EA038063B1 - Intelligent control system for cyberthreats - Google Patents

Abstract

The invention relates to information protection, in particular to systems of intelligent control of cyberthreats. The main technical result consists in the improvement of information security due to automated processing of information on incoming cyberthreats, ensuring continuous update of information on cyberthreat types and their indicators of compromise. The claimed system of intelligent control of cyberthreats includes at least one processor to provide processing of information streams between system modules; at least one data storage containing machine-recognizable instructions executed by said processor; data receiving module providing the collection of information from external and internal data sources containing information on cyberthreats, filtration of received data and conversion of the received information into an uniform presentation format; a module of data enrichment providing additional data on cyberthreat indicators of compromise from external data sources; searching and collecting the information on malicious code related to known cyberthreats; updating cybersecurity information that includes at least the following: information on vulnerabilities of software in use, on presence of malicious code related to at least one vulnerability, and information on update of at least one software ensuring protection against at least one type of vulnerability; identification of user accounts used in interactions with resources related to indicators of compromise stored in the database; database to store up-to-date information on cyberthreats transmitted from data receiving modules and the data enrichment module; an integration module to transmit in an uniformed format the information on cyberthreats to cybersecurity systems; a module of analytics to analyze vulnerabilities of IT-infrastructure in the systems connected to said integration module; detecting and displaying implicit links between informational entities related to at least one type of cyberthreats using the analysis of link chains between said entities and search for common nodes of said entities.

Description

Technology area

The present invention generally relates to the field of information security, and in particular to an intelligent cyber threat management system.

State of the art

Currently, given the massive use of IT (information technology) in various industrial and economic spheres, the development of systems and approaches in the field of cybersecurity is one of the priority areas and requires constant improvement, taking into account the constant emergence of new types of cyber threats. In this regard, an important aspect of the solutions being created is the updating of information about the existing types of cyber threats, as well as information about their elimination and maintaining the current level of cyber defense of the internal infrastructure.

In the banking sector, the problem of cybersecurity plays a key role, since the internal information infrastructure processes a huge amount of structured and unstructured data, which in turn requires huge resources to timely identify potentially malicious objects that can lead to the risk of a cyber threat. As an analogue of the claimed invention, we can consider a method for detecting cyber threats based on the analysis of user actions, disclosed in the application US 20170134415 A1 (patentee: Splunk Inc, publication date: 05/11/2017). The known method uses machine learning algorithms to update models for detecting deviations from the behavior of the user's network activity, which can be an indicator of compromise and indicate an attempt to unauthorized access to information resources, thereby generating the risk of a cybersecurity threat.

The disadvantage of the known approach is the lack of a mechanism for constant updating and enrichment of data on various types of cyber threats using monitoring, identifying data in external sources of information and their subsequent connection based on data on indicators of compromise to form information entities containing an up-to-date section of information about the corresponding type of cyber threats and means. to identify and eliminate them.

Disclosure of invention

The technical problem or technical challenge to be solved is the creation of a new system that provides intelligent cyber threat management, which provides an integrated approach to the organization and management of cybersecurity infrastructure.

The main technical result, which is achieved when solving the above technical problem, is to increase information security through the implementation of automated processing of data on incoming cyber threats, which ensures constant updating of data on the types of cyber threats and indicators of compromise corresponding to them.

An additional effect from the implementation of the claimed invention is to increase the speed of identifying indicators of compromise of cyber threats due to automated data enrichment and the construction of entities that link information about the types of cyber threats and the corresponding indicators of compromise into a single information space.

The claimed invention is a system for intelligent management of cyber threats, which contains:

at least one processor that processes information flows between system modules;

at least one data storage medium containing machine-readable instructions executed by the processor;

a data acquisition module that collects information from external and internal data sources containing information about cyber threats;

filtering the received data and converting the received information into a single presentation format;

a data enrichment module that supplements data on indicators of cyber threat compromise from external data sources;

performing searches and collecting information about malicious code associated with known cyber threats;

cybersecurity information update, including at least the following information:

about the vulnerability of the software used, about the presence of malicious code associated with at least one vulnerability, and information about the update of at least one software that protects against at least one type of vulnerability;

identification of user accounts that were involved in interacting with resources associated with indicators of compromise, information on which is stored in the database;

a database that provides storage of up-to-date information about cyber threats, transmitted from the data acquisition modules and the data enrichment module;

an integration module that ensures the transmission of cyber threat data to internal sources in a unified format;

- 1 038063 analytics module providing analysis of IT infrastructure vulnerabilities in systems connected to the integration module;

identifying and displaying implicit relationships between information entities related to at least one type of cyber threat by analyzing chains of relationships between said entities and searching for common nodes of said entities.

In one of the particular examples of implementation, the data acquisition module additionally deduplicates data received from external sources.

In another particular implementation example, external sources transmit data in a structured and unstructured form.

In another particular example of implementation, the data is received from the Internet.

In another particular example of implementation, the system additionally contains an administration module that provides control of user access rights and logging of the system operation process.

In another particular example of implementation, the request for data from external sources is carried out automatically according to a schedule or based on an external user request.

In another particular example of implementation, the indicator of compromise of cyber threats is selected from the group: IP address, domain name, checksum, resource identifier, or their combination.

In another particular example of implementation, the analytics module additionally prioritizes information on cyber threats.

In another particular implementation, prioritization is performed based on keywords or Threat Identifier (CVE) scoring.

Brief Description of Drawings

Features and advantages of the present invention will become apparent from the following detailed description of the invention and the accompanying drawings.

FIG. 1 shows a general view of the claimed system.

FIG. 2 shows a general view of the computing device.

Implementation of the invention

The following will describe the concepts and terms necessary to understand the present invention.

In this invention, the system means, among other things, a computer system, a computer (electronic computer), a CNC (numerical control), a PLC (programmable logic controller), computerized control systems and any other devices capable of performing a given, well-defined sequence of operations. (actions, instructions).

A command processing device means an electronic unit or an integrated circuit (microprocessor) that executes machine instructions (programs).

A command processor reads and executes machine instructions (programs) from one or more storage devices. The role of data storage devices can be, but are not limited to, hard disks (HDD), flash memory, ROM (read only memory), solid state drives (SSD), optical drives.

A program is a sequence of instructions intended for execution by a computer control device or a command processing device.

Cyberthreats are potential events, the action (impact) of which can disrupt the business process or the state of security of the internal information infrastructure.

Cyber Threat Analytics is a regular and systematic collection, enrichment and processing of information about cyber threats in order to use it to protect information security.

Cyber Threat Analytics System is a system designed to partially automate the cyber threat analytics process.

External sources of data on cyber threats - resources and services that provide data on vulnerabilities and threats, such as feed providers (kaspersky security intelligence, IBM X-Force, Group-IB, etc.), news services, analytical reports, posts on social networks, newsletters.

Internal data sources are resources and services that provide data from internal infrastructure systems, in particular from cybersecurity systems, IT systems.

Feed is a collection of indicators of compromise. In the context of the current document, a feed is a cyberthreat data stream.

Compromise identifier / Compromise marker (English Indicator of Compromise, hereinafter referred to as IC) is a list of threat data, which makes it possible to identify the presence of a threat in the infrastructure. A list of suspicious or malicious IP addresses, email addresses, domain names, identifiers of network resources, checksums, names of registry objects (registry hive, key and its value) or file system (path to an object, name of an object) can be used as ICs. , samples of malicious behavior, etc.

An exploit is a computer program, a piece of software code or a sequence of commands that exploits vulnerabilities in software and is used to attack a computer system.

CVE (Common Vulnerabilities and Exposures) is a database of well-known information security vulnerabilities. Each vulnerability is assigned an identification number of the form CVEyear-number.

As shown in FIG. 1, the claimed invention is a distributed computing system (100) that provides automated complex processing of information about cyber threats. System (100) contains a system for intelligent processing of cyber threats (130), which provides interaction between internal infrastructure and external sources (110) on the Internet.

The system for intelligent processing of cyber threats (130) can be performed on the basis of a server or other type of computer device and contains such main components as a processor (131), a data storage medium (132), a data acquisition module (133), a data enrichment module (134), a module integration (135), analytics module (136), administration module (137). The components of the system (130), as a rule, are connected via a data bus, but it should also be obvious to a specialist that the principle of connecting the components can be of a different type, providing the required software and hardware functionality.

The processor (131) performs the required processing of information flows between the modules of the system (130) based on the machine-readable instructions stored in the means (132). By means of data storage (132) is meant one or more storage devices, such as RAM, ROM, or a combination thereof. Machine-readable instructions are usually stored in RAM when they are directly executed by a processor (131). Additional program instructions can be contained in ROM and used when performing the corresponding computational operation. The intelligent cyber threat processing system (130) collects and processes data that is obtained from cyber threat data sources. External data sources (110) and internal sources (150) are used as such sources. External sources of data on cyber threats (110) are located on various resources on the Internet and are transmitted via the data transmission network (120) to the data acquisition module (133).

The data acquisition module (133) is designed to collect information from external (110) and internal (150) data sources. Module (133) also filters data received from external sources (110) and converts the received information into a single presentation format. Module (133) provides work with heterogeneous information obtained from external data sources (110), in particular, structured and unstructured information. Cyber threat data can be indicators of compromise (reputational sources);

news sources;

thematic sources on vulnerabilities;

exploits;

sources of enrichment (contextual sources);

data from the darknet segment.

Module (133) also provides automation of the processing of the received data, their subsequent integration and their transformation into a single format for the subsequent formation of information entities that identify a given type of cyber threat. Module (133) also formalizes the received data, deduplicates the received data, provides support for formats such as JSON, STIX, XML, HTML, etc.

Filtration of incoming information can be carried out based on the date of posting / publication of data on the Internet, by keywords, tags, etc. Deduplication should be performed automatically, by generating lists of compromise markers by extracting them from the context obtained during the processing of these feeds. Processing unstructured data with module (133) can be done with a parser. Module (133) allows processing data in the specified formats, obtained not only from the Internet, but also supports uploading and subsequent processing in the Upload mode, transforming the data into a CASE entity.

The algorithm of the data acquisition module (133) provides a universal designer that allows you to customize the algorithms for collecting data from various external data sources (110) through the user interface, including setting a data collection schedule;

creation of rules for the processing of collected data;

the ability to configure HTTP (S) authorization.

Searching for data using the enrichment module (134) may include, for example, scanning pages against a list of specific sets of URLs, scanning through text (multilingual requests and responses may be supported). Scanning can be performed based on keywords or phrases that are specified by the user, while the creation of key phrases supports the use of logical operators AND, OR. It can also be implemented the ability to set an arbitrary value for the percentage of the presence of keywords / phrases during scanning. Crawling can provide clicks on links specified on a page and crawls a page from a link.

- 3 038063

Scanning can be started according to a schedule or at the user's request.

The search result can be presented as a list of found links with a preview of the text (several lines before and after the keyword / phrase). Full-text indexing of the collected data can also be performed to quickly retrieve data based on user-defined parameters. When displaying a search result, a grouping of related pages can be performed by a specific topic (keyword, phrase) and tags. Saved pages have user-supplied attributes (for example, new, in progress, processed-used, processed-not used). To extract specific information from scanned pages, it is possible to export the result to XML, JSON, etc. The search engine can bypass potential spam (spam filter).

The data received and processed using the module (133) are subject to further processing using the data enrichment module (134). The data enrichment module (134) complements the data on IC of cyber threats received from external data sources (110). The main functional purpose of the module (134) is to enrich the existing (previously received / stored) data on cyber threats, which are stored in the database (140). Enrichment can be performed both in an automated mode and on a user request. Enrichment occurs through multiple integrations with external (110) and internal (150) sources, as well as through the discovery of connected components in the database (140). Module (134) also performs search and collection of information about malicious code associated with known cyber threats, updates information about cybersecurity, in particular information about the vulnerability of the internal infrastructure software used, about the presence of malicious code associated with at least one vulnerability and information about the update of at least one software that provides protection against at least one type of vulnerability.

The data enrichment module (134) identifies user accounts that were involved in interacting with resources associated with indicators of compromise, information on which is stored in the database. The main information for enriching information about the IC, as a rule, is additional contextual information. This information is obtained by processing the corresponding request generated by the module (134). The IC context is requested on a specialized external resource (110), to which, using the module (134), samples are sent for analysis, and in response, detailed reports with behavioral indicators and threat severity scores are received.

At the time of importing new data from external sources (110), using the enrichment module (134), the incoming information is compared with that already stored in the database (140). If changes are detected in any attributes of cyber threats, the data is automatically updated. The import stage searches for existing contexts in the database (140) based on the values of the key fields and IC. If the context with the necessary values in the key fields exists in the database (140), then it is supplemented with the missing attributes, otherwise a new context is created, which is sent to the automatic procedure for identifying IC. Indicators can be found both in the basic fields, which are intended to store exactly the IC, and in other attributes of the context. Also, the system has the ability to specify rules for extracting IC (or non-extracting / excluding / omitting).

Examples can be file types or file-like objects, such as a process running in memory, represented and analyzed using the resource. Input data for a resource can be, for example, a domain name, IP-address, URL, Hash, etc. In response to processing a request with a sample, the module (134) receives information associated with a specific IC, for example, a domain name, an IP address, or a URL. The resource accepts input in the form of, for example, a domain name, IP, or URL and returns all patterns associated with the domain. The data is returned to the system (130) as nested JSON arrays. This functionality makes it possible to extract new ICs upon receipt of new cyber threat components that were not previously present in the database (140). The module (134) also enriches information about cyber threats based on IC from such external sources (110) as Threat Grid, VirusTotal, Kaspersky Threat Lookup, Domain Tools, etc. Enrichment of information about cyber threats using the module (134) is also carried out using search and collecting exploits to enrich vulnerabilities from unstructured external sources (110), such as exploit-db.com/, Oday.today, etc. Searching for and collecting security updates from unstructured sources (110) can, for example, be taken from the Microsoft Update Catalog , resources * NIX, systems - RedHat, FreeBsd, etc. System (130) also contains a database (140), which is a centralized bank of cybersecurity threats. The database (140) is intended for storing in a formalized form any data that was obtained from structured and unstructured data sources. The database (140) also stores analytical results obtained from expert assessments and automatic processing of the information received.

The database allows you to maintain and record the following information entities:

Case - an entity designed to record / maintain / analyze / parse the received information and data on cybersecurity events;

Actor;

Campaign;

Malware;

TTP;

News;

Vulnerability;

IR;

Brand Monitoring - allows you to keep track of fraudulent resources, payment details in order to obtain a single database of phishing / fraudulent campaigns;

Data Leakage.

System (130) provides functionality for performing various operations on entities, in particular, creating, editing, deleting;

linking entities with each other, building link graphs;

viewing the list, filtering the list by various fields of the entity;

entity tagging;

attachment of files;

management of drafts;

management of statuses and states, for example, for news applicable / not applicable, new / processed;

version control:

viewing all versions for each entity with the ability to display all changes that were made by the user or automatically;

the ability to rollback / return to any of the saved versions. The database (140) can also store a whitelist for ICs, the purpose of which is to prevent the use of invalid ICs in the internal infrastructure. Other well-known approaches can also be applied to prevent the use of invalid ICs, for example, analysis of the number of domain names on a network address (reverse whois), etc. The table provides an example of storing records of cyber threats.

- 5 038063

Cyber Threat Data

The essence Description / Additional Information lOCdns Information about domain names that are used by malicious software or are involved in the attacker's infrastructure. Yushai List of e-mail addresses used to distribute phishing or malicious software. lOCfiles Instances of malicious code files. lOChash Hashes of malicious components that are present in the system after it has been infected. IOC_ip A list of malicious IP addresses that are used by malicious software or are involved in the attacker's infrastructure. IOC_process A list of names of processes with variations of location on the file system that are called or injected by malicious code. lOCregistry Registry keys created or manipulated by malicious software or its components. lOCurl Addresses of compromised and infected resources that are involved in the distribution of malicious software or are involved in the attacker's infrastructure. lOCPipe A list of names of named pipes that are created by malware when it infects a computing node. lOCwmi List of names of subscriptions that are created by malware when it infects a computing node.

The integration module (135) provides the transfer of cyber threat data in a unified format to the internal infrastructure, in particular, internal data sources (150). Module (135) provides interaction with systems for monitoring information security events, in particular, transmits sets of ICs for further search in the lists of information security events. For systems of this type, contextual information about the found IC is provided. The integration module (135) also receives information security tools (hereinafter referred to as ISS) and / or requests the status of indicators of compromise on a specific ISS, as well as information on adding ICs to exclusive groups / lists, and allows you to search for information by specified ICs in the information event logs. security for the selected period of time.

The analytics module (136) provides interaction with the processed data of cyber threats, in particular, using the module (136), the analysis of IT infrastructure vulnerabilities in the internal data sources (150) connected to the integration module (135) is carried out, the identification and display of implicit relationships between information entities, related to a particular type of cyber threat, by analyzing chains of relationships between entities and finding their common nodes. The analytics module (136) makes it possible to identify the relationships between the accumulated IC, in particular, based on the data that are already present in the database (140), connections are built.

Entities in the system can be linked to each other either manually or automatically. The same entity can have several links / links from different places in the system, which can be created at different time intervals within different situations / incidents / analytical reports, with each link having a direction (from a specific entity to another specific entity) ... Thus, based on the information stored in the database (140), you can visualize the first level of relationships for a specific entity (i.e. display the entities referenced by the selected entity or entities that refer to the selected entity), then using

- 6 038063 functionality of the analytics module (136), it is possible for any of the rendered entities to obtain a list of entities associated with it, and so on, expanding any of the nodes as long as there are related entities in the database (140).

After the disclosure of N levels of links, the system (130) can conclude that the entities can be linked to each other not directly by one link, but through other entities located at a distance of at least one edge from each. Thus, two or more base nodes, after the expansion of related entities to N levels, can have common nodes, and such a relationship between base nodes is called implicit. The search for such implicit relationships and the disclosure of relationships for each entity is performed automatically using the analytics module (136).

The module (136) also provides an interactive interaction between the user and the system (130) for the purpose of conducting cyber intelligence. Interaction can be carried out using a graphical user interface (GUI) implemented on the appropriate computer device. The analytics module (136) has a dashboard designer (dashboards) and provides the following functionality:

creation of custom widgets (Managing data selection criteria; Managing data display options);

setting up the location of widgets;

setting up a schedule for updating widgets;

sorting management;

grouping management (including multi-level grouping is supported, the number of levels is limited by the number of fields that exist for a specific entity.

Module (136) also contains a constructor for working with a graph, in particular, it allows you to visualize system objects and connections between them, allows you to find non-obvious connections at different depths between the objects under study. The analytics module (136) allows automated analysis of the dynamics of queries on cybersecurity topics (for example, using Google Trends). The analytics module (136) also provides the construction of statistical slices for a given time period, set at the user's request, for example, a week, month, year, etc.

The system (130) may also contain an administration module (137), which provides control of user access rights and logging of the system operation (130). Differentiation of access rights can be implemented using known approaches, in particular, such as accounts, hardware identification means (smart card, USB token, etc.), electronic signature, etc. Each user can be assigned access to the corresponding part of the system (130) to work with the specified functionality.

Next, let us consider, using an example, the process of operation of the system (130) with data when enriching information about cyber threats using the analysis of external sources (110), in particular news sources on the Internet.

Data from external sources (110) are collected by polling them by the data acquisition module (133), for example, according to a given data collection schedule. Further, the information received from the sources (110) is converted into a single presentation format and deduplication is performed, which together forms the input data stream for the analytics module (136).

The analytics module (136), based on the received data stream from the module (133), carries out a basic prioritization of the received data based on the specified keywords, which ensures the marking of a relevant group of data from a large flow of incoming data that needs to be analyzed first. After analyzing the relevance of the received stream, the function of maintaining and accounting for entities is activated. Initially, an analytical report is generated in the CASE entity. The report contains a descriptive part of the received data stream with the ability to use other entities within the analysis, for example, add extracted ICs to CASE. After adding the IC, the capabilities of the data enrichment module (134) are used, which receives information from the information protection means of the infrastructure, for example, a bank. In particular, such parameters can be data on the status of blocking of a given IC in the internal infrastructure. The data enrichment module (134) also accesses the contextual subscriptions to obtain possible related indicators. In this case, the CASE entity is linked (linked) with the news (and other entities, depending on the content of the news), which was processed by the analytics module (136) in the system (130) according to the generated data stream from external sources (110).

After the CASE entity from the Draft state (project) is transferred to the Published state (publication), the integration module (135) sends the introduced ICs (in the current context, information about cyber threats, for certain systems, is represented by an entity - an indicator of compromise) to the monitoring system information security events. The integration module (135) also allows the analyst to send a request to the information security event monitoring system in order to obtain historical information about the presence of added ICs in the infrastructure for N period. Upon receiving data on the presence of IC in the infrastructure for the past N-period, the data enrichment module (134) collects information about the source. For example, the network zone is defined

- 7 038063 sources of the incident, belonging to the user account, as well as complete information about the user from other systems for keeping records of users.

Based on the results of the publication of the CASE entity, if it is required to block IC or to enter any other order in the order accounting system (ticketing), the integration module (135) fills a certain set of order fields with data from the CASE entity and registers it in the order accounting system (ticketing). Next, we will consider the process of processing information related to vulnerabilities. When working with this type of information, the data acquisition module (133), according to a given schedule, collects data from external sources (110), converts them into a single presentation format and performs data deduplication, which together forms an input data stream for the analytics module ( 136), taking into account possible aggregations of similar data streams. Data deduplication is performed when information is collected from different sources, in the absence of a single reference data source.

The analytics module (136), based on the received data stream from the module (133), carries out a basic prioritization of the received data based on the specified keywords, which ensures the marking of a relevant group of data from a large flow of incoming data that needs to be analyzed first. The data enrichment module (134), together with the data retrieval module (133), collects additional information from the Internet, taking into account the vulnerability identifier (CVE) of the following form: the presence of software code for exploiting the indicated vulnerability (exploit), information about security updates, including number of substitute / cross (Microsoft), information about security packages (according to the package manager of Unix / Linux systems), information about the versioning of the vulnerable object, information about the general vulnerability assessment taking into account its versioning (CVSS 2.0 or CVSS 3.0) and other attributes used in entities Vulnerability (vulnerability).

In this case, the enrichment module (134), according to a given schedule, for entities of the Vulnerability type carries out a continuous process of searching for additional information on the Internet on certain resources. In the process of processing information on a particular vulnerability, the system (130) uses the function of maintaining and accounting for entities. Initially, the system (130) automatically forms the Vulnerability entity, which aggregates the results of the work of the above modules. Aggregated information, taking into account prioritization, is transmitted for further analysis to the analytics module (136).

During the processing of the Vulnerability entity using the analytics module (136), the integration module (135) is also used to assess the applicability of the found vulnerability to the infrastructure. The integration module (135) allows you to send a request to centralized IT asset management systems, for example, to determine if there are security updates or other attributes used in the Vulnerability entity.

The analytics module (136) analyzes the data received from the integration module (135) according to the embedded information processing algorithms. In this case, if the type of vulnerability is network, the analytics module (136) can re-invoke the integration module (135) to obtain information about the network reachability of the end computing nodes. Subsequently, this information can influence the assessment of the applicability of the vulnerability being processed.

After analyzing (determining the relevance) of the received data stream about the vulnerability and applying it in the infrastructure, the function of maintaining and accounting for entities is re-used. Based on the analysis results, an analytical report is generated in the CASE entity. According to the results of the publication of the CASE entity, if steps are required to eliminate the vulnerability, or the establishment of any other order in the order accounting system (ticketing), the integration module (135) fills a certain set of order fields with data from the CASE entity and registers it in the order accounting system (ticketing).

FIG. 2 shows an example of a general view of a computing device (200), with the help of which the functionality of the system (130) can be implemented.

The device (200) can be part of a computer system such as a server, computer, cloud platform, or the like.

In the general case, the computing device (200) contains one or more processors (201) united by a common data exchange bus, memory means such as RAM (202) and ROM (203), input / output interfaces (204), input / output devices ( 205), a device for networking (206).

The processor (201) (or multiple processors, multi-core processor) can be selected from a range of devices currently in widespread use, such as Intel ™, AMD ™, Apple ™, Samsung Exynos ™, MediaTEK ™, Qualcomm Snapdragon ™, etc. ... The processor also needs to consider a graphics processor such as an NVIDIA or ATI GPU, which may also be capable of performing the required computational functionality. In this case, the memory means can also be the available amount of memory of the graphics card or GPU.

- 8 038063

RAM (202) is a random access memory and is intended for storing machine-readable instructions executed by the processor (201) for performing the necessary operations for logical data processing. RAM (202), as a rule, contains executable instructions of the operating system and corresponding software components (applications, software modules, etc.).

ROM (203) is one or more persistent storage devices such as a hard disk drive (HDD), solid state data storage device (SSD), flash memory (EEPROM, NAND, etc.), optical storage media (CD-R / RW, DVD-R / RW, BlueRay Disc, MD), etc.

Various types of I / O interfaces (204) are used to organize the operation of the device components (200) and to organize the operation of external connected devices. The choice of appropriate interfaces depends on the specific design of the computing device, which can be, but are not limited to: PCI, AGP, PS / 2, IrDa, FireWire, LPT, com, SATA, IDE, Lightning, USB (2.0, 3.0, 3.1, micro, mini, type C), TRS / Audio jack (2.5, 3.5, 6.35), HDMI, DVI, VGA, Display Port, RJ45, RS232, etc. To ensure user interaction with the computing device (200), various means (205) of I / O information are used, for example, a keyboard, display (monitor), touch display, touch pad, joystick, mouse manipulator, light pen, stylus, touch panel, trackball , speakers, microphone, augmented reality, optical sensors, tablet, light indicators, projector, camera, biometric identification (retina scanner, fingerprint scanner, voice recognition module), etc.

The means of networking (206) allows the device (200) to transmit data via an internal or external computer network, for example, Intranet, Internet, LAN, etc. One or more means (206) may be used, but not limited to: Ethernet card, GSM modem, GPRS modem, LTE modem, 5G modem, satellite communication module, NFC module, Bluetooth and / or BLE module, Wi-Fi module, and dr.

Additionally, satellite navigation aids can be used as part of the device (200), for example, GPS, GLONASS, BeiDou, Galileo. The presented materials disclose preferred examples of implementation of the invention and should not be construed as limiting other, particular examples of its implementation that do not go beyond the scope of the claimed legal protection, which are obvious to specialists in the relevant field of technology.

Claims (9)

CLAIM 1. The system of intelligent management of cyber threats, containing at least one processor that processes information flows between the modules of the system; at least one data storage medium containing machine-readable instructions executed by the processor; a data acquisition module that collects information from external and internal data sources containing information about cyber threats; filtering the received data and converting the received information into a single presentation format; a data enrichment module that supplements data on indicators of cyber threat compromise from external data sources; performing searches and collecting information about malicious code associated with known cyber threats; update of cybersecurity information, including at least the following information: the vulnerability of the software used, the presence of malicious code associated with at least one vulnerability, and information about the update of at least one software that protects against at least one one type of vulnerability; identification of user accounts that were involved in interacting with resources associated with indicators of compromise, information on which is stored in the database; a database that provides storage of up-to-date information about cyber threats transmitted from the data acquisition modules and the data enrichment module; an integration module that transfers cyber threat data to internal sources in a unified format; analytics module that provides analysis of IT infrastructure vulnerabilities in systems connected to the integration module; identifying and displaying implicit relationships between information entities belonging to at least one type of cyber threat by analyzing chains of relationships between said entities and searching for common nodes of said entities. 2. The system according to claim 1, characterized in that the data acquisition module additionally implements - 9 038063 Enables deduplication of data received from external sources. 3. The system according to claim 1, characterized in that external sources transmit data in a structured and unstructured form. 4. The system according to claim 3, characterized in that the data is received from the Internet. 5. The system according to claim 1, characterized in that it additionally contains an administration module that provides control of user access rights and logging of the system operation process. 6. The system according to claim 1, characterized in that the request for data from external sources is carried out automatically according to a schedule or based on an external user request. 7. The system according to claim 1, characterized in that the cyber threat compromise indicator is selected from the group: IP address, domain name, checksum, resource identifier, or a combination thereof. 8. The system according to claim 1, characterized in that the analytics module additionally prioritizes information on cyber threats. 9. The system of claim 8, wherein prioritization is performed based on keywords or Threat Identifier (CVE) scoring.