System and method for coordinating network incident response activities
Abstract
The present invention provides a system and method to process information regarding a network attack through an automated workflow that actively reconfigures a plurality of heterogeneous network-attached devices and applications to dynamically counter the attack using the network's own self-defense mechanisms. The present invention leverages the security capabilities present within existing and new network-attached devices and applications to effect a distributed defense that immediately quarantines and/or mitigates attacks from hostile sources at multiple points simultaneously throughout the network. In a preferred embodiment, deployed countermeasures are automatically lifted following remediation activities.
16 Claims
1. A computer-implemented method for controlling a plurality of network-attached devices to manage countermeasures specific to mitigating or prohibiting a network attack, comprising steps of:
a) Receiving from an originating source an electronic communication comprising an alert for an attack;
b) Generating a list of eligible devices and applications on the target network that may be impacted by or may facilitate the attack;
c) Selecting an optimal countermeasure specific to the attack to be deployed at each selected device based on the capabilities of the device;
d) Communicating electronically with each selected device to activate countermeasures;
e) Optionally communicating electronically to the originating source status information specific to the successful deployment of each countermeasure;
f) Optionally receiving from the originating source an electronic communication to remove the countermeasures;
g) Communicating electronically with each listed device to deactivate each countermeasure;
h) Optionally communicating electronically to the originating source status information specific to the successful removal of each countermeasure.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9)
10. A system for controlling a plurality of network-attached devices to manage countermeasures specific to mitigating or prohibiting a network attack, the system comprising:
a) An interface connecting the system to a communications network;
b) A system clock capable of keeping time independently and/or in sync with an external time source attached to the communications network;
c) A data store capable of receiving and storing electronic communications, data associated therewith, system configuration data, network configuration data, device configuration data, and combinations thereof;
d) A system processor in communication with the interface and data store and comprising one or more processing elements programmed to:
i) Receive communication via the interface wherein the received communication is transmitted from an originating source which has determined that a network attack is either imminent, underway, recently witnessed and expected to recur, or no longer ongoing;
ii) Store the received communication in the data store and process the event as a parent transaction tracked within an activity queue that contains the transaction identifier, description and current status;
iii) Assign a start time to the parent transaction and an expiration time and/or maximum duration if provided in the received communication;
iv) Parse the received communication and perform a plurality of tests to determine the type and number of child transactions required to rapidly activate or deactivate countermeasures across the target network based on the context of the received communication to mitigate or prohibit a network attack where each child transaction is associated with a countermeasure at a specific network device;
v) Execute each transaction across a plurality of network devices processed through a device driver which uses the system interface to communicate between the system, the communications network, and the devices on the target network;
vi) Update the current state of each transaction as recorded in the queue;
vii) Output status notifications to the originating source.
(Dependent claims: 11, 12, 13, 14, 15, 16)
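As an added illustration, not code from the patent or its assignee, the following Python model walks through the workflow of claims 1 and 10: an alert becomes a parent transaction with a start and expiration time, eligible devices are chosen by the countermeasures they can enforce, one child transaction per device is driven through a device driver, per-device status is reported back, and countermeasures are lifted on request or automatically at expiration. The device inventory, the preference order per attack type and the driver callable are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional
# Constructed inventory (assumption): each device advertises the countermeasures it can enforce.
DEVICES = {"edge-fw": {"block_ip", "rate_limit"}, "waf-1": {"block_ip", "block_path"},
           "core-switch": {"acl_drop"}, "printer": set()}
# Constructed preference order per attack type; the first entry a device supports is "optimal".
PREFERENCE = {"dos": ["rate_limit", "block_ip", "acl_drop"],
              "web_exploit": ["block_path", "block_ip", "acl_drop"]}

@dataclass
class Child:  # one countermeasure at one device (claim 10, step iv)
    device: str
    countermeasure: str
    status: str = "pending"
@dataclass
class Parent:  # the alert tracked as a parent transaction with start/expiry (steps ii, iii)
    alert_id: str
    start: datetime
    expires: Optional[datetime]
    children: list = field(default_factory=list)
    status: str = "received"

class Coordinator:
    def __init__(self, driver):
        self.driver = driver  # driver(device, action, countermeasure) -> bool; stands in for the device driver
        self.queue = {}       # activity queue keyed by transaction id

    def select(self, attack_type):  # steps b, c: eligible devices, one countermeasure each by capability
        children = []
        for device, caps in DEVICES.items():
            chosen = next((c for c in PREFERENCE[attack_type] if c in caps), None)
            if chosen:  # a device with no usable capability is not eligible
                children.append(Child(device, chosen))
        return children
    def receive_alert(self, alert, now):  # steps a-e: accept, build child transactions, activate, report
        expires = now + timedelta(seconds=alert["ttl"]) if "ttl" in alert else None
        parent = Parent(alert["id"], now, expires, self.select(alert["attack_type"]))
        self.queue[parent.alert_id] = parent
        return self._apply(parent, "activate", "active")
    def _apply(self, parent, action, done):  # steps d/g plus vi: drive each device, record per-child state
        for child in parent.children:
            child.status = done if self.driver(child.device, action, child.countermeasure) else "failed"
        parent.status = done if all(c.status == done for c in parent.children) else "partial"
        return {c.device: c.status for c in parent.children}  # status notification to the source (e, h)
    def remove(self, alert_id):  # steps f-h: deactivate every listed countermeasure on request
        return self._apply(self.queue[alert_id], "deactivate", "removed")
    def expire(self, now):  # preferred embodiment: lift countermeasures once their expiration passes
        return {pid: self.remove(pid) for pid, p in self.queue.items()
                if p.expires and now >= p.expires and p.status != "removed"}
```

A device that rejects a countermeasure leaves the parent transaction in a "partial" state, which is the case the status notification back to the originating source exists to surface.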
Specification