
a great event. So yeah, and also thank you for attending. I know it's a mid-afternoon sort of lunch food coma. But yeah, we're going to talk about China. A little bit about me. I used to live in China, did three and a half years there, different stints. And so that's always been sort of an important thing for me, and then that morphed into working within CISA, the Cybersecurity and Infrastructure Security Agency in the US government. Did that for about 7 years, and then did a liaison role to the UK GCHQ NCSC, another government agency, and now work at Darktrace. Been with Darktrace now for about 3 years and been running the threat research focus for about two years.

And so we're just going to talk first quickly around how Darktrace works so you guys understand the anomaly-based approach. We'll talk about the ecosystem and how that's progressed. We'll go through some incident case studies, some takeaways, some things that we've seen, but also map back to CISA advisories or NCSC, and then talk about some of the models and meta models that we've been using for detection.

So this is just a pyramid of one example of our NDR system, on different approaches of how we use anomaly-based detection, and we use unsupervised learning, different aspects of machine learning. And so you can kind of see it in the pyramid where we use multiple parallel abilities as well as hierarchical, and try to give the end user an idea about what's happening in the environment based on behavior, your threat context, as well as giving that investigation period and going through different hypotheses and then spitting out something. And that's where you see the fifth layer where it's evaluating those different hypotheses and giving context. And then after that it'll shoot out something around, hey, how do we do graph theory, relationship based, and establish a pattern of life? What's happening on that identity? What's happening on that device, that server? Trying to give context and use neural network understanding to provide that final piece to the security analyst.

And so another way to look at it would be, okay, if this is your data, you just take all your business data, overlay a lot of different mathematical algorithms, tie it to a lot of different best-practice cybersecurity concepts, and then that shoots out those things, and we look through a behavioral understanding, classify that, use graph theory and Bayes and meta-classifiers to understand what's going on, what's normal, what's not normal, and then run that hypothesis all over again. And then we'll run it through, and that's where your model alert comes. And that model alert will either be, hey, this violates best practice, or something that's weird, anomalous to your network, and that'll shoot it out. And that's something that then will be triaged by what we call our Cyber AI Analyst, that's been trained on our SOC for about six or seven years, and use an investigative engine to provide a deeper understanding of what that looks like. So that's about as much as I'm going to say about Darktrace.

So we'll go into China now. And in this case, oh, went a little bit too fast there. We did, okay, well, there's a ghost in the machine, but anyway, Crimson Echo was the title of it, and we'll get to that later, but essentially it was a three-year look at Chinese intrusion sets that we observed. And we wanted to understand, hey, if we look back and say, hey, we think China, and this level of confidence, medium, high, low, whatever it was, and
see what are we seeing in terms of patterns and key takeaways, and dive into that. And so for us, both married in terms of my experience now at Darktrace but at CISA and NCSC, the way Chinese-nexus cyber operations have evolved is very much strategic continuous planning. Detection of short-dwell-time intrusion should not be interpreted as tradecraft failure. That's just an option they chose. And Western security models are failing, right? Because they're overly incident-centric and, well, too systemically vulnerable to identity risk.

And so what's changed over time: originally with China it was just about intellectual property theft. That's morphed into tying into their classic domestic or foreign policy initiatives, but also holding critical infrastructure at risk. And so I think the best way for us to understand how Chinese tradecraft has changed is to look back at how that all started. And so for me, I was living in China between phase two and phase three. In phase one you look at, okay, there's informal patriotic hacking, there's low sophistication, high volume. Then mid-2000s to 2010, APT1, Mandiant, that's a hallmark moment for a lot of threat research. And you start to see gradual but slow integration into the Chinese government and what they're trying to accomplish. But still economic espionage, IP theft, that's the main phase. But you also see clear malware and infrastructure patterns. You could kind of see them come through the channel and say, "Yeah, no, it's China."

And that's changed, particularly in phase three and in phase four, in mid-2010 to 2020, particularly with the 2015 Xi-Obama agreement, increased Western attribution around that, and also the internal restructuring of MSS and PLA in terms of what that is, and in terms of MSS, less hands-on, more perpetrators around, like instead of MSS Chengdu you're thinking about APT41 and those subcontractors that are supporting those operations, but also offensive cyber growth in the private sector then blurs that attribution line. So it makes it difficult for the West to be able to pinpoint, hey, this is Chinese government. And particularly focus on managed service providers, supply chain; Cloud Hopper from PwC comes to mind in terms of a significant report. And then now the last five years, particularly oriented at identity, really good at laying low, obviously network-edge focused smash and grab, but also really good at living off the land and maintaining high OPSEC, and holding that access as a strategic asset, holding critical infrastructure at risk to change that mentality of a national security official in the event that there was a hot flash in Taiwan.

The other thing that we saw was two distinct operator models, and again, just because one is doesn't necessarily mean the other. So smash and grab is the most common one I think people see, just because they take advantage of the latest vulnerability or whatever it is, right? And in this case, this is what our timeline showed: rapid exploitation for immediate gain, time horizon was median 10 days. The detection tolerance was rather high. Did they really care if they get caught? Not really. What's going to happen to them? Not much. In terms of low and slow, long-term persistence for strategic positioning, this is all the work around Volt Typhoon before it was Volt Typhoon: weeks, months, years. And they have redundant persistence, and they have a very high tolerance, really good at high OPSEC.

And so if you look at constants and variables about those operator models, then you look at, so don't tie these two together, they're separate categories. But if you look at some of the variables: what's the latest vulnerability? What's the latest Chinese malware, PlugX or Brickstorm or
whatever it is? These are things that are going to change. Infrastructure, C2 spin up, cloud spin up, spin down, doesn't really matter, right? That's something that they're going to use as a variable to their operations. What's constant is it's identity-centric, right? And they're focused on maintaining a lot of different identities, maintaining redundant persistence, focused on operational restraint once they get into the target: how long are they going to stay? The target-driven investment tied back to the One Belt, One Road initiative. And so those are things that we should pay attention to as defenders, around what that looks like.

And so for us, we had about 80 cases, and now we're picking up more now that we've used it. We'll get into the meta model here in a bit, but for us, what we saw in terms of targeting patterns worldwide. So for Darktrace, we have about 10,000 customers all around the world. And so we saw about 88% of the observed cases from us would be classified as critical infrastructure. In the US, observed cases targeting the US were 20% of those, and those were focused on transportation, government services, gas and oil. Whereas EMEA was focused more on communications, manufacturing. And I think it was interesting, from the US you saw a lot of cases that were not just IP theft and strategic sectors in terms of competition, but in EMEA what was interesting was the number one, for example in Germany, was automotive and engineering; in France it was retail; in Italy it was IT and defense. So it's interesting to see how the strategic sectors to the GDP is exactly what China is going for.

Now, if we think about tactics and techniques, I don't think this is anything new for everyone in terms of living off the land, native binaries, trusted admin tools, very much like evasion techniques such as DLL sideloading. 63% of the exploitation of internet-facing systems. Yep, that makes sense.

So, in terms of case studies, we have three or four here. Europe had rapid exploitation of SAP. That was a really popular one in 2025; had some good detections around that. Once they found it, they went for it, right? Some of those, any AP that was the salt, they're going to use the ones that they can quickly find, but also keep those long-buried security tools and offensive weapons for a long time. US critical infrastructure, quite a few of those. Identity abuse and recon in a transportation infrastructure network, and I'll show you that one in a minute: weeks of quiet activity before they got deeper and deeper into that exploration, and emphasis on persistence. And then it should say APJ but it doesn't. Australia, critical manufacturing, this was a rare earth organization. Rare earth obviously being quite needed for iPhones as well as a lot of different technologies. But yeah, repeated bursts of activity across 2022 to 2024, multi-month intrusion with the sideloading. We have a few others. I'd say they've become really good at staying low and slow. In one instance, we had observed activity and then we didn't see it, and they came back 600 days later. So very, very high OPSEC behavior, detection for one example.

So one of the use cases you'll see here: description of what we saw, the model that fired, and then that's the log. All this is public, by the way. It's all on the website if you guys want to use it. But in this case, the model that fired, from anomalous Active Directory replication behavior, for exactly the DRSGetNCChanges, right? And so that was really interesting because it says Tuesday, December 24th. It's about 45 days before the GIS. So this is called Cityworks, which is a GIS tool, a geospatial tool which is used alongside transportation networks, airports, aviation systems, things that you see: different airports, vessels, ships going through. That makes sense if you want to be able to hold that as a strategic risk, right? And so
from our perspective, these are key insights, less about Darktrace but more about CISA, the Western cyber intel agencies that are trying to give you insights around, hey, we keep seeing persistent credential abuse, we keep seeing living off the land, embedded network activity, but then also talking about shifting to behavior analysis. And these are the discussions from those sources.

And so one of the other things that we notice is the Western detection mismatch. So Western SOCs focus on malware detection, alert triage, containment, rapid incident closure. We also, even myself, have metrics on how quickly we close a ticket. Is that the right approach? You can argue maybe not, right? From a financial perspective, maybe. But from a security perspective, we should think about it another way. Because if you're thinking about state-sponsored actors, they're taking a very long-range strategic view on how they use cyber as statecraft, right? And so detection mismatch, that risk, allowing them to remain undetected, exploiting that gap in security defenses. If they're not going to come back, they're first going to get initial access, get a few creds, come back and maintain that access, and then not come back again for 600 days. What logging do you have for that? Right? That's really difficult. So we need to change and recognize at least that adversary intent and persistence is beyond disclosing what that means, right?

And so this is the argument for behavioral signals for early detection. So you need to continue to look at identity drift and admin access, things that we often say are kind of difficult to do in practice. Strategic shaping behaviors: so those trust-boundary connections without follow-on exploitation, I would say that's an indicator. You had that initial exploit, but then nothing happened. Why not? Why didn't they go kill that? And if you look at other strategic shaping behaviors, China's 15th five-year plan recently just came out, actually last December, but each province within China will have their own mandate that they have to then go meet. Thank you. They have their own mandate to fulfill that five-year plan for 2030. And unsurprisingly, it's about semiconductors, it's about AI, you know, and what that means. So, in terms of how you defend against that: cross-domain identity anomalies and low-impact recon bursts. That's not me saying that, that's the cyber agency saying that. Behavioral approach benefits: helps detect adversary intent and persistence before traditional alerts, right? And so the other thing they take advantage of: exploiting defender assumptions. They exploit the bias, they exploit logging capabilities, they exploit the actual security tools that are in your environment. I just saw Microsoft Defender just had a big vuln; I forget the fancy name that it was, a few days ago. So we would argue that you shift towards behavior understanding of your network, of your systems, of you as a user, right? And that's a way to adopt and change the detection paradigm on advanced threat actors.

So moving to some more of our technical use cases. These are things that you could think about: internet-facing foothold plus a delayed action, and we'll talk about time in a minute, but if you think about it from our perspective, we had like a 10-day window and also, you know, a 100-day window. So how do you build that long-range model? Identity-centric persistence but no malware, lower-noise recon before lateral movement. So those traditional alerts that maybe you think of as like a compliance risk, use that as a way to start thinking about how you hypothesize around threat hunting, data staging and throttled egress, that slow, slow, slow egress out of your network. Now I think any SOC can do this, because they have a lot of action, a lot of data access without action, cross-plane identity drift, living-off-the-land abuse. A lot of these things are already available in many SOCs. You look through the foothold, dormancy, re-entry: most SOCs already collect this data. They just don't model it in a way. So, I think if you take
advantage of all the AI agents that are available now, you could actually do this. You don't necessarily need to buy a tool that specifically, like Darktrace or whatever, focuses on anomalies, but you can actually focus on what data you have and how you use it and how you model it based on what you're seeing in the threat landscape. Now, low and slow, that's another way to do it. You can do it for credentials: valid access, legit tooling, you have a sparse move, then you have persistence and egress. These are things that you can do in low cadence and redundancy, and for us I think that's really important as we continue to build our own meta models, right?

And so this is what we've been doing: we've been combining those multiple signals, we weigh them by rarity, and we also require co-occurrence in a time window. So we took about 80, 90 different cases, all the different models and meta models that fired, and pulled them up and threw them into a larger meta model, and that's been able to detect newer fun things. But if you don't have that data, just use a generic use case. You have an internet-facing compromise. You see tool ingress like a certutil, which is a very common one, C2 via legit protocol beaconing, recon, lateral movement, essentially the kill chain, right? Put that in a meta model, but two things have to happen: a sequence and a co-occurrence with time. So instead of getting all that very loud, different, specific models, you build that, and your outcome is a higher-confidence multi-stage. You have early warning intent, and it gives you lower noise and singular alerts.

And so this is what's been going on for us as of late. So we deployed about four or five different meta models based on the data that we observed. Again, all of the inherent models that we have are all anomaly based, and built out different meta models to understand that behavior. So we have a few out there that go through the full kill chain and a 10-day-plus macro window. And in the last 2 or 3 months, we've had a few different interesting cases. So it alerted in a small US electrical grid, which makes sense, right? They want to be able to hold US critical infrastructure, particularly energy, at risk. Shut off the power, you shut off telco, you shut off finance, shut it all off. Now they also compromised a rare earth organization that materializes rare earth for EV batteries, strategic goal within the 2026 to 2030 China plan; a semiconductor producer in APJ. Anyway, you guys get the point.

So for this, I think for me it's: adversaries optimize for how defenders think, not just how tools detect. So we should move past just specific detections, or measures by alert; you miss the strategic intent. And so for me it's less about... So Chinese state-sponsored are focused on: don't break the system loudly, right? And so we need to think about how you model that behavior over time, and something we heard in earlier talks around how behavior matters for detection. So with that, just as a reminder, in the event that you were taking pictures, you just want to take the report. I know an AI agent's already read through it; you can probably get a TL;DR version of it quite quickly for yourself. But yeah, I think I finished a little bit early, but that'll be it for Crimson Echo. And the reason why I settled on that is because Crimson for the color, and Echo just because I always felt like I was talking in an echo chamber about China. So thanks everyone.
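The meta-model idea the talk describes (combine several anomaly signals, weight each by rarity, and only alert when the kill-chain stages co-occur in sequence inside a macro window) as an added Python example; this is not Darktrace code, and the stage labels, model names, host names and event sample are all constructed for illustration.

```python
# Added example (not Darktrace code): a toy meta model that weights per-host anomaly
# signals by rarity and alerts only when kill-chain stages co-occur in order within
# a macro window. Stage labels, model names and events are constructed.
from collections import Counter
from datetime import datetime, timedelta
from math import log

STAGES = ["initial_access", "tool_ingress", "c2_beacon", "recon", "lateral_movement"]

# Constructed model fires: (timestamp, host, stage, model name).
EVENTS = [
    # smash-and-grab style: the full chain inside one week
    ("2025-01-01T08:00", "srv-edge-1", "initial_access", "Anomalous Server Activity"),
    ("2025-01-02T09:30", "srv-edge-1", "tool_ingress", "Suspicious certutil Download"),
    ("2025-01-04T02:15", "srv-edge-1", "c2_beacon", "Beaconing to Rare Domain"),
    ("2025-01-06T11:00", "srv-edge-1", "recon", "SMB Enumeration Spike"),
    ("2025-01-07T13:45", "srv-edge-1", "lateral_movement", "New Admin Credential Use"),
    # low-and-slow style: the same chain spread over about two months
    ("2025-01-10T22:00", "srv-slow", "initial_access", "Anomalous Server Activity"),
    ("2025-02-05T03:10", "srv-slow", "tool_ingress", "Suspicious certutil Download"),
    ("2025-02-20T04:00", "srv-slow", "c2_beacon", "Beaconing to Rare Domain"),
    ("2025-03-01T12:30", "srv-slow", "recon", "SMB Enumeration Spike"),
    ("2025-03-08T09:00", "srv-slow", "lateral_movement", "New Admin Credential Use"),
    # noisy host: stages present but out of order, so no chain should form
    ("2025-01-01T08:00", "ws-noisy", "recon", "SMB Enumeration Spike"),
    ("2025-01-01T08:05", "ws-noisy", "recon", "SMB Enumeration Spike"),
    ("2025-01-03T10:00", "ws-noisy", "lateral_movement", "New Admin Credential Use"),
    ("2025-04-20T10:00", "ws-noisy", "initial_access", "Anomalous Server Activity"),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")

def rarity_weights(events):
    """Weight each model by rarity across the corpus: log(N / count)."""
    counts = Counter(e[3] for e in events)
    return {m: log(len(events) / c) for m, c in counts.items()}

def chain_for_host(host_events, window):
    """Greedy ordered walk: each stage must follow the previous one in time and
    the whole chain must fit inside `window` from the first stage, else None."""
    chain, cursor = [], datetime.min
    for stage in STAGES:
        nxt = next((e for e in host_events if e[2] == stage and parse(e[0]) >= cursor), None)
        if nxt is None:
            return None
        chain.append(nxt)
        cursor = parse(nxt[0])
    if parse(chain[-1][0]) - parse(chain[0][0]) > window:
        return None
    return chain

def meta_alerts(events, window_days):
    """One alert per host whose ordered chain co-occurs within window_days,
    scored by the summed rarity weights of the contributing model fires."""
    weights, window, by_host = rarity_weights(events), timedelta(days=window_days), {}
    for e in sorted(events, key=lambda e: e[0]):  # fixed-width ISO stamps sort lexically
        by_host.setdefault(e[1], []).append(e)
    alerts = []
    for host, evs in by_host.items():
        chain = chain_for_host(evs, window)
        if chain:
            alerts.append({"host": host, "start": chain[0][0], "end": chain[-1][0],
                           "score": round(sum(weights[e[3]] for e in chain), 2)})
    return alerts

if __name__ == "__main__":
    for days in (10, 100):  # the 10-day and 100-day macro windows from the talk
        print(days, meta_alerts(EVENTS, window_days=days))
```

With the 10-day window only the fast chain fires; widening to 100 days also surfaces the low-and-slow host, while the out-of-order host never does, which is the sequence-plus-co-occurrence filter the talk describes.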
So, if there are any questions from the audience,
>> Do you hear me? Hi.
>> Yeah.
>> I wanted to ask about your stay in China.
>> Yeah, go for it.
>> Yeah. Well, how was it? How did you like it there?
>> I was there 2009 to 2012 and again 2013. So Hu Jintao was mostly the president then, or chairman, and then Xi took over. I will say, just like the phased approach that we took in terms of breaking down the Chinese ecosystem, the growth there is incredible to witness. And I remember I lived in Shanghai, and it took 12 hours to get to Beijing. When I lived there in 2009, when I left the first time in 2012, they had changed, they improved it so much it only took 5 hours. So the rate of change is incredible.
>> Oh, very cool. Thank you very much.
>> Yeah, there's one there.
>> So are those meta models that you introduced also modeling for the case of 100-plus days of waiting, the operational OPSEC mentioned? You mentioned that there was one case of 600-plus days of waiting, right?
>> Yeah. Yeah.
>> And so these, your meta models, you are modeling for these cases also, like you are handling this, and...
>> For that one we just realized it after the fact, just because we are able to keep, so we have our own ELK instance. So a lot of those models that flow back in from our customer environments, we can go back and look like 2, 3 years. And so for that one it went off just because of an anomaly-based... a few models, not the meta model. We just figured that out after; we used that as a use case to build the longer one.
>> Okay, so this is still a hole, right? And the approach, like if the attackers wait for 50-plus days, then you might not notice this.
>> Well, again, it's anomaly based. So, and it goes back to co-occurrence in time. So even if it's like 50 days, you're still going to have... some of those anomaly behaviors will shoot up. And so we just built it for those reasons. But the 600-day one was just kind of a cool, high-OPSEC one.
>> Thanks.
>> Yeah. All right. Anyone else?
>> Oh, so you mentioned the difference between like US targets and EMEA targets.
>> Yeah.
>> And I'm curious. First of all, I'm not sure how real it was or how far they got in the attacks. And do you have any specifics for, like for example, Czech Republic, or sector-wise?
>> I don't think we have any. I wish we had customers in Czech Republic, but I don't think we have that many. I will say we saw one in EMEA where we definitely saw IP theft around manufacturing of ammunitions. And that was, yeah, disheartening to see. So...
>> Ammunition.
>> Yeah.
>> Thank you.
>> Cool. All right. Thanks everyone. See you at the pub. Thank you again.