Darktrace on where security AI goes next: ‘Turning the tables’ on attackers

The next phase of security AI will bring a greater focus on preventing attacker movement — making cyber attacks much more difficult and far less likely to succeed — through modeling probable attack paths using real data from a company’s environment, according to executives at self-learning AI firm Darktrace.

In the world of cybersecurity, it’s often brought up that “‘the bad guy only has to be right once’ — and it’s so much harder being on defense,” said Nicole Eagan, chief strategy officer and AI officer at Darktrace, in an interview.

But with Darktrace’s preventative security AI technology, which the company is now testing with early adopter customers, “we really think that this starts to turn the tables in the other direction,” Eagan said.

For the company, the work represents an expansion from its initial focus on AI-powered detection and response—in other words, “knowing yourself”—and into the realm of “knowing your enemy,” she said.

It could also signal where security AI is going next overall, given the company’s track record as a trailblazer in the space since its founding in 2013. The use of AI and machine learning (ML) for detection, for instance, is now commonplace in many security tools, such as endpoint detection and response (EDR).

Rather than starting with ideas or goals for new products, Darktrace focuses on following the research that it produces internally around identifying security challenges, said Max Heinemeyer, director of threat hunting at the company. Darktrace employs more than 100 researchers, including two dozen PhDs — and their work informs where the company’s artificial intelligence and ML technology should be applied next, Heinemeyer said.

Right now, the Darktrace research points toward preventative security as the next major area to take on with AI — with an initial focus on the area of “attack path modeling.”

Blocking the paths

Because Darktrace’s self-learning AI technology has a comprehensive understanding of a customer’s digital environment, the system can be utilized to determine what path an attacker would most likely use in order to attempt to access a company’s “crown jewels,” Heinemeyer said.

Once those priority attack paths have been determined, an organization can focus its efforts on shoring up protections against the use of those paths, according to Darktrace.

The approach is not about stopping attackers from piercing the perimeter — but rather about making it difficult for them to find the paths to valuable data once they are inside, Eagan said. By doing so, attackers’ lives “just became a lot harder,” she said.

In December, Cambridge, U.K.-based Darktrace began testing its first capabilities in attack path modeling with several dozen customers. Now, the goal is to make the initial offering generally available by the end of the company’s fiscal year (at the end of June) or early in its next fiscal year, Eagan said.

“In this calendar year, we are definitely committed to having the initial capability generally available,” she said.

Meanwhile, researchers from Darktrace’s Cyber AI Research Centre have released a new paper that helps to shed light on how the company is approaching preventative security. The paper — “Prevent: Security through Adversity” — in part highlights why existing proactive security measures can only go so far.

For instance, red/blue teaming exercises are costly and people-intensive—putting them out of reach for many companies. And in the majority of cases, blue teams fail to defend against the red team attacks, the paper notes.

However, “if a defender understands the methods of the attacker, has an awareness of their own assets, appropriately prioritises the allocation of their resources and deploys countermeasures — such that the attacker will expend resource at an asymmetric disadvantage with each attempted advance — the blue team will be victorious,” the researchers said in the paper.

Lowering the barriers

This is the underpinning for Darktrace’s initiative around preventative security AI, starting with attack path modeling.

Similar to red/blue teaming, attack path modeling until now has been a human-driven endeavor — which has meant both a major investment and imperfect results, Heinemeyer said.

With Darktrace’s system, however, “you don’t need a huge army of consultants to make it work,” he said. “So it’s really lowering the barrier to entry.”

The system works by taking telemetry from a customer’s actual environment, feeding it into the company’s attack path modeling engine, and then applying machine learning and graph theory. The result is that “without human involvement, we can say, ‘These are the most impactful attack paths,’” Heinemeyer said.

Speaking with VentureBeat, the Darktrace executives also contrasted the company’s AI-powered attack path modeling with another preventative security technology that’s now gaining momentum in the market — breach and attack simulation (BAS).

Emulation vs. simulation

The main difference is that BAS simulates attacks in an essentially fictional environment — while Darktrace actually “emulates” what an attack would most likely look like using a copy of the customer’s “real data, real people, and real processes,” Eagan said.

“We uniquely understand that environment at such a granular level from the self-learning [AI], that we can actually emulate that exact, real-world environment,” she said.

Benefits of this approach include being able to see whether the main vulnerability in a customer’s environment is people-related, or related to their systems — or is a combination of both, Eagan said. Emulation of this sort enables you to “actually see the manifestation of the impact of the attack,” she said.

In current breach and attack simulation tools, the underlying idea is to take known malware and known attacks, and run those against the organization, Heinemeyer said.

However, “that doesn’t identify the attack paths. That is basically testing for historic attacks — ‘could we detect or stop that?’” he said. “And that’s OK, that’s good — but that’s not forward-looking, and that’s not really bespoke to you. That’s why we think [our approach] is vastly different.”

Reaching the C-suite

In conversations with executives at other companies, there’s a clear interest in being able to hone in on the specific attack paths leading to the company’s “crown jewels,” Eagan said.

Current proactive security approaches, such as penetration testing and red/blue teaming, can provide lists of what needs to be patched, she noted.

But that “doesn’t communicate to the executive team and the board that these are the things that are really going to matter. And these are the areas we need to invest in, and prioritize, and focus on,” Eagan said. “And at the end of the day, I think that that prioritization and that focus is really what they want.”

Ultimately, Darktrace hopes to “democratize” a preventative cybersecurity approach that leverages “the adversarial mindset,” Heinemeyer said.

With this approach and technology, “a normal IT practitioner can quickly determine their most impactful attack paths, by themselves, and remediate them,” he said. “This makes it much easier, much more accessible, and cuts out that complexity.”

The reason that this leads to “turning the tables” on the threat actors, Eagan said, is that protecting key attack paths just makes things far more challenging for the attacker.

“It means it’s going to take them a lot more time to be able to figure out their attacks and their paths — because we will have blocked up all the high-priority ones,” she said.

“And what that means is the attackers are going to burn through resources,” Eagan said. “If you make this tremendously harder for the attackers — so they have to throw more and more bodies at this, and more and more time — that creates this asymmetry in the other direction. And that could have a real impact on the entire cyber industry.”