System and method for verifying a cyberthreat
First Claim
1. A computerized method to identify potentially malicious code in a network, the method comprising:
- analyzing information within a report associated with one or more threats resulting from a prior analysis of a portion of network data received over a network to yield intelligence that includes at least one of instructions or indicators related to the identified one or more threats and determining, based on the intelligence yielded from the information within the report, an endpoint device including an endpoint agent that is to (i) receive at least one of the instructions or the indicators, (ii) conduct an examination of memory of the endpoint device for data corresponding to any of the instructions or the indicators, and (iii) obtain results of the examination;
- gathering and correlating verification information with information gathered from one or more sources to determine whether the verification information corresponds to a verified threat, the verification information includes at least a portion of the results of the examination by the endpoint device and an identifier for the endpoint device; and
- sending a notification including a portion of the verification information to identify the verified threat.
Abstract
A computerized method to identify potentially malicious code in a network is described. Herein, information associated with a threat is analyzed to yield intelligence that includes instructions or indicators related to the threat. Based on the intelligence, a determination is made that an endpoint device, which includes an endpoint agent, is to (i) receive at least one of the instructions or the indicators, (ii) conduct an examination of memory of the endpoint device for data corresponding to any of the instructions or the indicators, and (iii) obtain results of the examination. Verification information, including at least a portion of the results of the examination by the endpoint device and an identifier for the endpoint device, is gathered and correlated to determine whether such information corresponds to a verified threat. Thereafter, a notification, including a portion of the verification information, is sent to identify the verified threat.
21 Claims
1. A computerized method to identify potentially malicious code in a network (independent claim; text as set out under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. An endpoint agent for testing endpoint system state and examining memory within the endpoint system, comprising:
- an indicator matcher component;
- a persistent monitor communicatively coupled to the indicator matcher component, the persistent monitor to monitor at least system state of an endpoint device and provide audit data reporting an occurrence of a persistent change in the system state of the endpoint device; and
- an audit controller coupled to the indicator matcher component and the persistent monitor, the audit controller to receive instructions or indicators, configure the indicator matcher component based on at least the received indicators, and control audits of at least the system state of the endpoint device conducted by the persistent monitor,
- wherein the persistent monitor communicates the audit data associated with a persistent change in the monitored system state of the endpoint device to the indicator matcher component and the indicator matcher component outputs information from the endpoint agent in response to a correlation between the received indicators from the audit controller and the audit data associated with the persistent change in the monitored system state.
Dependent claims: 10, 11, 12, 13, 14.
15. A computerized method to identify potentially malicious code in a network, the method comprising:
- analyzing information associated with one or more threats to yield intelligence that includes at least one of instructions or indicators related to the one or more threats and determining, based on the intelligence, an endpoint device including an endpoint agent that is to (i) receive at least one of the instructions or the indicators, (ii) conduct an examination of memory of the endpoint device for data corresponding to any of the instructions or the indicators, and (iii) obtain results of the examination;
- gathering and correlating verification information to determine whether the verification information corresponds to a verified threat, the verification information includes at least a portion of the results of the examination by the endpoint device and an identifier for the endpoint device; and
- sending a notification including a portion of the verification information to identify the verified threat.
Dependent claims: 16, 17, 18, 19, 20, 21.
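As an added illustration, not code from the patent or its assignee, the following Python sketch models the agent of claim 9 (indicator matcher, persistent monitor, audit controller) together with the server-side gathering, correlation and notification steps of claims 1 and 15. Class names follow the claim language; the two-endpoint verification threshold, the indicator categories and every indicator and audit value are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Set
@dataclass(frozen=True)
class Indicator:    # indicator yielded from a threat report; sample values in demo() are constructed
    kind: str       # category the monitor reports on, e.g. "autorun_path" or "file_sha256"
    value: str
@dataclass(frozen=True)
class AuditRecord:  # one persistent change in endpoint system state observed by the monitor
    kind: str
    value: str
class IndicatorMatcher:  # holds indicators pushed by the audit controller; tests audit data against them
    def __init__(self) -> None:
        self.by_kind: Dict[str, Set[str]] = {}
    def configure(self, indicators: List[Indicator]) -> None:
        self.by_kind = {}
        for ind in indicators:
            self.by_kind.setdefault(ind.kind, set()).add(ind.value.lower())
    def match(self, rec: AuditRecord) -> bool:  # case-insensitive so path casing differences still match
        return rec.value.lower() in self.by_kind.get(rec.kind, set())
class PersistentMonitor:  # stands in for live hooks on autorun keys, services etc.; replays constructed changes
    def __init__(self, changes: List[AuditRecord]) -> None:
        self.changes = changes
    def audit(self) -> List[AuditRecord]:
        return list(self.changes)
class EndpointAgent:  # audit controller: receives indicators, configures the matcher, drives the audit
    def __init__(self, endpoint_id: str, monitor: PersistentMonitor) -> None:
        self.endpoint_id, self.monitor, self.matcher = endpoint_id, monitor, IndicatorMatcher()
    def run_audit(self, indicators: List[Indicator]) -> dict:
        self.matcher.configure(indicators)
        hits = [r for r in self.monitor.audit() if self.matcher.match(r)]
        return {"endpoint_id": self.endpoint_id, "hits": hits}  # the claim's "verification information"

def correlate(reports: List[dict], min_endpoints: int = 2) -> List[str]:
    """Server side: notify on each indicator that hit on at least min_endpoints distinct devices (assumed rule)."""
    seen: Dict[tuple, Set[str]] = {}
    for rep in reports:
        for rec in rep["hits"]:
            seen.setdefault((rec.kind, rec.value.lower()), set()).add(rep["endpoint_id"])
    return [f"VERIFIED {k}={v} on {','.join(sorted(e))}"
            for (k, v), e in sorted(seen.items()) if len(e) >= min_endpoints]

def demo() -> List[str]:
    # Constructed report intelligence and constructed per-endpoint state changes (not real samples).
    iocs = [Indicator("autorun_path", r"C:\ProgramData\upd\svc.exe"), Indicator("file_sha256", "00" * 32)]
    fleet = {"ep-01": [AuditRecord("autorun_path", r"c:\programdata\upd\svc.exe"), AuditRecord("file_sha256", "00" * 32)],
             "ep-02": [AuditRecord("autorun_path", r"C:\ProgramData\upd\svc.exe")],
             "ep-03": [AuditRecord("service", "Spooler")]}  # clean host: no hits, nothing to verify
    reports = [EndpointAgent(eid, PersistentMonitor(ch)).run_audit(iocs) for eid, ch in fleet.items()]
    return correlate(reports)
```

With the constructed fleet, the autorun indicator is seen on two endpoints and is notified as verified, while the hash indicator hits only one endpoint and stays unverified under the assumed threshold.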
Specification