Detecting advanced persistent threats
First Claim
1. A method of detecting an advanced persistent threat (APT) attack on an enterprise system, the method comprising:
receiving, in a computerized device, an indication that a document has been leaked outside the enterprise system;
evaluating a log of security events of the enterprise system using a set of heuristics to produce a reduced set of events potentially relevant to the APT attack; and
outputting the reduced set of events over a user interface for consideration by a security analysis team;
wherein evaluating the log of security events includes:
in a decision engine module, determining a set of heuristic criteria based on external data about the APT attack;
in a correlation engine module, applying the set of heuristic criteria to identify security events from the log of security events that are consistent with the external data about the APT attack;
determining whether a number of the identified security events exceeds a minimum threshold value;
if the number of the identified security events does not exceed the minimum threshold value, then modifying, at the decision engine module, the set of heuristic criteria until the number of the identified security events produced by the correlation engine exceeds the minimum threshold value; and
if the number of the identified security events exceeds the minimum threshold value, then using the identified security events as the reduced set of events;
wherein:
evaluating the log of security events further includes identifying a set of access events within the log of security events in which an endpoint machine has accessed the document;
determining the set of heuristic criteria includes:
determining a document-access time window consistent with the external data about the APT attack; and
determining a set of security event types consistent with the external data about the APT attack; and
applying the set of heuristics includes:
for each access event of the set of access events, searching for security events from the log of security events that are associated with a corresponding endpoint machine and within the document-access time window in proximity to that access event; and
searching the security events identified to be within the document-access time window for security events of a type that falls within the set of security event types to produce a set of suspicious events.
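The decision-engine / correlation-engine loop of claim 1, written out as an added illustration (this is not code from the patent or its assignee). The event types, document name, timestamps and the widening rule (double the window, then add one candidate type per round) are assumptions; the `max_rounds` bound is added because the claim's "until the number ... exceeds the minimum threshold" has no stopping condition for a log that never yields enough hits.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    ts: datetime      # when the event was logged
    endpoint: str     # endpoint machine that produced it
    etype: str        # security event type (e.g. a SIEM category)
    detail: str = ""  # free text; the document name for access events

def find_access_events(log, document):
    """Access events: log entries in which an endpoint opened the leaked document."""
    return [e for e in log if e.etype == "doc_access" and e.detail == document]

def correlate(log, access_events, window, event_types):
    """Correlation engine: events on the same endpoint as an access event,
    within +/- window of it, whose type is in the heuristic type set."""
    hits = set()
    for a in access_events:
        for e in log:
            if (e.endpoint == a.endpoint and e is not a
                    and abs(e.ts - a.ts) <= window and e.etype in event_types):
                hits.add(e)
    return hits

def reduce_events(log, document, window, event_types, threshold,
                  widen_with=(), max_rounds=8):
    """Decision engine: if the hit count does not exceed the threshold, double
    the window, add the next candidate event type and retry. max_rounds bounds
    the loop so a sparse log cannot make the claim's 'until' spin forever."""
    access = find_access_events(log, document)
    types, pending, hits = set(event_types), list(widen_with), set()
    for _ in range(max_rounds):
        hits = correlate(log, access, window, types)
        if len(hits) > threshold:
            break
        window *= 2
        if pending:
            types.add(pending.pop(0))
    return sorted(hits, key=lambda e: e.ts), window, types

def demo():
    """Constructed sample log (not real telemetry) run through the loop."""
    t = datetime(2023, 1, 10, 9, 0)
    log = [Event(t, "host-a", "doc_access", "plan.docx"),
           Event(t - timedelta(minutes=10), "host-a", "new_process", "archiver"),
           Event(t + timedelta(minutes=30), "host-a", "dns_query", "cdn.example"),
           Event(t + timedelta(hours=2), "host-a", "large_upload", "4.2 GB"),
           Event(t + timedelta(minutes=5), "host-b", "new_process", "archiver")]
    return reduce_events(log, "plan.docx", timedelta(hours=1), {"large_upload"},
                         threshold=1, widen_with=["new_process", "dns_query"])
```

In the sample, the first round (one-hour window, upload events only) yields nothing, so the criteria are widened once and the second round returns the process launch and the large upload on the accessing endpoint while the event on host-b is ignored.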
Abstract
Techniques are provided for detecting the source of an APT-based leaked document by iteratively or recursively evaluating a set of network security logs (e.g., SIEM logs and FPC logs) for events consistent with APT behavior according to a set of heuristics to generate a reduced set of security events for consideration by the CIRT. A method of detecting an APT attack on an enterprise system is provided. The method includes (a) receiving, in a computerized device, an indication that a document has been leaked outside the enterprise system, (b) evaluating a log of security events of the enterprise system using a set of heuristics to produce a reduced set of events potentially relevant to the APT attack, and (c) outputting the reduced set of events over a user interface for consideration by a security analysis team. A system and computer program product for performing this method are also provided.
14 Claims
1. Independent method claim, reproduced in full under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. An enterprise system comprising:
a set of endpoint machines;
a set of enterprise-managed servers;
a security logging system;
a Critical Incident Response Center (CIRC) server; and
a network, connecting the set of endpoint machines, the set of enterprise-managed servers, the security logging system, and the CIRC server;
wherein the CIRC server is configured to detect an advanced persistent threat (APT) attack on the enterprise system by:
receiving an indication that a document has been leaked outside the enterprise system;
evaluating a log of security events from the security logging system using a set of heuristics to produce a reduced set of events potentially relevant to the APT attack; and
outputting the reduced set of events for consideration by a security analysis team;
wherein the CIRC server, when evaluating the log of security events, is configured to:
in a decision engine module, determine a set of heuristic criteria based on external data about the APT attack;
in a correlation engine module, apply the set of heuristic criteria to identify security events from the log of security events that are consistent with the external data about the APT attack;
determine whether a number of the identified security events exceeds a minimum threshold value;
if the number of the identified security events does not exceed the minimum threshold value, then modify, at the decision engine module, the set of heuristic criteria until the number of the identified security events produced by the correlation engine exceeds the minimum threshold value;
if the number of the identified security events exceeds the minimum threshold value, then use the identified security events as the reduced set of events; and
identify a set of access events within the log of security events in which an endpoint machine has accessed the document;
wherein:
determining the set of heuristic criteria includes:
determining a document-access time window consistent with the external data about the APT attack; and
determining a set of security event types consistent with the external data about the APT attack; and
applying the set of heuristics includes:
for each access event of the set of access events, searching for security events from the log of security events that are associated with a corresponding endpoint machine and within the document-access time window in proximity to that access event; and
searching the security events identified to be within the document-access time window for security events of a type that falls within the set of security event types to produce a set of suspicious events.
Dependent claims: 10, 11, 12.
13. A computer program product comprising a non-transitory computer-readable storage medium storing a set of instructions, which, when executed by a computer, cause the computer to:
receive an indication that a document has been leaked outside an enterprise system;
evaluate a log of security events of the enterprise system using a set of heuristics to produce a reduced set of events potentially relevant to an advanced persistent threat (APT) attack; and
output the reduced set of events over a user interface for consideration by a security analysis team;
wherein the set of instructions, when executed by the computer, cause the computer to, when evaluating the log of security events:
in a decision engine module, determine a set of heuristic criteria based on external data about the APT attack;
in a correlation engine module, apply the set of heuristic criteria to identify security events from the log of security events that are consistent with the external data about the APT attack;
determine whether a number of the identified security events exceeds a minimum threshold value;
if the number of the identified security events does not exceed the minimum threshold value, then modify, at the decision engine module, the set of heuristic criteria until the number of the identified security events produced by the correlation engine exceeds the minimum threshold value; and
if the number of the identified security events exceeds the minimum threshold value, then use the identified security events as the reduced set of events;
wherein the set of instructions, when executed by the computer, cause the computer to:
when evaluating the log of security events, identify a set of access events within the log of security events in which an endpoint machine has accessed the document; and
when determining the set of heuristic criteria:
determine a document-access time window consistent with the external data about the APT attack; and
determine a set of security event types consistent with the external data about the APT attack;
when applying the set of heuristics:
for each access event of the set of access events, search for security events from the log of security events that are associated with a corresponding endpoint machine and within the document-access time window in proximity to that access event; and
search the security events identified to be within the document-access time window for security events of a type that falls within the set of security event types to produce a set of suspicious events.
Dependent claims: 14.