Testing security incident response through automated injection of known indicators of compromise

US 10,135,862 B1
Filed: 12/04/2015
Issued: 11/20/2018
Est. Priority Date: 12/04/2015
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer-readable medium embodying at least one program executable in at least one computing device, wherein when executed the at least one program causes the at least one computing device to at least:

receive a data feed of a plurality of known indicators of compromise from an external server;

determine that a security incident response of an organization is to be tested;

select a particular indicator of compromise of the plurality of known indicators of compromise to be a fabricated indicator of compromise;

receive a stream of event data that is generated by a network monitoring system of the organization, wherein the stream of event data includes at least one event corresponding to operation of a network host monitored by the network monitoring system;

modify the stream of event data to include fabricated data embodying the particular indicator of compromise;

provide the stream of event data to an intrusion detection system of the organization, wherein the intrusion detection system is configured to identify the particular indicator of compromise as a security compromise;

generate a plurality of metrics assessing a response of the organization to the particular indicator of compromise, wherein a first metric of the plurality of metrics indicates a timeliness of a security administrator response, and a second metric of the plurality of metrics indicates whether an expected action was performed as part of the security administrator response; and

determine a corrective action by comparing the plurality of metrics to a list of manually created reference metrics; and

cause a recommendation for the corrective action to be rendered via a display.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are various embodiments for testing the security incident response of an organization through automated injection of a known indicator of compromise. A stream of event data generated by a network monitoring system of an organization is received. The stream of event data is modified to include data embodying a fabricated indicator of compromise. The stream of event data that has been modified is then provided to an intrusion detection system of the organization. Metrics are then generated that assess the response of the organization to the fabricated indicator of compromise.

Citations

20 Claims

1. A non-transitory computer-readable medium embodying at least one program executable in at least one computing device, wherein when executed the at least one program causes the at least one computing device to at least:
- receive a data feed of a plurality of known indicators of compromise from an external server;
  
  determine that a security incident response of an organization is to be tested;
  
  select a particular indicator of compromise of the plurality of known indicators of compromise to be a fabricated indicator of compromise;
  
  receive a stream of event data that is generated by a network monitoring system of the organization, wherein the stream of event data includes at least one event corresponding to operation of a network host monitored by the network monitoring system;
  
  modify the stream of event data to include fabricated data embodying the particular indicator of compromise;
  
  provide the stream of event data to an intrusion detection system of the organization, wherein the intrusion detection system is configured to identify the particular indicator of compromise as a security compromise;
  
  generate a plurality of metrics assessing a response of the organization to the particular indicator of compromise, wherein a first metric of the plurality of metrics indicates a timeliness of a security administrator response, and a second metric of the plurality of metrics indicates whether an expected action was performed as part of the security administrator response; and
  
  determine a corrective action by comparing the plurality of metrics to a list of manually created reference metrics; and
  
  cause a recommendation for the corrective action to be rendered via a display.
- View Dependent Claims (2, 3)
- - 2. The non-transitory computer-readable medium of claim 1, wherein the fabricated data embodying the indicator of compromise includes a signature of a malware file.
  - 3. The non-transitory computer-readable medium of claim 1, wherein the fabricated data embodying the indicator of compromise includes a destination network address corresponding to a known malware control server.

4. A system, comprising:
- at least one computing device; and
  
  an incident response testing service executable in the at least one computing device, wherein when executed the incident response testing service causes the at least one computing device to at least;
  
  receive a stream of event data generated by a network monitoring system of an organization, the stream of event data including at least one event corresponding to operation of a network host monitored by the network monitoring system;
  
  modify the stream of event data to include fabricated data embodying a fabricated indicator of compromise, wherein the stream of event data, after modification, is provided to an intrusion detection system of the organization, wherein the intrusion detection system is configured to identify the fabricated indicator of compromise as a security compromise; and
  
  generate at least one metric assessing a response of the organization to the fabricated indicator of compromise.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 5. The system of claim 4, wherein the incident response testing service is further configured to cause the at least one computing device to at least:
    - determine whether one or more user actions have been performed to investigate the security compromise identified by the intrusion detection system; and
      
      generate the at least one metric based at least in part on whether the one or more user actions have been performed.
  - 6. The system of claim 4, wherein the incident response testing service is further configured to cause the at least one computing device to at least:
    - determine an impact to a resource availability on a network of the organization by the response of the organization; and
      
      generate the at least one metric based at least in part on the impact to the resource availability.
  - 7. The system of claim 4, wherein the incident response testing service is further configured to cause the at least one computing device to at least:
    - record a first time relative to modifying the stream of event data; and
      
      generate the at least one metric based at least in part on an elapsed time between the first time and a second time corresponding to the response of the organization.
  - 8. The system of claim 7, wherein the incident response testing service is further configured to cause the at least one computing device to at least generate the at least one metric based at least in part on a comparison of the elapsed time to a predefined target time.
  - 9. The system of claim 7, wherein the second time is a time at which a user indication is received, via an incident response system, that the security compromise identified by the intrusion detection system is a false positive.
  - 10. The system of claim 7, wherein the second time is a time at which a user indication is received, via an incident response system, that the security compromise is being investigated.
  - 11. The system of claim 7, wherein the second time is a time at which an alarm is raised by the intrusion detection system in response to the security compromise being identified.
  - 12. The system of claim 4, wherein the incident response testing service is further configured to cause the at least one computing device to at least randomly select the fabricated indicator of compromise from a plurality of known indicators of compromise.
  - 13. The system of claim 4, wherein the incident response testing service is further configured to cause the at least one computing device to at least determine that the response of the organization is to be tested based at least in part on a randomly selected interval of time.
  - 14. The system of claim 4, wherein the incident response testing service is further configured to cause the at least one computing device to at least receive a data feed describing the fabricated indicator of compromise from an external server.
  - 15. The system of claim 4, wherein the incident response testing service is further configured to cause the at least one computing device to at least remove the fabricated data embodying the fabricated indicator of compromise from the stream of event data before the stream of event data is provided to a machine learning model.
  - 16. The system of claim 4, wherein the at least one event comprises an event corresponding to a file installation on the network host.

17. A method, comprising:
- receiving, via at least one of one or more computing devices, a stream of event data generated by a network monitoring system of an organization, wherein the stream of event data includes at least one event corresponding to operation of a network host monitored by the network monitoring system;
  
  modifying, via at least one of the one or more computing devices, the stream of event data to include fabricated data embodying a fabricated indicator of compromise;
  
  providing, via at least one of the one or more computing devices, the stream of event data that has been modified to an intrusion detection system of the organization, wherein the intrusion detection system is configured to identify the fabricated indicator of compromise as a security compromise; and
  
  generating, via at least one of the one or more computing devices, at least one metric assessing a response of the organization to the fabricated indicator of compromise.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, further comprising:
    - receiving, via at least one of the one or more computing devices, a data feed describing a plurality of known indicators of compromise from an external server; and
      
      configuring, via at least one of the one or more computing devices, the intrusion detection system to recognize the plurality of known indicators of compromise as the security compromise.
  - 19. The method of claim 17, further comprising removing, via at least one of the one or more computing devices, the fabricated indicator of compromise from the stream of event data that has been modified.
  - 20. The method of claim 17, further comprising recording, via at least one of the one or more computing devices, a log indicating insertion of the fabricated indicator of compromise into the stream of event data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
McClintock, Jon Arron, Stathakopoulos, George Nikolaos
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Chao, Michael W

Application Number

US14/959,618
Time in Patent Office

1,082 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

H04L 63/1466   Active attacks involving in...

Testing security incident response through automated injection of known indicators of compromise

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Testing security incident response through automated injection of known indicators of compromise

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links