Protecting threat indicators from third party abuse
Abstract
A threat analytics system expends significant resources to acquire, structure, and filter the threat indicators provided to the client-side monitoring systems. To protect the threat indicators from misuse, the threat analytics system only provides enough information about the threat indicators to the client-side systems to allow the client-side systems to detect past and ongoing threats. Specifically, the threat analytics system provides obfuscated threat indicators to the client-side monitoring systems. The obfuscated threat indicators enable the client-side systems to detect threats while protecting the threat indicators from misuse or malicious actors.
16 Claims
1. A computer-based method for detecting threats based on obfuscated threat indicators, the method comprising:
- receiving, from a server, an obfuscated threat indicator associated with an identified cyber-threat that was determined by the server to be above a threshold level of quality, the obfuscated threat indicator having been generated by the server responsive to determining that the identified cyber-threat is above the threshold level of quality by:
  - including a threat data source of a threat indicator and excluding raw information of the threat indicator;
- identifying one or more client-side events occurring within a third-party system, each client-side event identified by an entity identifier indicating an entity to which the client-side event is attributed;
- determining that the third-party system experienced a cyber-threat when the obfuscated threat indicator matches at least one entity identifier; and
- in response to determining that the third-party system experienced the cyber-threat:
  - generating descriptive information associated with the obfuscated threat indicator; and
  - transmitting the descriptive information to the third-party system.
Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. A computer program product for detecting threats based on obfuscated threat indicators, the computer program product comprising a non-transitory computer-readable storage medium containing computer program code for:
- receiving, from a server, an obfuscated threat indicator associated with an identified cyber-threat that was determined by the server to be above a threshold level of quality, the obfuscated threat indicator having been generated by the server responsive to determining that the identified cyber-threat is above the threshold level of quality by:
  - including a threat data source of a threat indicator and excluding raw information of the threat indicator;
- identifying one or more client-side events occurring within a third-party system, each client-side event identified by an entity identifier indicating an entity to which the client-side event is attributed;
- obfuscating the entity identifier by excluding raw information related to the entity;
- determining that the third-party system experienced a cyber-threat when the obfuscated threat indicator matches at least one obfuscated entity identifier; and
- in response to determining that the third-party system experienced the cyber-threat:
  - generating descriptive information associated with the obfuscated threat indicator; and
  - transmitting the descriptive information to the third-party system.
Dependent claims: 10, 11, 12, 13
14. A computer-based method for transmitting threat information to client modules, the method comprising:
- generating, at a server, obfuscated threat indicators associated with identified cyber-threats that are determined to be above a threshold level of quality, each respective obfuscated threat indicator having been generated responsive to determining that a respective cyber-threat is above the threshold level of quality by:
  - including a threat data source of a threat indicator and excluding raw information of the threat indicator;
- determining, by the server, that the obfuscated threat indicators are available for transmission to a client module;
- determining, by the server, whether a threat detection report associated with the obfuscated threat indicators was received from the client module; and
- transmitting, by the server, the obfuscated threat indicators to the client module in response to determining that the threat detection report was received from the client module.
Dependent claims: 15, 16
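
The matching flow described in the abstract and in claim 9, sketched as an added example that is not code from the patent. It assumes obfuscation is an HMAC-SHA256 of the normalized indicator under a key shared with the client module; the key, threshold, field names and sample data are all constructed.

```python
import hashlib
import hmac

# Assumption: "obfuscated" means a keyed digest (HMAC-SHA256) of the normalized
# indicator; the page does not name a scheme. Key and threshold are constructed.
FEED_KEY = b"constructed-demo-key"
QUALITY_THRESHOLD = 0.7

def normalize(value):
    """Canonical form, so server and client digest identical bytes."""
    return value.strip().lower().rstrip(".").encode("utf-8")

def obfuscate(value, key=FEED_KEY):
    return hmac.new(key, normalize(value), hashlib.sha256).hexdigest()

def build_feed(raw_indicators):
    """Server: keep the data source, drop the raw value, skip low-quality entries."""
    return [{"digest": obfuscate(i["value"]), "source": i["source"]}
            for i in raw_indicators if i["quality"] > QUALITY_THRESHOLD]

def detect(feed, events):
    """Client: obfuscate each event's entity identifier and match it to the feed."""
    by_digest = {entry["digest"]: entry for entry in feed}
    hits = []
    for event in events:
        entry = by_digest.get(obfuscate(event["entity"]))
        if entry is not None:
            hits.append({"event_id": event["id"], **entry})
    return hits

def describe(hits, catalog):
    """Return descriptive information only for indicators that actually matched."""
    return {h["digest"]: catalog[h["digest"]] for h in hits if h["digest"] in catalog}

# Constructed sample data (documentation address ranges and example domains).
RAW = [
    {"value": "198.51.100.23", "source": "feed-a", "quality": 0.9, "info": "constructed note A"},
    {"value": "bad.example", "source": "feed-b", "quality": 0.95, "info": "constructed note B"},
    {"value": "203.0.113.7", "source": "feed-c", "quality": 0.2, "info": "constructed note C"},
]
CATALOG = {obfuscate(i["value"]): i["info"] for i in RAW}
EVENTS = [
    {"id": 1, "entity": "10.0.0.5"},
    {"id": 2, "entity": "BAD.example."},
    {"id": 3, "entity": "203.0.113.7"},
    {"id": 4, "entity": "198.51.100.23"},
]
```

A digest of a low-entropy value such as an IPv4 address can be recovered by enumeration by anyone who holds the key, so under this assumed scheme the feed resists bulk reading rather than a determined key holder.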
Specification