Darktrace's Autonomous Response technology successfully neutralized a sophisticated cyberattack, preventing the exfiltration of 718 GB of data and mitigating significant damage to a customer's network. The attack, characterized by compromised credentials, unusual network activity, and attempts to modify virtual machine configurations, was detected and contained by Darktrace's AI-powered system before it could fully unfold. The company’s proactive intervention is a testament to the power of autonomous security solutions. These solutions are indispensable for defending against the ever-increasing complexity and velocity of cyber threats.
The Autonomous Response model issued a series of alerts, including "Antigena / Network / Significant Anomaly / Antigena Enhanced Monitoring from Server Block" and "Antigena / Network / Manual / Quarantine Device," signaling the detection of malicious activity. In Darktrace's account, the system detected each threat vector used in the attack and adapted quickly as the attackers changed tactics, demonstrating its ability to protect against evolving techniques. The rapid, clearly targeted response spared critical intellectual property from further breach and shielded the personal data of our intelligence community members.
Autonomous Response in Action
Darktrace’s Autonomous Response model immediately identified the suspicious activities involved and deployed a sequence of automated responses to isolate the threat. The initial alerts included "Antigena / Network / Significant Anomaly / Antigena Enhanced Monitoring from Server Block," indicating unusual server behavior, and "Antigena / Network / Manual / Quarantine Device," indicating a manual quarantine action taken in response to the anomaly.
Further alerts, such as "Antigena / MDR / MDR-Quarantined Device" and "Antigena / MDR / Model Alert on MDR-Actioned Device," demonstrated the collaboration between the autonomous system and Darktrace's Managed Detection and Response (MDR) team. These alerts verified that the system had successfully quarantined an unknown or potentially compromised device. The MDR team monitored the incident continuously and engaged with it actively. This integration of human analysts and artificial intelligence produced an agile, decisive, and adaptive response.
Additional alerts, including "Antigena / Network / Significant Anomaly / Antigena Enhanced Monitoring from Client Block" and "Antigena / Network / Significant Anomaly / Antigena Alerts Over Time Block," highlighted the system's ability to detect anomalies across the network and track them over time. This ability enabled Darktrace not only to spot patterns of malicious activity, but to respond by neutralizing it.
Uncovering the Attack's Scope
Beyond flagging general noncompliance with asset management, Darktrace’s AI identified multiple specific indicators of compromise despite the cyberattack’s breadth and sophistication. The system flagged "Antigena / Network / Insider Threat / Antigena Network Scan Block," indicating an internal host scanning the network for vulnerabilities. Additionally, the alert "Antigena / Network / Significant Anomaly / Antigena Significant Server Anomaly Block" pointed to unusual activity targeting a critical server.
The system identified "Antigena / Network / Insider Threat / Antigena SMB Enumeration Block," suggesting an attempt to enumerate Server Message Block (SMB) shares, a common tactic used to identify accessible resources. The alert "Antigena / Network / Significant Anomaly / Antigena Controlled and Model Alert" underscored the severity of the threat, indicating a controlled and malicious activity detected by the AI.
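The two behaviors described above, an internal host sweeping the network and then enumerating SMB shares, are both detectable from ordinary connection telemetry by counting distinct targets per source inside a time window. The following is an added example (not Darktrace's code, and not a description of how its models work) that runs that logic over constructed connection records; the host names, addresses, share names and thresholds are all assumptions chosen for illustration.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ConnEvent:
    """One observed connection attempt (constructed record, not captured data)."""
    ts: datetime
    src: str
    dst: str
    dport: int
    share: str | None  # SMB share name for TREE_CONNECT-style events, else None


def _t(seconds: int) -> datetime:
    return datetime(2024, 3, 1, 9, 0, 0) + timedelta(seconds=seconds)


def build_sample_events() -> list[ConnEvent]:
    """Constructed telemetry: host 10.1.1.50 sweeps 25 hosts on SMB ports in 25 s
    and then connects to six distinct shares on the file server it found;
    host 10.1.1.60 does ordinary work against two shares, minutes apart."""
    events: list[ConnEvent] = []
    for i in range(25):  # the sweep: one new destination per second
        port = 445 if i % 2 == 0 else 139
        events.append(ConnEvent(_t(i), "10.1.1.50", f"10.1.2.{10 + i}", port, None))
    for i, share in enumerate(["finance", "hr", "legal", "it", "backup", "public"]):
        events.append(ConnEvent(_t(40 + i), "10.1.1.50", "10.1.2.10", 445, f"\\\\fs01\\{share}"))
    events.append(ConnEvent(_t(5), "10.1.1.60", "10.1.2.10", 445, "\\\\fs01\\public"))
    events.append(ConnEvent(_t(400), "10.1.1.60", "10.1.2.10", 445, "\\\\fs01\\hr"))
    return events


def _max_distinct_in_window(items: list[tuple[datetime, object]], window: timedelta) -> int:
    """Largest number of distinct keys one source touched inside any span of `window`."""
    items = sorted(items, key=lambda x: x[0])
    best = 0
    for i, (start, _) in enumerate(items):
        seen = set()
        for ts, key in items[i:]:
            if ts - start > window:
                break
            seen.add(key)
        best = max(best, len(seen))
    return best


def detect_network_scan(events: list[ConnEvent], threshold: int = 20,
                        window: timedelta = timedelta(seconds=60)) -> dict[str, int]:
    """Sources that contacted at least `threshold` distinct (dst, port) pairs in one window."""
    per_src: dict[str, list] = defaultdict(list)
    for e in events:
        per_src[e.src].append((e.ts, (e.dst, e.dport)))
    return {src: n for src, items in per_src.items()
            if (n := _max_distinct_in_window(items, window)) >= threshold}


def detect_smb_enumeration(events: list[ConnEvent], threshold: int = 5,
                           window: timedelta = timedelta(seconds=300)) -> dict[str, int]:
    """Sources that connected to at least `threshold` distinct SMB shares in one window."""
    per_src: dict[str, list] = defaultdict(list)
    for e in events:
        if e.dport == 445 and e.share is not None:
            per_src[e.src].append((e.ts, e.share))
    return {src: n for src, items in per_src.items()
            if (n := _max_distinct_in_window(items, window)) >= threshold}


if __name__ == "__main__":
    evs = build_sample_events()
    print("network scan:", detect_network_scan(evs))        # {'10.1.1.50': 25}
    print("smb enumeration:", detect_smb_enumeration(evs))  # {'10.1.1.50': 6}
```

The benign host touches only one (dst, port) pair and its two share connections fall outside a single five-minute window, so neither detector fires on it; in production the thresholds would be derived from each host's own history rather than fixed.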
That’s when Darktrace’s Autonomous Response capability kicked into high gear. It blocked non-standard outbound communication to the command-and-control (C2) server over SSH, preventing the attackers from maintaining persistence on the compromised machines. Darktrace also detected the malicious actor creating or modifying an Azure disk associated with a virtual machine (VM), which indicated an attempt to gain long-term access to, or exploit data within, the cloud environment.
Preventing Data Exfiltration and Further Damage
A key outcome of Darktrace’s intervention was stopping large-scale data exfiltration. The system observed the threat actor uploading over 718 GB to an external endpoint. This large transfer was immediately identified as unusual and cut off, stopping classified material from leaving the client’s network.
Darktrace also revealed the use of two compromised credentials to gain access to the customer’s VPN environment. The activity from these accounts was far outside their normal behavior, a sign that the attackers had taken over legitimate user accounts and were using them to bypass conventional security controls.
To contain the threat, Darktrace’s Autonomous Response capability triggered immediately. To prevent further damage, it blocked all outgoing traffic from the affected devices for an additional 24 hours, which stopped the attackers from regaining access and continuing their campaign.
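The two defensive steps above, recognizing a transfer to an external endpoint as far outside a device's normal egress and then blocking the device's outbound traffic for a fixed 24-hour window, can be expressed as a small baseline comparison plus a timed block record. The following is an added example (not Darktrace's code and not a description of its models); the device names, addresses, the 10x-over-baseline rule, the 10 GB floor and the daily egress figures are constructed assumptions, with the 718 GB figure taken from the text.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

MB = 1024 ** 2
GB = 1024 ** 3


@dataclass(frozen=True)
class EgressSummary:
    """Bytes one device sent to one destination on one day (constructed record)."""
    device: str
    day: datetime
    dst: str
    external: bool  # True when dst lies outside the customer's own address space
    bytes_out: int


@dataclass(frozen=True)
class VolumeAlert:
    device: str
    day: datetime
    dst: str
    bytes_out: int
    baseline: float  # median daily external egress for this device on earlier days


@dataclass(frozen=True)
class EgressBlock:
    """A time-limited block on all outbound traffic from one device."""
    device: str
    start: datetime
    duration: timedelta

    @property
    def expires(self) -> datetime:
        return self.start + self.duration


def build_sample_summaries() -> list[EgressSummary]:
    """Constructed daily totals: a finance workstation sends a few hundred MB a day
    to a SaaS endpoint (plus large internal backups), then on day 8 pushes 718 GB
    to a never-seen external address; an engineering host stays near its baseline."""
    base = datetime(2024, 3, 1)
    rows: list[EgressSummary] = []
    for d in range(7):
        day = base + timedelta(days=d)
        rows.append(EgressSummary("ws-finance-07", day, "203.0.113.7", True, 300 * MB + d * 10 * MB))
        rows.append(EgressSummary("ws-finance-07", day, "10.1.2.40", False, 50 * GB))  # internal backup
        rows.append(EgressSummary("ws-eng-03", day, "203.0.113.7", True, 2 * GB))
    day8 = base + timedelta(days=7)
    rows.append(EgressSummary("ws-finance-07", day8, "198.51.100.23", True, 718 * GB))
    rows.append(EgressSummary("ws-eng-03", day8, "203.0.113.7", True, 3 * GB))
    return rows


def detect_volume_anomalies(rows: list[EgressSummary], ratio: float = 10.0,
                            floor_bytes: int = 10 * GB) -> list[VolumeAlert]:
    """Flag external egress that exceeds both an absolute floor and `ratio` times the
    device's median external egress on earlier days. Alerted values are kept out of
    the baseline so one exfiltration day does not normalise the next."""
    history: dict[str, list[int]] = defaultdict(list)
    alerts: list[VolumeAlert] = []
    for r in sorted(rows, key=lambda r: r.day):
        if not r.external:
            continue
        hist = history[r.device]
        if hist:
            baseline = median(hist)
            if r.bytes_out >= floor_bytes and r.bytes_out >= ratio * baseline:
                alerts.append(VolumeAlert(r.device, r.day, r.dst, r.bytes_out, baseline))
                continue
        hist.append(r.bytes_out)
    return alerts


def block_outbound(alert: VolumeAlert, detected_at: datetime, hours: int = 24) -> EgressBlock:
    """Respond to an alert by blocking the device's outbound traffic for `hours`."""
    return EgressBlock(alert.device, detected_at, timedelta(hours=hours))


def outbound_allowed(blocks: list[EgressBlock], device: str, at: datetime) -> bool:
    """Enforcement check: is outbound traffic from `device` permitted at time `at`?"""
    return not any(b.device == device and b.start <= at < b.expires for b in blocks)


if __name__ == "__main__":
    alerts = detect_volume_anomalies(build_sample_summaries())
    for a in alerts:
        print(f"{a.device} -> {a.dst}: {a.bytes_out / GB:.0f} GB vs baseline {a.baseline / MB:.0f} MB")
    now = datetime(2024, 3, 8, 14, 30)
    blocks = [block_outbound(a, now) for a in alerts]
    print("allowed 23h later:", outbound_allowed(blocks, "ws-finance-07", now + timedelta(hours=23)))
    print("allowed 24h later:", outbound_allowed(blocks, "ws-finance-07", now + timedelta(hours=24)))
```

The internal 50 GB backups never enter the comparison because only external destinations are baselined, and the engineering host's 3 GB day is within its normal range, so only the 718 GB transfer produces an alert and a block that lapses exactly 24 hours after detection.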
"Ransomware" - Alexandra Sentenac (Senior Cyber Analyst) and Dylan Evans (Security Research Lead)