System and method of cyber threat intensity determination and application to cyber threat mitigation

US 9,749,344 B2
Filed: 04/03/2014
Issued: 08/29/2017
Est. Priority Date: 04/03/2014
Status: Active Grant

First Claim

Patent Images

1. A security system, comprising:

a computer system;

a memory accessible to the computer system;

a data store comprising a plurality of consensus evaluations and a plurality of cyber threat analyst ratings; and

an application stored in the memory that, when executed by the computer system;

generates a cyber threat report based on user inputs, wherein the report comprises an identification of a cyber threat intent and the identification of a cyber threat technology,receives from a cyber threat analyst an input of a cyber threat frequency score associated with a set of cyber threat intelligence, an input of a cyber threat likelihood score associated with the set of cyber threat intelligence, and an input of a cyber threat capability score associated with the set of cyber threat intelligence, andgenerates a cyber threat intensity based on the cyber threat frequency score, based on the cyber threat likelihood score, based on the cyber threat capability score, and based on a cyber threat analyst rating of the plurality of cyber threat analyst ratings stored in the data store, wherein the cyber threat analyst rating indicates at least one accuracy of the cyber threat analyst in scoring at least one of a cyber threat frequency, a cyber threat likelihood, or a cyber threat capability, and wherein the cyber threat intensity is different depending on the cyber threat analyst rating,wherein the cyber threat report and the cyber threat intensity are used to select one or more cyber risk mitigation actions to manage a cyber risk of an enterprise or organization.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security system comprising a computer, a memory, a data store comprising a plurality of consensus evaluations and a plurality of cyber threat analyst ratings, and an application stored in the memory. When executed by the computer, the application generates a cyber threat report that identifies of a cyber threat intent and a cyber threat technology, receives from a cyber threat analyst an input of a cyber threat frequency score, an input of a cyber threat likelihood score, and an input of a cyber threat capability score, and generates a cyber threat intensity based on the scores and based on a cyber threat analyst rating stored in the data store and associated with the cyber threat analyst inputting the scores, whereby the cyber threat report and the cyber threat intensity are used to select cyber risk mitigation actions to economically manage the cyber risk of an enterprise or organization.

Citations

23 Claims

1. A security system, comprising:
- a computer system;
  
  a memory accessible to the computer system;
  
  a data store comprising a plurality of consensus evaluations and a plurality of cyber threat analyst ratings; and
  
  an application stored in the memory that, when executed by the computer system;
  
  generates a cyber threat report based on user inputs, wherein the report comprises an identification of a cyber threat intent and the identification of a cyber threat technology,receives from a cyber threat analyst an input of a cyber threat frequency score associated with a set of cyber threat intelligence, an input of a cyber threat likelihood score associated with the set of cyber threat intelligence, and an input of a cyber threat capability score associated with the set of cyber threat intelligence, andgenerates a cyber threat intensity based on the cyber threat frequency score, based on the cyber threat likelihood score, based on the cyber threat capability score, and based on a cyber threat analyst rating of the plurality of cyber threat analyst ratings stored in the data store, wherein the cyber threat analyst rating indicates at least one accuracy of the cyber threat analyst in scoring at least one of a cyber threat frequency, a cyber threat likelihood, or a cyber threat capability, and wherein the cyber threat intensity is different depending on the cyber threat analyst rating,wherein the cyber threat report and the cyber threat intensity are used to select one or more cyber risk mitigation actions to manage a cyber risk of an enterprise or organization.
- View Dependent Claims (2)
- - 2. The system of claim 1, wherein the cyber threat analyst rating comprises a rating of the analyst'"'"'s accuracy in scoring the cyber threat frequency, a rating of the analyst'"'"'s accuracy in scoring the cyber threat likelihood, and a rating of the analyst'"'"'s accuracy in scoring the cyber threat capability based on the set of cyber threat intelligence.

3. A method of mitigating cybercrime risk, comprising:
- determining a cyber threat analyst rating based on evaluating a scoring accuracy of a cyber threat analyst to score at least one of a cyber threat frequency, a cyber threat likelihood, and a cyber threat capability based on an evaluation set of cyber threat intelligence, wherein the cyber threat analyst rating indicates at least one accuracy of the cyber threat analyst in scoring the at least one of the cyber threat frequency, the cyber threat likelihood, or the cyber threat capability;
  
  receiving, by an application stored in a memory and executable by a processor, from the cyber threat analyst, an input of a cyber threat frequency score associated with a set of cyber threat intelligence, an input of a cyber threat likelihood score associated with the set of cyber threat intelligence, and an input of a cyber threat capability score associated with the set of cyber threat intelligence;
  
  determining, by the application, a cyber threat intensity based on the cyber threat frequency score, on the cyber threat likelihood score, and on the cyber threat capability score associated with the set of threat intelligence and based on the cyber threat analyst rating, wherein the cyber threat intensity is different depending on the cyber threat analyst rating; and
  
  deploying at least one electronic countermeasure to mitigate a cybercrime risk associated with the set of cyber threat intelligence based at least in part on the cyber threat intensity.
- View Dependent Claims (4, 5, 6, 7, 8, 9, 10, 11)
- - 4. The method of claim 3, wherein the cyber threat analyst rating is determined based on scoring a plurality of independent sets of cyber threat intelligence and averaging a scoring accuracy over the plurality of independent sets of cyber threat intelligence.
  - 5. The method of claim 3, wherein the cyber threat intensity is expressed as a value and a potential deviation from the value based on the cyber threat analyst rating.
  - 6. The method of claim 3, wherein the cyber threat capability score is an estimate of a strength of a threat source and a cyber attack tool identified by the set of cyber threat intelligence.
  - 7. The method of claim 3, wherein the cyber threat likelihood score is an estimate of a probability that a cyber threat identified by the set of cyber threat intelligence can succeed in actualizing its threat intent.
  - 8. The method of claim 3, further comprising:
    - generating at least one standard score,wherein the cyber threat analyst rating is determined by comparing at least one score of the threat analyst to the at least one standard score.
  - 9. The method of claim 8, wherein the cyber threat analyst rating is expressed as a deviation from the at least one standard score.
  - 10. The method of claim 3, further comprising:
    - determining a second cyber threat intensity based in part on deploying the at least one electronic countermeasure.
  - 11. The method of claim 10, wherein the second cyber threat intensity is determined partly based on determining a second cyber threat frequency score, on determining a second cyber threat likelihood score, and on determining a second cyber threat capability score based on deploying the at least one electronic countermeasure and on the set of cyber threat intelligence.

12. A security system, comprising:
- a computer system;
  
  a memory accessible to the computer system; and
  
  an application stored in the memory that, when executed by the computer system;
  
  accesses a cyber threat report including a cyber threat assessment generated by a cyber threat analyst, the cyber threat assessment including, for each of a plurality of identified cyber threats, one or more quantified components each comprising a score determined by the cyber threat analyst, the cyber threats potentially actualized as cyber attacks against any of a plurality of organizations;
  
  generates an evaluation of the cyber threats based on the cyber threat assessment and based on a cyber threat analyst rating of the cyber threat analyst accessed from a data store, wherein the cyber threat analyst rating indicates at least one accuracy of the cyber threat analyst in assessing the cyber threats, and wherein the evaluation of the cyber threats is different depending on the cyber threat analyst rating; and
  
  generates a cyber threat risk to an organization of the plurality of organizations based on the evaluation of the cyber threats and based on technology deployed by the organization, the cyber threat risk being provided by the application for use in selecting one or more cyber risk mitigation actions to manage the cyber risk of the organization.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The system of claim 12, wherein the evaluation of the cyber threats is determined by the application based on one or more quantified components comprising one or more cyber threat scores including one or more of a cyber threat frequency score, a cyber threat likelihood score, and a cyber threat capability score.
  - 14. The system of claim 12, further comprising a cyber threat analyst calibration application stored in the memory that, when executed by the computer system:
    - receives, via user input from the cyber threat analyst, one or more scores for a standard set of threat intelligence packages, wherein the one or more scores for each threat intelligence package of the standard set of threat intelligence packages comprises one or more of a cyber threat frequency score for the threat intelligence package, a cyber threat likelihood score for the threat intelligence package, and a cyber threat capability score for the threat intelligence package; and
      
      compares the one or more scores for each threat intelligence package of the standard set of threat intelligence packages to one or more standard scores for each threat intelligence package of the standard set of threat intelligence packages, wherein the cyber threat analyst rating is based on the comparison.
  - 15. The system of claim 12, wherein the cyber threat analyst rating is based on testing performed by the cyber threat analyst prior to the application accessing the cyber threat report.
  - 16. The system of claim 15, wherein the cyber threat analyst rating is based on an accuracy of the cyber threat analyst scoring of standard threats with respect to cyber threat frequency, an accuracy of the cyber threat analyst scoring cyber threat likelihood, and an accuracy of the cyber threat analyst scoring cyber threat capability.
  - 17. The system of claim 12, wherein the cyber threat report further includes information for each of a plurality of cyber threats related to a cyber threat intent comprising a goal or object of a cyber threat, and cyber threat technology comprising a technology that the cyber threat may target, and wherein the cyber threat risk to the organization is generated based on the evaluation of the cyber threats including the cyber threat intent and the cyber threat technology.
  - 18. The system of claim 17, wherein the evaluation of the cyber threats includes the application (i) determining potential effects or impact on the organization based on the cyber threat intent to which the organization may be susceptible, and (ii) matching the cyber threat technology with technology deployed by the organization.

19. A method of mitigating cybercrime risk, comprising:
- accessing, by an application stored in a memory and executable by a processor, one or more stored scores regarding a cyber threat determined by an analyst and a rating of the analyst, wherein the rating of the analyst indicates at least one accuracy of the analyst in scoring each of a plurality of standard cyber threats;
  
  generating, by the application, an evaluation of the cyber threat to an organization based on the one or more stored scores and based on the rating of the analyst, wherein the evaluation of the cyber threat is different depending on the rating of the analyst; and
  
  deploying at least one electronic countermeasure to mitigate the cyber threat based at least in part on the evaluation of the cyber threat.
- View Dependent Claims (20, 21, 22, 23)
- - 20. The method of claim 19, further including:
    - receiving a cyber threat report including a cyber threat assessment generated by a cyber threat analyst, the cyber threat assessment including, for each of a plurality of identified cyber threats, one or more quantified components each comprising a score determined by the cyber threat analyst, the cyber threats potentially actualized as cyber attacks against any of a plurality of organizations, and the one or more stored scores being included as scores contained in the cyber threat report.
  - 21. The method of claim 19, wherein generating the evaluation comprises determining a cyber threat risk to the organization based on technology deployed by the organization, the cyber threat risk being provided for use by the organization to select the at least one electronic countermeasure to manage the cyber risk of the organization.
  - 22. The method of claim 19, further comprising:
    - prior to receiving the one or more stored scores regarding the cyber threat, comparing, by a calibration application stored in a memory and executable by a processor, one or more scores received from the analyst for a plurality of independent sets of cyber threat intelligence to one or more standard scores for the plurality of independent sets of cyber threat intelligence, wherein the rating of the analyst is based on the comparison.
  - 23. The method of claim 19, further comprising generating, by the application, a second evaluation of the cyber threat based in part on deploying the at least one electronic countermeasure.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Watters, John P., Doyle, Frederick, Peltokangas, Henry, Keane, Matthew
Primary Examiner(s)
Lipman, Jacob

Application Number

US14/244,886
Publication Number

US 20160241581A1
Time in Patent Office

1,244 Days
Field of Search

726 25
US Class Current
CPC Class Codes

G06F 16/904   Browsing; Visualisation the...

G06F 21/552   involving long-term monitor...

G06Q 10/00   Administration; Management

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

System and method of cyber threat intensity determination and application to cyber threat mitigation

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

System and method of cyber threat intensity determination and application to cyber threat mitigation

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links