Detecting advanced persistent threats

US 8,904,531 B1
Filed: 06/30/2011
Issued: 12/02/2014
Est. Priority Date: 06/30/2011
Status: Active Grant

First Claim

Patent Images

1. A method of detecting an advanced persistent threat (APT) attack on an enterprise system, the method comprising:

receiving, in a computerized device, an indication that a document has been leaked outside the enterprise system;

evaluating a log of security events of the enterprise system using a set of heuristics to produce a reduced set of events potentially relevant to the APT attack; and

outputting the reduced set of events over a user interface for consideration by a security analysis team;

wherein evaluating the log of security events includes;

in a decision engine module, determining a set of heuristic criteria based on external data about the APT attack;

in a correlation engine module, applying the set of heuristic criteria to identify security events from the log of security events that are consistent with the external data about the APT attack;

determining whether a number of the identified security events exceeds a minimum threshold value;

if the number of the identified security events does not exceed the minimum threshold value, then modifying, at the decision engine module, the set of heuristic criteria until the number of the identified security events produced by the correlation engine exceeds the minimum threshold value; and

if the number of the identified security events exceeds the minimum threshold value, then using the identified security events as the reduced set of events;

wherein;

evaluating the log of security events further includes identifying a set of access events within the log of security events in which an endpoint machine has accessed the document;

determining the set of heuristic criteria includes;

determining a document-access time window consistent with the external data about the APT attack; and

determining a set of security event types consistent with the external data about the APT attack; and

applying the set of heuristics includes;

for each access events of the set of access events, searching for security events from the log of security events that are associated with a corresponding endpoint machine and within the document-access time window in proximity to that access event; and

searching the security events identified to be within the document-access time window for security events of a type that falls within the set of security event types to produce a set of suspicious events.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are provided for detecting the source of an APT-based leaked document by iteratively or recursively evaluating a set of network security logs (e.g., SIEM logs and FPC logs) for events consistent with APT behavior according to a set of heuristics to generate a reduced set of security events for consideration by the CIRT. A method of detecting an APT attack on an enterprise system is provided. The method includes (a) receiving, in a computerized device, an indication that a document has been leaked outside the enterprise system, (b) evaluating a log of security events of the enterprise system using a set of heuristics to produce a reduced set of events potentially relevant to the APT attack, and (c) outputting the reduced set of events over a user interface for consideration by a security analysis team. A system and computer program product for performing this method are also provided.

29 Citations

View as Search Results

14 Claims

1. A method of detecting an advanced persistent threat (APT) attack on an enterprise system, the method comprising:
- receiving, in a computerized device, an indication that a document has been leaked outside the enterprise system;
  
  evaluating a log of security events of the enterprise system using a set of heuristics to produce a reduced set of events potentially relevant to the APT attack; and
  
  outputting the reduced set of events over a user interface for consideration by a security analysis team;
  
  wherein evaluating the log of security events includes;
  
  in a decision engine module, determining a set of heuristic criteria based on external data about the APT attack;
  
  in a correlation engine module, applying the set of heuristic criteria to identify security events from the log of security events that are consistent with the external data about the APT attack;
  
  determining whether a number of the identified security events exceeds a minimum threshold value;
  
  if the number of the identified security events does not exceed the minimum threshold value, then modifying, at the decision engine module, the set of heuristic criteria until the number of the identified security events produced by the correlation engine exceeds the minimum threshold value; and
  
  if the number of the identified security events exceeds the minimum threshold value, then using the identified security events as the reduced set of events;
  
  wherein;
  
  evaluating the log of security events further includes identifying a set of access events within the log of security events in which an endpoint machine has accessed the document;
  
  determining the set of heuristic criteria includes;
  
  determining a document-access time window consistent with the external data about the APT attack; and
  
  determining a set of security event types consistent with the external data about the APT attack; and
  
  applying the set of heuristics includes;
  
  for each access events of the set of access events, searching for security events from the log of security events that are associated with a corresponding endpoint machine and within the document-access time window in proximity to that access event; and
  
  searching the security events identified to be within the document-access time window for security events of a type that falls within the set of security event types to produce a set of suspicious events.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 wherein:
    - determining the set of heuristic criteria further includes determining a server-access time window consistent with the external data about the APT attack; and
      
      applying the set of heuristics further includes;
      
      searching for security events from the log of security events that are within the server-access time window prior to each suspicious event of the set of suspicious events and associated with a same endpoint machine; and
      
      searching the security events identified to be within the server-access time window for security events that indicate access to an enterprise-managed server of a set of enterprise-managed servers to produce a set of suspicious accesses.
  - 3. The method of claim 2 wherein:
    - each enterprise-managed server of the set of enterprise-managed servers is a virtual server running on a computerized device, the computerized device being re-provisioned with a virtual machine (VM) snapshot of that enterprise-managed server at periodic provisioning intervals, a recorded VM snapshot being taken of that enterprise-managed server just prior to each re-provisioning;
      
      determining the set of heuristic criteria further includes determining a set of suspicious change types associated with the set of enterprise-managed servers consistent with the external data about the APT attack; and
      
      applying the set of heuristics includes;
      
      for each suspicious access of the set of suspicious accesses, determining a set of changes within the corresponding enterprise-managed server between a next recorded VM snapshot taken after that suspicious access and the VM snapshot of that enterprise-managed server; and
      
      searching for changes within the set of changes for each suspicious access of a type that falls within the set of suspicious change types to produce the identified security events.
  - 4. The method of claim 3 wherein the set of enterprise-managed servers include virtual servers drawn from the set of:
    - web servers;
      
      file transfer servers; and
      
      mail servers.
  - 5. The method of claim 1 wherein searching the security events identified to be within the document-access time window for security events of the type that falls within the set of security event types to produce the set of suspicious events includes aggregating together security events of the same type as each other.
  - 6. The method of claim 1 wherein:
    - the document is a particular version of a document stored within the enterprise system; and
      
      identifying the set of access events within the log of security events in which an endpoint machine has accessed the document includes;
      
      calculating a hash signature of the particular version of the document; and
      
      searching a full-packet capture log of the enterprise system for file-transfer events prior to a time that the APT attack was discovered that have a same hash signature as the calculated hash signature of the particular version of the document.
  - 7. The method of claim 1 wherein:
    - the document is a particular version of a document stored within the enterprise system; and
      
      identifying the set of access events within the log of security events in which an endpoint machine has accessed the document includes;
      
      identifying a filename and timestamp of the particular version of the document; and
      
      searching the log of security events for file-transfer request events that include the filename between a time identified by the timestamp and a time that the APT attack was discovered.
  - 8. The method of claim 1 wherein:
    - the document is a particular version of a document stored within the enterprise system; and
      
      identifying the set of access events within the log of security events in which an endpoint machine has accessed the document includes;
      
      identifying a filename and timestamp of the particular version of the document;
      
      searching for locations in enterprise data storage having the identified filename and a timestamp at or after the identified timestamp; and
      
      searching access logs for devices associated with locations having the identified filename for file-transfer events that include the filename between a time identified by the timestamp and a time that the APT attack was discovered.

9. An enterprise system comprising:
- a set of endpoint machines;
  
  a set of enterprise-managed servers;
  
  a security logging system;
  
  a Critical Incident Response Center (CIRC) server; and
  
  a network, connecting the set of endpoint machines, the set of enterprise-managed servers, the security logging system, and the CIRC server;
  
  wherein, the CIRC server is configured to detect an advanced persistent threat (APT) attack on the enterprise system by;
  
  receiving an indication that a document has been leaked outside the enterprise system;
  
  evaluating a log of security events from the security logging system using a set of heuristics to produce a reduced set of events potentially relevant to the APT attack; and
  
  outputting the reduced set of events for consideration by a security analysis teamwherein the CIRC server, when evaluating the log of security events, is configured to;
  
  in a decision engine module, determine a set of heuristic criteria based on external data about the APT attack;
  
  in a correlation engine module, apply the set of heuristic criteria to identify security events from the log of security events that are consistent with the external data about the APT attack;
  
  determine whether a number of the identified security events exceeds a minimum threshold value;
  
  if the number of the identified security events does not exceed the minimum threshold value, then modify, at the decision engine module, the set of heuristic criteria until the number of the identified security events produced by the correlation engine exceeds the minimum threshold value;
  
  if the number of the identified security events exceeds the minimum threshold value, then use the identified security events as the reduced set of events; and
  
  identify a set of access events within the log of security events in which an endpoint machine has accessed the document;
  
  wherein;
  
  determining the set of heuristic criteria includes;
  
  determining a document-access time window consistent with the external data about the APT attack; and
  
  determining a set of security event types consistent with the external data about the APT attack; and
  
  applying the set of heuristics includes;
  
  for each access event of the set of access events, searching for security events from the log of security events that are associated with a corresponding endpoint machine and within the document-access time window in proximity to that access event; and
  
  searching the security events identified to be within the document-access time window for security events of a type that falls within the set of security event types to produce a set of suspicious events.
- View Dependent Claims (10, 11, 12)
- - 10. The enterprise system of claim 9 wherein:
    - determining the set of heuristic criteria further includes determining a server-access time window consistent with the external data about the APT attack;
      
      applying the set of heuristics further includes;
      
      searching for security events from the log of security events that are within the server-access time window prior to each suspicious event of the set of suspicious events and associated with a same endpoint machine; and
      
      searching the security events identified to be within the server-access time window for security events that indicate access to an enterprise-managed server of a set of enterprise-managed servers to produce a set of suspicious accesses;
      
      each enterprise-managed server of the set of enterprise-managed servers is a virtual server running on a computerized device, the computerized device being re-provisioned with a virtual machine (VM) snapshot of that enterprise-managed server at periodic provisioning intervals, a recorded VM snapshot being taken of that enterprise-managed server just prior to each re-provisioning;
      
      determining the set of heuristic criteria further includes determining a set of suspicious change types associated with the set of enterprise-managed servers consistent with the external data about the APT attack; and
      
      applying the set of heuristics includes;
      
      for each suspicious access of the set of suspicious accesses, determining a set of changes within the corresponding enterprise-managed server between a next recorded VM snapshot taken after that suspicious access and the VM snapshot of that enterprise-managed server; and
      
      searching for changes within the set of changes for each suspicious access of a type that falls within the set of suspicious change types to produce the identified security events.
  - 11. The enterprise system of claim 10 wherein the set of enterprise-managed servers include virtual servers drawn from the set of:
    - web servers;
      
      file transfer servers; and
      
      mail servers.
  - 12. The enterprise system of claim 9 wherein the security logging system includes one of:
    - a full-packet capture log of the enterprise system; and
      
      a security information and event management log of the enterprise system.

13. A computer program product comprising a non-transitory computer-readable storage medium storing a set of instructions, which, when executed by a computer, cause the computer to:
- receive an indication that a document has been leaked outside an enterprise system;
  
  evaluate a log of security events of the enterprise system using a set of heuristics to produce a reduced set of events potentially relevant to an advanced persistent threat (APT) attack; and
  
  output the reduced set of events over a user interface for consideration by a security analysis team;
  
  wherein the set of instructions, when executed by the computer, cause the computer to, when evaluating the log of security events;
  
  in a decision engine module, determine a set of heuristic criteria based on external data about the APT attack;
  
  in a correlation engine module, apply the set of heuristic criteria to identify security events from the log of security events that are consistent with the external data about the APT attack;
  
  determine whether a number of the identified security events exceeds a minimum threshold value;
  
  if the number of the identified security events does not exceed the minimum threshold value, then modify, at the decision engine module, the set of heuristic criteria until the number of the identified security events produced by the correlation engine exceeds the minimum threshold value; and
  
  if the number of the identified security events exceeds the minimum threshold value, then use the identified security events as the reduced set of events;
  
  wherein the set of instructions, when executed by the computer, cause the computer to;
  
  when evaluating the log of security events, identify a set of access events within the log of security events in which an endpoint machine has accessed the document; and
  
  when determining the set of heuristic criteria;
  
  determine a document-access time window consistent with the external data about the APT attack; and
  
  determine a set of security event types consistent with the external data about the APT attack;
  
  when applying the set of heuristics;
  
  for each access event of the set of access events, search for security events from the log of security events that are associated with a corresponding endpoint machine and within the document-access time window in proximity to that access event; and
  
  search the security events identified to be within the document-access time window for security events of a type that falls within the set of security event types to produce a set of suspicious events.
- View Dependent Claims (14)
- - 14. The computer program product of claim 13 wherein the set of instructions, when executed by the computer, cause the computer to:
    - when determining the set of heuristic criteria, determine a server-access time window consistent with the external data about the APT attack; and
      
      when applying the set of heuristics;
      
      search for security events from the log of security events that are within the server-access time window prior to each suspicious event of the set of suspicious events and associated with a same endpoint machine; and
      
      search the security events identified to be within the server-access time window for security events that indicate access to an enterprise-managed server of a set of enterprise-managed servers to produce a set of suspicious accesses.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Zolfonoon, Riaz, Saklikar, Samir D., Kuppa, Aditya, Moreau, Dennis Ray
Primary Examiner(s)
Hirl, Joseph P.
Assistant Examiner(s)
Gyorfi, Thomas

Application Number

US13/172,979
Time in Patent Office

1,251 Days
Field of Search

726/23, 726/25, 707/695
US Class Current

726/23
CPC Class Codes

G06F 21/552 involving long-term monitor...

H04L 63/1416 Event detection, e.g. attac...

Detecting advanced persistent threats

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

29 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting advanced persistent threats

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

29 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links