Mock attack cybersecurity training system and methods

US 9,558,677 B2
Filed: 03/17/2014
Issued: 01/31/2017
Est. Priority Date: 04/08/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of providing cybersecurity training to a user of an electronic device, comprising:

by one or more processors;

accessing identifying information relating to an electronic device,selecting a mock attack situation that corresponds to the electronic device, andcausing the mock attack situation to be delivered to a user of the electronic device via the electronic device in the user'"'"'s regular context of use of the electronic device;

by a sensor, sensing an action of the user in a response to the mock attack situation; and

by the one or more processors;

receiving an identification of the sensed action from the sensor,using the sensed action to determine whether the user should receive a training intervention, anddetermining that the user should receive a training intervention, and in response selecting a training intervention from a set of at least one training intervention and delivering the selected training intervention to the user.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A training system senses a user action that may expose the user to a threat, such as a cybersecurity threat. The user action may be in response to a mock attack delivered via a messaging service, a wireless communication service, a fake malware application or another device, service, system or mechanism. The system selects a training action from a collection of available training actions and causes the training action to be delivered to the user.

113 Citations

View as Search Results

27 Claims

1. A computer-implemented method of providing cybersecurity training to a user of an electronic device, comprising:
- by one or more processors;
  
  accessing identifying information relating to an electronic device,selecting a mock attack situation that corresponds to the electronic device, andcausing the mock attack situation to be delivered to a user of the electronic device via the electronic device in the user'"'"'s regular context of use of the electronic device;
  
  by a sensor, sensing an action of the user in a response to the mock attack situation; and
  
  by the one or more processors;
  
  receiving an identification of the sensed action from the sensor,using the sensed action to determine whether the user should receive a training intervention, anddetermining that the user should receive a training intervention, and in response selecting a training intervention from a set of at least one training intervention and delivering the selected training intervention to the user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the electronic device comprises a software application, or firmware installed and configured to run on an electronic device.
  - 3. The method of claim 1, wherein causing the mock attack situation to be delivered to the user via the device in the user'"'"'s regular context of use of the device comprises luring the user to use the device to interact with at least one of the following mock attacks:
    - a mock malicious memory device;
      
      a mock malicious short-range tag;
      
      a mock malicious barcode;
      
      a piece of mock malware;
      
      ora mock rogue, compromised or malfunctioning device or service.
  - 4. The method of claim 1, wherein the sensed action includes receipt of identifying information in response to the mock attack situation, and using the sensed action to determine whether the user should receive a training intervention comprises:
    - using the received identifying information in the response to determine whether the response originates from a registered user; and
      
      only delivering the selected training intervention if the response originates from the registered user.
  - 5. The method of claim 1, wherein the sensed action includes receipt of identifying information in response to the mock attack situation, and using the sensed action to determine whether the user should receive a training intervention comprises:
    - using the received identifying information in the response to determine whether the response originates from a device that is a known client; and
      
      only delivering the selected training intervention if the response originates from a device that is a known device.
  - 6. The method of claim 1, wherein determining whether the user should receive a training intervention comprises:
    - determining whether the user has responded to at least a threshold number of mock attack situations.
  - 7. The method of claim 1, wherein:
    - the mock attack situation comprises a wireless service that includes a wireless local area network service, a wireless personal area network service, a near field communication service; and
      
      the sensed action comprises a request to connect the device to the wireless service.
  - 8. The method of claim 1, wherein:
    - the mock attack situation comprises a network service or device that broadcasts an availability message; and
      
      the sensed action comprises a request to connect the electronic device to the network service or device.
  - 9. The method of claim 1, wherein:
    - the mock attack situation comprises an attack that lures users to install fake malware; and
      
      the sensed action comprises a request to install fake malware on the device.
  - 10. The method of claim 1, wherein selecting the training intervention comprises:
    - using the sensed action to identify a threat scenario for which the user is at risk;
      
      identifying a collection of available training interventions that are relevant to the threat scenario; and
      
      selecting from the collection, based on the identified threat scenario, the training intervention to be delivered to the user.

11. A computer-implemented method of providing cybersecurity training to a user, comprising:
- by one or more processors;
  
  selecting a mock attack situation for a user, wherein the mock attack situation comprises a mock attack other than a mock phishing email,obtaining contact information necessary to deploy the mock attack situation to the user, andusing the contact information to cause the mock attack situation to be deployed to the user in the user'"'"'s regular context of use of a service or device;
  
  by a sensor, sensing an action of the user in a response to the mock attack situation; and
  
  by the one or more processors;
  
  using the sensed action to determine whether the user should receive a training intervention, anddetermining that the user should receive a training intervention, and in response selecting a training intervention and delivering the selected training intervention to the user.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The method of claim 11, wherein sensing the action of the user includes receiving identifying information and using the sensed action to determine whether the user should receive a training intervention comprises:
    - using the received identifying information to determine whether the response originates from a user who is a registered user; and
      
      only delivering the selected training intervention if the response originates from a registered user.
  - 13. The method of claim 11, wherein sensing the action of the user includes receiving identifying information and using the sensed action to determine whether the user should receive a training intervention comprises:
    - using the received identifying information to determine whether the response originates from a device that is a known device; and
      
      only delivering the selected training intervention if the response originates from a device that is a known device.
  - 14. The method of claim 11, wherein sensing the action of the user includes receiving identifying information and using the sensed action to determine whether the user should receive a training intervention comprises:
    - using the received identifying information to determine whether the response originates from a user who is a registered user;
      
      using the received identifying information to determine whether the response originates from a device that is an approved device; and
      
      delivering the selected training intervention if the response originates from a registered user who is not using an approved device.
  - 15. The method of claim 11, wherein determining whether the user should receive a training intervention comprises:
    - determining whether the user has responded to at least a threshold number of mock attack situations.
  - 16. The method of claim 11, wherein:
    - the mock attack situation comprises a message delivered via a messaging service; and
      
      the sensed action comprises receiving a reply to the message, wherein the reply includes personally identifiable information.
  - 17. The method of claim 11, wherein:
    - the mock attack situation comprises a mock malicious barcode; and
      
      the sensed action comprises detecting that the user has used a device to scan the barcode and requested to connect the device to a mock malicious URL.
  - 18. The method of claim 11, wherein:
    - the mock attack situation comprises delivering a mock malicious memory device to the user; and
      
      the sensed action comprises detecting that the user has performed one or more of the following;
      
      connected the memory device to an electronic device;
      
      opened a file stored on the memory device;
      
      or provided the memory device to another person.
  - 19. The method of claim 11, wherein selecting the training intervention comprises:
    - using the sensed action to identify a threat scenario for which the user is at risk;
      
      identifying a collection of available training interventions relevant to the threat scenario; and
      
      selecting from the collection, based on the identified threat scenario, the training intervention to be delivered to the user.

20. A computer-implemented method of providing cybersecurity training to a user, comprising, by one or more processors:
- sensing, by a sensor, identifying information associated with an electronic device;
  
  using the identifying information to determine an area where a user of the electronic device is likely to be;
  
  selecting a mock attack situation for the user, wherein the mock attack situation requires the user to be within a vicinity of the area to receive the mock attack situation;
  
  causing the mock attack situation to be deployed in the area;
  
  after the user comes within the vicinity of the area, sensing an action of the user in response to the mock attack situation;
  
  determining whether the user should receive a training intervention and, if so, selecting a relevant training intervention from a set of one or more training interventions; and
  
  delivering the selected training intervention to the user.
- View Dependent Claims (21, 22, 23, 24, 25, 26)
- - 21. The method of claim 20, further comprising:
    - using the sensed action to identify a threat scenario for which the user is at risk;
      
      using the sensed action to determine whether the user should receive a training intervention; and
      
      determining that the user should receive a training intervention;
      
      wherein the selecting of the training intervention is in response to the determining that the user should receive a training intervention.
  - 22. The method of claim 20, wherein the sensed action includes receipt of identifying information in response to the mock attack situation, and using the sensed action to determine whether the user should receive a training intervention comprises:
    - using the received identifying information in the response to determine whether the response originates from the user; and
      
      only delivering the selected training intervention if the response originates from the user.
  - 23. The method of claim 20, wherein the sensed action includes receipt of identifying information in response to the mock attack situation, and using the sensed action to determine whether the user should receive a training intervention comprises:
    - using the received identifying information in the response to determine whether the response originates from a device that is a known client; and
      
      only delivering the selected training intervention if the response originates from a device that is a known device.
  - 24. The method of claim 20, wherein:
    - the mock attack situation comprises a wireless service that includes a Wi-Fi network; and
      
      the sensed action comprises a request to connect the device to the Wi-Fi network.
  - 25. The method of claim 20, wherein:
    - the mock attack situation comprises a near field communication device that broadcasts an availability message; and
      
      the sensed action comprises a request to connect the device to the near field communication device.
  - 26. The method of claim 20, wherein:
    - the mock attack situation comprises a barcode that, when scanned, will connect a device to a mock malicious URL; and
      
      the sensed action comprises indicia that the user has used a device to scan the barcode and requested to connect the device to the mock malicious URL.

27. A computer-implemented method of providing cybersecurity training to a user, comprising:
- by a sensor, monitoring physical location information of a user of an electronic device during the user'"'"'s regular context of use of the electronic device;
  
  by one or more processors;
  
  accessing identifying information for the user,selecting a mock attack situation based on the accessed identifying information,selecting a physical location where the user is likely to be based on the monitored physical location information, andcausing the mock attack situation to be delivered to the user at the selected physical location;
  
  by the sensor, sensing an action of the user in response to the mock attack situation; and
  
  by the one or more processors;
  
  using the sensed action to determine whether the user should receive a training intervention, anddetermining that the user should receive a training intervention, and in response selecting a training intervention from a set of at least one training intervention and delivering the selected training intervention to the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Proofpoint Incorporated
Original Assignee
Wombat Security Technologies, Inc (Proofpoint Incorporated)
Inventors
Sadeh-Koniecpol, Norman, Wescoe, Kurt, Brubaker, Jason, Hong, Jason
Primary Examiner(s)
Gishnock, Nikolai A

Application Number

US14/216,002
Publication Number

US 20140199664A1
Time in Patent Office

1,051 Days
Field of Search

726/11, 726/22, 726/23, 726/24, 726/25
US Class Current

1/1
CPC Class Codes

A63F 13/80   Special adaptations for exe...

G06F 21/55   Detecting local intrusion o...

G06F 21/552   involving long-term monitor...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/562   Static detection

G06F 21/563   by source code analysis

G06F 21/564   by virus signature recognition

G06F 21/565   by checking file integrity

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/567   using dedicated hardware

G09B 19/00   Teaching not covered by oth...

G09B 19/0053   Computers, e.g. programming

G09B 5/00   Electrically-operated educa...

G09B 5/065   Combinations of audio and v...

G09B 7/02   of the type wherein the stu...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441 : Countermeasures against mal...

H04L 63/145 : the attack involving the pr...

H04L 63/1458 : Denial of Service

H04L 63/1466 : Active attacks involving in...

H04L 63/1475 : Passive attacks, e.g. eaves...

H04L 63/1483 : service impersonation, e.g....

H04L 63/1491 : using deception as counterm...

View All

Mock attack cybersecurity training system and methods

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

113 Citations

27 Claims

Specification

Use Cases

Quick Links

Others

Mock attack cybersecurity training system and methods

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

113 Citations

27 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others