Techniques for securely detecting compromises of enterprise end stations utilizing tunnel tokens
First Claim
1. A method in an enterprise network to detect compromises of enterprise end stations based on tokens tunneled outside the enterprise network while avoiding disclosure of source enterprise network addresses outside the enterprise network, comprising:
receiving, at a first server within the enterprise network that is implemented by one or more electronic devices, a first set of one or more packets from a source enterprise network address directed to a destination enterprise network address of the enterprise network, wherein the destination enterprise network address is an enterprise network address assigned to the first server, wherein the first set of one or more packets includes data comprising a token, wherein the token was placed upon an enterprise end station within the enterprise network and wherein the token appears to be useful for accessing the first server or a resource provided by the first server; and
transmitting, by the first server, a second set of one or more packets via a tunnel across a public network to a second server that is outside of the enterprise network, wherein the second set of one or more packets includes the data comprising the token and an identifier but does not include the source enterprise network address so that the source enterprise network address is not disclosed to the second server, wherein the second set of one or more packets causes the second server to send the data comprising the token to a third server that acts as if it were an enterprise server within the enterprise network but is actually outside of the enterprise network and does not store enterprise data, wherein the presence of the token in the second set of one or more packets allows for determining whether one of the enterprise end stations has been compromised, wherein at least one of the enterprise end station that utilized the source enterprise network address or the source enterprise network address can be determined within the enterprise based upon the identifier, and wherein outside the enterprise the identifier distinguishes between traffic sent from different source enterprise network addresses without disclosing the different source enterprise network addresses; and
causing, within the enterprise network, one or more security measures to be deployed that monitor or block traffic based on receipt of an alert data that was sent to the enterprise network due to detection of a use of the token in the data sent by the second server to the third server.
Abstract
A token tunnel server (TTS) within an enterprise network receives packets from a source address directed to a destination address (both of the enterprise network) that were caused to be originated by an attacker. The packets carry data including a token that was placed upon an end station of the enterprise and that appears to be useful for accessing an enterprise server, despite the apparent enterprise server not actually being deployed within the enterprise network. The TTS transmits packets carrying the data (that do not include the source address) across a public network outside of the enterprise network to a tunnel gateway server (TGS). The TGS sends the data to a trap server that acts as the apparent enterprise server. Actions of the attacker with regard to the trap server can be monitored while the source address is not provided to the TGS.
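The abstract and claim 1 describe four parties: the end station holding a planted token, the token tunnel server (TTS) inside the enterprise, the tunnel gateway server (TGS) outside it, and the trap server that impersonates the apparent enterprise server. The following Python model is an added example, not code from the patent or its assignee, and it fixes choices the patent leaves open: the identifier is derived with an HMAC under an enterprise-only key (any mapping kept inside the enterprise would do), the tunnel message is JSON, and the class names, addresses, key and token value are all constructed for the demonstration. Its point is the property the claim turns on: the message that leaves the enterprise carries the token data and an identifier but never the source address, while the enterprise can still resolve that identifier when the trap server's alert comes back.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed sample values. The key never leaves the enterprise; it is what
# keeps the identifier unlinkable to a source address for anyone outside.
PLANTED_TOKENS = frozenset({b"backup-svc:PLANTED-TOKEN-0001"})
ENTERPRISE_ID_KEY = b"enterprise-only-secret-key-do-not-export"


@dataclass
class Packet:
    src: str        # source enterprise network address
    dst: str        # destination enterprise network address
    payload: bytes  # the data, which may contain a planted token


class TokenTunnelServer:
    """First server (TTS). It owns the enterprise address the planted token points
    at, and forwards the payload over the tunnel with an identifier in place of
    the source address. The identifier-to-address map stays inside the enterprise."""

    def __init__(self, address: str, id_key: bytes):
        self.address = address
        self.id_key = id_key
        self.id_to_src = {}

    def identifier_for(self, src: str) -> str:
        # Keyed, so the same source always maps to the same identifier (the outside
        # can tell sources apart) but nobody without the key can recover the address.
        ident = hmac.new(self.id_key, src.encode(), hashlib.sha256).hexdigest()[:16]
        self.id_to_src[ident] = src
        return ident

    def handle(self, pkt: Packet):
        """Build the tunnel message (the 'second set of packets'), or None if the
        packet was not addressed to this server."""
        if pkt.dst != self.address:
            return None
        return json.dumps({
            "id": self.identifier_for(pkt.src),
            "data": base64.b64encode(pkt.payload).decode(),
        })

    def resolve(self, ident: str):
        return self.id_to_src.get(ident)


class TrapServer:
    """Third server. Acts as the apparent enterprise server, holds no enterprise
    data, and raises an alert whenever a planted token appears in the data."""

    def __init__(self, tokens):
        self.tokens = tokens

    def receive(self, ident: str, data: bytes):
        for tok in self.tokens:
            if tok in data:
                return {"id": ident, "token": tok.decode(), "event": "planted token used"}
        return None


class TunnelGatewayServer:
    """Second server, outside the enterprise. It only ever sees identifier + data."""

    def __init__(self, trap: TrapServer):
        self.trap = trap

    def receive(self, tunnel_msg: str):
        msg = json.loads(tunnel_msg)
        return self.trap.receive(msg["id"], base64.b64decode(msg["data"]))


def run_flow(tts: TokenTunnelServer, tgs: TunnelGatewayServer, pkt: Packet, blocklist: set):
    """End-to-end handling on the enterprise side: tunnel the packet, and if an
    alert comes back, resolve its identifier and block the originating address."""
    tunnel_msg = tts.handle(pkt)
    if tunnel_msg is None:
        return None
    alert = tgs.receive(tunnel_msg)
    if alert is not None:
        src = tts.resolve(alert["id"])
        if src is not None:
            blocklist.add(src)  # the "security measure" deployed inside the enterprise
    return tunnel_msg, alert


if __name__ == "__main__":
    tts = TokenTunnelServer("10.0.0.9", ENTERPRISE_ID_KEY)
    tgs = TunnelGatewayServer(TrapServer(PLANTED_TOKENS))
    blocked = set()
    # Constructed packet: a compromised station replaying the planted token.
    pkt = Packet("10.0.5.23", "10.0.0.9", b"LOGIN backup-svc:PLANTED-TOKEN-0001")
    msg, alert = run_flow(tts, tgs, pkt, blocked)
    print("tunnel message:", msg)
    print("alert:", alert)
    print("blocked inside the enterprise:", blocked)
```

Two things are worth checking in a real deployment of this pattern. First, the tunnel message must contain nothing that leaks the source address through a side channel (the payload itself, as captured, could carry it; here the payload is passed through unchanged, so a deployment should decide what the TTS strips). Second, the TTS map is the only thing that turns an alert back into an end station, so it needs to survive restarts and key rotation, or alerts for earlier identifiers become unresolvable.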
24 Claims
1. A method in an enterprise network to detect compromises of enterprise end stations based on tokens tunneled outside the enterprise network while avoiding disclosure of source enterprise network addresses outside the enterprise network, comprising:
receiving, at a first server within the enterprise network that is implemented by one or more electronic devices, a first set of one or more packets from a source enterprise network address directed to a destination enterprise network address of the enterprise network, wherein the destination enterprise network address is an enterprise network address assigned to the first server, wherein the first set of one or more packets includes data comprising a token, wherein the token was placed upon an enterprise end station within the enterprise network and wherein the token appears to be useful for accessing the first server or a resource provided by the first server; and
transmitting, by the first server, a second set of one or more packets via a tunnel across a public network to a second server that is outside of the enterprise network, wherein the second set of one or more packets includes the data comprising the token and an identifier but does not include the source enterprise network address so that the source enterprise network address is not disclosed to the second server, wherein the second set of one or more packets causes the second server to send the data comprising the token to a third server that acts as if it were an enterprise server within the enterprise network but is actually outside of the enterprise network and does not store enterprise data, wherein the presence of the token in the second set of one or more packets allows for determining whether one of the enterprise end stations has been compromised, wherein at least one of the enterprise end station that utilized the source enterprise network address or the source enterprise network address can be determined within the enterprise based upon the identifier, and wherein outside the enterprise the identifier distinguishes between traffic sent from different source enterprise network addresses without disclosing the different source enterprise network addresses; and
causing, within the enterprise network, one or more security measures to be deployed that monitor or block traffic based on receipt of an alert data that was sent to the enterprise network due to detection of a use of the token in the data sent by the second server to the third server. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
15. A non-transitory computer-readable storage medium having instructions which, when executed by one or more processors of a device, cause the device to implement a first server to act in an enterprise network to detect compromises of enterprise end stations based on tokens tunneled outside the enterprise network while avoiding disclosure of source enterprise network addresses outside the enterprise network by performing operations comprising:
receiving a first set of one or more packets from a source enterprise network address directed to a destination enterprise network address of the enterprise network, wherein the destination enterprise network address is an enterprise network address assigned to the first server, wherein the first set of one or more packets includes data comprising a token, wherein the token was placed upon an enterprise end station within the enterprise network and wherein the token appears to be useful for accessing the first server or a resource provided by the first server; and
transmitting a second set of one or more packets via a tunnel across a public network to a second server that is outside of the enterprise network, wherein the second set of one or more packets includes the data comprising the token and an identifier but does not include the source enterprise network address so that the source enterprise network address is not disclosed to the second server, wherein the second set of one or more packets causes the second server to send the data comprising the token to a third server that acts as if it were an enterprise server within the enterprise network but is actually outside of the enterprise network and does not store enterprise data, wherein the presence of the token in the second set of one or more packets allows for determining whether one of the enterprise end stations has been compromised, wherein at least one of the enterprise end station that utilized the source enterprise network address or the source enterprise network address can be determined within the enterprise based upon the identifier, wherein outside the enterprise the identifier distinguishes between traffic sent from different source enterprise network addresses without disclosing the different source enterprise network addresses, wherein the transmitting the second set of one or more packets to the second server causes one or more security measures to be deployed in the enterprise network that monitor or block traffic based on receipt of an alert data that was sent to the enterprise network due to detection of a use of the token in the data sent by the second server to the third server. - View Dependent Claims (16, 17, 18, 19)
20. A device, comprising:
one or more processors; and
a non-transitory computer-readable storage medium having instructions which, when executed by the one or more processors, cause the device to implement a first server to act in an enterprise network to detect compromises of enterprise end stations based on tokens tunneled outside the enterprise network while avoiding disclosure of source enterprise network addresses outside the enterprise network by being adapted to:
receive a first set of one or more packets from a source enterprise network address directed to a destination enterprise network address of the enterprise network, wherein the destination enterprise network address is an enterprise network address assigned to the first server, wherein the first set of one or more packets includes data comprising a token, wherein the token was placed upon an enterprise end station within the enterprise network and wherein the token appears to be useful for accessing the first server or a resource provided by the first server; and
transmit a second set of one or more packets via a tunnel across a public network to a second server that is outside of the enterprise network, wherein the second set of one or more packets includes the data comprising the token and an identifier but does not include the source enterprise network address so that the source enterprise network address is not disclosed to the second server, wherein the second set of one or more packets causes the second server to send the data comprising the token to a third server that acts as if it were an enterprise server within the enterprise network but is actually outside of the enterprise network and does not store enterprise data, wherein the presence of the token in the second set of one or more packets allows for determining whether one of the enterprise end stations has been compromised, wherein at least one of the enterprise end station that utilized the source enterprise network address or the source enterprise network address can be determined within the enterprise based upon the identifier, wherein outside the enterprise the identifier distinguishes between traffic sent from different source enterprise network addresses without disclosing the different source enterprise network addresses, wherein the transmission of the second set of one or more packets to the second server causes one or more security measures to be deployed in the enterprise network that monitor or block traffic based on receipt of an alert data that was sent to the enterprise network due to detection of a use of the token in the data sent by the second server to the third server. - View Dependent Claims (21, 22, 23, 24)
Specification