System and method employing structured intelligence to verify and contain threats at endpoints

US 10,033,748 B1
Filed: 08/02/2016
Issued: 07/24/2018
Est. Priority Date: 03/15/2013
Status: Active Grant

First Claim

Patent Images

1. A computerized method to identify potentially malicious code at an endpoint device in a network, the method comprising:

analyzing a portion of the network data received over the network to identify one or more threats represented by the network data;

generating a report by a threat monitor, the report includes information on the one or more threats resulting from the analyzing of the portion of the network data;

analyzing the information within the report by a verifier to yield intelligence that includes at least one of instructions or indicators related to the identified one or more threats and determining, based on the intelligence yielded from the information within the report, an endpoint device including an endpoint agent that is to (i) receive at least one of the instructions or the indicators, (ii) conduct an examination of memory of the endpoint for data corresponding to any of the instructions or the indicators, and (iii) obtain results of the examination;

gathering and correlating verification information from the endpoint agent to determine whether the verification information corresponds to a verified threat, the verification information includes at least a portion of the results of the examination and an identifier for the endpoint device; and

sending a notification including a portion of the verification information to identify the verified threat.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method to detect and contain threatening executable code by employing a threat monitor, verifier, endpoint agent, and a security information and event management module. The system and method determine whether a threat has persisted or executed, and allow that information to be communicated back to the detection mechanism (or other system) such that a user (or machine) may make a decision to take further action such as to contain the threat quickly and/or permit the system to do so automatically. The system further generates a report by a threat monitor, the report includes information on the one or more threats resulting from the analyzing of the portion of the network data; analyzing the information within the report by a verifier to yield intelligence that includes at least one of instructions or indicators related to the identified one or more threats and determining, gathering and correlating verification information from the endpoint agent to determine whether the verification information corresponds to a verified threat, the verification information includes at least a portion of the results of the examination and an identifier for the endpoint device; and sending a notification including a portion of the verification information to identify the verified threat.

185 Citations

20 Claims

1. A computerized method to identify potentially malicious code at an endpoint device in a network, the method comprising:
- analyzing a portion of the network data received over the network to identify one or more threats represented by the network data;
  
  generating a report by a threat monitor, the report includes information on the one or more threats resulting from the analyzing of the portion of the network data;
  
  analyzing the information within the report by a verifier to yield intelligence that includes at least one of instructions or indicators related to the identified one or more threats and determining, based on the intelligence yielded from the information within the report, an endpoint device including an endpoint agent that is to (i) receive at least one of the instructions or the indicators, (ii) conduct an examination of memory of the endpoint for data corresponding to any of the instructions or the indicators, and (iii) obtain results of the examination;
  
  gathering and correlating verification information from the endpoint agent to determine whether the verification information corresponds to a verified threat, the verification information includes at least a portion of the results of the examination and an identifier for the endpoint device; and
  
  sending a notification including a portion of the verification information to identify the verified threat.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computerized method according to claim 1, wherein the verification information is processed by the verifier by comparing the verification information to (a) data obtained from another endpoint device different than the endpoint device, or (b) data obtained from a security information and event manager module (SIEM).
  - 3. The computerized method according to claim 1, wherein the endpoint agent being associated with the endpoint device that receives at least one of the instructions or the indicators, conducting at least one of the examination of the memory of the endpoint device or a test of system state of the endpoint device for data corresponding to any of the instructions or the indicators, and obtaining results of the examination or the test.
  - 4. The computerized method according to claim 1, wherein the analyzing-of the portion of the network data comprises analyzing an executable by an analyzer of the threat monitor, the analyzer includes a dynamic analyzer that completely or partially executes the executable within an environment where operations of the executable are monitored to identify one or more behaviors or operations associated with the one or more threats.
  - 5. The computerized method according to claim 4, wherein the information resulting from the analyzing of the portion of the network data includes an attempted change of the environment by the executable or one or more attempts to establish network connections or Domain Name System (DNS) lookups.
  - 6. The computerized method according to claim 1, wherein the examination of the memory of the endpoint device comprisesconfiguring an indicator matcher within the endpoint agent to receive the indicators;
    - monitoring the system state of the endpoint device and generating audit data in response to a monitored change of the system state; and
      
      providing data, based on the audit data, to the indicator matcher to determine whether the endpoint device is compromised based on a matching of data based on the audit data to any of the indicators.
  - 7. The computerized method according to claim 1, further comprising:
    - changing a configuration of the threat monitor based on the verification information.
  - 8. The computerized method according to claim 1, further comprising:
    - performing a containment action to mitigate effects of the verified threat on the endpoint device via the endpoint agent based on the verification information, wherein, the containment action is taken by a containment agent of the endpoint agent, and the containment agent is installed on the endpoint device pursuant to instructions contained in a containment package configured by the verifier.

9. A system operable to identify potentially malicious code on an endpoint device in a network, the system comprising:
- a threat monitor operable to (i) receive network data including an executable, (ii) conduct an analysis of the executable to identify one or more threats detected from the analysis of the executable, and (iii) generate a report including information on the one or more threats resulting from the analysis of the executable; and
  
  a verifier operable to (i) analyze the information within the report to yield intelligence that includes instructions or indicators related to the identified one or more threats, (ii) determine, based on the intelligence yielded from the information within the report, the endpoint device including an endpoint agent that is to (a) receive at least one of the instructions or the indicators, (b) conduct an examination of memory of the endpoint device for data corresponding to any of the instructions or the indicators, (iii) obtain results of the examination, (iv) correlate verification information received from the endpoint agent, the verification information includes at least a portion of the results of the examination and an identifier for the endpoint device, and (v) send a notification including a portion of the verification information upon determining that the verification information represents a verified threat.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The system according to claim 9, wherein the verifier including (i) a report analyzer and (ii) an agent coordinator, whereinthe report analyzer to analyze the information within the report and yield intelligence including the instructions or the indicators to be provided to the agent coordinator, andthe agent coordinator to determine, based on the intelligence provided by the report analyzer, the endpoint agent.
  - 11. The system according to claim 9 further comprising:
    - a management component to further gather and correlate the verification information against data from one or more endpoint devices different than the endpoint device to determine that the verification information represents the verified threat.
  - 12. The system according to claim 9, wherein the threat monitor to generate the report including the information on the one or more threats resulting from the analysis of the executable, the information includes an attempted change of the environment by the executable or one or more attempts to establish network connections or Domain Name System (DNS) lookups.
  - 13. The system according to claim 9, wherein, the endpoint agent includes an audit controller that controls audits of the memory performed by an audit module operating within the endpoint agent.
  - 14. The system according to claim 9, wherein the verifier to enable an authorized user or machine to conduct a containment action to restrict or alter operations of the endpoint device or software within the endpoint device to mitigate effects of the verified threat.
  - 15. The system according to claim 9, wherein an indicator of the indicators relates to a specific type or subset of information regarding a state of an endpoint device includes a description of a file or a hash sum of the file or regarding a description of an operation associated with the one or more threats.

16. A system operable to identify potentially malicious code on an endpoint device in a network, the system comprising:
- a processor; and
  
  a memory including software that, when executed by the processor, operates to identify potentially malicious code within received network data that includes at least one executable, the software comprisesa threat monitor operable to (i) conduct an analysis of the executable to identify one or more threats, and (ii) generate a report including information on the one or more threats resulting from the analysis of the executable, anda verifier operable to (i) analyze the information within the report to yield intelligence that includes instructions or indicators related to the identified one or more threats, (ii) determine, based on the intelligence yielded from the information within the report, the endpoint device including an endpoint agent that is to (a) receive at least one of the instructions or the indicators, and (b) conduct an examination of memory of the endpoint device for data corresponding to any of the instructions or the indicators, (iii) obtain results of the examination, (iv) correlate verification information received from the endpoint agent, the verification information includes at least a portion of the results of the examination and an identifier for the endpoint device, and (v) send a notification including a portion of the verification information upon determining that the verification information represents a verified threat.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The system according to claim 16, wherein the verifier stored within the memory including (i) a report analyzer and (ii) an agent coordinator, whereinthe report analyzer, when executed by the processor, is configured to analyze the information within the report and yield intelligence including the instructions or the indicators to be provided to the agent coordinator, andthe agent coordinator, when executed by the processor, is configured to determine, based on the intelligence provided by the report analyzer, the endpoint agent.
  - 18. The system according to claim 16, wherein the threat monitor stored within the memory is configured to generate the report including the information on the one or more threats resulting from the analysis of the executable, the information includes an attempted change of the environment by the executable or one or more attempts to establish network connections or Domain Name System (DNS) lookups.
  - 19. The system according to claim 16, wherein the verifier to enable an authorized user or machine to conduct a containment action to restrict or alter operations of the endpoint device or software within the endpoint device to mitigate effects of the verified threat.
  - 20. The system according to claim 16, wherein each of the indicators relates to a specific type or subset of information regarding a state of the endpoint device includes a description of a file or a hash sum of the file or regarding a description of an operation associated with the one or more threats.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Cunningham, Sean, Dana, Robert, Nardone, Joseph, Faber, Joseph, Arunski, Kevin
Primary Examiner(s)
Lim, Krisna

Application Number

US15/226,839
Time in Patent Office

721 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

H04L 63/126   the source of the received ...

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

System and method employing structured intelligence to verify and contain threats at endpoints

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

185 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method employing structured intelligence to verify and contain threats at endpoints

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

185 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links