Darktrace/Network Use Cases

No two attacks are the same

Every threat is different, but Darktrace/Network dramatically shortens your time to understanding. Explore the use cases to learn more.

Ransomware

Ransomware is a multi-stage attack that starts with a compromised device and ends in encryption and a ransom note. Darktrace/Network takes targeted action at every stage of the attack.

Initial Intrusion

Darktrace DETECT/Network has revealed well-known exploits such as Log4J, Hafnium and Kaseya, as well as thousands of lesser-known exploits, on a regular basis.

Sample analysis of Darktrace/Network
Every threat is different, but here are some unusual patterns Darktrace/Network might assess when revealing this type of attack:
Unusual Incoming RDP
Unusual File Download
Unusual .exe File Torrenting
Application Protocol to Uncommon Port
Large Numbers of Connections to New Endpoints
...

Establish Foothold and Beaconing

When an attacker attempts to make contact with and remotely control a device, Darktrace pieces together subtle anomalies.

Darktrace RESPOND/Network neutralizes this activity by blocking specific connections, enforcing the ‘pattern of life’ or quarantining the device.

Sample analysis of Darktrace/Network
Every threat is different, but here are some unusual patterns Darktrace/Network might assess when revealing this type of attack:
Beaconing to a Young Endpoint
Anomalous File Downloads
Unusual Data Download / Upload
Beaconing Activity to External Rare Endpoint
Connections to Unusual Endpoint
...

Lateral Movement

As an attacker begins to increase their knowledge of the network, perform scans and escalate their privileges (for instance by obtaining admin credentials), Darktrace DETECT/Network correlates thousands of data points.

Darktrace RESPOND/Network neutralizes this activity by blocking specific connections or enforcing the ‘pattern of life’.

Sample analysis of Darktrace/Network
Every threat is different, but here are some unusual patterns Darktrace/Network might assess when revealing this type of attack:
Unusual SMB Enumeration
Suspicious Network Scan Activity
Unusual Admin SMB or RDP Sessions
New or Uncommon Service Control
Unusual SSH
...

Data Exfiltration

Whether a smash-and-grab or a low-and-slow exfiltration, Darktrace DETECT/Network identifies subtle deviations in activity.

Darktrace RESPOND/Network neutralizes this activity by blocking specific connections, enforcing the ‘pattern of life’ or quarantining the device.

Sample analysis of Darktrace/Network
Every threat is different, but here are some unusual patterns Darktrace/Network might assess when revealing this type of attack:
Anomalous SMB Traffic
Uncommon 1 GiB Outbound
Data Sent to Rare Domain
Unusual External Data Transfer
Unusual Data Download / Upload to Rare Destination
...

Data Encryption

Even if familiar tools and methods are used to conduct the encryption, whether symmetric or asymmetric, Darktrace detects the activity without using static rules or signatures.

Darktrace RESPOND/Network neutralizes this activity by blocking specific connections, enforcing the ‘pattern of life’ or quarantining the device.

Sample analysis of Darktrace/Network
Every threat is different, but here are some unusual patterns Darktrace/Network might assess when revealing this type of attack:
Additional Extension Appended to SMB file
Suspicious SMB Read/Write Ratio
Sustained MIME Type Conversion
Possible Ransom Note
Suspicious SMB Activity
...
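To show how the encryption-stage behaviours listed above can be scored from SMB file activity, here is an added example (not Darktrace code; the event schema, thresholds and sample share paths are assumptions) that flags the appended-extension rename pattern, a write/read byte ratio approaching 1, and the same note file dropped into many directories:

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class SmbEvent:
    """One SMB file operation as a sensor might record it (constructed schema)."""
    client: str
    action: str          # "read", "write" or "rename"
    path: str
    size: int = 0        # bytes transferred for read/write
    new_path: str = ""   # target name for rename

def appended_extension(old: str, new: str) -> bool:
    """True when the original name survives intact and an extra suffix follows it."""
    return new.startswith(old + ".") and len(new) > len(old) + 1

def assess_client(events, client, min_renames=5, min_read=1_000_000, ratio=0.8, note_dirs=3):
    """Return the ransomware-style model names triggered for one client device."""
    mine = [e for e in events if e.client == client]
    findings = []
    renames = sum(1 for e in mine if e.action == "rename" and appended_extension(e.path, e.new_path))
    if renames >= min_renames:
        findings.append("Additional Extension Appended to SMB file")
    read_b = sum(e.size for e in mine if e.action == "read")
    write_b = sum(e.size for e in mine if e.action == "write")
    # Users normally read far more than they write; encrypting a share writes back
    # roughly what was read, so the write/read ratio climbs towards 1.
    if read_b >= min_read and write_b / read_b >= ratio:
        findings.append("Suspicious SMB Read/Write Ratio")
    # The same small text/html file written into many directories looks like a note drop.
    dirs_by_name = defaultdict(set)
    for e in mine:
        if e.action == "write" and e.path.lower().endswith((".txt", ".html")):
            folder, _, name = e.path.rpartition("/")
            dirs_by_name[name].add(folder)
    if any(len(d) >= note_dirs for d in dirs_by_name.values()):
        findings.append("Possible Ransom Note")
    return findings

def sample_events():
    """Constructed sample: 10.0.0.5 encrypts a share, 10.0.0.9 works normally."""
    ev = []
    for i in range(6):
        doc = f"//fs01/finance/q{i}/report.xlsx"
        ev.append(SmbEvent("10.0.0.5", "read", doc, 400_000))
        ev.append(SmbEvent("10.0.0.5", "write", doc, 400_100))
        ev.append(SmbEvent("10.0.0.5", "rename", doc, new_path=doc + ".locked"))
        ev.append(SmbEvent("10.0.0.5", "write", f"//fs01/finance/q{i}/HOW_TO_RECOVER.txt", 1_200))
    ev.append(SmbEvent("10.0.0.9", "read", "//fs01/finance/q1/report.xlsx", 400_000))
    ev.append(SmbEvent("10.0.0.9", "write", "//fs01/finance/notes.txt", 2_000))
    return ev
```

Each heuristic on its own can be noisy (backup jobs also write what they read), which is why the three are reported together per client rather than alerted individually.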

Insider Threat

Whether a malicious leaver or a careless employee disregarding company policy, Darktrace’s understanding of normal patterns of life allows it to stop threats on the inside.

Sample analysis of Darktrace/Network
Every threat is different, but here are some unusual patterns Darktrace/Network might assess when revealing this type of attack:
Sustained SSL and HTTP Increase
ICMP Address Scan
Uncommon WMI Activity
Numeric Exe Download
Anomalous File Download
Suspicious SMB Activity
Multiple Unusual File Uploads
Suspicious SMB Read/Write Ratio
Fast Beaconing to DGA
...

Supply Chain Attack (Third Party Software Vulnerability)

Darktrace stops threats arising from the supply chain by taking immediate action at the first sign of unusual and threatening activity.

Crypto-Mining

Crypto-mining is notoriously difficult to detect, and it can form just one phase of an attacker’s plan to infiltrate a network.

Darktrace shines a light on open ports and internet-facing devices you didn’t know about, and detects the first stages of an attack before crypto-mining can even begin. It also alerts to crypto-mining activity itself, and can be configured to stop the activity autonomously.

Sample analysis of Darktrace/Network
Every threat is different, but here are some unusual patterns Darktrace/Network might assess when revealing this type of attack:
Crypto Currency Mining Activity
Slow Beaconing Activity to External Rare
Suspicious Beacons to Rare PHP Endpoint
SMB Drive Write
...

Credential Stuffing

Credential stuffing is a type of brute-force attack that relies on automated tools to test large volumes of stolen usernames and passwords across multiple sites until one works.

On the network side, Darktrace can detect instances of credential stuffing through a number of unusual behaviors.

Sample analysis of Darktrace/Network
Every threat is different, but here are some unusual patterns Darktrace/Network might assess when revealing this type of attack:
Anomalous Unencrypted Credential Over HTTP
Kerberos Username Brute Force
Unusual External Source for Credential Use
...
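Two of the behaviours listed above can be checked directly from authentication events: many distinct usernames from one source with almost every attempt failing (the username brute-force pattern), and a successful login for an account from a source that account has never used. This added example (not Darktrace code; the record schema, window, thresholds and addresses are assumptions) implements both over a constructed sample:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Each record: (timestamp, source_ip, username, success). Constructed schema,
# standing in for the Kerberos/HTTP authentication events a network sensor sees.

def detect_username_spray(rows, window=timedelta(minutes=5), min_users=10, min_fail_rate=0.9):
    """Return {source_ip: (distinct_users, fail_rate)} for sources that try many
    different usernames inside one window with almost all attempts failing."""
    by_src = defaultdict(list)
    for ts, src, user, ok in rows:
        by_src[src].append((ts, user, ok))
    flagged = {}
    for src, attempts in by_src.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):           # sliding time window
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            chunk = attempts[start:end + 1]
            users = {u for _, u, _ in chunk}
            fail_rate = sum(1 for _, _, ok in chunk if not ok) / len(chunk)
            if len(users) >= min_users and fail_rate >= min_fail_rate:
                flagged[src] = (len(users), fail_rate)
                break
    return flagged

def detect_unusual_source(rows, known_sources):
    """Successful logins for an account from a source it has not used before; the
    spray's single hit stands out here even though on its own it looks like a normal login."""
    return [(src, user) for _, src, user, ok in rows if ok and src not in known_sources.get(user, set())]

def sample_rows():
    """Constructed sample: 203.0.113.7 tries 12 stolen usernames in two minutes and
    lands one; 10.0.0.20 is bob's usual workstation, including one mistyped password."""
    t0 = datetime(2024, 3, 1, 9, 0, 0)
    rows = [(t0 + timedelta(seconds=10 * i), "203.0.113.7", f"user{i:02d}", i == 7) for i in range(12)]
    rows += [(t0 + timedelta(minutes=1), "10.0.0.20", "bob", True),
             (t0 + timedelta(minutes=3), "10.0.0.20", "bob", False),
             (t0 + timedelta(minutes=3, seconds=5), "10.0.0.20", "bob", True)]
    return rows

# Per-account baseline of sources seen before (constructed).
KNOWN_SOURCES = {"bob": {"10.0.0.20"}, "user07": {"10.0.0.31"}}
```

A user who fat-fingers a password a few times from their own machine never reaches the distinct-username threshold, so the first check stays quiet for ordinary failures.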

Mergers & Acquisitions

By learning every asset of your organization and its subsidiaries, Darktrace reduces cyber risk during M&A, both in the due diligence phase and post-acquisition.

An Unlimited Number of Attacks

An Unlimited Number of Responses