Predicting and preventing an attacker's next actions in a breached network
First Claim
1. A method for cyber security, comprising:
- detecting, by a decoy management server, a breach by an attacker of a specific resource within a network of resources in which users access the resources based on credentials, wherein access to the resources via network connections is governed by a firewall, wherein each resource has a domain name server (DNS) record stored on a DNS server, and wherein some of the resources are servers that are accessed via IP addresses;
- changing, by the decoy management server, the DNS record for the breached resource on the DNS server, in response to said detecting;
- predicting, by the decoy management server, which credentials are compromised, based on credentials stored on the breached resource;
- changing, by the decoy management server, those credentials that were predicted to be compromised, in response to said predicting which credentials;
- predicting, by the decoy management server, which servers in the network are compromised, based on connections created during the breach;
- changing, by the decoy management server, IP addresses of the predicted compromised servers in response to said predicting which servers;
- generating firewall rules to block access to the predicted compromised servers from the breached resource, in response to said predicting which servers;
- predicting, by the decoy management server, a target subnet, based on real and decoy connections created during the breach; and
- isolating, by the decoy management server, the target subnet in response to said predicting a target subnet.
1 Assignment
0 Petitions
Abstract
A method for cyber security, including detecting, by a decoy management server, a breach by an attacker of a specific resource within a network of resources in which users access the resources based on credentials, wherein each resource has a domain name server (DNS) record stored on a DNS server, changing, by the decoy management server, the DNS record for the breached resource on the DNS server, in response to the detecting, predicting, by the decoy management server, which credentials are compromised, based on credentials stored on the breached resource, and changing, by the decoy management server, those credentials that were predicted to be compromised, in response to the predicting which credentials.
45 Citations
9 Claims
1. (Independent claim; text identical to the First Claim above.) Dependent claims: 2, 3, 4, 5, 6.
7. A method for cyber security, comprising:
- detecting, by a decoy management server, a breach by an attacker of a specific resource within a network of resources, wherein access to the resources via network connections is governed by a firewall, wherein each resource has a domain name server (DNS) record stored on a DNS server, and wherein some of the resources are servers that are accessed via IP addresses;
- predicting, by the decoy management server, which resources of the network were exposed to the attacker, based on address pointers stored on the breached resource;
- generating firewall rules to block access to the predicted exposed resources from the breached resource, in response to said predicting which resources;
- predicting, by the decoy management server, which servers in the network are compromised, based on connections created during the breach;
- changing, by the decoy management server, IP addresses of the predicted compromised servers in response to said predicting which servers;
- predicting, by the decoy management server, a target subnet, based on real and decoy connections created during the breach; and
- isolating, by the decoy management server, the target subnet in response to said predicting a target subnet.
Dependent claims: 8, 9.
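As an added worked example (not the patent's code, nor any vendor's), the following Python models the response sequence of claims 1 and 7 run by a toy decoy management server over a constructed network and a constructed breach-time connection log. Everything beyond the claim language is an assumption chosen to make the steps concrete: the breach-detection rule (a real resource opening a connection to a decoy), the sinkhole address that a breached name is re-pointed to, treating every credential on the breached host and every real server it contacted as lost, allocating replacement addresses from the same subnet, the firewall-rule format, and picking the subnet that drew the most real-plus-decoy connections as the target subnet. The claims specify none of these.

```python
"""Toy model of the decoy management server's response sequence in claims 1 and 7.
Added example, not code from the patent or any product: the sample network, the
connection log, the sinkhole address and the concrete containment actions are assumptions."""
from dataclasses import dataclass, field
import ipaddress
import secrets


@dataclass
class Resource:
    name: str                                           # DNS name
    ip: str
    decoy: bool = False
    credentials: dict = field(default_factory=dict)     # secrets stored on this host
    address_pointers: set = field(default_factory=set)  # names/IPs found in its configs (claim 7)


class DecoyManagementServer:
    SINKHOLE = "10.255.255.1"   # assumed address a breached name is re-pointed to

    def __init__(self, resources, subnets):
        self.res = {r.name: r for r in resources}
        self.dns = {r.name: r.ip for r in resources}   # stands in for the DNS server's A records
        self.subnets = [ipaddress.ip_network(s) for s in subnets]
        self.used_ips = {r.ip for r in resources}

    def subnet_of(self, ip):
        addr = ipaddress.ip_address(ip)
        return next(str(n) for n in self.subnets if addr in n)

    def free_ip(self, subnet):
        for host in ipaddress.ip_network(subnet).hosts():
            if str(host) not in self.used_ips:
                self.used_ips.add(str(host))
                return str(host)
        raise RuntimeError(f"no free address in {subnet}")

    def detect_breach(self, log):
        """Legitimate users have no reason to touch a decoy, so the source of the
        first (src, dst) connection whose dst is a decoy is the breached resource."""
        return next((src for src, dst in log if self.res[dst].decoy), None)

    def respond(self, log):
        breached = self.detect_breach(log)
        if breached is None:
            return None
        b = self.res[breached]
        plan = {"breached": breached, "rotated": {}, "ip_changes": {}, "firewall": []}
        # 1. change the breached resource's DNS record so users stop resolving to it
        plan["dns_change"] = (self.dns[breached], self.SINKHOLE)
        self.dns[breached] = self.SINKHOLE
        # 2. every credential stored on the breached host is predicted compromised: rotate it
        for user in b.credentials:
            b.credentials[user] = plan["rotated"][user] = secrets.token_urlsafe(16)
        # 3. (claim 7) resources named by address pointers on the host were exposed to the attacker
        by_ip = {r.ip: r.name for r in self.res.values()}
        plan["exposed"] = sorted({by_ip.get(p, p) for p in b.address_pointers
                                  if p in self.res or p in by_ip})
        # 4. real servers the breached host connected to during the breach are predicted compromised
        during = [(s, d) for s, d in log if s == breached]
        plan["compromised"] = sorted({d for _, d in during if not self.res[d].decoy})
        # 5. move them to fresh addresses and update their DNS records for legitimate users
        for name in plan["compromised"]:
            old = self.res[name].ip
            new = self.free_ip(self.subnet_of(old))
            self.res[name].ip = self.dns[name] = new
            plan["ip_changes"][name] = (old, new)
        # 6. block the breached host from every compromised or exposed resource
        for name in sorted(set(plan["compromised"]) | set(plan["exposed"])):
            plan["firewall"].append(f"deny ip from {b.ip} to {self.res[name].ip}")
        # 7. the target subnet draws the most real+decoy connections from the breach; isolate it
        counts = {}
        for _, d in during:
            sn = self.subnet_of(self.res[d].ip)
            counts[sn] = counts.get(sn, 0) + 1
        plan["target_subnet"] = max(counts, key=counts.get)
        plan["firewall"] += [f"deny ip from any to {plan['target_subnet']}",
                             f"deny ip from {plan['target_subnet']} to any"]
        return plan


def sample_scenario():
    """Constructed network and breach-time connection log (not real data)."""
    resources = [
        Resource("web01", "10.0.1.10", credentials={"svc_db": "Winter2024!"},
                 address_pointers={"db01", "10.0.2.20", "mail.example.net"}),
        Resource("db01", "10.0.2.20"), Resource("file01", "10.0.2.21"),
        Resource("decoy-fs", "10.0.2.99", decoy=True), Resource("decoy-admin", "10.0.3.99", decoy=True),
    ]
    dms = DecoyManagementServer(resources, ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"])
    log = [("web01", "db01"), ("web01", "decoy-fs"), ("web01", "file01"), ("web01", "decoy-admin")]
    return dms, log


if __name__ == "__main__":
    dms, log = sample_scenario()
    for k, v in dms.respond(log).items():
        print(f"{k}: {v}")
```

Run as a script it prints the plan for the sample breach: web01 is detected through its connection to decoy-fs, its DNS name is sinkholed, the svc_db secret cached on it is rotated, db01 and file01 are predicted compromised and re-addressed, db01 is also flagged as exposed through the address pointers found on web01, and 10.0.2.0/24, which drew three of the four breach-time connections, is isolated. The prediction steps are deliberately over-inclusive (every credential on the host and every server it touched is treated as lost); that trades some availability for containment, which is the sensible default when the alternative is letting the attacker's next hop succeed.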
Specification