It’s All in the Timing: How to Optimize Incident Response to Conserve Resources
02
Aug 2023
02
Aug 2023
When it comes to responding to an incident, bad timing wastes resources. And traditional incident response strategies make it very hard to get the timing right. With Darktrace HEAL, organizations can now identify and address critical events faster and more efficiently to save security teams time, money, and effort.
Finding balance with a cyber incident response plan
When it comes to responding to an incident, bad timing wastes resources. And traditional incident response strategies paired with traditional detection tools make it very hard to get the timing right.
If an organization starts recovery efforts too early, it can start acting on events that turn out to be benign. This leads to wasted resources.
If an organization starts recovery too late, it can end up letting attacks continue so that the issues become more widespread and complex, which then require more resources to remedy and can have larger impacts on the business.
Somewhere in between, there is an optimal stage in which the security teams are not wasting time on benign events, but in which incidents are not allowed to escalate too far. But this sweet spot is hard to ascertain, especially when detection tools are prone to false positives and more sophisticated or novel attacks often fly under the radar of signature-based tools.
This can be illustrated graphically, with the amount of time passed until a security team activates incident response measured along the x-axis, and the amount of resources required on the y-axis. You'll notice a spike at the very beginning due to the high frequency of non-events, which eats away at resources as the security team reacts to many events that turn out to be benign.
Figure 1: Incident response has maximum efficiency when enacted not too early and not too late. Graph for illustration purposes only.
The problem of responding to an incident too late is heightened by static incident response playbooks. Incident response playbooks are often created in ‘one-size-fits-all’ format for general attack types – you might have one for ‘ransomware’, one for ‘DDoS attacks’, and so on. They outline the necessary steps to eradicate the attack, remediate infected assets, gather evidence, communicate internally, and ultimately recover.
While these playbooks help satisfy auditors and compliance requirements, they aren’t often used in the real world, because the reality of an attack never quite aligns with the generic parameters set out in the playbook. The playbook is static, while businesses – and the threats that target them – are constantly evolving. This is especially true with the rise of generative AI, which allows attackers to carry out sophisticated and innovative attacks on a large scale.
In other words, every traditional playbook is outdated the day it is written. The mismatch between attacks and the playbook’s response plan puts the burden on the human team to fill in the gaps, as the human's attention moves from following step-by-step instructions to making real-time decisions. Forced to synthesize the entire event under stressful circumstances, often with limited information, they begin to deviate further and further from the playbooks, rendering them less and less relevant.
By responding only to genuine security incidents, and initiating actions before those incidents become a crisis, security teams reduce the amount of resources required. But this is only possible with accurate detections and investigative tools that give you all the information you need on a silver platter.
Using AI for faster and more efficient incident response
With Darktrace HEAL™, defenders can now initiate incident response earlier, during the optimal window of time. AI technology learns from your business data at speed and scale to identify and investigate events in real time and determine what activity requires attention. It automatically connects the dots between individual unusual events DETECT alerts to look for wider security incidents, which are then subject to HEAL’s recovery capabilities.
HEAL uses this data to enable security teams to address emerging critical incidents earlier, while eliminating unnecessary time and effort spent on irrelevant events. By lowering the threshold for activating incident response and using automation, organizations can make earlier and more informed decisions, resulting in swifter and less resource-intensive recovery.
Two things now happen to our graph. First, the entire curve shifts downwards due to better tooling. The security team now benefits from automation, bespoke AI-generated playbooks, and integrations, and as a result, the amount of resources required drops at every stage of the curve. Secondly, the sweet spot previously unattainable to incident responders due to inaccurate detection and stringent incident response activation policies, becomes achievable.
Figure 2: With Darktrace HEAL, incident response can be enacted earlier, and using fewer resources. Graph for illustration purposes only.
Bespoke playbooks accelerate recovery
HEAL automates several steps of the recovery process to accelerate the rate of incident response. It creates bespoke, AI-generated incident response playbooks that leverage an evolving understanding of the organization to determine recovery steps that are tailored to the specific incident and the environment it takes place in. For example, a cloud migration may introduce new architecture that a traditional, static playbook may not consider but HEAL does.
These bespoke playbooks can keep up with changes in both the business and the threat landscape by using Self-Learning AI, which is trained on the organization’s specific data and continuously updates its understanding of the business. As a result of this tailored AI learning, these playbooks can facilitate more efficient incident response during and after an incident by taking relevant actions and not over-responding.
The AI also prioritizes the order of remediation actions based on factors like further damage, how much the attack relies on the specific asset as a pivot or entry point, and if RESPOND has contained the asset's unwanted activity temporarily.
HEAL’s bespoke playbooks apply both in the case of critical incidents that need quick eradication and recovery as well as during day-to-day triage of any emerging incidents. With bespoke playbooks, organizations can tick the compliance box while also having real-world, practical value.
Incident response made simple
Traditionally, organizations struggle to find the sweet spot between responding to incidents too early and too late, increasing the chance that they will waste resources or even face reputational or financial issues.
With HEAL, organizations can now identify and address critical events more effectively. The AI technology uses enhanced detection capabilities to surface significant incidents early without wasting time and effort on irrelevant events. Leveraging bespoke, AI-generated playbooks further streamlines recovery by ensuring applicable recovery plans.
By adjusting the timing of incident response, HEAL uses accurate detection and swift recovery to save security teams time, money, and effort.
HEAL is the final stage of Darktrace’s Cyber AI Loop, an interconnected security ecosystem that helps defenders at every stage of an attack lifecycle. AI outputs flow between each product – Darktrace PREVENT™, Darktrace DETECT™, Darktrace RESPOND™, and HEAL – to continuously and autonomously harden security.
Figure 3: The Cyber AI Loop is a virtuous cycle in which Darktrace products amplify each other by sharing AI outputs.
Curtiu e quer mais?
Receba o último blog em sua caixa de entrada
Obrigado! Seu pedido foi recebido!
Oops! Alguma coisa deu errado ao enviar o formulário.
NEWSLETTER
Curtiu e quer mais?
Stay up to date on the latest industry news and insights.
Obrigado! Seu pedido foi recebido!
Oops! Alguma coisa deu errado ao enviar o formulário.
Os analistas cibernéticos da Darktrace são especialistas de classe mundial em inteligência de ameaças, caça de ameaças e resposta a incidentes, e fornecem suporte 24/7 SOC a milhares de Darktrace clientes em todo o mundo. Dentro do SOC é de autoria exclusiva desses especialistas, fornecendo análises de incidentes cibernéticos e tendências de ameaças, com base na experiência do mundo real na área.
AUTOR
SOBRE O AUTOR
Dan Fein
VP, Product
Based in New York, Dan joined Darktrace’s technical team in 2015, helping customers quickly achieve a complete and granular understanding of Darktrace’s product suite. Dan has a particular focus on Darktrace/Email, ensuring that it is effectively deployed in complex digital environments, and works closely with the development, marketing, sales, and technical teams. Dan holds a Bachelor’s degree in Computer Science from New York University.
Connecting the Dots: Darktrace’s Detection of the Exploitation of the ConnectWise ScreenConnect Vulnerabilities
10
May 2024
Introduction
Across an ever changing cyber landscape, it is common place for threat actors to actively identify and exploit newly discovered vulnerabilities within commonly utilized services and applications. While attackers are likely to prioritize developing exploits for the more severe and global Common Vulnerabilities and Exposures (CVEs), they typically have the most success exploiting known vulnerabilities within the first couple years of disclosure to the public.
Addressing these vulnerabilities in a timely manner reduces the effectiveness of known vulnerabilities, decreasing the pace of malicious actor operations and forcing pursuit of more costly and time-consuming methods, such as zero-day related exploits or attacking software supply chain operations. While actors also develop tools to exploit other vulnerabilities, developing exploits for critical and publicly known vulnerabilities gives actors impactful tools at a low cost they are able to use for quite some time.
Between January and March 2024, the Darktrace Threat Research team investigated one such example that involved indicators of compromise (IoCs) suggesting the exploitation of vulnerabilities in ConnectWise’s remote monitoring and management (RMM) software ScreenConnect.
What are the ConnectWise ScreenConnect vulnerabilities?
CVE-2024-1708 is an authentication bypass vulnerability in ScreenConnect 23.9.7 (and all earlier versions) that, if exploited, would enable an attacker to execute remote code or directly impact confidential information or critical systems. This exploit would pave the way for a second ScreenConnect vunerability, CVE-2024-1709, which allows attackers to directly access confidential information or critical systems [1].
ConnectWise released a patch and automatically updated cloud versions of ScreenConnect 23.9.9, while urging security temas to update on-premise versions immediately [3].
If exploited in conjunction, these vulnerabilities could allow a malicious actor to create new administrative accounts on publicly exposed instances by evading existing security measures. This, in turn, could enable attackers to assume an administrative role and disable security tools, create backdoors, and disrupt RMM processes. Access to an organization’s environment in this manner poses serious risk, potentially leading to significant consequences such as deploying ransomware, as seen in various incidents involving the exploitation of ScreenConnect [2]
Darktrace’s anomaly-based detection was able to identify evidence of exploitation related to CVE-2024-1708 and CVE-2024-1709 across two distinct timelines; these detections included connectivity with endpoints that were later confirmed to be malicious by multiple open-source intelligence (OSINT) vendors. The activity observed by Darktrace suggests that threat actors were actively exploiting these vulnerabilities across multiple customer environments.
In the cases observed across the Darktrace fleet, Darktrace DETECT™ and Darktrace RESPOND™ were able to work in tandem to pre-emptively identify and contain network compromises from the onset. While Darktrace RESPOND was enabled in most customer environments affected by the ScreenConnect vulnerabilities, in the majority of cases it was configured in Human Confirmation mode. Whilst in Human Confirmation mode, RESPOND will provide recommended actions to mitigate ongoing attacks, but these actions require manual approval from human security teams.
When enabled in autonomous response mode, Darktrace RESPOND will take action automatically, shutting down suspicious activity as soon as it is detected without the need for human intervention. This is the ideal end state for RESPOND as actions can be taken at machine speed, without any delays waiting for user approval.
Looking within the patterns of activity observed by Darktrace , the typical attack timeline included:
Darktrace observed devices on affected customer networks performing activity indicative of ConnectWise ScreenConnect usage, for example connections over 80 and 8041, connections to screenconnect[.]com, and the use of the user agent “LabTech Agent”. OSINT research suggests that this user agent is an older name for ConnectWise Automate [5] which also includes ScreenConnect as standard [6].
Figure 1: Darktrace DETECT model alert highlighting the use of a remote management tool, namely “screenconnect[.]com”.
This activity was typically followed by anomalous connections to the external IP address 108.61.210[.]72 using URIs of the form “/MyUserName_DEVICEHOSTNAME”, as well as additional connections to another external, IP 185.62.58[.]132. Both of these external locations have since been reported as potentially malicious [14], with 185.62.58[.]132 in particular linked to ScreenConnect post-exploitation activity [2].
Figure 2: Darktrace DETECT model alert highlighting the unusual connection to 185.62.58[.]132 via port 8041.
Figure 3: Darktrace DETECT model alert highlighting connections to 108.61.210[.]72 using a new user agent and the “/MyUserName_DEVICEHOSTNAME” URI.
Same Exploit, Different Tactics?
While the majority of instances of ConnectWise ScreenConnect exploitation observed by Darktrace followed the above pattern of activity, Darktrace was able to identify some deviations from this.
In one customer environment, Darktrace’s detection of post-exploitation activity began with the same indicators of ScreenConnect usage, including connections to screenconnect[.]com via port 8041, followed by connections to unusual domains flagged as malicious by OSINT, in this case 116.0.56[.]101 [16] [17]. However, on this deployment Darktrace also observed threat actors downloading a suspicious AnyDesk installer from the endpoint with the URI “hxxp[:]//116.0.56[.]101[:]9191/images/Distribution.exe”.
Figure 4: Darktrace DETECT model alert highlighting the download of an unusual executable file from 116.0.56[.]101.
Further investigation by Darktrace’s Threat Research team revealed that this endpoint was associated with threat actors exploiting CVE-2024-1708 and CVE-2024-1709 [1]. Darktrace was additionally able to identify that, despite the customer being based in the United Kingdom, the file downloaded came from Pakistan. Darktrace recognized that this represented a deviation from the device’s expected pattern of activity and promptly alerted for it, bringing it to the attention of the customer.
Figure 5: External Sites Summary within the Darktrace UI pinpointing the geographic locations of external endpoints, in this case highlighting a file download from Pakistan.
Darktrace’s Autonomous Response
In this instance, the customer had Darktrace enabled in autonomous response mode and the post-exploitation activity was swiftly contained, preventing the attack from escalating.
As soon as the suspicious AnyDesk download was detected, Darktrace RESPOND applied targeted measures to prevent additional malicious activity. This included blocking connections to 116.0.56[.]101 and “*.56.101”, along with blocking all outgoing traffic from the device. Furthermore, RESPOND enforced a “pattern of life” on the device, restricting its activity to its learned behavior, allowing connections that are considered normal, but blocking any unusual deviations.
Figure 6: Darktrace RESPOND enforcing a “pattern of life” on the offending device after detecting the suspicious AnyDesk download.
Figure 7: Darktrace RESPOND blocking connections to the suspicious endpoint 116.0.56[.]101 and “*.56.101” following the download of the suspicious AnyDesk installer.
The customer was later able to use RESPOND to manually quarantine the offending device, ensuring that all incoming and outgoing traffic to or from the device was prohibited, thus preventing ay further malicious communication or lateral movement attempts.
Figure 8: The actions applied by Darktrace RESPOND in response to the post-exploitation activity related to the ScreenConnect vulnerabilities, including the manually applied “Quarantine device” action.
Conclusão
In the observed cases of the ConnectWise ScreenConnect vulnerabilities being exploited across the Darktrace fleet, Darktrace was able to pre-emptively identify and contain network compromises from the onset, offering vital protection against disruptive cyber-attacks.
While much of the post-exploitation activity observed by Darktrace remained the same across different customer environments, important deviations were also identified suggesting that threat actors may be adapting their tactics, techniques and procedures (TTPs) from campaign to campaign.
While new vulnerabilities will inevitably surface and threat actors will continually look for novel ways to evolve their methods, Darktrace’s Self-Learning AI and behavioral analysis offers organizations full visibility over new or unknown threats. Rather than relying on existing threat intelligence or static lists of “known bads”, Darktrace is able to detect emerging activity based on anomaly and respond to it without latency, safeguarding customer environments whilst causing minimal disruption to business operations.
Credit: Emma Foulger, Principal Cyber Analyst for their contribution to this blog.
Appendices
Darktrace Model Coverage
DETECT Models
Compromise / Agent Beacon (Medium Period)
Compromise / Agent Beacon (Long Period)
Anomalous File / EXE from Rare External Location
Device / New PowerShell User Agent
Anomalous Connection / Powershell to Rare External
Conexão anômala / Novo agente de usuário para IP sem nome de host
User / New Admin Credentials on Client
Dispositivo / Novo agente do usuário
Anomalous Connection / Multiple HTTP POSTs to Rare Hostname
Atividade anômala do servidor / atividade externa anômala do dispositivo de Rede Crítica
Compromise / Suspicious Request Data
Compliance / Remote Management Tool On Server
Anomalous File / Anomalous Octet Stream (No User Agent)
How Empowering End Users can Improve Your Email Security and Decrease the Burden on the SOC
08
May 2024
Why do we pay attention to the end user?
Every email security solution filters inbound mail, then typically hands over false positives and false negatives to the security team for manual triage. A crucial problem with this lifecycle is that it ignores the inevitability of end users being at the front line of any organization. Employees may receive point in time security awareness training, but it is rarely engaging or contextualized to their reality. While an employee may report a suspicious-looking email to the security team, they will rarely get to understand the outcome or impact of that decision. This means that the quality of reporting never improves, so the burden on the security team of triaging these emails – of which 90% are falsely reported – persists and grows with the business over time.
At Darktrace, we recognize that employees will always be on the front line of email security. That’s why we aim to improve end-user reporting from the ground up, reducing the overall number of emails needing triage and saving security team resource.
How does Darktrace improve the quality of end-user reporting?
Darktrace prioritizes improving users’ security awareness to increase the quality of end-user reporting from day one. We train users and optimize their experience, which in turn provides better detection.
That starts with training and security awareness. Traditionally, organizations oblige employees to attend point-in-time training sessions which interrupt their daily work schedules. With Darktrace/Email, if a message contains some potentially suspicious markers but is most likely safe, Darktrace takes a specific action to neutralize the risky components and presents it to the user with a simple narrative explaining why certain elements have been held back. The user can then decide whether to report this email to the security team.
Figure 1: AI shares its analysis in context and in real time at the moment a user is questioning an email
The AI narrative gives the user context for why their specific email may carry risk, putting their security awareness training into practice. This creates an element of trust with the security solution, rather than viewing it as outside of daily workflows. Users may also receive a daily or weekly digest of their held emails and make a decision on whether to release or report them.
Whatever the user’s existing workflow is for reporting emails, Darktrace/Email can integrate with it and improve its quality. Our add-in for Outlook gives users a fully optimized experience, allowing them to engage with the narratives for each email, as well as non-productive mail management. However, if teams want to integrate Darktrace into an existing workflow, it can analyze emails reported to an internal SOC mailbox, the native email provider’s 'Report Phish’ button, or the ‘Knowbe4’ button.
By empowering the user with contextual feedback on each unique email, we foster employee engagement and elevate both reporting quality and security awareness. In fact, 60% fewer benign emails are reported because of the extra context supplied by Darktrace to end users. The eventual report is then fed back to the detection algorithm, improving future decision-making.
Reducing the amount of emails that reach the SOC
Out of the higher-quality emails that do end up being reported by users, the next step is to reduce the amount of emails that reach the SOC.
Once a user reports an email, Darktrace will independently determine if the mail should be automatically remediated based on second level triage. Darktrace/Email’s Mailbox Security Assistant automates secondary triage by combining additional behavioral signals and the most advanced link analysis engine we have ever built. It detects 70% more sophisticated malicious phishing links by looking at an additional twenty times more context than at the primary analysis stage, revealing the hidden intent within interactive and dynamic webpages. This directly alleviates the burden of manual triage for security analysts.
Following this secondary triage the emails that are deemed worthy of security team attention are then passed over, resulting in a lower quantity and higher quality of emails for SOC manual triage.
Centralizing and speeding analysis for investigations
For those emails that are received by the SOC, Darktrace also helps to improve triage time for manual remediation.
AI-generated narratives and automated remediation actions empower teams to fast-track manual triage and remediation, while still providing security analysts with the necessary depth. With live inbox view, security teams gain access to a centralized platform that combines intuitive search capabilities, Cyber AI Analyst reports, and mobile application access. With all security workflows consolidated within a unified interface, users can analyze and take remediation actions without the need to navigate multiple tools, such as e-discovery platforms – eliminating console hopping and accelerating incident response.
Our customers tell us that our AI allows them to go in-depth quickly for investigations, versus other solutions that only provide a high-level view.
Figure 2: Cyber AI Analyst provides a simple language narrative for each reported email, allowing teams to quickly understand why it may be suspicious
Conclusão
Unlike our competitors, we believe that improving the quality of users’ experience is not only a nice-to-have, but a fundamental means for improving security. Any modern solution should consider end users as a key source of information as well as an opportunity for defense. Darktrace does both – optimizing the user experience as well as our AI learning from the user to augment detection.
The benefits of empowering users are ultimately felt by the security team, who benefit from improved detection, a reduction in manual triage of benign emails, and faster investigation workflows.
Augmented end user reporting is just one of a range of features new to Darktrace/Email. Check out the latest Innovations to Darktrace/Email in our recent blog.
![Darktrace DETECT model alert highlighting the use of a remote management tool, namely “screenconnect[.]com”.](https://assets-global.website-files.com/626ff4d25aca2edf4325ff97/663e65c6b0ee97378e4509af_Screenshot%202024-05-10%20at%2011.21.43%20AM.png)
![Figure 2: Darktrace DETECT model alert highlighting the unusual connection to 185.62.58[.]132 via port 8041.](https://assets-global.website-files.com/626ff4d25aca2edf4325ff97/663e66b4de1b5491cb1af256_Screenshot%202024-05-10%20at%2011.22.47%20AM.png)
![Figure 3: Darktrace DETECT model alert highlighting connections to 108.61.210[.]72 using a new user agent and the “/MyUserName_DEVICEHOSTNAME” URI.](https://assets-global.website-files.com/626ff4d25aca2edf4325ff97/663e66d3c53f1631e9d6f3ec_Screenshot%202024-05-10%20at%2011.23.04%20AM.png)
![Figure 4: Darktrace DETECT model alert highlighting the download of an unusual executable file from 116.0.56[.]101.](https://assets-global.website-files.com/626ff4d25aca2edf4325ff97/663e671300e1a5b26483fcea_Screenshot%202024-05-10%20at%2011.27.20%20AM.png)
![Figure 7: Darktrace RESPOND blocking connections to the suspicious endpoint 116.0.56[.]101 and “*.56.101” following the download of the suspicious AnyDesk installer.](https://assets-global.website-files.com/626ff4d25aca2edf4325ff97/663e67ff976d5b71245b32a4_Screenshot%202024-05-10%20at%2011.31.17%20AM.png)
