Testing security incident response through automated injection of known indicators of compromise
First Claim
1. A non-transitory computer-readable medium embodying at least one program executable in at least one computing device, wherein when executed the at least one program causes the at least one computing device to at least:
- receive a data feed of a plurality of known indicators of compromise from an external server;
- determine that a security incident response of an organization is to be tested;
- select a particular indicator of compromise of the plurality of known indicators of compromise to be a fabricated indicator of compromise;
- receive a stream of event data that is generated by a network monitoring system of the organization, wherein the stream of event data includes at least one event corresponding to operation of a network host monitored by the network monitoring system;
- modify the stream of event data to include fabricated data embodying the particular indicator of compromise;
- provide the stream of event data to an intrusion detection system of the organization, wherein the intrusion detection system is configured to identify the particular indicator of compromise as a security compromise;
- generate a plurality of metrics assessing a response of the organization to the particular indicator of compromise, wherein a first metric of the plurality of metrics indicates a timeliness of a security administrator response, and a second metric of the plurality of metrics indicates whether an expected action was performed as part of the security administrator response; and
- determine a corrective action by comparing the plurality of metrics to a list of manually created reference metrics; and
- cause a recommendation for the corrective action to be rendered via a display.
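As an added illustration (not part of the patent text and not the patentee's implementation), the following Python sketch walks the claimed loop end to end: pick a known IOC from a feed, inject one fabricated event carrying it into an event stream, run a minimal matcher standing in for the IDS, then score the timeliness and expected-action metrics against reference metrics and turn the gaps into corrective-action recommendations. Every feed entry, event, field name, threshold and responder action is a constructed assumption.

```python
# Constructed sample data (not from the patent): IOC feed, benign events, reference metrics.
IOC_FEED = [{"type": "domain", "value": "c2.example.invalid"},
            {"type": "sha256", "value": "0" * 64}]
EVENTS = [{"t": 0, "host": "ws-01", "kind": "dns", "query": "intranet.example.invalid"},
          {"t": 5, "host": "ws-02", "kind": "dns", "query": "cdn.example.invalid"}]
REFERENCE = {"max_response_minutes": 30, "expected_actions": {"isolate_host", "open_ticket"}}

def select_ioc(feed, ioc_type="domain"):
    """Pick one known indicator from the feed to serve as the fabricated IOC."""
    return next(i for i in feed if i["type"] == ioc_type)

def inject(events, ioc, host="ws-01", t=10):
    """Return a copy of the stream with one fabricated event embodying the IOC."""
    fake = {"t": t, "host": host, "kind": "dns", "query": ioc["value"], "fabricated": True}
    return sorted(events + [fake], key=lambda e: e["t"])

def ids(events, feed):
    """Stand-in IDS: alert on any event whose query matches a known indicator value."""
    known = {i["value"] for i in feed}
    return [e for e in events if e.get("query") in known]

def score(alert, actions, reference):
    """The two metrics named in claim 1: timeliness, and whether expected actions ran."""
    mine = [a for a in actions if a["host"] == alert["host"]]
    first = min((a["t"] for a in mine), default=None)
    missing = reference["expected_actions"] - {a["action"] for a in mine}
    return {"timeliness_minutes": None if first is None else first - alert["t"],
            "expected_actions_done": not missing, "missing_actions": sorted(missing)}

def corrective_actions(metrics, reference):
    """Compare the metrics with the reference list and recommend corrective actions."""
    recs, t, limit = [], metrics["timeliness_minutes"], reference["max_response_minutes"]
    if t is None or t > limit:
        recs.append(f"Review alert routing and on-call coverage: response exceeded {limit} min")
    for a in metrics["missing_actions"]:
        recs.append(f"Update runbook/training: expected action '{a}' was not performed")
    return recs

def run_test(actions):
    """Full cycle: select, inject, detect, measure, recommend."""
    stream = inject(EVENTS, select_ioc(IOC_FEED))
    alert = ids(stream, IOC_FEED)[0]          # the injected event is the only hit
    metrics = score(alert, actions, REFERENCE)
    return metrics, corrective_actions(metrics, REFERENCE)

if __name__ == "__main__":
    # Constructed responder log: isolation 45 minutes after the alert, no ticket opened.
    print(run_test([{"t": 55, "host": "ws-01", "action": "isolate_host"}]))
```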
Abstract
Disclosed are various embodiments for testing the security incident response of an organization through automated injection of a known indicator of compromise. A stream of event data generated by a network monitoring system of an organization is received. The stream of event data is modified to include data embodying a fabricated indicator of compromise. The stream of event data that has been modified is then provided to an intrusion detection system of the organization. Metrics are then generated that assess the response of the organization to the fabricated indicator of compromise.
20 Claims
1. As recited above under First Claim. Dependent claims: 2, 3.
4. A system, comprising:
- at least one computing device; and
- an incident response testing service executable in the at least one computing device, wherein when executed the incident response testing service causes the at least one computing device to at least:
  - receive a stream of event data generated by a network monitoring system of an organization, the stream of event data including at least one event corresponding to operation of a network host monitored by the network monitoring system;
  - modify the stream of event data to include fabricated data embodying a fabricated indicator of compromise, wherein the stream of event data, after modification, is provided to an intrusion detection system of the organization, wherein the intrusion detection system is configured to identify the fabricated indicator of compromise as a security compromise; and
  - generate at least one metric assessing a response of the organization to the fabricated indicator of compromise.
Dependent claims: 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16.
17. A method, comprising:
- receiving, via at least one of one or more computing devices, a stream of event data generated by a network monitoring system of an organization, wherein the stream of event data includes at least one event corresponding to operation of a network host monitored by the network monitoring system;
- modifying, via at least one of the one or more computing devices, the stream of event data to include fabricated data embodying a fabricated indicator of compromise;
- providing, via at least one of the one or more computing devices, the stream of event data that has been modified to an intrusion detection system of the organization, wherein the intrusion detection system is configured to identify the fabricated indicator of compromise as a security compromise; and
- generating, via at least one of the one or more computing devices, at least one metric assessing a response of the organization to the fabricated indicator of compromise.
Dependent claims: 18, 19, 20.