Detecting and responding to Log4Shell in the wild
In this blog, we’ll take a look at the Log4Shell vulnerability and provide real-world examples of how Darktrace detects and responds to attacks attempting to leverage Log4Shell in the wild.
Log4Shell is now the well-known name for CVE-2021-44228 – a severity 10 zero-day exploiting a well-known Java logging utility known as Log4j. Vulnerabilities are discovered daily, and some are more severe than others, but the fact that this open source utility is nested into nearly everything, including the Mars Ingenuity drone, makes this that much more menacing. Details and further updates about Log4Shell are still emerging at the publication date of this blog.
Typically, zero-days with the power to reach this many systems are held close to the chest and only used by nation states for high value targets or operations. This one, however, was first discovered being used against Minecraft gaming servers, shared in chat amongst gamers.
While all steps should be taken to deploy mitigations to the Log4Shell vulnerability, these can take time. As evidenced here, behavioral detection can be used to look for signs of post-exploitation activity such as scanning, coin mining, lateral movement, and other activities.
Darktrace initially detected the Log4Shell vulnerability targeting one of our customers’ Internet-facing servers, as you will see in detail in an actual anonymized threat investigation below. This was highlighted and reported using Cyber AI Analyst, unpacked here by our SOC team. Please take note that this was using pre-existing algorithms without retraining classifiers or adjusting response mechanisms in reaction to Log4Shell cyber-attacks.
How Log4Shell works
The vulnerability works by taking advantage of improper input validation by the Java Naming and Directory Interface (JNDI). A command comes in from an HTTP user-agent, encrypted HTTPS connection, or even a chat room message, and the JNDI sends that to the target system in which it gets executed. Most libraries and applications have checks and protections in place to prevent this from happening, but as seen here, they get missed at times.
Various threat actors have started to leverage the vulnerability in attacks, ranging from indiscriminate crypto-mining campaigns to targeted, more sophisticated attacks.
Real-world example 1: Log4Shell exploited on CVE ID release date
Darktrace saw this first example on December 10, the same day the CVE ID was released. We often see publicly documented vulnerabilities being weaponized within days by threat actors. This attack hit an Internet-facing device in an organization’s demilitarized zone (DMZ). Darktrace had automatically classified the server as an Internet-facing device based on its behavior.
The organization had deployed Darktrace in the on-prem network as one of many coverage areas that include cloud, email and SaaS. In this deployment, Darktrace had good visibility of the DMZ traffic. Antigena was not active in this environment, and Darktrace was in detection-mode only. Despite this fact, the client in question was able to identify and remediate this incident within hours of the initial alert. The attack was automated and had the goal of deploying a crypto-miner known as Kinsing.
In this attack, the attacker made it harder to detect the compromise by encrypting the initial command injection using HTTPS rather than the more common HTTP seen in the wild. Although this method can bypass traditional rule- and signature-based systems, Darktrace was able to spot multiple unusual behaviors seconds after the initial connection.
Initial compromise details
Through peer analysis Darktrace had previously learned what this specific DMZ device and its peer group normally do in the environment. During the initial exploitation, Darktrace detected various subtle anomalies that taken together made the attack obvious.
- 15:45:32 Inbound HTTPS connection to DMZ server from rare Russian IP — 45.155.205[.]233;
- 15:45:38 DMZ server establishes new outbound connections to the same Russian IP as above using two new user agents: a Java user agent and Curl, on ports where, judging from its usual pattern, handling HTTP requests is abnormal behavior;
- 15:45:39 DMZ server uses an HTTP connection to the same Russian IP via yet another new curl user agent (‘curl/7.47.0’). The URL contained reconnaissance information about the DMZ server.
All of this activity could be detected not because Darktrace had seen it before, but because it deviated significantly from the usual ‘pattern of life’ of this server and of the other similar servers in use at the organization.
This server had never connected to an IP address that is rare on the Internet, over a protocol and port it had never used, with a user agent it had never used. Taken on its own, each anomaly was not highly abnormal, but when the detections are analyzed together in the context of this specific device and environment, they are clear evidence of a cyber-attack in progress.
Darktrace detected this activity across various models, for example:
- Anomalous Connection / New User Agent to IP Without Hostname
- Anomalous Connection / Callback on Web Facing Device
Additional tooling and crypto-miner download
Less than 90 minutes after the initial compromise, the infected server began downloading malicious scripts and executables from the rare Ukrainian IP 80.71.158[.]12.
The following payloads were subsequently downloaded from the Ukrainian IP in order:
- hXXp://80.71.158[.]12//lh.sh
- hXXp://80.71.158[.]12/Expl[REDACTED].class
- hXXp://80.71.158[.]12/kinsing
- hXXp://80.71.158[.]12//libsystem.so
- hXXp://80.71.158[.]12/Expl[REDACTED].class
Using no threat intelligence or detections based on static indicators of compromise (IoC) such as IPs, domain names or file hashes, Darktrace detected this next step in the attack in real time.
The DMZ server had never previously communicated with this Ukrainian IP address over such a rare port. Moreover, it was highly unusual for this device and its peers to download scripts or executables from this type of external destination in this manner. Shortly after the downloads began, the DMZ server started mining cryptocurrency.
Darktrace detected this activity across various models, for example:
- Anomalous File / Script from Rare External Location
- Anomalous File / Internet Facing System File Download
- Device / Internet Facing System with High Priority Alert
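The timeline above can be reduced to a small correlation exercise. The Python script below is an added example, not Darktrace's code and not the models named above: it treats a short, constructed history of the DMZ server's connections as its pattern of life, scores each new connection on the same kinds of deviation the post lists (rare peer, new user agent, new port and protocol, a callback to a peer that just connected inbound, a file fetched from a rare location), and raises an incident once the scores of one time window add up. The two IP addresses, the curl/7.47.0 user agent and the payload names are the post's own indicators; the baseline traffic, the ports, the other user agents, the recon URI, the download timestamps, and the weights and thresholds are assumptions.

```python
"""Behavioral correlation of connection records for one Internet-facing server.

Constructed illustration, not Darktrace code: a short history of the server's
own connections stands in for a learned 'pattern of life', each new record is
scored by how far it departs from that history, and an incident is raised
when the scores inside one time window add up.
"""
from collections import namedtuple
from datetime import datetime, timedelta

Conn = namedtuple("Conn", "ts direction peer port proto user_agent uri")

def parse(line):
    """Parse one constructed record: time|direction|peer_ip|port|proto|user_agent|uri ('-' = none)."""
    ts, direction, peer, port, proto, ua, uri = line.split("|")
    return Conn(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), direction, peer, int(port),
                proto, None if ua == "-" else ua, None if uri == "-" else uri)

# Constructed baseline: what this DMZ web server normally does (assumed).
BASELINE_LINES = [
    "2021-11-20 09:00:00|in|198.51.100.7|443|https|-|-",
    "2021-11-21 10:12:00|in|198.51.100.9|443|https|-|-",
    "2021-11-22 11:30:00|in|198.51.100.7|80|http|-|-",
    "2021-12-01 03:00:00|out|203.0.113.50|443|https|Mozilla/5.0 (compatible; update-agent)|/updates/manifest.json",
    "2021-12-05 03:00:00|out|203.0.113.50|443|https|Mozilla/5.0 (compatible; update-agent)|/updates/manifest.json",
]

# Constructed events following the post's timeline. The two IPs, the
# curl/7.47.0 user agent and the payload names come from the post; the ports,
# the other user agents, the recon URI and the download times are assumptions.
EVENT_LINES = [
    "2021-12-10 15:45:32|in|45.155.205.233|443|https|-|-",
    "2021-12-10 15:45:38|out|45.155.205.233|8090|http|Java/1.8.0_181|/",
    "2021-12-10 15:45:38|out|45.155.205.233|8090|http|curl/7.64.0|/",
    "2021-12-10 15:45:39|out|45.155.205.233|80|http|curl/7.47.0|/?host=dmz-web-01",
    "2021-12-10 17:10:02|out|80.71.158.12|8585|http|curl/7.47.0|//lh.sh",
    "2021-12-10 17:10:40|out|80.71.158.12|8585|http|curl/7.47.0|/kinsing",
    "2021-12-10 17:11:05|out|80.71.158.12|8585|http|curl/7.47.0|//libsystem.so",
]

# Each feature on its own is weak evidence; the weights make the combination count.
WEIGHTS = {"rare_peer": 1, "new_user_agent": 2, "new_port_proto": 2,
           "callback": 3, "file_from_rare_peer": 3}
CALLBACK_WINDOW = timedelta(minutes=5)   # outbound to a peer that just connected inbound

class PatternOfLife:
    """The peers, user agents and (direction, port, proto) services seen in the baseline."""
    def __init__(self, baseline):
        self.peers = {c.peer for c in baseline}
        self.agents = {c.user_agent for c in baseline if c.user_agent}
        self.services = {(c.direction, c.port, c.proto) for c in baseline}

def score_events(baseline, events):
    """Return [(ts, peer, score, features)] for every event that departs from the baseline."""
    pol = PatternOfLife(baseline)
    last_inbound = {}                     # peer -> time of its most recent inbound connection
    findings = []
    for c in events:
        features = []
        if c.peer not in pol.peers:
            features.append("rare_peer")
        if c.user_agent and c.user_agent not in pol.agents:
            features.append("new_user_agent")
        if (c.direction, c.port, c.proto) not in pol.services:
            features.append("new_port_proto")
        if c.direction == "in":
            last_inbound[c.peer] = c.ts
        else:
            seen = last_inbound.get(c.peer)
            if seen is not None and c.ts - seen <= CALLBACK_WINDOW:
                features.append("callback")
            filename = (c.uri or "").split("?")[0].rsplit("/", 1)[-1]
            if "rare_peer" in features and filename:
                features.append("file_from_rare_peer")
        if features:
            findings.append((c.ts, c.peer, sum(WEIGHTS[f] for f in features), features))
    return findings

def label(features):
    """Name a finding after the post's model list (labels only, not those models' logic)."""
    if "file_from_rare_peer" in features:
        return "Anomalous File / Script from Rare External Location"
    if "callback" in features:
        return "Anomalous Connection / Callback on Web Facing Device"
    if "new_user_agent" in features:
        return "Anomalous Connection / New User Agent to IP Without Hostname"
    return "Low-level anomaly"

def first_incident(findings, window=timedelta(hours=2), threshold=20):
    """Time at which the scores inside one sliding window first reach the threshold."""
    recent = []
    for ts, _, score, _ in findings:
        recent = [(t, s) for t, s in recent if ts - t <= window] + [(ts, score)]
        if sum(s for _, s in recent) >= threshold:
            return ts
    return None

if __name__ == "__main__":
    base = [parse(l) for l in BASELINE_LINES]
    found = score_events(base, [parse(l) for l in EVENT_LINES])
    for ts, peer, score, feats in found:
        print(ts.time(), peer, score, label(feats), feats)
    print("incident raised at", first_incident(found))
```

Run directly, it prints each finding with a label borrowed from the post's model names; the incident fires on the third outbound connection, seven seconds after the inbound one. That is the point the post makes: the inbound connection from a rare IP scores only 1 on its own, and it is the combination of new user agent, new port and callback on this particular device that pushes the window over the threshold.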
Surfacing the Log4Shell incident immediately
In addition to Darktrace detecting each individual step of this attack in real time, Darktrace Cyber AI Analyst also surfaced the overarching security incident, containing a cohesive narrative for the overall attack, as the most high-priority incident within a week’s worth of incidents and alerts in Darktrace. This means that this incident was the most obvious and immediate item highlighted to human security teams as it unfolded. Darktrace’s Cyber AI Analyst found each stage of this incident and asked the very questions you would expect of your human SOC analysts. From the natural language report generated by the Cyber AI Analyst, a summary of each stage of the incident followed by the vital data points human analysts need, is presented in an easy to digest format. Each tab signifies a different part of this incident outlining the actual steps taken during each investigative process.
The result of this is no sifting through low-level alerts, no need to triage point-in-time detections, no putting the detections into a bigger incident context, no need to write a report. All of this was automatically completed by the AI Analyst saving human teams valuable time.
The below incident report was automatically created and could be downloaded as a PDF in various languages.

Figure 1: Darktrace’s Cyber AI Analyst surfaces multiple stages of the attack and explains its investigation process
Real-world example 2: Responding to a different attack using Log4Shell
On December 12, another organization’s Internet-facing server was initially compromised via Log4Shell. While the details of the compromise are different – other IoCs are involved – Darktrace detected and surfaced the attack similarly to the first example.
Interestingly, this organization had Darktrace Antigena in autonomous mode on their server, meaning the AI can take autonomous actions to respond to ongoing cyber-attacks. These responses can be delivered via a variety of mechanisms, for instance, API interactions with firewalls, other security tools, or native responses issued by Darktrace.
In this attack the rare external IP 164.52.212[.]196 was used for command and control (C2) communication and malware delivery, using HTTP over port 88, which was highly unusual for this device, peer group and organization.
Antigena reacted in real time in this organization, based on the specific context of the attack, without any human in the loop. Antigena interacted with the organization’s firewall in this case to block any connections to or from the malicious IP address – in this case 164.52.212[.]196 – over port 88 for 2 hours with the option of escalating the block and duration if the attack appears to persist. This is seen in the illustration below:

Figure 2: Antigena’s response
Here comes the trick: thanks to Self-Learning AI, Darktrace knows exactly what the Internet-facing server usually does and does not do, down to each individual data point. Based on the various anomalies, Darktrace is certain that this represents a major cyber-attack.
Antigena now steps in and enforces the regular pattern of life for this server in the DMZ. This means the server can continue doing whatever it normally does – but all the highly anomalous actions are interrupted as they occur in real time, such as speaking to a rare external IP over port 88 serving HTTP to download executables.
Of course the human can change or lift the block at any given time. Antigena can also be configured to be in human confirmation mode, having the human in the loop at certain times during the day (e.g. office hours) or at all times, depending on an organization’s needs and requirements.
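To make the response concrete, here is an added Python sketch of the behaviour just described; it is not Antigena's code. A responder lets the server keep its normal services, blocks any other peer/port pair for two hours, extends and widens the block if the peer keeps trying, can be lifted by an operator, and in human-confirmation mode only proposes a block during office hours. The `Firewall` object stands in for a firewall API; the office-hours window, the escalation rule (widen to all ports after three blocked attempts and double the duration), the benign peer and the timestamps are assumptions. The IP 164.52.212[.]196 and port 88 are the post's.

```python
"""Time-bound, escalating block with a human-in-the-loop option.

Constructed illustration, not Darktrace's Antigena code, of the response the
post describes: connections outside the server's normal services are blocked
per peer and port for two hours, the block widens and lengthens if the peer
keeps trying, and an operator can confirm or lift it at any time. The firewall
API, the office-hours policy and the escalation rule are all assumptions.
"""
from datetime import datetime, timedelta, time

BLOCK_DURATION = timedelta(hours=2)
ESCALATE_AFTER = 3                          # blocked attempts before the block is widened
OFFICE_HOURS = (time(9, 0), time(17, 0))    # assumed window for human confirmation

class Firewall:
    """Stand-in for a firewall API: deny rules keyed by (peer, port or None for all ports)."""
    def __init__(self):
        self.rules = {}                     # (peer, port) -> expiry time
    def deny(self, peer, port, until):
        self.rules[(peer, port)] = until
    def lift(self, peer, port=None):
        self.rules.pop((peer, port), None)
    def blocks(self, peer, port, now):
        """True if an unexpired rule covers this peer and port."""
        return any(p == peer and pt in (None, port) and now < until
                   for (p, pt), until in self.rules.items())

class Responder:
    def __init__(self, firewall, normal_services, autonomous=True):
        self.fw = firewall
        self.normal = set(normal_services)  # (port, proto) pairs the server normally uses
        self.autonomous = autonomous
        self.pending = []                   # proposed blocks awaiting an operator
        self.hits = {}                      # (peer, port) -> blocked attempts so far

    def needs_confirmation(self, now):
        """In this assumed policy, human confirmation applies during office hours only."""
        return not self.autonomous and OFFICE_HOURS[0] <= now.time() < OFFICE_HOURS[1]

    def enforce(self, peer, port, proto, now):
        """Pattern-of-life enforcement: normal services pass, everything else is blocked."""
        if self.fw.blocks(peer, port, now):
            return self.record_hit(peer, port, now)
        if (port, proto) in self.normal:
            return "allowed"
        if self.needs_confirmation(now):
            self.pending.append((peer, port))
            return "pending"
        self.fw.deny(peer, port, now + BLOCK_DURATION)
        return "blocked"

    def confirm(self, peer, port, now):
        """Operator approves a pending block."""
        self.pending.remove((peer, port))
        self.fw.deny(peer, port, now + BLOCK_DURATION)
        return "blocked"

    def record_hit(self, peer, port, now):
        """The peer keeps trying: after ESCALATE_AFTER hits, double the duration and widen to all ports."""
        key = (peer, port)
        self.hits[key] = self.hits.get(key, 0) + 1
        if self.hits[key] >= ESCALATE_AFTER:
            self.fw.deny(peer, None, now + 2 * BLOCK_DURATION)
            return "blocked+escalated"
        return "blocked"

def scenario():
    """Replay the post's scenario with assumed timestamps and return every action taken."""
    fw = Firewall()
    r = Responder(fw, normal_services={(443, "https"), (80, "http")})
    t0 = datetime(2021, 12, 12, 14, 0, 0)
    peer = "164.52.212.196"                 # the post's C2 / malware delivery IP
    out = {"normal": r.enforce("198.51.100.7", 443, "https", t0)}   # benign peer, assumed
    out["first"] = r.enforce(peer, 88, "http", t0)
    out["retries"] = [r.enforce(peer, 88, "http", t0 + timedelta(minutes=m)) for m in (1, 2, 3)]
    out["widened"] = fw.blocks(peer, 443, t0 + timedelta(minutes=5))
    fw.lift(peer)                           # operator lifts the widened rule; the 2-hour one stays
    out["lifted"] = fw.blocks(peer, 443, t0 + timedelta(minutes=6))
    out["expired"] = fw.blocks(peer, 88, t0 + timedelta(hours=5))
    # Human-confirmation mode: the same event is only proposed during office hours.
    hc = Responder(Firewall(), {(443, "https")}, autonomous=False)
    out["office_hours"] = hc.enforce(peer, 88, "http", datetime(2021, 12, 13, 10, 0))
    out["after_hours"] = hc.enforce(peer, 88, "http", datetime(2021, 12, 13, 20, 0))
    return out

if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key:13} {value}")
```

The responder checks the firewall before the normal-services allowlist, so a widened block is authoritative while it lasts, and every block carries its own expiry rather than relying on a separate cleanup job; `scenario()` shows the two-hour block, the escalation on the third retry, the operator lift, and the office-hours "pending" state side by side.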
Conclusion
This blog illustrates further aspects of cyber-attacks leveraging the Log4Shell vulnerability. It also demonstrates how Darktrace detects and responds to zero-day attacks if Darktrace has visibility of the attacked entities.
While Log4Shell is dominating the IT and security news, similar vulnerabilities have surfaced in the past and will appear in the future. We’ve spoken about our approach to detecting and responding to similar vulnerabilities and surrounding cyber-attacks before, for instance:
- the recent Gitlab vulnerability;
- the ProxyShell Exchange Server vulnerabilities when they were still a zero-day;
- and the Citrix Netscaler vulnerability.
As always, companies should aim for a defense-in-depth strategy combining preventative security controls with detection and response mechanisms, as well as strong patch management.
Thanks to Brianna Leddy (Darktrace’s Director of Analysis) for her insights on the above threat find.
Royal Pains: How Darktrace Refused to Bend the Knee to the MyKings Botnet
Botnets: A persistent cyber threat
Since their appearance in the wild over three decades ago, botnets have consistently been the attack vector of choice for many threat actors. The most prevalent of these attack vectors are distributed denial of service (DDoS) and phishing campaigns. Their persistent nature means that even if a compromised device is identified, attackers can continue to operate by using the additional compromised devices they will likely have on the target network. Similarly, command and control (C2) infrastructure can easily be restructured between infected systems, making it increasingly difficult to remove the infection.
MyKings Botnet
One of the most prevalent and sophisticated examples in recent years is the MyKings botnet, also known as Smominru or DarkCloud. Darktrace has observed numerous cases of MyKings botnet compromises across multiple customer environments in several different industries as far back as August 2022. The diverse tactics, techniques, and procedures (TTPs) and sophisticated kill chains employed by MyKings botnet may prove a challenge to traditional rule and signature-based detections.
However, Darktrace’s anomaly-centric approach enabled it to successfully detect a wide range of indicators of compromise (IoCs) related to the MyKings botnet and bring immediate awareness to customer security teams, as it demonstrated on the networks of multiple customers between March and August 2023.
Background on MyKings Botnet
MyKings has been active and spreading steadily since 2016 resulting in over 520,000 infections worldwide.[1] Although verified attribution of the botnet remains elusive, the variety of targets and prevalence of crypto-mining software on affected devices suggests the threat group behind the malware is financially motivated. The operators behind MyKings appear to be highly opportunistic, with attacks lacking an obvious specific target industry. Across Darktrace’s customer base, the organizations affected were representative of multiple industries such as entertainment, mining, education, information technology, health, and transportation.
Given its longevity, the MyKings botnet has unsurprisingly evolved since its first appearance years ago. Initial analyses of the botnet showed that the primary crypto-related activity on infected devices was the installation of Monero-mining software. However, in 2019 researchers discovered a new module within the MyKings malware that enabled clipboard-jacking, whereby the malware replaces a user's copied cryptowallet address with the operator's own wallet address in order to siphon funds.[2]
Similar to other botnets such as the Outlaw crypto-miner, the MyKings botnet can also kill running processes of unrelated malware on the compromised hosts that may have resulted from prior infection.[3] MyKings has also developed a comprehensive set of persistence techniques, including: the deployment of bootkits, initiating the botnet immediately after a system reboot, configuring Registry run keys, and generating multiple Scheduled Tasks and WMI listeners.[4] MyKings has also been observed rotating tools and payloads over time to propagate the botnet. For example, some operators have been observed utilizing PCShare, an open-source remote access trojan (RAT) customized to conduct C2 services, execute commands, and download mining software.[5]
Darktrace Coverage
Across observed customer networks between March and August 2023, Darktrace identified the MyKings botnet primarily targeting Windows-based servers that support services like MySQL, MS-SQL, Telnet, SSH, IPC, WMI, and Remote Desktop (RDP). In the initial phase of the attack, the botnet would initiate a variety of attacks against a target, including brute-forcing and exploitation of unpatched vulnerabilities on exposed servers. The botnet delivers a variety of payloads to the compromised systems, including worm downloaders, trojans, executable files and scripts.
This pattern of activity was detected across the network of one particular Darktrace customer in the education sector in early March 2023. Unfortunately, this customer did not have Darktrace RESPOND™ deployed on their network at the time of the attack, meaning the MyKings botnet was able to move through the cyber kill chain ultimately achieving its goal, which in this case was mining cryptocurrency.
Initial Access
On March 6, Darktrace observed an internet-facing SQL server receiving an unusually large number of incoming MySQL connections from the rare external endpoint 171.91.76[.]31 via port 1433. While it is not possible to confirm whether these suspicious connections represented the exact starting point of the infection, such a sudden influx of SQL connections from a rare external endpoint could be indicative of a malicious attempt to exploit vulnerabilities in the server's SQL database or to perform password brute-forcing to gain unauthorized access. Given that MyKings typically spreads primarily through such targeting of internet-exposed devices, the pattern of activity is consistent with potential initial access by MyKings.[6]
Initial Command and Control
The device then proceeded to initiate a series of repeated HTTP connections between March 6 and March 10 to the domain www[.]back0314[.]ru (107.148.239[.]111). These connections included HTTP GET requests featuring URIs such as ‘/back.txt’, suggesting potential beaconing and C2 communication. The device continued this connectivity to the external host over the course of four days, primarily utilizing destination ports 80 and 6666. While port 80 is commonly utilized for HTTP connections, port 6666 is a non-standard port for the protocol. Such connectivity over non-standard ports can indicate potential detection evasion and obfuscation tactics by the threat actors. During this time, the device also initiated repeated connections to additional malicious external endpoints with seemingly algorithmically generated hostnames such as pc.pc0416[.]xyz.

Tool Transfer
While this beaconing activity was taking place, the affected device also began to receive potential payloads from unusual external endpoints. On April 29, the device made an HTTP GET request for “/power.txt” to the endpoint 192.236.160[.]237, which was later discovered to have multiple open-source intelligence (OSINT) links to malware. Power.txt is a shellcode written in PowerShell which is downloaded and executed with the purpose of disabling Windows Defender-related functions.[7] After the initial script was downloaded (and likely executed), Darktrace went on to detect the device making a series of additional GET requests for several varying compressed and executable files. For example, the device made HTTP requests for ‘/pld/cmd.txt’ to the external endpoint 104.233.224[.]173. In response, the external server provided numerous files, including ‘u.exe’ and ‘upsup4.exe’, for download, both of which share file names with previously identified MyKings payloads.
MyKings deploys a diverse array of payloads to expand the botnet and secure a firm position within a compromised system. This multi-faceted approach may render conventional security measures less effective due to the intricacies of and variety of payloads involved in compromises. Darktrace, however, does not rely on static or outdated lists of IoCs in order to detect malicious activity. Instead, DETECT’s Self-Learning AI allows it to identify emerging compromise activity by recognizing the subtle deviations in an affected device’s behavior that could indicate it has fallen into the hands of malicious actors.
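As an added example (not Darktrace's detection logic), the Python below runs the four signals from the two sections above over a constructed set of HTTP connection records: near-regular intervals to one destination (beaconing), HTTP on a port where it is not expected, a hostname whose registered label looks generated, and a script or executable fetched from a bare IP with no hostname. The hostnames, IPs, ports and URIs are the post's; the timestamps, the benign CDN record, the address behind pc.pc0416[.]xyz (a TEST-NET placeholder) and the scoring heuristics are assumptions.

```python
"""Beaconing, non-standard-port, DGA-style hostname and payload-fetch checks over HTTP records.

Constructed illustration, not Darktrace code, of the signals described in the
post's 'Initial Command and Control' and 'Tool Transfer' sections. Hostnames,
IPs, ports and URIs come from the post; timestamps, the benign CDN record and
the IP behind pc.pc0416.xyz (a TEST-NET placeholder) are assumptions.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed records: time|hostname ('-' = bare IP request)|dst_ip|port|uri
RECORDS = """\
2023-03-06 12:00:00|www.back0314.ru|107.148.239.111|6666|/back.txt
2023-03-06 12:10:00|www.example-cdn.com|203.0.113.5|443|/lib/app.js
2023-03-06 12:30:05|www.back0314.ru|107.148.239.111|6666|/back.txt
2023-03-06 13:00:02|www.back0314.ru|107.148.239.111|6666|/back.txt
2023-03-06 13:30:07|www.back0314.ru|107.148.239.111|6666|/back.txt
2023-03-06 14:00:01|www.back0314.ru|107.148.239.111|80|/back.txt
2023-03-06 14:30:04|www.back0314.ru|107.148.239.111|6666|/back.txt
2023-03-07 09:15:00|pc.pc0416.xyz|198.51.100.20|80|/
2023-04-29 08:02:11|-|192.236.160.237|80|/power.txt
2023-04-29 08:05:40|-|104.233.224.173|80|/pld/cmd.txt""".splitlines()

WEB_PORTS = {80, 443, 8080, 8443}       # ports where HTTP(S) is expected
RARE_TLDS = {"xyz", "top", "club"}      # assumed: TLDs that raise the DGA score
PAYLOAD_EXT = (".txt", ".exe", ".rar")  # file types the post lists as payloads

def parse(line):
    ts, host, ip, port, uri = line.split("|")
    return (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            None if host == "-" else host, ip, int(port), uri)

def beacons(records, min_conns=4, max_cv=0.1):
    """Per destination IP: flag near-regular connection intervals (low coefficient of variation)."""
    by_ip = defaultdict(list)
    for ts, _, ip, _, _ in records:
        by_ip[ip].append(ts)
    out = {}
    for ip, times in by_ip.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        cv = statistics.stdev(gaps) / mean
        if cv <= max_cv:
            out[ip] = {"mean_interval_s": mean, "cv": cv, "connections": len(times)}
    return out

def nonstandard_ports(records):
    """(ip, port) pairs where HTTP was spoken on a port outside WEB_PORTS."""
    return sorted({(ip, port) for _, _, ip, port, _ in records if port not in WEB_PORTS})

def dga_score(host):
    """Digit share of the registered label plus a bonus for a rarely legitimate TLD (assumed heuristic)."""
    labels = host.split(".")
    if len(labels) < 2:
        return 0.0
    sld, tld = labels[-2], labels[-1]
    digit_ratio = sum(ch.isdigit() for ch in sld) / len(sld)
    return digit_ratio + (0.3 if tld in RARE_TLDS else 0.0)

def dga_hosts(records, threshold=0.6):
    return sorted({host for _, host, _, _, _ in records if host and dga_score(host) >= threshold})

def payload_fetches(records):
    """Script or executable requested from a bare IP (no hostname): the post's tool-transfer pattern."""
    return [(ip, uri) for _, host, ip, _, uri in records
            if host is None and uri.lower().endswith(PAYLOAD_EXT)]

def analyse(lines=RECORDS):
    recs = [parse(l) for l in lines]
    return {"beacons": beacons(recs), "nonstandard_ports": nonstandard_ports(recs),
            "dga_hosts": dga_hosts(recs), "payload_fetches": payload_fetches(recs)}

if __name__ == "__main__":
    for key, value in analyse().items():
        print(key, value)
```

Beaconing is keyed on the destination IP rather than the port, so the one request that switched from 6666 to 80 still belongs to the same 30-minute cadence. The DGA score is deliberately crude (digit share of the second-level label plus a TLD bonus): it separates pc.pc0416[.]xyz from www.back0314[.]ru at the 0.6 threshold used here, but a production detector would use entropy or a trained model over far more traffic than ten records.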

Achieving Objectives – Crypto-Mining
Several weeks after the initial payloads were delivered and beaconing commenced, Darktrace finally detected the initiation of crypto-mining operations. On May 27, the originally compromised server connected to the rare domain other.xmrpool[.]ru over port 1081. As seen in the domain name, this endpoint appears to be affiliated with pool mining activity and the domain has various OSINT affiliations with the cryptocurrency Monero coin. During this connection, the host was observed passing Monero credentials, activity which parallels similar mining operations observed on other customer networks that had been compromised by the MyKings botnet.
Although mining activity may not pose an immediate or urgent concern for security, unauthorized cryptomining on devices can result in detrimental consequences, such as compromised hardware integrity, elevated energy costs, reduced productivity, and even potential involvement in money laundering.

Conclusion
Detecting future iterations of the MyKings botnet will likely demand a shift away from an overreliance on traditional rules and signatures and lists of “known bads”, instead requiring organizations to employ AI-driven technology that can identify suspicious activity that represents a deviation from previously established patterns of life.
Despite the diverse range of payloads, malicious endpoints, and intricate activities that constitute a typical MyKings botnet compromise, Darktrace was able to successfully detect multiple critical phases within the MyKings kill chain. Given the evolving nature of the MyKings botnet, it is highly probable the botnet will continue to expand and adapt, leveraging new tactics and technologies. By adopting Darktrace’s suite of products, including Darktrace DETECT, organizations are well-positioned to identify these evolving threats as soon as they emerge and, when coupled with the autonomous response technology of Darktrace RESPOND, threats like the MyKings botnet can be stopped in their tracks before they can achieve their ultimate goals.
Credit to: Oluwatosin Aturaka, Analyst Team Lead, Cambridge, Adam Potter, Cyber Analyst
Appendix
IoC Table
| IoC | Type | Description + Confidence |
| --- | --- | --- |
| 162.216.150[.]108 | IP | C2 Infrastructure |
| 103.145.106[.]242 | IP | C2 Infrastructure |
| 137.175.56[.]104 | IP | C2 Infrastructure |
| 138.197.152[.]201 | IP | C2 Infrastructure |
| 139.59.74[.]135 | IP | C2 Infrastructure |
| pc.pc0416[.]xyz | Domain | C2 Infrastructure (DGA) |
| other.xmrpool[.]ru | Domain | Cryptomining Endpoint |
| xmrpool[.]ru | Domain | Cryptomining Endpoint |
| 103.145.106[.]55 | IP | Cryptomining Endpoint |
| ntuser[.]rar | Zipped File | Payload |
| /xmr1025[.]rar | Zipped File | Payload |
| /20201117[.]rar | Zipped File | Payload |
| wmi[.]txt | File | Payload |
| u[.]exe | Executable File | Payload |
| back[.]txt | File | Payload |
| upsupx2[.]exe | Executable File | Payload |
| cmd[.]txt | File | Payload |
| power[.]txt | File | Payload |
| ups[.]html | File | Payload |
| xmr1025.rar | Zipped File | Payload |
| 171.91.76[.]31 | IP | Possible Initial Compromise Endpoint |
| www[.]back0314[.]ru | Domain | Probable C2 Infrastructure |
| 107.148.239[.]111 | IP | Probable C2 Infrastructure |
| 194.67.71[.]99 | IP | Probable C2 Infrastructure |
Darktrace DETECT Model Breaches
- Device / Initial Breach Chain Compromise
- Anomalous File / Masqueraded File Transfer (x37)
- Compromise / Large DNS Volume for Suspicious Domain
- Compromise / Fast Beaconing to DGA
- Device / Large Number of Model Breaches
- Anomalous File / Multiple EXE from Rare External Locations (x30)
- Compromise / Beacon for 4 Days (x2)
- Anomalous Server Activity / New User Agent from Internet Facing System
- Anomalous Connection / New User Agent to IP Without Hostname
- Anomalous Server Activity / New Internet Facing System
- Anomalous File / EXE from Rare External Location (x37)
- Device / Large Number of Connections to New Endpoints
- Anomalous Server Activity / Server Activity on New Non-Standard Port (x3)
- Device / Threat Indicator (x3)
- Unusual Activity / Unusual External Activity
- Compromise / Crypto Currency Mining Activity (x37)
- Compliance / Internet Facing SQL Server
- Device / Anomalous Scripts Download Followed By Additional Packages
- Device / New User Agent
MITRE ATT&CK Mapping
| ATT&CK Tactic | Technique ID | Technique |
| --- | --- | --- |
| Reconnaissance | T1595.002 | Vulnerability Scanning |
| Resource Development | T1608 | Stage Capabilities |
| Resource Development | T1588.001 | Malware |
| Initial Access | T1190 | Exploit Public-Facing Application |
| Command and Control | T1568.002 | Domain Generation Algorithms |
| Command and Control | T1571 | Non-Standard Port |
| Execution | T1047 | Windows Management Instrumentation |
| Execution | T1059.001 | Command and Scripting Interpreter |
| Persistence | T1542.003 | Pre-OS Boot |
| Impact | T1496 | Resource Hijacking |
References
[1] https://www.binarydefense.com/resources/threat-watch/mykings-botnet-is-growing-and-remains-under-the-radar/
[2] https://therecord.media/a-malware-botnet-has-made-more-than-24-7-million-since-2019
[3] https://www.darktrace.com/blog/outlaw-returns-uncovering-returning-features-and-new-tactics
[4] https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophoslabs-uncut-mykings-report.pdf
[5] https://www.antiy.com/response/20190822.html
[6] https://ethicaldebuggers.com/mykings-botnet/
[7] https://ethicaldebuggers.com/mykings-botnet/
The Implications of NIS2 on Cyber Security and AI
The NIS2 Directive requires member states to adopt laws that will improve the cyber resilience of organizations within the EU. It impacts organizations that are “operators of essential services”. Under NIS1, EU member states could choose what this meant. In an effort to ensure more consistent application, NIS2 has set out its own definition. It eliminates the distinction between operators of essential services and digital service providers from NIS1, instead defining a new list of sectors:
- Energy (electricity, district heating and cooling, gas, oil, hydrogen)
- Transport (air, rail, water, road)
- Banking (credit institutions)
- Financial market infrastructures
- Health (healthcare providers and pharma companies)
- Drinking water (suppliers and distributors)
- Digital infrastructure (DNS, TLD registries, telcos, data center providers, etc.)
- ICT service providers (B2B): MSSPs and managed service providers
- Public administration (central and regional government institutions, as defined per member state)
- Space
- Postal and courier services
- Waste management
- Chemicals
- Food
- Manufacturing of medical devices
- Computers and electronics
- Machinery and equipment
- Motor vehicles, trailers and semi-trailers and other transport equipment
- Digital providers (online market places, online search engines, and social networking service platforms) and research organizations.
With these updates, it becomes harder to find industry segments not included within the scope. NIS2 represents legally binding cyber security requirements for a significant region and economy. Standout features that have garnered the most attention include the tight timelines associated with notification requirements. Under NIS2, in-scope entities must submit an initial report or “early warning” to the competent national authority or computer security incident response team (CSIRT) within 24 hours from when the entity became aware of a significant incident. This is a new development from the first iteration of the Directive, which used the vaguer language of a need to notify authorities “without undue delay”.
Another aspect gaining attention is oversight and regulation – regulators are going to be empowered with significant investigation and supervision powers including on-site inspections.
The stakes are now higher, with the prospect of fines that are capped at €10 million or 2% of an offending organization’s annual worldwide turnover – whichever is greater. Added to that, the NIS2 Directive includes an explicit obligation to hold members of management bodies personally responsible for breaches of their duties to ensure compliance with NIS2 obligations – and members can be held personally liable.
The risk management measures introduced in the Directive are not altogether surprising – they reflect common best practices. Many organizations (especially those that are newly in scope for NIS2) may have to expand their cyber security capabilities, but there’s nothing controversial or alarming in the required measures. For organizations in this situation, there are various tools, best practices, and frameworks they can leverage. Darktrace in particular provides capabilities in the areas of visibility, incident handling, and reporting that can help.
NIS2 and Cyber AI
The use of AI is not an outright requirement within NIS2 – which may be down to lack of knowledge and expertise in the area, and/or the immaturity of the sector. The clue to this might be in the timing: the provisional agreement on the NIS2 text was reached in May 2022 – six months before ChatGPT and other open-source Generative AI tools propelled broader AI technology into the forefront of public consciousness. If the language were drafted today, it's not far-fetched to imagine AI being mentioned much more prominently and perhaps even becoming a requirement.
NIS2 does, however, very clearly recommend that “member states should encourage the use of any innovative technology, including artificial intelligence”[1]. Another section speaks directly to essential and important entities, saying that they should “evaluate their own cyber security capabilities, and where appropriate, pursue the integration of cyber security enhancing technologies, such as artificial intelligence or machine learning systems…”[2]
One of the recitals states that “member states should adopt policies on the promotion of active cyber protection”. Where active cyber protection is defined as “the prevention, detection, monitoring, analysis and mitigation of network security breaches in an active manner.”[3]
From a Darktrace perspective, our self-learning Cyber AI technology is precisely what enables our technology to deliver active cyber protection – protecting organizations and uplifting security teams at every stage of an incident lifecycle – from proactively hardening defenses before an attack is launched, to real-time threat detection and response, through to recovering quickly back to a state of good health.
The visibility provided by Darktrace is vital to understanding the effectiveness of policies and ensuring policy compliance. NIS2 also covers incident handling and business continuity, which Darktrace HEAL addresses through AI-enabled incident response, readiness reports, simulations, and secure collaborations.
Reporting is integral to NIS2 and organizations can leverage Darktrace’s incident reporting features to present the necessary technical details of an incident and provide a jump start to compiling a full report with business context and impact.
What’s Next for NIS2
We don’t yet know the details of how EU member states will transpose NIS2 into national law – they have until 17th October 2024 to work this out. The Commission also commits to reviewing the functioning of the Directive every three years. Given how much our overall understanding and appreciation of not only the dangers of AI but also its power (perhaps even its necessity in the realm of cyber security) is changing, we may see many member states leverage the recitals’ references to AI to make a strong push, if not a requirement, that essential and important organizations within their jurisdiction leverage AI.
Organizations are starting to prepare now to meet the forthcoming legislation related to NIS2. To see how Darktrace can help, talk to your representative or contact us.
[1] (51) on page 11
[2] (89) on page 17
[3] (57) on page 12
