Blog
Eメール
移り変わるEメール上のやり取り:Eメールセキュリティは過去から抜け出せない







Eメールを主なターゲットとする脅威が拡大する中、ITチームは、十分なスピードで進化していない従来のEメールセキュリティの手法をはるかに超えることが必要です。過去の攻撃データに基づいて訓練されているため、以前に見たことのあるものしか検知できないのです。
フィッシング攻撃は、攻撃者が配信戦術とソーシャルエンジニアリングという2つの重要な領域で革新を遂げるにつれて、より標的を絞り、洗練されてきています。マルウェアの配信面では、SharePointやOneDriveなどのサービスや、正規のメールアカウントなどの正規のインフラや評判を利用して、セキュリティツールを回避する攻撃者が増えてきています。
攻撃者は、Eメールの向こう側にいる人間から逃れるために、新しいソーシャルエンジニアリングの戦術を駆使し、これまでと同様に恐怖、不確実性、疑念(FUD)を悪用することで緊急性を喚起しています。
ChatGPTのようなツールの助けを借りて、脅威アクターはAI技術を活用し、信頼できる組織や連絡先になりすますことができます。具体的には、ビジネスメールの侵害、現実的なスピアフィッシング、スプーフィング、ソーシャルエンジニアリングなどの損害を与えることができます。実際、DarktraceはChatGPTのリリース以降、フィッシングメールの平均的な言語的複雑さが17%も跳ね上がったことを検知しています。
これは、攻撃の高度化が加速し、攻撃者の参入障壁が低くなり、攻撃結果が改善された一例です。これは、攻撃環境が、洗練度が低く、インパクトが小さい、一般的なフィッシング戦術(「スプレー&プレー」アプローチ)から、ルールやシグネチャに依存するあらゆるツールの典型的な検知範囲から外れる、より標的を絞った、洗練され、インパクトの大きい攻撃へと移行するという、より広いトレンドの一部を形成しています。攻撃者のツールキットに含まれる生成AIやその他のテクノロジーによって、こうした攻撃を大規模に行うことが可能になり、以前から見られていた既知の脅威を捕らえるだけでは、もはや十分ではなくなります。

Eメールを主なターゲットとする脅威が拡大する中、大半のEメールセキュリティツールは十分な進化を遂げていません。また、過去の攻撃データから次の攻撃を予測し、今日の攻撃を明日につなげるように設計されています。
組織ではAIシステムへの移行が進んでいますが、すべてのAIが同じというわけではなく、そのAIの応用が重要です。ITおよびセキュリティチームは、コンテキストを認識し、AIを活用して深い行動分析を行うメールセキュリティに移行する必要があります。これは、何千もの組織で、他のツールをすり抜ける攻撃を見事にキャッチしてきた、実績のあるアプローチです。また、今日のEメールセキュリティは、受信トレイを保護するだけではありません。悪意のあるメールだけでなく、メールメッセージやアカウントなど、ユーザーの全方位的な視点、さらにメールがコラボレーションツールやSaaSに侵入するような範囲にも対応する必要があるのです。多くの企業にとって、問題はメールセキュリティをアップグレードすべきかどうかではなく、いつアップグレードするか、つまり、過去にとらわれたメールセキュリティにいつまで頼ることができるのかということです。
メールセキュリティ業界はいたちごっこの世界
ゲートウェイやICES(Integrated Cloud Email Security)プロバイダーには、未来を予測するために過去の攻撃に目を向けるという共通点があります。これらのツールは、過去の脅威インテリジェンスや、すでに悪意があると判断されたメールの既知の悪い要素を集めた「拒否リスト」に頼ることが多く、現代の脅威状況の現実に対応できていないのです。これらのツールの中には、AIを使用してこの欠陥のあるアプローチを改善しようとするものもあり、直接一致するものを探すだけでなく、「データ拡張」を使用して類似したメールを見つけようとします。しかし、このアプローチでは、本質的に新しい脅威が見えないことに変わりはありません。
このようなツールは、リソースを過剰に必要とする傾向があり、常にポリシーを維持し、保持されている正当なメールを解放し、悪意のあるフィッシングメールを阻止するための手作業が必要となります。個々のEメールを手動で解除するこの負担は、通常、セキュリティチームに課せられますが、このチームは小規模で複数の担当領域を持つことが多いのです。解決策としては、悪質なメールを自律的に阻止 し、正規のメールを通過させ、組織の変化に適応するテクノロジー、つまり「セット&フォーゲット」という定義に実際に適合するテクノロジーを導入することです。
挙動と文脈を意識する
業界では、「安全な」メールゲートウェイから、AIを活用したインテリジェントな思考への激変が進行中です。正しいアプローチは、エンドユーザーの行動を理解すること、つまり、各人が受信トレイをどのように使っているか、各ユーザーにとって何が「普通」であるかを理解することで、普通でないことを検知することです。また、いつ、どのように、誰と、どのようにコミュニケーションしているかというコンテキストを利用して、異常な点を発見し、何かおかしいと思ったら、その理由とともにユーザーに警告を発します。基本的には、(過去の攻撃ではなく)あなたを理解するためのシステムです。
Darktrace は、過去のデータから危険なものを学習するのではなく、各組織とそのユーザーを深く継続的に理解することで、根本的に異なるアプローチのAIを開発しました。各従業員の通常の日々の行動を複雑に理解してこそ、メールが実際にその受信者の受信箱に属するかどうかを正確に判断することができるのです。
フィッシング、ランサムウェア、請求書詐欺、役員なりすまし、あるいはもっと斬新な手法であっても、行動分析にAIを活用することでより迅速な意思決定が可能になります。悪質な脅威を初見で阻止できるため、新しい攻撃を封じるためにゼロ号患者を待つ必要がありません。検知の信頼性が高まることで、より的確な対応、つまり、警戒心から広範な包括的対応を行うのではなく、メールの最も危険な部分のみを削除する標的型対応を行うことができ、ビジネスの混乱を最小限に抑えながらリスクを低減することができます。
攻撃スペクトルに話を戻すと、マルウェアの配布や被害者の誘導に、斬新な、あるいは一見正当なインフラを使用する高度に洗練された攻撃への移行がますます進んでおり、こうしたインパクトの強い標的型攻撃を検知して適切な対応を行うことがかつてなく重要になってきています。

お客様を理解し、エンドユーザーを全方位で見渡す
現代のEメールセキュリティは、受信箱だけに限定されるものではなく、Eメールやそれ以外の場所でのユーザーの通常の行動を完全に理解する必要があることを私たちは知っています。従来のEメールツールは、侵入のポイントとしてインバウンドメールにのみ焦点を当てており、アカウントが侵害された後、Eメール攻撃の成功によって引き起こされる潜在的に壊滅的なダメージから保護することができません。

Microsoft 365、Google Workspace、Salesforce、Dropbox、そしてネットワーク上のデバイスでのユーザーの行動を把握することは、そのユーザーにとって何が正常であるかを完全に把握するために極めて重要です。デバイス(および受信箱)の感染症状を監視することは、悪意のあるメールかどうかを判断し、今後同様のメールを送信しないようにする必要があるかどうかを判断するために非常に重要です。クラウドアプリのデータと組み合わせることで、IDベースの攻撃をより全体的に把握することができます。
また、メールセキュリティと攻撃対象の外部データを結びつけることで、悪意のあるドメインをプロアクティブに発見し、攻撃が開始される前に防御を強化することができます。
従業員への教育および啓蒙活動
最終的に、Eメールに接するのは従業員です。このようなユーザーをうまく活用することができれば、よりスマートな従業員、より少ない攻撃回数、そしてより戦略的な業務に時間を割くことができるセキュリティチームを手に入れることができるのです。
最も成功するツールは、AIを活用して従業員のセキュリティ意識を向上させることができるものでしょう。明らかに悪意があり、従業員の受信トレイに決して入ってはいけないメールもありますが、潜在的に危険な要素を持つメールには、かなりのグレーゾーンが存在します。大半のセキュリティツールは、これらのメールを、たとえビジネスクリティカルなものであったとしても、完全に受信を拒否するか、あるいは無傷で通過させるかのどちらかです。しかし、このようなグレーゾーンのメールが、実はトレーニングの機会として活用できるとしたらどうでしょうか。
フィッシングシミュレーションベンダーとは対照的に、行動AIは、ユーザーの受信トレイを通じて軽いタッチでトレーニングを行うことで、組織全体のセキュリティ意識を総合的に向上させることができ、エンドユーザーを防御強化の輪に引き込むことができます。
メールセキュリティの新境地は、AIとAIとの戦いであり、遅れをとった組織は、つらい思いをすることになるかもしれません。これらのテクノロジーは、従業員の体験をどのように変え、展開をダイナミックにし、セキュリティチームを増強し、統合された防御ループの一部を形成することができるかについて、Darktraceのブログシリーズをお読みください。
[1] 複数のアクティブなフィッシングペイロードに対するDarktrace/Emailのレスポンスと、他のメールセキュリティ技術が提示した16の独立したフィードのうち最も早いものとの間に生じた検知期間の差の平均
Like this and want more?
Blog
Inside the SOC
Black Basta: Old Dogs with New Tricks



What is Black Basta?
Over the past year, security researchers have been tracking a new ransomware group, known as Black Basta, that has been observed targeted organizations worldwide to deploy double extortion ransomware attacks since early 2022. While the strain and group are purportedly new, evidence seen suggests they are an offshoot of the Conti ransomware group [1].
The group behind Black Basta run a Ransomware as a Service (RaaS) model. They work with initial access brokers who will typically already have a foothold in company infrastructure to begin their attacks. Once inside a network, they then pivot internally using numerous tools to further their attack.
Black Basta Ransomware
Like many other ransomware actors, Black Basta uses double extortion as part of its modus operandi, exfiltrating sensitive company data and using the publication of this as a second threat to affected companies. This is also advertised on a dark web site, setup by the group to apply further pressure for affected companies to make ransom payments and avoid reputational damage.
The group also seems to regularly take advantage of existing tools to undertake the earlier stages of their attacks. Notably, the Qakbot banking trojan, seems to be the malware often used to gain an initial foothold within compromised environments.
Analysis of the tools, procedures and infrastructure used by Black Basta belies a maturity to the actors behind the ransomware. Their models and practices suggest those involved are experienced individuals, and security researchers have drawn possible links to the Conti ransomware group.
As such, Black Basta is a particular concern for security teams as attacks will likely be more sophisticated, with attackers more patient and able to lie low on digital estates for longer, waiting for the opportune moment to strike.
Cyber security is an infinite game where defender and attacker are stuck as cat and mouse; as new attacks evolve, security vendors and teams respond to the new indicators of compromise (IoCs), and update their existing rulesets and lists. As a result, attackers are forced to change their stripes to evade detection or sometimes even readjust their targets and end goals.
Anomaly Based Detection
By using the power of Darktrace’s Self-Learning AI, security teams are able to detect deviations in behavior. Threat actors need to move through the kill chain to achieve their aims, and in doing so will cause affected devices within networks to deviate from their expected pattern of life. Darktrace’s anomaly-based approach to threat detection allows it recognize these subtle deviations that indicate the presence of an attacker, and stop them in their tracks.
Additionally, the ecosystem of cyber criminals has matured in the last few decades. It is well documented how many groups now operate akin to legitimate companies, with structure, departments and governance. As such, while new attack methods and tactics do appear in the wild, the maturity in their business models belie the experience of those behind the attack.
As attackers grow their business models and develop their arsenal of attack vectors, it becomes even more critical for security teams to remain vigilant to anomalies within networks, and remain agnostic to underlying IoCs and instead adopt anomaly detection tools able to identify tactics, techniques, and procedures (TTPs) that indicate attackers may be moving through a network, ahead of deployment of ransomware and data encryption.
Darktrace’s Coverage of Black Basta
In April 2023, the Darktrace Security Operations Center (SOC) assisted a customer in triaging and responding to an ongoing ransomware infection on their network. On a Saturday, the customer reached out directly to the Darktrace analyst team via the Ask the Expert service for support after they observed encrypted files and locked administrative accounts on their network. The analyst team were able to investigate and clarify the attack path, identifying affected devices and assisting the customer with their remediation. Darktrace DETECT™ observed varying IoCs and TTPs throughout the course of this attack’s kill chain; subsequent analysis into these indicators revealed this had likely been a case of Black Basta seen in the wild.
初期の侵入
The methods used by the group to gain an initial foothold in environments varies – sometimes using phishing, sometimes gaining access through a common vulnerability exposed to the internet. Black Basta actors appear to target specific organizations, as opposed to some groups who aim to hit multiple at once in a more opportunistic fashion.
In the case of the Darktrace customer likely affected by Black Basta, it is probable that the initial intrusion was out of scope. It may be that the path was via a phishing email containing an Microsoft Excel spreadsheet that launches malicious powershell commands; a noted technique for Black Basta. [3][4] Alternatively, the group may have worked with access brokers who already had a foothold within the customer’s network.
One particular device on the network was observed acting anomalously and was possibly the first to be infected. The device attempted to connect to multiple internal devices over SMB, and connected to a server that was later found to be compromised and is described throughout the course of this blog. During this connection, it wrote a file over SMB, “syncro.exe”, which is possibly a legitimate Remote Management software but could in theory be used to spread an infection laterally. Use of this tool otherwise appears sporadic for the network, and was notably unusual for the environment.
Given these timings, it is possible this activity is related to the likely Black Basta compromise. However, there is some evidence online that use of Syncro has been seen installed as part of the execution of loaders such as Batloader, potentially indicating a separate or concurrent attack [5].
Internal Reconnaissance + Lateral Movement
However the attackers gained access in this instance, the first suspicious activity observed by Darktrace originated from an infected server. The attacker used their foothold in the device to perform internal reconnaissance, enumerating large portions of the network. Darktrace DETECT’s anomaly detection noted a distinct rise in connections to a large number of subnets, particularly to closed ports associated with native Windows services, including:
- 135 (RPC)
- 139 (NetBIOS)
- 445 (SMB)
- 3389 (RDP)
During the enumeration, SMB connections were observed during which suspiciously named executable files were written:
- delete.me
- covet.me
Data Staging and Exfiltration
Around 4 hours after the scanning activity, the attackers used their knowledge gained during enumeration about the environment to begin gathering and staging data for their double extortion attempts. Darktrace observed the same infected server connecting to a file storage server, and downloading over 300 GiB of data. Darktrace DETECT identified that the connections had been made via SMB and was able to present a list of filenames to the customer, allowing their security team to determine the data that had likely been exposed to the attackers.
The SMB paths detected by Darktrace showed a range of departments’ file areas being accessed by threat actors. This suggests they were interested in getting as much varied data as possible, presumably in an attempt to ensure a large amount of valuable information was at their disposal to make any threats of releasing them more credible, and more damaging to the company.
Shortly after the download, the device made an external connection over SSH to a rare domain, dataspt[.]com, hosted in the United States. The connection itself was made over an unusual port, 2022, and Darktrace recognized that the domain was new for the network.
During this upload, the threat actors uploaded a similar volume of data to the 300GiB that had been downloaded internally earlier. Darktrace flagged the usual elements of this external upload, making the identification and triage of this exfiltration attempt easier for the customer.
On top of this, Darktrace’s autonomous investigation tool Cyber AI Analyst™ launched an investigation into this on-going activity and was able to link the external upload events to the internal download, identifying them as one exfiltration incident rather than two isolated events. AI Analyst then provided a detailed summary of the activity detected, further speeding up the identification of affected files.
Preparing for Exploitation
All the activity documented so far had occurred on a Wednesday evening. It was at this point that the burst of activity calmed, and the ransomware lay in wait within the environment. Other devices around the network, particularly those connected to by the original infected server and a domain controller, were observed performing some elements of anomalous activity, but the attack seemed to largely take a pause.
However, on the Saturday morning, 3 days later, the compromised server began to change the way it communicated with attackers by reaching out to a new command and control (C2) endpoint. It seemed that attackers were gearing up for their attack, taking advantage of the weekend to strike while security teams often run with a reduced staffing.
Darktrace identified connections to a new endpoint within 4 minutes of it first being seen on the customer’s environment. The server had begun making repeated SSL connections to the new external endpoint, faceappinc[.]com, which has been flagged as malicious by various open-source intelligence (OSINT) sources.
The observed JA3 hash (d0ec4b50a944b182fc10ff51f883ccf7) suggests that the command-line tool BITS Admin was being used to launch these connections, another suggestion of the use of mature tooling.
In addition to this, Darktrace also detected the server using an administrative credential it had never previously been associated with. Darktrace recognized that the use of this credential represented a deviation from the device’s usual activity and thus could be indicative of compromise.
The server then proceeded to use the new credential to authenticate over Keberos before writing a malicious file (“management.exe”) to the Temp directory on a number of internal devices.
Encryption
At this point, the number of anomalous activities detected from the server increased massively as the attacker seems to connect networkwide in an attempt to cause as quick and destructive an encryption effort as possible. Darktrace observed numerous files that had been encrypted by a local process. The compromised server began to write ransom notes, named “instructions_read_me.txt” to other file servers, which presumably also had successfully deployed payloads. While Black Basta actors had initially been observed dropping ransom notes named “readme.txt”, security researchers have since observed and reported an updated variant of the ransomware that drops “instructions_read_me_.txt”, the name of the file detected by Darktrace, instead [6].
Another server was also observed making repeated SSL connections to the same rare external endpoint, faceappinc[.]com. Shortly after beginning these connections, the device made an HTTP connection to a rare IP address with no hostname, 212.118.55[.]211. During this connection, the device also downloaded a suspicious executable file, cal[.]linux. OSINT research linked the hash of this file to a Black Basta Executable and Linkable File (ELF) variant, indicating that the group was highly likely behind this ransomware attack.
Of particular interest again, is how the attacker lives off the land, utilizing pre-installed Windows services. Darktrace flagged that the server was observed using PsExec, a remote management executable, on multiple devices.
Darktrace Assistance
Darktrace DETECT was able to clearly detect and provide visibility over all stages of the ransomware attack, alerting the customer with multiple model breaches and AI Analyst investigation(s) and highlighting suspicious activity throughout the course of the attack.
For example, the exfiltration of sensitive data was flagged for a number of anomalous features of the meta-data: volume; rarity of the endpoint; port and protocol used.
In total, the portion of the attack observed by Darktrace lasted about 4 days from the first model breach until the ransomware was deployed. In particular, the encryption itself was initiated on a Saturday.
The encryption event itself was initiated on a Saturday, which is not uncommon as threat actors tend to launch their destructive attacks when they expect security teams will be at their lowest capacity. The Darktrace SOC team regularly observes and assists in customer’s in the face of ransomware actors who patiently lie in wait. Attackers often choose to strike as security teams run on reduced hours of manpower, sometimes even choosing to deploy ahead of longer breaks for national or public holidays, for example.
In this case, the customer contacted Darktrace directly through the Ask the Expert (ATE) service. ATE offers customers around the clock access to Darktrace’s team of expert analysts. Customers who subscribe to ATE are able to send queries directly to the analyst team if they are in need of assistance in the face of suspicious network activity or emerging attacks.
In this example, Darktrace’s team of expert analysts worked in tandem with Cyber AI Analyst to investigate the ongoing compromise, ensuring that the investigation and response process were completed as quickly and efficiently as possible.
Thanks to Darktrace’s Self-Learning AI, the analyst team were able to quickly produce a detailed report enumerating the timeline of events. By combining the human expertise of the analyst team and the machine learning capabilities of AI Analyst, Darktrace was able to quickly identify anomalous activity being performed and the affected devices. AI Analyst was then able to collate and present this information into a comprehensive and digestible report for the customer to consult.
結論
It is likely that this ransomware attack was undertaken by the Black Basta group, or at least using tools related to their method. Although Black Basta itself is a relatively novel ransomware strain, there is a maturity and sophistication to its tactics. This indicates that this new group are actually experienced threat actors, with evidence pointing towards it being an offshoot of Conti.
The Pyramid of Pain is a well trodden model in cyber security, but it can help us understand the various features of an attack. Indicators like static C2 destinations or file hashes can easily be changed, but it’s the underlying TTPs that remain the same between attacks.
In this case, the attackers used living off the land techniques, making use of tools such as BITSAdmin, as well as using tried and tested malware such as Qakbot. While the domains and IPs involved will change, the way these malware interact and move about systems remains the same. Their fingerprint therefore causes very similar anomalies in network traffic, and this is where the strength of Darktrace lies.
Darktrace’s anomaly-based approach to threat detection means that these new attack types are quickly drawn out of the noise of everyday traffic within an environment. Once attackers have gained a foothold in a network, they will have to cause deviation from the usual pattern of a life on a network to proceed; Darktrace is uniquely placed to detect even the most subtle changes in a device’s behavior that could be indicative of an emerging threat.
Machine learning can act as a force multiplier for security teams. Working hand in hand with the Darktrace SOC, the customer was able to generate cohesive and comprehensive reporting on the attack path within days. This would be a feat for humans alone, requiring significant resources and time, but with the power of Darktrace’s Self-Learning AI, these deep and complex analyses become as easy as the click of a button.
Credit to: Matthew John, Director of Operations, SOC, Paul Jennings, Principal Analyst Consultant
Appendices
Darktrace DETECT Model Breaches
内部偵察
Device / Multiple Lateral Movement Model Breaches
Device / Large Number of Model Breaches
Device / Network Scan
Device / Anomalous RDP Followed by Multiple Model Breaches
Device / Possible SMB/NTLM Reconnaissance
Device / SMB Lateral Movement
Anomalous Connection / SMB Enumeration
Anomalous Connection / Possible Share Enumeration Activity
Device / Suspicious SMB Scanning Activity
Device / RDP Scan
Anomalous Connection / Active Remote Desktop Tunnel
Device / Increase in New RPC Services
Device / ICMP Address Scan
Download and Upload
Unusual Activity / Enhanced Unusual External Data Transfer
Unusual Activity / Unusual External Data Transfer
Anomalous Connection / Uncommon 1 GiB Outbound
Anomalous Connection / Data Sent to Rare Domain
Anomalous Connection / Download and Upload
Compliance / SSH to Rare External Destination
Anomalous Server Activity / Rare External from Server
Anomalous Server Activity / Outgoing from Server
Anomalous Connection / Application Protocol on Uncommon Port
Anomalous Connection / Multiple Connections to New External TCP Port
Device / Anomalous SMB Followed By Multiple Model Breaches
Unusual Activity / SMB Access Failures
Lateral Movement and Encryption
User / New Admin Credentials on Server
Compliance / SMB Drive Write
Device / Anomalous RDP Followed By Multiple Model Breaches
Anomalous Connection / High Volume of New or Uncommon Service Control
Anomalous Connection / New or Uncommon Service Control
Device / New or Unusual Remote Command Execution
Anomalous Connection / SMB Enumeration
Additional Beaconing and Tooling
Device / Initial Breach Chain Compromise
Device / Multiple C2 Model Breaches
Compromise / Large Number of Suspicious Failed Connections
Compromise / Sustained SSL or HTTP Increase
Compromise / SSL or HTTP Beacon
Compromise / Suspicious Beaconing Behavior
Compromise / Large Number of Suspicious Successful Connections
Compromise / High Volume of Connections with Beacon Score
Compromise / Slow Beaconing Activity To External Rare
Compromise / SSL Beaconing to Rare Destination
Compromise / Beaconing Activity To External Rare
Compromise / Beacon to Young Endpoint
Compromise / Agent Beacon to New Endpoint
Anomalous Server Activity / Rare External from Server
Anomalous Connection / Multiple Failed Connections to Rare Endpoint
Anomalous File / EXE from Rare External Location
IoC - Type - Description + Confidence
dataspt[.]com - Hostname - Highly Likely Exfiltration Server
46.22.211[.]151:2022 - IP Address and Unusual Port - Highly Likely Exfiltration Server
faceappinc[.]com - Hostname - Likely C2 Infrastructure
Instructions_read_me.txt - Filename - Almost Certain Ransom Note
212.118.55[.]211 - IP Address - Likely C2 Infrastructure
delete[.]me - Filename - Potential lateral movement script
covet[.]me - Filename - Potential lateral movement script
d0ec4b50a944b182fc10ff51f883ccf7 - JA3 Client Fingerprint - Potential Windows BITS C2 Process
/download/cal.linux - URI - Likely BlackBasta executable file
1f4dcfa562f218fcd793c1c384c3006e460213a8 - Sha1 File Hash - Likely BlackBasta executable file

参考文献
[1] https://blogs.blackberry.com/en/2022/05/black-basta-rebrand-of-conti-or-something-new
[2] https://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and-the-black-basta-ransomware-group-targeting-u.s.-companies
[4] https://unit42.paloaltonetworks.com/atoms/blackbasta-ransomware/
[6] https://www.pcrisk.com/removal-guides/23666-black-basta-ransomware
Blog
Using AI to Help Humans Function Better During a Cyber Crisis



Within cyber security, crises are a regular occurrence. Whether due to the ever-changing tactics of threat actors or the emergence of new vulnerabilities, security teams find themselves under significant pressure and frequently find themselves in what psychologists term "crisis states."1
A crisis state refers to an internal state marked by confusion and anxiety to such an extent that previously effective coping mechanisms give way to ineffective decision-making and behaviors.2
Given the prevalence of crises in the field of cyber security, practitioners are more prone to consistently making illogical choices due to the intense pressure they experience. They also grapple with a constant influx of rapidly changing information, the need for swift decision-making, and the severe consequences of errors in judgment. They are often asked to assess hundreds of variables and uncertain factors.
The frequency of crisis states is expected to rise as generative AI empowers cyber criminals to accelerate the speed, scale, and sophistication of their attacks.
Why is it so challenging to operate effectively and efficiently during a crisis state? Several factors come into play.
Firstly, individuals are inclined to rely on their instincts, rendering them susceptible to cognitive biases. This makes it increasingly difficult to assimilate new information, process it appropriately, and arrive at logical decisions. Since crises strike unexpectedly and escalate rapidly into new unknowns, responders experience heightened stress, doubt and insecurity when deciding on a course of action.
These cognitive biases manifest in various forms. For instance, confirmation bias prompts people to seek out information that aligns with their pre-existing beliefs, while hindsight bias makes past events seem more predictable in light of present context and information.
Crises also have a profound impact on information processing and decision-making. People tend to simplify new information and often cling to the initial information they receive rather than opting for the most rational decision.
For instance, if an organization has successfully thwarted a ransomware attack in the past, a defender might assume that employing the same countermeasures will suffice for a subsequent attack. However, ransomware tactics are constantly evolving, and a subsequent attack could employ different strategies that evade the previous defenses. In a crisis state, individuals may revert to their prior strategy instead of adapting based on the latest information.
Given there are deeply embedded psychological tendencies and hard-wired decision-making processes leading to a reduction in logic during a crisis, humans need support from technology that does not suffer from the same limitations, particularly in the post-incident phase, where stress levels go into overdrive.
In the era of rapidly evolving novel attacks, security teams require a different approach: AI.
AI can serve as a valuable tool to augment human decision-making, from detection to incident response and mitigation. This is precisely why Darktrace introduced HEAL, which leverages self-learning AI to assist teams in increasing their cyber resilience and managing live incidents, helping to alleviate the cognitive burden they face.
Darktrace HEAL™ learns from your environment, including data points from real incidents and generates simulations to identify the most effective approach for remediation and restoring normal operations. This reduces the overwhelming influx of information and facilitates more effective decision-making during critical moments.
Furthermore, HEAL offers security teams the opportunity to safely simulate realistic attacks within their own environment. Using specific data points from the native environment, simulated incidents prepare security teams for a variety of circumstances which can be reviewed on a regular basis to encourage effective habit forming and reduce cognitive biases from a one-size-fits-all approach. This allows them to anticipate how attacks might unfold and better prepare themselves psychologically for potential real-world incidents.
With the right models and data, AI can significantly mitigate human bias by providing remediation recommendations grounded in evidence and providing proportionate responses based on empirical evidence rather than personal interpretations or instincts. It can act as a guiding light through the chaos of an attack, providing essential support to human security teams.
1 www.cybersecuritydive.com/news/incident-response-impacts-wellbeing/633593
2 blog.bcm-institute.org/crisis-management/making-decision-during-a-crisis