US-12627699-B2 - Network security assessment based upon identification of an adversary
Abstract
A computer-implemented method comprises establishing a database based at least in part on network traffic data received from a network, detecting adversarial behavior within the network traffic data, identifying an adversary associated with the adversarial behavior, determining a plurality of specific indicators of compromise that are associated with the adversary that has been identified, constructing a query based on the plurality of specific indicators of compromise, submitting the query to search for the plurality of specific indicators of compromise within the network traffic data, searching for the plurality of specific indicators of compromise within the network traffic data, and generating, responsive to having located at least one potential indicator of compromise, a search report containing at least one specific indicator of compromise and displaying the search report to a user interface.
Inventors
- Dineshkumar Ramnath Barai
Assignees
- INTERNATIONAL BUSINESS MACHINES CORPORATION
Dates
- Publication Date: 2026-05-12
- Application Date: 2023-06-06
Claims (20)
- 1. A computer-implemented method comprising: establishing a database based at least in part on network traffic data received from a network, wherein the database comprises network traffic data representative of a plurality of entities in the network and relationships among the plurality of entities in the network; detecting adversarial behavior within the network traffic data; identifying at least one adversary associated with the adversarial behavior, wherein the identifying comprises extracting a plurality of rule identifiers (rule IDs) corresponding to a plurality of rules triggered by the detecting, each rule ID in the plurality of rule IDs corresponding to a plurality of tactics, each tactic being associated with a corresponding threat group; and selecting, responsive to a particular threat group being common to each rule ID in the plurality of rule IDs, the particular threat group as the at least one adversary; determining a plurality of specific indicators of compromise that are associated with the at least one adversary that has been identified; constructing a query based on the plurality of specific indicators of compromise, wherein the query includes a criterion enabling searching for an indicator corresponding to a particular threat group; submitting the query to search for the plurality of specific indicators of compromise within the network traffic data; searching for the plurality of specific indicators of compromise within the network traffic data; and generating, responsive to having located at least one potential indicator of compromise, a search report containing at least one specific indicator of compromise and displaying the search report to a user interface.
- 2. The computer-implemented method of claim 1, wherein identifying the at least one adversary comprises comparing the adversarial behavior that has been detected to a mapping of known adversaries and tactics and techniques associated with the known adversaries.
- 3. The computer-implemented method of claim 1, wherein the method further comprises initiating a response action upon having located the at least one indicator of compromise.
- 4. The computer-implemented method of claim 3, wherein the initiating a response action comprises at least one of isolating a segment of the network, resetting a password for a user account, removing malware, and blocking an IP address.
- 5. The computer-implemented method of claim 1, wherein the searching for the plurality of indicators of compromise is performed for a predetermined period of time.
- 6. The computer-implemented method of claim 5, wherein the predetermined period of time is one hour.
- 7. The computer-implemented method of claim 1, wherein the method is performed iteratively once every predefined period of time.
- 8. The computer-implemented method of claim 1, wherein the method is performed upon receiving an alert that a set of conditions indicative of potential adversarial behavior have been met.
- 9. The computer-implemented method of claim 1, wherein the method further includes, upon submitting the query, parsing and optimizing the query prior to searching for the plurality of specific indicators of compromise.
- 10. A computer program product comprising one or more computer readable storage media, and program instructions collectively stored on the one or more computer readable storage media, the program instructions executable by a processor to cause the processor to perform operations comprising: establishing a database based at least in part on network traffic data received from a network, wherein the database comprises network traffic data representative of a plurality of entities in the network and relationships among the plurality of entities in the network; detecting adversarial behavior within the network traffic data; identifying at least one adversary associated with the adversarial behavior, wherein the identifying comprises extracting a plurality of rule identifiers (rule IDs) corresponding to a plurality of rules triggered by the detecting, each rule ID in the plurality of rule IDs corresponding to a plurality of tactics, each tactic being associated with a corresponding threat group; and selecting, responsive to a particular threat group being common to each rule ID in the plurality of rule IDs, the particular threat group as the at least one adversary; determining a plurality of specific indicators of compromise that are associated with the at least one adversary that has been identified; constructing a query based on the plurality of specific indicators of compromise, wherein the query includes a criterion enabling searching for an indicator corresponding to a particular threat group; submitting the query to search for the plurality of specific indicators of compromise within the network traffic data; searching for the plurality of specific indicators of compromise within the network traffic data; and generating, responsive to having located at least one potential indicator of compromise, a search report containing at least one specific indicator of compromise and displaying the search report to a user interface.
- 11. The computer program product of claim 10, wherein the stored program instructions are stored in a computer readable storage device in a data processing system, and wherein the stored program instructions are transferred over the network from a remote data processing system.
- 12. The computer program product of claim 10, wherein identifying the at least one adversary comprises comparing the adversarial behavior that has been detected to a mapping of known adversaries and tactics and techniques associated with the known adversaries.
- 13. The computer program product of claim 10, further comprising initiating a response action upon having located the at least one indicator of compromise.
- 14. The computer program product of claim 10, wherein the initiating a response action comprises at least one of isolating a segment of the network where the specific indicator of compromise was located, resetting a password for user accounts, removing malware, and blocking an IP address.
- 15. The computer program product of claim 10, wherein the searching for the plurality of indicators of compromise is performed for a predetermined period of time.
- 16. The computer program product of claim 10, wherein the identifying is performed upon receiving an alert that a set of conditions indicative of potential adversarial behavior have been met.
- 17. A computer system comprising a processor and one or more computer readable storage media, and program instructions collectively stored on the one or more computer readable storage media, the program instructions executable by the processor to cause the processor to perform operations comprising: establishing a database based at least in part on network traffic data received from a network, wherein the database comprises network traffic data representative of a plurality of entities in the network and relationships among the plurality of entities in the network; detecting adversarial behavior within the network traffic data; identifying at least one adversary associated with the adversarial behavior, wherein the identifying comprises extracting a plurality of rule identifiers (rule IDs) corresponding to a plurality of rules triggered by the detecting, each rule ID in the plurality of rule IDs corresponding to a plurality of tactics, each tactic being associated with a corresponding threat group; and selecting, responsive to a particular threat group being common to each rule ID in the plurality of rule IDs, the particular threat group as the at least one adversary; determining a plurality of specific indicators of compromise that are associated with the at least one adversary that has been identified; constructing a query based on the plurality of specific indicators of compromise, wherein the query includes a criterion enabling searching for an indicator corresponding to a particular threat group; submitting the query to search for the plurality of specific indicators of compromise within the network traffic data; searching for the plurality of specific indicators of compromise within the network traffic data; and generating, responsive to having located at least one potential indicator of compromise, a search report containing at least one specific indicator of compromise and displaying the search report to a user interface.
- 18. The computer system of claim 17, wherein identifying the at least one adversary comprises comparing the adversarial behavior that has been detected to a mapping of known adversaries and tactics and techniques associated with the known adversaries.
- 19. The computer system of claim 17, wherein the operations are performed upon receiving an alert that a set of conditions indicative of potential adversarial behavior have been met.
- 20. The computer system of claim 17, further comprising initiating a response action upon having located at least one indicator of compromise.
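As an added example (not code from the patent or from IBM), the following Python sketches the attribution-then-hunt flow of claims 1, 5 and 6: the threat group common to every triggered rule ID is selected as the adversary, a query is built from only that group's indicators, and the traffic data is searched within a bounded window before a report is produced. All rule IDs, tactics, threat groups, indicators and traffic records are constructed placeholders, and an ambiguous attribution (several common groups) is treated as "no adversary identified", which is an assumption the claims leave open.

```python
from functools import reduce

# Constructed mapping: triggered detection rule ID -> tactics it evidences.
RULE_TACTICS = {"R-101": {"initial-access", "execution"},
                "R-205": {"command-and-control"},
                "R-330": {"exfiltration"},
                "R-999": {"execution"}}
# Constructed mapping: tactic -> threat groups known to use it (the claim 2 "known adversaries" mapping).
TACTIC_GROUPS = {"initial-access": {"GROUP-A", "GROUP-B"},
                 "execution": {"GROUP-B", "GROUP-C"},
                 "command-and-control": {"GROUP-A", "GROUP-C"},
                 "exfiltration": {"GROUP-A", "GROUP-D"}}
# Constructed threat intel: group -> its specific IoCs (documentation-range placeholder values).
GROUP_IOCS = {"GROUP-A": {"ip": {"203.0.113.7"}, "domain": {"update-check.example"}}}

def groups_for_rule(rule_id):
    """Every threat group associated with any tactic the rule evidences."""
    return set().union(*(TACTIC_GROUPS[t] for t in RULE_TACTICS[rule_id]))

def identify_adversary(rule_ids):
    """Claim 1: the threat group common to every triggered rule ID; None if none or ambiguous."""
    if not rule_ids:
        return None
    common = reduce(set.intersection, (groups_for_rule(r) for r in rule_ids))
    return next(iter(common)) if len(common) == 1 else None

def build_query(group):
    """Query keyed on the identified group so only its specific IoCs are searched."""
    return {"threat_group": group, **GROUP_IOCS[group]}

def search_traffic(query, records, start, window=3600):
    """Claims 5/6: scan only records inside the bounded window (default one hour)."""
    return [r for r in records if start <= r["ts"] < start + window
            and (r["dst_ip"] in query["ip"] or r["domain"] in query["domain"])]

def assess(rule_ids, records, start):
    """Full flow: identify, query, search, and report only when at least one IoC was located."""
    group = identify_adversary(rule_ids)
    if group is None:
        return None
    hits = search_traffic(build_query(group), records, start)
    if not hits:
        return None
    return {"adversary": group, "matches": len(hits),
            "hosts": sorted({h["src_ip"] for h in hits})}

# Constructed traffic records: ts is seconds relative to the window start of interest.
TRAFFIC = [{"ts": 1000, "src_ip": "10.0.0.5", "dst_ip": "203.0.113.7", "domain": None},
           {"ts": 1500, "src_ip": "10.0.0.8", "dst_ip": "192.0.2.20", "domain": "update-check.example"},
           {"ts": 2000, "src_ip": "10.0.0.5", "dst_ip": "192.0.2.44", "domain": "intranet.example"},
           {"ts": 9000, "src_ip": "10.0.0.9", "dst_ip": "203.0.113.7", "domain": None}]  # outside hour 0
```

Calling `assess(["R-101", "R-205", "R-330"], TRAFFIC, start=0)` attributes the alerts to GROUP-A and reports the two hosts that touched its indicators inside the first hour; the record at ts 9000 is only found if the window is moved.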
Description
BACKGROUND
The present invention relates generally to network security. More particularly, the present invention relates to a method, system, and computer program for network security assessment based upon identification of an adversary.
Computer security (also known as “network security” and “cyber security”) refers to the protection of computer systems and networks from attack by malicious actors that may result in unauthorized information disclosure, theft of, or damage to hardware, software, or data, as well as from the disruption or misdirection of the services they provide. Protecting computer systems and networks from attack by malicious actors includes thorough monitoring and assessment of the behavior of users across those computer systems and networks. Often, the actions taken by the malicious actors are perpetrated by known groups, e.g., threat groups that follow routine or known methods of performing malicious actions. When cyber-attacks occur, malicious actors often leave behind artifacts that may provide an indication that a computer system or network has been compromised. Currently, there exist a number of different organizations that track and monitor the activities of these groups so that users and owners of computer systems and networks may be better equipped to safeguard against cyber-attacks. Further, these organizations compile and publish publicly available knowledge bases containing information relating to the groups and the methods they employ to perpetrate cyber-attacks. Embodiments of the present invention have been conceived in light of the above.
SUMMARY
The illustrative embodiments provide for network security assessment based upon an identified adversary.
An embodiment includes a computer-implemented method comprising establishing a database based at least in part on network traffic data received from a network, wherein the database comprises network traffic data representative of a plurality of entities in the network and relationships among the plurality of entities in the network, detecting adversarial behavior within the network traffic data, identifying an adversary associated with the adversarial behavior, determining a plurality of specific indicators of compromise that are associated with the adversary that has been identified, constructing a query based on the plurality of specific indicators of compromise, submitting the query to search for the plurality of specific indicators of compromise within the network traffic data, searching for the plurality of specific indicators of compromise within the network traffic data, and generating, responsive to having located at least one potential indicator of compromise, a search report containing at least one specific indicator of compromise and displaying the search report to a user interface.
An embodiment includes a computer system. The computer system includes a processor, a computer-readable memory, and a computer-readable storage medium, and program instructions stored on the storage medium for execution by the processor via the memory.
An embodiment includes a computer usable program product. The computer usable program product includes a computer-readable storage medium, and program instructions stored on the storage medium.
BRIEF DESCRIPTION OF THE DRAWINGS
The novel features believed characteristic of the invention are set forth in the appended claims. The invention itself, however, as well as a preferred mode of use, further objectives, and advantages thereof, will best be understood by reference to the following detailed description of the illustrative embodiments when read in conjunction with the accompanying drawings, wherein:
- FIG. 1 depicts a block diagram of a computing environment in accordance with an illustrative embodiment;
- FIG. 2 depicts a block diagram of an example network infrastructure in accordance with an illustrative embodiment;
- FIG. 3 depicts a block diagram of an example security module in accordance with an illustrative embodiment;
- FIG. 3A depicts a block diagram of an example network environment in accordance with an illustrative embodiment;
- FIG. 4 depicts a flowchart of an example process for network security assessment based upon identification of an adversary;
- FIG. 5 depicts a flowchart of an example process for identification of an adversary;
- FIG. 6 depicts a flowchart of an example process for network security assessment based upon identification of an adversary.
DETAILED DESCRIPTION
The illustrative embodiments recognize that there is a need to precisely and efficiently assess the security of a computer system or network, especially when a potential security compromise has been detected or suspected. For example, computer systems and networks often store all types of sensitive and/or confidential information that is at risk of being leaked when a system or network is compromised. As another example, computer systems and networks are at risk of being denied the ability of providing services w