Deceiving an attacker who is harvesting credentials
Abstract
A system for deceiving an attacker who harvests credentials within an enterprise network, including a management server deploying a deceptive agent on an endpoint computer of the enterprise network, the deceptive agent including a hook manager creating system hooks on resources in the endpoint computer that holds valuable credentials, which would be desired by attackers, and a deceptive content provider, generating deceptive content and returning the deceptive content to a malicious process run by an attacker on the endpoint computer, the malicious process making a read request directed to a resource in the endpoint computer that holds valuable credentials, thus making it appear to the attacker that a response is coming from the resource whereas in fact the response is coming from the deceptive agent, when the hook manager hooks the read request.
9 Claims
1. A system for deceiving an attacker who harvests credentials within an enterprise network, comprising a management server deploying a deceptive agent on an endpoint computer of the enterprise network, the deceptive agent comprising:
- a hook manager creating a system hook on a network adaptor of the endpoint computer; and
- a deceptive content provider, generating deceptive content and responding to an outgoing call to a service of a remote server of the enterprise network made by a malicious process run by an attacker on the endpoint computer, returning the deceptive content to the malicious process, thus making it appear to the attacker that a response is coming from the service in the remote server whereas in fact the response is coming from the deceptive agent, when said hook manager hooks the remote call.
Dependent claims: 2, 3, 4
5. A method for deceiving an attacker who is harvesting credentials within an enterprise network, comprising:
- deploying, by a management server, a deceptive agent on an endpoint computer of an enterprise network;
- creating, by the deceptive agent, a system hook on a network adaptor of the endpoint computer; and
- in response to hooking an outbound call to a service of a remote server in the enterprise network, by a malicious process being run by an attacker on the endpoint computer, generate, by the deceptive agent, deceptive content and respond to the remote call by returning the deceptive content to the malicious process, thus making it appear to the attacker that the response is coming from the remote server whereas in fact the response is coming from the deceptive agent.
Dependent claims: 6, 7
8. A method for deceiving an attacker who is harvesting credentials within an enterprise network, comprising:
- deploying, by a management server, a deceptive agent on a remote server of an enterprise network, wherein the deceptive agent listens to inbound requests for the remote server and authenticates the inbound requests as coming from a legitimate process running on a client computer of the enterprise network; and
- in response to detecting a remote call to a service of the remote server from a malicious process being run by an attacker on a client computer of the enterprise network, generate, by the deceptive agent, deceptive content and respond to the remote call by returning the deceptive content to the malicious process, thus making it appear to the attacker that the response is coming from the service in the remote server whereas in fact the response is coming from the deceptive agent.
9. A system for deceiving an attacker who harvests credentials within an enterprise network, comprising a management server deploying a deceptive agent on a remote server of the enterprise network, the deceptive agent comprising:
- an authenticator, listening to inbound requests to the remote server and authenticating the inbound requests as coming from a legitimate process running on a client computer of the enterprise network; and
- a deceptive content provider, generating deceptive content and responding to a remote call to a service of the remote server from a malicious process being run by an attacker on the client computer by returning the deceptive content to the malicious process, thus making it appear to the attacker that the response is coming from the service of the remote server whereas in fact the response is coming from said deceptive agent, when said authenticator detects the remote call.
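The server-side arrangement of claims 8 and 9 (an authenticator in front of a service, with a deceptive content provider answering calls that fail authentication), sketched as an added example that is not code from the patent or its assignee. The claims do not say how requests are authenticated; the per-client HMAC tag, the nonce replay check, the request fields and all names and values below are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Assumptions (not from the patent): a per-client key provisioned by the
# management server, and an HMAC tag as the proof of a legitimate process.
CLIENT_KEYS = {"ws-017": b"constructed-demo-key"}
SERVICE_DATA = {"svc-backup": "constructed-real-secret"}  # stand-in for the real service
DECOY_SEED = b"constructed-decoy-seed"


def sign(key: bytes, client: str, account: str, nonce: str) -> str:
    """Tag a legitimate client process attaches to each call."""
    msg = "\x1f".join((client, account, nonce)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class DeceptiveAgent:
    def __init__(self):
        self.seen = set()    # (client, nonce) pairs already accepted
        self.decoys = {}     # decoy secret -> (client, account) it was served to
        self.alerts = []

    def _authentic(self, client: str, account: str, nonce: str, tag: str) -> bool:
        key = CLIENT_KEYS.get(client)
        if key is None or (client, nonce) in self.seen:
            return False     # unknown client, or a replayed call
        expected = sign(key, client, account, nonce)
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return False
        self.seen.add((client, nonce))
        return True

    def handle(self, req: dict) -> dict:
        client, account, nonce, tag = (
            str(req.get(f, "")) for f in ("client", "account", "nonce", "tag"))
        if self._authentic(client, account, nonce, tag):
            return {"account": account, "secret": SERVICE_DATA.get(account)}
        # Not authenticated: answer in the same shape as the real service,
        # with a decoy that is stable per (client, account) so repeated
        # queries agree, and remember it for later matching.
        decoy = hmac.new(DECOY_SEED, f"{client}\x1f{account}".encode(),
                         hashlib.sha256).hexdigest()[:23]
        self.decoys[decoy] = (client, account)
        self.alerts.append((client, account))
        return {"account": account, "secret": decoy}
```

The `decoys` map is what turns the deception into detection: any later authentication attempt that presents one of those values identifies where the harvested credential was served.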
Specification