System and method for creation, deployment and management of augmented attacker map
First Claim
1. A system for network surveillance to detect attackers, comprising:
a deception management server within a network of resources, comprising a deployment module managing and planting one or more decoy lateral attack vectors in one or more of the resources in the network, wherein a lateral attack vector is an object in memory or storage of a first resource in the network that may be used to access a second resource in the network; and
one or more decoy servers accessible from resources in the network, each decoy server comprising:
an alert module that issues an alert when a specific resource in the network accesses the decoy server via one or more of the decoy lateral attack vectors planted in the specific resource by said deployment module; and
a delay module, purposely delaying incoming connections to the decoy server while a resource accesses the decoy server, in order to allow additional time to monitor activity on the decoy server.
Abstract
A system for network surveillance to detect attackers, including a deception management server within a network of resources, including a deployment module managing and planting one or more decoy attack vectors in one or more of the resources in the network, wherein an attack vector is an object in memory or storage of a first resource that may be used to access a second resource, and one or more decoy servers accessible from resources in the network, each decoy server including an alert module that issues an alert when a specific resource in the network accesses the decoy server via one or more of the decoy attack vectors planted in the specific resource by the deployment module, and a delay module, delaying access to data on the decoy server while a resource accesses the decoy server.
17 Claims
1. As set out under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A non-transitory computer readable medium storing instructions, which, when executed by a processor of a management computer, cause the computer:
to plant one or more decoy lateral attack vectors in one or more resources in a network of computers, wherein a lateral attack vector is an object in memory or storage of a first resource in the network that may be used to access a second resource in the network;
to recognize that a specific decoy server in the network is being accessed by a specific resource in the network via one or more of the decoy lateral attack vectors planted in the specific resource by said planting;
to purposely delay incoming connections to data on the specific decoy server while the specific resource accesses the decoy server, in order to allow additional time to monitor activity on the decoy server; and
to issue an alert in response to the recognizing.
Dependent claims: 11, 12, 13.
14. A system for network surveillance to detect attackers, comprising:
a deception management server within a network of resources, comprising a deployment module managing and planting one or more decoy attack vectors in one or more of the resources in the network, wherein an attack vector is an object in memory or storage of a first resource that may be used to access a second resource; and
one or more decoy servers accessible from resources in the network, each decoy server comprising an alert module causing a real-time forensic application to be transmitted to a destination resource in the network when a specific decoy server is being accessed by a specific resource, wherein the forensic application, when launched in the destination resource, identifies a process running within the specific resource that is accessing the specific decoy server, logs the activities performed by the thus-identified process in a forensic report, and transmits the forensic report to said deception management server.
15. A system for network surveillance to detect attackers, comprising:
a deception management server within a network of resources, comprising a deployment module managing and planting one or more decoy attack vectors in one or more of the resources in the network, wherein an attack vector is an object in memory or storage of a first resource that may be used to access a second resource; and
an event monitor, recognizing an attempt by a first resource in the network to access a second resource in the network via the decoy attack vectors planted by said deployment module in the first resource, and causing, in response to the recognizing, a real-time forensic application to be transmitted to a destination resource, wherein the forensic application, when launched in the destination resource, identifies a process running within the first resource that is accessing the second resource, logs the activities performed by the thus-identified process in a forensic report, and transmits the forensic report to said deception management server.
16. A non-transitory computer readable medium storing instructions, which, when executed by a processor of a management computer, cause the computer:
to plant one or more decoy attack vectors in one or more resources in a network of computers, wherein an attack vector is an object in memory or storage of a first resource in the network that may be used to access a second resource in the network;
to recognize that a specific decoy server in the network is being accessed by a specific resource in the network via one or more of the decoy attack vectors planted in the specific resource; and
to cause a real-time forensic application to be transmitted to a destination resource, wherein the forensic application, when launched on the destination resource, is operative: to identify a process running within the specific resource that is accessing the specific decoy server; to log the activities performed by the thus-identified process in a forensic report; and to transmit the forensic report to a deception management server.
17. A non-transitory computer readable medium storing instructions, which, when executed by a processor of a management computer, cause the computer:
to plant one or more decoy attack vectors in one or more resources in a network of computers, wherein an attack vector is an object in memory or storage of a first resource in the network that may be used to access a second resource in the network;
to recognize an attempt by a first resource in the network to access a second resource in the network via one or more of the decoy attack vectors planted in the first resource; and
to cause a real-time forensic application to be transmitted to a destination resource, wherein the forensic application, when launched on the destination resource, is operative: to identify a process running within the first resource that is attempting to access the second resource; to log the activities performed by the thus-identified process in a forensic report; and to transmit the forensic report to a deception management server.
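A toy model of the deployment, alert and delay modules from claims 1 and 10, written here as an added example that is not the patent's own code. The decoy lateral attack vector is modelled as an opaque credential id that only the deployment module can map back to the resource it was planted in; resource names, IP addresses and the 30 second delay are constructed values.

```python
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class DecoyVector:
    """A planted decoy lateral attack vector: an object that appears to grant
    access to a decoy server and is unique to the resource it was planted in."""
    vector_id: str
    planted_in: str      # resource whose memory/storage holds the decoy object
    decoy_server: str    # decoy server the object appears to grant access to


@dataclass(frozen=True)
class Alert:
    compromised_resource: str   # where the vector was planted (the breached host)
    observed_source: str        # where the connection actually came from
    decoy_server: str
    vector_id: str


class DeceptionManagementServer:
    """Deployment module: plants vectors and records where each one went."""
    def __init__(self):
        self._vectors = {}

    def plant(self, resource, decoy_server):
        # One id per planting, so a later use pinpoints the planted resource.
        vid = f"decoy-{len(self._vectors) + 1:04d}"
        self._vectors[vid] = DecoyVector(vid, resource, decoy_server)
        return vid

    def lookup(self, vector_id):
        return self._vectors.get(vector_id)


class DecoyServer:
    """Alert module plus delay module for one decoy server."""
    def __init__(self, name, mgmt, delay_seconds, sleep=time.sleep):
        self.name, self.mgmt = name, mgmt
        self.delay_seconds, self._sleep = delay_seconds, sleep
        self.alerts = []

    def handle_connection(self, observed_source, vector_id):
        vec = self.mgmt.lookup(vector_id)
        if vec is None or vec.decoy_server != self.name:
            return None   # not one of our planted objects: nothing to attribute
        # Delay module: hold the connection open to buy monitoring time.
        self._sleep(self.delay_seconds)
        alert = Alert(vec.planted_in, observed_source, self.name, vector_id)
        self.alerts.append(alert)
        return alert
```

The alert carries both the resource the vector was planted in and the observed connection source, so a mismatch between the two is itself a signal that the decoy object has been copied off the host it was planted on.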