Guest Post: Eight cyber-threats legacy tools are missing

By: David Masson, Canada Country Manager, Darktrace

Some of the most sophisticated cyber-attacks have a common trait – they go unnoticed for weeks, months, or even years until they have caused irreparable monetary and reputational damage. More often than not, the evidence of infiltration was present – but perimeter defenses proved insufficient in detecting them until it was too late.

To give a sense of the kinds of threats that legacy tools miss, I’ve compiled a list of real-world incidents that our AI-powered technology caught but that traditional security systems failed to detect. There are a near-infinite number of ways that modern attackers can compromise a network, but here are eight of the more glaring vulnerabilities we’ve detected:

  1. Insider threat: An employee with system administrator privileges decided to leave for a new job. His company had explicit restrictions on cloud usage, but as an administrator, the employee could change the rules about who could access the cloud and from where. The employee attempted to exfiltrate data from the cloud before departing, but because Darktrace provided complete visibility across the entire network infrastructure, including the cloud, the suspicious behavior was spotted. As a result, the company was able to better manage the employee’s departure.
  2. Ransomware: An attacker sent an email containing a fake invoice, supposedly coming from a trusted stationery supplier. An administrative assistant opened the attachment, and JavaScript within the document connected the computer to a server in Ukraine. Within minutes, the downloaded malware began to encrypt company files. Darktrace found the attack by identifying both the connection and the download as major deviations from the user’s and device’s normal ‘pattern of life’, allowing the company to quarantine the infected device before damage could be done.
  3. Compromised video equipment: After a video conferencing unit started to behave strangely, it was determined that a remote attacker had compromised the camera and was sending data outside the network. The attacker moved laterally through the network and attempted to locate Point of Sale (PoS) devices, and they could have been exfiltrating sensitive audio and video. Darktrace detected the compromise after the device initiated a large upload to rare external IPs and began communicating with internal computers that it rarely connected to. Once this behavior was identified, the company immediately disconnected the camera.
  4. Penetration Testing Vulnerability: Darktrace detected a company device updating a penetration testing tool used for attacks on web services. This particular device had never used the pen testing software in the past. Over the next few days, several anomalous behaviors were detected inside the network, including two corporate devices that tried and failed to log in using administrative credentials and an SQL injection attack. The attacks were not associated with any known threat signatures, so they went unnoticed by legacy tools, but Darktrace identified the failed login attempts and the SQL injection attack as highly anomalous behavior for the network.
  5. Credential theft: A healthcare company became infected with a strain of malware built to steal user credentials. Once on the network, the malware spread by copying programs into sensitive folders on other devices and guessing login details. Every infected device was sending programs to sensitive folders on other devices at speeds faster than users could possibly have been acting. The devices were also trying to communicate with suspicious third-party infrastructure. This particular malware used advanced stealth techniques that allowed it to avoid traditional network defenses, but Darktrace recognized the copied programs and the forced access of password managers as abnormal compared to normal network activity.
  6. Self-modifying malware: Many sophisticated attacks contain ‘active defense mechanisms’ that allow them to avoid detection by traditional cyber security monitoring. In this case, the attacker used the ‘Smoke Malware Loader’ tool, a password grabber that protects itself from detection by evolving its threat signature in real-time and generating fake, redundant traffic. By combining various anomalous factors, including the initial incoming file and beaconing to an external device, Darktrace built a detailed understanding of this highly evolved operation, and quickly determined it was threatening behavior.
  7. BitTorrent risks: Certain types of malware can break themselves up into pieces and attach to bits of torrented files, essentially distributing themselves amongst millions of data packets. In this example, a device contacted a BitTorrent network via SSH – a powerful administrative protocol which an attacker exploited to remotely control the infected device and use it as an entry point into the network. Without quick action, this infection could have developed into a serious security breach. Darktrace identified the BitTorrent behavior and the beaconing activity as highly unusual compared to normal network activity.
  8. Biometric scanner vulnerability: To restrict access to their machinery and industrial plants, a manufacturer had a biometric scanner connected to the corporate network. When Darktrace was installed, it flagged unusual Telnet connections to and from the biometric scanner. Once investigated, it was determined that an external party had compromised the scanner and had started to change its data. No signature existed for that threat type, so it would have gone unchecked by legacy controls. Darktrace’s AI defenses identified the breach in time to avoid a physical intrusion and potentially catastrophic damage.
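As an added illustration (not Darktrace’s code or method), the following toy ‘pattern of life’ check runs over constructed flow records: it learns each device’s usual peers, protocols and upload sizes from a baseline window, then alerts on live flows such as the camera’s large upload to a rare external address or the Telnet session to the biometric scanner, but only when two deviations coincide. Device names, addresses, byte counts and the alert threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample flows (not from the post): device, peer, peer_is_internal, proto, bytes_out
BASELINE_FLOWS = [
    ("camera-1", "meet.example.net", False, "tls", 40_000),
    ("camera-1", "meet.example.net", False, "tls", 55_000),
    ("camera-1", "ntp.corp.local", True, "udp/123", 200),
    ("scanner-1", "hr-db.corp.local", True, "https", 1_200),
    ("scanner-1", "hr-db.corp.local", True, "https", 900),
]
LIVE_FLOWS = [
    ("camera-1", "meet.example.net", False, "tls", 60_000),   # normal: known peer, usual size
    ("camera-1", "203.0.113.77", False, "tls", 9_000_000),    # rare external peer + large upload
    ("camera-1", "pos-02.corp.local", True, "smb", 3_000),    # new internal peer + new protocol
    ("scanner-1", "198.51.100.9", False, "telnet", 500),      # external Telnet to the scanner
]

def build_profiles(flows):
    """Learn each device's normal peers, protocols and largest observed upload."""
    profiles = defaultdict(lambda: {"peers": set(), "protos": set(), "max_out": 0})
    for device, peer, _internal, proto, out in flows:
        p = profiles[device]
        p["peers"].add(peer)
        p["protos"].add(proto)
        p["max_out"] = max(p["max_out"], out)
    return profiles

def deviations(profile, flow, upload_factor=10):
    """List the ways one flow departs from the device's learned behaviour."""
    _device, peer, internal, proto, out = flow
    reasons = []
    if peer not in profile["peers"]:
        reasons.append("new_internal_peer" if internal else "new_external_peer")
    if proto not in profile["protos"]:
        reasons.append("new_protocol")
    if out > upload_factor * max(profile["max_out"], 1):
        reasons.append("large_upload")
    return reasons

def detect(baseline, live, min_reasons=2):
    """Alert only when at least min_reasons deviations coincide, to cut single-factor noise."""
    profiles = build_profiles(baseline)  # unseen devices get an empty profile: everything is new
    alerts = []
    for flow in live:
        reasons = deviations(profiles[flow[0]], flow)
        if len(reasons) >= min_reasons:
            alerts.append((flow[0], flow[1], tuple(reasons)))
    return alerts

if __name__ == "__main__":
    for device, peer, reasons in detect(BASELINE_FLOWS, LIVE_FLOWS):
        print(f"ALERT {device} -> {peer}: {', '.join(reasons)}")
```

Single deviations (for example the camera’s slightly larger call to its usual meeting server) are deliberately not alerted on; raising `min_reasons` or `upload_factor` trades sensitivity for fewer false positives.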