Blog
/

Threat Finds

RESPOND

/
September 19, 2021

Defending Tokyo Olympics: AI Neutralizes IoT Attack

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
19
Sep 2021
Learn how Darktrace autonomously thwarted a cyber-attack on a national sporting body before the Tokyo Olympics in this detailed breakdown.

One of the greatest issues in security is how to deal with high-stress scenarios when there is a significant breach, and there is too much to do in too little time. The nightmare scenario for any CISO is when this happens during a critical moment for the organization: an important acquisition, a crucial news announcement, or in this case, a global sporting event attracting an audience of millions.

Threat actors often exploit the pressure of these events to cause disruption or extract hefty sums. Sporting occasions, especially Formula 1 races, the Super Bowl, and the Olympics, attract a great deal of criminal interest.

The games begin

There have been several recorded attacks and data breaches at the Olympics this year, including an incident when a volleyball commentator asked his colleague for his computer password – not realizing he was still on air.

In a more nefarious case discovered by Darktrace, a Raspberry Pi device was covertly implanted into a national sporting body directly involved in the Olympics, in an attempt to exfiltrate sensitive data. The events took place one week before the start of the Games, and a data breach at this time would have had significant ramifications for the reputation of the organization, the confidentiality of their plans, and potentially the safety of their athletes.

Darktrace AI recognized this activity as malicious given its evolving understanding of ‘self’ for the organization, and Antigena – Darktrace’s autonomous response capability – took action at machine speed to interrupt the threat, affording the human security team the critical time they needed to catch up and neutralize the attack.

In what follows, we break down the attack.

Figure 1: The overall dwell time was three days.

Breaking down the attack

July 15, 14:09 — Initial intrusion

An unauthorized Raspberry Pi device connected to the organization’s digital environment – disguised and named in a way which mimicked the corporate naming convention. As a small IoT device, Raspberry Pis can be easily hidden and are difficult to locate physically in large environments. They have been used in various high-profile hacks in the past including the 2018 NASA breach.

IoT devices – from printers to fish tanks – pose a serious risk to security, as they can be exploited to gather information, move laterally, and escalate privileges.

July 15, 15:25 — External VPN activity

Anomalous UDP connections were made to an external endpoint over port 1194 (Open VPN activity). URIs showed that the device downloaded data potentially associated with Open VPN configuration files. This could represent an attempt to establish a secure channel for malicious activity such as data exfiltration.

By establishing an outgoing VPN, the attacker obfuscated their activity and bypassed the organization’s signature-based security, which could not detect the encrypted traffic. Antigena immediately blocked the suspicious connectivity, regardless of the encryption, identifying that the activity was a deviation from the ‘pattern of life’ for new devices.

July 15, 16:04 — Possible C2 activity

The Raspberry Pi soon began making repeated HTTP connections to a new external endpoint and downloaded octet streams — arbitrary binary data. It seems the activity was initiated by a standalone software process as opposed to a web browser.

Darktrace revealed that the device was performing an unusual external data transfer to the same endpoint, uploading 7.5 MB which likely contained call home data about the new location and name of the device.

July 15, 16:41 — Internal reconnaissance

The device engaged in TCP scanning across three unique internal IP addresses over a wide range of ports. Although the network scan only targeted three internal servers, the activity was identified by Darktrace as a suspicious increase in internal connections and failed internal connections.

Antigena instantly stopped the Raspberry Pi from making internal connections over the ports involved in the scanning activity, as well as enforcing the device’s ‘pattern of life’.

Figure 2: Device event log showing the components which enable Darktrace to detect network scanning.

July 15, 18:14 — Multiple internal reconnaissance tactics

The Raspberry Pi then scanned a large number of devices on SMB port 445 and engaged in suspicious use of the outdated SMB version 1 protocol, suggesting more in-depth reconnaissance to find exploitable vulnerabilities.

Reacting to the scanning activity alongside the insecure protocol SMBv1, Antigena blocked connections from the source device to the destination IPs for one hour.

Four minutes later, the device engaged in connections to the open-source vulnerability scanner, Nmap. Nmap can be used legitimately for vulnerability scanning and so often is not alerted to by traditional security tools. However, Darktrace’s AI detected that the use of the tool was highly anomalous, and so blocked all outgoing traffic for ten minutes.

July 15, 22:03 — Final reconnaissance

Three hours later, the Raspberry Pi initiated another network scan across six unique external IPs – this was in preparation for the final data exfiltration. Antigena responded with instant, specific blocks to the external IPs which the device was attempting to connect to – before any data could be exfiltrated.

After 30 minutes, Darktrace detected bruteforcing activity from the Raspberry Pi using the SMB and NTLM authentication protocols. The device made a large number of failed login attempts to a single internal device using over 100 unique user accounts. Antigena blocked the activity, successfully stopping another wave of attempted SMB lateral movement.

By this stage, Antigena had bought the security team enough time to respond. The team applied an Antigena quarantine rule (the most severe action Antigena can take) to the Raspberry Pi, until they were able to find the physical location of the device and unplug it from the network.

How AI Analyst stitched together the incident

Cyber AI Analyst autonomously reported on three key moments of the attack:

  • Unusual External Data Transfer
  • Possible HTTP Command and Control
  • TCP Scanning of Multiple Devices (the attempted data exfiltration)

It tied together activities over the span of multiple days, which could have been easily missed by human analysis. The AI provided crucial pieces of information, including the extent of the scanning activity. Such insights are time-consuming to calculate manually.

Figure 3: A screenshot from Cyber AI Analyst summarizing potential C2 activity.

Autonomous Response

Antigena took targeted action throughout to neutralize the suspicious behavior, while allowing normal business operations to continue unhindered.

Rather than widespread blocking, Antigena implemented a range of nuanced responses depending on the situation, always taking the smallest action necessary to deal with the threat.

Figure 4: Darktrace’s UI reveals the attempted network reconnaissance, and Antigena actions a targeted response. All IP addresses have been randomized.

Raspberry Pi: IoT threats

In an event involving 206 countries and 11,000 athletes, facing attacks from hacktivists, criminal groups, and nation states, with many broadcasters working remotely and millions watching from home, organizations involved in the Olympics needed a security solution which could rise to the occasion.

Even with the largest affairs, threats can come from the smallest places. The ability to detect unauthorized IoT devices and maintain visibility over all activity in your digital estate is essential.

Autonomous Response protects against the unexpected, stopping malicious activity at machine speed without any user input. This is necessary for rapid response and remediation, especially for resource-stretched internal security teams. When it comes to defending systems and outpacing attackers, AI always wins the race.

Thanks to Darktrace analysts Emma Foulger and Greg Chapman for their insights on the above threat find.

Learn how two rogue Raspberry Pi devices infected a healthcare provider

Darktrace model detections:

  • Compromise / Ransomware / Suspicious SMB Activity
  • Tags / New Raspberry Pi Device
  • Device / Network Scan
  • Unusual Activity / Unusual Raspberry Pi Activity
  • Antigena / Network / Insider Threat / Antigena Network Scan Block
  • Device / Suspicious Network Scan Activity
  • Antigena / Network / Significant Anomaly / Antigena Significant Anomaly from Client Block
  • Antigena / Network / Significant Anomaly / Antigena Controlled and Model Breach
  • Device / Suspicious SMB Scanning Activity
  • Antigena / Network / Significant Anomaly / Antigena Breaches Over Time Block
  • Device / Attack and Recon Tools
  • Device / New Device with Attack Tools
  • Device / Anomalous Nmap Activity
  • Device / External Network Scan
  • Device / SMB Session Bruteforce
  • Antigena / Network / Manual / Block All Outgoing Connections
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Author
Oakley Cox
Director of Product

Oakley is a Product Manager within the Darktrace R&D team. He collaborates with global customers, including all critical infrastructure sectors and Government agencies, to ensure Darktrace/OT remains the first in class solution for OT Cyber Security. He draws on 7 years’ experience as a Cyber Security Consultant to organizations across EMEA, APAC and ANZ. His research into cyber-physical security has been published by Cyber Security journals and by CISA. Oakley has a Doctorate (PhD) from the University of Oxford.

Book a 1-1 meeting with one of our experts
Share this article

More in this series

No items found.

Blog

/

January 29, 2025

/

Inside the SOC

Bytesize Security: Insider Threats in Google Workspace

Default blog imageDefault blog image

What is an insider threat?

An insider threat is a cyber risk originating from within an organization. These threats can involve actions such as an employee inadvertently clicking on a malicious link (e.g., a phishing email) or an employee with malicious intent conducting data exfiltration for corporate sabotage.

Insiders often exploit their knowledge and access to legitimate corporate tools, presenting a continuous risk to organizations. Defenders must protect their digital estate against threats from both within and outside the organization.

For example, in the summer of 2024, Darktrace / IDENTITY successfully detected a user in a customer environment attempting to steal sensitive data from a trusted Google Workspace service. Despite the use of a legitimate and compliant corporate tool, Darktrace identified anomalies in the user’s behavior that indicated malicious intent.

Attack overview: Insider threat

In June 2024, Darktrace detected unusual activity involving the Software-as-a-Service (SaaS) account of a former employee from a customer organization. This individual, who had recently left the company, was observed downloading a significant amount of data in the form of a “.INDD” file (an Adobe InDesign document typically used to create page layouts [1]) from Google Drive.

While the use of Google Drive and other Google Workspace platforms was not unexpected for this employee, Darktrace identified that the user had logged in from an unfamiliar and suspicious IPv6 address before initiating the download. This anomaly triggered a model alert in Darktrace / IDENTITY, flagging the activity as potentially malicious.

A Model Alert in Darktrace / IDENTITY showing the unusual “.INDD” file being downloaded from Google Workspace.
Figure 1: A Model Alert in Darktrace / IDENTITY showing the unusual “.INDD” file being downloaded from Google Workspace.

Following this detection, the customer reached out to Darktrace’s Security Operations Center (SOC) team via the Security Operations Support service for assistance in triaging and investigating the incident further. Darktrace’s SOC team conducted an in-depth investigation, enabling the customer to identify the exact moment of the file download, as well as the contents of the stolen documents. The customer later confirmed that the downloaded files contained sensitive corporate data, including customer details and payment information, likely intended for reuse or sharing with a new employer.

In this particular instance, Darktrace’s Autonomous Response capability was not active, allowing the malicious insider to successfully exfiltrate the files. If Autonomous Response had been enabled, Darktrace would have immediately acted upon detecting the login from an unusual (in this case 100% rare) location by logging out and disabling the SaaS user. This would have provided the customer with the necessary time to review the activity and verify whether the user was authorized to access their SaaS environments.

Conclusion

Insider threats pose a significant challenge for traditional security tools as they involve internal users who are expected to access SaaS platforms. These insiders have preexisting knowledge of the environment, sensitive data, and how to make their activities appear normal, as seen in this case with the use of Google Workspace. This familiarity allows them to avoid having to use more easily detectable intrusion methods like phishing campaigns.

Darktrace’s anomaly detection capabilities, which focus on identifying unusual activity rather than relying on specific rules and signatures, enable it to effectively detect deviations from a user’s expected behavior. For instance, an unusual login from a new location, as in this example, can be flagged even if the subsequent malicious activity appears innocuous due to the use of a trusted application like Google Drive.

Credit to Vivek Rajan (Cyber Analyst) and Ryan Traill (Analyst Content Lead)

Appendices

Darktrace Model Detections

SaaS / Resource::Unusual Download Of Externally Shared Google Workspace File

References

[1]https://www.adobe.com/creativecloud/file-types/image/vector/indd-file.html

MITRE ATT&CK Mapping

Technqiue – Tactic – ID

Data from Cloud Storage Object – COLLECTION -T1530

Continue reading
About the author
Vivek Rajan
Cyber Analyst

Blog

/

January 28, 2025

/
No items found.

Reimagining Your SOC: How to Achieve Proactive Network Security

Default blog imageDefault blog image

Introduction: Challenges and solutions to SOC efficiency

For Security Operation Centers (SOCs), reliance on signature or rule-based tools – solutions that are always chasing the latest update to prevent only what is already known – creates an excess of false positives. SOC analysts are therefore overwhelmed by a high volume of context-lacking alerts, with human analysts able to address only about 10% due to time and resource constraints. This forces many teams to accept the risks of addressing only a fraction of the alerts while novel threats go completely missed.

74% of practitioners are already grappling with the impact of an AI-powered threat landscape, which amplifies challenges like tool sprawl, alert fatigue, and burnout. Thus, achieving a resilient network, where SOC teams can spend most of their time getting proactive and stopping threats before they occur, feels like an unrealistic goal as attacks are growing more frequent.

Despite advancements in security technology (advanced detection systems with AI, XDR tools, SIEM aggregators, etc...), practitioners are still facing the same issues of inefficiency in their SOC, stopping them from becoming proactive. How can they select security solutions that help them achieve a proactive state without dedicating more human hours and resources to managing and triaging alerts, tuning rules, investigating false positives, and creating reports?

To overcome these obstacles, organizations must leverage security technology that is able to augment and support their teams. This can happen in the following ways:

  1. Full visibility across the modern network expanding into hybrid environments
  2. Have tools that identifies and stops novel threats autonomously, without causing downtime
  3. Apply AI-led analysis to reduce time spent on manual triage and investigation

Your current solutions might be holding you back

Traditional cybersecurity point solutions are reliant on using global threat intelligence to pattern match, determine signatures, and consequently are chasing the latest update to prevent only what is known. This means that unknown threats will evade detection until a patient zero is identified. This legacy approach to threat detection means that at least one organization needs to be ‘patient zero’, or the first victim of a novel attack before it is formally identified.

Even the point solutions that claim to use AI to enhance threat detection rely on a combination of supervised machine learning, deep learning, and transformers to

train and inform their systems. This entails shipping your company’s data out to a large data lake housed somewhere in the cloud where it gets blended with attack data from thousands of other organizations. The resulting homogenized dataset gets used to train AI systems — yours and everyone else’s — to recognize patterns of attack based on previously encountered threats.

While using AI in this way reduces the workload of security teams who would traditionally input this data by hand, it emanates the same risk – namely, that AI systems trained on known threats cannot deal with the threats of tomorrow. Ultimately, it is the unknown threats that bring down an organization.

The promise and pitfalls of XDR in today's threat landscape

Enter Extended Detection and Response (XDR): a platform approach aimed at unifying threat detection across the digital environment. XDR was developed to address the limitations of traditional, fragmented tools by stitching together data across domains, providing SOC teams with a more cohesive, enterprise-wide view of threats. This unified approach allows for improved detection of suspicious activities that might otherwise be missed in siloed systems.

However, XDR solutions still face key challenges: they often depend heavily on human validation, which can aggravate the already alarmingly high alert fatigue security analysts experience, and they remain largely reactive, focusing on detecting and responding to threats rather than helping prevent them. Additionally, XDR frequently lacks full domain coverage, relying on EDR as a foundation and are insufficient in providing native NDR capabilities and visibility, leaving critical gaps that attackers can exploit. This is reflected in the current security market, with 57% of organizations reporting that they plan to integrate network security products into their current XDR toolset[1].

Why settling is risky and how to unlock SOC efficiency

The result of these shortcomings within the security solutions market is an acceptance of inevitable risk. From false positives driving the barrage of alerts, to the siloed tooling that requires manual integration, and the lack of multi-domain visibility requiring human intervention for business context, security teams have accepted that not all alerts can be triaged or investigated.

While prioritization and processes have improved, the SOC is operating under a model that is overrun with alerts that lack context, meaning that not all of them can be investigated because there is simply too much for humans to parse through. Thus, teams accept the risk of leaving many alerts uninvestigated, rather than finding a solution to eliminate that risk altogether.

Darktrace / NETWORK is designed for your Security Operations Center to eliminate alert triage with AI-led investigations , and rapidly detect and respond to known and unknown threats. This includes the ability to scale into other environments in your infrastructure including cloud, OT, and more.

Beyond global threat intelligence: Self-Learning AI enables novel threat detection & response

Darktrace does not rely on known malware signatures, external threat intelligence, historical attack data, nor does it rely on threat trained machine learning to identify threats.

Darktrace’s unique Self-learning AI deeply understands your business environment by analyzing trillions of real-time events that understands your normal ‘pattern of life’, unique to your business. By connecting isolated incidents across your business, including third party alerts and telemetry, Darktrace / NETWORK uses anomaly chains to identify deviations from normal activity.

The benefit to this is that when we are not predefining what we are looking for, we can spot new threats, allowing end users to identify both known threats and subtle, never-before-seen indicators of malicious activity that traditional solutions may miss if they are only looking at historical attack data.

AI-led investigations empower your SOC to prioritize what matters

Anomaly detection is often criticized for yielding high false positives, as it flags deviations from expected patterns that may not necessarily indicate a real threat or issues. However, Darktrace applies an investigation engine to automate alert triage and address alert fatigue.

Darktrace’s Cyber AI Analyst revolutionizes security operations by conducting continuous, full investigations across Darktrace and third-party alerts, transforming the alert triage process. Instead of addressing only a fraction of the thousands of daily alerts, Cyber AI Analyst automatically investigates every relevant alert, freeing up your team to focus on high-priority incidents and close security gaps.

Powered by advanced machine-learning techniques, including unsupervised learning, models trained by expert analysts, and tailored security language models, Cyber AI Analyst emulates human investigation skills, testing hypotheses, analyzing data, and drawing conclusions. According to Darktrace Internal Research, Cyber AI Analyst typically provides a SOC with up to  50,000 additional hours of Level 2 analysis and written reporting annually, enriching security operations by producing high level incident alerts with full details so that human analysts can focus on Level 3 tasks.

Containing threats with Autonomous Response

Simply quarantining a device is rarely the best course of action - organizations need to be able to maintain normal operations in the face of threats and choose the right course of action. Different organizations also require tailored response functions because they have different standards and protocols across a variety of unique devices. Ultimately, a ‘one size fits all’ approach to automated response actions puts organizations at risk of disrupting business operations.

Darktrace’s Autonomous Response tailors its actions to contain abnormal behavior across users and digital assets by understanding what is normal and stopping only what is not. Unlike blanket quarantines, it delivers a bespoke approach, blocking malicious activities that deviate from regular patterns while ensuring legitimate business operations remain uninterrupted.

Darktrace offers fully customizable response actions, seamlessly integrating with your workflows through hundreds of native integrations and an open API. It eliminates the need for costly development, natively disarming threats in seconds while extending capabilities with third-party tools like firewalls, EDR, SOAR, and ITSM solutions.

Unlocking a proactive state of security

Securing the network isn’t just about responding to incidents — it’s about being proactive, adaptive, and prepared for the unexpected. The NIST Cybersecurity Framework (CSF 2.0) emphasizes this by highlighting the need for focused risk management, continuous incident response (IR) refinement, and seamless integration of these processes with your detection and response capabilities.

Despite advancements in security technology, achieving a proactive posture is still a challenge to overcome because SOC teams face inefficiencies from reliance on pattern-matching tools, which generate excessive false positives and leave many alerts unaddressed, while novel threats go undetected. If SOC teams are spending all their time investigating alerts then there is no time spent getting ahead of attacks.

Achieving proactive network resilience — a state where organizations can confidently address challenges at every stage of their security posture — requires strategically aligned solutions that work seamlessly together across the attack lifecycle.

References

1.       Market Guide for Extended Detection and Response, Gartner, 17thAugust 2023 - ID G00761828

Continue reading
About the author
Mikey Anderson
Product Marketing Manager, Network Detection & Response
Your data. Our AI.
Elevate your network security with Darktrace AI