Systems and methods for assessing cyber risks using incident-origin information

US 10,516,680 B1
Filed: 06/22/2016
Issued: 12/24/2019
Est. Priority Date: 06/22/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for assessing cyber risks using incident-origin information, at least a portion of the method being performed by at least one computing device comprising at least one processor, the method comprising:

receiving, by the at least one computing device, a request to perform a security action based on a security hygiene of a private network of an organization of interest, wherein;

the request comprises an offline identifier of the organization; and

the private network comprises a plurality of computing devices whose public Internet addresses are unknown to the at least one computing device when the request is received;

using, by the at least one computing device, at least one Internet-address data source that maps offline identifiers of organizations to public Internet addresses of the organizations to translate the offline identifier of the organization into a set of candidate public Internet addresses that are likely to be the public Internet addresses of the plurality of computing devices;

using, by the at least one computing device, at least one incident-origin data source that maps externally-detected security incidents to public Internet addresses from which the security incidents originated to translate the set of candidate public Internet addresses into a set of security incidents that likely originated from the private network of the organization;

using, by the at least one computing device, the set of security incidents to estimate the security hygiene of the private network; and

performing, by the at least one computing device, the security action based on the estimated security hygiene.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented method for assessing cyber risks using incident-origin information may include (1) receiving a request for a cyber-risk assessment of an entity of interest, (2) using an Internet-address data source that maps identifiers of entities to public Internet addresses of the entities to translate an identifier of the entity into a set of Internet addresses of the entity, (3) using an incident-origin data source that maps externally-detected security incidents to public Internet addresses from which the security incidents originated to translate the set of Internet addresses into a set of security incidents that originated from the entity, and (4) using the set of security incidents to generate the cyber-risk assessment of the entity. Various other methods, systems, and computer-readable media may have similar features.

14 Citations

View as Search Results

20 Claims

1. A computer-implemented method for assessing cyber risks using incident-origin information, at least a portion of the method being performed by at least one computing device comprising at least one processor, the method comprising:
- receiving, by the at least one computing device, a request to perform a security action based on a security hygiene of a private network of an organization of interest, wherein;
  
  the request comprises an offline identifier of the organization; and
  
  the private network comprises a plurality of computing devices whose public Internet addresses are unknown to the at least one computing device when the request is received;
  
  using, by the at least one computing device, at least one Internet-address data source that maps offline identifiers of organizations to public Internet addresses of the organizations to translate the offline identifier of the organization into a set of candidate public Internet addresses that are likely to be the public Internet addresses of the plurality of computing devices;
  
  using, by the at least one computing device, at least one incident-origin data source that maps externally-detected security incidents to public Internet addresses from which the security incidents originated to translate the set of candidate public Internet addresses into a set of security incidents that likely originated from the private network of the organization;
  
  using, by the at least one computing device, the set of security incidents to estimate the security hygiene of the private network; and
  
  performing, by the at least one computing device, the security action based on the estimated security hygiene.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The computer-implemented method of claim 1, further comprising:
    - receiving an additional request for a security hygiene of a supply chain of the organization;
      
      using the Internet-address data source to translate an offline identifier of at least one additional organization that is a part of the supply chain of the organization into an additional set of candidate public Internet addresses that are likely to be public Internet addresses of an additional plurality of computing devices in an additional private network of the additional organization;
      
      using the incident-origin data source to translate the additional set of candidate public Internet addresses into an additional set of security incidents that likely originated from the additional private network of the additional organization; and
      
      using the additional set of security incidents to generate the security hygiene of the supply chain of the organization.
  - 3. The computer-implemented method of claim 1, wherein performing the security action comprises calculating a cyber-risk score for the organization that indicates a relative probability that the private network of the organization will experience a future security incident.
  - 4. The computer-implemented method of claim 1, wherein using the set of security incidents comprises:
    - counting a number of distinct Internet addresses from which members of the set of security incidents originated;
      
      estimating the security hygiene of the organization based at least in part on the number of distinct Internet addresses.
  - 5. The computer-implemented method of claim 1, wherein using the set of security incidents comprises:
    - counting a number of security incidents within the set of security incidents;
      
      estimating the security hygiene of the organization based at least in part on the number of security incidents.
  - 6. The computer-implemented method of claim 1, wherein using the set of security incidents comprises:
    - calculating an amount of time during which members of the set of security incidents were observed;
      
      estimating the security hygiene of the organization based at least in part on the amount of time.
  - 7. The computer-implemented method of claim 1, wherein using the set of security incidents comprises:
    - determining a severity of each member of the set of security incidents;
      
      estimating the security hygiene of the organization based at least in part on the severity of each member.
  - 8. The computer-implemented method of claim 1, wherein using the set of security incidents comprises:
    - counting a number of distinct Internet addresses within the set of public Internet addresses;
      
      estimating the security hygiene of the organization based at least in part on the number of distinct Internet addresses.
  - 9. The computer-implemented method of claim 1, wherein the incident-origin data source comprises a spam-origin data source that maps externally-detected spam messages to public Internet addresses from which the spam messages originated.
  - 10. The computer-implemented method of claim 1, wherein the incident-origin data source comprises a botnet data source that identifies externally-detected zombies by public Internet address.
  - 11. The computer-implemented method of claim 1, wherein the incident-origin data source comprises a command-and-control data source that identifies externally-detected command-and-control servers by public Internet address.
  - 12. The computer-implemented method of claim 1, wherein the incident-origin data source comprises a malware data source that identifies externally-detected malware servers by public Internet address.
  - 13. The computer-implemented method of claim 1, wherein the incident-origin data source comprises a phishing data source that identifies externally-detected phishing servers by public Internet address.
  - 14. The computer-implemented method of claim 1, wherein the incident-origin data source comprises a malicious-scan data source that maps externally-detected malicious scanning activities to public Internet addresses from which the malicious scanning activities originated.
  - 15. The computer-implemented method of claim 1, wherein the incident-origin data source comprises a login-attack data source that maps externally-detected brute-force login attacks to public Internet addresses from which the brute-force login attacks originated.
  - 16. The computer-implemented method of claim 1, wherein the incident-origin data source comprises a hijack-attack data source that maps externally-detected border-gateway-protocol hijack attacks to public Internet addresses from which the border-gateway-protocol hijack attacks originated.
  - 17. The computer-implemented method of claim 1, wherein the offline identifier comprises one or more of:
    - a legal name of the organization;
      
      a business name of the organization; and
      
      a trade name of the organization.

18. A system for assessing cyber risks using incident-origin information, the system comprising:
- a request-receiving module, stored in memory, that receives a request for a security hygiene of a private network of an organization of interest, wherein;
  
  the request comprises an offline identifier of the organization; and
  
  the private network comprises a plurality of computing devices whose public Internet addresses are unknown to the system when the request is received;
  
  an identifier-translating module, stored in memory, that uses at least one Internet-address data source that maps offline identifiers of organizations to public Internet addresses of the organizations to translate the offline identifier of the organization into a set of candidate public Internet addresses that are likely to be the public Internet addresses of the plurality of computing devices in the private network of the organization;
  
  an address-translating module, stored in memory, that uses at least one incident-origin data source that maps externally-detected security incidents to public Internet addresses from which the security incidents originated to translate the set of candidate public Internet addresses into a set of security incidents that likely originated from the private network of the organization;
  
  a risk-assessing module, stored in memory, that uses the set of security incidents to estimate the security hygiene of the private network; and
  
  at least one processor that executes the request-receiving module, the identifier-translating module, the address-translating module, and the risk-assessing module.
- View Dependent Claims (19)
- - 19. The system of claim 18, wherein:
    - the request-receiving module further receives an additional request for a security hygiene of a supply chain of the organization;
      
      the identifier-translating module further uses the Internet-address data source to translate an offline identifier of at least one additional organization that is a part of the supply chain of the organization into an additional set of candidate public Internet addresses that are likely to be public Internet addresses of an additional plurality of computing devices in an additional private network of the additional organization;
      
      the address-translating module further uses the incident-origin data source to translate the additional set of candidate public Internet addresses into an additional set of security incidents that likely originated from the additional private network of the additional organization; and
      
      the risk-assessing module further uses the additional set of security incidents to generate the security hygiene of the supply chain of the organization.

20. A non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by at least one processor of at least one computing device, cause the at least one computing device to:
- receive a request to perform a security action based on a security hygiene of a private network of an organization of interest, wherein;
  
  the request comprises an offline identifier of the organization; and
  
  the private network comprises a plurality of computing devices whose public Internet addresses are unknown to the at least one computing device when the request is received;
  
  use at least one Internet-address data source that maps offline identifiers of organizations to public Internet addresses of the organizations to translate the offline identifier of the organization into a set of candidate public Internet addresses that are likely to be the public Internet addresses of the plurality of computing devices in the private network of the organization;
  
  use at least one incident-origin data source that maps externally-detected security incidents to public Internet addresses from which the security incidents originated to translate the set of candidate public Internet addresses into a set of security incidents that likely originated from the private network of the organization;
  
  use the set of security incidents to estimate the security hygiene of the private network; and
  
  perform the security action based on the estimated security hygiene.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gen Digital Inc.
Original Assignee
NortonLifeLock Inc.
Inventors
Vervier, Pierre-Antoine, Bilge, Leylya, Han, Yufei, Dell'Amico, Matteo
Primary Examiner(s)
Henning, Matthew T

Application Number

US15/189,362
Time in Patent Office

1,280 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

Systems and methods for assessing cyber risks using incident-origin information

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

14 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Systems and methods for assessing cyber risks using incident-origin information

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others