Systems and methods for assessing cyber risks using incident-origin information
First Claim
1. A computer-implemented method for assessing cyber risks using incident-origin information, at least a portion of the method being performed by at least one computing device comprising at least one processor, the method comprising:
- receiving, by the at least one computing device, a request to perform a security action based on a security hygiene of a private network of an organization of interest, wherein:
  - the request comprises an offline identifier of the organization; and
  - the private network comprises a plurality of computing devices whose public Internet addresses are unknown to the at least one computing device when the request is received;
- using, by the at least one computing device, at least one Internet-address data source that maps offline identifiers of organizations to public Internet addresses of the organizations to translate the offline identifier of the organization into a set of candidate public Internet addresses that are likely to be the public Internet addresses of the plurality of computing devices;
- using, by the at least one computing device, at least one incident-origin data source that maps externally-detected security incidents to public Internet addresses from which the security incidents originated to translate the set of candidate public Internet addresses into a set of security incidents that likely originated from the private network of the organization;
- using, by the at least one computing device, the set of security incidents to estimate the security hygiene of the private network; and
- performing, by the at least one computing device, the security action based on the estimated security hygiene.
Abstract
A computer-implemented method for assessing cyber risks using incident-origin information may include (1) receiving a request for a cyber-risk assessment of an entity of interest, (2) using an Internet-address data source that maps identifiers of entities to public Internet addresses of the entities to translate an identifier of the entity into a set of Internet addresses of the entity, (3) using an incident-origin data source that maps externally-detected security incidents to public Internet addresses from which the security incidents originated to translate the set of Internet addresses into a set of security incidents that originated from the entity, and (4) using the set of security incidents to generate the cyber-risk assessment of the entity. Various other methods, systems, and computer-readable media may have similar features.
20 Claims
1. A computer-implemented method for assessing cyber risks using incident-origin information, at least a portion of the method being performed by at least one computing device comprising at least one processor, the method comprising:
- receiving, by the at least one computing device, a request to perform a security action based on a security hygiene of a private network of an organization of interest, wherein:
  - the request comprises an offline identifier of the organization; and
  - the private network comprises a plurality of computing devices whose public Internet addresses are unknown to the at least one computing device when the request is received;
- using, by the at least one computing device, at least one Internet-address data source that maps offline identifiers of organizations to public Internet addresses of the organizations to translate the offline identifier of the organization into a set of candidate public Internet addresses that are likely to be the public Internet addresses of the plurality of computing devices;
- using, by the at least one computing device, at least one incident-origin data source that maps externally-detected security incidents to public Internet addresses from which the security incidents originated to translate the set of candidate public Internet addresses into a set of security incidents that likely originated from the private network of the organization;
- using, by the at least one computing device, the set of security incidents to estimate the security hygiene of the private network; and
- performing, by the at least one computing device, the security action based on the estimated security hygiene.

Dependent claims 2 through 17 depend on claim 1.
18. A system for assessing cyber risks using incident-origin information, the system comprising:
- a request-receiving module, stored in memory, that receives a request for a security hygiene of a private network of an organization of interest, wherein:
  - the request comprises an offline identifier of the organization; and
  - the private network comprises a plurality of computing devices whose public Internet addresses are unknown to the system when the request is received;
- an identifier-translating module, stored in memory, that uses at least one Internet-address data source that maps offline identifiers of organizations to public Internet addresses of the organizations to translate the offline identifier of the organization into a set of candidate public Internet addresses that are likely to be the public Internet addresses of the plurality of computing devices in the private network of the organization;
- an address-translating module, stored in memory, that uses at least one incident-origin data source that maps externally-detected security incidents to public Internet addresses from which the security incidents originated to translate the set of candidate public Internet addresses into a set of security incidents that likely originated from the private network of the organization;
- a risk-assessing module, stored in memory, that uses the set of security incidents to estimate the security hygiene of the private network; and
- at least one processor that executes the request-receiving module, the identifier-translating module, the address-translating module, and the risk-assessing module.

Dependent claim 19 depends on claim 18.
20. A non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by at least one processor of at least one computing device, cause the at least one computing device to:
- receive a request to perform a security action based on a security hygiene of a private network of an organization of interest, wherein:
  - the request comprises an offline identifier of the organization; and
  - the private network comprises a plurality of computing devices whose public Internet addresses are unknown to the at least one computing device when the request is received;
- use at least one Internet-address data source that maps offline identifiers of organizations to public Internet addresses of the organizations to translate the offline identifier of the organization into a set of candidate public Internet addresses that are likely to be the public Internet addresses of the plurality of computing devices in the private network of the organization;
- use at least one incident-origin data source that maps externally-detected security incidents to public Internet addresses from which the security incidents originated to translate the set of candidate public Internet addresses into a set of security incidents that likely originated from the private network of the organization;
- use the set of security incidents to estimate the security hygiene of the private network; and
- perform the security action based on the estimated security hygiene.
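As an added illustration (not code from the patent or its assignee), the claimed pipeline carried through in Python with two constructed data sources: the offline identifier is mapped to candidate address ranges, incidents are attributed only when their origin falls inside a candidate range, a hygiene score is estimated, and an action is chosen from it. The identifier, the RFC 5737 address ranges, the category weights, the 30-day decay and the action labels are all assumptions; the claims specify no scoring formula.

```python
import ipaddress

# Constructed sample Internet-address data source: offline identifier -> public ranges
# (RFC 5737 documentation prefixes; no real organization is referenced).
ADDRESS_SOURCE = {
    "org-offline-id-0001": ["203.0.113.0/24", "198.51.100.0/25"],
}

# Constructed sample incident-origin data source: (origin IP, category, age in days).
INCIDENT_SOURCE = [
    ("203.0.113.45", "spam", 2),
    ("198.51.100.7", "scanning", 10),
    ("203.0.113.200", "malware_c2", 45),
    ("192.0.2.1", "spam", 1),            # outside every candidate range: not attributed
    ("198.51.100.130", "scanning", 3),   # just past the /25 boundary: not attributed
]

# Assumed category weights; the patent text fixes no scoring formula.
CATEGORY_WEIGHT = {"spam": 2, "scanning": 4, "malware_c2": 10}

def translate_identifier(identifier, source=ADDRESS_SOURCE):
    """Offline identifier -> candidate public address ranges (claim step 2)."""
    return [ipaddress.ip_network(cidr) for cidr in source.get(identifier, [])]

def translate_addresses(candidates, source=INCIDENT_SOURCE):
    """Candidate ranges -> incidents whose origin lies inside one of them (step 3)."""
    return [rec for rec in source
            if any(ipaddress.ip_address(rec[0]) in net for net in candidates)]

def estimate_hygiene(incidents, window_days=90):
    """Attributed incidents -> 0..100 hygiene score (step 4)."""
    risk = 0
    for _ip, category, age in incidents:
        if age <= window_days:            # incidents older than the window are ignored
            risk += CATEGORY_WEIGHT[category] >> (age // 30)  # weight halves per 30 days
    return max(0, 100 - 5 * risk)

def assess(identifier, threshold=50):
    """Whole pipeline; the action labels are constructed placeholders (step 5)."""
    candidates = translate_identifier(identifier)
    if not candidates:
        # No addresses could be attributed: that is missing data, not a clean record.
        return {"hygiene": None, "incidents": 0, "action": "insufficient_data"}
    incidents = translate_addresses(candidates)
    hygiene = estimate_hygiene(incidents)
    action = "flag_for_review" if hygiene < threshold else "no_action"
    return {"hygiene": hygiene, "incidents": len(incidents), "action": action}
```

Note that an origin address inside a candidate range may belong to a shared or NAT-ed service rather than the organization, so a production scorer would weight each candidate range by the confidence of the address-source mapping rather than treating membership as certain.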