DARKTRACE SYSTEM ADMINISTRATION GUIDE
Contents

1. Using the Darktrace System Administration Guide (page 2)
   Darktrace Customer Portal (2)
   Threat Visualizer (2)
   Console (2)
2. Basic Darktrace Appliance Configuration (3)
   Labelling subnets (3)
   Configuring Subnet DHCP (4)
   Label Key devices (4)
3. Device Tracking (5)
   Tracking by DHCP (5)
   Tracking by Hostname (5)
   Using Log Input to Provide Tracking Data (8)
4. LDAP Authentication and Enrichment of User Details (10)
5. Configuring HTTPS Certification (13)
6. Configuring Email Alerts (14)
7. The Darktrace Mobile App (16)
8. User Administration (18)
   Available Permissions (18)
   Recommended User Access Settings (19)
   Anonymization Mode (20)
9. Upgrading Darktrace Models (21)
   Auto-updating Models (21)
   Manual Confirmation (22)
10. Host Variable Configuration (23)
   Available Host Variables (23)
   Modifying Host Variables (24)
11. Creating Backups (25)
   Create an Immediate Backup (25)
   Create Scheduled Backups (25)
   Email Notifications for Scheduled Backup Status (28)
12. Restore from a Backup (29)
13. Upgrading the Darktrace Appliance (30)
   Types of Software Bundle (30)
   Upgrade procedure (32)
14. Securely Erasing Captured Data (35)
   Delete Captured Data (35)
   Restore to Factory Settings (36)
This iteration of the Darktrace System Administration Guide is intended for Darktrace appliances running software version 3.1 and above.
1. Using the Darktrace System Administration Guide

The Darktrace System Administration Guide aims to provide assistance for the installation, configuration, and support of Darktrace appliances and applications such as the Threat Visualizer. The guide is intended for system administrators and information technology professionals; a familiarity with networking concepts is assumed. To perform the full range of configuration steps contained within this guide, the access and credentials specified below are considered essential. Prerequisites for each configuration section are also stated at the outset.
Darktrace Customer Portal

The Darktrace Customer Portal is a dedicated web application that provides assistance and support for your appliance. It provides a facility to raise tickets with support, download software such as appliance upgrade bundles, and review the latest documentation online. Significant system administration tasks such as restoring an appliance to factory settings will require a confirmation code provided by a Darktrace representative. Where Call-Home is disabled, software upgrade bundles can be downloaded from the Customer Portal and transferred to the appliance. If you experience any issues during any of the following configuration steps, Darktrace support can guide you through the troubleshooting process.
Threat Visualizer

Access to the Threat Visualizer Interface. The majority of configuration steps contained within this guide require access to the Darktrace Threat Visualizer Interface. The Threat Visualizer can be accessed by navigating to the IP address of your Darktrace appliance in a web browser. When logging in for the first time, a customer license agreement screen will be displayed.
Credentials for the Threat Visualizer ‘admin’ user. A number of configuration steps require access to the Threat Visualizer System Config page. Credentials for the ‘admin’ user are required to access all possible configuration options. These credentials are provided by your Darktrace representative when the appliance is initially deployed. If you cannot locate these credentials, please contact Darktrace support.
Console

Access to the Appliance Console. Sections 10-14 require access to the appliance console, distinct from the Threat Visualizer Interface. If you are unfamiliar with accessing the console, please refer to the guide, Setting Up the Darktrace Appliance.
Credentials for the appliance ‘console’ user. Accessing the console requires the console user credentials. These credentials are provided by your Darktrace representative when the appliance is initially deployed. If you cannot locate these credentials, please contact Darktrace support.
Credentials for the appliance ‘transfer’ user. If Call-Home is disabled, upgrade bundles must be copied to the appliance via the console transfer user. Any immediate backups created (in contrast to scheduled backups) must also be transferred from the appliance by this user. These credentials are provided by your Darktrace representative when the appliance is initially deployed. If you cannot locate these credentials, please contact Darktrace support.
2. Basic Darktrace Appliance Configuration
Requirements: access to the Darktrace Threat Visualizer, credentials for the ‘admin’ user.

Labelling subnets and key devices is the first step in customizing your Darktrace deployment to streamline investigation and quickly identify key assets. The following configuration steps will improve workflow and remove unnecessary warnings from subnets without DHCP.
Labelling subnets

Darktrace provides the ability to label Subnet IP address ranges for ease of use. Labelling larger subnets removes the need to memorize the purpose of each IP address range and allows for simpler Subnet searching and selection in the Threat Visualizer.
Manual Labels

Individual subnets can be manually labelled within the Threat Visualizer interface.
1. Within the Threat Visualizer, navigate to the ‘Subnet Admin’ page in the main menu under ‘Admin’.
2. Click the IP address value under the ‘LABEL’ column to edit it. Enter a short description such as “Public Wifi”, and click the Save button on the right.
Uploading Labels

To make changes to a large number of Subnets on the Subnet Admin page, it is possible to upload a CSV file containing Subnet details. Darktrace will not accept any uploaded network ranges which do not correspond to a range already seen by the appliance. CSV files must be structured in the following format (one subnet per row, with the DHCP column set to TRUE or FALSE):

Label,Network,Latitude,Longitude,DHCP
Office 1,192.168.1.0/24,12.34,56.67,TRUE or FALSE
Office 2,192.168.2.0/24,12.34,56.67,TRUE or FALSE
Optionally, a correctly formatted CSV file containing all current Subnet information (including labels) may be downloaded from the Subnet Admin page using the CSV button.
1. Within the Threat Visualizer, navigate to the ‘Subnet Admin’ page in the main menu under ‘Admin’.
2. Click ‘Edit Subnet Details’; a ‘Choose Files’ option will appear. Select your CSV file and click ‘Process File’.
3. A prompt will appear detailing the changes to be made. Confirm the changes.
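Checking a subnet CSV before uploading it saves a rejected import. The following validator is an added example, not Darktrace code: it parses the CSV layout above, rejects rows whose network is not a valid CIDR range or was not already seen by the appliance (the seen-range set and the sample rows are constructed here), and normalises the DHCP flag.

```python
import csv
import io
import ipaddress

# Constructed sample in the CSV layout described above (not an export from an
# appliance). The DHCP column takes TRUE or FALSE.
SAMPLE_CSV = """Label,Network,Latitude,Longitude,DHCP
Office 1,192.168.1.0/24,12.34,56.67,TRUE
Servers,10.10.0.0/16,12.34,56.67,FALSE
Guest Wifi,192.168.300.0/24,12.34,56.67,TRUE
Lab,172.16.5.0/24,12.34,56.67,maybe
Branch,192.168.9.0/24,12.34,56.67,TRUE
"""

# Constructed set of ranges the appliance is assumed to have already observed;
# the guide states that uploads for unseen ranges are rejected.
SEEN_RANGES = {"192.168.1.0/24", "10.10.0.0/16", "172.16.5.0/24"}

REQUIRED_COLUMNS = ["Label", "Network", "Latitude", "Longitude", "DHCP"]


def validate_subnet_csv(text, seen_ranges):
    """Return (accepted_rows, errors) for a subnet label CSV.

    accepted_rows is a list of dicts with the DHCP flag converted to bool;
    errors is a list of 'line N: reason' strings, one per rejected row.
    """
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != REQUIRED_COLUMNS:
        return [], ["header: expected %s" % ",".join(REQUIRED_COLUMNS)]
    accepted, errors = [], []
    for lineno, row in enumerate(reader, start=2):   # line 1 is the header
        try:
            # strict=True also rejects ranges with host bits set (1.2.3.5/24)
            net = ipaddress.ip_network(row["Network"].strip(), strict=True)
        except ValueError as exc:
            errors.append("line %d: bad network (%s)" % (lineno, exc))
            continue
        if str(net) not in seen_ranges:
            errors.append("line %d: %s not seen by appliance" % (lineno, net))
            continue
        flag = row["DHCP"].strip().upper()
        if flag not in ("TRUE", "FALSE"):
            errors.append("line %d: DHCP must be TRUE or FALSE" % lineno)
            continue
        try:
            lat, lon = float(row["Latitude"]), float(row["Longitude"])
        except ValueError:
            errors.append("line %d: latitude/longitude not numeric" % lineno)
            continue
        if not (-90 <= lat <= 90 and -180 <= lon <= 180):
            errors.append("line %d: coordinates out of range" % lineno)
            continue
        accepted.append({"label": row["Label"].strip(), "network": str(net),
                         "lat": lat, "lon": lon, "dhcp": flag == "TRUE"})
    return accepted, errors


if __name__ == "__main__":
    rows, problems = validate_subnet_csv(SAMPLE_CSV, SEEN_RANGES)
    for row in rows:
        print("ok  ", row)
    for problem in problems:
        print("skip", problem)
```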
Configuring Subnet DHCP

By default, all Subnets have DHCP enabled. This setting indicates that Darktrace should expect to observe DHCP traffic on the Subnet. If a subnet does not have any DHCP traffic, such as a server network employing static IP addresses, the Threat Visualizer Status page will show “No DHCP” in red for the offending Subnet. Disabling DHCP in the Subnet Admin page will remove this warning.
1. Within the Threat Visualizer, navigate to the ‘System Status’ page in the main menu under ‘Admin’.
2. Scroll down and review the Subnets section. Locate any Subnets with ‘No DHCP’ in red. If this is a static subnet, you can remove this warning.
3. Navigate to the ‘Subnet Admin’ page in the main menu under ‘Admin’ and locate the corresponding entry. Set the DHCP value to ‘No’ for the Subnet and save the changes.
4. Return to the System Status page and confirm that the ‘No DHCP’ warning is now grey.
Label Key Devices

For ease of identification and prioritization, it is recommended that the most important 20-30 devices are labelled. For example, labelling the Domain Controllers as DC1 and DC2 can assist in identifying these key assets. Labelling a device is particularly helpful for devices that do not have a hostname, where the hostname is ambiguous, or where a device deviates from the naming convention. Device labels appear in search results and in any model breaches associated with the device.
1. Within the Threat Visualizer, navigate to the ‘Device Admin’ page in the main menu under ‘Admin’.
2. Choose a device and click the label to begin editing it. Enter a label such as “Mail Server” or “Finance Desktop”, and click away from the label to save your changes.
3. The main Threat Visualizer interface must be refreshed to display any changes.
3. Device Tracking
Requirements: access to the Darktrace Threat Visualizer, credentials for the ‘admin’ user.

Darktrace models every internal device that it observes on a network. This is achieved by analyzing every single packet to determine its source and destination. The most consistent method of tracking IP addresses is by assigning a static IP; in these cases, no configuration is required to instruct Darktrace how to model static devices such as servers. However, in an increasingly connected world of IoT, there may be thousands of IP addresses in use day in and day out that are dynamically re-assigned via DHCP to a large number of constantly changing devices. In the Threat Visualizer interface, there are multiple methods to track dynamic IP addresses. The most suitable method depends on the network traffic available and the deployment scenario.
Tracking by DHCP

Tracking via DHCP is the most reliable and preferred method to track IP address changes, and is enabled by default. To join a network, a device must first obtain an address via DHCP. The DHCP ACK packet contains two necessary ingredients for Darktrace tracking: the device’s assigned IP address and the device’s MAC address. Darktrace will dissect this packet and extract the MAC address. As the MAC address will not change, it can be used as a unique identifier and is therefore the most trusted source for dynamic IP address tracking. This method can mean a device such as a laptop is displayed twice in Darktrace: one device for the connection via a physical Ethernet cable, and another for the Wi-Fi network card. Differentiating the two connections can help Darktrace learn a pattern of life for a device. For example, a user’s behavior can be very different on Wi-Fi when compared to a wired connection: they may check their social media on public Wi-Fi, but never on the corporate LAN.
Tracking by Hostname

Darktrace passively reads hostnames for devices by observing devices making network requests, such as DNS requests for IP addresses, Kerberos logins, and DHCP handshakes. This provides the Threat Visualizer with hostnames as enrichment data, allowing for easy identification of devices beyond an IP or MAC address. If DHCP is unavailable, Darktrace will default to tracking a device by its IP address. Where the device has a dynamic IP address, this tracking may be inconsistent or lost. By configuring tracking by hostname, hostnames can be appended to a device for greater consistency. Hostname tracking can be achieved in three ways:
• Passively look for hostnames in Kerberos traffic.
• Actively poll DNS servers for hostnames.
• Passively look for hostnames in DNS traffic.
Hostnames in Kerberos Traffic
1. Within the Threat Visualizer, navigate to the ‘System Config’ page in the main menu under ‘Admin’.
2. Under ‘Settings’, locate ‘Reassign Device IPs from Kerberos’. When DHCP is not available, setting this to true will enable Darktrace to append hostnames observed during Kerberos authentication. If suitable Kerberos packets are available to Darktrace, it will look for hostnames and reassign IP addresses to them. This is particularly useful if you are unable to poll DNS servers as described below. It is recommended to always set this to true.
Hostnames in DNS Traffic

It is also possible to reassign IPs for client devices based on hostnames observed in DNS traffic and assign them to a network device. When active polling is configured (see Polling DNS Servers to Append Hostnames below), Darktrace will use that method to reassign IPs. Otherwise, passive observation will be used.
1. Within the Threat Visualizer, navigate to the ‘System Config’ page in the main menu under ‘Admin’.
2. Under ‘Settings’, locate ‘Reassign Device IPs from DNS’. Typically, enabling this setting is not recommended unless the other options have been exhausted. Set this field to ‘true’.
Polling DNS Servers to Append Hostnames

When set to poll, Darktrace uses network administration command-line tools (dig commands) to poll DNS servers for an IP address’s hostname when the IP address becomes active on the network. The hostname resolution will be cached for a time set by the operator. As IP addresses change frequently, both the polling and the cache lifetime are critical components.
1. Within the Threat Visualizer, navigate to the ‘System Config’ page in the main menu under ‘Admin’.
2. Under ‘Settings’, locate ‘Poll Network For Hostnames’. Set the value greater than zero to send dig commands. A typical value of 7200 sets the number of seconds to cache the results, enabling network commands to attempt to resolve hostnames. Save your settings.
3. New polling options will appear. The following steps explain each setting so you may select an appropriate value for your environment. Alternatively, follow the worked example below to complete the configuration.

Worked example:
Poll Network For Hostnames: 7200
Poll Network For Hostname Throttle: 10
Poll Network For Hostnames All Subnets: true|false
Poll Network For Hostnames DNS Server: (left empty, so the DNS servers configured via the console are used)
4. Configure the Poll Network For Hostname Throttle setting. When performing active DNS polling, this value throttles the maximum frequency of requests to the specified limit.
5. Configure the Poll Network For Hostnames setting. Set to a value greater than 0 to run ‘dig’ on the network to resolve hostnames for IP addresses. Typically used where no DHCP is available but correct dynamic hostnames are available from DNS. Results are cached for this many seconds. A typical setting is 7200 (two hours).
6. Configure the Poll Network For Hostnames All Subnets setting. When ‘true’, Darktrace runs ‘dig’ to resolve hostnames for IP addresses in all subnets. If false, hostname lookups will not be performed for subnets marked as having tracking by DHCP or unique names.
7. Configure the Poll Network For Hostnames DNS Server setting. Input DNS server details. Enter a maximum of 5, separated by commas. If this field is left empty, polling will be completed using the DNS servers configured via the console.
Tracking by Credentials

Darktrace automatically detects logins via Kerberos and other credentials. By extracting the source IP address and the credential, the system can identify which device is in use at the time. If Darktrace is unable to obtain DHCP or DIG data, credentials can be used to track devices instead. This is most commonly used when Darktrace has no other means of identifying the device than identifying the individuals/users logging into it (e.g. VPN users). Tracking by credentials is configured on a per-Subnet basis in the Threat Visualizer.
1. In the main Threat Visualizer, click on the cube representing the Subnet where you wish to enable tracking by credentials.
2. The Threat Visualizer should pivot to the selected Subnet and the Subnet IP range should appear in the Omnisearch bar. Click the pencil icon beside the subnet range.
3. Review the options available in the ‘Edit Subnet Info’ popup box:
• DHCP
• Track Hostnames
• Track Credentials
4. Review the DHCP setting. The DHCP subnet setting controls whether Darktrace should track devices by DHCP. Note that the DHCP setting can also be changed via the Subnet Admin page. When disabled, Darktrace will track all devices in a subnet by their IP addresses. When enabled, devices are tracked through their MAC addresses. If Track Credentials is to be enabled, DHCP must be disabled.
5. Review the Track Hostnames setting. Setting Track hostnames to ‘Yes’ will force Darktrace to only track devices by hostnames, not MAC addresses. If Tracking Credentials is to be enabled, Track Hostnames must be disabled.
Example Scenario: tracking laptops connecting to a network through a docking station. The IP address seen by Darktrace will remain the same, but multiple laptops could use the docking station during the lifetime of the IP address. Tracking devices by hostname will assist Darktrace in distinguishing between the various laptops.
6. Before Track Credentials is enabled, confirm that DHCP is disabled (step 4). Track Hostnames must also be disabled (step 5).
Example Scenario: shift workers sharing the same desktop device during the day. The device keeps the same DHCP information, but the credentials change. Enabling this setting will automatically create a separate device in Darktrace for each user. The hostname will be a combination of the Subnet and credentials.
Using Log Input to Provide Tracking Data

When DHCP or Kerberos data cannot be retrieved, DHCP or VPN logs can be sent to Darktrace to be parsed. Log Input allows custom log data to be read into Darktrace and mapped to existing devices using the IP or MAC address. Assuming there is little delay in receiving the forwarded log information, it can be a very accurate method of tracking devices. This feature is most commonly used to provide device tracking information, but it can also enrich Darktrace modelling data.
VPN Users

Users who connect to your network remotely via a VPN should be tracked via credentials, as their IP address will constantly change and Darktrace may never see the hostname for the associated device. Entering credentials will always be the first thing that a VPN user needs to do before getting onto your network. For this, Darktrace can ingest VPN logs that can be parsed for the user’s internal IP address in use and the username associated with the traffic.
Other Log Types

DHCP and username data is used to assign hostnames, IP addresses, or credentials to devices. Event data is used to add custom events into Darktrace. Note that this data will not be added to Advanced Search.
Log Input
The Log Input feature is available on the System Config page under the Log Input section. The logs should be sent in syslog format to the IP address of the Darktrace appliance, over UDP/1514. Multiple Types and Patterns can be appended to parse the log data. Once log data is being sent to the appliance successfully, the Load Input option can be used to review a sample of the logs received. Alternatively, check your own log servers to locate a sample and paste it into the ‘Log Input Test’ field. From the sample, a pattern can be entered to automatically match and parse the log, setting variables to specific attributes found in the input.
Grok* patterns are used to extract values into a number of named fields using the syntax %{PATTERN:field}. PATTERN must be one of the built-in shortcut strings or a regular expression surrounded by parentheses. Existing patterns may be reviewed by hovering over the information icon beside Built in Patterns and copying any relevant options. Multiple patterns can be configured, each one mapping to a named type. Patterns can use Perl-compatible regular expressions or one of a number of built-in shortcuts. Each input log line is matched against each applicable configured pattern in the order listed until a match is found. Once a match is found and data is extracted by the associated pattern, no further pattern matching will be attempted.
The following example will take any log that contains date=, look for a field called xauth and assign its value to name, then look for a field called tunnelip and assign its value to ip_address.
Type: TRACK
Match: date=
Pattern: xauth="%{DATA:name}".*tunnelip=%{IP:ip_address}
Click Load Input to fill the field, and Test Input to test your pattern against the sample log. A full list of available fields is available on the configuration page in the Help information tooltip.
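To see how the Match filter, the %{PATTERN:field} syntax and the first-match-wins ordering interact, the following is an added example (not Darktrace code) that implements a minimal grok-style matcher and runs the TRACK rule from the guide, plus a second rule for DHCPACK lines, over constructed sample syslog payloads. The two built-in shortcuts, the DHCP rule and the sample lines are assumptions made for this example.

```python
import re

# Built-in shortcut patterns. These two are constructed for this example in
# the spirit of the grok shortcuts the guide mentions; the appliance's own
# list is shown in its Built in Patterns tooltip.
SHORTCUTS = {
    "DATA": r".*?",
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
}

# %{PATTERN:field}: PATTERN is a shortcut name or a parenthesised regex.
_FIELD_REF = re.compile(r"%\{(\w+|\(.*?\)):(\w+)\}")


def compile_pattern(pattern):
    """Translate a %{PATTERN:field} pattern into a compiled regex whose named
    groups are the field names. Text outside %{...} is passed through as-is."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        if name.startswith("("):
            body = name                      # custom parenthesised regex
        elif name in SHORTCUTS:
            body = SHORTCUTS[name]
        else:
            raise ValueError("unknown built-in pattern %s" % name)
        return "(?P<%s>%s)" % (field, body)
    return re.compile(_FIELD_REF.sub(expand, pattern))


class Rule:
    """One Log Input entry: a type name, a plain 'Match' substring filter, and
    a pattern that is applied only to lines passing the filter."""
    def __init__(self, type_name, match, pattern):
        self.type_name = type_name
        self.match = match
        self.regex = compile_pattern(pattern)


# Rules in the order they would be listed in the configuration. The first is
# the guide's own VPN example; the DHCP rule is constructed for this example.
RULES = [
    Rule("TRACK", "date=", r'xauth="%{DATA:name}".*tunnelip=%{IP:ip_address}'),
    Rule("DHCP", "DHCPACK",
         r"DHCPACK on %{IP:ip_address} to "
         r"%{((?:[0-9a-f]{2}:){5}[0-9a-f]{2}):mac} \(%{DATA:hostname}\)"),
]


def parse_line(line, rules):
    """Return (type, fields) from the first rule whose Match string is present
    and whose pattern matches; None if no rule applies to the line."""
    for rule in rules:
        if rule.match not in line:
            continue
        m = rule.regex.search(line)
        if m:
            return rule.type_name, m.groupdict()
    return None


def parse_lines(lines, rules):
    return [parse_line(line, rules) for line in lines]


# Constructed sample syslog payloads (not captured from any real device).
SAMPLE_LOGS = [
    'date=2019-03-04 time=09:15:02 devname=fw1 logdesc="SSL VPN tunnel up" '
    'xauth="jbourne" tunnelip=10.212.134.5 remip=203.0.113.7',
    'Mar  4 09:17:00 dhcpd: DHCPACK on 192.168.1.23 to 00:11:22:33:44:55 '
    '(LAPTOP-42) via eth0',
    'date=2019-03-04 time=09:20:00 devname=fw1 logdesc="Admin login" '
    'user="admin"',
]

if __name__ == "__main__":
    for line, result in zip(SAMPLE_LOGS, parse_lines(SAMPLE_LOGS, RULES)):
        print(result)
```

The third sample line contains date= but no xauth field, so the TRACK pattern fails and the line falls through to the remaining rules rather than being partially parsed.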
Additional Device Tracking Notes

Darktrace provides support for multiple feeds into the appliance. In a Unified View deployment, logs must be fed to the relevant slave master appliance, as each slave master appliance is a separate entity. For example, if Slave Master A is modelling Device X, then any logs pertaining to Device X must be sent to Slave Master A. Please note, a physical appliance may be both a slave master and running the Unified View server.
4. LDAP Authentication and Enrichment of User Details
Requirements: access to the Darktrace Threat Visualizer, credentials for the ‘admin’ user.

The Threat Visualizer supports connections to LDAP servers such as Active Directory. This integration can be configured to provide the following additional functionality:
• Enable authentication to the Threat Visualizer interface using credentials from an LDAP server.
• Enrich user details in the Threat Visualizer by providing additional LDAP attributes for users.
1. Within the Threat Visualizer, navigate to ‘System Config’ in the main menu under ‘Admin’.
2. Scroll down and locate the LDAP section. By default, only LDAP Server is displayed. Enter an LDAP server IP address or hostname and press the enter key. For additional configuration (such as a port number or SSL), review the tooltip by hovering over the information icon.
3. Confirm that additional configuration fields are now available. These will now be addressed in logical order, rather than alphabetical. For additional information about each field, hover the mouse pointer over the blue information icons.
4. To enable authentication and gain additional metadata, the LDAP User Attribute can be configured. This field provides an LDAP attribute to match credentials with: the name of the field in LDAP containing a user’s name.
5. Setting LDAP Authentication to True will enable users to log in to Darktrace using LDAP credentials. Note, this option cannot be used with unencrypted LDAP connections.
6. For the LDAP Username, specify a username with credentials to access the LDAP server. For example:
[email protected] cn=darktrace,dc=examplecompany,dc=com
7. An LDAP Password must be set to connect to an LDAP Server.
8. The LDAP Authentication Group Value can restrict usage of LDAP authentication to specific groups: only users belonging to the group specified as the field value can gain access to Darktrace. This is an optional attribute, which can be left blank if it is not required. Wildcard asterisks can also be employed to restrict access to groups.
9. There are two methods to encrypt connections to LDAP. Only one option may be enabled at any one time:
• LDAPS (LDAP over SSL)
• LDAP (using STARTTLS)
An LDAP Certificate is optional for both forms of encryption. Omitting a value disables certificate validation; the connection is then still encrypted, but the identity of the LDAP server is not verified.
10. Optionally set LDAP Digest Authentication to true to enable SASL authentication if desired.
11. For the LDAP Group Attribute Name field, set the attribute name used for Group Membership.
12. The path to the LDAP Server location can be set as ldap:// or, via SSL, as ldaps://. When using SSL, LDAP Start TLS must be set to false. Only one encryption method can be used at one time.
13. When not connecting over LDAPS, set LDAP Start TLS to true. For testing purposes, if encryption is not available, set the LDAP server location to ldap:// and LDAP Start TLS to false.
14. If LDAP Server Referrals are in use, set this field to true.
15. For the moment, leave the LDAP Test User and LDAP Attributes with their default values. Set the LDAP Base path to identify the users in the LDAP tree. For example: ou=users,dc=company,dc=com
16. Before confirming all changes, it may help to test the connection. Set the LDAP Test User to a valid user identified by the Threat Visualizer. Changes must be saved before testing. Scroll down to the ‘Save all Settings’ button or press enter when editing a field value to save.
17. Scroll down to the Test LDAP button. An LDAP success message is displayed if a connection is established. A warning will appear if the communication is not encrypted.
18. Hover the mouse over the LDAP success information icon to view more details. This returns a list of attributes for the test user. An example list of attributes is shown below. The attributes list displays all attributes that can be appended to the Threat Visualizer interface. This attribute list has both mapped and unmapped attributes: mapped attributes are attributes already shown in the interface; unmapped attributes list all the LDAP attributes which are available, but not currently shown in the interface.

Mapped attributes
Name: James Bourne
Email: [email protected]

Unmapped attributes
Expires: 92237827382370833
cn: James Bourne
countryCode: UK
distinguishedName: CN=james bourne, OU=people, DC=company, DC=local
lastLogoff: 0
lastLogon: 13387832738738378
logonCount: 2287
memberOf: CN=packages, OU=groups, DC=company, DC=local
name: James Bourne
mail: [email protected]
objectClass: user
phone: 123456789
...
19. To append values as mapped attributes, review the LDAP Attributes field. Attributes are set as key-value pairs - e.g. Email=mail. The first part (here, Email) can be any term shown in the interface. The second term (here, mail) must be specifically returned by LDAP or no value will be found.
20. After making changes, the Threat Visualizer will not update until the next user logs in and their credentials are captured. Once refreshed, the new attributes from LDAP can be viewed in the Device View. Select a device and hover over it to view additional details set in the LDAP Attributes field. This could include the name, email, group, and telephone number.
21. When logging in for the first time after LDAP is enabled, navigate to Group Admin under the Admin menu. Any groups for a user in LDAP matching the LDAP Authentication Group Value will be automatically created. In this example, an LDAP Authentication Group Value of *darktrace* has created a DarktraceAnalyst group that the user belongs to. When a new Group is created, ensure that permissions for the group are updated in Group Admin to match the desired authorization. Note, additional groups can be appended by setting the LDAP Populate Groups field.
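The attribute mapping in step 19 and the wildcard group value in steps 8 and 21 are easy to get subtly wrong (a label mapped to an attribute LDAP never returns, or a wildcard that matches no group and locks everyone out). The following added example, which is not Darktrace code, models both: it parses an LDAP Attributes value into mapped and unmapped sets against a constructed attribute listing like the one above, and evaluates a wildcard group value against the user's memberOf groups. Comma-separated key=value pairs and case-insensitive wildcard matching on the group CN are assumptions of this example.

```python
import fnmatch

# Constructed attribute set modelled on the test-user listing in the guide.
# Values are illustrative, not a real directory entry.
LDAP_RESULT = {
    "cn": "James Bourne",
    "name": "James Bourne",
    "mail": "jbourne@company.local",
    "phone": "123456789",
    "countryCode": "UK",
    "logonCount": "2287",
    "memberOf": [
        "CN=packages,OU=groups,DC=company,DC=local",
        "CN=DarktraceAnalyst,OU=groups,DC=company,DC=local",
    ],
}


def parse_attribute_map(value):
    """Parse the LDAP Attributes field, e.g. 'Email=mail, Telephone=phone'.
    Comma-separated key=value pairs are assumed; the key is the label shown
    in the interface and the value is the LDAP attribute name."""
    mapping = {}
    for pair in value.split(","):
        pair = pair.strip()
        if not pair:
            continue
        label, sep, attr = pair.partition("=")
        if not sep or not label.strip() or not attr.strip():
            raise ValueError("malformed pair %r" % pair)
        mapping[label.strip()] = attr.strip()
    return mapping


def split_attributes(result, mapping):
    """Return (mapped, unmapped, missing): mapped is label -> value for every
    mapping whose LDAP attribute was returned, unmapped holds the remaining
    LDAP attributes, and missing lists labels whose attribute LDAP did not
    return (the guide notes no value is found for those)."""
    mapped, missing, used = {}, [], set()
    for label, attr in mapping.items():
        if attr in result:
            mapped[label] = result[attr]
            used.add(attr)
        else:
            missing.append(label)
    unmapped = {k: v for k, v in result.items() if k not in used}
    return mapped, unmapped, missing


def rdn_value(dn):
    """First RDN value of a DN, e.g. 'CN=packages,OU=...' -> 'packages'."""
    return dn.split(",")[0].partition("=")[2].strip()


def matching_groups(member_of, group_value):
    """Groups whose CN matches the LDAP Authentication Group Value wildcard
    (e.g. '*darktrace*'). Case-insensitive matching is assumed. An empty
    group value imposes no restriction, so every group matches."""
    names = [rdn_value(dn) for dn in member_of]
    if not group_value.strip():
        return names
    pattern = group_value.strip().lower()
    return [n for n in names if fnmatch.fnmatchcase(n.lower(), pattern)]


def login_allowed(member_of, group_value):
    """An LDAP login is permitted when the group value is blank (the field is
    optional) or at least one of the user's groups matches it."""
    if not group_value.strip():
        return True
    return bool(matching_groups(member_of, group_value))


if __name__ == "__main__":
    attr_map = parse_attribute_map("Email=mail, Telephone=phone, Department=department")
    mapped, unmapped, missing = split_attributes(LDAP_RESULT, attr_map)
    print("mapped:", mapped)
    print("missing (no value will be shown):", missing)
    print("groups created for *darktrace*:",
          matching_groups(LDAP_RESULT["memberOf"], "*darktrace*"))
```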
5. Configuring HTTPS Certification
Requirements: access to the Darktrace Threat Visualizer, credentials for the . ing a valid HTTPS certificate will prevent the web browser warning that the connection to the Threat Visualizer uses an invalid certificate. For example, in the Chrome browser, this is indicated by a red line through the ‘https’ part of the URL and may also present the with a warning that must first be dismissed before accessing the Threat Visualizer interface. Darktrace Appliances are shipped with a self-signed certificate for the hostname “dt-XXXX-YY” - the internal appliance hostname as designated by Darktrace. Self-signed certificates are often not trusted by web browsers and therefore a warning may be displayed when accessing the appliance. Additionally, it is common practice for companies to have their own appliance naming conventions, and it is likely the Darktrace designated name will not fit into such a scheme. The following instructions detail how to configure a TLS/SSL certificate for a Darktrace appliance. 1. Within the Threat Visualizer, navigate to the ‘System Config’ page in the main menu under ‘’. Scroll down and locate the HTTPS Certificate section. Click ‘New’. 2. A series of fields will appear requesting additional information. Complete as much information as possible. At a minimum, populate the Country and Fully Qualified Domain Name.
3. Once the minimum number of fields are complete, the Generate CSR button will become available. By clicking ‘Generate CSR’, the supplied information is used to generate a Certificate Signing Request in PEM format.
4. The CSR should be copied to a file and provided to a Certificate Authority such as Digicert or GoDaddy, who will provide a certificate in return for a nominal fee. Alternatively, a local certificate authority may be used, provided the facility is available and users of the appliance are likely to have the root certificates present on their connecting clients.
5. Upon receiving the certificate back from the Certificate Authority, return to the HTTPS Certificate section and paste the PEM encoded contents of the certificate into the Certificate field. Click Save to apply the change. Reload the Threat Visualizer and confirm that the invalid certificate warning has gone.
6. Configuring Email Alerts
Requirements: access to the Darktrace Threat Visualizer, credentials for the admin user.
Darktrace offers a number of alerting types and export options; the simplest form is Email alerts. Multiple email addresses may be entered as recipients for these alerts. Email Alerting is especially important for teams that do not have enough time to regularly check the Threat Visualizer and would rather be notified of specific alerts only. Some organizations may prefer to send all model breaches to a central SOC team, while others prefer to configure the Email Alert so they are only alerted to the most serious model breaches. Note, emails are only sent when a model is set to alert. To view this setting, edit a model and confirm that the Action setting has ‘Alert’ highlighted.
1. Within the Threat Visualizer, navigate to the ‘System Config’ page in the main menu under ‘Admin’. In the Alerting section, set ‘Email Alerts’ to true.
2. Save the change. Scroll down to the ‘Save all Settings’ button or press enter when editing a field value to save. The page will refresh, revealing email-specific configuration fields.
Email Alerts: true
Email Date Field: false
Email HTML Format: true
Email JSON Format: false
Email Password: <empty>
Email Recipients: [email protected]
Email Sender Email Address: [email protected]
Email Sender Name: Darktrace Appliance
Email Server: mail.company.com
Email Server Port: 25
Email Server SSL: false
Email Server TLS: true
Email Username: <empty>
3. Complete the configuration using the example above, substituting in the appropriate details. If extended configuration fields such as a JSON format alert or Email Date Field value are required, enter a valid recipient and save the changes. These fields should now become available. Note, both the Email Sender Name and Email Sender Email Address are required fields.
4. Review the following three options at the bottom of the Alerting section:
- Minimum Alert Priority
- Minimum Alert Score
- Model Expression
These settings control when an email alert should be generated for a particular model breach. If more than one alert condition is configured, a model breach must meet all criteria to generate an alert.
5. Optionally set a value for Minimum Alert Priority. Every Model has a priority from 0-5 indicating the breach severity. Providing a minimum alert priority of 1 to 5 will restrict emails to models that fire with a priority equal to or greater than that number.
6. Optionally set a value for Minimum Alert Score. The Alert score is displayed when hovering over the coloured line to the left of a model breach. The score is a percentage representing the overall priority of a breach and can be filtered with a slider in the main Threat Visualizer. For example, setting the Alert score to 60 will only send emails for breaches that have a 60% or higher threat score.
7. Optionally set a Model Expression to control alerts. Regular expressions can be entered in the Model Expression field to restrict email alerts to model names that match a certain regex value.
8. Once all fields are completed and the alert priority is set, save the changes to reveal an Alert Settings button. Click this button to send a test email and check that all settings are correct.
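The three conditions in steps 4 to 7 combine as a logical AND, and a model whose Action is not set to Alert never produces an email. The following added example (not Darktrace code) models that decision over a few constructed breaches so the effect of each setting can be checked before alerts are pointed at a SOC mailbox; the data classes, field names and sample breaches are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class EmailAlertSettings:
    """The three alert conditions at the bottom of the Alerting section."""
    min_priority: Optional[int] = None      # Minimum Alert Priority, 1-5 (None = unset)
    min_score: Optional[int] = None         # Minimum Alert Score, percent (None = unset)
    model_expression: Optional[str] = None  # Model Expression, a regex on the model name

    def __post_init__(self):
        if self.min_priority is not None and not 1 <= self.min_priority <= 5:
            raise ValueError("Minimum Alert Priority must be 1-5")
        if self.min_score is not None and not 0 <= self.min_score <= 100:
            raise ValueError("Minimum Alert Score is a percentage (0-100)")
        if self.model_expression is not None:
            re.compile(self.model_expression)  # fail early on a bad regex


@dataclass
class ModelBreach:
    model_name: str
    priority: int        # model priority 0-5
    score: int           # breach score in percent
    alert_action: bool   # True when the model's Action has 'Alert' highlighted


def should_email(breach: ModelBreach, settings: EmailAlertSettings) -> bool:
    """Every configured condition must hold; a model not set to alert never emails."""
    if not breach.alert_action:
        return False
    if settings.min_priority is not None and breach.priority < settings.min_priority:
        return False
    if settings.min_score is not None and breach.score < settings.min_score:
        return False
    if settings.model_expression and not re.search(settings.model_expression, breach.model_name):
        return False
    return True


def select_alerts(breaches: List[ModelBreach], settings: EmailAlertSettings) -> List[str]:
    """Names of the models whose breaches would be emailed under these settings."""
    return [b.model_name for b in breaches if should_email(b, settings)]


# Constructed sample breaches; model names and scores are illustrative only.
SAMPLE_BREACHES = [
    ModelBreach("Compromise::Beaconing", priority=4, score=72, alert_action=True),
    ModelBreach("Device::New User Agent", priority=2, score=65, alert_action=True),
    ModelBreach("Compromise::Ransomware", priority=5, score=55, alert_action=True),
    ModelBreach("Compromise::SSL Beaconing", priority=4, score=80, alert_action=False),
]

# Only serious Compromise breaches scoring at least 60% reach the mailbox.
SAMPLE_SETTINGS = EmailAlertSettings(min_priority=3, min_score=60,
                                     model_expression=r"^Compromise::")

if __name__ == "__main__":
    print(select_alerts(SAMPLE_BREACHES, SAMPLE_SETTINGS))
```

Run with no conditions set, every alert-enabled breach is emailed; the fourth sample breach is dropped in both cases because its model is not set to alert, which is the first thing to check when an expected email never arrives.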
7. Registering the Darktrace Mobile App
Requirements: access to the Darktrace Threat Visualizer, credentials for the admin user.
Available for iOS and Android, the Darktrace mobile app allows users to easily access Enterprise Immune System Alerts when they are on the move. In order to associate the Darktrace Mobile app with your Darktrace deployment, the Threat Visualizer must be authorized to send alerts via IMAP. The permission ‘Register mobile app’ is necessary to perform these configuration steps. Please see Section 8 below for further details on user administration and permissions.
1. Within the Threat Visualizer, navigate to the ‘System Config’ page in the main menu under ‘Admin’. In the Alerting section, set ‘Mobile App Alerts’ to true. Scroll down to the ‘Save all Settings’ button or press enter when editing a field value to save.
2. Saving the changes should expose additional configuration options. Complete your details using the example below.
Mobile App Alerts: True
Mobile App Antigena: True
Mobile App IMAP Address: [email protected]
Mobile App IMAP Internal Hostname:
Mobile App IMAP Password: <password>
Mobile App IMAP Port: 993
Mobile App IMAP Server: imap.example.com
Mobile App IMAP Server SSL: true
Mobile App IMAP Server TLS: false
Mobile App IMAP Username: [email protected]
Mobile App Restricted View: False
3. Optionally review the following alert options at the bottom of the Alerting section:
- Minimum Alert Priority
- Minimum Alert Score
- Model Expression
These settings are covered in detail in Section 6, steps 4-7.
4. After completing the alerting configuration, return to the main Threat Visualizer and navigate to Settings on the main menu. The ‘Register Mobile App’ option should now be available. Click ‘Register Mobile App’ to reveal a QR code.
5. On your smartphone, open the appropriate App store and search for Darktrace. The Darktrace iOS app is available on the App Store, and the Android app is available on Google Play. Download the Darktrace app.
6. Open the Darktrace app. You will be prompted to authenticate with the Darktrace appliance. Press ‘Next’ to proceed.
7. The app will request permission to use your smartphone camera. Use the camera to scan the QR code in the Threat Visualizer generated in step 4. The app should now authenticate. Further information on registering the app can be found in the Threat Visualizer Guide.
8. User Administration
Requirements: access to the Darktrace Threat Visualizer, credentials for the admin user.
User Admin provides options to control access and restrict privileges for users within the Threat Visualizer application. It can be accessed by navigating to Admin, User Admin. User privileges can be configured by enabling values in blue, and then clicking the Save button. By default, the ‘admin’ user will possess all available privileges. User access can also be controlled by creating groups in the Group Admin page and assigning specific permissions to each group.
Available Permissions
The following permissions are available:
Visualizer: Access to the Threat Visualizer interface.
Edit Models: Make changes to Models. Using tags can be a good way of tuning models without requiring access to edit a model.
Device Admin: Lists all devices observed by Darktrace. This is particularly useful for searching, bulk tagging, or changing device types. Typically for admins only.
Subnet Admin: Lists all subnets, labels, and whether DHCP is enabled. Typically for admins only.
Audit Log: Lists captured behavior such as logging into Darktrace. Typically for admins only.
Admin: Controls access to admin privileges. Typically for admins only.
Group Admin: Controls access to group admin privileges. Typically for admins only.
Advanced Search: Advanced Search provides a deep insight into network traffic, making every connection searchable. An excellent tool for investigating suspicious activity, but may be restricted to more privileged positions due to the insight granted.
Status: For admins and developers to check the system health of the Darktrace appliance, probes, and network traffic.
Acknowledge Breaches: Enables users to acknowledge model breaches. Any user investigating breaches should likely have access to this role. Recommended for all but the most restricted users.
Discuss Breaches: Makes comments on model breaches. Very useful for controlling and highlighting which users are working on a model. Recommended for all but the most restricted users.
Edit Domains: Make changes to domain information. Typically for admins only.
Configuration: Make changes to the System Configuration page. Typically for admins only.
API Help: Provides information on the Threat Visualizer API. Recommended for all admins and developers.
View Models: To help understand how a model breach occurred, it is recommended that all users have access to View Models. Note there is a separate privilege for editing models (Edit Models), which is much more restricted.
One Click Analysis: Provides a quick view of the model breach to assist in identifying and investigating model breaches. Recommended for all users performing threat analysis.
Create PCAPs: Enables users to create Packet Captures in the Threat Visualizer application. Recommended for users familiar with Wireshark or Darkshark.
Download PCAPs: Allows users to download created Packet Captures. Recommended for users familiar with Wireshark or Darkshark.
Antigena: Enables Antigena functionality. The Darktrace appliance must be configured to enable Antigena.
View Messages: View comments on model breaches. Very useful to control and highlight which users are working on a model. Recommended for all but the most restricted users.
Unrestricted Devices: When enabled, users can view all credentials that have accessed a device. Disabling this option restricts users to an obfuscated view. Recommended for restricted users.
Download TIRs: Enables users to download Threat Intelligence Reports.
Ask the Expert: Ask analysts questions about particular Model breaches. This will open a window to drag and drop breach log details and post questions.
Dynamic Threat Dashboard: Provides access to the Dynamic Threat Dashboard.
Register Mobile App: Register the Darktrace Threat Visualizer Mobile App. The Mobile App IMAP settings in the Alerting section of the System Config must be set before this feature can be employed. Enabling this functionality provides users with access to a link on the Settings window.
Recommended Access Settings
Three access configurations are covered below. These profiles encompass common roles utilized by organizational security teams when using Darktrace.
(a) Basic threat analysis with obfuscation privileges
Users with this access are unable to identify users of a particular device, but can make comments and acknowledge breaches. They do not have access to Advanced Search, nor do they have the privileges to change and administer settings.
[Permission checklist for profile (a); the enabled permissions are shown as a screenshot in the original.]
(b) Full threat analysis privileges
The following options provide full threat analysis with Advanced Search and the capability to identify users. Packet Capture and Antigena are also available.
[Permission checklist for profile (b); the enabled permissions are shown as a screenshot in the original.]
(c) Full administration privileges
Full administration access to change system configuration and perform detailed threat analysis. Typically, this level is granted to System Admins only.
[Permission checklist for profile (c); the enabled permissions are shown as a screenshot in the original.]
Anonymization Mode
Darktrace’s technology has been designed with protection and controls in place that allow customers to comply with a range of privacy and confidentiality policies. Anonymization Mode can be configured for enhanced anonymization on a per-user basis. Importantly, this mode only impacts Client machines in Darktrace. It does not impact any Server device types. If set, this mode anonymizes various aspects of the data seen by Darktrace, in order to protect the privacy of employees and to comply with European privacy laws. Anonymization Mode includes the following features:
- The last octet of IPv4 addresses is anonymized. For example, 192.168.0.22 is anonymized to 192.168.0.#36178
- Hostnames are anonymized. For example, some.companydomain.internal is anonymized to #63680206
- Credentials are not displayed
- No PCAPs can be generated
- Access to Advanced Search is restricted
The accompanying Subnet view shows Anonymization Mode enabled: the hostname and IP address have been automatically anonymized.
If an incident is identified in Anonymization Mode, an analyst can seek internal approval to conduct an in-depth investigation with more visibility. Once approval is given, the analyst switches to a higher-privileged user that does not run in anonymization mode, allowing the analyst to conduct a thorough investigation of the incident. This mode grants enough visibility for analysts to conduct initial triage and identify incidents, without risking exposing the identity or privacy of employees or other users on a network.
Enabling Anonymization Mode
1. Within the Threat Visualizer, navigate to the ‘User Admin’ page in the main menu under ‘Admin’.
2. Deselect the ‘Unrestricted Devices’ option and save the changes. Repeat for all users intended for anonymization.
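As an added illustration of the anonymization described above (not Darktrace's implementation, whose token format and derivation the page does not describe), the example below produces keyed, deterministic pseudonyms in the same shape as the page's examples, keeps the first three IPv4 octets, and leaves Server device types untouched. The key, the digit lengths and the Device structure are assumptions made for the illustration.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

# Constructed demo key. A real deployment would hold this secret outside the
# analyst's reach so that pseudonyms cannot be reversed by brute force.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def _token(key: bytes, value: str, digits: int) -> str:
    """Keyed, deterministic numeric pseudonym in the '#NNNNN' style.

    HMAC-SHA256 gives the same token for the same input under the same key, so
    the pseudonymized value is still usable for correlation, while an analyst
    without the key cannot recover the original.
    """
    mac = hmac.new(key, value.lower().encode("utf-8"), hashlib.sha256).digest()
    return "#" + str(int.from_bytes(mac[:8], "big") % 10 ** digits).zfill(digits)


def anonymize_ip(key: bytes, ip: str) -> str:
    """Replace only the last octet, as in 192.168.0.22 -> 192.168.0.#NNNNN."""
    addr = ipaddress.ip_address(ip)          # raises ValueError on garbage input
    if addr.version != 4:
        raise ValueError("only IPv4 last-octet anonymization is described")
    first_three = ".".join(ip.split(".")[:3])
    return f"{first_three}.{_token(key, ip, 5)}"


def anonymize_hostname(key: bytes, hostname: str) -> str:
    """Replace the whole hostname with a numeric token, as in #63680206."""
    return _token(key, hostname, 8)


@dataclass
class Device:
    ip: str
    hostname: str
    device_type: str   # assumed values such as "Client" or "Server"


def anonymize_device(key: bytes, dev: Device) -> Device:
    """Clients are anonymized; server device types are returned unchanged."""
    if dev.device_type.lower() != "client":
        return dev
    return Device(anonymize_ip(key, dev.ip),
                  anonymize_hostname(key, dev.hostname),
                  dev.device_type)


if __name__ == "__main__":
    sample = Device("192.168.0.22", "some.companydomain.internal", "Client")
    print(anonymize_device(DEMO_KEY, sample))
```

Two points the page's wording implies but does not spell out: the subnet prefix survives, so an analyst can still triage by network segment, and a keyed token is what makes the obfuscated view safe to show to a restricted user, since an unkeyed hash of a 256-value last octet would be trivially reversible.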
9. Upgrading Darktrace Models
Requirements: access to the Darktrace Threat Visualizer, credentials for the admin user.
When a software upgrade bundle is applied, any changes to Darktrace models (such as new or updated models) will also be performed. Where software upgrades are set to pre-cache, model updates will be pushed to the Interface for automatic update or approval even if the full software bundle is not yet applied. Separate to this software upgrade process, updates to Darktrace models are delivered on a regular basis to the Threat Visualizer when Call-Home is enabled.
Whether a model is updated automatically or not is decided by the following process (shown in the original as a flowchart), starting when Darktrace updates a model:
- Is the model an Antigena Model? (TRUE / FALSE)
- Has the model been edited by a non-Darktrace user? (TRUE / FALSE)
- Is Auto-update ‘True’ in the System Config? (TRUE / FALSE)
- Is Auto-update set to ‘Yes’ on the model? (TRUE / FALSE)
Depending on the answers, the outcome is either ‘Model updated automatically’ or ‘Manual confirmation required’.
Model updates can be deployed via two methods, auto-update and manual confirmation. Manual confirmation can be applied on a model-by-model basis or across all models. In this mode, an operator must confirm all model updates before application. Antigena Models will never be updated automatically.
Auto-updating Models
1. Within the Threat Visualizer, navigate to the ‘System Config’ page under ‘Admin’ on the main menu.
2. Under Settings, confirm that Auto Update Models is ‘true’.
3. Additionally, confirm the setting for ‘Auto Update Models Maintain Tags’. True will preserve any tags added to the model when auto-updating, a useful setting if models have been mapped to specific use-cases or an existing playbook. False will overwrite any tags on a model during an auto-update.
4. Edit any Model in the Threat Visualizer and confirm that the Auto Update setting is ‘Yes’. When set to Yes, this model will automatically download the latest version when it is released.
Manual Confirmation
1. If models are not updated automatically due to any of the conditions listed above, a message will appear on the home page of the Threat Visualizer stating that ‘x’ number of model updates are available and require review. Clicking this blue notification will redirect the user to the Model Updates page. The Model Updates page can be accessed at any time from the main menu under ‘Models’. Any new models created or duplicated will not be impacted by automatic updates.
2. The Model Updates page lists all Models which have been customized but have new updates available. Click on a Model row to reveal more options.
3. For each model, each revision will appear as a separate line with a short description of the changes and options to Accept, Decline or View them.
4. The ‘Active’ model is the current version active on your deployment. Clicking the View button will display the current Model settings with the option to view the new upgrade.
5. Click ‘View Upgrade’ to see the newest version of the model. You may Ignore or Accept the changes. Accepting the changes will permanently update the Model. Be careful not to overwrite any changes. If you wish to preserve your changes to a model but are concerned about delaying any important updates, one method is to duplicate the model and then upgrade the original. The duplicated model will retain the original logic with your changes and can be revised to match the upgraded version at your convenience.
10. Host Variable Configuration
Requirements: access to the Master appliance console, credentials for the console user.
Darktrace provides several custom configuration options which may be appropriate for your environment. These configuration options are accessed via the console and will help to access, use and administer the appliance and ensure any internal policies are adhered to. The available host variables may change from version to version, dependent on requirements. Each option is described in detail when selected from the console menu.
Available Host Variables:
1. Use highly compatible ssh ciphers: Configures the SSH server to use a highly compatible set of ciphers. Disabling this option increases the security of the SSH server.
2. HTTPS: Disable SHA1 ciphers and TLS protocols < 1.2: Enabling this option restricts the cipher suite in use by the HTTPS server and disables TLS protocols other than TLS v1.2.
3. UI session expiry length: Sets the number of minutes after which UI sessions are logged out due to inactivity.
4. Enforce two factor authentication: Enabling this option requires that all users of the Threat Visualizer provide a second credential to access the interface. Two-factor authentication can be individually enabled for specific users in the User Administration page on the Threat Visualizer interface.
5. Set MTU Configuration: This option sets the maximum transmission unit (MTU) size that can be communicated over the network.
6. CVE-2017-5754 Intel “Meltdown” patch: Enabling this option applies the kernel patch to mitigate the Meltdown vulnerability (Kernel page table isolation). A reboot is required for changes to take effect. For more details, please refer to “Darktrace Threat Note Meltdown and Spectre.pdf”, available to download from the Darktrace Customer Portal.
7. Set alternative TSA port: Sets the Terminal Services Agent (TSA) to post data to the appliance on port 1443.
8. Block Darktrace from generating PCAPs: Restricts the ability to generate PCAPs for the Darktrace user.
9. Set DHCP hostname encoding: Changes the encoding for DHCP hostnames. The Windows DHCP client transfers computer hostnames using the system encoding. Organizations with Windows machines configured to use non-ASCII character sets by default may wish to change this setting.
10. Generate weekly Executive Threat Report: Automatically generates an Executive Threat Report every Sunday at midnight UTC. Please note, this feature will not run on probes or individual masters underneath a Unified View instance.
Modifying Host Variables
To modify the following host variables, access to the appliance console is required.
1. Log in to the console menu and select 3. Appliance Admin.
2. Select option 5. Configure host variables.
3. The Host variables menu shows all the currently available configuration options. Select a desired variable.
4. After selecting an option, an explanation of the setting will be displayed. For the majority, pressing the space bar will toggle the setting on or off. On is indicated by an asterisk [*]. Variables which require a value will allow for text entry.
11. Creating Backups
Requirements: access to the Master appliance(s) console, credentials for the console user, credentials for the transfer user.
The Darktrace Threat Visualizer application includes configuration options to back up your Darktrace appliances. A backup includes all Darktrace machine learning, models, breaches, as well as subnet and device information, and configuration settings on the Threat Visualizer GUI. It does not include transactional data such as connections in the Event Log, Advanced Search entries and PCAP files, nor configuration settings on the console menu. A backup will take approximately 2GB of storage space, although actual size may vary, and can be created either manually or automatically on a daily schedule. In networks with Probe and Master appliances, only the Master appliance needs to be backed up. In Unified View deployments, or if more than one Master is being used, make sure to back up all Masters.
Create an Immediate Backup
A backup file can be manually created through the appliance console and accessed via SFTP by the transfer user.
1. On a Master appliance, log in to the console menu and select 4. Backup and Restore.
2. A range of backup options are available. Select 1. Backup locally now.
3. A warning will appear stating that Darktrace appliances can only be restored from a backup of the same software version. Select ‘Yes’ to proceed.
4. The Backup file is created in the /files directory. This directory can be accessed by the transfer user via SFTP.
Create Scheduled Backups
Backups can be automatically created on a daily basis and uploaded to a specified remote server via SFTP or SMB.
Creating Scheduled Backups over SFTP
1. On a Master appliance, log in to the console menu and select 4. Backup and Restore.
2. A range of backup options are available. Select 2. Scheduled backup configuration.
3. When accessing this feature for the first time, a prompt may appear stating ‘Backup configuration not set’. Confirm ‘OK’ to proceed. The next screen will ask if you wish to change the configuration at this time. Select ‘Yes’ to proceed.
4. Choose a protocol over which to transfer backups. Select SFTP. Selecting none disables scheduled backups.
5. Enter the IP address or hostname of the remote server intended to receive the backup files and proceed.
6. Enter a port on the backup server and confirm.
7. Enter a user to authenticate against for the server and confirm.
8. Enter a path on the server where the backup will be sent and confirm.
9. Enter the hour, minute and second in UTC for the daily backup and confirm.
10. Confirm your configuration options and select ‘Yes’ to proceed. Please note, the public key is generated in the /files directory, which can be accessed by the transfer user via SFTP. This key must be added to the .ssh/authorized_keys file for the user configured on the remote backup server. The key can also be regenerated from 4. Generate/regenerate SFTP transfer key under the Backup and Restore submenu.
11. Optionally test the configuration. Configuration can be tested at any time from 3. Test backup transfer under the Backup and Restore submenu.
Creating Scheduled Backups over SMB
1. On a Master appliance, log in to the console menu and select 4. Backup and Restore.
2. A range of backup options are available. Select 2. Scheduled backup configuration.
3. When accessing this feature for the first time, a prompt may appear stating ‘Backup configuration not set’. Confirm ‘OK’ to proceed. The next screen will ask if you wish to change the configuration at this time. Select ‘Yes’ to proceed.
4. Choose a protocol over which to transfer backups. Select SMB. Selecting none disables scheduled backups.
5. Enter the IP address or hostname of the remote server intended to receive the backup files and proceed.
7. Enter the name of the share on the SMB server and confirm.
8. Enter a user to authenticate against for the server and confirm.
9. Set the domain or workgroup that this user is a member of and confirm.
10. Set a password for the user for authentication and confirm.
11. Set the path on the server where the backup will be sent and confirm.
12. Enter the hour, minute and second in UTC for the daily backup and confirm.
13. Confirm your configuration options and select ‘Yes’ to proceed.
14. Optionally test the configuration. Configuration can be tested at any time using 3. Test backup transfer under the Backup and Restore submenu.
Email Notifications for Scheduled Backup Status
Darktrace provides the option to receive email notifications about the success or failure of daily scheduled backups. Scheduled backups must be configured for email notifications to be set.
1. On a Master appliance, log in to the console menu and select 4. Backup and Restore. Under the Backup and Restore submenu, select 6. Configure email alerts.
2. A prompt will describe scheduled backup notifications. Select ‘OK’ to proceed.
3. A further prompt will ask whether you wish to enable notifications. Choose ‘Yes’ to configure email alerts.
4. By default, email notifications are sent when a backup fails. Optionally, notifications can be sent when a backup is successful. Select your preferred configuration option and proceed.
5. Enter an email address to receive notifications.
6. Enter an email address to send notifications from (optional).
7. Enter the hostname or IP address of an SMTP server to send emails via.
8. Select a port for SMTP.
9. Choose whether STARTTLS is to be used.
10. Enter a username to configure SMTP authentication.
11. Enter the password of this user.
12. Confirm the configuration and select Yes to proceed.
13. Optionally send a test email to confirm the configuration process was successful.
12. Restore from a Backup
Requirements: access to the Master appliance console, credentials for the console user, credentials for the transfer user.
The option to restore from a backup is available in the console menu. Transactional data such as connections in the Event Log, Advanced Search entries, and PCAP files are not restored. Before restoring from a backup, check the following:
- Upload the backup file to /files/ in the transfer user's directory via SFTP.
- Confirm the appliance is running the same software version as the backup file, otherwise the restore cannot be performed.
1. On the Master appliance intended for restore, log in to the console menu, and select 4. Backup and Restore.
2. Select 5. Restore from backup.
3. A prompt will appear to warn that a backup must be present before a restoration can occur. Select OK to continue.
4. Select a backup to restore from the list.
5. A prompt will request confirmation for the chosen backup. If this is the correct backup, proceed with the restoration.
6. Please wait for the restoration to complete. Larger backup files will take longer to restore from.
7. A ‘restore completed successfully’ message will confirm restoration was successful.
13. Upgrading the Darktrace Appliance
Requirements: access to the appliance(s) console, access to the Darktrace Customer Portal, access to the Darktrace Threat Visualizer, credentials for the console user, credentials for the transfer user, credentials for the admin user.
This section describes the process for manually upgrading the software version running on a Darktrace appliance. When Call-Home is enabled, Darktrace appliances will automatically be upgraded by Darktrace to the latest release unless the ‘Upgrade requires approval’ option has been selected. In such a case, or when “Call Home” is not enabled, a manual upgrade is required. Upgrading to the latest version of the Threat Visualizer involves the following stages:
- Download the latest bundle (if not downloaded automatically).
- Copy the bundle to all Darktrace Appliances.
- In the Darktrace console, unpack the bundle.
- Install the latest Threat Visualizer version.
- Log in to the Threat Visualizer application and confirm the latest version is installed.
As a Darktrace installation may involve multiple appliances, it is important to ensure that all appliances are upgraded to the same version. Upgrading an appliance will not change any previous settings or overwrite any stored model breaches.
Types of Software Bundle
There are two types of software bundle available, full and differential. Full packages contain the entirety of the Darktrace software needed to upgrade an appliance to the newest version and consequently are larger files. Differential packages are much smaller upgrade bundles and only contain the necessary content to upgrade from the version specified in the file name. Understanding the difference will ensure you download the correct package for your needs.
Full package
A full package can be applied to upgrade an appliance running any older version of the Darktrace software. These software bundles follow the naming syntax:
darktrace-bundle-<new version>_<timestamp>-<hash>-x.dat
Example: darktrace-bundle-31007_20181217T1457Z-983d8-x.dat
Differential package
Differential packages are much smaller files than full packages. Unlike full packages, differential packages can only upgrade appliances running the specific software versions named in the package file name. Differential packages come in two types, delta and xdelta.
Delta Packages
Delta packages can be applied to any software version newer than the version specified in the filename. These software bundles follow the naming syntax:
darktrace-bundle-<new version>-delta<oldest version>_<timestamp>-<hash>-x.dat
Example: darktrace-bundle-31007-delta30911_20181217T1457Z-983d8-x.dat
In this example, any appliance running the oldest version (30911) or newer can be upgraded with this bundle.
Xdelta Packages
Xdelta packages can only be applied to the specific software version included in the filename. These software bundles follow the naming syntax:
darktrace-bundle-<new version>-xdelta<specific old version>_<timestamp>-<hash>-x.dat
Example: darktrace-bundle-30811-xdelta30801_20180726T1426Z-5c186-x.dat
In this example, only an appliance running the specific version (30801) can be upgraded with this bundle.
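Because applying the wrong bundle type is an easy mistake once several files sit in /files/, here is an added example (not a Darktrace tool) that parses the three naming syntaxes above and checks which bundle applies to a given running version. The regular expression, the "full"/"delta"/"xdelta" labels and the selection preference are assumptions derived from the example file names on this page; the file names in the test are those examples.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed grammar, reverse-engineered from the three example file names above:
#   darktrace-bundle-<new>[-delta<old>|-xdelta<old>]_<YYYYMMDDThhmmZ>-<hash>-x.dat
BUNDLE_RE = re.compile(
    r"^darktrace-bundle-(?P<new>\d+)"
    r"(?:-(?P<kind>delta|xdelta)(?P<old>\d+))?"
    r"_(?P<ts>\d{8}T\d{4}Z)-(?P<hash>[0-9a-f]+)-x\.dat$"
)


@dataclass
class Bundle:
    name: str
    kind: str                   # "full", "delta" or "xdelta"
    new_version: int            # version the bundle upgrades to
    old_version: Optional[int]  # version constraint for differential bundles
    timestamp: str
    build_hash: str


def parse_bundle_name(name: str) -> Bundle:
    """Parse a bundle file name; raises ValueError if it does not fit the grammar."""
    m = BUNDLE_RE.match(name)
    if not m:
        raise ValueError(f"not a recognised bundle file name: {name}")
    kind = m.group("kind") or "full"
    old = int(m.group("old")) if m.group("old") else None
    return Bundle(name, kind, int(m.group("new")), old, m.group("ts"), m.group("hash"))


def applies_to(bundle: Bundle, running_version: int) -> bool:
    """Apply the rules stated on the page for each bundle type."""
    if running_version >= bundle.new_version:
        return False                      # nothing to upgrade to
    if bundle.kind == "full":
        return True                       # any older version
    if bundle.kind == "delta":
        return running_version >= bundle.old_version   # old version or newer
    return running_version == bundle.old_version       # xdelta: exact match only


def choose_bundle(names: List[str], running_version: int) -> Optional[str]:
    """Pick the applicable bundle reaching the highest version, preferring the
    smaller differential package when a full one reaches the same version."""
    rank = {"xdelta": 0, "delta": 1, "full": 2}
    candidates = [b for b in map(parse_bundle_name, names)
                  if applies_to(b, running_version)]
    if not candidates:
        return None
    best = max(candidates, key=lambda b: (b.new_version, -rank[b.kind]))
    return best.name


if __name__ == "__main__":
    files = [
        "darktrace-bundle-31007_20181217T1457Z-983d8-x.dat",
        "darktrace-bundle-31007-delta30911_20181217T1457Z-983d8-x.dat",
    ]
    print(choose_bundle(files, 30911))
```

The check is worth running before copying a bundle to every appliance in a multi-appliance deployment, since the page requires all appliances to end on the same version and an xdelta bundle will only apply to the one exact version it names.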
Downloading Bundle files
Software upgrade bundle files can be obtained via automatic download, manual download or from the Darktrace Customer Portal.
Automatic download
A differential package file is automatically downloaded every weekend (if available) when automatic downloads are configured. To check the current settings, access the console and navigate to 2. Software Updates > Guided mode > 3. Configure downloads. To disable all automatic downloads, select None (disable guided updates) under the appropriate submenu.
- Automatic download via Call-Home: Update bundle files are downloaded via Call-Home (Call-Home must be established to select this). This is enabled by default.
- Automatic download over the internet: Alongside the Call-Home SSH connection, Darktrace provides another channel for appliances to automatically download bundle files over the internet via HTTPS. The appliance requires access to packages.darktrace.com (or the cloudfront.net content delivery network, if you prefer) over port 443. A proxy can be configured if required. This method requires a bundle key which can be requested from Darktrace.
Manual download
All current software bundles can be found on the Darktrace Customer Portal. A manual update check can also be performed from the appliance console.
- Manual download via Call-Home: The latest differential package can be downloaded via the console menu. Navigate to 2. Software Updates > Guided mode > 1. Check for updates now.
- Manual download via Customer Portal: The latest bundle file is available in the Customer Portal. Download the file from the website and copy it to the appliance intended for upgrade via SFTP using the transfer user.
Upgrade procedure
You can manually upgrade your appliance using the following procedure. Ensure that your upgrade bundle file is placed on the appliance before starting the upgrade process. If you downloaded a bundle from the Customer Portal, log in to your appliance as the transfer user via SFTP and upload your upgrade bundle file to the /files/ directory.
Guided Mode
1. On the appliance intended for upgrade, log in to the console menu and select 2. Software Updates.
2. Two options are available, Guided mode and Manual mode. Select Guided mode.
3. Review the options available on the Guided mode menu:
[1] Check for updates now: Checks whether any new updates are available. If an update is available it will be downloaded, then unpacked and installed, with a prompt before each step begins.
[2] Unpack and Install updates: Runs through the update process, asking for confirmation before each step.
[3] Configure Downloads: Provides configuration settings for fetching the latest upgrade bundles. See ‘Downloading Bundle Files’ above for further information.
4. Select Check for updates now. The appliance will locate any available updates and proceed through the upgrade process. Confirm each step in turn and the upgrade will run to completion.
Manual Mode
1. On the appliance intended for upgrade, log in to the console menu and select 2. Software Updates.
2. Two options are available, Guided mode and Manual mode. Select Manual mode.
3. Manual mode requires further configuration steps to unpack the downloaded bundle before installation. In the Manual mode submenu, select 2. Unpack downloaded update bundle.
4. A list of available bundles stored on the appliance will appear. Select the newest bundle to install. The latest bundle is always at the bottom of the list. Press OK to continue.
5. A prompt will ask if you wish to unpack the specified bundle. Confirm and proceed. It may take some time for the unpacking operation to complete.
6. Once unpacked, the console will return to the Manual mode submenu. Select 3. Apply update/configuration changes.
7. A confirmation warning will appear. Proceed with the update. If an error occurs, try applying the latest changes a second time. If the error persists, please contact Darktrace Support.
8. A further warning will appear. Upgrading a Darktrace appliance without confirmation from Darktrace may affect your Service Level Agreement. Confirm your understanding and proceed.
9. A final warning will explain that all capture services will be restarted on upgrade. Confirm and proceed.
10. The update process will begin. When finished, press OK to complete the upgrade.
11. Optionally check the status of the services. Select ‘Yes’ if you wish to do so. After the status check you will be logged out of the console. ‘No’ will log you out of the console immediately.
12. Log in to the console menu again to confirm that the software version has updated.
13. Log in to the Threat Visualizer web application and navigate to Admin, System Status under the main menu.
14. On the Status page, confirm that the software version has been updated to the latest version. If so, the upgrade process has been successful.
14. Securely Erasing Captured Data
Requirements: access to the appliance console, access to the Darktrace Customer Portal, credentials for the console admin.
Data erasure is useful when relocating a Darktrace appliance and/or changing its monitoring scope, to start initial deployment ‘baselining’ afresh, or if data needs to be wiped before returning an appliance to Darktrace. There are two options for data erasure: captured data deletion or a factory reset. Both data erasure processes can be performed onsite, provided access to a Darktrace appliance is available. Neither process will affect the appliance Operating System or any Darktrace proprietary software.
The ‘delete captured data’ option will include, but may not be limited to, the following data sets: topology settings (connected probes and their IP addresses), hostnames and popularity (rare hostnames etc.), environmental details (proxies, domains etc.), all modelled devices, breaches and partial breaches, device connectivity states, and backups.
A factory reset will write zeros to all disks and reinstall the operating system and Darktrace software components, rendering the appliance in an as-new state. Darktrace will also fully erase any information on all storage drives for new or returned appliances.
Delete Captured Data
Captured data is erased through the console application. This process also requires an unlock code, provided by a Darktrace representative and exchanged via a secure channel such as text message or the Darktrace Customer Portal.
1. Access the appliance console. From the main menu, select 3. Appliance Admin, then 10. Reset appliance.
2. Select 1. Delete capture data and choose OK.
3. A prompt will appear with a warning message. Confirm Yes if you wish to proceed. No will cancel the process and no changes will be made.
4. Another warning prompt will require that you reconfirm your decision to reset captured data. Select ‘Yes’ again to confirm your choice.
5. A further screen will ask if you wish to disable capture interfaces before proceeding. ‘Yes’ will disable capture interfaces, meaning that no further data can be ingested even after the appliance completes its reset, regardless of whether cables have been removed. Capture interfaces should not be disabled if you wish to continue to use the appliance after reset; only Darktrace can re-enable them. Selecting ‘No’ means the appliance will begin ingesting data again through any connected capture interfaces on completion of the reset.
6. The appliance will now request a reset unlock code. Enter the unlock code provided by Darktrace and confirm.
7. The ‘Device successfully reset’ message confirms the erasure process was successful. Press OK.
Restore to Factory Settings
A factory reset is performed through the appliance console and is the most stringent data erasure method available. A factory reset will write zeros to all disks and reinstall the operating system and all Darktrace software components to return the appliance to an as-new state. Consequently, this process will take considerably longer than the standard Delete function, and it requires a reset code provided by a Darktrace representative and exchanged via a secure channel (such as text message or the Darktrace Customer Portal). Before proceeding with a factory reset, unplug all analysis port cables (management and RMM cables can remain plugged in).
1. Access the appliance console. From the main menu, select 3. Appliance Admin, then 10. Reset appliance.
2. Select 2. Factory reset and select ‘OK’.
3. A prompt will appear with a warning message. Confirm ‘Yes’ if you wish to proceed. ‘No’ will cancel the process and no changes will be made.
4. Another warning prompt will require that you reconfirm your decision to restore the appliance to factory settings. Select ‘Yes’ again to confirm your choice.
5. The appliance will now request a reset unlock code. Enter the factory reset unlock code provided by Darktrace and confirm OK.
6. During the first part of the process, the following message will appear on the screen: “Initiating factory reset. The appliance will reset upon success. This can take a long time, please wait. After reboot, consult the monitor screen to view the progress of the factory reset.” Do not interrupt the process or the appliance may be left in an irrecoverable state.
7. After rebooting the appliance, the terminal will display the progress of the wipe. This progress will periodically update.
8. Once the wipe is complete, the terminal will show the following message on the screen: “Completed Wipe. Starting Setup.” After completing the setup the appliance will reboot one further time, at which point the process will be complete.
US: +1 415 229 9100
UK: +44 (0) 1223 394 100
LATAM: +55 11 97242 2011
APAC: +65 6804 5010
darktrace.com