Archive for Darktrace

Darktrace Immune System Version 5 Launches

Posted in Commentary with tags on September 14, 2020 by itnerd

Darktrace, the world’s leading cyber AI company, today launched Version 5 of its self-learning, self-defending Darktrace Immune System, allowing security teams to meet the novel challenges presented by more dynamic ways of working. 

Darktrace was the first to use machine learning to analyze normal patterns of work, adapt on the job, and autonomously respond when changes in employees’ behaviors introduce security risks. With flexible work, Darktrace Immune System Version 5 extends protection against insider threat, data leaks, and advanced cyber-attacks beyond office walls, with lightweight client sensors and one-click integrations to provide a holistic view. 

As the C-suite balances managing employee productivity with cyber security, organizations are also accelerating digital transformation investments to support cloud-based business and customer engagement models. Darktrace Immune System Version 5 delivers security both from the cloud and for the cloud, including new Autonomous Response for SaaS applications like Microsoft365.

Digital transformation also encompasses more automation, integration, and artificial intelligence to streamline processes, extend existing investments and augment human teams. One of the most significant advancements in these areas is Darktrace Cyber AI Analyst, which mimics world-class threat analysts to prioritize, investigate and report on top threats. Investigations can now be kicked off by threats identified by people, for example the HR department, or from third-party security tools. Incidents can now also be fed into SIEMs, SOAR, or ticketing systems.

Darktrace Immune System Version 5’s numerous innovations include:

  • Extended Visibility: new ‘client sensors’ extend the Enterprise Immune System’s visibility to remote and decentralized workers, on clients on or off VPN
  • Autonomous Response for SaaS: Darktrace Antigena can now take action to stop emerging threats within Microsoft 365 and Zoom
  • Upgrade to Cyber AI Analyst: automated threat investigations and reporting can now be produced for Cloud, SaaS and Industrial environments, triggered on-demand by humans and third-party security tools
  • Dedicated SaaS Console: new, intuitive visualization of SaaS-based threats, seamlessly harmonized with other interface views
  • New One-Click Integrations – easier to integrate with a range of additional third-party security tools for telemetry, SOC workflow and active Autonomous Response integrations
  • Cloud-Native Delivery – Darktrace’s flexible delivery options include 100% cloud-hosted deployments, with AWS Marketplace or AWS QuickStart

Hazing Has Been Replaced By Hacking…. Which Means That Universities Need To Improve Their Cyber Defenses

Posted in Commentary with tags on August 7, 2020 by itnerd

School rivalry takes on a different meaning for university and college students this year, with cyber hackers advancing their methods of attack in the new normal. In the last three months alone, we’ve seen cyberattacks carried out against two of Canada’s largest universities, with both Western University and York University falling victim to ransomware attacks.

Apparently, covering cars in shaving cream is so last century.

As the long-term shift to online learning becomes a reality, students and institutions alike will need to protect themselves when using tools such as Zoom, Slack and other platforms to complete studies online.

David Masson, Director of Enterprise Security at Darktrace had this to say about universities needing to up their game when it comes to their cyber defenses:

“Universities work in an environment based on free exchange of knowledge and national and international cooperation. Threat actors know this and will seek to exploit the relative ease of access to networks provided by the nature of universities’ transparent approaches. 

Security teams who protect universities know that attackers will look to take advantage, and so they use training methods and technology to combat imminent cyber threats. Security teams also realise how difficult it is to defend themselves; it is difficult to have full visibility of their entire digital infrastructure and additionally to be able to respond quickly to impending attacks. 

In order to deal with the quantity and quality of threats, which are increasingly complex and happening at machine speed thanks to attackers’ use of AI and developments in 5G, those defending universities need to embrace AI technology themselves to augment and support their security teams to regain the advantage on the defensive side in the cyber arms race.”

Darktrace’s Cyber AI Is Helping Security Analysts Act Fast And Accurately

Posted in Commentary with tags on August 6, 2020 by itnerd

Darktrace today reported that its Cyber AI Analyst product has performed millions of threat investigations, mimicking human thought processes to zoom in on and explore potential threats, and report on the severity of an attack. Mike Beck, Global CISO at Darktrace, will be discussing these capabilities and real-world examples during a presentation at Black Hat USA on Wednesday, August 5th at 10am PDT. 

Initially released last September following a 3-year research project at Darktrace’s AI labs in Cambridge, UK, Cyber AI Analyst trains by observing world-class security analysts performing investigations – not on examples of previous attacks. The technology questions raw security alerts, seeks out additional context, and asks questions of third-party sources to come to a conclusion. Using natural language processing, the AI Analyst reports relevant findings at the right moment to security operations personnel, in their local language.

With human security analysts spending an average of 3 hours per security investigation, scaling teams to meet the demand for fast and accurate triaging has become unviable. Today, thousands of organizations rely on Cyber AI Analyst to run investigations alongside their teams, delivering a 92% time saving.

Guest Post: Darktrace Email Finds: Two WeTransfer Impersonation Attacks Caught By AI

Posted in Commentary with tags on July 31, 2020 by itnerd

By: Dan Fien, Director of Email Security Products for the Americas, Darktrace

In recent months, Antigena Email has seen a surge in email attacks claiming to be from file sharing site WeTransfer. These attacks attempt to deploy malware into a recipient’s device and further infiltrate an organization. 

This is a common technique deployed by attackers, who find success in masquerading behind the trusted brands of well-known SaaS vendors. Darktrace has recently seen similar attacks leveraging both QuickBooks and Microsoft Teams.

Incident one

This email was directed at an employee in the accounts department of a leading financial services organization in the APAC region. 

Figure 1: An interactive snapshot of Antigena Email’s user interface.

The subject line of this email – “We sent you an invoice via WeTransfer” – is typical of a solicitation attack. Hidden behind a button reading ‘Get your files’ was a webpage that contained malware but displayed a login page. If a user entered their username and password in an attempt to access this ‘invoice’, the malware would harvest their credentials and send them to the attacker.

Figure 2: The fake login page, branded as Microsoft Excel, which would have likely sent the credentials to a spreadsheet controlled by the attacker.

This attack bypassed the other security tools in place, but was detected by Antigena Email due to a number of anomalies that when stitched together unmistakably reveal a threat.

Figure 3: Antigena Email’s dashboard reveals the true sender of the email.

Critical for Antigena Email’s detection of this attack was that the email contained an anomalous link. It would be highly unusual for WeTransfer to link to SharePoint – a direct competitor – in their emails. The AI also recognized that neither the employee in the accounting department, nor anyone else in the organization, had previously visited the domain in question, and deemed this email to be 100% anomalous. These details, along with other characteristics of the URL, gave Darktrace’s AI reason to tag this email with the ‘suspicious link’ tag, prompting Antigena Email to double lock the offending link and hold the message back from the recipient’s inbox.

Incident two

A second incident leveraging WeTransfer’s name was detected just a week later at a law firm in Europe. This email was more sophisticated and even more convincing, appearing to come from the legitimate WeTransfer domain. However, it still set off over a dozen Darktrace models, again prompting Antigena to lock links and hold the email back.

Figure 4: An interactive UI snapshot of the second email.

This attack went a step further. Whereas in the previous scenario the attacker simply changed the personal name, leveraging <noreply[.]com>, here the attacker manipulated the headers to make the email appear to come from the WeTransfer domain. 

Recent research that will be further unveiled at Black Hat indicates there could be as many as 18 different methods to mislead common email verification checks like DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC). Some of these techniques may be as simple as including two FROM lines in an email header, which may result in a mail server verifying the first FROM header while the email client displays the second FROM address. As a result, an email sent from an attacker’s mail server can be verified as coming from a legitimate address – in this case <noreply@wetransfer[.]com>.
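As an added example (not Darktrace’s code and not part of the original post), here is a small Python triage check for the header tricks described above: it flags a message carrying more than one From header, a display name claiming a brand whose address domain does not match, and a DKIM signing domain that does not cover the From domain. The sample messages, the KNOWN_BRANDS table and all domains are constructed for illustration.

```python
"""Defender-side checks for duplicate/spoofed From headers.

Constructed example. Three checks a gateway or triage script can apply:
  1. more than one From header (RFC 5322 allows exactly one)
  2. a brand name in the display name that does not match the address domain
  3. a DKIM signing domain (d=) that does not cover the From domain
"""
import email
import re
from email.utils import getaddresses

# Brands commonly impersonated, mapped to the domain the real sender uses.
# Constructed table for this example; extend for your own environment.
KNOWN_BRANDS = {
    "wetransfer": "wetransfer.com",
    "microsoft teams": "microsoft.com",
}

# Constructed sample: two From lines, DKIM-signed by the attacker's own domain.
SAMPLE_TWO_FROM = b"""\
From: WeTransfer <noreply@wetransfer.com>
From: WeTransfer <noreply@attacker.example>
To: accounts@victim.example
Subject: We sent you an invoice via WeTransfer
DKIM-Signature: v=1; a=rsa-sha256; d=attacker.example; s=sel; h=from:to; bh=x; b=y

Get your files: https://example.invalid/get-your-files
"""

# Constructed sample of a well-formed notification for comparison.
SAMPLE_CLEAN = b"""\
From: WeTransfer <noreply@wetransfer.com>
To: accounts@victim.example
Subject: Your files are ready
DKIM-Signature: v=1; a=rsa-sha256; d=wetransfer.com; s=sel; h=from:to; bh=x; b=y

Your files are ready to download.
"""


def _domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def _same_org(domain: str, expected: str) -> bool:
    """True if domain equals expected or is a subdomain of it."""
    return domain == expected or domain.endswith("." + expected)


def _dkim_domains(msg) -> list:
    """Extract the d= tag from every DKIM-Signature header."""
    out = []
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d=\s*([^;\s]+)", sig)
        if m:
            out.append(m.group(1).lower())
    return out


def analyze_from_headers(raw: bytes) -> list:
    """Return finding codes for the From-header anomalies; [] means none."""
    msg = email.message_from_bytes(raw)  # compat32 policy: raw header strings
    findings = []

    def add(code):
        if code not in findings:
            findings.append(code)

    from_headers = msg.get_all("From", [])
    # 1. Two From headers: a verifier may check one while the client shows the other.
    if len(from_headers) > 1:
        add("multiple_from_headers")
    addrs = getaddresses(from_headers)
    # 2. Display name claims a brand but the address belongs to someone else.
    for name, addr in addrs:
        for brand, expected in KNOWN_BRANDS.items():
            if brand in name.lower() and not _same_org(_domain_of(addr), expected):
                add("brand_domain_mismatch")
    # 3. A DKIM signature only vouches for the displayed sender if d= covers it.
    dkim = _dkim_domains(msg)
    for _name, addr in addrs:
        dom = _domain_of(addr)
        if dkim and dom and not any(_same_org(dom, d) for d in dkim):
            add("dkim_domain_mismatch")
    return findings


if __name__ == "__main__":
    print("two-From sample:", analyze_from_headers(SAMPLE_TWO_FROM))
    print("clean sample:   ", analyze_from_headers(SAMPLE_CLEAN))
```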

The familiarity of the apparent sender of this email is reflected in the ‘Depth’ and ‘Width’ scores below of 19 and 47 respectively, indicating moderate communication history. However, Antigena Email reveals that the true sender is from a rare domain, and one that is unrelated to WeTransfer.

Figure 6: The metrics of the second email.

Darktrace’s AI also detected two suspicious links within the email that were considered highly anomalous given previous communication between WeTransfer and the client. And importantly – the absence of a WeTransfer link!

Figure 7: Two links in the email were considered highly anomalous and threatening.

These unusual links combined with the recognition of a spoofing attempt prompted Antigena Email to deem this email as 100% anomalous and intervene, protecting the recipient — and business — from harm. Despite this second email attack employing more sophisticated attack methods, allowing it to evade legacy email tools and closely resembling a legitimate email, Darktrace’s AI was able to recognize an even wider array of indicators that prompted it to hold the email back.


Russian Hacker Group Accused Of Targeting COVID-19 Vaccine Research In Canada, U.S. and U.K

Posted in Commentary with tags on July 16, 2020 by itnerd

Given the times that we live in, a vaccine is the top priority for getting the planet out of the COVID-19 pandemic. So it doesn’t exactly come as a shock that research into a vaccine is a target for hackers that belong to nation states. Case in point is the news that Russian hackers have targeted COVID-19 research:

A hacker group “almost certainly” backed by Russia has tried to steal COVID-19-related vaccine research in Canada, the U.K. and the U.S., according to intelligence agencies in all three countries.

The Communications Security Establishment (CSE), responsible for Canada’s foreign signals intelligence, said APT29 — also known as Cozy Bear and the Dukes — is behind the malicious activity.

The group was accused of hacking the Democratic National Committee before the 2016 U.S. election.

The group “almost certainly operates as part of Russian intelligence services,” the CSE said in a statement released Thursday morning in co-ordination with its international counterparts — an allegation the Kremlin immediately denied.

No shock that the Kremlin denies this as I am sure that nation states don’t want to be associated with the activities of the hacker groups that they covertly sponsor as it gives them plausible deniability. This is important because Russia has a history of stealing intellectual property. David Masson, Director of Enterprise Security, Darktrace goes into more details about that:

The Soviet Union, and now its successor Russia, has a long and established history of stealing other countries’ intellectual property in order to satisfy national interests. In this instance, we are being warned about an APT (APT 29) linked to the Russian Intelligence Services using cyber-attacks to obtain information on COVID-19 research from medical organizations around the world. Given the recent warning from the US/UK and Canada combined, we can consider that these three countries have been victims of such attacks.

Russia is also facing the effects of this global pandemic and will be seeking “help” in order to deal with it now and in the future. Trying to gain an advantage in the fight against COVID-19 could well lead to theft of research from around the world in order to avoid otherwise necessary investment in time, money and effort (which may not be available). In the modern era, cyber-attacks have proven to be a very cost-effective way of obtaining information that may well be very difficult to get ahold of by other means. Currently the crown jewels in the COVID-19 fight will be a vaccine, so information and research on this subject are extremely valuable.

Medical research organisations, especially those working in academia often operate in a climate of trust and collaboration and will be seen as easy targets by groups such as APT29 who will exploit this. We can expect further attacks and further warnings as the pandemic wears on.

Guest Post: Darktrace Discusses A Sophisticated Phishing Campaign Leveraging Microsoft Teams

Posted in Commentary with tags on July 8, 2020 by itnerd

With the move to remote working having surged, the number of active daily users on Microsoft Teams has grown to 75 million, up from 20 million this time last year. Similar trends are being seen across Slack, Zoom, and Google Meet. With these SaaS applications becoming a staple in Canadians’ working lives, businesses should anticipate cyber-criminals beginning to leverage their household names and trusted reputation to launch email attack campaigns.

Darktrace’s AI, Antigena Email, picked up on one such attempt last month while deployed in passive mode at a multinational conglomerate – identifying 48 incoming emails that impersonated Microsoft Teams notifications, but in fact came from an unknown sender and rare domain. The attacker was targeting employees alphabetically, seemingly working methodically through the address book.

With so much of the Canadian workforce moving to a more long-term work from home arrangement – and conference calls utilizing programs like Microsoft Teams a big part of the day-to-day – it’s imperative for businesses to safeguard themselves against threats. 

Guest Post: Darktrace Describes Why AI Is Critical For Stopping The Rising Threat Of Cyber Attacks In Industrial Environments

Posted in Commentary with tags on July 6, 2020 by itnerd

Cyber-attacks on industrial environments are on the rise. Whether caused by attacks that bleed from the IT network and spill out on to critical systems or malware that specifically targets them, cyber criminals and nation states now have the ability to cause chaos at the click of a button: halting production or even causing power outages across cities.

The potential impact of an attack on critical national infrastructure should not be understated. As smart buildings, cities and the Internet of Things become more common, vulnerabilities are growing, and state sponsored attackers are on the lookout for ways in. The lines between cyber and physical are blurring and this raises the stakes for all involved – increasing the likelihood of unintentional escalations and further complicating international relations.

The key point is that critical environments do not fail gracefully. There isn’t the option of reverting to pen and paper and muddling along. 

Now is the time to build in cyber resiliency so these systems are able to resist and fight back against cyber-attacks.

Industrial environments cannot simply be air-gapped to keep them safe and so organizations need to invest in artificial intelligence systems that can work in the background to automatically and dynamically block attacks that not only bleed from IT but originate in industrial systems.

Below are a series of industrial threat finds Darktrace AI has detected in recent weeks. These real-life threat finds are great examples of the threats facing industrial environments, as well as the vulnerability of IoT devices, and how AI is capable of stopping them in their tracks.


Like almost every other business across the globe, a US construction company transitioned to remote working.

To facilitate the transition, they protected their IT network with the usual firewalls and anti-virus software and focused on how industrial technology could continue to safely operate while employees worked from home.

What they failed to remember was that the air conditioning units back at their HQ were connected to the corporate network – so that the temperature could be automatically monitored. As attackers scanned all devices at the HQ for vulnerabilities, they noticed this air conditioning unit was left exposed and hacked into the air conditioning.

In a stroke of good timing, the company deployed Darktrace’s cyber AI – entrusting the technology to not only detect but automatically respond to cyber-attacks. Immediately, AI spotted that one air conditioning unit was acting suspiciously compared to the other 9 units and, without human intervention, stopped the hackers from pivoting into more critical industrial control systems.


Governments around the world have issued official warnings for state hackers targeting universities and research agencies in a bid to steal information on a cure for COVID-19. 

This month, at a renowned academic institution in Singapore, AI detected and automatically stopped cryptocurrency-mining malware in the organization, likely a variant of Shellbot. On the face of it, this attack may not seem like one aiming to steal or halt research efforts.

However, cryptomining is extremely resource-intensive for security teams. It is often a tactic used by sophisticated hackers to distract security teams from a more serious attack like subtle data exfiltration. What’s more, if AI had not stepped in at machine speed, the malware could have bled into the industrial control systems at the institution, resulting in widespread outages. This would physically interrupt production of vaccines, medicines or cutting-edge technology.


IoT devices, such as Internet-connected cameras, are becoming increasingly common in personal, business and industrial environments, yet threats targeting IoT are difficult to detect and often go unnoticed since these devices effortlessly connect to digital infrastructure.

In late May, Darktrace detected Mirai malware infecting an Internet-facing CCTV surveillance camera at a Canadian logistics company. Mirai is an old threat that is still used to target IoT devices.

Having analysed this device’s transfers within the context of a continuously evolving understanding of what is normal both for this device and for the wider organization, Darktrace AI spotted some unusual behaviour: the infected camera was making connections to multiple IP addresses that were statistically rare for the network. Specifically, the compromised device began transferring large amounts of data to an IP address in China.

As there were no antivirus or other security tools covering the IoT camera, without AI this would have gone undetected – the client saw no indicators of malicious activity beyond a sluggish network. Once the client was promptly notified, the compromise was deescalated, and the client took the camera offline.

Small Businesses Online Are Prime Targets For Cyber-Attacks: Darktrace

Posted in Commentary with tags on June 25, 2020 by itnerd

As a result of the COVID-19 pandemic, Canada is paving the way in supporting brick-and-mortar businesses struggling to make ends meet through the Digital Main Street’s ShopHERE program. This program, powered by the likes of Google Canada, provides free website support and marketing tools to increase the digital presence of small businesses to sell goods and services, given the need for many businesses to take operations online.

However, as businesses scramble to move online in order to keep afloat, many small business owners overlook a major concern that could jeopardize the entire operation – safeguarding themselves from cyber threats. For some small businesses, it could be impossible to recover from a successful cyber-attack.  

David Masson, Director of Enterprise Security for Darktrace had this comment in regards to how small business owners must invest in the right technology to safeguard themselves against threats:

“The provincial and federal government’s offer to help small businesses create online stores is great news for the country. The ongoing pandemic has created a real, pressing reliance on online commerce. Moving businesses online opens up new and exciting revenue streams and can also be more efficient, particularly with customer outreach and retention.

However, there is a big concern as businesses move into the virtual realm: security. Progressing too quickly can lead to future consequences or costs, including theft of their customers’ financial details or the damaging operational downtime following a successful attack. We’ve seen time and time again that when businesses move quickly, security can often be overlooked or underemphasized. Cyber security for newly online retail businesses is very doable, but requires forethought, planning, and investment in the right technology.”

Canada Announces National Contact Tracing App…. What Are The Security And Privacy Concerns?

Posted in Commentary with tags on June 19, 2020 by itnerd

Yesterday, Prime Minister Justin Trudeau announced the federal government will begin testing a “completely voluntary” contact tracing app that can be used nationwide. You can get more details here. Ever since that announcement, concerns around security and privacy controls have become top of mind. David Masson, Director of Enterprise Security for Darktrace shared with me his security concerns that are associated with contact tracing:

The debate over a centralized or a decentralized approach while using contact tracing apps continues. A decentralized approach would mean that the data stays on an individual’s phone, while a centralized one would mean that all the data from the app goes to one central body. Both approaches have their own merits.

In Canada, a unified approach to contact tracing led by the Federal Government, rather than by the individual Provinces and Territories, will relieve the Provinces and Territories of some legal and financial ramifications. A unified effort would also ensure a more collaborative process for building in security and privacy controls, and it would be more efficient for decision making. As the Federal Government makes declared decisions about the app and its development, security needs to remain a priority. A centralized approach, however, needs to come with caveats and protections.

If it is the Federal Government ensuring that a sick person remains isolated and enforcing quarantine, there will be privacy trade-offs. We must be prepared for the future: what should we do with the data after this crisis is finally said and done? Sunset clauses should be put in place to assure the Canadian public that the highest consideration will be taken and that there will be transparency about what happens once the data is no longer needed. 

With regard to the collection of data centrally, scientists and health officials could leverage the data for good. They could use data from the apps to analyze how the virus spreads, how it impacts society, and more, which would improve our ability to deal with the outbreak. However, the Federal Government will need to ensure that any data shared for research is secure.

There will also need to be the ability to have some form of open and transparent redress for all citizens with regard to any contact tracing approach in Canada.

I then asked about the fact that this app will utilize the Apple/Google Exposure Notification API. You can find out more info about that here. The Apple/Google API is billed as best in class when it comes to privacy. So my question was whether the use of this API made things safer. 

I think the question isn’t “is it ‘safe’”, but does it make things more secure? Maybe, maybe not.

Privacy and security are not the same things. Privacy is about personal control of your own data, in particular your identity. Security is the tools that will help you control your data and some tools are better than others. Quite frequently when tools or applications are rushed to market without adequate testing, security vulnerabilities subsequently appear.

When rolling out an application that could be used by so many members of the population, governments should use the best available technology with the lowest risk for security or privacy concerns. However, even then it’s impossible to say that without a doubt an application is or is not safe, and it is important to remember that ‘safe’ can mean different things in different contexts. 

For it to be a ‘safe’ application, the technology needs to be implemented correctly, and the app needs to be shut off when the pandemic is over. History has shown that both of these assumptions could prove to be flawed.

That’s an interesting view, as reading over the details related to the Apple/Google Exposure Notification API would have had me assume that there was nothing to worry about. But clearly, from what David Masson has said, I hadn’t considered all the implications of a contact tracing app like this one. Thus I thank him for his insights on this. It’s given yours truly, as well as a lot of you, a lot to think about.

Darktrace Hits $1 Billion In Bookings

Posted in Commentary with tags on June 3, 2020 by itnerd

Darktrace, the world’s leading cyber AI company, today announced that it has passed $1 billion in cumulative bookings.

Founded in 2013, Darktrace is one of the fastest-growing private companies in the world with over 1,200 employees and 3,500 customers across 110 countries. In 2020, demand has hit an all-time high, as Darktrace’s self-learning AI is uniquely positioned to adapt to defend today’s remote workforce.

The number of new customers using the Enterprise Immune System to defend cloud and SaaS environments from cyber-threats increased by 60% in March compared to January, whilst the number of organizations adopting Antigena – the company’s autonomous response capability – increased by over 30%.

Darktrace AI is a self-learning technology that is designed to understand the ‘pattern of life’ for every user across an organization. The AI is capable of analyzing and protecting the full range of digital environments – from cloud and SaaS applications, to email environments, IoT, industrial control systems, and the network. The AI detects novel threats that may otherwise go unnoticed and stops them before they escalate into a full-blown attack. 

Customers span all industries and include Petco, PBS, Banco Popular Dominicano, Micron Technology Inc, Jimmy Choo, Chantecler, and Sky Italia.