At Darktrace, we do threat intelligence differently.
Rather than examining the patterns of previous attacks to identify threats, Darktrace’s Self-Learning AI understands the normal pattern of life for each of our customers so it can quickly identify the abnormal - anomalies and behaviors that can indicate known and unknown threats.
Our unique approach, which is focused on using AI to detect anomalies and behavioral patterns, enables us to mitigate threats that may not have even been publicly attributed yet. Once Darktrace has successfully detected and contained a threat, the work of our Threat Intelligence team, a group of talented analysts located all over the world, begins. We map these mitigated cases against some of the more publicly attributed threats within the threat intelligence community and identify trends and themes that are valuable to share more broadly.
We’ve been pulling together insights from the Darktrace Security Operations Center (SOC) as well as from across our customer fleet for some time and we regularly share them on our Inside the SOC blog. Now for the first time, we’re bringing you a comprehensive report that outlines our key findings, trends and insights into some of the top cyber threats facing businesses in the first half of 2023.
The Darktrace team assessed a wide variety of threats during the first half of 2023. While some of these threats were identified as emerging or novel exploits, the majority were identified, known tooling, and many of these threats were identified as campaign-like activity targeting multiple customers. A few top takeaways from the report include:
RaaS on the Rise
Ransomware-as-a-Service (RaaS) and Malware-as-a-Service (MaaS) are the most consistently identified and mitigated threats against Darktrace customers and the most likely to affect organizations throughout the rest of 2023 and likely into 2024.
One of the most prolific forms of ransomware-as-a-service during the last 12 months has been Hive ransomware. While the customizable nature of RaaS means there’s no one way the attacks are distributed, Darktrace DETECT™ has observed several general trends which indicated a Hive ransomware attack could be in progress, including initial access via phishing emails, or through exploiting unpatched security vulnerabilities in Microsoft Exchange, before exploiting legitimate tools to move laterally around the network with the aim of exfiltrating and encrypting as much data as possible.
These Hive network intrusions – and many other MaaS and RaaS attacks - are often complimented with readily available tools – including legitimate security testing tools like CobaltStrike and other applications. This ‘Frankenstein’ approach will very likely increase, as use of open-source code and the growth of the MaaS marketplace continues, especially if attempts to hide malicious activity within every day applications and software continues.
Anomalous Activity Across Industries
Darktrace’s Cyber AI Analyst, part of Darktrace DETECT, observed several key anomalous activity trends in the first half of the year. Beaconing was the most observed pattern of activity observed by Cyber AI Analyst between January and June 2023, which is indicative of Command and Control activity.
Darktrace Cyber AI Analyst also observed more patterns of activities from customers in the manufacturing sector than any other sector in the first half, this was followed closely by theInformation and Communication sector, Financial and Insurance sector, Human Health and Social Work sector, and the Education sector.
What’s Next: Our Predictions
Lowering the Barrier to Entry: The growing malware-as-a-service market is providing even low-level cyber criminals with the tools necessary to deploy highly customizable attacks. This is leading to challenges for defenders who might be working to specific playbooks and creating large gaps in their security posture – especially if the attacker is exploiting legitimate, everyday applications and tools to help conduct attacks.
Cascading Supply Chain Attacks: With a widening pool of supply chains enabled by interconnective and adaptable technology, there will likely be a continuation of cascading supply chain attacks, like the 3CX supply chain attack reported earlier this year, whether by design or due to accidental spread of tainted technology.
Increasing Cloud Threats: The shift towards cloud infrastructure is making ‘simply logging in’ hacks easier, creating additional risks across entire supply chains. Sensitive information which would have been previously only stored on-premises is now accessible via common working tools, which can be accessed from anywhere – and attackers know it. As organizations are still largely reliant on passwords to access SaaS and cloud applications, it is very likely cloud-focused identity targeting will continue to be a significant attack vector.
At Darktrace, our mission is to free the world from cyber disruption. That mission has never been more important as the volume of unique attacks is poised to grow and the barrier to entry for threat actors gets lower due to widespread access to AI, automation and as-a-service threat markets. For the last 10 years, Darktrace has used its Self-Learning AI to detect anomalies and analyze behavior to stay ahead of attacks that have yet to be publicly attributed. We hope that these insights, which were detected by Darktrace and combined with analysis from our Threat Intelligence team, offer insights to help you keep your business safe in 2023 and beyond.
Download the full report here: https://darktrace.com/resources/first-6-half-year-threat-report