The speed at which AI can intelligently respond to an emerging threat has proven to be a game-changer. Crucially, AI buys back time for security teams during an attack, the debilitating impact of which increases with every passing second. As we move into an era of machines fighting machines, autonomous response will be vital in averting a headline-grabbing crisis.
The quiet threat lurking within also remains a unique challenge. Insiders, especially those with privileged access, can cause crippling damage to an organisation. From a systems administrator eager to use corporate infrastructure for crypto-mining, to the non-malicious worker who unknowingly downloads malware from a phishing E-mail, insider threat is notoriously difficult to detect.
Today’s attacker also has the advantage of the entire digital infrastructure at their disposal. Networks no longer have clearly defined borders. New computing models provided by the cloud, the explosion of the Internet of Things (IoT), and the convergence of information technology (IT) and operations technology (OT) networks are blurring the lines and introducing new security blind spots, making it impossible to secure every entry point. Security teams are turning to AI for the answer, as it is capable of detecting and responding to threats wherever they emerge.
Powered by AI, Darktrace finds and autonomously responds to never-before-seen threats that have bypassed the perimeter to find their way into an organisation’s systems. Inspired by the immune system, the technology learns a ‘pattern of life’ for every user and device. From this ever-evolving understanding of normal, the Enterprise Immune System identifies deviations indicative of a threat. Darktrace Antigena can then take targeted autonomous action within seconds to neutralise an emerging threat before it is too late.
As we move into a new age of cyber warfare, it is a call to arms for both attackers and defenders. By embracing world-leading cyber AI, organisations are for the first time regaining the advantage over today’s ever-changing adversary—and winning. Here are some real-life examples:
1. Internet-connected Locker Attempts Data Exfiltration
At an amusement park in North America, an advanced attacker targeted an IoT device—a physical locker designed to store personal belongings—to gain access to sensitive customer data. As part of its default setting, the ‘smart’ locker regularly established contact with the supplier’s third-party online platform. The threat actor identified the source of this automated process and hijacked it to compromise the locker.
Once infiltrated, the locker started to move over a gigabyte of unencrypted data across the network to a rare external site. The data, which could have included identifying details or sensitive credentials, was at risk of being transmitted over the Internet entirely unprotected—giving the attackers the ability to intercept the connections and use the information to breach the company’s network defences.
Making the attack particularly sophisticated and difficult to detect, the locker was sending data out in a slow but consistent manner.
Due to the severity of the threat, Darktrace determined that an autonomous response was required. Within seconds, Darktrace’s AI took action by intelligently blocking all outgoing connections from the compromised locker. In doing so, it gave ample time for the security team to remove the smart locker from the Internet without impacting normal business processes.
Darktrace’s AI is uniquely able to identify the subtlest indicators of ‘low and slow’ attacks and intuitively blocks the attack within seconds, regardless of where it originates on the network. In this case, autonomous response was critical in mitigating the risk for the amusement park, before any sensitive company or consumer data could be exfiltrated.
2. Intellectual Property Targeted by Advanced Malware
At a European medical manufacturing firm, an administrative assistant received an E-mail regarding payments with an invoice attached. Believing the attachment to be authentic, she clicked on it and unwittingly downloaded fast-acting malware that had bypassed all other security controls.
The sophisticated malware was specifically targeting the organisation’s intellectual property, which included highly confidential medical formulas. If these assets were compromised, the firm would be exposed to significant risk to its competitiveness and reputation.
Once the malware was downloaded onto the administrative assistant’s computer, the device rapidly began connecting to a rare external destination while trying to move laterally to other areas of the corporate network. Within two seconds, Darktrace AI identified the emerging foreign presence.
It instantly neutralised the infected device by restricting its activity to fall within its normal ‘pattern of life’. This action prevented the spread of the malware, buying back time for the organisation to take the infected device off the network. Critically, the autonomous response was surgical and proportionate, helping avert a crisis but without disrupting business operations.
When catching a threat, time is working against the security team. As demonstrated in this incident, Darktrace AI technology is capable of responding to an emerging threat in seconds—preventing it from escalating with potentially-devastating consequences.
3. Insider Runs Widespread Bitcoin Operation
It can be easy to overlook the risk that employees pose—individuals with access to sensitive data and systems, but whose digital activities are often difficult to oversee. Privileged access users in particular have the potential to inflict an enormous amount of damage—but are notoriously difficult to spot.
At a Fortune 500 E-commerce company, a disgruntled systems administrator decided to hijack power sources from the company’s infrastructure for his own monetary gain. Over several months, the employee co-opted the user credentials of 11 other users and service accounts to stealthily take over multiple machines for the purpose of crypto-mining.
On installation, Darktrace identified over 140 devices that had been using their processing power to mine cryptocurrency for the 30 days prior. One of the expropriated devices had connected to the rare external crypto-mining destination over 170 times in just one week.
Darktrace’s ability to learn a ‘pattern of life’ for every user and device enabled the organisation to not only identify and stop the activity, but also trace the malicious activity back to a single insider: the systems administrator.
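The two behaviours described above, a ‘low and slow’ transfer of over a gigabyte from one device to a destination nobody else on the network uses (case 1), and a single device contacting a rare destination over 170 times in a week (case 3), can both be expressed as deviations from a fleet-wide baseline. The script below is an added illustration of that idea and is not Darktrace’s code; the flow records, device names, destination addresses and thresholds are all constructed for the example.

```python
from collections import defaultdict

# Thresholds are assumptions chosen for this illustration, not product settings.
RARE_FRACTION = 0.05             # destination used by <= 5% of devices counts as "rare"
LOW_SLOW_MIN_BYTES = 1 << 30     # roughly a gigabyte in total
LOW_SLOW_MIN_SESSIONS = 50       # spread over many small sessions
MAX_SESSION_SHARE = 0.10         # no single session carries more than 10% of the total
FREQUENT_MIN_COUNT = 100         # repeated contact with one rare destination

def build_flows():
    """Constructed flow records (device, destination, bytes_out); not real traffic."""
    flows = []
    for i in range(40):  # 40 workstations fetch updates from one fleet-wide destination
        flows += [(f"ws-{i:02d}", "198.51.100.5", 50_000)] * 3
    # the locker: 200 sessions of 6 MB (1.2 GB) to a destination no other device uses
    flows += [("locker-01", "203.0.113.10", 6_000_000)] * 200
    # one workstation polls a destination no other device uses, 170 times, tiny payloads
    flows += [("ws-07", "203.0.113.77", 1_200)] * 170
    return flows

def rare_destinations(flows):
    """Destinations contacted by only a small fraction of all devices seen."""
    devices = {dev for dev, _, _ in flows}
    seen = defaultdict(set)
    for dev, dst, _ in flows:
        seen[dst].add(dev)
    return {dst for dst, devs in seen.items() if len(devs) / len(devices) <= RARE_FRACTION}

def summarise(flows, rare):
    """Per (device, rare destination): total bytes, session count, largest session."""
    stats = defaultdict(lambda: {"bytes": 0, "sessions": 0, "max": 0})
    for dev, dst, n in flows:
        if dst in rare:
            s = stats[(dev, dst)]
            s["bytes"] += n
            s["sessions"] += 1
            s["max"] = max(s["max"], n)
    return stats

def low_and_slow(flows):
    """Large cumulative transfer to a rare destination, spread over many small sessions."""
    stats = summarise(flows, rare_destinations(flows))
    return [(dev, dst, s["bytes"]) for (dev, dst), s in stats.items()
            if s["bytes"] >= LOW_SLOW_MIN_BYTES and s["sessions"] >= LOW_SLOW_MIN_SESSIONS
            and s["max"] <= MAX_SESSION_SHARE * s["bytes"]]

def frequent_rare_contacts(flows):
    """Repeated connections from one device to a destination the rest of the fleet never uses."""
    stats = summarise(flows, rare_destinations(flows))
    return [(dev, dst, s["sessions"]) for (dev, dst), s in stats.items()
            if s["sessions"] >= FREQUENT_MIN_COUNT]
```

Rarity is computed relative to the whole fleet, so the update server used by every workstation is never flagged, while the locker’s steady trickle and the polling workstation both surface without any signature for the destination itself.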
As the value of cryptocurrencies soars to new heights, the incentive for insiders and external attackers alike to exploit company infrastructure for their own profit has risen significantly. Insider threat is supercharged by new monetisation mechanisms and the premium attackers are willing to pay to access internal systems.