System and method for detecting lateral movement and data exfiltration
First Claim
1. A system comprising:
one or more devices on a network to:
monitor network data transmitted over the network between a plurality of internal devices on the network and between at least one of the plurality of internal devices and at least one external device outside the network;
detect a first order indicator of compromise on the network based on the network data transmitted over the network;
detect one or more indicators of a compromised entity detected by a honey host, the compromised entity, detected by the honey host, being one of the plurality of internal devices;
detect a second order indicator of compromise on the network based on the network data transmitted over the network;
correlate the one or more indicators of the compromised entity detected by the honey host, the first order indicator of compromise on the network, and the second order indicator of compromise on the network;
generate a risk score for the network data based on correlating the one or more indicators of the compromised entity detected by the honey host, the first order indicator of compromise on the network, and the second order indicator of compromise on the network;
generate at least one incident alert based on comparing the risk score and a threshold; and
quarantine the network data based on the network data being identified as suspicious or malware.
1 Assignment
0 Petitions
Abstract
A system configured to detect a threat activity on a network. The system includes a digital device configured to detect a first order indicator of compromise on the network, detect a second order indicator of compromise on the network, generate a risk score based on correlating the first order indicator of compromise on the network with the second order indicator of compromise on the network, and generate at least one incident alert based on comparing the risk score to a threshold.
126 Citations
26 Claims
1. A system comprising: (as set out in full under First Claim above)
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11

12. A non-transitory computer-readable medium storing instructions, the instructions comprising:
one or more instructions that, when executed by one or more processors, cause the one or more processors to:
monitor network data transmitted over a network between a plurality of internal devices on the network and between at least one of the plurality of internal devices and at least one external device outside the network;
detect a first order indicator of compromise on the network based on the network data transmitted over the network;
detect one or more indicators of a compromised entity detected by a honey host, the compromised entity, detected by the honey host, being one of the plurality of internal devices;
detect a second order indicator of compromise on the network based on the network data transmitted over the network;
correlate the one or more indicators of the compromised entity detected by the honey host, the first order indicator of the compromise on the network, and the second order indicator of the compromise on the network;
generate a risk score for the network data based on correlating the one or more indicators of the compromised entity detected by the honey host, the first order indicator of compromise on the network, and the second order indicator of compromise on the network;
generate at least one incident alert based on comparing the risk score and a threshold; and
quarantine the network data based on the network data being identified as suspicious or malware.
Dependent claims: 13, 14, 15, 16, 17, 18

19. A method, comprising:
monitoring, by a device, network data transmitted over a network between a plurality of internal devices on the network and between at least one of the plurality of internal devices and at least one external device outside the network;
detecting, by the device, a first order indicator of compromise on the network based on the network data transmitted over the network;
detecting, by the device, one or more indicators of a compromised entity detected by a honey host, the compromised entity, detected by the honey host, being one of the plurality of internal devices;
detecting, by the device, a second order indicator of compromise on the network based on the network data transmitted over the network;
correlating, by the device, the one or more indicators of the compromised entity detected by the honey host, the first order indicator of compromise on the network, and the second order indicator of compromise;
generating, by the device, a risk score for the network data based on correlating the one or more indicators of the compromised entity detected by the honey host, the first order indicator of compromise on the network, and the second order indicator of compromise on the network;
generating, by the device, at least one incident alert based on comparing the risk score and a threshold; and
quarantining, by the device, the network data based on the network data being identified as suspicious or malware.
Dependent claims: 20, 21, 22, 23, 24, 25, 26
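The independent claims describe one pipeline: indicators reported by a honey host and first- and second-order indicators of compromise are correlated per internal device, the correlation yields a risk score, the score is compared with a threshold to raise an incident alert, and network data already identified as suspicious or malware is quarantined. The Python below is an added illustration of that pipeline, not the patent's implementation or any vendor's product. The per-kind weights, the noisy-OR scoring rule, the 0.70 threshold, the choice to hold only flagged flows that touch an alerted host, and every sample indicator and flow are assumptions constructed for this example.

```python
"""Per-host correlation of honey-host, first-order and second-order indicators
into a risk score, threshold alerting, and quarantine of flagged flows.
Added illustration; weights, scoring rule, threshold and sample data are
constructed for the example and are not taken from the patent."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable

# Assumed standalone contribution of each indicator class to the risk score.
WEIGHTS = {"first_order": 0.30, "second_order": 0.45, "honey_host": 0.60}
ALERT_THRESHOLD = 0.70  # assumed; tune against your own alert volume
HELD_VERDICTS = {"suspicious", "malware"}


@dataclass(frozen=True)
class Indicator:
    host: str    # internal device the indicator is attributed to
    kind: str    # one of the keys in WEIGHTS
    detail: str  # free-text description of what the sensor observed


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    verdict: str  # "benign", "suspicious" or "malware" from upstream inspection


def risk_score(indicators: Iterable[Indicator]) -> float:
    """Noisy-OR combination: 1 - prod(1 - w_kind) over the distinct kinds seen.

    Distinct kinds compound, so a honey-host hit plus a first-order IoC on the
    same host scores higher than either alone. Repeated indicators of one kind
    count once, so a single chatty sensor cannot inflate the score by itself.
    """
    kinds = {ind.kind for ind in indicators}
    p_clean = 1.0
    for kind in kinds:
        p_clean *= 1.0 - WEIGHTS[kind]
    return round(1.0 - p_clean, 4)


def correlate(indicators: Iterable[Indicator]) -> dict:
    """Group indicators by internal host and score each host."""
    by_host = defaultdict(list)
    for ind in indicators:
        by_host[ind.host].append(ind)
    return {host: risk_score(inds) for host, inds in by_host.items()}


def alerts(scores: dict, threshold: float = ALERT_THRESHOLD) -> list:
    """Hosts whose score meets the threshold, i.e. one incident alert each."""
    return sorted(host for host, score in scores.items() if score >= threshold)


def quarantine(flows: Iterable[Flow], alerted_hosts: Iterable[str]) -> list:
    """Hold flows already judged suspicious or malware that involve an
    alerted host (design choice assumed here: alerting gates quarantine)."""
    alerted = set(alerted_hosts)
    return [f for f in flows
            if f.verdict in HELD_VERDICTS and (f.src in alerted or f.dst in alerted)]


# Constructed sample input (documentation address ranges).
SAMPLE_INDICATORS = [
    Indicator("10.0.0.5", "first_order", "network sensor raised first-order IoC"),
    Indicator("10.0.0.5", "honey_host", "honey host reports contact from this device"),
    Indicator("10.0.0.5", "honey_host", "second honey-host report, same device"),
    Indicator("10.0.0.9", "first_order", "network sensor raised first-order IoC"),
    Indicator("10.0.0.12", "first_order", "network sensor raised first-order IoC"),
    Indicator("10.0.0.12", "second_order", "sensor raised second-order IoC"),
]
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.7", "suspicious"),
    Flow("10.0.0.9", "203.0.113.8", "suspicious"),
    Flow("10.0.0.5", "10.0.0.12", "benign"),
]


def run_demo():
    """Run the whole pipeline over the sample data; returns (scores, alerts, held)."""
    scores = correlate(SAMPLE_INDICATORS)
    alerted = alerts(scores)
    held = quarantine(SAMPLE_FLOWS, alerted)
    return scores, alerted, held


if __name__ == "__main__":
    scores, alerted, held = run_demo()
    for host, score in sorted(scores.items()):
        print(f"{host:<10} risk={score:.2f} {'ALERT' if host in alerted else ''}")
    for f in held:
        print(f"quarantined {f.src} -> {f.dst} ({f.verdict})")
```

With these weights 10.0.0.5 scores 1 - 0.70 * 0.40 = 0.72 and is alerted, 10.0.0.12 scores 1 - 0.70 * 0.55 = 0.615 and is not, and 10.0.0.9 stays at 0.30; only the suspicious flow from the alerted host is held. Counting each indicator kind once is the part worth keeping when adapting this: a correlation score that rises with every repeated event from one sensor turns a noisy sensor into a guaranteed alert.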
Specification