The Age of Algorithms

The Age of Algorithms
Justin Fier, Director of Cyber Intelligence & Analytics, Darktrace

How autonomous response AI is winning the race against time



By Justin Fier

Published: Sun 25 Aug 2019, 12:16 PM

Last updated: Wed 28 Aug 2019, 2:19 PM

At a time when automated cyber-attacks execute at machine speed, the reality is that merely detecting these attacks is no longer sufficient to stop them before the damage is done. According to the Ponemon Institute's oft-cited study on the topic, US companies take an average of 206 days to identify a data breach. And even when security teams discover a potential compromise the moment it begins, human professionals are fundamentally overmatched by malicious code that can encrypt or exfiltrate data in under a minute.
In this era of fast-acting threats, the only way forward is to fight code with code, to pit algorithm against algorithm, and to counter machine-speed attacks with machine-speed defences.
Darktrace, creator of the first enterprise-grade autonomous response technology Antigena, leverages AI algorithms to stop malware in its tracks, allowing incident responders to investigate and take action at their own pace. And critically, Antigena safeguards the digital estate 24/7, because cyber-criminals don't wait until business hours to strike. Examined below are three sophisticated attacks that Antigena neutralised on behalf of security teams that were either out of office or unable to react in time. Collectively, they demonstrate that the  future of autonomous cyber defence has already arrived.
Automated extortion, absent security team
The quintessential example of a cyber-threat too rapid for human professionals to parry, ransomware has become a top-of-mind concern for organisations around the world. In fact, previous research has found that approximately 70 per cent of companies simply hand over the ransom upon getting hit, regardless of the cost. However, Darktrace autonomous response prevents ransomware from spreading by confining users and devices to their typical 'patterns of life'. Rooted in a constantly refined understanding of 'self' versus 'not self', Darktrace AI surgically intervenes to shut off just the anomalous activity, while still allowing business operations to continue uninterrupted.
At 7:05 pm on a Friday, an employee at a large telecommunications firm accessed his personal email from a corporate smartphone and was tricked into downloading a malicious file that contained ransomware. Seconds later, the device began connecting to an external server on the Tor network - executing the attack just after the company's security team had left the office for the weekend.
Darktrace AI, meanwhile, responded nine seconds after encryption began, raising a prioritised alert that called for immediate action. As the behaviour persisted over the next few seconds, Darktrace activated AI-enabled autonomous response, which interrupted all attempts to write encrypted files before the ransomware spread across the telecom's network. Critically, the autonomous response technology was on guard, even when the security team couldn't be.
Antigena anticipates the alphabet
Nearly 95 per cent of all successful cyber-attacks begin with a phishing email, which dupe employees into breaching their organisations before the security team realises that anything is wrong. Even more difficult to catch are personalised "spear phishing" emails that use reconnaissance gathered from either social media or physical surveillance to impersonate trusted colleagues. Thwarting an advanced spear phishing campaign requires understanding normal behaviour for each user well enough to flag subtly suspicious emails, as well as the ability to autonomously disable their malicious links - a combination that only Darktrace AI has achieved.
On the network of a major US city, a sophisticated spear phishing campaign managed to bypass the city's native email controls. The attackers, who had obtained the city's address book, were emailing recipients alphabetically, from 'A' to 'Z,' with ostensibly harmless emails that contained a malicious payload. Despite the well-disguised nature of this attack, Darktrace immediately flagged the domain linked in the emails as abnormal for the city's employees, an action only possible with the evolving understanding of 'self' that Darktrace AI learns.
Darktrace autonomous response was deployed in 'Passive Mode' at the time, a trust-building setting that restricts the AI to communicating what it would have done in response to the threat rather than actually interceding. Interestingly enough, however, this nuance served to demonstrate the technology's ability to stop attacks that conventional tools miss. Whereas Darktrace detected the campaign at the letter 'A,' the city's array of legacy tools finally woke up to the threat at 'R'. In 'Active Mode', Antigena would have neutralised the attack before it reached a single user.
 Threat at amusement park
At a North American amusement park, an advanced attacker targeted an IoT device - a physical locker designed to store personal belongings - in an attempt to exfiltrate such data. As part of its default setting, the 'smart' locker regularly established contact with the supplier's third-party online platform, a process that the attackers hijacked to compromise the device.
Once infiltrated, the locker started to transfer more than a gigabyte of unencrypted data across the network to a rare external site. The connections, which likely included identifying details and sensitive credentials, had the potential to be transmitted over the internet entirely unprotected - allowing the attackers to intercept the connections and use the information to breach the company's network perimeter.
Due to the severity of the threat, Darktrace determined that an autonomous response was required. Within seconds, Darktrace AI took action by intelligently blocking all outgoing connections from the compromised locker. In doing so, it gave ample time for the security team to remove the smart locker from the internet - before any sensitive company or consumer data could be exfiltrated.


More news from