
THREAT INTELLIGENCE REPORT
EXAMPLE NETWORK 001
20 Feb 2019 – 26 Feb 2019

John Smith
Cyber Technology Specialist
THREAT INDICATOR KEY

Board Advisory
Darktrace advises that immediate consultation with the Chief Executive and Board is considered.
Any incident (ongoing or detected) that has the potential for severe commercial, legal and/or operational impact. For example, large scale or unexplained data loss; inability to exercise operational control; any activity that denies critical mission delivery; significant data integrity or core service accessibility issues.

General Counsel Advisory
Darktrace advises that the General Counsel be briefed immediately.
Any incident (ongoing or detected) that could expose the organization to legal challenge; the GC at his or her discretion may wish to apprise the Executive team. For example, the use of the IT estate for malicious purposes (botnet or malware hosting and/or delivery); compromised corporate services used as a staging post or attack vector against a third party.

Enhanced Caution Advised
Darktrace advises that the incident is of sufficient gravity that it should have further internal forensic investigation.
Any incident (ongoing or detected) that could indicate a risk to the organization if not addressed. There are indicators of probable compromise such as active command and control communications, etc. Security staff should be aware of the issue and action taken ASAP.

Security Policy Advisory
Darktrace advises that the organization’s security and compliance function consider incorporating the finding into policy.
Any incident (ongoing or detected) that has the potential to be a risk to the organization through failure to comply with organizational policies, such as BYOD compliance; bad security practice (sharing of passwords or accounts); data risk (uploading to third party data repositories outside of the corporate network), etc.

Disclaimer: The Threat Intelligence Report is intended for information purposes only and is a short form summary of some of the intrusions and/or anomalies found by the Darktrace product on
the customer’s network. Darktrace shall not be liable for the monitoring, interpretation and corrective action with respect to any alerts generated by the Darktrace product or reliance on this report.
The Customer acknowledges that not all anomalies / intrusions may be reported.
EXECUTIVE SUMMARY

Darktrace has been successfully installed and has begun its learning process. This learning will continue to
become richer and richer throughout the Proof of Value. For increased security, Darktrace’s team will only refer
to the customer using the codename HOLDINGS INK. This is the first Threat Intelligence Report prepared by
Darktrace, highlighting three incidents this week for further investigation:

A remote attacker has access to the company’s internal network. Darktrace has identified two infected
machines talking directly to attacker-controlled infrastructure. The malware used in this attack has the
capability to hide from local anti-virus and other security measures. The objective of this attack is unknown,
but the malware has in the past facilitated credit card theft and will give the attacker an internal pivot point and
opportunity to escalate privileges. This should be investigated as a high priority.


A company computer uploaded a notable amount of data to the Dropbox cloud storage service. No other
devices have contacted Dropbox in the past and the use of this service is likely not permitted on the
company’s network. This could therefore be a malicious effort to exfiltrate data. The use of Dropbox may be
legitimate, but it has previously been associated with data exfiltration and used by attackers to command
malicious activity. Darktrace would recommend verifying that this transfer was expected.

A new device on the network was observed remotely controlling an unusual external destination that appears
to host an online automotive replacement sales company. No other devices have been seen communicating
with this location, and outbound remote control connections are unusual for the network. This activity is worthy
of further investigation as such connections facilitate a high degree of control over the destination and access
to its resources, and can be utilized for data exfiltration.

INCIDENT 1
HTTP POSTs to Algorithmic Domains - Compromise

Darktrace has detected suspicious HTTP POSTs to 100% rare external domains, which appear to be generated by an algorithm. OSINT has linked these domains to a known Trojan, indicating company devices are infected with malware now conducting C2 activity.

2017-02-26 09:13
Two internal IPs are exhibiting ‘PushDo’ behavior. 192.168.0.3 and 192.168.0.45 are making significant numbers of HTTP POST requests to randomized domains in order to hide the true command-and-control callback. Examples of domains include BAD_DOMAIN[.]com and BAD_DOMAIN[.]net – these domains can be queried in the Darktrace appliance for your reference. Reporting indicates that this Trojan has previously been utilized in various ways, including harvesting credentials, SPAM bots and credit card theft.
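Added example, not code from the report or from Darktrace: a small Python check that applies the reasoning above to constructed HTTP log lines. It scores each contacted domain's second-level label for character randomness (Shannon entropy) and rarity (how many devices have ever contacted it), then flags devices making repeated POSTs to such domains. The log format, the domain names, the 192.168.0.x clients beyond the two named in the incident, and the thresholds are assumptions made for this example; the OSINT link to a known Trojan is not something a heuristic like this reproduces.

```python
"""Flag devices making repeated HTTP POSTs to rare, random-looking domains.

Added example, not Darktrace's detection logic. The log lines are
constructed (timestamp, source IP, method, host). Two generic DGA
indicators are combined: the second-level label looks random (high
Shannon entropy and long) and few devices have ever contacted the domain.
"""
import math
from collections import Counter, defaultdict

# Constructed HTTP log: the two 192.168.0.x clients named in the incident
# post to made-up random labels; the other hosts are ordinary traffic.
SAMPLE_LOG = """\
2017-02-26T09:13:01 192.168.0.3 POST qzv8ktj2mwpx.com
2017-02-26T09:13:04 192.168.0.3 POST xk3pq9vrlmz.net
2017-02-26T09:13:09 192.168.0.3 POST r7tplw2qbzxn.com
2017-02-26T09:13:12 192.168.0.45 POST qzv8ktj2mwpx.com
2017-02-26T09:13:15 192.168.0.45 POST bt9wqzn4lrvx.net
2017-02-26T09:13:20 192.168.0.45 POST xk3pq9vrlmz.net
2017-02-26T09:14:00 192.168.0.10 GET www.example.com
2017-02-26T09:14:05 192.168.0.11 POST mail.example.com
2017-02-26T09:14:06 192.168.0.12 POST www.example.com
"""


def parse_log(text):
    """One dict per non-empty line; hosts are lower-cased for grouping."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, host = line.split()
        events.append({"ts": ts, "src": src, "method": method, "host": host.lower()})
    return events


def shannon_entropy(s):
    """Bits per character; 12 distinct characters score log2(12) ~ 3.58."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_label(host):
    """Naive second-level label ('example' for 'www.example.com'); multi-part
    public suffixes such as .co.uk are not handled here."""
    parts = host.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def suspicious_domains(events, rare_max_devices=2, min_entropy=3.2, min_len=10):
    """Hosts that are both rare (few distinct devices) and random-looking."""
    devices_per_host = defaultdict(set)
    for e in events:
        devices_per_host[e["host"]].add(e["src"])
    flagged = {}
    for host, devs in devices_per_host.items():
        label = registered_label(host)
        entropy = shannon_entropy(label)
        if len(devs) <= rare_max_devices and len(label) >= min_len and entropy >= min_entropy:
            flagged[host] = round(entropy, 2)
    return flagged


def flag_devices(events, min_posts=3):
    """Devices with at least `min_posts` POSTs to suspicious domains."""
    bad = suspicious_domains(events)
    posts = Counter(e["src"] for e in events if e["method"] == "POST" and e["host"] in bad)
    return {src: n for src, n in posts.items() if n >= min_posts}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("suspicious domains:", suspicious_domains(evs))
    print("devices to investigate:", flag_devices(evs))
```

Rarity alone would also catch a legitimate one-off download site, and entropy alone would catch CDN hostnames, which is why the two are required together; the POST count is the third leg, since a single request to an odd domain is noise but a steady stream of POSTs is what a callback looks like.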

INCIDENT 2
Anomalous Dropbox Upload

Darktrace observed a laptop in the network making a series of SSL connections to a Dropbox-related host, uploading over 35MB of data. Whilst this service appears to be used in the network, the device had not been observed making an external upload of comparable size prior to this activity. The security team may wish to verify that this was an expected transfer and not an attempt to egress data from the network.

2017-03-23 09:43:37
P5130239 · 10.230.101.38 · f0:1f:af:02:83:88 made an SSL connection to block.dropbox[.]com on TCP port 443.
Total upload: 37.1MB
This was an anomalously large external upload for the device, see Figure 3.

Figure 3: External data transfer for P5130239 over the 2 weeks leading up to the incident
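Added example, not Darktrace's pattern-of-life model: a per-device baseline check in Python over a constructed two-week history of daily external upload totals, the kind of series Figure 3 plots. A robust z-score against the device's own median keeps a busy build server from being flagged while a laptop that normally uploads under 1 MB a day and suddenly sends 37.1 MB is, and a device with no history yet is skipped rather than judged. The device names other than P5130239, the history values and the thresholds are constructed for the example.

```python
"""Flag a device whose daily external upload is far above its own baseline.

Added example, not Darktrace's pattern-of-life model. The history below is
constructed: daily external upload totals (MB) per device over the two
weeks before the day under review. The score is a robust z-score against
the device's own median, scaled by the median absolute deviation (MAD), so
a single earlier spike does not inflate the baseline.
"""
import statistics

# Constructed 14-day history, MB uploaded externally per day.
BASELINE_MB = {
    "P5130239": [0.4, 0.6, 0.3, 0.5, 0.2, 0.7, 0.4, 0.3, 0.6, 0.5, 0.4, 0.8, 0.3, 0.5],
    "BUILD01": [30.0, 28.5, 31.2, 29.8, 30.5, 27.9, 32.1, 30.0, 29.4, 31.0, 28.8, 30.2, 29.9, 30.7],
}
# Constructed totals for the day under review; NEWDEV has no history yet.
TODAY_MB = {"P5130239": 37.1, "BUILD01": 33.0, "NEWDEV": 12.0}

MAD_TO_SIGMA = 1.4826  # MAD -> standard deviation for normally distributed data


def robust_zscore(history, value):
    """How many robust standard deviations `value` sits above the history median."""
    med = statistics.median(history)
    mad = statistics.median(abs(x - med) for x in history)
    scale = MAD_TO_SIGMA * mad if mad > 0 else 1e-9  # flat history: any change is huge
    return (value - med) / scale


def anomalous_uploads(baseline, today, z_threshold=10.0, min_abs_mb=5.0):
    """Return {device: z} for devices exceeding both the statistical and the
    absolute threshold; devices without a baseline are skipped, not judged."""
    flagged = {}
    for dev, value in today.items():
        history = baseline.get(dev)
        if not history:
            continue
        z = robust_zscore(history, value)
        if z >= z_threshold and value - statistics.median(history) >= min_abs_mb:
            flagged[dev] = round(z, 1)
    return flagged


if __name__ == "__main__":
    print(anomalous_uploads(BASELINE_MB, TODAY_MB))
```

The absolute floor (`min_abs_mb`) matters as much as the z-score: a device with a near-zero, near-constant history would otherwise produce an enormous z for a harmless 2 MB upload, and the analyst's time is better spent on transfers that could actually carry something.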

INCIDENT 3
RDP to Rare External Destination

Darktrace observed a new device in the network making two RDP connections to a 100% rare external host that appears to be associated with an automotive spare parts company. No other devices in the network have been observed connecting to this host before and the device was first observed in the network on the day of this activity. The connections lasted over ten minutes and involved the upload of almost 4MB of data. The security team may wish to investigate further to ensure that this was authorized activity.

2017-02-23 13:54
JMR · 10.230.102.143 · 00:23:18:28:3d:8c made 2 RDP connections to 100% rare external host mail.klaxcar[.]com on TCP port 30005.
Total duration: 10 mins 34 secs
Total upload: 0.19 MB
Total download: 3.77 MB

No other devices in the network have been observed connecting to this host.

JMR · 10.230.102.143 was first seen on the network on 2017-03-23.

Sample Connection:
Time: 2017-02-23 14:44:57 [UTC]
Protocol: RDP
Source: 10.230.102.143
Destination: 217.109.48.125
Destination Port: 30005
Client Name: JMR

EXAMPLE CASE STUDY
This Threat Intelligence Report also details an incident recently found on the network of a major European
retailer. This incident demonstrates Darktrace’s ability to detect emerging threats by combining various unusual
activities into a single picture of anomalous device behavior.

A JBOSS application server demonstrated behaviors that suggest the device may have been compromised. The server first
made an unsolicited HTTP GET request over non-standard port 5198 to a foreign file server. This destination was 100%
anomalous in the company’s network, as no other device had connected to the server since Darktrace was installed. The use of
this port for HTTP GET requests was also flagged as highly anomalous. No DNS resolution, redirection or referral was observed,
suggesting the connection may have been programmatically called. There was no corresponding domain name or website
associated with the foreign server’s IP. The HTTP GET request recovered a web application archive file. The download of this
file was anomalous as the JBOSS server rarely retrieves .war files. Following the download, the same foreign server sent a
POST request to the JBOSS application server using a /servlet URL to invoke a command. The application server’s JMX Invoker
was running by default, meaning that this servlet was successfully called. No further indicators of compromise were observed
after these events. However, the anomalous nature of both the external server and the series of activities that characterized this
incident indicated that it was not part of regular business activity and more likely represented a malicious effort to establish
persistent backdoor access to the application server. By flagging these events, Darktrace provided the company with real-time
intelligence to respond to a remote attacker’s active exploitation of a vulnerable JBOSS service. The company’s security team
was able to proceed immediately to full incident response mode and use Darktrace threat intelligence to isolate the attack and
remediate the server’s vulnerabilities before the attacker could achieve their objectives.
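The RDP incident above and this JBOSS case study both rest on the same idea: individually weak signals (a device first seen that day, a destination no other device has reached, a non-standard port for the protocol, a connection with no preceding DNS lookup, an unusual file type being fetched, an inbound request to a servlet URL) are combined into one per-device picture. The Python below is an added example of that kind of correlation, not Darktrace's code or model: it walks a constructed event stream, tags each anomaly, and sums weights inside a sliding time window. The device names other than JMR, the IP addresses, timestamps, first-seen dates, weights and thresholds are all constructed assumptions.

```python
"""Correlate several individually weak anomalies into one per-device score.

Added example, not Darktrace's code. The event streams below are
constructed: one mirrors the outbound RDP to a never-seen host from a
device first seen that day, the other mirrors the JBOSS sequence (GET on a
non-standard port to an unresolved IP, a .war download, then an inbound
POST to a servlet URL). Weights, thresholds, addresses and timestamps are
assumptions made for the illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

STANDARD_PORTS = {("http", 80), ("http", 8080), ("https", 443), ("rdp", 3389)}
REMOTE_CONTROL = {"rdp", "ssh", "vnc"}
WEIGHTS = {"new_device": 1, "rare_destination": 2, "nonstandard_port": 2,
           "no_prior_dns": 2, "remote_control_out": 2,
           "archive_download": 3, "inbound_servlet_post": 4}


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed events. kind "dns": device resolved name -> ip; kind "conn":
# device opened an outbound connection; kind "http": request seen on the
# wire with direction "out" (device is client) or "in" (device is server).
EVENTS = [
    # mirrors Incident 3: brand-new device, outbound RDP, never-seen host, odd port
    {"t": ts("2017-02-23 13:54:00"), "dev": "JMR", "kind": "conn",
     "proto": "rdp", "dst": "203.0.113.25", "port": 30005},
    # ordinary device: resolves a name, then HTTPS to it (must not be flagged)
    {"t": ts("2017-02-23 10:00:00"), "dev": "WS01", "kind": "dns",
     "name": "www.example.com", "ip": "198.51.100.10"},
    {"t": ts("2017-02-23 10:00:01"), "dev": "WS01", "kind": "conn",
     "proto": "https", "dst": "198.51.100.10", "port": 443},
    # mirrors the case study on the JBOSS server
    {"t": ts("2017-03-01 02:10:00"), "dev": "JBOSS01", "kind": "conn",
     "proto": "http", "dst": "203.0.113.77", "port": 5198},
    {"t": ts("2017-03-01 02:10:01"), "dev": "JBOSS01", "kind": "http", "dir": "out",
     "method": "GET", "peer": "203.0.113.77", "path": "/deploy/app.war"},
    {"t": ts("2017-03-01 02:10:30"), "dev": "JBOSS01", "kind": "http", "dir": "in",
     "method": "POST", "peer": "203.0.113.77", "path": "/invoker/JMXInvokerServlet"},
]
# Constructed first-seen times; a device absent from this map is treated as new.
FIRST_SEEN = {"JMR": ts("2017-02-23 09:00:00"), "WS01": ts("2016-12-01 08:00:00"),
              "JBOSS01": ts("2016-11-15 08:00:00")}


def tag_event(e, first_seen, seen_dst, resolved):
    """Return anomaly tags for one event, updating the rarity/DNS state."""
    dev, tags = e["dev"], []
    if e["t"] - first_seen.get(dev, e["t"]) < timedelta(hours=24):
        tags.append("new_device")
    if e["kind"] == "conn":
        if not seen_dst[e["dst"]] - {dev}:      # no other device ever reached it
            tags.append("rare_destination")
        seen_dst[e["dst"]].add(dev)
        if (e["proto"], e["port"]) not in STANDARD_PORTS:
            tags.append("nonstandard_port")
        if e["dst"] not in resolved[dev]:       # connected by bare IP, no lookup
            tags.append("no_prior_dns")
        if e["proto"] in REMOTE_CONTROL:
            tags.append("remote_control_out")
    elif e["kind"] == "http":
        if e["dir"] == "out" and e["method"] == "GET" and e["path"].lower().endswith(".war"):
            tags.append("archive_download")
        if e["dir"] == "in" and e["method"] == "POST" and "servlet" in e["path"].lower():
            tags.append("inbound_servlet_post")
    return tags


def correlate(events, first_seen, window=timedelta(hours=1), threshold=6):
    """Return {device: (best_score, tags)} for devices whose tagged anomalies
    inside any sliding window sum to at least `threshold`."""
    seen_dst, resolved = defaultdict(set), defaultdict(set)
    findings = defaultdict(list)            # device -> [(time, tag)]
    for e in sorted(events, key=lambda x: x["t"]):
        if e["kind"] == "dns":
            resolved[e["dev"]].add(e["ip"])
            continue
        for tag in tag_event(e, first_seen, seen_dst, resolved):
            findings[e["dev"]].append((e["t"], tag))
    report = {}
    for dev, items in findings.items():
        best_score, best_tags = 0, []
        for t_end, _ in items:
            in_win = [tag for t, tag in items if t_end - window <= t <= t_end]
            score = sum(WEIGHTS[tag] for tag in in_win)
            if score > best_score:
                best_score, best_tags = score, in_win
        if best_score >= threshold:
            report[dev] = (best_score, best_tags)
    return report


if __name__ == "__main__":
    for dev, (score, tags) in correlate(EVENTS, FIRST_SEEN).items():
        print(f"{dev}: score {score} from {', '.join(tags)}")
```

The ordinary workstation also hits "rare_destination" (every destination is rare the first time anyone goes there), but with a resolved name, a standard port and no remote-control protocol it stays well under the threshold; the server is flagged because the odd port, the unresolved IP, the archive fetch and the inbound servlet POST all land inside one window, which is the "single picture" the case study describes.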

PRODUCT OVERVIEW
Darktrace’s Enterprise Immune System uses machine learning and AI to detect and respond to
cyber-threats in real time, while providing complete visibility of an organization’s network.

The solution works by analyzing raw network traffic across the digital business to learn the normal
‘pattern of life’ for every user, device, and all the complex relationships between them. Rather than
pre-defining ‘benign’ or ‘malicious’ in advance, Darktrace uses this evolving ‘pattern of life’ to spot
emerging threats that other tools miss, from zero-days and insider threats, through to ransomware
and ‘low and slow’ attacks.

Darktrace’s self-learning approach is the first non-consumer application of artificial intelligence to work at scale across all network types, including physical, virtualized, cloud, SaaS, IoT, and ICS.
The benefits of the Enterprise Immune System include:

o Autonomously detects and responds to cyber-threats – spots and stops threats before they
do damage, without relying on rules, signatures, or training data
o Complete Visibility – provides real-time visualization of every user and device to support deep
investigation of emerging threats
o Learns on the job – continuously learns and adapts its understanding of ‘normal’ in light of new
evidence
o Installs in One Hour – no lengthy set-up or manual tuning required
