts et fournit une analyse des cyberincidents et des tendances en matière de menaces, basée sur une expérience réelle sur le terrain.
AUTEUR
à propos de l'auteur
Dr Robert Spangler
Associate Executive Director of the New Jersey State Bar Association
Book a 1-1 meeting with one of our experts
share this article
CAS D'UTILISATION
Aucun élément trouvé.
PLEINS FEUX SUR LES PRODUITS
Aucun élément trouvé.
Couverture de base
Aucun élément trouvé.

More in this series

Aucun élément trouvé.

Blog

A l'intérieur du SOC

Lost in Translation: Darktrace Blocks Non-English Phishing Campaign Concealing Hidden Payloads

Default blog imageDefault blog image
15
May 2024

Email – the vector of choice for threat actors

In times of unprecedented globalization and internationalization, the enormous number of emails sent and received by organizations every day has opened the door for threat actors looking to gain unauthorized access to target networks.

Now, increasingly global organizations not only need to safeguard their email environments against phishing campaigns targeting their employees in their own language, but they also need to be able to detect malicious emails sent in foreign languages too [1].

Why are non-English language phishing emails more popular?

Many traditional email security vendors rely on pre-trained English language models which, while function adequately against malicious emails composed in English, would struggle in the face of emails composed in other languages. It should, therefore, come as no surprise that this limitation is becoming increasingly taken advantage of by attackers.  

Darktrace/Email™, on the other hand, focuses on behavioral analysis and its Self-Learning AI understands what is considered ‘normal’ for every user within an organization’s email environment, bypassing any limitations that would come from relying on language-trained models [1].

In March 2024, Darktrace observed anomalous emails on a customer’s network that were sent from email addresses belonging to an international fast-food chain. Despite this seeming legitimacy, Darktrace promptly identified them as phishing emails that contained malicious payloads, preventing a potentially disruptive network compromise.

Attack Overview and Darktrace Coverage

On March 3, 2024, Darktrace observed one of the customer’s employees receiving an email which would turn out to be the first of more than 50 malicious emails sent by attackers over the course of three days.

The Sender

Darktrace/Email immediately understood that the sender never had any previous correspondence with the organization or its employees, and therefore treated the emails with caution from the onset. Not only was Darktrace able to detect this new sender, but it also identified that the emails had been sent from a domain located in China and contained an attachment with a Chinese file name.

The phishing emails detected by Darktrace sent from a domain in China and containing an attachment with a Chinese file name.
Figure 1: The phishing emails detected by Darktrace sent from a domain in China and containing an attachment with a Chinese file name.

Darktrace further detected that the phishing emails had been sent in a synchronized fashion between March 3 and March 5. Eight unique senders were observed sending a total of 55 emails to 55 separate recipients within the customer’s email environment. The format of the addresses used to send these suspicious emails was “12345@fastflavor-shack[.]cn”*. The domain “fastflavor-shack[.]cn” is the legitimate domain of the Chinese division of an international fast-food company, and the numerical username contained five numbers, with the final three digits changing which likely represented different stores.

*(To maintain anonymity, the pseudonym “Fast Flavor Shack” and its fictitious domain, “fastflavor-shack[.]cn”, have been used in this blog to represent the actual fast-food company and the domains identified by Darktrace throughout this incident.)

The use of legitimate domains for malicious activities become commonplace in recent years, with attackers attempting to leverage the trust endpoint users have for reputable organizations or services, in order to achieve their nefarious goals. One similar example was observed when Darktrace detected an attacker attempting to carry out a phishing attack using the cloud storage service Dropbox.

As these emails were sent from a legitimate domain associated with a trusted organization and seemed to be coming from the correct connection source, they were verified by Sender Policy Framework (SPF) and were able to evade the customer’s native email security measures. Darktrace/Email; however, recognized that these emails were actually sent from a user located in Singapore, not China.

Darktrace/Email identified that the email had been sent by a user who had logged in from Singapore, despite the connection source being in China.
Figure 2: Darktrace/Email identified that the email had been sent by a user who had logged in from Singapore, despite the connection source being in China.

The Emails

Darktrace/Email autonomously analyzed the suspicious emails and identified that they were likely phishing emails containing a malicious multistage payload.

Darktrace/Email identifying the presence of a malicious phishing link and a multistage payload.
Figure 3: Darktrace/Email identifying the presence of a malicious phishing link and a multistage payload.

There has been a significant increase in multistage payload attacks in recent years, whereby a malicious email attempts to elicit recipients to follow a series of steps, such as clicking a link or scanning a QR code, before delivering a malicious payload or attempting to harvest credentials [2].

In this case, the malicious actor had embedded a suspicious link into a QR code inside a Microsoft Word document which was then attached to the email in order to direct targets to a malicious domain. While this attempt to utilize a malicious QR code may have bypassed traditional email security tools that do not scan for QR codes, Darktrace was able to identify the presence of the QR code and scan its destination, revealing it to be a suspicious domain that had never previously been seen on the network, “sssafjeuihiolsw[.]bond”.

Suspicious link embedded in QR Code, which was detected and extracted by Darktrace.
Figure 4: Suspicious link embedded in QR Code, which was detected and extracted by Darktrace.

At the time of the attack, there was no open-source intelligence (OSINT) on the domain in question as it had only been registered earlier the same day. This is significant as newly registered domains are typically much more likely to bypass gateways until traditional security tools have enough intelligence to determine that these domains are malicious, by which point a malicious actor may likely have already gained access to internal systems [4]. Despite this, Darktrace’s Self-Learning AI enabled it to recognize the activity surrounding these unusual emails as suspicious and indicative of a malicious phishing campaign, without needing to rely on existing threat intelligence.

The most commonly used sender name line for the observed phishing emails was “财务部”, meaning “finance department”, and Darktrace observed subject lines including “The document has been delivered”, “Income Tax Return Notice” and “The file has been released”, all written in Chinese.  The emails also contained an attachment named “通知文件.docx” (“Notification document”), further indicating that they had been crafted to pass for emails related to financial transaction documents.

 Darktrace/Email took autonomous mitigative action against the suspicious emails by holding the message from recipient inboxes.
Figure 5: Darktrace/Email took autonomous mitigative action against the suspicious emails by holding the message from recipient inboxes.

Conclusion

Although this phishing attack was ultimately thwarted by Darktrace/Email, it serves to demonstrate the potential risks of relying on solely language-trained models to detect suspicious email activity. Darktrace’s behavioral and contextual learning-based detection ensures that any deviations in expected email activity, be that a new sender, unusual locations or unexpected attachments or link, are promptly identified and actioned to disrupt the attacks at the earliest opportunity.

In this example, attackers attempted to use non-English language phishing emails containing a multistage payload hidden behind a QR code. As traditional email security measures typically rely on pre-trained language models or the signature-based detection of blacklisted senders or known malicious endpoints, this multistage approach would likely bypass native protection.  

Darktrace/Email, meanwhile, is able to autonomously scan attachments and detect QR codes within them, whilst also identifying the embedded links. This ensured that the customer’s email environment was protected against this phishing threat, preventing potential financial and reputation damage.

Credit to: Rajendra Rushanth, Cyber Analyst, Steven Haworth, Head of Threat Modelling, Email

Appendices  

List of Indicators of Compromise (IoCs)  

IoC – Type – Description

sssafjeuihiolsw[.]bond – Domain Name – Suspicious Link Domain

通知文件.docx – File - Payload  

References

[1] https://darktrace.com/blog/stopping-phishing-attacks-in-enter-language  

[2] https://darktrace.com/blog/attacks-are-getting-personal

[3] https://darktrace.com/blog/phishing-with-qr-codes-how-darktrace-detected-and-blocked-the-bait

[4] https://darktrace.com/blog/the-domain-game-how-email-attackers-are-buying-their-way-into-inboxes

Continue reading
About the author
Rajendra Rushanth
Cyber Analyst

Blog

Aucun élément trouvé.

The State of AI in Cybersecurity: The Impact of AI on Cybersecurity Solutions

Default blog imageDefault blog image
13
May 2024

About the AI Cybersecurity Report

Darktrace surveyed 1,800 CISOs, security leaders, administrators, and practitioners from industries around the globe. Our research was conducted to understand how the adoption of new AI-powered offensive and defensive cybersecurity technologies are being managed by organizations.

This blog continues the conversation from “The State of AI in Cybersecurity: Unveiling Global Insights from 1,800 Security Practitioners” which was an overview of the entire report. This blog will focus on one aspect of the overarching report, the impact of AI on cybersecurity solutions.

To access the full report, click here.

The effects of AI on cybersecurity solutions

Overwhelming alert volumes, high false positive rates, and endlessly innovative threat actors keep security teams scrambling. Defenders have been forced to take a reactive approach, struggling to keep pace with an ever-evolving threat landscape. It is hard to find time to address long-term objectives or revamp operational processes when you are always engaged in hand-to-hand combat.                  

The impact of AI on the threat landscape will soon make yesterday’s approaches untenable. Cybersecurity vendors are racing to capitalize on buyer interest in AI by supplying solutions that promise to meet the need. But not all AI is created equal, and not all these solutions live up to the widespread hype.  

Do security professionals believe AI will impact their security operations?

Yes! 95% of cybersecurity professionals agree that AI-powered solutions will level up their organization’s defenses.                                                                

Not only is there strong agreement about the ability of AI-powered cybersecurity solutions to improve the speed and efficiency of prevention, detection, response, and recovery, but that agreement is nearly universal, with more than 95% alignment.

This AI-powered future is about much more than generative AI. While generative AI can help accelerate the data retrieval process within threat detection, create quick incident summaries, automate low-level tasks in security operations, and simulate phishing emails and other attack tactics, most of these use cases were ranked lower in their impact to security operations by survey participants.

There are many other types of AI, which can be applied to many other use cases:

Supervised machine learning: Applied more often than any other type of AI in cybersecurity. Trained on attack patterns and historical threat intelligence to recognize known attacks.

Natural language processing (NLP): Applies computational techniques to process and understand human language. It can be used in threat intelligence, incident investigation, and summarization.

Large language models (LLMs): Used in generative AI tools, this type of AI applies deep learning models trained on massively large data sets to understand, summarize, and generate new content. The integrity of the output depends upon the quality of the data on which the AI was trained.

Unsupervised machine learning: Continuously learns from raw, unstructured data to identify deviations that represent true anomalies. With the correct models, this AI can use anomaly-based detections to identify all kinds of cyber-attacks, including entirely unknown and novel ones.

What are the areas of cybersecurity AI will impact the most?

Improving threat detection is the #1 area within cybersecurity where AI is expected to have an impact.                                                                                  

The most frequent response to this question, improving threat detection capabilities in general, was top ranked by slightly more than half (57%) of respondents. This suggests security professionals hope that AI will rapidly analyze enormous numbers of validated threats within huge volumes of fast-flowing events and signals. And that it will ultimately prove a boon to front-line security analysts. They are not wrong.

Identifying exploitable vulnerabilities (mentioned by 50% of respondents) is also important. Strengthening vulnerability management by applying AI to continuously monitor the exposed attack surface for risks and high-impact vulnerabilities can give defenders an edge. If it prevents threats from ever reaching the network, AI will have a major downstream impact on incident prevalence and breach risk.

Where will defensive AI have the greatest impact on cybersecurity?

Cloud security (61%), data security (50%), and network security (46%) are the domains where defensive AI is expected to have the greatest impact.        

Respondents selected broader domains over specific technologies. In particular, they chose the areas experiencing a renaissance. Cloud is the future for most organizations,
and the effects of cloud adoption on data and networks are intertwined. All three domains are increasingly central to business operations, impacting everything everywhere.

Responses were remarkably consistent across demographics, geographies, and organization sizes, suggesting that nearly all survey participants are thinking about this similarly—that AI will likely have far-reaching applications across the broadest fields, as well as fewer, more specific applications within narrower categories.

Going forward, it will be paramount for organizations to augment their cloud and SaaS security with AI-powered anomaly detection, as threat actors sharpen their focus on these targets.

How will security teams stop AI-powered threats?            

Most security stakeholders (71%) are confident that AI-powered security solutions are better able to block AI-powered threats than traditional tools.

There is strong agreement that AI-powered solutions will be better at stopping AI-powered threats (71% of respondents are confident in this), and there’s also agreement (66%) that AI-powered solutions will be able to do so automatically. This implies significant faith in the ability of AI to detect threats both precisely and accurately, and also orchestrate the correct response actions.

There is also a high degree of confidence in the ability of security teams to implement and operate AI-powered solutions, with only 30% of respondents expressing doubt. This bodes well for the acceptance of AI-powered solutions, with stakeholders saying they’re prepared for the shift.

On the one hand, it is positive that cybersecurity stakeholders are beginning to understand the terms of this contest—that is, that only AI can be used to fight AI. On the other hand, there are persistent misunderstandings about what AI is, what it can do, and why choosing the right type of AI is so important. Only when those popular misconceptions have become far less widespread can our industry advance its effectiveness.  

To access the full report, click here.

Continue reading
About the author
The Darktrace Community
Our ai. Your data.

Elevate your cyber defenses with Darktrace AI

Commencez votre essai gratuit
Darktrace AI protecting a business from cyber threats.