Classifying kill-chains for security incidents

US 9,888,029 B2
Filed: 08/12/2015
Issued: 02/06/2018
Est. Priority Date: 12/03/2014
Status: Active Grant

First Claim

Patent Images

1. A method of operating an advisement system to provide security actions in a computing environment comprising a plurality of computing assets, the method comprising:

in a processing system of the advisement system, identifying a security threat within the computing environment, wherein the security threat comprises an unknown process executing on an asset of the plurality of computing assets;

in response to identifying the security threat, receiving state information for the security threat from the asset and one or more additional assets of the plurality of computing assets, wherein the state information comprises at least communication activity for the security threat with the one or more additional assets, and wherein the communication activity for the security threat comprises a quantity of communications initiated by the security threat with the one or more additional assets and an amount of data communicated by the security threat;

determining a current state for the security threat within the computing environment based on the state information;

obtaining enrichment information for the security threat; and

determining one or more security actions for the security threat based on the enrichment information and the current state for the security threat.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and software described herein provide security actions based on the current state of a security threat. In one example, a method of operating an advisement system in a computing environment with a plurality of computing assets includes identifying a security threat within the computing environment. The method further includes, in response to identifying the security threat, obtaining state information for the security threat within the computing environment, and determining a current state for the security threat within the computing environment. The method also provides obtaining enrichment information for the security threat and determining one or more security actions for the security threat based on the enrichment information and the current state for the security threat.

55 Citations

View as Search Results

18 Claims

1. A method of operating an advisement system to provide security actions in a computing environment comprising a plurality of computing assets, the method comprising:
- in a processing system of the advisement system, identifying a security threat within the computing environment, wherein the security threat comprises an unknown process executing on an asset of the plurality of computing assets;
  
  in response to identifying the security threat, receiving state information for the security threat from the asset and one or more additional assets of the plurality of computing assets, wherein the state information comprises at least communication activity for the security threat with the one or more additional assets, and wherein the communication activity for the security threat comprises a quantity of communications initiated by the security threat with the one or more additional assets and an amount of data communicated by the security threat;
  
  determining a current state for the security threat within the computing environment based on the state information;
  
  obtaining enrichment information for the security threat; and
  
  determining one or more security actions for the security threat based on the enrichment information and the current state for the security threat.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 wherein determining the one or more security actions for the security threat based on the enrichment information and the current state comprises:
    - identifying a rule set based on the enrichment information; and
      
      identifying at least one security action associated with the rule set based on the current state.
  - 3. The method of claim 1 wherein determining the current state for the security threat within the computing environment comprises determining whether the security threat is in a reconnaissance state, an exploit state, a persist state, lateral movement state, or an exfiltration state.
  - 4. The method of claim 1 further comprising, in response to determining the one or more security actions for the security threat, initiating implementation of the one or more security actions in the computing environment.
  - 5. The method of claim 1 further comprising:
    - in response to determining the one or more security actions for the security threat, providing the one or more security actions to at least one administrator for the computing environment;
      
      after providing the one or more security actions to the at least one administrator, obtaining an action selection from the at least one administrator from the one or more security actions; and
      
      initiating implementation of the action selection in the computing environment.
  - 6. The method of claim 5 wherein determining the one or more security actions for the security threat based on the enrichment information and the current state comprises ranking the one or more security actions for the security threat based on the current state.
  - 7. The method of claim 1 wherein obtaining the enrichment information for the security threat comprises obtaining, from at least one internal or external database, the enrichment information for the security threat.
  - 8. The method of claim 1 wherein the communication activity for the security threat comprises identifiers for assets targeted by communications of the security threat.

9. An apparatus to manage security actions for a computing environment comprising a plurality of assets, the apparatus comprising:
- one or more non-transitory computer readable media; and
  
  processing instructions stored on the one or more computer readable media that, when executed by a processing system, direct the processing system to;
  
  identify a security threat within the computing environment, wherein the security threat comprises an unknown process executing on an asset of the plurality of computing assets;
  
  in response to identifying the security threat, receive state information for the security threat from the asset and one or more additional assets of the plurality of computing assets, wherein the state information comprises at least communication activity for the security threat in with the one or more additional assets, and wherein the communication activity for the security threat comprises a quantity of communications initiated by the security threat with the one or more additional assets and an amount of data communicated by the security threat;
  
  determine a current state for the security threat within the computing environment based on the state information;
  
  obtain enrichment information for the security threat; and
  
  determine one or more security actions for the security threat based on the enrichment information and the current state for the security threat.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The apparatus of claim 9 wherein the processing instructions to determine the one or more security actions for the security threat based on the enrichment information and the current state for the security threat direct the processing system to:
    - identify a rule set based on the enrichment information; and
      
      identify the one or more security actions associated with the rule set based on the current state.
  - 11. The apparatus of claim 9 wherein the processing instructions to determine the current state for the security threat within the computing environment direct the processing system to determine whether the security threat is in a reconnaissance state, an exploit state, a persist state, lateral movement state, or an exfiltration state.
  - 12. The apparatus of claim 9 wherein the processing instructions further direct the processing system to, in response to determining the one or more security actions for the security threat, initiate implementation of the one or more security actions in the computing environment.
  - 13. The apparatus of claim 9 wherein the processing instructions further direct the processing system to:
    - in response to determining the one or more security actions for the security threat, provide the one or more security actions to at least one administrator for the computing environment;
      
      after providing the one or more security actions to the at least one administrator, obtain an action selection from the at least one administrator from the one or more security actions; and
      
      initiate implementation of the action selection in the computing environment.
  - 14. The apparatus of claim 13 wherein the processing instructions to determine the one or more security actions for the security threat based on the enrichment information and the current state direct the processing system to rank the one or more security actions for the security threat based on the current state.
  - 15. The apparatus of claim 9 wherein the processing instructions to obtain the enrichment information for the security threat direct the processing system to obtain, from at least one internal or external database, the enrichment information for the security threat.
  - 16. The apparatus of claim 9 wherein the communication activity for the security threat comprises identifiers for assets targeted by communications of the security threat.

17. An advisement system to manage security actions for a computing environment comprising a plurality of assets, the advisement system comprising:
- a communication interface configured to receive a notification of a security threat within the computing environment, wherein the security threat comprises an unknown process executing on an asset of the plurality of computing assets; and
  
  a processing system, communicatively coupled to the communication interface, configured to;
  
  in response to the notification of the security threat, receive state information for the security threat from the asset and one or more additional assets of the plurality of computing assets;
  
  wherein the state information comprises at least communication activity for the security threat with the one or more additional assets, and wherein the communication activity for the security threat comprises a quantity of communications initiated by the security threat with the one or more additional assets and an amount of data communicated by the security threat;
  
  determine a current state for the security threat within the computing environment based on the state information;
  
  obtain enrichment information for the security threat; and
  
  determine one or more security actions for the security threat based on the enrichment information and the current state for the security threat.
- View Dependent Claims (18)
- - 18. The advisement system of claim 17 wherein the processing system is further configured to:
    - in response to determining the one or more security actions for the security threat, provide the one or more security actions to at least one administrator for the computing environment;
      
      after providing the one or more security actions to the at least one administrator, obtain an action selection from the at least one administrator from the one or more security actions; and
      
      initiate implementation of the action selection in the computing environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc.
Original Assignee
Phantom Cyber Corporation (Splunk Inc.)
Inventors
Satish, Sourabh, Friedrichs, Oliver, Mahadik, Atif, Salinas, Govind
Primary Examiner(s)
Hailu, Teshome

Application Number

US14/824,262
Publication Number

US 20160164891A1
Time in Patent Office

909 Days
Field of Search

726 1
US Class Current
CPC Class Codes

G06F 16/285   Clustering or classification

G06F 21/554   involving event detection a...

H04L 47/2425   for supporting services spe...

H04L 63/0236   Filtering by address, proto...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

Classifying kill-chains for security incidents

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

55 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Classifying kill-chains for security incidents

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

55 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others