SYSTEMS AND METHODS FOR REMOTE IDENTIFICATION OF ENTERPRISE THREATS

US 20180063181A1
Filed: 08/23/2017
Published: 03/01/2018
Est. Priority Date: 08/30/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

receiving, a threat analysis system, threat parameters associated with an enterprise management system;

configuring a tool based on the threat parameters;

distributing the tool to a plurality of computing systems in an enterprise managed by the enterprise management system, the tool configured to be executed by the threat analysis system remote from the plurality of computing systems, wherein at each computing system the tool;

collects a system data set based on the threat parameters associated with the computing system; and

sends the system data set to a data store;

obtaining a plurality of system data sets associated with the plurality of computing systems from the data store, each system data set associated with one of the plurality of computing systems;

analyzing the plurality of system data sets to identify potential threats;

generating a threat report including one or more identified potential threats from one or more computing systems of the plurality of computing systems; and

causing an alert including the threat report to be provided to the enterprise management system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the present invention provide techniques, systems, and methods for remote, agent-less enterprise computer threat data collection, malicious threat analysis, and identification and reporting of potential and real threats present on an enterprise computer system. Specifically, embodiments are directed to a system that securely collects system information from computers across the enterprise, internally encrypts and analyzes the collected information for indicators of compromise, threatening behavior, and known vulnerabilities, and generates alerts regarding known and potential threats for further analysis and remediation. If potential threats are identified, the system may deploy a memory analysis module that takes a deeper analysis of the potentially compromised computer to obtain more information about the potential threat. The remote, agent-less collection, analysis, and identification process can be repeated periodically to obtain additional information over time in order to identify the nature of the threat, and may delete itself after completion to avoid detection.

Citations

20 Claims

1. A computer-implemented method, comprising:
- receiving, a threat analysis system, threat parameters associated with an enterprise management system;
  
  configuring a tool based on the threat parameters;
  
  distributing the tool to a plurality of computing systems in an enterprise managed by the enterprise management system, the tool configured to be executed by the threat analysis system remote from the plurality of computing systems, wherein at each computing system the tool;
  
  collects a system data set based on the threat parameters associated with the computing system; and
  
  sends the system data set to a data store;
  
  obtaining a plurality of system data sets associated with the plurality of computing systems from the data store, each system data set associated with one of the plurality of computing systems;
  
  analyzing the plurality of system data sets to identify potential threats;
  
  generating a threat report including one or more identified potential threats from one or more computing systems of the plurality of computing systems; and
  
  causing an alert including the threat report to be provided to the enterprise management system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising:
    - identifying the one or more computing systems of the plurality of computing systems associated with the one or more identified potential threats;
      
      configuring a second tool to collect memory information from the one or more identified computing systems associated with the one or more identified potential threats;
      
      distributing the second tool to the one or more identified computing systems, wherein at each computing system the second tool;
      
      collects a memory data set associated with the computing system; and
      
      sends the memory data set to the data store;
      
      obtaining one or more memory data sets associated with the one or more identified computing systems;
      
      analyzing the one or more memory data sets to identify real threats; and
      
      generating a memory threat report including one or more identified real threats.
  - 3. The method of claim 1, wherein analyzing the plurality of system data sets to identify potential threats comprises:
    - comparing each system data set of the plurality of system data sets to a database of known threat indicators;
      
      identifying at least one system data set matching one or more threat indicators of the database of known threat indicators; and
      
      for each of the at least one system data set matching the one or more threat indicators;
      
      determining a file identifier, a computing system identifier, a type of threat indicator, and a threat identifier associated with the system data set; and
      
      logging the file identifier, the computing system identifier, the type of threat indicator, and the threat identifier for use in the threat report.
  - 4. The method of claim 1, wherein analyzing the plurality of system data sets to identify potential threats comprises:
    - comparing each system data set of the plurality of system data sets to a previously stored system data set for the computing system associated with the system data set;
      
      identifying one or more differences between the previously stored system data set for at least one of the plurality of computing systems;
      
      for each of the at least one of the plurality of computing systems;
      
      for each difference of the one or more differences;
      
      comparing the difference to a database of behavioral threat indicators;
      
      identifying a behavioral threat indicator matching the difference;
      
      determining a file identifier, a computing system identifier, a type of threat indicator, the difference, and a threat identifier associated with the system data set, the difference, and the behavioral threat indicator matching the difference; and
      
      logging the file identifier, the computing system identifier, the type of threat indicator, the difference, and the threat identifier for use in the threat report.
  - 5. The method of claim 1, wherein analyzing the plurality of system data sets to identify potential threats comprises:
    - for each system data set of the plurality of system data sets;
      
      comparing the system data set to a reference system data set; and
      
      identifying one or more differences between the system data set and the reference system data set for at least one of the plurality of system data sets;
      
      for each difference of the one or more differences;
      
      comparing the difference to a database of behavioral threat indicators;
      
      identifying a behavioral threat indicator matching the difference;
      
      determining a file identifier, a computing system identifier, a type of threat indicator, the difference, and a threat identifier associated with the system data set, the difference, and the behavioral threat indicator matching the difference; and
      
      logging the file identifier, the computing system identifier, the type of threat indicator, the difference, and the threat identifier for use in the threat report.
  - 6. The method of claim 1, further comprising:
    - receiving confirmation that at least one of the one or more identified potential threats indicates a real threat;
      
      generating a hash of the system data set associated with the real threat;
      
      updating the database of known threat indicators to include the hash of the system data set associated with the real threat.
  - 7. The method of claim 1, further comprising:
    - receiving confirmation that at least one of the one or more identified potential threats indicates a real threat;
      
      identifying one or more indicators of the system data associated with the at least one identified potential threat; and
      
      updating a database of known threat indicators to include the one or more indicators of the system data associated with the threat.
  - 8. The method of claim 1, wherein before analyzing the plurality of system data sets, the method further comprises:
    - identifying identical system data between the plurality of system data sets; and
      
      removing the identical system data from the plurality of system data sets.
  - 9. The method of claim 1, further comprising:
    - encrypting the collected system data set prior to sending the collected system data to the data store; and
      
      decrypting the plurality of system data set prior to analyzing to identify potential threats.
  - 10. The method of claim 1, wherein the tool is deleted from the two or more computing systems after being run to reduce detection by the one or more identified potential threats.

11. A computing device comprising:
- a processor; and
  
  a computer-readable medium comprising code, executable by the processor, to perform a method comprising;
  
  receive threat parameters associated with an enterprise management system;
  
  configure a tool based on the threat parameters;
  
  distribute the tool to a plurality of computing systems in the enterprise, the tool configured to be executed by the computing device remote from the plurality of computing systems, wherein at each computing system the tool;
  
  collects a system data set based on the threat parameters associated with the computing system; and
  
  sends the system data set to a data store;
  
  obtain a plurality of system data sets associated with the plurality of computing systems from the data store, each system data set associated with one of the plurality of computing systems;
  
  analyze the plurality of system data sets to identify potential threats;
  
  generate a threat report including one or more identified potential threats from one or more computing systems of the plurality of computing systems; and
  
  cause an alert including the threat report to be provided to the enterprise management system.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The computing device of claim 11, wherein the method further comprises:
    - identify the one or more computing systems of the plurality of computing systems associated with the one or more identified potential threats;
      
      configure a second tool to collect memory information from the one or more identified computing systems associated with the one or more identified potential threats;
      
      distribute the second tool to the one or more identified computing systems, wherein at each computing system the second tool;
      
      collects a memory data set associated with the computing system; and
      
      sends the memory data set to the data store;
      
      obtain one or more memory data sets associated with the one or more identified computing systems;
      
      analyze the one or more memory data sets to identify real threats; and
      
      generate a memory threat report including one or more identified real threats.
  - 13. The computing device of claim 11, wherein analyzing the plurality of system data sets to identify potential threats comprises:
    - comparing each system data set of the plurality of system data sets to a database of known threat indicators;
      
      identifying at least one system data set matching one or more threat indicators of the database of known threat indicators; and
      
      for each of the at least one system data set matching the one or more threat indicators;
      
      determining a file identifier, a computing system identifier, a type of threat indicator, and a threat identifier associated with the system data set; and
      
      logging the file identifier, the computing system identifier, the type of threat indicator, and the threat identifier for use in the threat report.
  - 14. The computing device of claim 11, wherein analyzing the plurality of system data sets to identify potential threats comprises:
    - compare each system data set of the plurality of system data sets to a previously stored system data set for the computing system associated with the system data set;
      
      identify one or more differences between the previously stored system data set for at least one of the plurality of computing systems;
      
      for each of the at least one of the plurality of computing systems;
      
      for each difference of the one or more differences;
      
      compare the difference to a database of behavioral threat indicators;
      
      identify a behavioral threat indicator matching the difference;
      
      determine a file identifier, a computing system identifier, a type of threat indicator, the difference, and a threat identifier associated with the system data set, the difference, and the behavioral threat indicator matching the difference; and
      
      log the file identifier, the computing system identifier, the type of threat indicator, the difference, and the threat identifier for use in the threat report.
  - 15. The computing device of claim 11, wherein analyzing the plurality of system data sets to identify potential threats comprises:
    - for each system data set of the plurality of system data sets;
      
      compare the system data set to a reference system data set; and
      
      identify one or more differences between the system data set and the reference system data set for at least one of the plurality of system data sets;
      
      for each difference of the one or more differences;
      
      compare the difference to a database of behavioral threat indicators;
      
      identify a behavioral threat indicator matching the difference;
      
      determine a file identifier, a computing system identifier, a type of threat indicator, the difference, and a threat identifier associated with the system data set, the difference, and the behavioral threat indicator matching the difference; and
      
      log the file identifier, the computing system identifier, the type of threat indicator, the difference, and the threat identifier for use in the threat report.
  - 16. The computing device of claim 11, wherein the method further comprises:
    - receive confirmation that at least one of the one or more identified potential threats indicates a real threat;
      
      generate a hash of the system data set associated with the real threat;
      
      update the database of known threat indicators to include the hash of the system data set associated with the real threat.

17. A system comprising:
- a threat analysis system configured to;
  
  receive threat parameters associated with an enterprise management system;
  
  configure a tool based on the threat parameters;
  
  distribute the tool to a plurality of computing systems in the enterprise, the tool configured to be executed by the threat analysis system remote from the plurality of computing systems;
  
  obtain a plurality of system data sets associated with the plurality of computing systems from a data store, each system data set associated with one of the plurality of computing systems;
  
  analyzing the plurality of system data sets to identify potential threats;
  
  generating a threat report including one or more identified potential threats from one or more computing systems of the plurality of computing systems; and
  
  causing an alert including the threat report to be provided to the enterprise management system;
  
  the enterprise management system configured to;
  
  provide the threat parameters associated with the tool to the threat analysis system; and
  
  receive the threat report including the one or more identified potential threats from the threat analysis system; and
  
  mediate the one or more identified threats on the one or more computing systems for the plurality of computing systems; and
  
  the plurality of computing systems in the enterprise, wherein each of the plurality of computing systems are configured to;
  
  receive the tool; and
  
  execute the tool, wherein the tool is configured to;
  
  collect a system data set based on the threat parameters associated with the computing system; and
  
  send the system data set to a data store.
- View Dependent Claims (18, 19, 20)
- - 18. The system of claim 17, wherein the threat analysis computer is further configured to:
    - identify the one or more computing systems of the plurality of computing systems associated with the one or more identified potential threats;
      
      configure a second tool to collect memory information from the one or more identified computing systems associated with the one or more identified potential threats;
      
      distribute the second tool to the one or more identified computing systems, wherein the each of the one or more identified computing systems executes the second tool to;
      
      collect a memory data set associated with the computing system; and
      
      send the memory data set to the data store;
      
      obtain one or more memory data sets associated with the one or more identified computing systems;
      
      analyze the one or more memory data sets to identify real threats; and
      
      generate a memory threat report including one or more identified real threats.
  - 19. The system of claim 17, wherein analyzing the plurality of system data sets to identify potential threats comprises:
    - comparing each system data set of the plurality of system data sets to a database of known threat indicators;
      
      identifying at least one system data set matching one or more threat indicators of the database of known threat indicators; and
      
      for each of the at least one system data set matching the one or more threat indicators;
      
      determining a file identifier, a computing system identifier, a type of threat indicator, and a threat identifier associated with the system data set; and
      
      logging the file identifier, the computing system identifier, the type of threat indicator, and the threat identifier for use in the threat report.
  - 20. The system of claim 17, wherein analyzing the plurality of system data sets to identify potential threats comprises:
    - compare each system data set of the plurality of system data sets to a previously stored system data set for the computing system associated with the system data set;
      
      identify one or more differences between the previously stored system data set for at least one of the plurality of computing systems;
      
      for each of the at least one of the plurality of computing systems;
      
      for each difference of the one or more differences;
      
      compare the difference to a database of behavioral threat indicators;
      
      identify a behavioral threat indicator matching the difference;
      
      determine a file identifier, a computing system identifier, a type of threat indicator, the difference, and a threat identifier associated with the system data set, the difference, and the behavioral threat indicator matching the difference; and
      
      log the file identifier, the computing system identifier, the type of threat indicator, the difference, and the threat identifier for use in the threat report.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kivu Consulting, Inc.
Original Assignee
Kivu Consulting, Inc.
Inventors
Jones, Elgan David, Langer, Thomas, Krone, Winston

Granted Patent

US 10,594,719 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/034   Test or assess a computer o...

H04L 63/0428   wherein the data content is...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

SYSTEMS AND METHODS FOR REMOTE IDENTIFICATION OF ENTERPRISE THREATS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR REMOTE IDENTIFICATION OF ENTERPRISE THREATS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links