Patent classifications
H04L63/1491
ARTIFICIAL VIRTUAL MACHINE FOR PREVENTING MALWARE EXECUTION BY APPLYING VIRTUAL MACHINE CHARACTERISTICS IN REAL COMPUTING ENVIRONMENTS
A process being initiated for exposure to an operating system of the computer device is detected. A control module can then check whether the process has been whitelisted and, if not, activate an artificial virtual machine to test the process prior to direct exposure to an operating system of the real computing environment. The control module can detect when the process responds to the presumed virtual environment by declining to execute. A security action can then be taken on the process, including preventing the process from being exposed to the operating system.
Tracking usage of corporate credentials
Phishing attacks attempt to solicit valuable information such as personal information, account credentials, and the like from human users by disguising a malicious request for information as a legitimate inquiry, typically in the form of an electronic mail or similar communication. By tracking a combination of outbound web traffic from an endpoint and inbound electronic mail traffic to the endpoint, improved detection of phishing attacks or similar efforts to wrongly obtain sensitive information can be achieved.
Deceiving attackers accessing active directory data
Endpoints in a network execute a sensor module that intercepts commands. The sensor module compares a source of commands to a sanctioned list of applications received from a management server. If the source does not match a sanctioned application and the command is a write or delete command, the command is ignored and a simulated acknowledgment is sent. If the command is a read command, deception data is returned instead. In some embodiments, certain data is protected such that commands will be ignored or modified to refer to deception data where the source is not a sanctioned application. The source may be verified to be a sanctioned application by evaluating a certificate, hash, or path of the source. Responses from an active directory server may be intercepted and modified to reference a decoy server when not addressed to a sanctioned application.
HIGH SPEED TRUST EVALUATION FOR FILE ACTIVITY
Methods and systems for trust evaluation of network activities are provided. An example method commences with receiving, from a user, a request to access at least one file on a network. The method further includes authenticating the user using a multi-factor authentication method. The method continues with selectively granting the user credentialed access to the at least one file based on the authentication. The method further includes analyzing, based on a security policy, at least one activity of the user. The security policy includes at least one trigger event and at least one mitigating action. The method further includes triggering re-authentication of the user in response to determining, based on the analysis, that the at least one trigger event has occurred. The method then continues with selectively performing the at least one mitigating action based on results of the re-authentication.
Techniques for incentivized intrusion detection system
The present disclosure relates generally to security solutions. More specifically, techniques (e.g., systems, methods, and devices) are provided to implement an incentive-based intrusion detection system to detect malicious acts against an asset. The incentive may lure or facilitate the actor into providing information that detects malicious actions against an asset.
Behavior management of deception system fleets
Disclosed herein are methods, systems, and processes for managing and controlling the collective behavior of deception computing system fleets. A malicious attack, initiated by a malicious attacker and received by a honeypot that is part of a network along with other honeypots, is detected. Information associated with the malicious attack is received from the honeypot. Based on the received information, a subset of honeypots other than the honeypot is configured to entice the attacker to engage with the subset of honeypots or to avoid the subset of honeypots.
Procedures for Improving Security in an Electronic Communications Network
The invention relates to a method for improving the security in an electronic communication network, in which lures and decoys are distributed in the communication network. The aim of the invention is to provide a systematic approach to the selection and positioning of lures and decoys, by means of which the lures and decoys are distributed as optimally as possible in the communication network. For this purpose, the invention proposes that an attack vector on the communication network be determined, that an attack graph (1) be created on the basis of the attack vector, which graph shows possible attack paths as acyclic directed graphs, that the type and the number of lures and decoys be determined on the basis of the structure of the attack graph, and that the lures and the decoys be distributed in the communication network using a target function, wherein the target function takes account of parameters that detect an attacker (4), as quickly as possible and with as high a likelihood as possible, using the available lures and decoys, and allows for an assessment of the distribution.
DETECTING ANOMALOUS COMMUNICATIONS
A computer-implemented method for detecting anomalous communications in a service oriented communication system. The method includes providing at least one decoy service, hosted by a decoy server communicably coupled to the service oriented communication system, wherein the at least one decoy service is addressable using a corresponding decoy service identifier; detecting, at the decoy server, a request to consume at least one instance of the at least one decoy service, wherein the request originates from a client communicably coupled to the decoy server via the service oriented communication system; and performing, at the decoy server, a response to the request to consume the at least one instance of the at least one decoy service.
System and method for detection of malicious interactions in a computer network
System and method of detecting malicious interactions in a computer network, the method including generating, by a processor, at least one decoy segment, broadcasting, by the processor, the generated at least one decoy segment in a public database, monitoring, by the processor, communication within the computer network to identify interactions associated with the generated at least one decoy segment, determining, by the processor, at least one indicator of compromise (IOC) for the identified interactions, and blocking communication between the computer network and any computer associated with the determined at least one IOC.
Systems and methods for detecting a suspicious process in an operating system environment using file honeypots
A system and method are provided for detecting a suspicious process in an operating system environment. In an exemplary aspect, a method comprises generating, by a hardware processor, a file honeypot in a directory in a file system and receiving a directory enumeration request from a process executing in the operating system environment. The method comprises determining whether the process is identified in a list of trusted processes and, in response to determining that the process is not in the list of trusted processes, providing to the process, by the file system, a file list including the file honeypot in response to the directory enumeration request. The method further comprises intercepting, by a file system filter driver, a file modification request for the file honeypot from the process, and identifying the process as a suspicious object in response to intercepting the file modification request from the process.