Cyber Intelligence:

Getting Ahead of Compromise

Executive Summary

As cyber threats become an inevitable part of the fabric of the enterprise’s digital environments, and targeted attacks are increasingly subtle and manipulative, the limitations of traditional security controls have been exposed. The defender is challenged with enhancing their visibility and insights into their own organizations’ systems, in order to regain the advantage and inform critical, timely decision-making. Cyber intelligence is central to this challenge, providing total visibility and tailored, real-time insights into emerging anomalies – as opposed to feeds of old news about previous threats. This intelligence-based approach is at the heart of the new generation of cyber defense, based on skilled people and cutting-edge ‘immune system’ technologies engaged in an ongoing process of learning, understanding and dealing with developing issues, before they turn into crises.

“Gaining ongoing insight into ecosystem vulnerabilities and threats helps anticipate and plan for risks that might sideline others who are less informed” PWC

“Darktrace provides us with absolute visibility into what is happening in real time. We can now pinpoint and target our security resources”
Louis Kangurs, Virgin Trains

Staying open for business

The breach of the network perimeter is now assumed as inevitable by today’s security professional. This is the new reality, in which network boundary technologies, while playing a critical role in a layered defensive strategy, are insufficient to defeat the targeted attacker. It is accepted that breaches are unavoidable, and that it is a case of ‘when’ rather than ‘if’. In this new world, the challenge has changed. As well as defending the boundary, the modern business needs to address the threat within, and develop an intelligence-led approach to detecting live threats within a complex information environment.

Modern organizations are dependent on their ability to do business in an open and connected marketplace. The lifeblood of the enterprise is its data, and in order to drive growth, this diverse data must flow beyond and around traditional network boundaries. It is constantly moving between the organization and its customers, suppliers, staff, partners and so on. The challenge of the CISO today is to protect data that is ‘out there’ in the wild. Indeed, the very improvements that have enabled enterprises to thrive in the last ten years – connectivity, digitization, innovation – are the very things that have exposed them to the most risk. Today’s security professionals understand the balance that must be struck when considering the staff of an organization. Employees need to be trusted as valuable assets, but they also represent a significant threat to the integrity of the enterprise’s data and, whether malicious or negligent, their behaviors elevate risk.

While there may be a temptation to tighten these controls and introduce more stringent policies, the reality of doing business means that people will always find a way around barriers that hinder them. Anyone will tell you that you can cure any disease if you kill the patient. As businesses, we cannot afford to suffocate ourselves with laborious and impracticable security controls under the illusion that we are more ‘secure’ as a result, at the expense of our ability to be competitive, agile and efficient. The challenge to today’s security professionals is to protect the enterprise’s most valuable assets while continuing to enable data to support growth.

Staying open for business within the context of an ever-changing threat landscape requires a balance between risk and benefit. The balance required is never completely stable or static, but is constantly being readjusted to keep the scales equally weighted. It is a challenge that requires a subtle approach, based on a mentality of intelligence over security. Whereas cyber security assumes that defensive measures must work 100% of the time, cyber intelligence provides evidence-based insights that directly inform decision-making, surfacing high-priority issues over less significant ones, and giving the organization the best possible oversight and understanding of its own state of health, in order to implement the best treatment plan.

Living under the radar

Cyber-attacks fill the headlines week after week, with dizzying figures of customer accounts compromised and negative reputational impact making for dramatic stories. Major breaches require immediate remedial action, with time, effort and money poured into clearing up after a compromise.

The concept of a ‘clean-up’ operation after a cyber-attack is a flawed one, however. Organizations are never free of threats and potentially dangerous or malicious influences. While there is huge pressure on companies post-breach to be seen to be taking action, to mitigate the reputational hit and restore customer, market and shareholder confidence, it is often a case of ‘too little, too late’. Too late because the damage is done, and too little because the adversary has gained such a level of control and infiltration within the target organization that its ability to defend itself retrospectively is limited.

The challenge of the last few years has been aggravated by the industrialization of the cyber-crime economy and the increasing sophistication of the perpetrators. Advanced exploit tools are readily available on the internet – customizable malware, laboratories for testing and previously unseen hacking techniques can be exchanged and traded – which means that gaining a foothold within an organization has become trivial. Once inside, incognito attacks take place that are very difficult to spot because they are careful and subtle.

Firstly, outside attackers will typically use the authorized access credentials of an employee, to avoid tripping perimeter alarms. This makes it extremely difficult to distinguish authorized activity from a cyber-threat actor intent on doing harm. Attackers use this cloak of legitimacy to perpetrate their attack, disguising themselves amid the normal interactions of that user and the day-to-day noise of the network. Being recognized as legitimate at the point of entry gives attackers an advantage. They are considered to be ‘trusted’, and the challenge of moving within the enterprise to find and eventually egress data or manipulate systems becomes easier.

Furthermore, attackers not only use targeted email campaigns and exploit legitimate credentials in order to pass under the radar, but they may also use zero-day exploits and purpose-built malware to achieve their goals. Subtle, well-disguised attacks are increasingly played out over long periods of time too, a testament to the adversary’s patience and persistence. An advanced threat actor may lie low in the network for days, weeks or months on end, patiently lying dormant within the organization in order to minimize the chances of being uncovered. Indeed, the average time that it takes to detect a malicious cyber-crime attack stands at 170 days, with advanced attacks involving insiders taking 259 days on average to detect.

During this time, the adversary gradually builds up an understanding of the network and its architecture that informs the steps they take to move around the network laterally and carry out the tailored attack. While the defending organization is constantly distracted by day-to-day business issues, the attacker has the advantage of time and resource, biding their time to collect intelligence and perpetrate their operation with a high degree of confidence about what they are doing, where they need to go and how to avoid detection.

Typically, an advanced attacker will look to gain persistence, both on a host and indeed on a network. Looking to have options in the event of detection, an attacker will attempt to infiltrate a range of devices and servers on a network. Attackers will often be able to move within a network and develop knowledge of the tools used to detect them, allowing them to move stealthily enough to avoid detection by traditional rules-based technologies. The noise of the network, and the large volume of output from log-based technologies, often makes it impossible to detect the subtle movement of the attacker. Although the evidence is often discovered in the post-incident forensic phase, the defender has simply been overwhelmed by the sheer volume of noise.

Precious time

Time is therefore an extremely precious resource, and one the defender is often poor in. The advanced attacker meanwhile has vast resources in terms of human capital, time and funding to create capabilities that bypass the various components of traditional security stacks. Organizations consistently struggle to detect compromises at the earliest point of relevance, before damage is being or has been done, such as a large-scale data breach or a major operational interruption. Instead they find themselves in a race against the clock to clean up and minimize financial, reputational and operational damage, in spite of the many months of preparation and lateral movement by the threat actor prior to the final attack or breach activity. As long as the attacker continues to have the time advantage over the defender, target organizations will continually be on the back foot.

Businesses need to hit the reset button, and rethink the way that they view cyber security and cyber-attacks. To start with, this means ceasing to consider these concepts as absolute states; the former is not practically viable, and the latter has no clear perimeters – a cyber-attack has no obvious starting point and no clear end either. Every attack starts with a compromise, which starts with a subtle change in the normal order of things and builds to form a chain of events that together can wield control of a foreign environment and jeopardize that environment and its contents.

In an age of countless, ever-changing threats, analyzing yesterday’s adversaries is no guarantee of protecting against tomorrow’s. Today’s attackers are constantly adapting their techniques and strategies in order to stay persistent and achieve longevity within your systems. The baseline of normal behavior is constantly changing.

We therefore need to start counting time differently, looking to ‘catch’ suspicious activity within the window of time between the initial compromise and the first signs of abnormality. Rather than investing in post-mortem research of past breaches and compromises, we should focus on finding tomorrow’s problems – by tuning our ears to the very subtle signals that are emitted in the noise of a busy organization. Within an enterprise IT environment, this requires two key elements:

Visibility and insight

Organizations need to take a step back when considering cyber defense strategies, first asking the question: how well do I know my own environment? As network infrastructures and intranets have grown and expanded with more and more devices, functionality and technologies, the digital architecture of an organization of any significant size is typically very complex. IT security managers and risk directors often lack visibility of the very systems that they manage, accessing only data siloes and focusing on specific parts of the organization where there are known problems to resolve.

Total visibility of all digital interactions and communications, not just a subset of them, is critical because it allows security professionals to make the best possible decisions, based on an understanding of the bigger picture. With visibility of the global trends and patterns that are happening on a day-to-day basis across the enterprise, these individuals are in a better position to configure security controls and the network environment, identify vulnerabilities or rogue employees, and indeed curb live cyber-threats. Seeing and understanding what is going on in real time is the first step to seeing what should not be happening – however subtle the deviation is.

Intelligent analysis and abnormality detection

With situational awareness of the entirety of an organization’s activity, new technologies can be leveraged to analyze it, and form a constantly-evolving picture of normality. Fundamental advances in probabilistic mathematics and machine learning have made this approach possible, delivered by technology that learns what is normal and abnormal within a particular organizational environment on a continual basis, and surfaces probabilistically anomalous events in real time.

Anomalies, or deviations from learnt normal behaviors across devices, networks and users, must be genuine and based on a dynamic understanding of the environment. Abnormal behavior can often be dealt with in a responsible way by business units – but only if it is detected early. Organizations need to liberate themselves from the task of sifting through masses of security alerts, produced on the basis of predefined assumptions of what constitutes ‘a threat’, and instead employ tailored intelligence that illuminates the digital enterprise environment and informs decision-making. Ultimately, mitigating risk is a continual exercise of informed decision-making by business professionals – the ability to focus on the right decisions and areas of concern requires a new generation of technology that is self-learning, probabilistic and adaptive.

Cyber intelligence vs Threat intelligence

‘Threat intelligence’ is a term that has been given to the collection and sharing of information about identified threats. Essentially it refers to a database or feed of information that must be matched against an organization’s security alerts, logs and other forensics data to determine if a specific activity is a threat to the organization. If a detection can be correlated with a piece of threat data, it may be used to help protect against similar attacks that are still circulating.

The fundamental flaw of sharing information about past attacks is that it is retrospective and does not help organizations defend against tomorrow’s fresh attacks. It requires at least one organization to get burnt by each new attack vector in order to find it, and is limited to telling you about previous attacks, on the assumption that the same attack might replicate itself. Typically, it takes months for a new attack vector or technique to manifest in threat intelligence feeds. In the meantime, your enterprise is vulnerable to those same attacks that have yet to be revealed and shared by prior victims. At worst, it is a mass of inapplicable data that distracts from the core objective of the organization, which is to defend against future attacks, not past ones. It is little solace to know that your organization was the first to discover, and suffer, a new threat and the first to add it to the threat feed, for others to protect themselves.

Intelligence about threats must be tailored to an organization to be useful, and must feed into a human being at some point, in order for difficult decisions to be made. The best intelligence is that which assists human beings in the decision-making process, and gives them the best degree of confidence that those decisions are correct, appropriate and, most importantly, timely enough to avoid a full-scale data breach, operational interruption or reputational hit.

True cyber intelligence is therefore not about identifying past threats and attack vectors, but is focused on understanding exactly what is happening within the organization, to a level of granularity that will expose even very subtle and quiet actions. Clever intelligence is about analyzing this detailed, real-time information in such a way as to correlate multiple weak indicators and form a picture of understanding from that data.
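The contrast drawn in the two sections above, between a learnt picture of normality that surfaces probabilistic anomalies from several weak indicators and a feed of indicators from previous incidents, can be made concrete. The following is an added illustration, not Darktrace’s code or method; the device name, destinations, feed entries and weightings are all constructed for the example.

```python
"""Added example (not Darktrace code): a per-device behavioural baseline
compared with matching against a static indicator feed.
All events and feed entries below are constructed, not real telemetry."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history for one hypothetical workstation:
# (device, hour_of_day, destination, bytes_out) per outbound connection.
HISTORY = [
    ("ws-017", 9, "crm.internal", 12_000), ("ws-017", 10, "mail.internal", 8_500),
    ("ws-017", 11, "crm.internal", 15_000), ("ws-017", 14, "files.internal", 22_000),
    ("ws-017", 15, "mail.internal", 9_000), ("ws-017", 16, "crm.internal", 11_000),
    ("ws-017", 9, "files.internal", 18_000), ("ws-017", 13, "mail.internal", 7_500),
]

# Constructed threat feed: destinations reported from *previous* incidents.
THREAT_FEED = {"known-bad.example", "old-c2.example"}


def build_baseline(events):
    """Learn, per device, its usual active hours, its usual destinations and
    the mean/standard deviation of bytes sent per connection."""
    by_dev = defaultdict(list)
    for dev, hour, dst, nbytes in events:
        by_dev[dev].append((hour, dst, nbytes))
    baseline = {}
    for dev, rows in by_dev.items():
        sizes = [b for _, _, b in rows]
        baseline[dev] = {
            "hours": {h for h, _, _ in rows},
            "dests": {d for _, d, _ in rows},
            "mean": mean(sizes),
            "std": pstdev(sizes) or 1.0,  # guard against a zero spread
        }
    return baseline


def feed_match(event):
    """Retrospective check: is the destination already on the feed?"""
    return event[2] in THREAT_FEED


def anomaly_score(event, baseline):
    """Combine weak indicators into one score in [0, 1]. No single indicator
    is conclusive; together they describe a deviation from the learnt pattern."""
    dev, hour, dst, nbytes = event
    base = baseline.get(dev)
    if base is None:
        return 1.0, ["device never seen before"]
    score, reasons = 0.0, []
    if hour not in base["hours"]:
        score += 0.25
        reasons.append("outside usual hours")
    if dst not in base["dests"]:
        score += 0.25
        reasons.append("destination never contacted before")
    z = (nbytes - base["mean"]) / base["std"]
    if z > 3:
        score += 0.5
        reasons.append(f"volume {z:.0f} standard deviations above mean")
    return score, reasons


# Constructed event: 3 a.m., 900 KB to a host no feed has reported yet.
NOVEL = ("ws-017", 3, "fresh.example", 900_000)

if __name__ == "__main__":
    bl = build_baseline(HISTORY)
    print("feed match:", feed_match(NOVEL))      # False: nobody has reported it
    print("anomaly:", anomaly_score(NOVEL, bl))  # (1.0, [three reasons])
```

The feed check returns nothing for the novel destination because no prior victim has reported it, while the baseline flags the same event on three independent deviations.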

Indeed, within the context of national security and law enforcement, ‘intelligence’ refers to the special insights that directly inform decisions around how to tackle specific risks and threats, before the adversary has seized the initiative and forced you onto the back foot. It provides evidence-based knowledge that allows human beings to determine how and when to take action, and in turn to assess the effectiveness of those decisions on an ongoing basis, as the context inevitably changes.

For organizations looking to take proactive action against cyber adversaries during their attack missions, these questions are critical and require high-quality intelligence, the result of advanced, context-aware analysis of a broad range of factors that contribute to an attack taking place. Cyber intelligence must drive decisions while compromises are nascent and manageable, in a timeframe that allows those decisions to be effective and avoids a crisis at its logical conclusion.

Better focus, more action

Attack techniques and methodologies are virtually impossible to predict, with yesterday’s attacks looking different from tomorrow’s, or the day after’s. Internal vulnerabilities are a constant issue that requires continual assessment. In this environment of countless threats existing within the organization at any given time, comprehensive visibility into the happenings of our own organizations is required to work out where to focus our attention, and to establish cyber defense priorities in real time. Yet the overload of security events and incidents that is frequently produced by the gamut of conventional security tools has often had the perverse effect of engendering inactivity on the part of the security or IT function, due to the sheer volume of alerts that are surfaced, or the un-actionable nature of the information that is being fed back.

Security practitioners must be able to home in on threats, in a way that makes sense to the organization, rather than spend valuable time on thousands of context-less alarms. Taking advantage of each enterprise’s unique configuration – the time your employees come to work, the types of devices they use and the way they use them, the resources that they access, and so on – is critical, because no adversary has such details for their attack planning. This granularity of activity must be leveraged by employing self-learning ‘immune system’ technologies that can see and intelligently analyze this data, establishing an implicit understanding of its level of normality or otherwise, and surfacing anomalies in real time that must be dealt with by the business in a timely fashion.


The cyber intelligence function is crucial to the new risk mitigation strategies that are being put in place to deal with tomorrow’s threats, providing organizations with actionable knowledge and evidence that they would not otherwise have access to, and allowing them to deal with the genesis of a compromise, at the point that the abnormality emerges.

Advanced mathematical technologies can leverage this ‘home advantage’ within very complex and dynamic environments. Next-generation solutions need to be highly sensitive to extremely low-level noise and catch the tweaks in normal behavior that manifest themselves as anomalous, based on an evolving understanding of what constitutes normality for that particular organization at any given moment in time.

Being able to cope with subtle actions and quiet compromise is key to being able to detect and address the early stages of compromise before they snowball into uncontrollable cyber incidents that culminate in major financial, operational or reputational damage to the organization. An Enterprise Immune System approach does this, by continually learning, spotting and analyzing the faint traces and weak indicators that necessarily precede each potential disaster, rather than turning up on the crime scene to work out what went so terribly wrong.


About Darktrace

Winner of the Queen’s Award for Enterprise in Innovation 2016, Darktrace is one of the world’s leading cyber threat defense companies. Its Enterprise Immune System technology detects and responds to previously unidentified threats, powered by machine learning and mathematics developed by specialists from the University of Cambridge. Without using rules or signatures, Darktrace is uniquely capable of understanding the ‘pattern of life’ of every device, user and network within an organization, and defends against evolving threats that bypass all other systems. Some of the world’s largest corporations rely on Darktrace’s self-learning technology in sectors including energy and utilities, financial services, telecommunications, healthcare, manufacturing, retail and transportation. Darktrace is headquartered in Cambridge, UK and San Francisco, with 20 global offices including Auckland, Johannesburg, Lima, London, Milan, Mumbai, Paris, Seoul, Singapore, Sydney, Tokyo, Toronto and Washington D.C.

Contact Us

US: +1 (415) 243 3940
Europe: +44 (0) 1223 324 114
APAC: +65 6248 4516

Email: info@darktrace.com