Darktrace’s Email Security Trial: A Case Study in Advanced Threat Detection

In an era where cyber threats are becoming increasingly sophisticated, organizations must stay ahead of the curve to protect their sensitive information. Recently, Darktrace conducted a customer trial of its email security product for a leading European infrastructure operator seeking to enhance its email protection. This trial not only showcased the capabilities of Darktrace’s technology but also highlighted the pressing need for advanced security measures in the face of emerging threats.

The Challenge: Existing Security Layers Breached

During the trial, Darktrace encountered several security incidents that penetrated the prospective customer’s existing security layers. Among these incidents were two notable cases of Business Email Compromise (BEC) attacks. These incidents provided a unique opportunity to demonstrate how Darktrace’s technology could effectively detect threats that other vendors missed.

Darktrace was deployed simultaneously with two other email security vendors, all vying for the customer’s business. The superior detection capabilities exhibited by Darktrace during this trial ultimately laid the groundwork for the prospective customer to choose our product over the competition.

Why True Intelligent AI Starts Learning from Scratch

At the heart of Darktrace’s detection capabilities is true unsupervised machine learning. This technology allows Darktrace to detect anomalous activity by developing an evolving understanding of what constitutes "normal" behavior for each unique environment. By training on an organization’s data, Darktrace learns the typical patterns of its users, devices, assets, and the myriad connections between them.

The initial learning period lasts about a week, during which the AI refines its understanding of the business. While this phase may produce some noise or lack precision, it is a testament to the unsupervised nature of Darktrace’s machine learning. Unlike other solutions that rely on preset assumptions for quicker results, Darktrace takes the necessary time to learn from scratch, ensuring a deeper understanding and increasingly accurate detection over time.

Real Threats Detected by Darktrace

Attack 1: Supply Chain Attack

BEC and supply chain attacks are notoriously difficult to detect because they exploit established, trusted senders. In one instance during the trial, an attack originated from a legitimate server belonging to a known supplier with whom the prospective customer had ongoing communication. The attacker used a compromised account to send four sophisticated social engineering emails, crafted to induce users to click a malicious link embedded within ongoing conversations.

Darktrace was configured in passive mode during this trial, meaning it did not hold the emails before they reached the inbox. Fortunately, one vigilant user reported the email to the Chief Information Security Officer (CISO) before any clicks occurred. Upon investigation, it was revealed that the link delivered ransomware set to detonate on a timer.

What set Darktrace apart was its unique behavioral AI approach, which enabled it to detect these sophisticated attacks that exploited prior trust and relationships. Darktrace was the only vendor to catch any of the four malicious emails.

How Did Darktrace Catch This Attack That Other Vendors Missed?

Traditional email security solutions often require organizations to allow certain emails through to eliminate false positives, operating on the premise that it is easier to make broad decisions based on known domains. In contrast, Darktrace employs a zero-trust mentality, analyzing every email to determine whether previously safe communication remains secure.

By creating individual profiles for every account and group, Darktrace can detect deviations in communication patterns based on the context and content of each message. This approach allows Darktrace to distinguish between benign and malicious emails, even when they originate from trusted sources.

For instance, Darktrace assigned an anomaly score of 100 to one of the four malicious emails sent by the trusted supplier, despite it coming from a known correspondent. If deployed in autonomous mode, Darktrace would have quarantined all four emails based on its machine learning indicators, such as ‘Inducement Shift’ and ‘General Behavioral Anomaly.’
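To make the contrast between a domain allowlist and a per-sender behavioral baseline concrete, here is an added toy example; it is not Darktrace's code or any vendor's algorithm, and the mail history, the suspect message, the inducement word list and the score weights are all constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed benign history for one supplier account (not real data).
HISTORY = [
    {"sender": "accounts@supplier.example", "to": ["ap@operator.example"],
     "links": ["https://portal.supplier.example/invoice/1041"],
     "body": "Invoice 1041 attached, payment terms as agreed."},
]

# Assumed word list signalling a shift toward inducing a click.
INDUCEMENT = {"urgent", "immediately", "click", "verify"}

def link_domains(msg):
    return {urlparse(u).hostname for u in msg["links"]}

def build_profiles(history):
    """Per-sender baseline: link domains and recipients each sender has used."""
    profiles = {}
    for msg in history:
        p = profiles.setdefault(msg["sender"], {"domains": Counter(), "to": Counter()})
        p["domains"].update(link_domains(msg))
        p["to"].update(msg["to"])
    return profiles

def allowlist_verdict(msg, trusted_domains):
    """Traditional approach: a known sender domain is waved through."""
    return "allow" if msg["sender"].split("@")[1] in trusted_domains else "review"

def behavioral_score(msg, profiles):
    """Score 0-100 by deviation from this sender's own history (assumed weights)."""
    p = profiles.get(msg["sender"])
    if p is None:
        return 50  # no baseline yet: neither trusted nor condemned (assumed default)
    score = 0
    if any(d not in p["domains"] for d in link_domains(msg)):
        score += 60  # link to a domain this sender has never used before
    if any(r not in p["to"] for r in msg["to"]):
        score += 20  # recipients this sender has never written to
    if set(re.findall(r"[a-z]+", msg["body"].lower())) & INDUCEMENT:
        score += 20  # tone shift toward an urgent call to action
    return min(score, 100)

PROFILES = build_profiles(HISTORY)
TRUSTED = {"supplier.example"}

# Constructed message resembling the trial's supply chain email: same trusted
# sender, but an unfamiliar link domain, a new recipient and an urgent ask.
SUSPECT = {"sender": "accounts@supplier.example",
           "to": ["ap@operator.example", "cfo@operator.example"],
           "links": ["https://secure-docs-share.example.net/view"],
           "body": "Urgent: click to verify the updated invoice immediately."}
```

The allowlist returns "allow" for the suspect message because the sender domain is trusted, while the per-sender baseline scores it 100 and the benign history message 0.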

Attack 2: Microsoft 365 Account Takeover

As part of its behavioral profiling, Darktrace analyzes the wider account activity of every email user. This includes monitoring unusual login patterns and administrative activities, which are key indicators of potential account compromise. On day two of the trial, the customer experienced an account compromise, and Darktrace was able to provide a comprehensive breakdown of the incident.

The account was compromised via an email that Darktrace would have blocked had it been deployed autonomously. Once the account was breached, Darktrace flagged several indicators of compromise, including unusual login attempts and activity from rare endpoints.

With Darktrace / EMAIL, every user is continuously analyzed for behavioral signals, allowing the system to identify compromised accounts and take appropriate actions. In this case, Darktrace would have blocked the compromising email and taken direct action against the account based on the anomalous activity detected.

The Verdict: Darktrace’s Autonomous Learning

Throughout the trial, Darktrace evolved its understanding of the prospective customer’s business and email users. The CISO noted that Darktrace was the only technology that demonstrated true autonomous learning, successfully identifying threats that other vendors failed to catch while allowing safe emails through.

This case study underscores a fundamental principle of Darktrace’s philosophy: a rules and tuning-based approach will always lag behind evolving threats. By analyzing every email in-depth for its content and context, Darktrace can ensure that only legitimate communications reach the inbox.

While other solutions strive to improve their static approaches with AI, Darktrace’s unsupervised machine learning remains dynamic enough to catch the most agile and evolving threats. This capability allows Darktrace to fill a critical gap in customers’ security stacks, ensuring they are well-equipped to meet the challenges posed by tomorrow’s email attacks.

Conclusion

The trial conducted with the European infrastructure operator exemplifies the effectiveness of Darktrace’s email security product in detecting sophisticated cyber threats. With its unique approach to unsupervised machine learning and a commitment to continuous learning, Darktrace is poised to protect organizations from the ever-evolving landscape of cyber threats.

Interested in learning more about Darktrace / EMAIL? Check out our product hub for more information.
