RU2702269C1 - Intelligent control system for cyberthreats - Google Patents

Abstract

FIELD: information technology.

SUBSTANCE: invention relates to information protection. Technical result is achieved by searching and collecting information on malicious code associated with known cyber threat; updating information on cybersecurity, including at least information: vulnerability of used software, presence of malicious code associated with at least one vulnerability, and information on updating at least one software, providing protection against at least one type of vulnerability; and detecting user accounts, which were involved in interaction with resources associated with compromise indicators, information on which is stored in a database.

EFFECT: high information security owing to automated processing of incoming cyber threats, which continuously updates data on types of cyberthreats and compromise indicators.

9 cl, 2 dwg, 1 tbl

Description

FIELD OF TECHNOLOGY

[0001] This technical solution generally relates to the field of information protection, and in particular, to the system of intelligent control of cyber threats.

BACKGROUND

[0002] Given the widespread use of IT (information technology) in various industrial and economic fields, the development of systems and approaches in the field of cyber security is one of the priority areas and requires constant improvement, taking into account the constant emergence of new types of cyber threats. In this regard, an important aspect of the solutions created is updating information on existing types of cyber threats, as well as information on their elimination and maintaining the current degree of cyber defense of the internal infrastructure.

[0003] In the banking sector, the issue of cybersecurity plays a key role, since the internal information infrastructure processes a huge amount of structured and unstructured data, which in turn requires huge resources for the timely detection of potentially harmful objects that can lead to the risk of cyber threats.

[0004] As an analogue of the claimed solution, we can consider a method for detecting cyber threats based on an analysis of user actions disclosed in application US 20170134415 A1 (patent holder: Splunk Inc, publication date: 05/11/2017). The known method uses machine learning algorithms to update models for detecting deviations from the user's network activity, which can be an indicator of compromise and indicate an attempt to unauthorized access to information resources, thereby creating a risk of cyber security threats.

[0005] A disadvantage of the known approach is the lack of a mechanism for continuous updating and enrichment of data on various types of cyberthreats by monitoring and identifying data in external information sources and their subsequent connection based on data on compromise indicators to form information entities containing an actual slice of information about the corresponding type cyberthreats and means for their identification and elimination.

SUMMARY OF THE INVENTION

[0006] The technical problem or technical problem to be solved is the creation of a new system that provides intelligent management of cyber threats, which provides an integrated approach to the organization and management of cyber security infrastructure.

[0007] The main technical result that is achieved by solving the above technical problem is to increase information security by implementing automated processing of data about incoming cyberthreats, which ensures constant updating of data on types of cyberthreats and indicators of compromise corresponding to them.

[0008] An additional effect of the implementation of the claimed solution is an increase in the speed of identifying indicators of compromise of cyber threats through automated data enrichment and the construction of entities linking information about types of cyber threats and their corresponding indicators of compromise into a single information space.

[0009] The claimed solution is a system of intelligent control of cyber threats, which contains:

at least one processor capable of processing information flows between system modules;

at least one data storage medium comprising computer-readable instructions executed by a processor;

data acquisition module providing

collecting information from external and internal data sources containing information about cyberthreats;

filtering the received data and converting the received information into a single presentation format;

data enrichment module providing

addition of data on indicators of compromise of cyber threats from external data sources;

search and collection of information about malicious code associated with known cyber threats;

updating cybersecurity information, including at least information: about the vulnerability of the software used, about the presence of malicious code associated with at least one vulnerability and information about updating at least one software that provides protection against at least one type of vulnerability;

identification of user accounts that were involved in interacting with resources related to indicators of compromise, information on which is stored in the database;

a database that provides storage of relevant information on cyberthreats transmitted from the data acquisition modules and the data enrichment module;

an integration module that provides transmission of cyber threats to internal sources in a unified format;

analytics module providing

analysis of IT infrastructure vulnerabilities in systems connected to the integration module;

identifying and displaying implicit links between informational entities related to at least one type of cyberthreat, by analyzing the chains of links between the mentioned entities and searching for common nodes of the mentioned entities.

[0010] In one particular embodiment, the data acquisition module further deduplicates data received from external sources.

[0011] In another particular embodiment, external sources transmit data in a structured and unstructured manner.

[0012] In another particular embodiment, data is obtained from the Internet computing network.

[0013] In another particular example implementation, the system further comprises an administration module that provides control of user access rights and logging of the system operation.

[0014] In another particular example of implementation, the request for data from external sources is carried out automatically according to a schedule or based on an external user request.

[0015] In another particular implementation example, the cyber threat compromising indicator is selected from the group: IP address, domain name, checksum, resource identifier, or a combination thereof.

[0016] In another particular implementation example, the analytics module further prioritizes information on cyberthreats.

[0017] In another particular embodiment, prioritization is performed based on keywords or scoring of a threat identifier (CVE).

BRIEF DESCRIPTION OF THE DRAWINGS

[0018] The features and advantages of the present invention will become apparent from the following detailed description of the invention and the accompanying drawings, in which:

[0019] In FIG. 1 presents a General view of the claimed system.

[0020] In FIG. 2 shows a general view of a computing device.

DETAILED DESCRIPTION OF THE INVENTION

[0021] Below will be described the concepts and terms necessary for understanding this technical solution.

[0022] In this technical solution, a system means, including a computer system, a computer (electronic computer), CNC (numerical control), PLC (programmable logic controller), computerized control systems, and any other devices that can perform a given , clearly defined sequence of operations (actions, instructions).

[0023] An instruction processing device is understood to mean an electronic unit or an integrated circuit (microprocessor) executing machine instructions (programs).

[0024] An instruction processing device reads and executes machine instructions (programs) from one or more data storage devices. Hard disk drives (HDD), flash memory, ROM (read only memory), solid state drives (SSD), optical drives can be used as storage devices.

[0025] A program is a sequence of instructions for execution by a computer control device or an instruction processing device.

[0026] Cyberthreats are potential events whose action (s) can disrupt the business process or the state of security of the internal information infrastructure.

[0027] Cyberthreat analytics is a regular and systematic collection, enrichment and processing of information about cyberthreats, with a view to its use to protect information security.

[0028] A cyberthreat analytics system is a system designed to partially automate a cyberthreat analytics process.

[0029] External sources of data on cyberthreats - resources and services that provide data on vulnerabilities and threats, such as: feed providers (kaspersky security intelligence, IBM X-Force, Group-IB, etc.), news services, analytical reports , posts on social networks, newsletters.

[0030] Internal data sources - resources and services that provide data from internal infrastructure systems, in particular from cybersecurity systems, IT systems.

[0031] A feed is a collection of indicators of compromise. In the context of the current document, a feed is a stream of cyberthreat data.

[0032] Compromise identifier / Compromise marker (Indicator of Compromise, hereinafter referred to as IR) is a list of threat data that makes it possible to detect the presence of a threat in the infrastructure. An IR can be: a list of suspicious or malicious IP addresses, email addresses, domain names, network resource identifiers, checksums, names of registry objects (registry hive, key and its value) or file system (path to the object, name of the object ), samples of malicious behavior, etc.

[0033] An exploit is a computer program, a piece of program code, or a sequence of instructions that exploits vulnerabilities in software and is used to conduct an attack on a computer system.

[0034] CVE (English Common Vulnerabilities and Exposures) is a database of well-known information security vulnerabilities. Each vulnerability is assigned an identification number of the form CVE-year-number.

[0035] As shown in FIG. 1, the claimed solution is a distributed computing system (100), providing automated integrated processing of information about cyber threats. System (100) contains an intelligent cyber threat processing system (130), which provides interaction between the internal infrastructure and external sources (110) on the Internet

[0036] An intelligent cyber threat processing system (130) can be executed on the basis of a server or other type of computer device, and contains such main components as: processor (131), data storage medium (132), data acquisition module (133), data enrichment module (134), integration module (135), analytics module (136), administration module (137). The components of system (130), as a rule, are connected via an information bus, but it should also be obvious to a specialist that the principle of connecting components can be of a different type, providing the required software and hardware functionality.

[0037] The processor (131) performs the required processing of information flows between the modules of the system (130), based on machine-readable instructions stored in the tool (132). Data storage means (132) refers to one or more storage devices, for example, RAM, ROM, or a combination thereof. Machine-readable instructions are usually stored in RAM when they are directly executed by the processor (131). Additional program instructions can be contained in the ROM and used when performing the corresponding computational operations.

[0038] An intelligent cyber threat processing system (130) provides for the collection and processing of data that is obtained from cyber threat data sources. As such sources, external data sources (110) and internal sources (150) are used. External sources of data on cyberthreats (110) are located on various resources on the Internet and transmitted over the data network (120) to the data acquisition module (133).

[0039] The data acquisition module (133) is designed to collect information from external (110) and internal (150) data sources. Module (133) also filters data received from external sources (110) and converts the received information into a single presentation format. Module (133) provides work with heterogeneous information obtained from external data sources (110), in particular, structured and unstructured information.

Data on cyberthreats can be:

- indicators of compromise (reputational sources);

- news sources;

- thematic sources on vulnerabilities;

- exploits;

- enrichment sources (contextual sources);

- data from the shadow Internet segment (Eng. Darknet).

[0040] The module (133) also provides automation of the processing of the received data, their subsequent integration and their transformation into a single format for the subsequent formation of information entities identifying a given type of cyberthreat. Module (133) also formalizes the received data, deduplicates the received data, provides support for such formats as: JSON, STIX, XML, HTML, etc.

[0041] Filtering the incoming information may be based on the date of placement / publication of data on the Internet, by keywords, tags, etc. Deduplication should be performed automatically, by creating lists of compromise markers by highlighting them from the context obtained in the process of processing feed data. Processing unstructured data using module (133) can be performed using a parser. Module (133) allows you to process data in the specified formats, obtained not only from the Internet, but also supports downloading and subsequent processing in the “Upload” mode, converting the data into a CASE entity.

[0042] The operation algorithm of the data acquisition module (133) provides a universal constructor that allows you to configure the algorithms for collecting data from various external data sources (110) through the user interface, including:

- setting a schedule for data collection;

- creating rules for processing collected data;

- Ability to configure HTTP (S) authorization.

[0043] The data search using the enrichment module (134) may include, for example, scanning pages for a list of specific sets of URLs, scanning for text (support for multilingual requests and responses can be implemented). Scanning can be performed on the basis of keywords or phrases that are set by the user, while the creation of key phrases supports the use of logical operators "AND", "OR". It can also be implemented the ability to set an arbitrary value for the percentage of keywords / phrases when scanning. Scanning can provide links to the links on the page, and scanning the page for the link. Scanning can be started on schedule or at the request of the user.

[0044] The search result may be presented as a list of found links with a preview of the text (several lines before and after the keyword / phrase). Full-text indexing of the collected data can also be carried out to quickly retrieve data by user-defined parameters. When issuing a search result, a grouping of pages linked to each other by a specific topic (keyword, phrase) and tags can be performed. Stored pages have attributes set by the user (for example, a new one, in operation, processed-used, processed-not used). To extract specific information from scanned pages, it is possible to export the result to XML, JSON, etc. The search engine can bypass potential spam (spam filter).

[0045] Data obtained and processed using module (133) is subject to further processing using data enrichment module (134). The data enrichment module (134) supplements the data on IR cyber threats obtained from external data sources (110). The main functional purpose of module (134) is to enrich existing (previously received / stored) data on cyber threats, which are stored in a database (140). The enrichment can be carried out both in an automated mode and by a user request. Enrichment occurs due to multiple integrations with external (110) and internal (150) sources, as well as due to the detection of connected components in the database (140).

[0046] Module (134) also searches for and collects information about malicious code associated with known cyber threats, updates information on cybersecurity, in particular, information about the vulnerability of the internal infrastructure software used and the presence of malicious code associated with at least one vulnerability and information about updating at least one software that provides protection against at least one type of vulnerability.

[0047] The data enrichment module (134) identifies user accounts that were involved in interacting with resources associated with compromise indicators, information on which is stored in the database. The basic information for enriching information about IR, as a rule, is additional contextual information. This information is obtained by processing the corresponding request generated by module (134). An IR context is requested on a specialized external resource (110), to which samples are sent using the module (134) for analysis, and the response gives detailed reports with behavioral indicators and threat severity scores.

[0048] At the time of importing new data from external sources (110) using the enrichment module (134), the incoming information is compared with that already stored in the database (140). In case of detection of changes in any attributes of cyberthreats, the data are automatically updated. At the import stage, existing contexts are searched in the database (140) based on the values of key fields and IR. If the context with the necessary values in the key fields exists in the database (140), then it is supplemented with missing attributes, otherwise a new context is created, which goes to the automatic procedure for identifying IR. Indicators can be found both in the base fields, which are intended for storing precisely IR, and in other context attributes. The system also has the ability to specify rules for extracting IR (or non-extraction / exclusion / omission).

[0049] File types or file-like objects, for example, a process executed in memory, represented and analyzed using the mentioned resource, can serve as samples. Input data for a resource can be, for example, domain name, IP address, URL, Hash, etc. In response to processing the request with the sample, the module (134) receives information related to a specific IR, for example, a domain name, IP address, or URL. A resource takes input in the form of, for example, a domain name, IP or URL, and returns all patterns associated with the domain. Data is returned to system (130) as nested JSON arrays. This functionality makes it possible to extract new IRs upon receipt of new components of cyber threats that were not previously present in the database (140).

[0050] Also, module (134) enriches information on cyberthreats based on IR from such external sources (110) as: Threat Grid, VirusTotal, Kaspersky Threat Lookup, Domain Tools, and others. Enriching information about cyberthreats using module (134 ) is also carried out by searching and collecting exploits for enriching vulnerabilities from unstructured external sources (110), for example, exploit-db.com/, 0day.today, etc. Searching and collecting security updates from unstructured sources (110), for example, can , taken from Microsoft Update catalog, * NIX resources, systems - Re dHat, FreeBsd, etc.

[0051] The system (130) also contains a database (140), which is a centralized bank of cyber security threats. Database (140) is designed to store in a formalized form any data that was obtained from structured and unstructured data sources. The database (140) also stores analytical results obtained from expert assessments and automatic processing of the information received.

[0052] The database allows maintaining and accounting of the following information entities:

- Case - an entity designed to record / maintain / analyze / parse received information and data on cybersecurity events;

- Actor;

- Campaign;

- Malware;

- TTP;

- News;

- Vulnerability;

- IR;

- Brand Monitoring - allows you to keep track of fraudulent resources, payment details in order to obtain a single database of phishing / fraudulent campaigns;

- Data Leakage.

[0053] System (130) provides functionality for performing various operations on entities, in particular:

- create, edit, delete;

- the linking of entities among themselves, the construction of graphs of relationships;

- viewing the list, filtering the list by various fields of the entity;

- tagging entities;

- attach files;

- draft management;

- management of statuses and conditions: for example, for the news is applicable / not applicable, new / processed;

- version control: viewing all versions for each entity with the ability to display all the changes that were made by the user or automatically;

- the ability to roll back / return to any of the saved versions.

[0054] The database (140) may also store a “white list” for IRs, the purpose of which is to prevent the use of invalid IRs in internal infrastructure. Other well-known approaches can also be applied to prevent the use of invalid IRs, for example, analysis of the number of domain names at a network address (English “reverse whois”), etc.

[0055] Table 1 provides an example of storing records of cyberthreats.

[0056] The integration module (135) provides for the transmission of cyberthreats data in a unified format to the internal infrastructure, in particular internal data sources (150). Module (135) provides interaction with information security event monitoring systems, in particular, transmits IR sets for further search in information security event lists. For systems of this type, contextual information about the found IRs is provided. The integration module (135) also receives information protection tools (hereinafter referred to as SIS) and / or requests the status of indicators of compromise on a specific SIS, as well as information on adding ICs to exclusive groups / lists, and allows you to search for information on specified ICs in information event logs security for the selected period of time.

[0057] The analytics module (136) provides interaction with the processed cyberthreats data, in particular, the module (136) analyzes the vulnerabilities of IT infrastructure in internal data sources connected to the integration module (135) (150), identifies and displays implicit relationships between informational entities related to one or another type of cyberthreats by analyzing the chains of relations between entities and searching for their common nodes. The analytics module (136) makes it possible to identify the relationships between the accumulated IRs, in particular, the relationships are built from the data that are already present in the database (140).

[0058] Entities in the system can be interconnected both in manual mode and automatically. There can be several links / links from different places of the system to the same entity, which can be created at different time periods within the framework of different situations / incidents / analytical reports, and each link has a direction (from a specific entity to another specific entity) . Thus, based on the information stored in the database (140), it is possible to visualize the first level of relationships for a particular entity (i.e., display the entities referenced by the selected entity or entities that refer to the selected entity), then using the analytics module functionality ( 136) it is possible for any of the visualized entities to get a list of entities related to it, and so on, revealing any of the nodes as long as related entities exist in the database (140).

[0059] After the disclosure of N link levels, the system (130) can conclude that entities can be connected not directly with one link, but through other entities that are at least one edge from each. Thus, two or more basic nodes after the disclosure of entities related to them at N levels can have common nodes, and such a connection between the basic nodes is called implicit. The search for such implicit relationships and disclosure of relationships for each entity is performed automatically using the analytics module (136).

[0060] The module (136) also provides interactive interaction between the user and the system (130) to conduct cyber intelligence. The interaction can be carried out using a graphical user interface (GUI) implemented on the corresponding computer device. The analytics module (136) has a designer of information panels (dashboards) and provides the following functionality:

- Creating custom widgets (Managing data selection criteria; Managing options for displaying data);

- setting the location of widgets;

- Setting the schedule for updating widgets;

- sorting control;

- grouping management (including multi-level grouping is supported, the number of levels is limited by the number of fields that exist for a particular entity.

[0061] The module (136) also contains a constructor for working with the graph, in particular, it allows you to visualize the objects of the system and the relationships between them, and allows you to find non-obvious relationships at different depths between the studied objects. The analytics module (136) allows in an automated mode to analyze the dynamics of queries on the topic of cybersecurity (for example, using Google Trends). The analytics module (136) also provides the construction of statistical slices for a given time period specified at the user's request, for example, week, month, year, etc.

[0062] The system (130) may also include an administration module (137), which provides control of user access rights and logging of the operation of the system (130). Differentiation of access rights can be implemented using well-known approaches, in particular, such as: accounts, identification hardware (smart card, USB token, etc.), electronic signature, etc. Each user can be assigned access to the corresponding part of the system (130) to work with a given functionality.

[0063] Next, we consider as an example the process of the system (130) working with data when enriching information about cyberthreats using analysis of external sources (110), in particular news sources on the Internet.

[0064] Data from external sources (110) is collected by polling them with a data acquisition module (133), for example, according to a predetermined information collection schedule. Further, the information received from sources (110) is converted into a single presentation format and deduplication is performed, which together forms the input data stream for the analytics module (136).

[0065] The analytics module (136), based on the received data stream from the module (133), carries out the basic prioritization of the received data on the basis of the given keywords, which ensures the marking of a relevant group of data from a large stream of incoming data, which must be analyzed first. After analyzing the relevance of the resulting stream, the function of maintaining and accounting for entities is activated. Initially, an “analytical report” is formed in the essence of CASE. The report contains a descriptive part of the received data stream, with the ability to use other entities in the analysis, for example, add extracted IRs to CASE.

[0066] After adding the IR, the capabilities of the data enrichment module (134) are activated, which receives information from the means of protecting information of the infrastructure, for example, a bank. In particular, such parameters can be data on the status of locks of this IR in the internal infrastructure. The data enrichment module (134) also accesses contextual subscriptions to obtain possible related indicators. In this case, the CASE entity is linked (linked) with the news (and other entities, depending on the news content), which was processed by the analytics module (136) in the system (130) based on the generated data stream from external sources (110).

[0067] After the CASE entity from the “Draft” state (project) is transferred to the “Published” state (publication), the integration module (135) sends the submitted IR (in the current context, information about cyber threats for certain systems is presented essence - an indicator of compromise) in the information security event monitoring system. The integration module (135) also allows the analyst to send a request to the information security event monitoring system, in order to obtain historical information about the presence of added infrastructures in the infrastructure for the N-period. When receiving data on the presence of infrared in the infrastructure for the past N-period, the data enrichment module (134) collects information about the source. For example, the network zone of the source of the incident, membership in the user account, as well as complete information about the user from other systems of user accounting are determined.

[0068] According to the results of the publication of the CASE entity, if IR blocking is required, or the registration of any other application in the application accounting system (ticketing), the integration module (135) fills a certain set of application fields with data from the CASE entity and registers it in the accounting system applications (ticketing).

[0069] Next, we consider the process of processing information related to vulnerabilities. When working with this type of information, the data acquisition module (133), according to a given schedule, collects data from external sources (110) and converts them into a single presentation format, and performs data deduplication, which together forms the input data stream for the analytics module (136), taking into account possible aggregations of similar data streams. Data deduplication is performed if information is collected from different sources, in the absence of a single reference data source.

[0070] The analytics module (136), based on the received data stream from the module (133), carries out the basic prioritization of the received data on the basis of the given keywords, which ensures the marking of a relevant group of data from a large stream of incoming data, which must be analyzed first.

[0071] The data enrichment module (134) together with the data acquisition module (133) collects additional information from the Internet, taking into account the vulnerability identifier (CVE) of the following form: the presence of program code for the operation of the indicated vulnerability (exploit), information about security updates , including replacement / cross (Microsoft), information about security packages (according to the package manager of Unix / Linux systems), information about the version of the vulnerable object, information about the overall vulnerability assessment, taking into account its version ( CVSS 2.0 or CVSS 3.0) and other attributes used in the entity "Vulnerability" (vulnerability).

[0072] Moreover, the enrichment module (134), according to a predetermined schedule, for entities of the "Vulnerability" type, carries out a continuous process of searching for additional information on the Internet on certain resources. In the process of processing information on a particular vulnerability, the system (130) uses the function of maintaining and accounting for entities. Initially, the system (130) in an automated mode forms the entity "Vulnerability", which aggregates the results of the above modules. Aggregated information, taking into account prioritization, is transmitted for further analysis to the analytics module (136).

[0073] During processing of the Vulnerability entity using the analytics module (136), the integration module (135) is also used to evaluate the applicability of the found vulnerability to the infrastructure. The integration module (135) allows you to send a request to centralized systems for maintaining IT assets, for example, to determine the availability of security updates or other attributes used in the "Vulnerability" entity.

[0074] The analytics module (136) analyzes the received data from the integration module (135) according to the embedded information processing algorithms. Moreover, if the vulnerability type is network, the analytics module (136) can call the integration module (135) again to obtain information about the network reachability of the end computing nodes. Subsequently, this information may affect the assessment of the applicability of the vulnerability being handled.

[0075] After the analysis (determination of relevance) of the received data stream about the vulnerability and its application in the infrastructure is performed, the function of maintaining and accounting entities is reused. Based on the results of the analysis, an “analytical report” is created in the CASE entity. According to the results of the publication of the CASE entity, if steps are required to eliminate the vulnerability, or the establishment of any other application in the application accounting system (ticketing), the integration module (135) fills a certain set of application fields with data from the CASE entity and registers it in the application accounting system (ticketing).

[0076] In FIG. Figure 2 shows an example of the general form of a computing device (200), with which the functionality of the system (130) can be implemented. The device (200) may be part of a computer system, for example, a server, a computer, a cloud platform, or the like.

[0077] In general, a computing device (200) comprises one or more processors (201) connected by a common data bus, memory means such as RAM (202) and ROM (203), input / output interfaces (204), devices input / output (205), and a device for network interaction (206).

[0078] A processor (201) (or multiple processors, a multi-core processor) may be selected from a variety of currently widely used devices, for example, Intel ™, AMD ™, Apple ™, Samsung Exynos ™, MediaTEK ™, Qualcomm Snapdragon ™, and etc. Under the processor, it is also necessary to take into account a graphic processor, for example, an NVIDIA or ATI GPU, which may also be suitable for performing the required computing processing functionality. At the same time, the available memory of the graphics card or graphics processor may also be a means of memory.

[0079] RAM (202) is a random access memory and is designed to store machine-readable instructions executed by the processor (201) to perform the necessary operations for logical data processing. RAM (202), as a rule, contains executable instructions of the operating system and corresponding software components (applications, program modules, etc.).

[0080] The ROM (203) is one or more permanent storage devices, for example, a hard disk drive (HDD), a solid state drive (SSD), flash memory (EEPROM, NAND, etc.), optical storage media ( CD-R / RW, DVD-R / RW, BlueRay Disc, MD), etc.

[0081] Various types of I / O interfaces (204) are used to organize the operation of the components of the device (200) and organize the operation of external connected devices. The choice of appropriate interfaces depends on the particular computing device, which can be, but not limited to: PCI, AGP, PS / 2, IrDa, FireWire, LPT, COM, SATA, IDE, Lightning, USB (2.0, 3.0, 3.1, micro, mini, type C), TRS / Audio jack (2.5, 3.5, 6.35), HDMI, DVI, VGA, Display Port, RJ45, RS232, etc.

[0082] Various means (205) of I / O information, for example, a keyboard, a display (monitor), a touch screen, a touch pad, a joystick, a mouse, a light pen, a stylus, are used to provide user interaction with a computing device (200), touch panel, trackball, speakers, microphone, augmented reality, optical sensors, tablet, light indicators, projector, camera, biometric identification tools (retina scanner, fingerprint scanner, voice recognition module), etc.

[0083] The network interaction tool (206) enables data transmission by the device (200) via an internal or external computer network, for example, an Intranet, the Internet, a LAN, and the like. As one or more means (206), it can be used, but not limited to: Ethernet card, GSM modem, GPRS modem, LTE modem, 5G modem, satellite communications module, NFC module, Bluetooth and / or BLE module, Wi-Fi module and other

[0084] Additionally, satellite navigation aids as part of device (200), for example, GPS, GLONASS, BeiDou, Galileo, can also be used.

[0085] The materials of the application disclose preferred examples of the implementation of the technical solution and should not be construed as limiting other, particular examples of its implementation, not going beyond the scope of the requested legal protection, which are obvious to specialists in the relevant field of technology.

Claims (24)

1. The system of intelligent control of cyber threats, containing - at least one processor capable of processing information flows between modules of the system; - at least one means of data storage containing machine-readable instructions executed by a processor; - a data acquisition module providing

collecting information from external and internal data sources containing information about cyberthreats;

filtering the received data and converting the received information into a single presentation format; - data enrichment module providing

addition of data on indicators of compromise of cyber threats from external data sources;

search and collection of information about malicious code associated with known cyber threats;

updating cybersecurity information, including at least information: on the vulnerability of the software used, the presence of malicious code associated with at least one vulnerability, and information on updating at least one software that provides protection against at least one type of vulnerability ;

identifying user accounts that were involved in interacting with resources related to compromise indicators, information on which is stored in the database; - a database that provides storage of relevant information on cyberthreats transmitted from the data acquisition modules and the data enrichment module; - an integration module that ensures the transmission in a unified format of data on cyberthreats to internal sources; - analytics module providing

Vulnerability analysis of IT infrastructure in systems connected to the integration module;

identifying and displaying implicit links between informational entities related to at least one type of cyberthreat, by analyzing the chains of links between the mentioned entities and searching for common nodes of the mentioned entities. 2. The system according to claim 1, characterized in that the data acquisition module further deduplicates data received from external sources. 3. The system according to claim 1, characterized in that external sources transmit data in a structured and unstructured form. 4. The system according to p. 3, characterized in that the data is obtained from the computer network Internet. 5. The system according to claim 1, characterized in that it further comprises an administration module that provides control of user access rights and logging of the system operation. 6. The system according to claim 1, characterized in that the request for data from external sources is carried out automatically according to a schedule or based on an external user request. 7. The system according to claim 1, characterized in that the cyber threat compromising indicator is selected from the group: IP address, domain name, checksum, resource identifier, or combinations thereof. 8. The system according to claim 1, characterized in that the analytics module additionally prioritizes information on cyber threats. 9. The system of claim 8, characterized in that the prioritization is based on keywords or scoring a threat identifier (CVE).

Images