
We spoke with Nathaniel Jones, Vice President and Field CISO, who also leads AI and Security Strategy efforts at Darktrace, about insider risks in OT networks, MFA fatigue scams, and MaaS infrastructure.
Jones previously served as a Senior Cyber Operations Officer supporting the UK’s National Cyber Security Centre during his five years at CISA.
His earlier career includes positions at Deloitte, Capgemini, the American Institutes for Research, and the U.S. Department of Commerce.
From anomaly detection in encrypted east-west traffic to early warning signs of lateral movement by LLM agents, Jones explains how defenders can focus on behavioral deviations to stay ahead of attackers.
His perspective reflects a broader shift in cybersecurity, relying more on dynamic, AI-driven analysis of unusual behaviors that adversaries cannot easily disguise.
Read further for Jones’ insights that show where enterprise defenses must evolve as attackers exploit behavior over signatures.
Vishwa: How does Darktrace correlate dark web chatter with real-time anomaly detections inside client environments?
Nathaniel: We don’t. At Darktrace, we use ML/AI to learn a customer’s environment in real time and understand their organization’s pattern of life. Unlike systems that rely on historical attack data, this approach enables us to detect anomalies that could indicate novel or sophisticated threats.
Darktrace customers can also ingest external threat intelligence feeds with integrations if they wish to do so.
Vishwa: What access or protocol-level behaviors indicate insider-driven tampering attempts in Operational Technology (OT) networks? What do teams monitor in Modbus/TCP write commands from atypical admin paths to catch early signs?
Nathaniel: When looking to identify insider threats in OT environments, OT SOC teams can look for access and session patterns that deviate from the norm, even if the commands are valid in protocol terms.
For example, the use of high-privilege admin account credentials from engineering workstations that don’t usually perform writes. Access path changes, like a device or account suddenly using RDP/VPN to reach an HMI/PLC directly, can be indicators of a potential threat.
Other things that can be indicators of a potential threat include:
Early detection tactics for monitoring Modbus/TCP include network anomaly detection (i.e., alert if a new Modbus master suddenly starts issuing writes) and command semantic analysis like deep packet inspection, comparing against historical baselining, and more.
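The "alert if a new Modbus master suddenly starts issuing writes" tactic above, written out as an added example (this is not Darktrace code and not a description of its models). It learns, from a history period, which hosts have written to which PLC/unit and over which access path, then flags writes from a host that has only ever read, or writes arriving over a path (VPN, RDP jump) the host has never used. All host names, PLC names and records are constructed; the `via` field stands in for whatever access-path attribute a real sensor would provide.

```python
"""Baseline Modbus/TCP write activity and flag deviations (added illustration)."""
from collections import defaultdict
from dataclasses import dataclass

# Function codes that change state on the device; reads are 1-4.
MODBUS_WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                          15: "Write Multiple Coils", 16: "Write Multiple Registers",
                          23: "Read/Write Multiple Registers"}


@dataclass(frozen=True)
class ModbusEvent:
    ts: str
    src: str        # host acting as Modbus master (client)
    dst: str        # PLC / RTU acting as Modbus server
    unit_id: int    # unit identifier behind the TCP endpoint
    function: int   # Modbus function code
    via: str        # assumed access-path attribute: "direct", "vpn", "rdp-jump"


def is_write(e):
    return e.function in MODBUS_WRITE_FUNCTIONS


def learn_baseline(history):
    """Record which masters have written to each (PLC, unit) and which
    access paths each master has been seen over, reads included."""
    write_masters = defaultdict(set)
    access_paths = defaultdict(set)
    for e in history:
        access_paths[e.src].add(e.via)
        if is_write(e):
            write_masters[(e.dst, e.unit_id)].add(e.src)
    return {"write_masters": write_masters, "access_paths": access_paths}


def detect(baseline, events):
    """Return one alert per write that deviates from the learned baseline."""
    alerts = []
    for e in events:
        if not is_write(e):
            continue
        reasons = []
        if e.src not in baseline["write_masters"].get((e.dst, e.unit_id), set()):
            reasons.append("host has never issued writes to this PLC/unit")
        if e.via not in baseline["access_paths"].get(e.src, set()):
            reasons.append(f"host never seen over access path '{e.via}'")
        if reasons:
            alerts.append({"ts": e.ts, "src": e.src, "dst": e.dst, "unit_id": e.unit_id,
                           "function": MODBUS_WRITE_FUNCTIONS[e.function],
                           "via": e.via, "reasons": reasons})
    return alerts


# Constructed learning period: scada-01 writes, eng-ws-03 only reads.
HISTORY = [
    ModbusEvent("2025-01-10T08:00:00", "scada-01", "plc-07", 1, 16, "direct"),
    ModbusEvent("2025-01-10T08:05:00", "scada-01", "plc-07", 1, 6, "direct"),
    ModbusEvent("2025-01-10T09:00:00", "eng-ws-03", "plc-07", 1, 3, "direct"),
    ModbusEvent("2025-01-11T08:00:00", "scada-01", "plc-08", 1, 16, "direct"),
]

# Constructed new traffic to evaluate against the baseline.
NEW_EVENTS = [
    ModbusEvent("2025-02-01T02:10:00", "scada-01", "plc-07", 1, 16, "direct"),   # normal
    ModbusEvent("2025-02-01T02:12:00", "eng-ws-03", "plc-07", 1, 16, "direct"),  # read-only host writing
    ModbusEvent("2025-02-01T02:15:00", "scada-01", "plc-07", 1, 5, "vpn"),       # usual master, new path
    ModbusEvent("2025-02-01T02:20:00", "eng-ws-03", "plc-07", 1, 3, "direct"),   # a read, ignored
]


def run_demo():
    return detect(learn_baseline(HISTORY), NEW_EVENTS)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The baseline is keyed on (PLC, unit) rather than on the PLC alone, because one TCP endpoint often fronts several units and a master that legitimately writes to one of them need not write to the others.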
Vishwa: What indicators suggest attackers are chaining MFA fatigue and invoice fraud across email and cloud access points?
Nathaniel: Indicators can be a range of things, like:
So, if an attacker does that and successfully gains access to a cloud account, whether that be email, collaboration site, or a finance app via MFA push, then they can use that foothold to manipulate communications.
They can create new email inbox rules, search the mailbox for keywords like payment or invoice, or other sensitive items.
Then, attackers typically send outbound emails to known vendors with modified bank account details from the compromised account or make edits to cloud-stored invoice templates and PDFs in finance-related folders.
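The chain just described, as an added example of how a detection could correlate it per account (this is not Darktrace code): a burst of MFA pushes that ends in an approval, followed by a risky inbox rule, finance-keyword mailbox searches, an outbound mail to a known vendor domain that mentions changed bank details, or an edit under a finance folder. Only the post-approval stages count, so a single legitimate push followed by a routine inbox rule produces nothing. The audit events, user names, vendor domain and keyword lists are all constructed.

```python
"""Correlate MFA fatigue with follow-on invoice-fraud activity (added illustration)."""
from collections import defaultdict
from datetime import datetime, timedelta

FATIGUE_PUSHES = 4                       # pushes within the window that count as a fatigue attempt
FATIGUE_WINDOW = timedelta(minutes=10)
FINANCE_TERMS = ("invoice", "payment", "remittance")
BANK_CHANGE_TERMS = ("updated account", "new bank", "routing", "iban", "wire")
RISKY_RULE_ACTIONS = {"forward", "delete", "move"}   # rules that hide or redirect mail


def correlate_account_activity(events, known_vendor_domains):
    """Return {user: [stages]} for accounts showing a fatigue approval plus
    at least one post-access stage, in the order the stages appeared."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])          # ISO-8601 strings sort chronologically
        stages, pushes, compromised = [], [], False

        def mark(stage):
            if stage not in stages:
                stages.append(stage)

        for e in evs:
            t = datetime.fromisoformat(e["ts"])
            kind, d = e["event"], e.get("detail", {})
            if kind == "mfa_push_sent":
                pushes = [p for p in pushes if t - p <= FATIGUE_WINDOW] + [t]
            elif kind == "mfa_push_approved":
                if len(pushes) >= FATIGUE_PUSHES:
                    compromised = True
                    mark("mfa_fatigue_approval")
            elif not compromised:
                continue                          # later stages only matter after a fatigue sign-in
            elif kind == "inbox_rule_created" and d.get("action") in RISKY_RULE_ACTIONS:
                mark("suspicious_inbox_rule")
            elif kind == "mailbox_search" and any(k in d.get("query", "").lower() for k in FINANCE_TERMS):
                mark("finance_mailbox_search")
            elif kind == "email_sent":
                to_domain = d.get("to", "").split("@")[-1]
                body = d.get("body", "").lower()
                if to_domain in known_vendor_domains and any(k in body for k in BANK_CHANGE_TERMS):
                    mark("vendor_bank_detail_change")
            elif kind == "file_modified" and d.get("path", "").lower().startswith("/finance/"):
                mark("finance_document_edit")

        if len(stages) > 1:
            findings[user] = stages
    return findings


KNOWN_VENDORS = {"acme-supplies.example"}   # constructed vendor allow-list

# Constructed audit trail: alice is pushed five times and approves; bob is normal.
EVENTS = [
    {"ts": "2025-05-02T02:01:00", "user": "alice@corp.example", "event": "mfa_push_sent"},
    {"ts": "2025-05-02T02:02:00", "user": "alice@corp.example", "event": "mfa_push_sent"},
    {"ts": "2025-05-02T02:03:00", "user": "alice@corp.example", "event": "mfa_push_denied"},
    {"ts": "2025-05-02T02:03:30", "user": "alice@corp.example", "event": "mfa_push_sent"},
    {"ts": "2025-05-02T02:04:00", "user": "alice@corp.example", "event": "mfa_push_sent"},
    {"ts": "2025-05-02T02:05:00", "user": "alice@corp.example", "event": "mfa_push_sent"},
    {"ts": "2025-05-02T02:06:00", "user": "alice@corp.example", "event": "mfa_push_approved"},
    {"ts": "2025-05-02T02:20:00", "user": "alice@corp.example", "event": "inbox_rule_created",
     "detail": {"action": "move", "folder": "RSS Feeds"}},
    {"ts": "2025-05-02T02:25:00", "user": "alice@corp.example", "event": "mailbox_search",
     "detail": {"query": "invoice payment due"}},
    {"ts": "2025-05-02T02:40:00", "user": "alice@corp.example", "event": "email_sent",
     "detail": {"to": "ap@acme-supplies.example",
                "body": "Please note our updated account and routing details for future payments."}},
    {"ts": "2025-05-02T09:00:00", "user": "bob@corp.example", "event": "mfa_push_sent"},
    {"ts": "2025-05-02T09:00:30", "user": "bob@corp.example", "event": "mfa_push_approved"},
    {"ts": "2025-05-02T09:10:00", "user": "bob@corp.example", "event": "inbox_rule_created",
     "detail": {"action": "move", "folder": "Newsletters"}},
]


def run_demo():
    return correlate_account_activity(EVENTS, KNOWN_VENDORS)


if __name__ == "__main__":
    for user, stages in run_demo().items():
        print(user, "->", " > ".join(stages))
```

Requiring the fatigue approval before any later stage is what keeps the false-positive rate down: inbox rules and invoice searches are everyday activity for finance staff, and it is the ordered combination, not any one event, that is unusual.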
Vishwa: What are the technical indicators for detecting LLM agents performing unauthorized lateral movement or privilege escalation in hybrid DevSecOps environments?
Nathaniel: A few examples come to mind for the identity front that are:
From the network perspective, one major indicator is chained environment touchpoints, like intercloud bridges. This is when an agent tied to one cloud (e.g., AWS) is observed making API calls to another cloud (e.g., Azure) using the same authentication token, which can allow movement between the platforms.
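The intercloud-bridge indicator above, as an added example (not Darktrace code): API audit records from two providers are joined on the credential that authenticated them, and any credential seen calling a second provider within a short window of calling the first is reported once per destination provider. Using a shared `token_id` as the join key across providers is an assumption made for the illustration; in practice the correlation key would be whatever identity attribute both providers' logs expose. The records, principals and token identifiers are constructed.

```python
"""Detect one credential bridging two cloud providers (added illustration)."""
from collections import defaultdict
from datetime import datetime, timedelta


def find_intercloud_bridges(records, window=timedelta(hours=1)):
    """Return one finding per (credential, destination provider) where the same
    credential authenticated calls to a different provider inside `window`."""
    by_token = defaultdict(list)
    for r in records:
        by_token[r["token_id"]].append(r)

    bridges, reported = [], set()
    for token, calls in by_token.items():
        calls.sort(key=lambda r: datetime.fromisoformat(r["ts"]))
        recent = []                      # (time, provider) of calls still inside the window
        for c in calls:
            t = datetime.fromisoformat(c["ts"])
            recent = [(rt, rp) for rt, rp in recent if t - rt <= window]
            origins = sorted({rp for _, rp in recent if rp != c["provider"]})
            if origins and (token, c["provider"]) not in reported:
                reported.add((token, c["provider"]))
                bridges.append({"token_id": token, "principal": c["principal"],
                                "from": origins, "to": c["provider"],
                                "first_action": c["action"], "ts": c["ts"]})
            recent.append((t, c["provider"]))
    return bridges


# Constructed audit records from two providers, normalised to one shape.
AUDIT = [
    {"ts": "2025-03-04T10:00:00", "provider": "aws", "principal": "agent-deploy-07",
     "token_id": "tok-7f3a", "action": "sts:GetCallerIdentity"},
    {"ts": "2025-03-04T10:20:00", "provider": "azure", "principal": "agent-deploy-07",
     "token_id": "tok-7f3a", "action": "Microsoft.Compute/virtualMachines/read"},
    {"ts": "2025-03-04T10:25:00", "provider": "azure", "principal": "agent-deploy-07",
     "token_id": "tok-7f3a", "action": "Microsoft.Storage/storageAccounts/read"},
    # Same credential on both clouds, but six hours apart: outside the window.
    {"ts": "2025-03-04T08:00:00", "provider": "aws", "principal": "agent-backup-02",
     "token_id": "tok-9c11", "action": "s3:ListBucket"},
    {"ts": "2025-03-04T14:00:00", "provider": "azure", "principal": "agent-backup-02",
     "token_id": "tok-9c11", "action": "Microsoft.Storage/storageAccounts/read"},
    # Single-cloud credential: never reported.
    {"ts": "2025-03-04T11:00:00", "provider": "aws", "principal": "ci-runner-01",
     "token_id": "tok-4b2d", "action": "s3:GetObject"},
]


def run_demo():
    return find_intercloud_bridges(AUDIT)


if __name__ == "__main__":
    for b in run_demo():
        print(f"{b['principal']} ({b['token_id']}): {b['from']} -> {b['to']} at {b['ts']}")
```

The window is the tuning knob: a pipeline agent that legitimately touches both clouds will show up too, so in practice the finding is compared against which agents are expected to hold cross-cloud credentials at all.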
Vishwa: In 2024, MaaS operators increasingly used protocol smuggling and steganography to bypass perimeter defenses. Can you share insights on their infrastructure?
Nathaniel: Most MaaS operators are leveraging services in jurisdictions with lax enforcement on take-down notices – that’s the first pain point. They are also using relay networks to help obfuscate.
Other challenges include the use of evasive techniques like smuggling C2 commands over allowed protocols, like embedding them in HTTPS, DNS, etc., or hijacking SaaS features to smuggle payloads or commands within legit APIs.
Vishwa: How to distinguish benign vs. malicious anomalies in encrypted east-west traffic across segmented networks? Can you explain how unusual process-child relationships contribute to this analysis?
Nathaniel: Detecting anomalies in encrypted east-west traffic across segmented networks can be challenging due to the encrypted nature of the traffic, which prevents deep packet inspection.
However, certain techniques based on machine learning and behavioral analysis can help distinguish benign from malicious anomalies. Network traffic analysis, behavioral analysis, and encryption-agnostic features (i.e., packet size and distribution) are all important elements that can provide better context.
At Darktrace, we use ML algorithms to model the normal parent-child relationships between processes and then flag any deviations from this model as potential anomalies.
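The two ideas in this answer, encryption-agnostic flow features and a learned parent-child process model, as one added example (this is not Darktrace's model, just a minimal illustration of the shape of such baselines). The first part learns how often each (parent, child) image pair occurs and flags pairs that were never or rarely seen; the second learns mean and spread of flow sizes per (source segment, destination segment, port) and flags flows whose size z-score is extreme or for which no baseline exists. Neither needs payload visibility. The process events, segments and byte counts are constructed.

```python
"""Parent-child process baseline and encryption-agnostic flow-size baseline
(added illustration, not Darktrace code)."""
import os
from collections import Counter, defaultdict
from statistics import fmean, pstdev


def norm_image(path):
    """Lowercase basename, so C:\\Windows\\System32\\cmd.exe and cmd.exe compare equal."""
    return os.path.basename(path.replace("\\", "/")).lower()


def learn_process_pairs(events):
    """Count each (parent, child) pair seen during the learning period."""
    return Counter((norm_image(e["parent"]), norm_image(e["child"])) for e in events)


def score_process_events(baseline, events, rare_below=3):
    """Flag pairs the baseline never saw, or saw fewer than `rare_below` times."""
    findings = []
    for e in events:
        pair = (norm_image(e["parent"]), norm_image(e["child"]))
        seen = baseline.get(pair, 0)
        if seen == 0:
            findings.append({"host": e["host"], "pair": pair, "reason": "never-seen parent-child pair"})
        elif seen < rare_below:
            findings.append({"host": e["host"], "pair": pair,
                             "reason": f"rare pair, seen {seen} times in baseline"})
    return findings


def learn_flow_sizes(flows):
    """Mean and population std-dev of bytes per (src_seg, dst_seg, dst_port)."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f["src_seg"], f["dst_seg"], f["dst_port"])].append(f["bytes"])
    return {k: (fmean(v), pstdev(v)) for k, v in groups.items()}


def score_flows(baseline, flows, z_limit=3.0):
    """Flag flows with no baseline or with |z| above `z_limit`."""
    findings = []
    for f in flows:
        key = (f["src_seg"], f["dst_seg"], f["dst_port"])
        if key not in baseline:
            findings.append({**f, "reason": "no baseline for this segment pair/port"})
            continue
        mean, std = baseline[key]
        if std == 0:                       # constant history: any change is a deviation
            z = 0.0 if f["bytes"] == mean else float("inf")
        else:
            z = (f["bytes"] - mean) / std
        if abs(z) > z_limit:
            findings.append({**f, "reason": f"flow size z-score {z:.1f}"})
    return findings


def _repeat(host, parent, child, n):
    return [{"host": host, "parent": parent, "child": child}] * n


# Constructed learning data.
PROCESS_HISTORY = (_repeat("ws-11", r"C:\Windows\explorer.exe", r"C:\Program Files\Outlook\outlook.exe", 50)
                   + _repeat("ws-11", "services.exe", "svchost.exe", 200)
                   + _repeat("ws-11", "cmd.exe", "ping.exe", 3)
                   + _repeat("ws-11", "explorer.exe", "cmd.exe", 2))
FLOW_HISTORY = ([{"src_seg": "app", "dst_seg": "db", "dst_port": 5432, "bytes": b}
                 for b in (1000, 1100, 900, 1050, 950)]
                + [{"src_seg": "app", "dst_seg": "web", "dst_port": 443, "bytes": 500}] * 5)

# Constructed new observations.
NEW_PROCESSES = [
    {"host": "ws-11", "parent": "outlook.exe", "child": "powershell.exe"},   # never seen
    {"host": "ws-11", "parent": "explorer.exe", "child": "cmd.exe"},         # rare
    {"host": "ws-11", "parent": "explorer.exe", "child": "outlook.exe"},     # normal
]
NEW_FLOWS = [
    {"src_seg": "app", "dst_seg": "db", "dst_port": 5432, "bytes": 1020},    # normal
    {"src_seg": "app", "dst_seg": "db", "dst_port": 5432, "bytes": 60000},   # far outside baseline
    {"src_seg": "app", "dst_seg": "db", "dst_port": 445, "bytes": 2000},     # no baseline at all
    {"src_seg": "app", "dst_seg": "web", "dst_port": 443, "bytes": 500},     # normal
]


def run_demo():
    proc = score_process_events(learn_process_pairs(PROCESS_HISTORY), NEW_PROCESSES)
    flows = score_flows(learn_flow_sizes(FLOW_HISTORY), NEW_FLOWS)
    return proc, flows


if __name__ == "__main__":
    for finding in run_demo()[0] + run_demo()[1]:
        print(finding)
```

A real model would key the process baseline per host role and the flow baseline per time of day as well, but the property that matters is already visible here: the byte counts and the process tree are observable whether or not the traffic is encrypted.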
Vishwa: What practical tools or AI-powered defenses can help everyday users and small teams detect sophisticated threats?
Nathaniel: Darktrace! All jokes aside -- if you’re a user, you can check the website Have I Been Pwned to know if a password or credential (i.e., personal email) has been part of a broader breach and thus your account info is out there.
Other things everyday users can do are double-check their inbox rules and be suspicious of MFA pushes at weird hours, browser extensions you didn’t download, and more.
For small teams, a central dashboard or single pane of glass to help correlate various alerts, sign-ins, and detections will help prevent alert scatter and enable them to identify patterns of behavior more easily.