Search

US-20260127274-A1 - CYBER-INCIDENT MANAGEMENT SYSTEM AND METHOD THEREOF

US20260127274A1US 20260127274 A1US20260127274 A1US 20260127274A1US-20260127274-A1

Abstract

In some implementations, the device may include instantiating a plurality of agents configured to communicate with a plurality of security tools deployed in the organization, where each of the plurality security tools defends against a different type of cyber-incident. In addition, the device may include receiving, by an agent of the plurality of agents, an input request from a respective security tool, where the input request includes at least a traffic pattern; generating, by the agent, a prompt for an AI model based on at least the input request the prompt when processed by the AI model returns at least instructions to modify at least one security policy set with the security tool; and feeding, by the agent, the at least instructions to the security tool, where the at least instructions, when executed by the security tool, causes the security tool to modify each of the least one security policy in real-time.

Inventors

  • David Aviv

Assignees

  • RADWARE LTD.

Dates

Publication Date
20260507
Application Date
20241101

Claims (20)

  1. 1 . A method for managing cyber-incidents lifecycle of cyber-attacks, comprising: instantiating a plurality of agents configured to communicate with a plurality of security tools deployed in an organization, wherein each of the plurality security tools defends against a different type of cyber-incident; receiving, by an agent of the plurality of agents, an input request from a respective security tool, wherein the input request includes at least a traffic pattern; generating, by the agent, a prompt for an AI model based on at least the input request the prompt when processed by the AI model returns at least instructions to modify at least one security policy set with the security tool; and feeding, by the agent, the at least instructions to the security tool, wherein the at least instructions, when executed by the security tool, causes the security tool to modify each of the least one security policy in real-time.
  2. 2 . The method of claim 1 , further comprising: configuring the agent with the AI model; and training the AI model with security policies and capabilities of the respective security tool.
  3. 3 . The method of claim 2 , wherein the traffic pattern demonstrates an ongoing cyber-incident, and wherein the input request further includes an attack-time request.
  4. 4 . The method of claim 3 , wherein the attack-time request further includes at least one of: a request to improve detection of the ongoing cyber-incident, a request to characterize the ongoing cyber-incident, and a request to improve mitigation of the ongoing cyber-incident.
  5. 5 . The method of claim 3 , wherein generating the prompt further comprising: generating the prompt further based on a predefined template, the traffic pattern demonstrating the ongoing cyber-incident, the attack-time request, and metadata retrieved from external databases.
  6. 6 . The method of claim 1 , wherein the traffic pattern demonstrates peace-time traffic, and wherein the input request further includes a peace-time request.
  7. 7 . The method of claim 3 , wherein a peace-time request further includes: at least one of: a request to modify an initial security, and a request to create a new security policy.
  8. 8 . The method of claim 6 , wherein generating the prompt further comprises: generating the prompt further based on a predefined template, the traffic pattern demonstrating peace-time traffic, the peace-time request, and metadata retrieved from external databases.
  9. 9 . The method of claim 1 , further comprising: instantiating a controller agent to communicate with the plurality of agents; and responding, by the controller agent, to attack reasoning queries submitted by a user.
  10. 10 . The method of claim 9 , wherein the queries are natural language queries.
  11. 11 . The method of claim 1 , further comprising: configuring each agent with the AI model; and using a retrieval-augmented generation (RAG) process to generate the prompts.
  12. 12 . The method of claim 1 , wherein the security tools is any one of: an intrusion detection and prevention system (IDPS), an endpoint protection and detection (EPD) system, a firewall, a vulnerability scanning and management system, a network monitoring and analysis system, a DDoS detection mitigation system, a data loss prevention (DLP) system, and an API security system.
  13. 13 . The method of claim 1 , wherein a traffic pattern in the input request includes at least any one of: rate-based traffic parameters, rate-invariant parameters, a communication protocol type, a baseline, and attributes representing attacker's activity.
  14. 14 . The method of claim 13 , wherein the attributes representing attacker's activity include at least one of the logs, file changes, process behavior, and operating system events.
  15. 15 . A non-transitory computer-readable medium storing a set of instructions for managing cyber-incidents lifecycle of cyber-attacks, the set of instructions comprising: one or more instructions that, when executed by one or more processors of a device, cause the device to: instantiate a plurality of agents configured to communicate with a plurality of security tools deployed in an organization, wherein each of the plurality security tools defends against a different type of cyber-incident; receive, by an agent of the plurality of agents, an input request from a respective security tool, wherein the input request includes at least a traffic pattern generate, by the agent, a prompt for an AI model based on at least the input request the prompt when processed by the AI model returns at least instructions to modify at least one security policy set with the security tool; and feed, by the agent, the at least instructions to the security tool, wherein the at least instructions, when executed by the security tool, causes the security tool to modify each of the least one security policy in real-time.
  16. 16 . A system for managing cyber-incidents lifecycle of cyber-attacks comprising: one or more processors configured to: instantiate a plurality of agents configured to communicate with a plurality of security tools deployed in an organization, wherein each of the plurality security tools defends against a different type of cyber-incident; receive, by an agent of the plurality of agents, an input request from a respective security tool, wherein the input request includes at least a traffic pattern generate, by the agent, a prompt for an AI model based on at least the input request the prompt when processed by the AI model returns at least instructions to modify at least one security policy set with the security tool; and feed, by the agent, the at least instructions to the security tool, wherein the at least instructions, when executed by the security tool, causes the security tool to modify each of the least one security policy in real-time.
  17. 17 . The system of claim 16 , wherein the one or more processors are further configured to: configure the agent with the AI model; and train the AI model with security policies and capabilities of the respective security tool.
  18. 18 . The system of claim 17 , wherein the traffic pattern demonstrates an ongoing cyber-incident, and the input request further includes an attack-time request.
  19. 19 . The system of claim 18 , wherein the attack-time request further includes at least one of: a request to improve detection of the ongoing cyber-incident, a request to characterize the ongoing cyber-incident, and a request to improve mitigation of the ongoing cyber-incident.
  20. 20 . The system of claim 18 , wherein the one or more processors, when generating the prompt, are configured to: generate the prompt further based on a predefined template, the traffic pattern demonstrating the ongoing cyber-incident, the attack-time request, and metadata retrieved from external databases.

Description

TECHNICAL FIELD The present disclosure generally relates to cybersecurity systems and, more particularly, to an incident response system. BACKGROUND An Emergency Response Team (ERT) in cybersecurity is a specialized group responsible for detecting, responding to, and mitigating security incidents, such as cyber-attacks or data breaches. Their role includes monitoring networks, containing threats, conducting forensic analysis, and restoring systems to normal operations. ERTs also communicate with internal stakeholders, law enforcement, and regulatory bodies, ensuring proper incident management. They proactively work to strengthen an organization's defenses through vulnerability assessments and training, and after incidents, they analyze and report on the event to improve future response strategies. ERTs play a crucial role in minimizing damage, ensuring compliance, and enhancing organizational resilience against cyber threats. Complex cyber-attack vectors involve sophisticated, multi-layered methods that cybercriminals use to infiltrate and compromise systems. These attacks often combine techniques like Advanced Persistent Threats (APTs), zero-day exploits, and supply chain attacks, allowing attackers to remain undetected and cause significant harm. Attackers may use fileless malware, which operates in-memory, or Man-in-the-Middle (MitM) attacks to intercept communications. Additionally, Ransomware-as-a-Service (RaaS) models have made ransomware more accessible to less skilled attackers while Living off the Land (LotL) attacks exploit legitimate tools already present within a system, making detection difficult. These attack vectors often involve multiple stages, such as initial access via social engineering and spear phishing, followed by privilege escalation, lateral movement, and data exfiltration. Attackers may leverage large-scale Distributed Denial-of-Service (DDoS) attacks using IoT botnets or employ watering hole attacks by compromising legitimate websites frequented by the target group. Due to the complexity and stealth of these methods, organizations must adopt a multi-layered defense strategy that includes advanced threat detection, incident response plans, and continuous monitoring to mitigate these sophisticated threats. Detecting complex cyber-attacks is difficult because attackers use advanced evasion techniques, which exploit legitimate tools and avoid traditional security measures to execute complex cyber-attack vectors. The lack of real-time monitoring, weaknesses in legacy security tools, and insufficient expertise of ERT further complicate detection efforts, making these attacks highly challenging to identify and mitigate in a timely manner. It would, therefore, be advantageous to provide a solution that would overcome the challenges noted above. SUMMARY A summary of several example embodiments of the disclosure follows. This summary is provided for the convenience of the reader to provide a basic understanding of such embodiments and does not wholly define the breadth of the disclosure. This summary is not an extensive overview of all contemplated embodiments, and is intended to neither identify key or critical elements of all embodiments nor to delineate the scope of any or all aspects. Its sole purpose is to present some concepts of one or more embodiments in a simplified form as a prelude to the more detailed description that is presented later. For convenience, the term “some aspects” or “certain aspects” may be used herein to refer to a single embodiment or multiple embodiments of the disclosure. A method of one or more computers can be configured to perform particular operations or actions by virtue of having software, firmware, hardware, or a combination of them installed on the system that in operation causes or cause the system to perform the actions. One or more computer programs can be configured to perform particular operations or actions by virtue of including instructions that, when executed by a data processing apparatus, cause the apparatus to perform the actions. In one general aspect, method may include instantiating a plurality of agents configured to communicate with a plurality of security tools deployed in the organization, where each of the plurality security tools defends against a different type of cyber-incident. Method may also include receiving, by an agent of the plurality of agents, an input request from a respective security tool, where the input request includes at least a traffic pattern; generating, by the agent, a prompt for an AI model based on at least the input request the prompt when processed by the AI model returns at least instructions to modify at least one security policy set with the security tool; and feeding, by the agent, the at least instructions to the security tool, where the at least instructions, when executed by the security tool, causes the security tool to modify each of the least one security policy in real-time. Other embodiments o