System and method for verifying a cyberthreat

US 10,701,091 B1
Filed: 07/23/2018
Issued: 06/30/2020
Est. Priority Date: 03/15/2013
Status: Active Grant

First Claim

Patent Images

1. A computerized method to identify potentially malicious code in a network, the method comprising:

analyzing information within a report associated with one or more threats resulting from a prior analysis of a portion of network data received over a network to yield intelligence that includes at least one of instructions or indicators related to the identified one or more threats and determining, based on the intelligence yielded from the information within the report, an endpoint device including an endpoint agent that is to (i) receive at least one of the instructions or the indicators, (ii) conduct an examination of memory of the endpoint device for data corresponding to any of the instructions or the indicators, and (iii) obtain results of the examination;

gathering and correlating verification information with information gathered from one or more sources to determine whether the verification information corresponds to a verified threat, the verification information includes at least a portion of the results of the examination by the endpoint device and an identifier for the endpoint device; and

sending a notification including a portion of the verification information to identify the verified threat.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computerized method to identify potentially malicious code in a network is described. Herein, information associated with a threat is analyzed to yield intelligence that includes instructions or indicators related to the threat. Based on the intelligence, a determination is made as to an endpoint device, which includes an endpoint agent, is to (i) receive at least one of the instructions or the indicators, (ii) conduct an examination of memory of the endpoint device for data corresponding to any of the instructions or the indicators, and (iii) obtain results of the examination. Verification information, including at least a portion of the results of the examination by the endpoint device and an identifier for the endpoint device, is gathered and correlated to determine whether such information corresponds to a verified threat. Thereafter, a notification, including a portion of the verification information, is sent to identify the verified threat.

Citations

21 Claims

1. A computerized method to identify potentially malicious code in a network, the method comprising:
- analyzing information within a report associated with one or more threats resulting from a prior analysis of a portion of network data received over a network to yield intelligence that includes at least one of instructions or indicators related to the identified one or more threats and determining, based on the intelligence yielded from the information within the report, an endpoint device including an endpoint agent that is to (i) receive at least one of the instructions or the indicators, (ii) conduct an examination of memory of the endpoint device for data corresponding to any of the instructions or the indicators, and (iii) obtain results of the examination;
  
  gathering and correlating verification information with information gathered from one or more sources to determine whether the verification information corresponds to a verified threat, the verification information includes at least a portion of the results of the examination by the endpoint device and an identifier for the endpoint device; and
  
  sending a notification including a portion of the verification information to identify the verified threat.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computerized method according to claim 1, wherein the correlating of the verification information is conducted processed by comparing the verification information to (a) data obtained from another endpoint device different than the endpoint device, or (b) data obtained from a security information and event manager module (SIEM).
  - 3. The computerized method according to claim 1, wherein the endpoint agent is further configured to a system state of the endpoint device for data corresponding to any of the instructions or the indicators, and obtaining results of the test.
  - 4. The computerized method according to claim 1, wherein prior to analyzing information within the report, the method further comprising:
    - analyzing the portion of the network data by at least analyzing an executable by an analyzer of a threat monitor, the analyzer includes a dynamic analyzer that completely or partially executes the executable within an environment where operations of the executable are monitored to identify one or more behaviors or operations associated with the one or more threats.
  - 5. The computerized method according to claim 4, wherein the information resulting from the analyzing of the portion of the network data includes an attempted change of the environment by the executable or one or more attempts to establish a network connection or a Domain Name System (DNS) lookup.
  - 6. The computerized method according to claim 1, wherein the examination of the memory of the endpoint device comprisesconfiguring the endpoint agent to receive the indicators;
    - monitoring a state of the endpoint device and generating audit data in response to a monitored change of the system state; and
      
      providing data, based on the audit data, to the endpoint agent to determine whether the endpoint device is compromised based on a matching of data based on the audit data to any of the indicators.
  - 7. The computerized method according to claim 4, further comprising:
    - changing a configuration of the threat monitor based on the verification information.
  - 8. The computerized method according to claim 1, further comprising:
    - performing a containment action to mitigate effects of the verified threat on the endpoint device via the endpoint agent based on the verification information, wherein,the containment action is taken by a containment agent of the endpoint agent, andthe containment agent is installed on the endpoint device pursuant to instructions contained in a containment package configured by a verifier that is analyzing the information within the report.

9. An endpoint agent for testing endpoint system state and examining memory within the endpoint system, comprising:
- an indicator matcher component;
  
  a persistent monitor communicatively coupled to the indicator matcher component, the persistent monitor to monitor at least system state of an endpoint device and provide audit data reporting an occurrence of a persistent change in the system state of the endpoint device; and
  
  an audit controller coupled to the indicator matcher component and the persistent monitor, the audit controller to receive instructions or indicators, configure the indicator matcher component based on at least the received indicators, and control audits of at least the system state of the endpoint device conducted by the persistent monitor,wherein the persistent monitor communicates the audit data associated with a persistent change in the monitored system state of the endpoint device to the indicator matcher component and the indicator matcher component outputs information from the endpoint agent in response to a correlation between the received indicators from the audit controller and the audit data associated with the persistent change in the monitored system state.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The endpoint agent according to claim 9, wherein the indicator matcher component outputs the information from the endpoint agent by sending a notification including intelligence to identify the instructions or indicators represent a verified threat.
  - 11. The endpoint agent according to claim 9 being communicatively coupled to a verifier, the verifier including (i) a report analyzer and (ii) an agent coordinator, whereinthe report analyzer to analyze the information within the report and yield intelligence including the instructions or indicators to be provided to the agent coordinator, andthe agent coordinator to determine, based on the intelligence provided by the report analyzer, the endpoint agent.
  - 12. The endpoint agent according to claim 10 further comprising:
    - a management component to further gather and correlate the verification information against data from one or more endpoint devices different than the endpoint device to determine that the verification information represents the verified threat.
  - 13. The endpoint agent according to claim 9, wherein the audit controller is configured to control audits of memory performed by an audit module operating within the persistent monitor.
  - 14. The endpoint agent according to claim 9, wherein an indicator of the indicators relating to a specific type or subset of information regarding a state of the endpoint device includes a description of a file or a hash sum of the file or regarding a description of an operation associated with the one or more threats.

15. A computerized method to identify potentially malicious code in a network, the method comprising:
- analyzing information associated with one or more threats to yield intelligence that includes at least one of instructions or indicators related to the one or more threats and determining, based on the intelligence, an endpoint device including an endpoint agent that is to (i) receive at least one of the instructions or the indicators, (ii) conduct an examination of memory of the endpoint device for data corresponding to any of the instructions or the indicators, and (iii) obtain results of the examination;
  
  gathering and correlating verification information to determine whether the verification information corresponds to a verified threat, the verification information includes at least a portion of the results of the examination by the endpoint device and an identifier for the endpoint device; and
  
  sending a notification including a portion of the verification information to identify the verified threat.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The computerized method according to claim 15, wherein the correlating of the verification information is conducted by comparing the verification information to (a) data obtained from another endpoint device different than the endpoint device, or (b) data obtained from a security information and event manager module (SIEM).
  - 17. The computerized method according to claim 15, further comprising:
    - testing of a system state of the endpoint device for data corresponding to any of the instructions or the indicators, and obtaining results of the test.
  - 18. The computerized method according to claim 15, wherein prior to analyzing information within the report, the method further comprising:
    - analyzing the portion of the network data by at least analyzing an executable by an analyzer of a threat monitor, the analyzer includes a dynamic analyzer that is configured to execute the executable within an environment where operations of the executable are monitored to identify one or more behaviors or operations associated with the one or more threats, andwherein information resulting from the analyzing of the portion of the network data includes an attempted change of the environment by the executable or one or more attempts to establish a network connection or a Domain Name System (DNS) lookup.
  - 19. The computerized method according to claim 15, wherein the examination of the memory of the endpoint device comprisesconfiguring the endpoint agent to receive the indicators;
    - monitoring a state of the endpoint device and generating audit data in response to a monitored change of the system state; and
      
      providing data, based on the audit data, to the endpoint agent to determine whether the endpoint device is compromised based on a matching of data based on the audit data to any of the indicators.
  - 20. The computerized method according to claim 15, further comprising:
    - performing a containment action to mitigate effects of the verified threat on the endpoint device via the endpoint agent based on the verification information, wherein,the containment action is taken by a containment agent of the endpoint agent, andthe containment agent is installed on the endpoint device pursuant to instructions contained in a containment package configured by a verifier that is analyzing the information within the report.
  - 21. The computerized method according to claim 15, wherein the gathering and correlating of the verification information comprises gathering and correlating verification information from multiple sources to determine whether the verification information corresponds to the verified threat.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Cunningham, Sean, Dana, Robert, Nardone, Joseph, Faber, Joseph, Arunski, Kevin
Primary Examiner(s)
Parry, Chris

Application Number

US16/043,004
Time in Patent Office

708 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

H04L 63/126   the source of the received ...

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

System and method for verifying a cyberthreat

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for verifying a cyberthreat

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links