Open source intelligence deceptions

US 10,333,976 B1
Filed: 07/23/2018
Issued: 06/25/2019
Est. Priority Date: 07/23/2018
Status: Active Grant

First Claim

Patent Images

1. A system to detect attackers who attempt to breach an enterprise network and attackers who have already breached the enterprise network, comprising:

an open source intelligence (OSINT) discoverer within an enterprise network scanning public open source Internet resources outside of the enterprise network to discover open source Internet resources that contain data related to the enterprise that is publicly available online, wherein the enterprise network comprises switches and routers, and a firewall located within a gateway between the enterprise network and the Internet;

an OSINT replacer generating deceptive files by replacing placeholders within template files with deceptive information, based on the data discovered by said OSINT discoverer;

an OSINT distributor planting the deceptive files generated by said OSINT replacer within public open source Internet resources outside of the enterprise network, that were discovered by said OSINT discoverer; and

a deception management server that alerts an administrator in response to an attacker attempting to make a connection within the enterprise network using information in a deceptive file planted by said OSINT distributor.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system to detect attackers who attempt to breach an enterprise network and attackers who have already breached the enterprise network, including an open source intelligence (OSINT) discoverer scanning the Internet to discover data related to an enterprise that is available online, an OSINT replacer generating deceptive files by replacing placeholders within template files with deceptive information, based on the data discovered by the OSINT discoverer, an OSINT distributor planting the deceptive files generated by the OSINT replacer within designated OSINT resources, and a deception management server that alerts an administrator in response to an attacker attempting to make a connection within the network using information in a deceptive file planted by the OSINT distributor.

140 Citations

18 Claims

1. A system to detect attackers who attempt to breach an enterprise network and attackers who have already breached the enterprise network, comprising:
- an open source intelligence (OSINT) discoverer within an enterprise network scanning public open source Internet resources outside of the enterprise network to discover open source Internet resources that contain data related to the enterprise that is publicly available online, wherein the enterprise network comprises switches and routers, and a firewall located within a gateway between the enterprise network and the Internet;
  
  an OSINT replacer generating deceptive files by replacing placeholders within template files with deceptive information, based on the data discovered by said OSINT discoverer;
  
  an OSINT distributor planting the deceptive files generated by said OSINT replacer within public open source Internet resources outside of the enterprise network, that were discovered by said OSINT discoverer; and
  
  a deception management server that alerts an administrator in response to an attacker attempting to make a connection within the enterprise network using information in a deceptive file planted by said OSINT distributor.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, further comprising a trap server that keeps a connection open when an attacker attempts to connect thereto using information in a deceptive file planted by said OSINT distributor, wherein the deceptive files lead an attacker to said trap server, and wherein said deception management server collects forensic data from said trap server and delivers the forensic data to the administrator.
  - 3. The system of claim 1, wherein said access governor logs a failed logon attempt when the attacker attempts to connect to a resource in the enterprise network using information in a deceptive file planted by said OSINT distributor.
  - 4. The system of claim 1 wherein said deception management server transmits a forensic application that runs on the attacker'"'"'s source computer to collect forensic data related to the attacker'"'"'s actions, in response to the attacker attempting to make a connection within the network using information in a deceptive file planted by said OSINT distributor.
  - 5. The system of claim 1 further comprising a templates editor for creating template files with placeholders, for use by said OSINT replacer.
  - 6. The system of claim 1 wherein the enterprise has account credentials with an Internet-based platform, and wherein said OSINT distributor uses the enterprise account credentials to plant the deceptive files in the Internet-based platform.
  - 7. The system of claim 6 wherein the Internet-based platform is a social media platform, a development platform, a file sharing platform, or a file backup platform.
  - 8. The system of claim 1 wherein said OSINT distributor plants deceptive text in paste sites.
  - 9. The system of claim 1 further comprising a dictionary of OSINT deceptive data based on the data discovered by said OSINT discoverer, and wherein said OSINT replacer replaces placeholders in template files with data in the dictionary.

10. A method for detecting attackers who attempt to breach an enterprise network and attackers who have already breached the enterprise network, comprising:
- scanning, from within the enterprise network, public open source Internet resources outside of the enterprise network to discover open source Internet resources that contain data related to the enterprise that is publicly available online, wherein the enterprise network comprises switches and routers, and a firewall located within a gateway between the enterprise network and the Internet;
  
  generating files and text by replacing placeholders within template files with deceptive information based on the results of said scanning;
  
  planting the files and text generated by said generating within public open source Internet resources outside of the enterprise network, that were discovered by said scanning; and
  
  alerting an administrator in response to an attacker attempting to make a connection within the enterprise network using information in a deceptive file planted by planting.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The method of claim 10 wherein the generated files and text lead an attacker to a trap server, the method further comprising:
    - keeping a connection to the trap server open, when the attacker attempts to connect to the trap server using deceptive information planted by said planting;
      
      collecting forensic data from the trap server while the connection to the trap server is open; and
      
      transmitting the forensic data to an administrator.
  - 12. The method of claim 10 further comprising logging a failed logon attempt when the attacker attempts to connect to a resource in the enterprise network using information in a deceptive file planted by said OSINT distributor.
  - 13. The method of claim 10 further comprising transmitting a forensic application that runs on the attacker'"'"'s source computer to collect forensic data related to the attacker'"'"'s actions, in response to the attacker attempting to make a connection within the network using information in a deceptive file planted by said OSINT distributor.
  - 14. The method of claim 10 further comprising creating template files with placeholders, for use by said generating.
  - 15. The method of claim 10 wherein the enterprise has account credentials with an Internet-based platform, and wherein said planting uses the enterprise account credentials to plant the deceptive files in the Internet-based platform.
  - 16. The method of claim 15 wherein the Internet-based platform is a social media platform, a development platform, a file sharing platform, or a file backup platform.
  - 17. The method of claim 10 wherein said planting plants deceptive text in paste sites.
  - 18. The method of claim 10 further comprising compiling a dictionary of OSINT deceptive data based on the results of said scanning, and wherein said generating replaces placeholders in template files with data in the dictionary.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
illusive networks LTD.
Original Assignee
illusive networks LTD.
Inventors
Yudovich, Hadar, Lavi, Nimrod, Bittan, Sharon, Kahana, Tom, Sela, Tom
Primary Examiner(s)
Lanier, Benjamin E

Application Number

US16/043,137
Time in Patent Office

337 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 2463/146   Tracing the source of attacks

H04L 63/0209   Architectural arrangements,...

H04L 63/10   for controlling access to d...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1491   using deception as counterm...

H04L 63/302   gathering intelligence info...

H04L 67/34   involving the movement of s...

Open source intelligence deceptions

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

140 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Open source intelligence deceptions

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

140 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links