Computerized system and method for securely distributing and exchanging cyber-threat information in a standardized format

US 10,686,828 B2
Filed: 04/14/2016
Issued: 06/16/2020
Est. Priority Date: 04/17/2015
Status: Active Grant

First Claim

Patent Images

1. A computerized method for distributing threat information, comprising:

providing a network connecting a central repository to a plurality of local repositories, each local repository is in communication with a sensor;

generating threat information in a customizable machine readable language with a sensor based on an observed event;

creating a first item describing the threat information by converting the machine readable language into a common language at one of the plurality of local repositories;

pushing the first item from one of the plurality of local repositories to the central repository for storing the first item and distributing the first item from the central repository to the plurality of other local repositories; and

pushing the first item from the first local repository directly to another local repository in the network, wherein each of the plurality of local repositories are configured to push the first item to another local repository in the network, and each of the plurality of local repositories are configured to pull the first item from another local repository in the network.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Computerized systems and methods for sharing identified cyber-threat information in a standardized and secure format. The sharing of cyber-threat information assists in preventing malicious actors from replicating successful cyber-attacks by informing potential targets of the methods employed by the malicious actors, and the defensive measures that those targets should to implement to prevent those methods from succeeding. By distributing cyber-threat information in a standardized format, the systems and methods enable participating entities to automatically analyze and implement defensive measures for cyber-threat information shared by any other participating entities. The systems and methods also permit an entity to control which threat information it shares and which other entities it shares it with in a secure manner in order to preserve that entity'"'"'s security and reputation.

Citations

20 Claims

1. A computerized method for distributing threat information, comprising:
- providing a network connecting a central repository to a plurality of local repositories, each local repository is in communication with a sensor;
  
  generating threat information in a customizable machine readable language with a sensor based on an observed event;
  
  creating a first item describing the threat information by converting the machine readable language into a common language at one of the plurality of local repositories;
  
  pushing the first item from one of the plurality of local repositories to the central repository for storing the first item and distributing the first item from the central repository to the plurality of other local repositories; and
  
  pushing the first item from the first local repository directly to another local repository in the network, wherein each of the plurality of local repositories are configured to push the first item to another local repository in the network, and each of the plurality of local repositories are configured to pull the first item from another local repository in the network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The computerized method of claim 1 further comprising:
    - converting the first item, at the at least one other repository for storing and distributing threat information, into a second item describing the observed event or property in a customized language of the at least one other repository.
  - 3. The computerized method of claim 1, wherein the common language is the STIX language, and the first item is distributed in accordance with the TAXII specification.
  - 4. The computerized method of claim 3, wherein the first item contains descriptions of one or more of:
    - (a) an observed event or property;
      
      (b) a pattern of relevant observed activity;
      
      (c) a set of related system or network activity associated with the observed event or property;
      
      (d) an entity responsible for causing the observed event or property;
      
      (e) a representation of the behavior or modus operandi of the entity responsible for the observed event or property;
      
      (f) a vulnerability, weakness, or configuration issue of a potential victim of the observed event or property;
      
      (g) a particular action that can be taken to prevent, mitigate, or remediate the effects of the observed event or property; and
      
      (h) related activities executed by the entity responsible for the observed event or property.
  - 5. The computerized method of claim 1, further comprising manually analyzing or automatically analyzing the first item at the at least one other repository.
  - 6. The computerized method of claim 5, wherein automatically analyzing the first item comprises automatically determining whether to implement a response to the observed event or property.
  - 7. The computerized method of claim 6, further comprising automatically implementing a response to the observed event or property.
  - 8. The computerized method of claim 1, further comprising analyzing, at the first repository for storing and distributing the threat information, a plurality of items describing a plurality of observed events or properties.
  - 9. The computerized method of claim 8, further comprising determining, from the analysis of the plurality of items describing the plurality of observed events or properties, at least one piece of information selected from the group comprising:
    - (a) a representation of the behavior or modus operandi of an entity responsible for at least one of the plurality of observed events or properties;
      
      (b) a vulnerability, weakness, or configuration issue of a victim of at least one of the plurality of observed events or properties;
      
      (c) a particular action that could be taken to prevent, mitigate, or remediate the effects of at least one of the plurality of observed events or properties;
      
      (d) the entity responsible for at least one of the plurality of observed events or properties; and
      
      (e) a prediction of at least one future observed event or property.
  - 10. The computerized method of claim 9, further comprising adding the at least one piece of information to at least one of the plurality of items.
  - 11. The computerized method of claim 1, further comprising assigning a quality metric to the first item describing the observed event or property.
  - 12. The computerized method of claim 11, wherein the quality metric is automatically assigned or manually assigned to the first item, and the quality metric is based on at least one confidence metric previously assigned to the first item.
  - 13. The computerized method of claim 12, wherein the at least one confidence metric was automatically assigned or manually assigned to the first item, and the confidence metric is based on at least one of:
    - (a) an identity of an entity responsible for creating the first item describing the observed event or property;
      
      (b) a type of the observed event or property;
      
      (c) a set of related system or network activity associated with the observed event or property; and
      
      (d) an entity responsible for causing the observed event or property.

14. A computerized system for storing and distributing threat information, comprising:
- a central repository for storing and distributing threat information;
  
  a plurality of local repositories for storing and distributing threat information, each local repository is capable of generating threat information in a customizable machine readable language based on an observed event, creating a first item describing the threat information by converting the machine readable language into a common language, pushing the first item to the central repository, and pushing the first item directly to one local repository, each of the plurality of local repositories are configured to push the first item to another local repository, and each local repository is configured to pull threat information from another local repository; and
  
  a network connecting the central repository with the plurality of local repositories, wherein the network allows transmission of the first item from at least one of the plurality of local repositories to the central repository, transmission of the first item from the central repository to the plurality of local repositories, and transmission of the first item from at least one of the plurality of local repositories directly to one other local repository.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The computerized system of claim 14, wherein the central repository for storing and distributing threat information is connected to at least one of:
    - (a) a private feed configured to transmit threat information to the central repository;
      
      (b) a public feed configured to transmit threat information to the central repository; and
      
      (c) a government feed configured to transmit threat information to the central repository.
  - 16. The computerized system of claim 14, wherein at least one of the plurality of local repositories for storing and distributing threat information is connected to at least one of:
    - (a) a private feed configured to transmit threat information to the central repository;
      
      (b) a public feed configured to transmit threat information to the central repository; and
      
      (c) a government feed configured to transmit threat information to the central repository.
  - 17. The computerized system of claim 14, wherein a first one of the plurality of local repositories is configured to transmit at least one item of threat information over the network via the central repository to at least a second one of the plurality of local repositories.
  - 18. The computerized system of claim 14, wherein a first one of the plurality of local repositories is configured to transmit at least one item of threat information over the network directly to at least a second one of the plurality of local repositories.
  - 19. The computerized system of claim 14, wherein each local repository is capable of pushing threat information to another local repository in real time and each local repository is capable of pulling threat information from another local repository in real time.
  - 20. The computerized system of claim 14, wherein each local repository is capable of pushing threat information to another local repository at a scheduled time and each local repository is capable of pulling threat information from another local repository at a scheduled time.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Celerium Inc.
Original Assignee
NC4 Soltra, LLC (Everbridge Incorporated)
Inventors
Chernin, Michael Aharon, Clancy, Mark, Eilken, David, Guerrino, Eric, Nelson, William
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Saadoun, Hassan

Application Number

US15/098,977
Publication Number

US 20160366174A1
Time in Patent Office

1,524 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 16/22   Indexing; Data structures t...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/04   for providing a confidentia...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/166   at the transport layer

H04L 67/1097   for distributed storage of ...

Computerized system and method for securely distributing and exchanging cyber-threat information in a standardized format

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Computerized system and method for securely distributing and exchanging cyber-threat information in a standardized format

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links