This latest blog is a game changer and a must-read. In March, Microsoft publicly disclosed the Exchange server zero-day – an ongoing campaign initiated by the Hafnium threat actor group. It has now come to light that Darktrace’s AI technology possibly detected a Hafnium attack three months before attribution.
As a result, we’re advising that your IT team may want to go as far back as early December to check security logs and tools for signs of initial intrusion into their Internet-facing Exchange services by the Hafnium campaign.
When did it all begin?
Based on similarities in the techniques, tools and procedures (TTPs) observed, Darktrace has now assessed with high confidence that an attack in December on one of their clients was the work of the Hafnium group, suggesting that the campaign was active several months earlier than assumed.
Whilst Microsoft has warned that the vulnerability is also being rapidly weaponised by other threat actors, it is reassuring that there is now evidence that these new, previously unseen and unattributed campaigns can be disrupted by Darktrace’s Cyber AI technology in real time.
How to assess your risk
In this blog, we will analyse the attack to aid organisations in their ongoing investigations, and to raise awareness that the Hafnium campaign may have been active for longer than previously disclosed. To summarise, the campaign targets Internet-facing Microsoft Exchange servers, exploiting the recently discovered ProxyLogon vulnerability (CVE-2021-26855).
In the earlier attack detected by Darktrace, the threat actor used many of the same techniques that were observed in the later Hafnium attacks, including the deployment of the low-activity China Chopper web shell, quickly followed by post-exploitation activity – attempting to move laterally and spread to critical devices in the network.
The following analysis demonstrates how Darktrace’s Enterprise Immune System detected the malicious activity, how Cyber AI Analyst automatically investigated the incident and surfaced the alert as a top priority, and how Darktrace Antigena would have responded autonomously to shut down the attack, had it been in active mode.
Hafnium cyber-attack timeline
All the activity took place in early December 2020, almost three months before Microsoft released information about the Hafnium campaign.
Darktrace observed no signs of compromise or change in behavior from the Internet-facing Exchange server – no prior internal admin connections, no broad-scale brute-force attempts, no account takeovers, no malware copied to the server via internal channels – until all of a sudden, it began to scan the internal network. While this is not conclusive evidence that no other avenue of initial intrusion was present, the change in behavior on an administrative level points to a complete takeover of the Exchange server, rather than the compromise of a single Outlook Web Application account.
To conduct a network scan from an Exchange server, a highly privileged SYSTEM-level account is required. The patch level of the Exchange server at the time of compromise appears to have been up to date, so it did not offer a threat actor a known vulnerability that would instantly grant SYSTEM-level privileges.
For this reason, Darktrace has inferred that the Exchange server zero-days that became public in early March 2021 were possibly being used in this attack observed in early December 2020.
As soon as the attackers gained access via the web shell, they used the Exchange server to scan all IPs in a single subnet on ports 80, 135, 445, 8080. This particular Exchange server had never made such a large number of new failed internal connections to that specific subnet on those key ports. As a result, Darktrace instantly alerted on the anomalous behavior, which was indicative of a network scan.
Less than an hour after the internal network scan, the compromised Exchange server was observed writing further web shells to other Exchange servers via internal SMB. Darktrace alerted on this as the initially compromised Exchange server had never accessed the other Exchange servers in this fashion over SMB, let alone writing .aspx files to Program Files remotely.
A single click allowed the security team to pivot from the alert into Darktrace’s Advanced Search, revealing further details about the written files. The full file path for the newly deployed web shells was: Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\errorFS.aspx
The attackers thus used internal SMB to compromise further Exchange servers and deploy more web shells, rather than using the Exchange zero-day exploit again to achieve the same goal. The reason for this is clear: exploits can often be unstable, and an adversary would not want to show their hand unnecessarily if it could be avoided.
While the China Chopper web shell has been deployed with many different names in the past, the file path and file name of the actual .aspx web shell bear very close resemblance to the Hafnium campaign details published by Microsoft and others in March 2021.
As threat actors often reuse naming conventions and TTPs within a coherent campaign, this again indicates that this particular attack was in some way part of the broader campaign observed in early 2021.
Further lateral movement
Minutes later, the attacker conducted further lateral movement by making more SMB drive writes to Domain Controllers. This time the attackers did not upload web shells, but malware, in the form of executables and Windows .bat files.
Darktrace alerted the security team as it was extremely unusual for the Exchange server and its peer group to make SMB drive writes to hidden shares to a Domain Controller, particularly using executables and batch files. The batch file was called ‘a.bat’. At this point, the security team could have created a packet capture for the a.bat file in Darktrace with the click of a button, inspecting the content and details of that script at the time of the intrusion.
Darktrace also listed the credentials involved in the activity, providing context into the compromised accounts. This allows an analyst to pivot rapidly around the data and further understand the scope of the intrusion.
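The detections described above (an Exchange server that had never scanned a subnet suddenly failing connections to many hosts on ports 80, 135, 445 and 8080, then writing .aspx and .bat files over SMB to servers it had never written to) are all deviations from a per-host baseline. The following is an added example, not Darktrace’s or NETprotocol’s code, of that baseline-deviation logic run over constructed log lines; the log format, host names, sample paths and the scan threshold are assumptions, while the scanned ports and the errorFS.aspx path come from the write-up:

```python
# Added example (not Darktrace's or NETprotocol's code): a per-host baseline
# detector for the two behaviours described above. The log format, host
# names, sample lines and the scan threshold are constructed assumptions.
from collections import defaultdict
from ipaddress import ip_network

SCAN_PORTS = {80, 135, 445, 8080}   # ports scanned in the December intrusion
SCAN_MIN_TARGETS = 20               # assumed: distinct new hosts before we call it a scan
# Directory under the Exchange install where the errorFS.aspx web shell was written
OWA_AUTH_DIR = "\\frontend\\httpproxy\\owa\\auth\\"
RISKY_EXT = (".aspx", ".bat", ".exe")


def subnet_of(ip):
    """Collapse an address to its /24 so baselines are per subnet, not per host."""
    return str(ip_network(f"{ip}/24", strict=False))


def parse_event(line):
    """Two constructed record types:
    conn <src> <dst_ip> <port> <ok|fail>
    smbwrite <src> <dst_host> <unc_path>   (path may contain spaces)
    """
    kind, src, dst, rest = line.split(maxsplit=3)
    if kind == "conn":
        port, status = rest.split()
        return {"kind": kind, "src": src, "dst": dst, "port": int(port), "ok": status == "ok"}
    if kind == "smbwrite":
        return {"kind": kind, "src": src, "dst": dst, "path": rest}
    raise ValueError(f"unknown event type in: {line}")


def build_baseline(events):
    """Learn which (subnet, port) pairs each host connects to and which hosts
    it writes files to over SMB during a quiet learning period."""
    base = {"conn": defaultdict(set), "smb": defaultdict(set)}
    for e in events:
        if e["kind"] == "conn":
            base["conn"][e["src"]].add((subnet_of(e["dst"]), e["port"]))
        else:
            base["smb"][e["src"]].add(e["dst"])
    return base


def detect(base, events):
    """Return alerts for behaviour that deviates from the learned baseline."""
    alerts = []
    new_fail_targets = defaultdict(set)  # (src, subnet) -> dst IPs with failed conns on scan ports
    for e in events:
        if e["kind"] == "conn":
            key = (subnet_of(e["dst"]), e["port"])
            seen = base["conn"].get(e["src"], set())
            if not e["ok"] and e["port"] in SCAN_PORTS and key not in seen:
                new_fail_targets[(e["src"], key[0])].add(e["dst"])
            continue
        path = e["path"].lower()
        new_target = e["dst"] not in base["smb"].get(e["src"], set())
        if new_target and path.endswith(".aspx") and OWA_AUTH_DIR in path:
            alerts.append(("webshell-write", e["src"], e["dst"], e["path"]))
        elif new_target and path.endswith(RISKY_EXT):
            alerts.append(("new-smb-exec-write", e["src"], e["dst"], e["path"]))
    for (src, subnet), targets in new_fail_targets.items():
        if len(targets) >= SCAN_MIN_TARGETS:
            alerts.append(("internal-scan", src, subnet, f"{len(targets)} hosts"))
    return alerts


# Constructed learning-period traffic: exchange1 only talks to 10.0.1.0/24 and
# never writes over SMB; fileserver1 routinely drops a logon script on dc1.
BASELINE_LINES = [f"conn exchange1 10.0.1.{i} 443 ok" for i in range(1, 6)] + [
    "conn exchange1 10.0.1.10 389 ok",
    r"smbwrite fileserver1 dc1 \\dc1\NETLOGON\logon.bat",
]
# Constructed incident traffic mirroring the write-up: a scan of one subnet on
# the four ports, a web shell dropped on a second Exchange server, a.bat on a DC.
INCIDENT_LINES = (
    [f"conn exchange1 10.0.5.{i} {p} fail" for i in range(1, 31) for p in sorted(SCAN_PORTS)]
    + [
        "conn exchange1 10.0.1.3 443 fail",  # failed, but to a known subnet/port: ignored
        r"smbwrite exchange1 exchange2 \\exchange2\C$\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\errorFS.aspx",
        r"smbwrite exchange1 dc1 \\dc1\ADMIN$\Temp\a.bat",
        r"smbwrite exchange1 exchange2 \\exchange2\C$\inetpub\logs\u_ex.log",  # new target, harmless extension
        r"smbwrite fileserver1 dc1 \\dc1\NETLOGON\logon.bat",  # known behaviour: no alert
    ]
)


def run_example():
    base = build_baseline(parse_event(l) for l in BASELINE_LINES)
    return detect(base, [parse_event(l) for l in INCIDENT_LINES])


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Run as a script it prints three alerts: the web shell write to exchange2, the a.bat write to dc1, and the scan of 10.0.5.0/24. The point of the design is that none of the rules name a known-bad signature; each fires only because the source host had never done that thing before, which is why the same logic would have fired in December without any Hafnium IoCs.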
In addition to detecting the malicious activity outlined above, Darktrace’s Cyber AI Analyst autonomously summarised the incident and reported on it, outlining the internal reconnaissance and lateral movement activity in a single, cohesive incident.
The organisation has several thousand devices covered by Darktrace’s Enterprise Immune System. Nevertheless, over the period of one week, the Hafnium intrusion was in the top five incidents highlighted in Cyber AI Analyst. Even a small or resource-stretched security team, with only a few minutes available per week to review the highest-severity incidents, could have seen and inspected this threat.
How to stop a zero-day
Large scale campaigns which target Internet-facing infrastructure and leverage zero-day exploits will continue to occur regularly, and such attacks will always succeed in evading signature-based detection. However, organisations are not helpless against the next high-profile zero-day or supply chain attack.
Detecting the movements of attackers inside a system and responding to contain in-progress threats is possible before IoCs have been provided. The methods of detection outlined above protected the company against this attack in December, and the same techniques will continue to protect the company against unknown threats in the future.
The world is currently in the midst of an IoT revolution, and it’s only speeding up. According to research by Gartner, more than 25 billion IoT devices will be active by the end of 2021. This exciting technological frontier offers businesses an opportunity to drive efficiency and behavioral insights while generating astronomical amounts of data for analysis.
Unfortunately, many IoT devices lack basic security features and are an easy network entry point for hackers. As IoT devices continue to become more involved in businesses, network managers need to be wary of possible exploits and have a strong defense against intrusions. Extreme Networks’ IoT solutions provide best-in-class device fingerprinting, AI/ML insights, and IoT analytics in a simple and scalable manner.
The simplicity and ease of connecting devices to Wi-Fi or Bluetooth gives many users the impression that security isn’t necessary. Common smart devices, such as temperature sensors, light systems, and cameras are often connected to the network without considering vulnerabilities. Devices are often used without password protection and, left unprotected, they can open the door to hackers and malware with relative ease.
It can take only a few minutes for a hacker to gain access to a network through an unprotected IoT device, but months for network administrators to find and resolve the issue – not to mention potential cost and data implications. This means that, without taking proper precautions, your system can be invaded without being detected and could leave your data in jeopardy. Ransomware attacks have become more common in recent years, and unsecured IoT devices make it too easy for these intrusions to happen.
As a Black Diamond partner of Extreme Networks, NETprotocol can provide customers with Extreme’s IoT solution: a complete package of security tools to monitor all connected devices in one place, giving organisations a clear picture of which devices are connected at any given time. IT administrators can also pick and choose which devices have access, giving them the power to boot any unwanted device that could compromise the network’s security. The technology also offers automated behavioral monitoring that pinpoints unusual activity, preventing hackers from going unnoticed.
IoT devices should be embraced for all they have to offer consumers and businesses. But, without proper security features, these helpful gadgets can leave your network wide open. If you are looking to stay ahead of the curve and address security issues relating to IoT, please don’t hesitate to contact one of the team at NETprotocol:
In this blog, we look at the threat landscape and how much a small investment in Disaster Recovery as a Service (DRaaS) can save you over the lifetime of your business…
Rather than picking up the pieces after an unexpected incident, DRaaS lets you proactively plan for and respond to a failure event. Whether it’s a small disaster like hardware failure or a huge disaster like a fire, hurricane or flood, DRaaS keeps you covered. With a better way to respond, you’re less likely to lose data or suffer from downtime – both of which can be costly enough to shut a business down.
Threats to Business Are Real and Growing
Business data has always been at risk from a myriad of digital attacks. Here are just a few of the threats businesses face when it comes to protecting data.
- Ransomware is becoming more sophisticated
There’s an all-out war happening in cyberspace, and when it comes to fortifying your defenses, your business is on its own. Ransomware is a particular threat as it has accounted for 81% of financial cyberattacks this year. And, while ransomware attacks may not be increasing in volume, they are becoming more sophisticated. You have to be ready to prevent ransomware, but if the worst happens and your systems get locked down, you have to be able to remediate them quickly.
- User error is a persistent problem
User error has always been the bane of security admins, but it has actually gotten worse. Spurred by COVID-19, it’s estimated that some 36 million workers will be working remotely by 2025. With so many workers scattered about, the challenge of keeping systems secure and data safe is bigger than ever. And so how do you meet the challenge?
- Climate change is bringing new disasters
According to NASA, a warming climate will lead to changes in precipitation and weather patterns, including more frequent and more severe flooding, of which we have seen a great deal in the UK over recent years. Natural disasters might not be a big threat to you today, but they could be soon.
DRaaS is a critical line of defense if the worst does happen, and so can act as a lifesaver for your business. But how do you rationalise the cost?
DRaaS Offers Protection That Pays for Itself
When disaster strikes, you can minimize your risks by having a solid disaster recovery plan in place. Paired with set recovery objectives and the right tools, a DRaaS solution pays for itself by helping you prevent data loss and downtime. According to Gartner, downtime can cost as much as $5,600 per minute. Do you know how much you would lose during a downtime event?
Calculating The Cost of Downtime…
Let’s look at a quick example to show just how expensive one failure event can be. We’ll use simplified, round numbers to illustrate the point, but, of course, the reality is more complex.
- Let’s say on average your company bills $100 per hour.
- You have 10 employees and about 75% of their time is billable to clients.
- This means your business is earning $6,000 for an eight-hour day, or $750 an hour.
Now let’s say your systems are all knocked offline and your staff can’t work for four hours. That adds up to $3,000 lost to downtime. But that’s just the start. Say you lose crucial work your team produced. Now you’re also contending with data loss. Add the cost of four hours of lost work and four hours of lost productivity and your total loss is $6,000. And that’s from a relatively small downtime event. Plus, that doesn’t include any damage to your reputation that may result.
Whilst you may be trying to justify and quantify the cost of DRaaS, it’s worth considering that an unexpected event causing downtime could have been avoided with the right Disaster Recovery solution in place.
Downtime and data loss are costly for any business. It should be obvious that DRaaS is worth considering for your business, large or small. Think of DRaaS as an insurance policy. Pay a little now to avoid paying a lot later on. All it takes is one failure event.
And, if you’re looking for a solution that keeps all of your bases covered—no matter how severe the failure—consider booking a demo with NETprotocol using the below contact options:
ExtremeCloud IQ is Extreme Network’s 4th generation cloud end-to-end networking solution, enabling your organisation to enhance flexibility, agility, security, and gain access to new technologies.
Fuelled by AI and ML, this cloud technology enables IT directors to manage and analyze their network through edge, campus, and data center solutions, ensuring the most efficient network experience.
In his last two blog posts, Ed Koehler of Extreme Networks covered what botnets are, gave a recent history of botnets, and discussed the three functions of botnets: infection and propagation, command and control, and specific attack methods. In his latest blog post, he explains why IoT is the next attack vector for botnets and what you can do to mitigate the risk of an attack.
Why All the Focus on IoT?
After the 2016 Mirai attack, although most people realised it was primarily an IoT botnet, they did not consider the full impact of what had occurred. Users can easily conjure an image of ransomware, picturing a big red screen with a skull and crossbones symbol; this type of malware usually resonates more deeply due to the direct impact on users. But IoT threats, while they may not have the same reputation, can cause equal if not more damage.
Malicious cyber players quickly recognised that IoT devices were the perfect avenue for botnet development. IoT removes the need for attackers to trick victims into doing something; if the botnet can infect an IoT device on the network and that device is on the same segment as, or connected to, users on the network, then it can hop from the IoT device to the user’s PC very much like a biological virus can hop from animal to human under the right circumstances. Well-designed botnets do not care about the end points or node specifics, and most have the ability to sit on Linux, a very common IoT operating system (OS), or any other OS such as Windows or even Android and iOS.
There are five broad reasons why IoT is such a high threat:
1. IoT devices are often unknown to the IT administration staff. Statistics show that up to 60% of IT administrators surveyed indicated that they had little or no confidence that they were aware of all IoT devices in their networks. You cannot secure what you are not aware of.
2. Many IoT devices have known vulnerabilities and can be difficult to patch or update. Also, in many instances, IoT devices have firmware levels that often are not addressed in patch or software upgrades.
3. Many IoT devices have default passwords that, even after being changed, will resurface upon reboot due to the issue noted above.
4. Often there is no clear understanding of an IoT device’s defined perimeters of behavior. This can be the case even when the device is known to IT staff. As a result, it becomes very difficult to pick out any unusual behaviors that might point to malware infection.
5. IoT systems are largely heterogeneous and might include devices that we might not think of as IoT. For example, everyone would refer to building control systems or video surveillance as IoT, but few would recognise the IP phone on their desk or the network printer in the corner of the office.
We could go on, but these serve as the major issues to the overall challenge of protecting the IoT environment. Now let’s take a quick look at methods that can be used to address these challenges.
1. Asset inventory and vulnerability assessment
The first step in getting a handle on the challenge is to do an exhaustive inventory of all devices on the network. Some cases may be straightforward, but other environments can require investigation and even manual walkthroughs to identify IoT devices that may have escaped notice. Having an audited Network Access Control (NAC) will give you a starting point, allowing IT administrators to use MAC addresses to get a rough idea of the device’s location. They can then follow up on the device, verify it, and identify it as an asset. This identification should include not only the device and type but the running software revision as well as ownership and purpose.
Once this information has been obtained, vulnerability assessments should be performed as well as investigation into the device software architecture and intended function. If possible, speak to the actual vendor to understand the device’s intention and the normal patterns of communication that should be expected. This will be important information moving forward.
It’s also important to provide awareness education to employees about the risk of bringing personal IoT devices into work. If possible, simply prohibit it or require a device registration process so that all devices can be properly audited.
2. Develop a micro-segmentation strategy for IoT
As pointed out earlier, having different types of IoT devices and users on the same network segment is a bad idea from a security perspective. IoT should always be segmented away from the normal user IT environment, and the least privilege logic should dictate the rule of segmentation design. Put simply, if a device does not require connectivity to a system, then it should not have the potential to connect. In many instances, IoT segments can be totally isolated with no connectivity to the user IT environment in any way. A good example of this is digital signage or television, which is only visual and does not need to be given access to the network otherwise. As a result, there is no need for this system to be directly connected to the enterprise IT environment. Many IoT and even Industrial Control Systems (ICS) fit into this category. They operate quite well in isolation or with very restricted communication.
In addition to segmentation, IT administrators should communicate with the vendor of the IoT device to understand the normal traffic behavior from the device, as well as the pattern of communication that results in the required ‘footprint’ of connectivity. This footprint indicates the systems that the device needs to see and communicate with, allowing IT to create a traffic policy and a segmented design. The footprint and the segment boundary can coincide or differ. If they coincide, then the segment design is sufficient, and policy can be reduced to access only. In more complex examples, policies may be required to restrict allowed communications from the device in question. This policy must match the normalised communication patterns but deny all others. If this practice is followed diligently, then IoT systems can be effectively isolated from the normal enterprise IT environment and also from each other to prevent machine-to-machine attacks. If you have done everything correctly up to this point, you should have a series of microsegments, each with dedicated IoT systems and normalised known traffic behaviors and policies to match them.
3. Vigilance and analysis
Once a well-segmented, policy-based design is established, the next step is to maintain consistent vigilance of device behaviors within each segment. Remember that while you designed the segment, you took all required traffic patterns into account. As a result, you should have very ‘sanitary’ microsegments with normalised traffic patterns that can be monitored for anomalies or unusual behaviors. When you see unusual behaviors or anomalies, investigate them as soon as possible. Put simply, if you see an IoT device doing something that it has never done before, it is most likely not a good thing. Ideally, the device should be quarantined quickly until further investigation can take place. If an IoT device is mission-critical and always needs to be online, it requires micro-segmentation and established policies of normal behavior.
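The three steps above (an asset inventory that every device must appear in, a micro-segment and vendor-agreed communication footprint per device, and vigilance that treats anything outside that footprint as something the device has never done before) can be expressed as a single default-deny policy check. The following is an added example, not Extreme Networks’ or NETprotocol’s code; the device names, segments, footprints, sample flows and the quarantine threshold are all constructed for illustration:

```python
# Added example (not Extreme Networks' or NETprotocol's code): an inventory,
# micro-segment and footprint policy check for IoT devices. Device names,
# segments, footprints, flows and the quarantine threshold are constructed.
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

QUARANTINE_AFTER = 3   # assumed: denied flows from one device before it is quarantined

# Microsegments (one per IoT class, plus the user network), constructed
SEGMENTS = {
    "iot-signage": ip_network("10.10.0.0/24"),
    "iot-cctv": ip_network("10.20.0.0/24"),
    "iot-print": ip_network("10.30.0.0/24"),
    "users": ip_network("10.100.0.0/16"),
}


@dataclass(frozen=True)
class Footprint:
    """Normalised communication pattern agreed with the vendor."""
    segment: str
    allowed: frozenset          # {(peer_ip_or_network, proto, port)}
    isolated: bool = False      # no connectivity outside its own segment at all


# Asset inventory: only devices listed here are permitted to talk (constructed)
INVENTORY = {
    "signage-01": Footprint("iot-signage", frozenset(), isolated=True),
    "camera-07": Footprint("iot-cctv", frozenset({
        ("10.20.0.5", "tcp", 554),      # video recorder in the same segment
        ("10.0.0.123", "udp", 123),     # NTP server
    })),
    "printer-02": Footprint("iot-print", frozenset({
        ("10.0.0.53", "udp", 53),       # DNS
        ("10.0.0.0/24", "tcp", 443),    # print-management servers
    })),
}


def peer_matches(dst, peer):
    """A footprint peer is either one address or a whole network."""
    if "/" in peer:
        return ip_address(dst) in ip_network(peer)
    return dst == peer


def evaluate(device, dst, proto, port):
    """Decide one observed flow. Default is deny: anything outside the
    footprint is, by definition, something the device has never done before."""
    fp = INVENTORY.get(device)
    if fp is None:
        return "deny", "device not in inventory"
    if fp.isolated:
        if ip_address(dst) in SEGMENTS[fp.segment]:
            return "allow", "inside own isolated segment"
        return "deny", "isolated segment: no connectivity outside it"
    for peer, p, pt in fp.allowed:
        if p == proto and pt == port and peer_matches(dst, peer):
            return "allow", f"matches footprint {peer} {proto}/{port}"
    return "deny", "not in normalised footprint"


def audit(flows):
    """Evaluate every flow and name devices that should be quarantined."""
    decisions = []
    denies = Counter()
    for device, dst, proto, port in flows:
        verdict, reason = evaluate(device, dst, proto, port)
        decisions.append((device, dst, proto, port, verdict, reason))
        if verdict == "deny":
            denies[device] += 1
    quarantine = sorted(d for d, n in denies.items() if n >= QUARANTINE_AFTER)
    return decisions, quarantine


# Constructed flow sample: normal traffic plus a camera probing the user
# segment over SMB, a printer reaching the internet, and an unregistered device.
FLOWS = [
    ("camera-07", "10.20.0.5", "tcp", 554),
    ("camera-07", "10.0.0.123", "udp", 123),
    ("camera-07", "10.100.4.20", "tcp", 445),
    ("camera-07", "10.100.4.21", "tcp", 445),
    ("camera-07", "10.100.4.22", "tcp", 445),
    ("printer-02", "10.0.0.53", "udp", 53),
    ("printer-02", "10.0.0.10", "tcp", 443),
    ("printer-02", "203.0.113.9", "tcp", 80),
    ("signage-01", "10.10.0.2", "tcp", 8080),
    ("signage-01", "10.100.1.1", "tcp", 80),
    ("thermostat-99", "10.0.0.53", "udp", 53),
]

if __name__ == "__main__":
    decisions, quarantine = audit(FLOWS)
    for d in decisions:
        print(*d)
    print("quarantine:", quarantine)
```

Run as a script it allows five flows, denies six, and names camera-07 for quarantine because its three SMB probes into the user segment are exactly the IoT-to-user hop the post warns about. The unregistered thermostat is denied for a different reason (it is not in the inventory), which is the point of step 1: a device you did not know about cannot have a footprint, so it gets nothing.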
While botnets are not new, they have become increasingly sophisticated at an alarming rate and there is no sign that this trend of software evolution will end. While IoT systems have become a new favorite target for ingress and propagation due to the relative weakness of these systems from a security perspective, there are methods to address these challenges. If performed with due diligence, these methods can contribute to the overall security posture of the enterprise in question.
The best advice we can give is to never assume that you are totally secure. While we can prove that a system is not secure by compromising it, we cannot prove that a system is secure by failing to do so.
About Lee & Thompson
Established in 1983, Lee & Thompson is a well-respected law practice in London which specialises in the media, technology and creative industries and represents some of the world’s most talented and high-profile celebrity names within this sector.
As a leader within their field, they pride themselves on a first-class service, adaptive approach and unique industry expertise.
The security of client data has always been an absolute priority for Lee & Thompson. In his role as Head of IT, Rob Hilton is responsible for implementing and managing the firm’s technology infrastructure, with a focus on maintaining secure, resilient and scalable access for his end-users from any location, at any time.
“Cyber Security challenges are always developing and 2020 saw unprecedented changes in work practices with the COVID pandemic. Add to that the rapid growth of IoT devices, plus the risk of complex attacks like the one against SolarWinds – and the need for a more robust approach to security becomes quite obvious,” explains Mike Batters, Technology Director at Legal IT Consultancy, NETprotocol.
Due to the increased complexity of supporting a dynamic workforce, who today could be accessing the law firm’s company and client data from any location and on any type of device, Rob Hilton had for some time been searching for a SOC solution capable of monitoring activity 24/7, across the entire network and IT infrastructure, from anywhere in the world.
Ultimately Lee & Thompson needed to have complete confidence that any potential security threat could be detected and stopped in real-time; whilst immediately notifying their IT team of the risk.
“We must be able to guarantee our clients that we have full visibility of how data is being used and accessed – and from a compliance perspective, be able to provide a full trail of evidence to demonstrate we have complete control at all times,” Rob explains.
“Having reviewed the market over a period of time, we were recommended Darktrace Cyber AI security platform by our long-term partners and specialist legal technology consultancy, NETprotocol,” Rob confirms.
Lee & Thompson had already seen and heard good things about Darktrace’s Cyber AI technology and so initiated a free 30-day trial to decide if the solution met their needs.
“The appliance took just a couple of days to arrive and set up was simple and straightforward. Using a unique ‘Immune System’ approach driven by AI technology, Darktrace immediately started scanning activity across our entire network, reviewing who was accessing what data and instantly flagging any potential concerns to me,” Rob continues.
It was clear within just a matter of days that Darktrace was already building up an accurate picture of what was ‘normal’ at Lee & Thompson – sending automated notifications to Rob through the Darktrace iOS app whenever it identified something as a possible concern.
“What I really liked about the technology is that it was not just looking for malicious behaviour or unknown credentials from outside of our business, but Darktrace’s AI technology can also identify when a potential insider threat is developing, notifying me of unusual or unauthorised activity also from employees within the business. There really are no blind spots with this technology!”
Prior to deploying Darktrace Cyber AI technology, Rob was depending on his already stretched team to not just keep a close eye on security parameters, but also investigate and resolve many of these manually once identified. With Darktrace, he is now able to monitor activity across his entire network through a single user interface, easily downloading reports for management to review, and most importantly, track how Darktrace has resolved the issue before the risk brings any harm.
“Lee & Thompson has always invested heavily in its cyber security infrastructure, however with advanced and real-time threats being so unpredictable in the present day, and with most of our staff now working remotely, Darktrace has highlighted to us how prominent the security risk is for law firms,” Rob affirms.
Darktrace has eliminated any blind spots Lee & Thompson may have had, giving them complete visibility of their entire infrastructure, connected devices and cloud services.
Mike Batters goes on to highlight two major benefits of Lee & Thompson’s deployment of Darktrace:
“Darktrace’s AI Analyst works around the clock 24/7 alerting & reacting to anomalies & potential threats as they are developing. Not only does it deliver a far superior level of security than was previously possible, it also enables Lee & Thompson’s IT team to focus their time on further developing IT to better support their business.”
Rob Hilton summarises the project and concludes:
“I had always thought that Darktrace would have been out of reach financially for a boutique law firm the size of Lee & Thompson, however when we found the product was actually ‘in budget’, this was the icing on the cake! Thanks to their 30 day ‘proof of value’ trial, we knew what we were buying and could justify the cost without a problem.”
Following the global data breach against software company SolarWinds which took place in March 2020, there are lessons to be learnt from these findings which can protect your law firm from experiencing a similar level of threat. In particular, investigations have highlighted the failure of signature-based tools in being able to detect advanced cyber threats.
Despite the rising number of APTs (Advanced Persistent Threats) and the sophisticated post-exploitation activity which now take place daily and are almost impossible to predict – signature based security tools – which rely solely on past data to predict future threats – are still widely used across the sector.
The Impact of the SolarWinds Attack
News of the SolarWinds attack broke around two months ago, reporting that malware had been installed during software updates, affecting nearly all levels of American government, as well as hundreds of private businesses, equating to around 18,000 of the firm’s customers – with the damage so large that it is yet to be quantified.
As investigations continue, it’s looking like the damage caused by this attack will be difficult to either detect or undo and subsequently is causing data-rich organisations to realign their approach to cyber security. The reality of the SolarWinds incident confirms that attackers are now outwitting traditional security measures and are using new and advanced forms of threat which require an updated level of protection.
As law firms large and small are becoming increasingly reliant on cloud-based services, with staff working from dispersed locations and accessing data through a range of often unknown devices, this predicament creates the perfect hunting ground for sophisticated and stealthy cyber-attacks.
How To Keep One Step Ahead of the Attackers
The most shocking elements of the SolarWinds attack are the amount of time it went unnoticed and, put simply, its pervasiveness. Whilst the traditional approach to protecting your systems has been to secure the perimeter of the network – stopping anything malicious getting in – once a hacker infiltrates that perimeter there is often very little to detect subsequent anomalous behaviour or to stop it. This is where any security-conscious organisation has an opportunity to improve.
Having recently partnered with leading Cyber AI specialists Darktrace, we have seen some interesting evidence showing how their self-learning security platform has detected the types of behaviours related to the SolarWinds breach. In his recent blog, Max Heinemeyer, Director of Threat Hunting at Darktrace, provides examples of anomalous activity – equal to that which successfully infiltrated American government systems in the SolarWinds attack – which Darktrace’s Enterprise Immune System detected for its clients.
Whilst signature-based tools look at historical data to predict the next threat, Darktrace’s Cyber AI works in real time, tracking activity patterns across all devices present on your network rather than matching already-known malicious signatures. Any unusual activity which does not fit the normal ‘pattern of life’ within that enterprise is therefore detected and locked down until further investigation has been carried out.
Offering visibility of your entire network through a single interface, Darktrace’s AI technology automatically clusters devices into peer groups, allowing it to detect an individual device behaving unusually as it happens. This self-learning approach acts as an immune system would, locating any infection that a signature-based solution is unable to detect.
Why Is The Post-Exploitation Stage So Harmful?
The post-exploitation stage of an attack is far less predictable and far more stealthy, because it is driven by the attacker's specific intentions for the victim they are targeting. At this stage there is no pre-defined threat to match against, which makes signature-based tools and threat intelligence feeds of little use.
Max goes on to highlight in his blog some examples of anomalous and threatening behaviour on a customer's network, including post-infection activity of the kind an attacker uses to evade a signature-based tool, which would have succeeded had Darktrace's AI not been in place. Cyber AI Analyst alerted the client's security team to these abnormal changes within the network and provided clear evidence of what was taking place, so that the relevant action could be taken.
How To Stop An Attacker Evading Your Security Measures
By learning where credentials are used and which devices talk to each other, Cyber AI builds a detailed and dynamic understanding of business systems. This allows it to alert security teams in real time to changes in the enterprise that could indicate cyber risk.
As the evidence in Max's recent blog demonstrates, attackers have developed a range of techniques to evade traditional security tools, techniques that would otherwise have gone undetected, including:
- setting hostnames to match a legitimate hostname in the victim's environment, so that the attacker's infrastructure blends in without suspicion;
- using C2 servers in geographic proximity to the victim, circumventing geolocation-based trust lists;
- moving laterally with multiple credentials, different from those used for remote access;
- temporarily replacing a legitimate file or modifying a scheduled task in order to execute their payload.
Figure 1 below illustrates how Darktrace flags this anomalous activity before any damage is caused, alerting security teams to the concerning behaviour as it happens:
Figure 1: Example breach event log showing anomalous (new) logins from a single device, with multiple user credentials
These alerts demonstrate how the AI learns what is 'normal' for the unique digital environment it sits in, and then alerts operators to deviations, including those directly relevant to the SUNBURST compromise. They also provide insight into how the attacker exploited networks that lacked the appropriate visibility and detection capabilities.
On top of these alerts, Cyber AI Analyst automatically correlates the detections over time to identify patterns, generating comprehensive and intuitive incident summaries and significantly reducing triage time.
As law firms look to support an intensely dynamic workforce, and therefore need to scale up visibility to ensure their systems and client data are safe in real time, we invite you to watch how this can be achieved below:
Is your business operating from dispersed locations, with employees working from numerous remote environments and accessing IT systems and data through a multitude of cloud-based applications that reside outside the protection of a defined corporate network?
In today's increasingly digital business world, even the most private documentation is now regularly revised online, transferred over email and stored in the cloud. This shift creates an urgent need for cyber defences that can safeguard these files across complex and hybrid infrastructures. Many firms do not employ large security teams, and few have adequately prepared themselves for the stealthy behaviour and machine speed of modern cyber-attacks.
Whilst this new way of working is the future, it also weakens your security, reducing visibility and rendering the perimeter of your network largely irrelevant. What you need is intelligent, unified defences that protect your corporate systems and client data no matter where your staff are working from, or which device they are using to access applications. To find out how you can detect the full range of cyber threats across your entire workforce, watch the short video below.
Having worked in legal technology for over 20 years, we know that many law firms rely on Mimecast email security to detect and defend against malicious links targeting employees. We therefore read with interest a blog by Dan Fein, Director at Darktrace, which explains how an email gateway rewrites these links and why the resulting sense of protection is in fact a misconception that will not provide the security your business needs to remain compliant and safe.
Link rewriting is a common technique in which every URL in an inbound email is replaced by a link that redirects the user to the gateway's own servers. The rewritten link carries a unique code identifying the message and recipient, so the gateway can track who clicked and perform its checks at click time rather than at delivery time. A gateway's reliance on this technique is an indicator of one of its fundamental flaws: it depends on rules and signatures of previously recognised threats, and so cannot stop a threat on the first encounter.
The reason these tools pre-emptively rewrite links is so they can make a determination later on. With the link now pointing to their own servers, they can apply their updated assessment of that link and block a malicious site once more information has become available, and often only once 'patient zero' has already been infected and the damage is done.
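To make the mechanism concrete, the following is an added example written for this post, not Mimecast's or Darktrace's code: a toy gateway that rewrites every link to point at itself, carrying the original URL and recipient in a signed token, and decides only when the link is clicked. The gateway hostname, token format and signing key are assumptions. The patient_zero_demo function shows the gap Dan describes: a click that arrives before the gateway has classified the URL is let through, and only a later click is blocked.

```python
"""
Added example, not Mimecast's or Darktrace's code: a toy link-rewriting
email gateway. Hostname, token format, signing key and sample URLs are
assumptions constructed for illustration.
"""
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlsplit

GATEWAY = "https://gw.example.invalid/click"   # assumed gateway click endpoint
KEY = b"demo-signing-key"                       # assumed; a real gateway uses a secret


class ToyGateway:
    def __init__(self):
        self.blocklist = set()   # URLs the gateway has since classified as malicious
        self.clicks = []         # audit log of (recipient, original_url, verdict)

    def _sign(self, payload):
        return hmac.new(KEY, payload.encode(), hashlib.sha256).hexdigest()[:16]

    def rewrite(self, url, recipient):
        """Replace `url` with a gateway link carrying the URL and recipient."""
        raw = json.dumps({"u": url, "r": recipient}).encode()
        payload = base64.urlsafe_b64encode(raw).decode().rstrip("=")
        return f"{GATEWAY}?t={payload}&s={self._sign(payload)}"

    def _parts(self, rewritten):
        q = parse_qs(urlsplit(rewritten).query)
        return q["t"][0], q["s"][0]

    def verify(self, rewritten):
        """True if the token was issued by this gateway and not tampered with."""
        payload, sig = self._parts(rewritten)
        return hmac.compare_digest(sig, self._sign(payload))

    def resolve(self, rewritten):
        """Recover (original_url, recipient) from a rewritten link."""
        if not self.verify(rewritten):
            raise ValueError("tampered or foreign token")
        payload, _ = self._parts(rewritten)
        data = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
        return data["u"], data["r"]

    def learn_malicious(self, url):
        """Simulates the verdict that arrives after later analysis."""
        self.blocklist.add(url)

    def click(self, rewritten):
        """The decision point: the gateway only judges the URL when it is clicked."""
        url, recipient = self.resolve(rewritten)
        verdict = "blocked" if url in self.blocklist else "allowed"
        self.clicks.append((recipient, url, verdict))
        return verdict, url


def rewrite_email_links(gw, recipient, urls):
    """Every link is rewritten, safe ones included, exactly as Dan's figure shows."""
    return {u: gw.rewrite(u, recipient) for u in urls}


def patient_zero_demo():
    """First click on a not-yet-classified phish is allowed; later clicks are blocked."""
    gw = ToyGateway()
    phish = "https://login-0ffice365.example/reset"   # constructed lookalike URL
    links = rewrite_email_links(gw, "alice@firm.example",
                                ["https://www.firm.example/", phish])
    first, _ = gw.click(links[phish])    # gateway has no verdict yet
    gw.learn_malicious(phish)            # analysis completes after the fact
    second, _ = gw.click(links[phish])
    return first, second


if __name__ == "__main__":
    print(patient_zero_demo())           # ('allowed', 'blocked')
```

Note what the user sees: both the firm's own website and the phishing link start with the gateway hostname, so the rewritten link itself tells them nothing about where they will end up, which is the training problem raised in the next section.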
How Can You Measure Success?
Dan Fein goes on to discuss how you can measure success, highlighting that whilst a product like Mimecast will rewrite nearly 100% of links entering your systems, even links to safe and trusted URLs such as your own website, this does not in itself indicate that your data is secure.
Furthermore, because nearly all links are rewritten, training staff to identify a phishing email becomes almost impossible: nearly every link they receive reads 'mimecast.com'. One link cannot be distinguished as harmful from another, while employees gain a false sense of security that Mimecast is there to protect them from opening something rogue or infectious, when in fact Mimecast does not itself have the answer at that stage.
What’s The Solution?
Running Darktrace's Antigena Email alongside Mimecast, Dan reports that over the course of three days the customer received 155,008 emails containing links rewritten by Mimecast (see Figure 1). Of those, 1,478 were anomalous and were blocked by Darktrace's AI before they reached the recipient and caused any harm. The remaining 153,530 had been rewritten unnecessarily.
Figure 1: Over 155,000 inbound emails contained rewritten Mimecast links
Most worrying is that, once clicked, those anomalous links that needed stopping in their tracks could sit for potentially weeks before Mimecast took any meaningful action, because of the limitations of identifying threats in real time and on first encounter.
Dan goes on to explain the restrictions of legacy email protection tools in more detail and provides substantial evidence of why the metrics tools such as Mimecast use to identify malicious behaviour will not keep your systems and client data safe. Dan's full blog and related content are linked at the end of this post.
In summary, and having seen the technologies in action ourselves, we conclude that rewriting links cannot viably prevent malicious content from infecting your systems. In contrast, Darktrace's Antigena Email, as part of the wider Darktrace platform, allows you to review your organisation's entire digital estate, not just links accessed from emails but network activity as a whole, and will lock or resolve any threat it identifies as untrusted or malicious.
Protect Your Dynamic Workforce Today! In Real-Time…
While Mimecast rewrites everything in order to leave the door open and make its assessment later, Darktrace is able to take action when it needs to, before an email poses a threat to the inbox. It can do this because of its high success rate against malicious emails seen on first encounter, and its approach to detection, which uses AI to catch a threat whether or not that threat has been seen before.
With the scale and sophistication of email attacks growing, the need for a proactive and modern approach to email security is paramount as workforces become increasingly dispersed. Find out more below…
Find out how Darktrace Cyber AI will help build resilience and prepare for the #newnormal of a dispersed workforce
Protect The Dynamic Workforce
View this webinar to learn how to adapt your security to meet the changing working patterns of your staff - 100% visibility anytime, anywhere...
Schools and colleges are working to prepare their organisations to thrive in a changing world, where the IT challenges of digital transformation have intensified as the pandemic goes on.
There are many ways in which you can use your network to support these changing needs, keeping students and staff safe when on site whilst ensuring they can securely access all the resources they need when working and learning remotely. This latest webinar shares how other IT leaders in education have achieved this, including how to:
- Limit the infectious transmission rate during times in school
- Carry out proximity tracing to track who has been in contact
- Monitor capacity – identifying areas where people are congregating
- Watch how people are moving around the school
- Ensure all remote users have secure access to all the necessary resources
- Make the home office look as much like the work office as possible for staff