Darktrace/Endpoint use cases

Securing the modern workforce

Dive into specific threat profiles and see how to reduce time-to-meaning at the endpoint, anywhere your users go.

Ransomware

Ransomware is a multi-stage attack that can begin with a single compromised endpoint device and end with company-wide data encryption. Learn what Darktrace/Endpoint can do to neutralize it at every stage.

Initial Intrusion

Stopping threats the moment they emerge on an endpoint, network or email system is the best way to prevent business disruption. Darktrace has identified well-known exploits such as Log4J, Hafnium and Kaseya without relying on threat intelligence, and spots thousands of lesser-known exploits on a regular basis.

Sample analysis of Darktrace/Endpoint
Every threat is different, but some unusual patterns Darktrace/Endpoint assesses include:
Unusual Incoming RDP
Unusual file download
Unusual .exe file
Torrenting

Establish Foothold and Beaconing

Darktrace/Endpoint pieces together anomalies to detect when an attacker is attempting to make contact with and remotely control a device.

Darktrace RESPOND/Endpoint neutralizes this activity by blocking specific connections or enforcing the ‘pattern of life’.

Sample analysis of Darktrace/Endpoint
Every threat is different, but here are some unusual patterns Darktrace/Endpoint might assess when revealing this type of attack:
Beaconing to a young endpoint
Anomalous file downloads
Beaconing activity to external rare endpoint
Connections to unusual endpoint

Data Exfiltration

Whether a smash-and-grab or a low-and-slow operation, DETECT/Endpoint identifies subtle deviations in activity to prevent data being exfiltrated from company devices.

Darktrace RESPOND/Endpoint neutralizes this activity by blocking specific connections, enforcing the ‘pattern of life’ or quarantining the device.

Sample analysis of Darktrace/Endpoint
Every threat is different, but here are some unusual patterns Darktrace/Endpoint might assess when revealing this type of attack:
Low and slow exfiltration
Uncommon 1 GiB Outbound
Data sent to rare domain
Unusual External Data Transfer
Unusual data download / upload to rare destination

Data Encryption

Even if familiar tools and methods are used to carry out the encryption, whether symmetric or asymmetric, Darktrace detects the activity without using static rules or signatures.

Darktrace RESPOND/Endpoint neutralizes this activity by blocking specific connections, enforcing the ‘pattern of life’ or quarantining the device.

Sample analysis of Darktrace/Endpoint
Every threat is different, but here are some unusual patterns Darktrace/Endpoint might assess when revealing this type of attack:
Additional extension appended to SMB file
Suspicious SMB read/write ratio
Sustained MIME type conversion
Possible Ransom Note
Suspicious SMB Activity

Insider Threat

Whether a malicious leaver attempting to exfiltrate data or a careless employee misusing a company device, Darktrace’s understanding of normal patterns of life allows it to stop threats on the inside.

Sample analysis of Darktrace/Endpoint
Every threat is different, but here are some unusual patterns Darktrace/Endpoint might assess when revealing this type of attack:
Sustained SSL and HTTP Increase
ICMP Address Scan
Uncommon WMI Activity
Numeric Exe Download
Anomalous File Download
Suspicious SMB Activity
Multiple Unusual File Uploads
Suspicious SMB Read/Write Ratio
Fast Beaconing to DGA

Supply Chain Attack (Third Party Software Vulnerability)

Endpoints can be used as a first point of entry for expansive supply chain attacks. Darktrace stops threats arising from the supply chain by taking immediate action at the first sign of unusual and threatening activity.

Sample analysis of Darktrace/Endpoint
Every threat is different, but here are some unusual patterns Darktrace/Endpoint might assess when revealing this type of attack:
EXE from Rare External Location
New User Agent to IP Without Hostname
Beacon to Young Endpoint
Suspicious Self-Signed SSL
IPSec VPN to Rare IP

Crypto-Mining

Malicious crypto-mining can exploit endpoint hardware and is notoriously difficult to detect. It may also be just one phase of an attacker’s wider plan to infiltrate an organization.

Darktrace shines a light on open ports and internet-facing devices you didn’t know about, and detects the first stages of an attack before crypto-mining can even begin. It also alerts to crypto-mining activity itself, and can be configured to stop the activity autonomously.

Sample analysis of Darktrace/Network
Every threat is different, but here are some unusual patterns Darktrace/Endpoint might assess when revealing this type of attack:
Crypto Currency Mining Activity
Slow Beaconing Activity to External Rare
Suspicious Beacons to Rare PHP Endpoint
SMB Drive Write

An Unlimited Number of Attacks

An unlimited number of responses

Good news for your business.
Bad news for the bad guys.

Start your free trial

Flexible delivery
You can either install it virtually or with hardware.
Fast install
Just 1 hour to set up – and even less for an email security trial.
Choose your journey
Try out Self-Learning AI wherever you most need it — including cloud, network or email.
No commitment
Full access to the Darktrace Threat Visualizer and three bespoke Threat Reports, with no obligation to purchase.

Get a demo
