Patent classifications
H04L2463/146
Leveraging network security scanning to obtain enhanced information regarding an attack chain involving a decoy file
Systems and methods for identifying a source of an attack chain based on network security scanning events triggered by movement of a decoy file are provided. A decoy file is stored on a deception host deployed by a deception-based intrusion detection system (IDS) within a private network. The decoy file contains therein a traceable object that is detectable by network security scanning performed by multiple network security devices protecting the private network. Information regarding an attack chain associated with an access to the decoy file or a transmission of the decoy file through the one or more network security devices is received by the deception-based IDS from the one or more network security devices. The information is created responsive to detection of a security incident by the network security scanning. Finally, an Internet Protocol (IP) address of a computer system that originated the attack chain is determined.
DEVICES, SYSTEMS, AND METHODS FOR AUTONOMOUS THREAT RESPONSE AND SECURITY ENHANCEMENT
Systems and methods are disclosed for autonomous security enhancement of a tenant network via a managed security service provider (MSSP) server comprising a processor and a memory, with information from a plurality of data sources, the method comprising querying a database or server, upon an encounter with an indicator of compromise (IoC), by a security system, to identify data sources of a plurality of data sources, wherein the data sources include information on the IoC; generating, via the processor, an IoC threat score for the IoC; generating at least one actionable security enhancement notification based on the IoC threat score; and deploying an automated security response that can comprise displaying the IoC threat score and an actionable security enhancement notification to a user, allowing triggering or disabling of at least one action based on the single IoC threat score.
Security event connectivity generated by linking entities and actions from process tracking
A system and method automatically link security events associated with a computer network and system calls of plural networked computers interfaced with the computer network. System call information of the system calls of the plural networked computers is communicated to a network location to associate security events with system calls across the networked computers and provide a causal graph that reconstructs a sequence of events with precise attribution and timing to comprehend entities and actions associated with the security event.
Methods of monitoring and protecting access to online services
A method of monitoring and protecting access to an online service from Account Take Over may include: providing a Traffic Inspector in communication with at least one device for Internet browsing and with a web server; providing a Traffic Analyzer in communication with the Traffic Inspector; identifying each browsing session of the at least one device; extracting and identifying one or more usernames when a user performs authentication to the service by analyzing traffic exchanged between the at least one device and the web server; collecting first characteristic data concerning unique and/or non-unique technical parameters and associating the first characteristic data with respective identified one or more usernames; identifying each anonymous web beacon generated by the at least one device on the service; and collecting second characteristic data concerning unique and/or non-unique technical parameters and associating the second characteristic data with the anonymous web beacon.
Method of generating and using credentials to detect the source of account takeovers
Disclosed herein are systems and methods that may generate so-called honey credentials that are transmitted to a phishing website, and are then stored into a honey credential database. The honey credentials appear to be valid credentials, but whenever a bad actor attempts to access an enterprise using the honey credentials, security appliances of the enterprise may update the records of the honey credential database to include one or more unique identifiers for each bad actor device that attempts to access the enterprise network using the honey credentials. A server may automatically query the honey credential database to identify other accounts that have been accessed by devices that used the honey credentials to access the enterprise. The server may then flag the accounts and restrict their functionality.
System and method for identifying malicious hosts prior to commencement of a cyber-attack
According to one embodiment, host infrastructure analysis logic that attempts to detect a malicious host operating within a network prior to a cyber-attack being conducted by the malicious host is described. The host infrastructure analysis logic includes querying logic, profile confirmation logic, classification logic and reporting logic. The querying logic retrieves salient characteristics associated with a plurality of hosts operating within the network and determines whether any hosts are suspicious. The profile confirmation logic, if a suspicious host is detected, establishes communications with that suspicious host to retrieve additional context information. The classification logic, based on the retrieved information, determines whether the suspicious host is malicious, prior to and without reliance on information associated with a cyber-attack being conducted by that host. The reporting logic outputs analytic results identifying at least that the suspicious host is operating as a malicious host.
Vehicle attack event continuity determination method, vehicle attack event continuity determination device, and non-transitory computer-readable recording medium
A vehicle attack continuity determination method includes: obtaining first vehicle attack event information pertaining to a first vehicle attack event which has occurred in an in-vehicle network, second vehicle attack event information pertaining to a second vehicle attack event which has occurred in the in-vehicle network before the first vehicle attack event, and in-vehicle network information indicating a configuration of the in-vehicle network; determining whether there is continuity between the first vehicle attack event and the second vehicle attack event based on the first vehicle attack event information, the second vehicle attack event information, and the in-vehicle network information; and outputting a result of the determining.
Apparatus and method for performing threat analysis and risk assessment for vehicle cybersecurity
An apparatus for performing threat analysis and risk assessment (TARA) includes an input device configured to receive an input of a user. The apparatus also includes a processor configured to generate a threat scenario based on information about a specific damage scenario, when a specific damage scenario requiring threat analysis is selected through the input device. The processor is also configured to determine information about an attack path depending on the technical services based on a pre-stored database. The processor is additionally configured to derive a security goal based on the information about the attack path.
EXPOSURE MANAGEMENT SYSTEM AND A METHOD FOR EXPOSURE MANAGEMENT
An exposure management system and an exposure management method for assessing exposure of assets of an organization, the assets comprising at least one host, such as a computer or a server. The method comprises creating a model of the organization controlling the assets, creating models of a plurality of threat actors able to attack the assets of the organization, and producing a reduced set of threat actors relevant for the organization based on the relevance of a specific threat actor to the organization in view of the created threat actor models and the created model of the organization. The method further comprises, for each threat actor of the reduced set of threat actors, determining available attack paths for the assets of the organization with an attack path simulator and combining the determined available attack paths for the assets of the organization into attack trees for a specific threat actor.