GET A DEMO
See why 9,000+ companies trust Darktrace
Thanks, your request has been received
A member of our team will be in touch with you shortly.
YOU MAY FIND INTERESTING
Five Key Takeaways from Black Hat 2023
Hives & Frankensteins: The Half-Year Threat Report
Oops! Something went wrong while submitting the form.

Blog

Inside the SOC

Revealing ViperSoftX Intrusion: Detecting Malware

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
03
Oct 2023
03
Oct 2023
Read how Darktrace effectively detects and responds to ViperSoftX malware across their customer base, even with its advanced evasion tactics. Learn more.

Fighting Info-Stealing Malware

The escalating threat posed by information-stealing malware designed to harvest and steal the sensitive data of individuals and organizations alike has become a paramount concern for security teams across the threat landscape. In direct response to security teams improving their threat detection and prevention capabilities, threat actors are forced to continually adapt and advance their techniques, striving for greater sophistication to ensure they can achieve the malicious goals.

What is ViperSoftX?

ViperSoftX is an information stealer and Remote Access Trojan (RAT) malware known to steal privileged information such as cryptocurrency wallet addresses and password information stored in browsers and password managers. It is commonly distributed via the download of cracked software from multiple sources such as suspicious domains, torrent downloads, and key generators (keygens) from third-party sites.

ViperSoftX was first observed in the wild in 2020 [1] but more recently, new strains were identified in 2022 and 2023 utilizing more sophisticated detection evasion techniques, making it more difficult for security teams to identify and analyze. This includes using more advanced encryption methods alongside monthly changes to command-and-control servers (C2) [2], using dynamic-link library (DLL) sideloading for execution techiques, and subsequently loading a malicious browser extension upon infection which works as an independent info-stealer named VenomSoftX [3].

Between February and June 2023, Darktrace detected activity related to the VipersoftX and VenomSoftX information stealers on the networks of more than 100 customers across its fleet. Darktrace DETECT™ was able to successfully identify the anomalous network activity surrounding these emerging information stealer infections and bring them to the attention of the customers, while Darktrace RESPOND™, when enabled in autonomous response mode, was able to quickly intervene and shut down malicious downloads and data exfiltration attempts.

ViperSoftX Attack & Darktrace Coverage

In cases of ViperSoftX information stealer activity observed by Darktrace, the initial infection was caused through the download of malicious files from multimedia sites, endpoints of cracked software like Adobe Illustrator, and torrent sites. Endpoint users typically unknowingly download the malware from these endpoints with a sideloaded DLL, posing as legitimate software executables.

Darktrace detected multiple downloads from such multimedia sites and endpoints related to cracked software and BitTorrent, which were likely representative of the initial source of ViperSoftX infection. Darktrace DETECT models such as ‘Anomalous File / Anomalous Octet Stream (No User Agent)’ breached in response to this activity and were brought to the immediate attention of customer security teams. In instances where Darktrace RESPOND was configured in autonomous response mode, Darktrace was able to enforce a pattern of life on offending devices, preventing them from downloading malicious files.  This ensures that devices are limited to conducting only their pre-established expected activit, minimizing disruption to the business whilst targetedly mitigating suspicious file downloads.

The downloads are then extracted, decrypted and begin to run on the device. The now compromised device will then proceed to make external connections to C2 servers to retrieve secondary PowerShell executable. Darktrace identified that infected devices using PowerShell user agents whilst making HTTP GET requests to domain generation algorithm (DGA) ViperSoftX domains represented new, and therefore unusual, activity in a large number of cases.

For example, Darktrace detected one customer device making an HTTP GET request to the endpoint ‘chatgigi2[.]com’, using the PowerShell user agent ‘Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.2364’. This new activity triggered a number of DETECT models, including ‘Anomalous Connection / PowerShell to Rare External’ and ‘Device / New PowerShell User Agent’. Repeated connections to these endpoints also triggered C2 beaconing models including:  

  • Compromise / Agent Beacon (Short Period)
  • Compromise / Agent Beacon (Medium Period)
  • Compromise / Agent Beacon (Long Period)
  • Compromise / Quick and Regular Windows HTTP Beaconing
  • Compromise / SSL or HTTP Beacon

Although a large number of different DGA domains were detected, commonalities in URI formats were seen across affected customers which matched formats previously identified as ViperSoftX C2 communication by open-source intelligence (OSINT), and in other Darktrace investigations.  

URI paths for example, were always of the format /api/, /api/v1/, /v2/, or /v3/, appearing to detail version number, as can be seen in Figure 1.

Figure 1: A Packet Capture (PCAP) taken from Darktrace showing a connection made to a ViperSoftX C2 endpoint containing versioning information, consistent with ViperSoftX pattern of communication.  

Before the secondary PowerShell executables are loaded, ViperSoftX takes a digital fingerprint of the infected machine to gather its configuration details, and exfiltrates them to the C2 server. These include the computer name, username, Operating System (OS), and ensures there are no anti-virus or montoring tools on the device. If no security tool are detected, ViperSoftX then downloads, decrypts and executes the PowerShell file.

Following the GET requests Darktrace observed numerous devices performing HTTP POST requests and beaconing connections to ViperSoftX endpoints with varying globally unique identifiers (GUIDs) within the URIs. These connections represented the exfiltration of device configuration details, such as “anti-virus detected”, “app used”, and “device name”. As seen on another customer’s deployment, this caused the model ‘Anomalous Connection / Multiple HTTP POSTs to Rare Hostname’ to breach, which was also detected by Cyber AI Analyst as seen in Figure 2.

Figure 2: Cyber AI Analyst’s detection of HTTP POSTs being made to apibiling[.]com, a ViperSoftX C2 endpoint.

The malicious PowerShell download then crawls the infected device’s systems and directories looking for any cryptocurrency wallet information and password managers, and exfiltrates harvest data to the C2 infrastructure. The C2 server then provides further browser extensions to Chromium browsers to be downloaded and act as a separate stand-alone information stealer, also known as VenomSoftX.

Similar to the initial download of ViperSoftX, these malicious extensions are disguised as legitimate browser extensions to evade the detection of security teams. VenomSoft X, in turn, searches through and attempts to gather sensitive data from password managers and crypto wallets stored in user browsers. Using this information, VenomSoftX is able to redirect crypocurrency transactions by intercepting and manipulating API requests between the sender and the intended recipient, directing the cryptocurrency to the attacker instead [3].

Following investigation into VipersoftX activity across the customer base, Darktrace notified all affected customers and opened Ask the Expert (ATE) tickets through which customer’s could directly contact the analyst team for support and guidance in the face on the information stealer infection.

How did the attack bypass the rest of the security stack?

As previously mentioned, both the initial download of ViperSoftX and the subsequent download of the VenomX browser extension are disguised as legitimate software or browser downloads. This is a common technique employed by threat actors to infect target devices with malicious software, while going unnoticed by security teams traditional security measures. Furthermore, by masquerading as a legitimate piece of software endpoint users are more likely to trust and therefore download the malware, increasing the likelihood of threat actor’s successfully carrying out their objectives. Additionally, post-infection analysis of shellcode, the executable code used as the payload, is made significantly more difficult by VenomSoftX’s use of bytemapping. Bytemapping prevents the encryption of shellcodes without its corresponding byte map, meaning that the payloads cannot easily be decrypted and analysed by security researchers. [3]

ViperSoftX also takes numerous attempts to prevent their C2 infrastructure from being identified by blocking access to it on browsers, and using multiple DGA domains, thus renderring defunct traditional security measures that rely on threat intelligence and static lists of indicators of compromise (IoCs).

Fortunately for Darktrace customers, Darktrace’s anomaly-based approach to threat detection means that it was able to detect and alert customers to this suspicious activity that may have gone unnoticed by other security tools.

Insights/Conclusion

Faced with the challenge of increasingly competent and capable security teams, malicious actors are having to adopt more sophisticated techniques to successfully compromise target systems and achieve their nefarious goals.

ViperSoftX information stealer makes use of numerous tactics, techniques and procedures (TTPs) designed to fly under the radar and carry out their objectives without being detected. ViperSoftX does not rely on just one information stealing malware, but two with the subsequent injection of the VenomSoftX browser extension, adding an additional layer of sophistication to the informational stealing operation and increasing the potential yield of sensitive data. Furthermore, the use of evasion techniques like disguising malicious file downloads as legitimate software and frequently changing DGA domains means that ViperSoftX is well equipped to infiltrate target systems and exfiltrate confidential information without being detected.

However, the anomaly-based detection capabilities of Darktrace DETECT allows it to identify subtle changes in a device’s behavior, that could be indicative of an emerging compromise, and bring it to the customer’s security team. Darktrace RESPOND is then autonomously able to take action against suspicious activity and shut it down without latency, minimizing disruption to the business and preventing potentially significant financial losses.

Credit to: Zoe Tilsiter, Senior Cyber Analyst, Nathan Lorenzo, Cyber Analyst.

Appendices

References

[1] https://www.fortinet.com/blog/threat-research/vipersoftx-new-javascript-threat

[2] https://www.trendmicro.com/en_us/research/23/d/vipersoftx-updates-encryption-steals-data.html

[3] https://decoded.avast.io/janrubin/vipersoftx-hiding-in-system-logs-and-spreading-venomsoftx/

Darktrace DETECT Model Detections

·       Anomalous File / Anomalous Octet Stream (No User Agent)

·       Anomalous Connection / PowerShell to Rare External

·       Anomalous Connection / Multiple HTTP POSTs to Rare Hostname

·       Anomalous Connection / Lots of New Connections

·       Anomalous Connection / Multiple Failed Connections to Rare Endpoint

·       Anomalous Server Activity / Outgoing from Server

·       Compromise / Large DNS Volume for Suspicious Domain

·       Compromise / Quick and Regular Windows HTTP Beaconing

·       Compromise / Beacon for 4 Days

·       Compromise / Suspicious Beaconing Behaviour

·       Compromise / Large Number of Suspicious Failed Connections

·       Compromise / Large Number of Suspicious Successful Connections

·       Compromise / POST and Beacon to Rare External

·       Compromise / DGA Beacon

·       Compromise / Agent Beacon (Long Period)

·       Compromise / Agent Beacon (Medium Period)

·       Compromise / Agent Beacon (Short Period)

·       Compromise / Fast Beaconing to DGA

·       Compromise / SSL or HTTP Beacon

·       Compromise / Slow Beaconing Activity To External Rare

·       Compromise / Beaconing Activity To External Rare

·       Compromise / Excessive Posts to Root

·       Compromise / Connections with Suspicious DNS

·       Compromise / HTTP Beaconing to Rare Destination

·       Compromise / High Volume of Connections with Beacon Score

·       Compromise / Sustained SSL or HTTP Increase

·       Device / New PowerShell User Agent

·       Device / New User Agent and New IP

Darktrace RESPOND Model Detections

·       Antigena / Network / External Threat / Antigena Suspicious File Block

·       Antigena / Network / External Threat / Antigena File then New Outbound Block

·       Antigena / Network / External Threat / Antigena Watched Domain Block

·       Antigena / Network / Significant Anomaly / Antigena Significant Anomaly from Client Block

·       Antigena / Network / External Threat / Antigena Suspicious Activity Block

·       Antigena / Network / Significant Anomaly / Antigena Breaches Over Time Block

·       Antigena / Network / Insider Threat / Antigena Large Data Volume Outbound Block

·       Antigena / Network / External Threat / Antigena Suspicious File Pattern of Life Block

·       Antigena / Network / Significant Anomaly / Antigena Controlled and Model Breach

List of IoCs

Indicator - Type - Description

ahoravideo-blog[.]com - Hostname - ViperSoftX C2 endpoint

ahoravideo-blog[.]xyz - Hostname - ViperSoftX C2 endpoint

ahoravideo-cdn[.]com - Hostname - ViperSoftX C2 endpoint

ahoravideo-cdn[.]xyz - Hostname - ViperSoftX C2 endpoint

ahoravideo-chat[.]com - Hostname - ViperSoftX C2 endpoint

ahoravideo-chat[.]xyz - Hostname - ViperSoftX C2 endpoint

ahoravideo-endpoint[.]xyz - Hostname - ViperSoftX C2 endpoint

ahoravideo-schnellvpn[.]com - Hostname - ViperSoftX C2 endpoint

ahoravideo-schnellvpn[.]xyz - Hostname - ViperSoftX C2 endpoint

apibilng[.]com - Hostname - ViperSoftX C2 endpoint

arrowlchat[.]com - Hostname - ViperSoftX C2 endpoint

bideo-blog[.]com - Hostname - ViperSoftX C2 endpoint

bideo-blog[.]xyz - Hostname - ViperSoftX C2 endpoint

bideo-cdn[.]com - Hostname - ViperSoftX C2 endpoint

bideo-cdn[.]xyz - Hostname - ViperSoftX C2 endpoint

bideo-chat[.]com - Hostname - ViperSoftX C2 endpoint

bideo-chat[.]xyz - Hostname - ViperSoftX C2 endpoint

bideo-endpoint[.]com - Hostname - ViperSoftX C2 endpoint

bideo-endpoint[.]xyz - Hostname - ViperSoftX C2 endpoint

bideo-schnellvpn[.]com - Hostname - ViperSoftX C2 endpoint

chatgigi2[.]com - Hostname - ViperSoftX C2 endpoint

counter[.]wmail-service[.]com - Hostname - ViperSoftX C2 endpoint

fairu-cdn[.]xyz - Hostname - ViperSoftX C2 endpoint

fairu-chat[.]xyz - Hostname - ViperSoftX C2 endpoint

fairu-endpoint[.]com - Hostname - ViperSoftX C2 endpoint

fairu-schnellvpn[.]com - Hostname - ViperSoftX C2 endpoint

fairu-schnellvpn[.]xyz - Hostname - ViperSoftX C2 endpoint

privatproxy-blog[.]com - Hostname - ViperSoftX C2 endpoint

privatproxy-blog[.]xyz - Hostname - ViperSoftX C2 endpoint

privatproxy-cdn[.]com - Hostname - ViperSoftX C2 endpoint

privatproxy-cdn[.]xyz - Hostname - ViperSoftX C2 endpoint

privatproxy-endpoint[.]xyz - Hostname - ViperSoftX C2 endpoint

privatproxy-schnellvpn[.]com - Hostname - ViperSoftX C2 endpoint

privatproxy-schnellvpn[.]xyz - Hostname - ViperSoftX C2 endpoint

static-cdn-349[.]net - Hostname - ViperSoftX C2 endpoint

wmail-blog[.]com - Hostname - ViperSoftX C2 endpoint

wmail-cdn[.]xyz - Hostname - ViperSoftX C2 endpoint

wmail-chat[.]com - Hostname - ViperSoftX C2 endpoint

wmail-schnellvpn[.]com - Hostname - ViperSoftX C2 endpoint

wmail-schnellvpn[.]xyz - Hostname - ViperSoftX C2 endpoint

Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.2364 - User Agent -PowerShell User Agent

MITRE ATT&CK Mapping

Tactic - Technique - Notes

Command and Control - T1568.002 Dynamic Resolution: Domain Generation Algorithms

Command and Control - T1321 Data Encoding

Credential Access - T1555.005 Credentials from Password Stores: Password Managers

Defense Evasion - T1027 Obfuscated Files or Information

Execution - T1059.001 Command and Scripting Interpreter: PowerShell

Execution - T1204 User Execution T1204.002 Malicious File

Persistence - T1176 Browser Extensions - VenomSoftX specific

Persistence, Privilege Escalation, Defense Evasion - T1574.002 Hijack Execution Flow: DLL Side-Loading

INSIDE THE SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
AUTHOR
ABOUT ThE AUTHOR
Zoe Tilsiter
Cyber Analyst
Watch the NIS2 Webinar
Book a 1-1 meeting with one of our experts
Get in touch
share this article
CATEGORIES
McLaren
PREVENT
RESPOND
Cloud
Ransomware
Inside the SOC
Thought Leadership
Crypto
Email
Threat Finds
OT
USE CASES
No items found.
PRODUCT SPOTLIGHT
DaRKTRACE
DETECT
TM
See attacks instantly.
DaRKTRACE
RESPOND
TM
Disarm within seconds
COre coverage
No items found.
RELATED BLOGS
No items found.
Trending blogs
1
Moving Beyond XDR to Achieve True Cyber Resilience with Darktrace ActiveAI Security Platform
Apr 9, 2024
2
Managing Risk Beyond CVE Scores With the Latest Innovations to Darktrace/OT
Apr 9, 2024
3
Looking Beyond Secure Email Gateways with the Latest Innovations to Darktrace/Email
Apr 7, 2024
4
The State of AI in Cybersecurity: Unveiling Global Insights from 1,800 Security Practitioners
Apr 9, 2024
5
Beyond DMARC: Navigating the Gaps in Email Security
Feb 29, 2024

More in this series

No items found.

Blog

Inside the SOC

Lost in Translation: Darktrace Blocks Non-English Phishing Campaign Concealing Hidden Payloads

Default blog imageDefault blog image
15
May 2024

Email – the vector of choice for threat actors

In times of unprecedented globalization and internationalization, the enormous number of emails sent and received by organizations every day has opened the door for threat actors looking to gain unauthorized access to target networks.

Now, increasingly global organizations not only need to safeguard their email environments against phishing campaigns targeting their employees in their own language, but they also need to be able to detect malicious emails sent in foreign languages too [1].

Why are non-English language phishing emails more popular?

Many traditional email security vendors rely on pre-trained English language models which, while function adequately against malicious emails composed in English, would struggle in the face of emails composed in other languages. It should, therefore, come as no surprise that this limitation is becoming increasingly taken advantage of by attackers.  

Darktrace/Email™, on the other hand, focuses on behavioral analysis and its Self-Learning AI understands what is considered ‘normal’ for every user within an organization’s email environment, bypassing any limitations that would come from relying on language-trained models [1].

In March 2024, Darktrace observed anomalous emails on a customer’s network that were sent from email addresses belonging to an international fast-food chain. Despite this seeming legitimacy, Darktrace promptly identified them as phishing emails that contained malicious payloads, preventing a potentially disruptive network compromise.

Attack Overview and Darktrace Coverage

On March 3, 2024, Darktrace observed one of the customer’s employees receiving an email which would turn out to be the first of more than 50 malicious emails sent by attackers over the course of three days.

The Sender

Darktrace/Email immediately understood that the sender never had any previous correspondence with the organization or its employees, and therefore treated the emails with caution from the onset. Not only was Darktrace able to detect this new sender, but it also identified that the emails had been sent from a domain located in China and contained an attachment with a Chinese file name.

The phishing emails detected by Darktrace sent from a domain in China and containing an attachment with a Chinese file name.
Figure 1: The phishing emails detected by Darktrace sent from a domain in China and containing an attachment with a Chinese file name.

Darktrace further detected that the phishing emails had been sent in a synchronized fashion between March 3 and March 5. Eight unique senders were observed sending a total of 55 emails to 55 separate recipients within the customer’s email environment. The format of the addresses used to send these suspicious emails was “12345@fastflavor-shack[.]cn”*. The domain “fastflavor-shack[.]cn” is the legitimate domain of the Chinese division of an international fast-food company, and the numerical username contained five numbers, with the final three digits changing which likely represented different stores.

*(To maintain anonymity, the pseudonym “Fast Flavor Shack” and its fictitious domain, “fastflavor-shack[.]cn”, have been used in this blog to represent the actual fast-food company and the domains identified by Darktrace throughout this incident.)

The use of legitimate domains for malicious activities become commonplace in recent years, with attackers attempting to leverage the trust endpoint users have for reputable organizations or services, in order to achieve their nefarious goals. One similar example was observed when Darktrace detected an attacker attempting to carry out a phishing attack using the cloud storage service Dropbox.

As these emails were sent from a legitimate domain associated with a trusted organization and seemed to be coming from the correct connection source, they were verified by Sender Policy Framework (SPF) and were able to evade the customer’s native email security measures. Darktrace/Email; however, recognized that these emails were actually sent from a user located in Singapore, not China.

Darktrace/Email identified that the email had been sent by a user who had logged in from Singapore, despite the connection source being in China.
Figure 2: Darktrace/Email identified that the email had been sent by a user who had logged in from Singapore, despite the connection source being in China.

The Emails

Darktrace/Email autonomously analyzed the suspicious emails and identified that they were likely phishing emails containing a malicious multistage payload.

Darktrace/Email identifying the presence of a malicious phishing link and a multistage payload.
Figure 3: Darktrace/Email identifying the presence of a malicious phishing link and a multistage payload.

There has been a significant increase in multistage payload attacks in recent years, whereby a malicious email attempts to elicit recipients to follow a series of steps, such as clicking a link or scanning a QR code, before delivering a malicious payload or attempting to harvest credentials [2].

In this case, the malicious actor had embedded a suspicious link into a QR code inside a Microsoft Word document which was then attached to the email in order to direct targets to a malicious domain. While this attempt to utilize a malicious QR code may have bypassed traditional email security tools that do not scan for QR codes, Darktrace was able to identify the presence of the QR code and scan its destination, revealing it to be a suspicious domain that had never previously been seen on the network, “sssafjeuihiolsw[.]bond”.

Suspicious link embedded in QR Code, which was detected and extracted by Darktrace.
Figure 4: Suspicious link embedded in QR Code, which was detected and extracted by Darktrace.

At the time of the attack, there was no open-source intelligence (OSINT) on the domain in question as it had only been registered earlier the same day. This is significant as newly registered domains are typically much more likely to bypass gateways until traditional security tools have enough intelligence to determine that these domains are malicious, by which point a malicious actor may likely have already gained access to internal systems [4]. Despite this, Darktrace’s Self-Learning AI enabled it to recognize the activity surrounding these unusual emails as suspicious and indicative of a malicious phishing campaign, without needing to rely on existing threat intelligence.

The most commonly used sender name line for the observed phishing emails was “财务部”, meaning “finance department”, and Darktrace observed subject lines including “The document has been delivered”, “Income Tax Return Notice” and “The file has been released”, all written in Chinese.  The emails also contained an attachment named “通知文件.docx” (“Notification document”), further indicating that they had been crafted to pass for emails related to financial transaction documents.

Darktrace/Email took autonomous mitigative action against the suspicious emails by holding the message from recipient inboxes.
Figure 5: Darktrace/Email took autonomous mitigative action against the suspicious emails by holding the message from recipient inboxes.

Conclusion

Although this phishing attack was ultimately thwarted by Darktrace/Email, it serves to demonstrate the potential risks of relying on solely language-trained models to detect suspicious email activity. Darktrace’s behavioral and contextual learning-based detection ensures that any deviations in expected email activity, be that a new sender, unusual locations or unexpected attachments or link, are promptly identified and actioned to disrupt the attacks at the earliest opportunity.

In this example, attackers attempted to use non-English language phishing emails containing a multistage payload hidden behind a QR code. As traditional email security measures typically rely on pre-trained language models or the signature-based detection of blacklisted senders or known malicious endpoints, this multistage approach would likely bypass native protection.  

Darktrace/Email, meanwhile, is able to autonomously scan attachments and detect QR codes within them, whilst also identifying the embedded links. This ensured that the customer’s email environment was protected against this phishing threat, preventing potential financial and reputation damage.

Credit to: Rajendra Rushanth, Cyber Analyst, Steven Haworth, Head of Threat Modelling, Email

Appendices  

List of Indicators of Compromise (IoCs)  

IoC – Type – Description

sssafjeuihiolsw[.]bond – Domain Name – Suspicious Link Domain

通知文件.docx – File - Payload  

References

[1] https://darktrace.com/blog/stopping-phishing-attacks-in-enter-language  

[2] https://darktrace.com/blog/attacks-are-getting-personal

[3] https://darktrace.com/blog/phishing-with-qr-codes-how-darktrace-detected-and-blocked-the-bait

[4] https://darktrace.com/blog/the-domain-game-how-email-attackers-are-buying-their-way-into-inboxes

Continue reading
About the author
Rajendra Rushanth
Cyber Analyst

Blog

No items found.

The State of AI in Cybersecurity: The Impact of AI on Cybersecurity Solutions

Default blog imageDefault blog image
13
May 2024

About the AI Cybersecurity Report

Darktrace surveyed 1,800 CISOs, security leaders, administrators, and practitioners from industries around the globe. Our research was conducted to understand how the adoption of new AI-powered offensive and defensive cybersecurity technologies are being managed by organizations.

This blog continues the conversation from “The State of AI in Cybersecurity: Unveiling Global Insights from 1,800 Security Practitioners” which was an overview of the entire report. This blog will focus on one aspect of the overarching report, the impact of AI on cybersecurity solutions.

To access the full report, click here.

The effects of AI on cybersecurity solutions

Overwhelming alert volumes, high false positive rates, and endlessly innovative threat actors keep security teams scrambling. Defenders have been forced to take a reactive approach, struggling to keep pace with an ever-evolving threat landscape. It is hard to find time to address long-term objectives or revamp operational processes when you are always engaged in hand-to-hand combat.                  

The impact of AI on the threat landscape will soon make yesterday’s approaches untenable. Cybersecurity vendors are racing to capitalize on buyer interest in AI by supplying solutions that promise to meet the need. But not all AI is created equal, and not all these solutions live up to the widespread hype.  

Do security professionals believe AI will impact their security operations?

Yes! 95% of cybersecurity professionals agree that AI-powered solutions will level up their organization’s defenses.                                                                

Not only is there strong agreement about the ability of AI-powered cybersecurity solutions to improve the speed and efficiency of prevention, detection, response, and recovery, but that agreement is nearly universal, with more than 95% alignment.

This AI-powered future is about much more than generative AI. While generative AI can help accelerate the data retrieval process within threat detection, create quick incident summaries, automate low-level tasks in security operations, and simulate phishing emails and other attack tactics, most of these use cases were ranked lower in their impact to security operations by survey participants.

There are many other types of AI, which can be applied to many other use cases:

Supervised machine learning: Applied more often than any other type of AI in cybersecurity. Trained on attack patterns and historical threat intelligence to recognize known attacks.

Natural language processing (NLP): Applies computational techniques to process and understand human language. It can be used in threat intelligence, incident investigation, and summarization.

Large language models (LLMs): Used in generative AI tools, this type of AI applies deep learning models trained on massively large data sets to understand, summarize, and generate new content. The integrity of the output depends upon the quality of the data on which the AI was trained.

Unsupervised machine learning: Continuously learns from raw, unstructured data to identify deviations that represent true anomalies. With the correct models, this AI can use anomaly-based detections to identify all kinds of cyber-attacks, including entirely unknown and novel ones.

What are the areas of cybersecurity AI will impact the most?

Improving threat detection is the #1 area within cybersecurity where AI is expected to have an impact.                                                                                  

The most frequent response to this question, improving threat detection capabilities in general, was top ranked by slightly more than half (57%) of respondents. This suggests security professionals hope that AI will rapidly analyze enormous numbers of validated threats within huge volumes of fast-flowing events and signals. And that it will ultimately prove a boon to front-line security analysts. They are not wrong.

Identifying exploitable vulnerabilities (mentioned by 50% of respondents) is also important. Strengthening vulnerability management by applying AI to continuously monitor the exposed attack surface for risks and high-impact vulnerabilities can give defenders an edge. If it prevents threats from ever reaching the network, AI will have a major downstream impact on incident prevalence and breach risk.

Where will defensive AI have the greatest impact on cybersecurity?

Cloud security (61%), data security (50%), and network security (46%) are the domains where defensive AI is expected to have the greatest impact.        

Respondents selected broader domains over specific technologies. In particular, they chose the areas experiencing a renaissance. Cloud is the future for most organizations,
and the effects of cloud adoption on data and networks are intertwined. All three domains are increasingly central to business operations, impacting everything everywhere.

Responses were remarkably consistent across demographics, geographies, and organization sizes, suggesting that nearly all survey participants are thinking about this similarly—that AI will likely have far-reaching applications across the broadest fields, as well as fewer, more specific applications within narrower categories.

Going forward, it will be paramount for organizations to augment their cloud and SaaS security with AI-powered anomaly detection, as threat actors sharpen their focus on these targets.

How will security teams stop AI-powered threats?            

Most security stakeholders (71%) are confident that AI-powered security solutions are better able to block AI-powered threats than traditional tools.

There is strong agreement that AI-powered solutions will be better at stopping AI-powered threats (71% of respondents are confident in this), and there’s also agreement (66%) that AI-powered solutions will be able to do so automatically. This implies significant faith in the ability of AI to detect threats both precisely and accurately, and also orchestrate the correct response actions.

There is also a high degree of confidence in the ability of security teams to implement and operate AI-powered solutions, with only 30% of respondents expressing doubt. This bodes well for the acceptance of AI-powered solutions, with stakeholders saying they’re prepared for the shift.

On the one hand, it is positive that cybersecurity stakeholders are beginning to understand the terms of this contest—that is, that only AI can be used to fight AI. On the other hand, there are persistent misunderstandings about what AI is, what it can do, and why choosing the right type of AI is so important. Only when those popular misconceptions have become far less widespread can our industry advance its effectiveness.  

To access the full report, click here.

Continue reading
About the author
The Darktrace Community
Our ai. Your data.

Elevate your cyber defenses with Darktrace AI

Start your free trial
Darktrace AI protecting a business from cyber threats.