RU2802539C1 - Method for identifying information security threats (options) - Google Patents

Abstract

FIELD: information security.

SUBSTANCE: method for detecting IS threats includes the following steps: on a machine-readable medium of a computer, data corresponding to at least one remote file is searched; using the analysis conditions, checking the possibility of analyzing the found data; when the analysis conditions are met, at least a portion of the data corresponding to the remote file is read into the computer's RAM; analyze the read data for the presence of information about IS threats; upon detection of information about IS threats, a notification is generated about the detected IS threat.

EFFECT: increasing the level of detection of information security threats (IS), traces of computer infection with malware, to improve the quality of detection of malware and computer attacks.

38 cl, 4 dwg

Description

Field of technology

The invention relates to the field of information security, and more specifically to methods for identifying threats to information security, such as malicious software and computer attacks.

State of the art

In modern society, computer information systems (also IS - a set of computing devices and communications used to connect them; an information system is also called corporate infrastructure) play an important role. At the same time, there is currently a sharp increase in the number of information security (IS) threats, which may include various malicious software (malware) and computer attacks (cyber-attacks). Malware may include network worms, computer viruses, Trojan horses, hacking tools, and unwanted software. Computer attacks by criminals and, in particular, targeted attacks (targeted attacks, targeted attacks - TA), as well as persistent attacks of increased complexity (Advanced Persistent Threat - APT) on an information system have become widespread. Attackers can pursue various goals - from stealing personal data of employees to industrial espionage.

Modern security tools implement a wide variety of methods for detecting malware and computer attacks - signature and heuristic analysis methods, proactive protection technologies, behavioral analysis, intrusion detection systems (IDS, intrusion detection system), firewall, emulator and sandbox. In addition, the protection tools use various cloud technologies and modern methods of detecting malware and computer attacks using machine learning methods. Thus, modern detection technologies are mainly aimed at identifying active infestations. Antiviruses allow you to preventively block the execution of malicious code, IDS systems allow you to detect an intrusion into a computer network and notify the owner of confidential information about it.

There are various possible ways that a computer can be infected with malware - for example, when visiting an infected website, when opening a malicious attachment in an email, when connecting a removable drive, over a local network, and others. One of the ways to infect a computer with malware is to use downloaders or droppers. Loader - software for downloading via a malware network. Dropper is software for delivering another malware to a victim’s computer or smartphone. Thus, the main task of the downloader and dropper is to silently install another malware, the so-called payload, on the target device. However, traces of infection may remain - any information about how the malware was infected, for example, indicators of compromise (IOC), information about the dropper or downloader that installed the malicious file.

Unlike the downloader, which downloads the necessary components from the attackers’ server, the dropper contains them within itself. When launched, it extracts the payload (payload) and saves it to the device. The payload may contain the malware files themselves or parts of them, such as libraries. Also, the dropper and loader can launch malware installation files. Another feature of downloaders and droppers is that after downloading and installing the payload, the downloader or dropper itself can be deleted from the computer's file system, thereby removing any trace of its presence. Therefore, a security tool (for example, an antivirus) cannot always determine how the malware appeared on the computer. This problem is especially relevant if a security tool (antivirus) was installed on the computer after the bootloader or dropper was removed. That is, the protection tool will not be able to find traces of infection and determine the chain of infection, and will also not be able to find those infections of malware that were carried out before the moment of analysis. Infection chain is the name given in the information security industry to a set of multi-stage attack tools that are sequentially loaded into an infected system. The ultimate goal of the attackers is to install and launch the payload. It is worth noting that elements of the infection chain may be present on several computers of the information system. For example, one of the computers may be an intermediate point of a computer attack on other computers in the information system.

Computer attacks can be carried out in a similar way. Although attackers try to hide traces of infection, indicators of compromise may still remain on the victim’s computer, including among deleted files. For example, after the start of a computer attack, an attacker can delete the system event log, which contains a service installation event with a name pattern that matches the malware family; the system call log can also contain indicators of compromise.

An attacker can use malware to automatically steal passwords. To do this, the attacker installs a dropper on the victim’s computer, which in turn installs malware to steal passwords, after which the dropper is deleted. After receiving passwords from accounts on other computers, the password-stealing malware sends the received passwords to the control center and is also deleted on the first computer. And if a security tool or antivirus was installed only after an information security incident occurred, it will not be able to detect the chain of infection and traces of a computer attack that led to an information security incident involving the theft of account passwords.

In addition, the antivirus may not be on the computer for a long time or may be disabled by the user, and by the time the antivirus is installed, some or all information about information security threats may be deleted from the computer’s file system, which will complicate the identification of information security threats.

Another cybersecurity challenge is new, previously unknown malware, including malware that exploits vulnerabilities, in particular zero-day vulnerabilities. For such information security threats, signatures or behavioral patterns for proactive protection or behavioral heuristics for heuristic protection have not yet been created, and other protection technologies may also miss a new threat. Moreover, such malware can be quickly removed from the computer after executing the malicious payload. Even if after some time the protection tool receives updated anti-virus databases containing rules for detecting previously unknown malware, the protection tool will not be able to establish the fact of a previous infection of the computer and will not be able to notify the user about the damage caused to the information security of the computer.

Also, in an enterprise, an attacker can penetrate the information system by exploiting vulnerabilities and use malware and techniques/procedures for which there is no detection logic in the enterprise detection systems (for example, anti-virus technologies, IDS, EDR, SIEM and others) at the time of his active actions. Upon completion of their operation to steal confidential data, attackers often remove traces of their presence, for example, by cleaning logs and deleting from the system disk the malware that they used to move through the network (English lateral movement) from the entry point to the storage location of confidential information.

Over time, detection system developers can add detection logic to detection systems (for example, to antivirus technologies, IDS, EDR, SIEM and others), however, since the attacker has already removed his malware, these tools can no longer detect a computer attack after the fact. A similar problem is typical for services and systems, such as the compromise assessment system, the incident response service, and the threat hunting service.

Thus, a technical problem arises consisting of a low level of detection of information security threats that arose before the computer was analyzed for information about information security threats or were missed during a previous analysis.

Technologies for creating and scanning backup copies of files are known from the prior art. For example, patent US8220053B1 describes a method for anti-virus scanning of a computer disk backup. However, a backup copy is created at a point in time before the start of anti-virus scanning in order to avoid blocking malware files. Therefore, such a backup copy will not contain deleted files, because it was created immediately before the start of the anti-virus scan. Therefore, the known technology will not detect malware infections whose traces have been removed from the computer.

Thus, the known technologies have disadvantages that prevent a full solution to the stated technical problem, so there is a need for the claimed invention to solve the specified technical problem.

Disclosure of the invention

The first technical result is to increase the level of detection of information security threats, in particular malware, computer attacks.

The second technical result is to reduce the detection time of information security threats, in particular malware, and computer attacks.

The third technical result is to increase the level of detection of a computer malware infection chain.

The fourth technical result is to increase the level of detection of traces of malware infection on a computer.

The fifth technical result is to increase the level of detection of those malware infections, traces of which have been removed from the computer’s file system.

The sixth technical result is to improve the quality of technology for detecting malware and computer attacks, in particular the system for detecting traces of penetration into the system, the incident response service, and the threat search service.

According to an embodiment, a computer-implemented method for identifying information security (IS) threats is used, which includes the steps of: searching for data corresponding to at least one remote file on a machine-readable computer medium; using analysis conditions, check the possibility of analyzing the found data; when the analysis conditions are met, at least part of the data corresponding to the remote file is read into the computer's RAM; analyze the read data for information about information security threats; When information about information security threats is detected, a notification about the detected information security threat is generated.

According to one of the private implementation options, information security threats are at least one of: malicious software (malware), computer attack; wherein information about malware includes malware data, and information about a computer attack includes indicators of compromise.

According to another particular embodiment, information about a computer attack additionally includes malware data.

According to another particular embodiment, the analysis conditions include at least one of the following: it is possible to read the path to the remote file; it is possible to read at least part of the contents of the remote file; The deleted file is not among the actual files.

According to one particular embodiment, the analysis condition further includes the following: it is possible to read at least part of the contents of the remote file, and the remote file has not been overwritten or corrupted.

According to another particular embodiment, the analysis condition further includes the following: it is possible to read at least part of the contents of a remote file, and the remote file has been overwritten or corrupted, provided that the read data of the remote file is sufficient to analyze for the presence of information about information security threats, or metadata of the specified remote file allow you to obtain the source file and analyze the source file for information about information security threats.

According to another particular embodiment, data corresponding to at least one remote file is searched on a machine-readable medium of a computer when information about a second information security threat was previously detected on the computer or on a remote server connected to the computer.

According to one of the private implementation options, when information about an information security threat is detected based on the results of the analysis of the read data, information about the second information security threat is included in the generated notification about the detected information security threat.

According to another particular embodiment, data corresponding to at least one remote file is searched on a machine-readable medium of a computer when information about a second information security threat was previously detected on the computer or on a remote server connected to the computer, and in the event that the information security threat is Malware and the second information security threat is the second malware, after detecting the second malware, the connection between the malware and the second malware is checked, and if such a connection is detected, the malware and the second malware are classified as one infection chain, and information about the identified infection chain is included in the notification about the detected information security threat .

According to another particular implementation option, the malware and the second malware are classified as one infection chain if the time interval between operations with deleted files in the data of which the malware and the second malware were found is within specified limits, where file operations include at least one of : creation, deletion, modification, opening, launching.

According to one of the particular implementation options, the malware and the second malware are classified as one chain of infection if a previously known computer attack uses the malware and the second malware, and information about the mentioned computer attack is additionally included in the notification of a detected information security threat.

According to another particular embodiment, data corresponding to at least one remote file is searched on a machine-readable medium of a computer when information about a second information security threat was previously detected on the computer or on a remote server connected to the computer, and if the information about the threat Information security is an indicator of compromise and information about the second threat is information security is a second indicator of compromise, and also if, after detecting the second indicator of compromise, the connection between the indicator of compromise and the second indicator of compromise is checked, and if such a connection is identified, the indicator of compromise and the second indicator of compromise are attributed to one information security threat - computer attack, and information about the detected computer attack is included in the notification about the detected information security threat.

According to another particular embodiment, the indicator of compromise and the second indicator of compromise are classified as one computer attack if the time interval between operations with deleted files, in the data of which the indicator of compromise and the second indicator of compromise were found, is within specified limits, where operations with files include at least one of: creation, deletion, modification, opening, execution.

According to one of the private embodiments, the indicator of compromise and the second indicator of compromise are attributed to one computer attack if a previously known computer attack uses an indicator of compromise and a second indicator of compromise, and information about the mentioned computer attack is additionally included in the notification about a detected information security threat.

According to another particular embodiment, the read data of the deleted file is analyzed using antivirus databases updated from the time the file was deleted.

According to another particular embodiment, data corresponding to at least one deleted file is searched in at least one of the following ways: by low-level analysis of the file system, by comparing current files with files from at least one backup copy of files, using technologies “file carving”, using the “file slack space extraction” technology, by performing cluster-by-cluster analysis.

According to one of the particular implementation options, during low-level analysis of the file system, they search for free cells on machine-readable media in the main file table, after which they analyze the found cells for the presence of a structure corresponding to the structure of the file cell, parse the cell structure and recognize the cell as containing information on the remote file , wherein the contents of the cell are used to search for blocks of computer-readable media storing the contents of the file and to read the contents of the file.

In another particular embodiment, the selected remote files are analyzed by sending metadata of the selected remote files to the remote device and receiving feedback from the remote device.

According to another particular embodiment, data corresponding to at least one remote file is searched by performing at least one pass over a computer-readable medium.

In one particular embodiment, the remote file data includes at least one of the following: metadata, content.

In another embodiment, the parsing conditions are checked on all found data of the remote file or only on the file's metadata.

According to an embodiment, a computer-implemented method for identifying information security threats is used, which includes the steps of: searching a machine-readable computer medium for data corresponding to at least one deleted file; reading at least part of the found data corresponding to the remote file into the computer's RAM; analyze the read data for information about information security threats; When information about information security threats is detected, a notification about the detected information security threat is generated.

According to one of the private implementation options, information security threats are at least one of: malware, computer attack; wherein information about malware includes malware data, and information about a computer attack includes indicators of compromise.

According to another particular embodiment, information about a computer attack additionally includes malware data.

According to another particular embodiment, data corresponding to at least one remote file is searched on a machine-readable medium of a computer when information about a second information security threat was previously detected on the computer or on a remote server associated with the computer.

According to one of the private implementation options, when information about an information security threat is detected based on the results of the analysis of the read data, information about the second information security threat is included in the generated notification about the detected information security threat.

According to another particular embodiment, data corresponding to at least one remote file is searched on a machine-readable medium of a computer when information about a second information security threat was previously detected on the computer or on a remote server connected to the computer, and in the event that the information security threat is Malware and the second information security threat is the second malware, after detecting the second malware, the connection between the malware and the second malware is checked, and if such a connection is detected, the malware and the second malware are classified as one infection chain, and information about the identified infection chain is included in the notification about the detected information security threat .

According to another particular implementation option, the malware and the second malware are classified as one infection chain if the time interval between operations with deleted files in the data of which the malware and the second malware were found is within specified limits, where file operations include at least one of : creation, deletion, modification, opening, launching.

According to one of the particular implementation options, the malware and the second malware are classified as one chain of infection if a previously known computer attack uses the malware and the second malware, and information about the mentioned computer attack is additionally included in the notification of a detected information security threat.

According to another particular embodiment, data corresponding to at least one remote file is searched on a machine-readable medium of a computer when information about a second information security threat was previously detected on the computer or on a remote server connected to the computer, and if the information about the threat Information security is an indicator of compromise and information about the second threat is information security is a second indicator of compromise, and also if, after detecting the second indicator of compromise, the connection between the indicator of compromise and the second indicator of compromise is checked, and if such a connection is identified, the indicator of compromise and the second indicator of compromise are attributed to one information security threat - computer attack, and information about the detected computer attack is included in the notification about the detected information security threat.

According to another particular embodiment, the indicator of compromise and the second indicator of compromise are classified as one computer attack if the time interval between operations with deleted files, in the data of which the indicator of compromise and the second indicator of compromise were found, is within specified limits, where operations with files include at least one of: creation, deletion, modification, opening, execution.

According to one of the private embodiments, the indicator of compromise and the second indicator of compromise are attributed to one computer attack if a previously known computer attack uses an indicator of compromise and a second indicator of compromise, and information about the mentioned computer attack is additionally included in the notification about a detected information security threat.

According to another particular embodiment, the read data of the deleted file is analyzed using antivirus databases updated from the time the file was deleted.

According to another particular embodiment, data corresponding to at least one deleted file is searched in at least one of the following ways: by low-level analysis of the file system, by comparing current files with files from at least one backup copy of files, using technologies “file carving”, using the “file slack space extraction” technology, by performing cluster-by-cluster analysis.

According to one of the particular implementation options, during low-level analysis of the file system, they search for free cells on machine-readable media in the main file table, after which they analyze the found cells for the presence of a structure corresponding to the structure of the file cell, parse the cell structure and recognize the cell as containing information on the remote file , wherein the contents of the cell are used to search for blocks of computer-readable media storing the contents of the file and to read the contents of the file.

In another particular embodiment, the selected remote files are analyzed by sending metadata of the selected remote files to the remote device and receiving feedback from the remote device.

According to another particular embodiment, data corresponding to at least one remote file is searched by performing at least one pass over a computer-readable medium.

In one particular embodiment, the remote file data includes at least one of the following: metadata, content.

Brief description of drawings

Additional objects, features and advantages of the present invention will become apparent from a reading of the following description of the invention with reference to the accompanying drawings, in which:

In FIG. Figure 1 presents a system for identifying information security threats.

In FIG. 2 presents a method for identifying information security threats.

In FIG. 3 shows a possible example of a security measure.

Fig. 4 provides an example of a general purpose computer system with which the present invention can be implemented.

Carrying out the invention

Objects and features of the present invention, methods for achieving these objects and features will become apparent by reference to exemplary embodiments. However, the present invention is not limited to the exemplary embodiments disclosed below, but may be embodied in various forms. The following description is intended to assist one skilled in the art to fully understand the invention, which is defined only by the scope of the appended claims.

Glossary

A file is a collection of related records stored on a machine-readable storage medium of a computer and considered as a single whole. It is uniquely identified by specifying the file name, its extension and the path to the file. Each file consists of metadata (also attributes) and content (also the body of the file). The metadata of a file primarily includes its name, content type, date and time of creation, name of the creator, size, conditions for granting permissions for its use, and access method. The contents of the file can be programs, data, texts and any other information.

A file system is a part of the operating system (OS) that provides writing and reading of files on machine-readable media. Defines the file's logical and physical structure, identification, and accompanying data.

Deleting a file (English file delete) is a procedure for excluding a file from a directory and/or from the file system on computer-readable storage media. Deleting a file does not mean physically erasing it from the storage medium. When a file is deleted, only information about it in the directory and/or file system is erased. In the present invention, a deleted file refers to a collection of data remaining on a computer-readable medium corresponding to a file after the file has been deleted. Data corresponding to a deleted file is part or all of the data corresponding to a file after that file has been deleted. The data corresponding to the deleted file is of two types - metadata, content.

Indicators of compromise (English indicator of compromise, IOC, less often - indicators of infection, indicators of compromise, indicators of a computer attack) - in computer forensics this is the name given to artifacts or residual signs of an intrusion into an information system, for example a computer attack, observed on a computer or on a network . Typical indicators of compromise are, for example, antivirus signatures (malware signatures), IP addresses, file checksums, URLs, domain names of botnet command centers that have been observed in known computer attacks. There are a number of standards for indicators of compromise, in particular: OpenIOC, STIX, CybOX, etc.

A computer attack is a set of hidden and lengthy activities carried out by an attacker and aimed at the information system of an organization or individual with the aim of penetrating the network and causing various types of damage to the organization or individual.

A targeted attack (also a targeted or targeted attack, from the English targeted attack - TA) is a computer attack on the information system of a specific organization or a specific individual with the aim of penetrating the network and causing various types of damage to the organization or individual.

An Advanced Persistent Threat (APT, also an advanced persistent threat) is a complex, long-lasting, well-planned multi-pass computer attack that uses complex malware (software), social engineering methods and data about the information system of the attacked person.

Malicious software (MSW) is any program designed to perform any unauthorized, harmful, unwanted action on a computer device. Malware can be used as part of a computer attack or without it.

Below are examples of malware:

• viruses;

• macro viruses for Word and Excel;

• boot viruses;

• script viruses, including batch viruses that infect the Windows shell, Java applications, etc.;

• keyloggers;

• programs for stealing passwords;

• backdoor Trojans;

• crimeware - malicious programs created to automate the commission of financial crimes;

• spyware;

• adware and other types of malware;

• hacker utilities;

• unwanted software.

An information security (IS) threat is a set of conditions and factors that create the danger of an information security violation. An information security threat is at least one of the following: malicious software (malware), computer attack, and information about the malware includes malware data (for example, the verdict of the protection tool, hash sums of files, file paths, dates of appearance on the computer specified files, signatures and other information about detected malware, in particular malicious files). Computer attack information includes indicators of compromise. In a particular embodiment, information about a computer attack additionally includes malware data.

In FIG. 1 shows a system for identifying threats to information security 100 , which is implemented on a computer 20 (an example of a general-purpose computer system is shown in Fig. 4 ). The system 100 includes a security tool 101 and an analysis tool 102 . The analysis tool 102 is designed to search (scan) data corresponding to at least one deleted file on the machine-readable storage medium 120 of the computer 20 (remote file data), and when the remote file data is found, to read at least part of the remote file data into the operational memory (random access memory - RAM) 25 of the computer 20 . The computer-readable medium 120 may be any computer-readable storage medium, such as the non-removable storage device 28 , the removable storage device 27 , which are shown in FIG. 4 . The claimed invention also works for any number and any combination of computer readable media 120 . The remote file data includes at least one of the following: metadata (all or part of the metadata), content (all or part of the contents of the remote file, and also the body of the remote file). That is, the remote file data may include only metadata, only content, or a combination of metadata and content of the remote file. In one embodiment, when data from a remote file is found, analysis conditions 103 are used to check whether the found data can be analyzed. The conditions of analysis 103 will be disclosed below. Moreover, if the conditions of analysis 103 are met, at least part of the data of the remote file is read into RAM 25 .

It is worth noting that checking, using analysis conditions, the possibility of analyzing the found data also implies reading into the RAM 25 (for example, into a temporary buffer, into a cache) the data on which the specified check is carried out, and the volume of such data may be less than the volume of all found data. data corresponding to the deleted file. Moreover, after verification, the data read for verification is released from RAM 25 , after which the data of the remote file is read into RAM 25 in the amount necessary for subsequent analysis. Moreover, the amount of data required for analysis may exceed the amount of data required to check the conditions of analysis. For example, only the metadata of a remote file may be sufficient for verification, while the analysis will be carried out using the metadata and contents of the remote file. In another example, the metadata of the remote file and part of the contents of the file may be sufficient for verification, while the analysis would be carried out using the metadata and the entire contents of the remote file found.

In another embodiment, reading at least a portion of the remote file data into the RAM 25 occurs whenever the remote file data is found. In this embodiment, the conditions of analysis 103 are not checked.

The security tool 101 is designed to analyze (detect, detect) the read data of a remote file for the presence of information security threats (more details about the operation of the security tool 101 are disclosed in Fig. 3 ) - that is, information about the specified information security threats. This analysis may consist of scanning the read data of the remote file by the modules of the security tool 101 (see Fig. 3 ) and/or searching the read data of the remote file for indicators of compromise. If information about an information security threat is detected, the result of the analysis contains information about the detected information security threat found (discovered) during the analysis.

The notification, which is generated when an information security threat is detected, may contain information (meta-information) about the detected information security threat (malware or computer attack). Information (data) about malware may include data such as, for example, the verdict of the protection tool 101 , hash sums (hashes) of files, file paths, dates of appearance of the specified files on the computer 20 , signatures and other information about the detected malware, in particular malicious files. Computer attack information may include indicators of compromise. Information about a computer attack may also include malware data if the detected malware indicates a computer attack. The generated notifications can be transmitted to a remote computer 110 for further analysis, in particular to identify and investigate information security incidents and take measures to ensure information security.

In the case where the information security threat is malware, analysis of the read data of a remote file for the presence of malware may include checking (scanning) using signature and heuristic analysis methods, proactive protection technologies, a vulnerability scanner, firewall, emulator, sandbox, machine learning methods and others methods (see Fig. 3 for details). Moreover, based on the results of the analysis, the deleted file itself may be recognized as a malicious file, or a potentially malicious file, or a dual-use hacker utility (that is, one that can be used for both legitimate purposes and malicious purposes), or containing several malicious files , if the deleted file is an archive. Additionally, the deleted file could be a hacking tool or one of the files used by a hacking utility (such as a dynamic link library or database).

Also, the remote file may contain information about the information security threat, which is one or another indicator of compromise, for example, malicious URLs, hashes of malicious components, log entries that may end up on computer 20 after it is infected with malware or a computer attack is carried out. Also, the remote file may contain such indicators of compromise as, for example, configurations of hacker utilities, temporary files of hacker utilities or output (report) of the operation of a hacker utility, a remote system event log that contains a service installation event with a name pattern that matches the malware family. Thus, in one of the implementation options, the analysis of read data from a remote file for the presence of information security threats (both malware and computer attacks) includes the detection of indicators of compromise in the read data. In this example, the claimed invention makes it possible to identify traces of infection, as well as the chain of infection and, therefore, identify those malware infections whose traces have been removed from the file system. In addition, the claimed invention makes it possible to identify computer attacks based on detected indicators of compromise.

For example, from the reports published by antivirus companies for the well-known APT Carbanak attack, a list of MD5 hashes or Yara rules of all malicious components that may end up on computer 20 after it is infected during the specified attack can be taken. In this example, the specified MD5 hashes or Yara rules are indicators of compromise. Moreover, individual such components may or may not cause direct harm to the computer, 20 but they indicate an information security threat - an APT Carbanak computer attack, which will be detected by the claimed invention. In this case, the analysis of the read data of a remote file will include checking the hash of the remote file against the mentioned list, searching the file for hashes from the mentioned list, or scanning with a Yara rule. And if a hash from the mentioned list is detected, the notification about the detected cybersecurity threat will include information about a possible APT Carbanak attack.

The security tool 101 and the analysis tool 102 access files and remote files on the computer readable medium 120 of the computer 20 through the file system 130 . In FIG. 1 shows a possible way to organize disk space using the NTFS file system as an example. The machine-readable medium contains a master boot record (MBR), one or more logical partitions of the machine-readable medium 120 , and a corresponding partition table of the machine-readable medium 120 . In this example, partition 1 of the machine-readable medium 120 contains several files, and for each file there is an entry in the master file table (MFT). If a file is deleted, the entry in MFT is marked as free, which indicates disk space available for recording. However, the contents of the deleted file remain on the computer-readable medium 120 . At the same time, the contents of the deleted file may be partially or completely overwritten by new data in the future. Thus, after deletion, it is possible to read all or part of the contents of the deleted file, or the metadata of the deleted file, especially on computer systems with low file system activity. It is also worth noting that such a structure for organizing disk space, as well as the ability to read data from remote files, is characteristic not only of the NTFS file system, but also of most other file systems. In particular, for file systems FAT (FAT16, FAT32), exFAT, HPFS, ext2, ext4, HFS and others. Therefore, the present invention can be implemented for most file systems, in particular those listed above.

One of the advantages of the claimed invention is to perform on-the-fly/on-stream/real-time analysis of deleted files—that is, without restoring or otherwise writing deleted files to the file system 130 on the computer-readable medium 120 . In this case, the data of the remote file is read into RAM 25 . In a particular implementation, after analyzing the read data of a remote file for the presence of information about information security threats, the read data will be deleted from RAM 25 . This method of analysis can significantly reduce analysis time due to the use of fast RAM 25 instead of the slow memory of computer-readable media 120 , as well as through the timely release of excess data (read data from a remote file) from RAM 25 . In addition, this method eliminates the possibility of restoring the most deleted file, potentially containing malware, to the machine-readable media 120 of the user's computer, thus not exposing the computer 20 to an information security threat. And the reading of data into the RAM 25 occurs in such a way as to prevent the execution of malicious functionality of the remote file. For example, data is read without launching execution, only part of the data is read, and in other ways. This feature also makes it possible to reduce the time of malware detection compared, for example, with the analysis of a previously saved image of a machine-readable medium 120 . Saving an image of computer-readable media 120 for the purpose of analyzing it for the presence of malware is usually used when conducting forensic analysis. In addition, the claimed invention can be scaled to work on a large number of computers 20 , which will improve the information security of the entire information system, as well as find an infection chain, the elements of which are present on several computers 20 of the information system.

In addition, real-time operation on the computer system 20 has a significant advantage over existing approaches based on taking an image of a disk or other machine-readable media of the system and transporting the image to a central server that recovers deleted files from the disk image using forensic methods on a separate system and in then scans them with an antivirus. After all, such approaches cannot be effective on an enterprise scale, because they require imaging all systems in the enterprise and transporting them all to a central server. Images can reach hundreds or thousands of gigabytes, and just capturing and transporting them can take tens of hours, or even more if users are connected to the enterprise network via VPN and/or working remotely through a low-bandwidth link. Therefore, the use of the claimed invention, which to a certain extent combines the work of an antivirus that runs in real time on a computer system, in combination with a system for searching for data of deleted files and analyzing them for information security threats, allows one to bypass these technological obstacles.

Another advantage of the claimed invention is that reading deleted file data into RAM 25 does not have the disadvantage that occurs when recovering or otherwise writing deleted files in the file system 130 on computer-readable media 120 . Namely, the ability to write a recovered file over another deleted file, which will then not be able to be recovered/read and analyzed for information security threats.

Many antivirus tools known in the prior art send suspicious files to a remote server for detailed analysis and, based on the verdict of the remote server, decide whether to raise an alarm. The criterion for a file being suspicious is based on detection logic, which may not be present at the time the malicious file is present in the system and will appear in the antivirus database after the malicious file has been deleted. Therefore, combining an antivirus with a system for searching for data of deleted files and analyzing them for information security threats allows you to scan deleted files with new detection logic, search for suspicious files among them, send them to a remote server (for example, to a remote computer 110 ) for detailed analysis, after which the remote the file will be recognized as malicious, and thus detect new, previously unknown malware. A released signature for this previously unknown malware may detect other previously unknown examples of malware, thereby increasing the detection rate.

Among other things, combining the work of an antivirus and a data search system for deleted files allows you to detect other indicators of compromise and traces of infection. For example, a deleted file data retrieval system can detect and read system log data that was intentionally deleted by an attacker. The log may contain events, after scanning which the antivirus can decide that malware was executed in the file. For example, when moving from system to system, the “cobaltstrike” malware installs a malicious service on the target system, the fact that the service is installed on the system generates event 7045 in the Windows system log with the following patterns:

• Service Name: <7-alphanumeric-characters>;

• Service File Name: %COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand <base64-encoded-command>.

If an attacker deletes the log, then the claimed invention will make it possible to detect the fact of compromise and installation of malware by reading the deleted log data and searching it for the indicator of compromise described above and other indicators of compromise.

Another example would be indicators of compromise containing artifacts left behind by malware. For example, the “mimikatz” utility, when dumping Kerberos tickets, creates files with the “.kirbi” extension on machine-readable media. The presence of such a file or a deleted file is an indicator of compromise.

The present system 100 can begin searching for deleted file data based on data (e.g., commands, instructions) received from the user of the computer 20 , including from a security officer or information security analyst (SOC analyst, from the English security operation center), according to a schedule , after installing the system 100 on the computer 20 , after installing the protection tool 101 or an antivirus on the computer 20 , after updating the anti-virus databases of the protection tool 101 , when changing the analysis conditions 103 , when an information security threat is detected on the computer 20 by the protection tool 101 or when other conditions are met. Thus, according to a particular embodiment, a search for data corresponding to remote files is started on the computer readable medium 120 when the condition is met that information about an information security threat (the first information security threat) was detected on the computer or on a remote server associated with the computer, and if information about an information security threat is detected based on the results of analysis of the read data (second information security threat), information about the first information security threat and about the second information security threat is included in the notification about the detected information security threat.

In another example of implementation, the first information security threat and the second information security threat are attributed to one infection chain (or one computer attack) if a computer attack is known that uses the first information security threat and the second information security threat in the sequence in which the mentioned information security threats arose. For example, a dropper may contain malware that will be installed on the computer and which configures the OS, after which the malware and the dropper are removed. In another example, the dropper extracts the downloader, after which the downloader downloads the malware and installs it on the computer. In another example, several droppers extract parts of malware (for example, libraries, files) or parts of files (for example, not containing executable file headers) onto a computer, after which, at the last stage, the malware is assembled from several files. In another example, the downloader analyzes legitimate software constructors on a computer and downloads specific components for the constructors found, which will then be assembled into a specific malware. In all of the above examples, droppers, loaders, parts of malware can be detected among the data of remote files as information about information security threats, and the totality of such information about information security threats will be collected into one infection chain corresponding to one of the previously known computer attacks, which is an information security threat. Information about previously known computer attacks may be contained on the computer 20 , for example, in the form of a list, database or list of known computer attacks, which also contains indicators of compromise corresponding to the specified computer attacks and, if available, corresponding malware.

In one particular embodiment, for example, if the security tool 101 has detected malware (the first malware), then the system 100 will search for the deleted file data, read the deleted file data into the RAM 25 , and identify the malware in the read data. Moreover, if the system 100 finds malware in the read data (second malware), then the chain of infection (the set of the first malware and the second malware) can be restored, and traces of malware infection can be detected. It is also worth noting that although the first malware was detected earlier than the second malware, the second malware could nevertheless appear on computer 20 before the first malware. In this case, the notification about a detected malware infection of a computer includes information about the first malware and the second malware, as well as about the identified chain of infection.

In another particular embodiment, the read data of a deleted file is analyzed using antivirus databases updated from the time the file was deleted (current antivirus databases). This implementation option will allow you to identify new malware, signatures (or other rules) for detection of which were created or obtained after the file was deleted. In addition, computer attacks using such new malware may be detected. Also, the analysis may include primary and secondary analyses. Moreover, for primary analysis, databases with a high risk of type II errors can be used, and secondary analysis uses all databases. It is also worth noting that legitimate files/applications may also be present in the infection chain, for example, those used to assemble one malicious file from several files. In this case, the specified legitimate files can be identified as indicators of compromise.

In another particular embodiment, after malware is detected in the read data of a remote file, the connection between the malware detected before the search for remote files and the malware detected in the read data is checked.

For example, they check the time interval between operations with deleted files in the data of which malware was found, and if the time interval is within a specified limit, the found malware is assigned to the same infection chain. In addition, the type of malware, for example a dropper, can be determined if it is shown that a file that was deleted, but its data was saved on a machine-readable medium 120 , before its deletion, launched a process from which a new file was created, in which it was Malware detected. Operations with remote files include at least one of: creation, deletion, modification, opening, execution.

In another example, the first malware and the second malware are assigned to the same infection chain if a computer attack is known that uses the first malware and the second malware. For example, data from the first malware and the second malware may be contained in information about a known computer attack. In this case, the notification about a detected information security threat additionally includes information about the mentioned computer attack.

In another example, malware was discovered on a remote information system server (which is another computer not shown in the figure), for example, through manual forensic analysis of the remote server. After this, one or more signatures were created for the protection tool 101 , allowing detection of the detected malware. These signatures were then delivered to the security tool 101 on the computer 20 , which may also be a server. Next, on computer 20 , a search was carried out for data corresponding to the deleted files, and the read data was analyzed taking into account new signatures. And if, as a result of the analysis, a second malware was detected on computer 20 using new signatures, then the malware detected on the remote server and the second malware detected on computer 20 will be classified as one infection chain.

In another particular implementation, if information about the first information security threat is an indicator of compromise (the first indicator of compromise) and information about the second information security threat is an indicator of compromise (the second indicator of compromise), and also if, after detecting the second indicator of compromise, the connection between the first an indicator of compromise and a second indicator of compromise, and if such a connection is detected, the first indicator of compromise and the second indicator of compromise are attributed to one information security threat - which is a computer attack, then information about the identified computer attack (information security threat) is included in the notification about the detected information security threat.

In another particular embodiment, the first indicator of compromise and the second indicator of compromise are attributed to one computer attack if the time interval between operations with deleted files, in the data of which the first indicator of compromise and the second indicator of compromise were found, is within specified limits, where operations with deleted files include at least one of: creation, deletion, modification, opening, execution.

In yet another particular embodiment, the first indicator of compromise and the second indicator of compromise are attributed to one computer attack if a computer attack is known that uses the first indicator of compromise and the second indicator of compromise, and information about the mentioned computer attack is additionally included in the notification of a detected information security threat.

The claimed invention may use various methods for searching for data of deleted files. For example, searching for deleted file data may be accomplished by comparing the actual files (present on the computer-readable medium 120 ) with files from at least one backup copy 104 (file brute force). Backup copy 104 may be any copy of the contents of computer-readable medium 120 . One or more backup copies 104 may be stored on the computer 20 . In addition, the backup copy 104 may be stored either on the computer-readable medium 120 itself or on any other storage medium, including on a remote computer 110 . For example, in Windows OS, the backup copy 104 is implemented using shadow copy technology (volume shadow copy service, VSS). Other examples are mobile OSs such as Android, iOS, in which backups 104 are stored in cloud storage on remote devices. Thus, the claimed invention can use any implementation of backup 104 , including those saved both recently (eg, less than 24 hours) and long ago (eg, a month or a year ago). It is also worth noting that the claimed invention allows you to analyze previous versions of current files if previous versions have been deleted.

Another way to search for data of deleted files is the “file carving” technology - a method of finding (with possible recovery, reading) data of deleted files from fragments in the absence of file system metadata. Another method is the “file slack space extraction” technology - analysis of unallocated space in the cells of data files on machine-readable media 120 . These methods of searching for data of deleted files can be used together, including together with searching for files in a backup copy 104 , or without it, if there are no backup copies 104 . For example, in backup 104 , the operating system may regularly add and remove files from certain directories. In this case, other methods of searching for data of deleted files will be additionally used.

In another particular embodiment, the search for data from deleted files is carried out on a machine-readable medium without reference to the file system. For example, if information about a file is deleted from the file system, and part of the file data is overwritten, but clusters containing old information remain, then a cluster-by-cluster analysis can be carried out, as a result of which malware data or other information about information security threats will be found.

In a particular implementation, the search for data from deleted files occurs sequentially in various listed ways, depending on the priority of using one or another method. Moreover, the priority can be determined, for example, by the speed of operation of the method or the availability of the method for the analyzed file system.

Another way to find deleted file data is through low-level analysis of the file system. Using the NTFS file system as an example, during this analysis they search for free cells in the main file table MFT, then analyze the found cells for the presence of a structure corresponding to the cell structure of the remote file, parse (parse) the cell structure and extract attributes from the cell, after which they recognize cell as containing information on the remote file. Moreover, the contents of the cell are used to search for blocks of computer-readable media 120 storing (containing) the contents of a remote file, and to read the contents of a remote file. The correctness and error-free execution of the above-mentioned parsing of the structure for the contents of the file and reading the contents into RAM 25 can also be checked. The remote file may only be partially read (if the computer-readable medium 120 contains part of the contents of the remote file), but even in this form, the data of the remote file (the readable portion) can be analyzed. Part of the packed files can be extracted from a partially read archive or dropper. The data read from the beginning of the remote file may contain metadata such as information about the format of the remote file as a whole, the name of the remote file, and others. In addition, the beginning of the remote file may contain a header of a known format, which will serve as additional information about the remote file itself.

In one embodiment, testing of parsing conditions 103 is performed by security tool 101 on all data found in the deleted file. In another particular embodiment, the parsing conditions 103 are tested only on the remote file metadata contained in the retrieved remote file data.

Analysis conditions 103 may include one or more of the following:

it is possible to read the path to a remote file;

it is possible to read at least part of the contents of the remote file (the remote file can be partially or completely read);

the deleted file is not among the actual files (present on the machine-readable medium 120 ).

Using such conditions allows you to reduce the time it takes to detect malware. For example, the actual files of the computer 20 are usually analyzed in advance by the protection tool 101 for the presence of malware. Therefore, if the deleted file coincides with one of the current files, then re-analysis of the read data of the deleted file on the malware is redundant. The situation is similar with known legitimate files - they have been analyzed previously and the verdict for them is known (if it has not changed over time). Checking the knownness of a remote file can be done against a list of known files or by sending a request for a remote file to a remote computer 110 that contains an up-to-date list of known files.

In a particular embodiment, the above-mentioned analysis condition 103 a) is checked during low-level analysis of the file system. In another embodiment, the specified condition is also checked when low-level analysis of the file system is not performed.

In a particular embodiment, the above-mentioned analysis condition 103 b) additionally checks that the deleted file has not been overwritten or corrupted.

In another particular embodiment, in the analysis condition 103 b) mentioned above, it is additionally checked that the remote file has been overwritten or corrupted, provided that the read data of the remote file is sufficient to analyze for the presence of information about information security threats, or the metadata of the specified remote file allows obtain the source file and analyze the source file for information about information security threats.

In yet another particular embodiment, the above-mentioned analysis condition 103 c) is checked in the case of analysis of the backup copy 104 . In another embodiment, this condition is also checked when the backup copy 104 is not analyzed.

In yet another particular implementation of this, the security tool 101 sends the read metadata or parts of the remote file to the remote computer 110 , and the remote computer 110 searches for the corresponding source file by comparing the received data and sends back metainformation about the source file to the security tool 101 or the source file itself.

In yet another particular embodiment, a search for data corresponding to at least one remote file is performed by at least one pass through the computer readable medium 120 of the computer 20 . By traversing computer-readable medium 120 is meant browsing (usually once) all or part of the data on computer-readable medium 120 . This implementation option makes it possible to eliminate the situation when, during the first pass, part of the data of one deleted file was found, which was then read into RAM 25 , after which it was discovered that the remaining part of the data of one deleted file was completely overwritten by a new file and therefore the read data cannot be analyzed. Two or more passes through the computer readable medium 120 will solve this problem by excluding from the analysis data corresponding to deleted files that have been overwritten so much that they are unusable for further analysis. However, the claimed invention also uses a single pass through the computer-readable medium 120 - in this case, the speed of the method for identifying information security threats increases.

In FIG. 1 also provides an example of searching for data corresponding to at least one deleted file (in this example, data corresponding to deleted file 3 would be found) and reading data from deleted file 3, the data of which remained on the computer-readable medium 120 while the MFT was written to marked as free. In this case, the deleted file 3 was read into RAM 25 by the analysis tool 102 .

In FIG. 2 presents a method for identifying IS threats 200 . At step 210 , the computer readable medium 120 of the computer 20 is searched for data corresponding to at least one deleted file. Then, at step 220 , when the remote file data is found, at least a portion of the found data corresponding to the remote file is read into the RAM 25 of the computer 20 . Next, at step 230 , the read data is analyzed for the presence of information about information security threats. As a result, at step 240 , when information about information security threats is detected, a notification about the detected information security threat is generated.

In one embodiment, at step 220 , when remote file data is found, analysis conditions 103 check whether the found data can be analyzed. And when the analysis conditions are met, at least part of the data corresponding to the remote file is read into the RAM 25 of the computer 20 and the operation of the method 200 continues at step 230 .

Particular implementations described for system 100 in FIG. 1 are also applicable to the method 200 of FIG. 2 .

Thus, the novelty of the claimed invention, which consists in a special combination of stages of searching for data of deleted files and analyzing the found data of deleted files using antivirus tools, makes it possible to detect information security threats, such as missed malware infections and computer attacks. For example, in the case of an enterprise, information about timestamps when a deleted malicious file was created in the system, hashes, attributes, as well as other meta-information about the deleted file can be added to the antivirus log events and notification about a detected cybersecurity threat - by analyzing such timestamps and meta information from several systems, the information security analyst can make educated guesses about the relationship between infections and the sequence in which the attacker infected systems with the same malware, and, accordingly, restore the chain of infection.

Using malware for automatic password stealer as an example, the claimed invention will allow us to trace the chain of infection for a more detailed investigation of information security incidents associated with malware infection or a computer attack, and take measures aimed at improving information security. In addition, the claimed invention can be used to improve the quality of technology for detecting malware and computer attacks, for example, such as: a system for detecting traces of system penetration (compromise assessment), an incident response service, a search service threats (English: threat hunting).

Thus, the claimed invention allows us to solve the technical problem of a low level of detection of information security threats that arose before the computer was analyzed for the presence of information about information security threats or were missed during the previous analysis. In addition, the stated technical results will be achieved, namely, the level of detection of information security threats, in particular malware, computer attacks, will be increased, the time for detecting information security threats, in particular malware, computer attacks will be reduced, the level of detection of a computer malware infection chain will be increased, the level of detection of traces of infection will be increased computer malware, the level of detection of those malware infections whose traces have been removed from the computer’s file system has been increased. The quality of technology for detecting malware and computer attacks will also be improved, in particular the system for detecting traces of system penetration, the incident response service, and the threat search service.

In FIG. 3 shows a possible example of protection 101 . Security tool 101 (antivirus or other security tool) of computer 20 may contain modules designed to ensure device security, for example: on-access scanner, on-demand scanner, email antivirus, web antivirus, proactive protection module, HIPS (Host Intrusion Prevention) module System - intrusion prevention system), DLP module (data loss prevention), vulnerability scanner, emulator, firewall, indicator of compromise (IOC) search module and others. It is worth noting that in one particular embodiment, the analysis tool 102 is one of the modules of the security tool 101 . In a private embodiment, these modules may be an integral part of the security means 101 . In yet another embodiment, these modules may be implemented as separate software components.

The on-access scanner contains functionality for detecting malicious activity of all opened, launched and saved files on the user’s computer system. An on-demand scanner differs from an on-access scanner in that it scans user-specified files and directories at the user's request.

An email antivirus is necessary to monitor incoming and outgoing email for malicious content. Web antivirus is used to prevent the execution of malicious code that may be contained on websites visited by the user, as well as to block the opening of websites. The HIPS module is used to detect unwanted and malicious program activity and block it at the time of execution. The DLP module is used to detect and prevent leakage of confidential data outside the computer or network. A vulnerability scanner is needed to determine vulnerabilities on the device (for example, some security components are disabled, out-of-date virus databases are used, a network port is open, etc.). The firewall monitors and filters network traffic in accordance with specified rules. The emulator's job is to imitate the guest system while executing file instructions in the emulator. The proactive protection module uses behavioral signatures to determine the behavior of applications and classify them by trust level.

The indicators of compromise search module searches for signs of compromise, for example, using YARA (open signature format) signatures, using the Loki scanner, using STIX and JSON formats.

In FIG. 4 illustrates a computer system on which various embodiments of the systems and methods disclosed herein may be implemented. The computer system 20 may be a system configured to implement the present invention and may be a single computing device or multiple computing devices, such as a desktop computer, a laptop computer, a notebook computer, a mobile computing device, a smartphone, a tablet computer, a server, mainframe, embedded device and other forms of computing devices.

As shown in FIG. 4 , computer system 20 includes: a central processing unit 21 , system memory 22 , and a system bus 23 that communicates various system components, including memory, coupled to the central processing unit 21 . System bus 23 is implemented like any bus structure known in the art, which in turn includes a bus memory or bus memory controller, a peripheral bus, and a local bus capable of interfacing with any other bus architecture. Examples of buses include: PCI, ISA, PCI-Express, HyperTransport™, InfiniBand™, Serial ATA, I2C and other suitable connections between computer system components 20 . The central processing unit 21 contains one or more processors having one or more cores. The central processing unit 21 executes one or more sets of computer-readable instructions implementing the methods presented herein. System memory 22 may be any memory for storing data and/or computer programs executable by the central processing unit 21 . System memory can contain both read-only memory (ROM) 24 and random access memory (RAM) 25 . The basic input/output system (BIOS) 26 contains the basic procedures that ensure the transfer of information between elements of the computer system 20 , for example, when the operating system is loaded using ROM 24 .

Computer system 20 includes one or more data storage devices, such as one or more removable storage devices 27 , one or more non-removable storage devices 28 , or combinations of removable and non-removable devices. One or more removable storage devices 27 and/or non-removable storage devices 28 are connected to the system bus 23 via an interface 32 . In one embodiment, removable storage devices 27 and associated computer-readable storage media are nonvolatile modules for storing computer instructions, data structures, program modules, and other computer system 20 data. System memory 22 , removable storage devices 27 , and non-removable storage devices 28 may use various computer readable media. Examples of computer-readable storage media include computer memory such as cache memory, SRAM, DRAM, capacitorless RAM (Z-RAM), thyristor memory (T-RAM), eDRAM, EDO RAM, DDR RAM, EEPROM, NRAM, RRAM, SONOS, PRAM; flash memory or other memory technologies such as solid-state drives (SSDs) or flash drives; magnetic cassettes, magnetic tapes and magnetic disks such as hard disks or floppy disks; optical media such as compact discs (CD-ROMs) or digital versatile discs (DVDs); and any other media that can be used to store the desired data and that can be accessed by the computer system 20 .

System memory 22 , removable storage devices 27, and non-removable storage devices 28 contained in the computer system 20 are used to store the operating system 35 , applications 37 , other program modules 38 , and program data 39 . Computer system 20 includes a peripheral interface 46 for transmitting data from input devices 40 such as a keyboard, mouse, stylus, game controller, voice input device, touch input device, or other peripheral devices such as a printer or scanner through one or more input/output ports, such as a serial port, parallel port, universal serial bus (USB), or other peripheral interface. A display device 47 , such as one or more monitors, projectors, or embedded displays, is also connected to the system bus 23 through an output interface 48 , such as a video adapter. In addition to the display devices 47 , the computer system 20 is equipped with other peripheral output devices (not shown in FIG. 4 ), such as speakers and other audiovisual devices.

The computer system 20 may operate in a networked environment using a network connection to one or more remote computers 49 . The remote computer(s) 49 is a working personal computer or server that contains most or all of the components noted previously in describing the nature of the computer system 20 shown in FIG. 4 . There may also be other devices in the network environment, such as routers, network stations or other network nodes. The computer system 20 may include one or more network interfaces 51 or network adapters for communicating with remote computers 49 over one or more networks, such as a local area network (LAN) 50 , a wide area network (WAN), an intranet, and the Internet. Examples of network interface 51 are an Ethernet interface, a Frame Relay interface, a SONET interface, and wireless interfaces.

Embodiments of the present invention may be a system, a method, or a computer-readable medium (or storage medium).

A computer-readable storage medium is a tangible device that stores and stores program code in the form of machine-readable instructions or data structures that are accessible by the central processing unit 21 of a computer system 20 . A computer-readable medium may be an electronic, magnetic, optical, electromagnetic, semiconductor storage device, or any suitable combination thereof. By way of example, such a computer-readable storage medium may include random access memory (RAM), read-only memory (ROM), EEPROM, compact disc read-only memory (CD-ROM), digital versatile disk (DVD) ), flash memory, hard drive, portable computer floppy disk, memory card, floppy disk, or even a mechanically encoded device such as punch cards or embossed structures with instructions written on them.

The system and method of the present invention can be thought of in terms of means. The term "device" as used herein refers to an actual device, component, or group of components implemented in hardware, such as an application-specific integrated circuit (ASIC) or FPGA, or a combination of hardware and software. providing, for example, using a microprocessor system and a set of machine-readable instructions to implement the functionality of a tool that (in the process of execution) turns the microprocessor system into a special-purpose device. The tool may also be implemented as a combination of these two components, with some functions being implemented by hardware alone and other functions being implemented by a combination of hardware and software. In some embodiments, at least a portion, and in some cases all, of the means may be executed on the central processing unit 21 of the computer system 20 . Accordingly, each means may be implemented in various suitable configurations and should not be limited to any particular embodiment set forth herein.

In conclusion, it should be noted that the information given in the description are examples that do not limit the scope of the present invention as defined by the formula. One skilled in the art will appreciate that in developing any actual embodiment of the present invention, many decisions specific to the particular implementation must be made to achieve specific objectives, and these specific objectives will differ from one embodiment to another. It is understood that such development efforts can be complex and time consuming, but will nevertheless be a routine engineering task for those of ordinary skill in the art using the present disclosure.

Claims (50)

1. A computer-implemented method for identifying information security (IS) threats, including stages in which: a) search for data corresponding to at least one remote file on a machine-readable computer medium; b) check, using analysis conditions, the possibility of analyzing the found data; c) when the analysis conditions are met, at least part of the data corresponding to the remote file is read into the computer’s RAM; d) analyze the read data for the presence of information about information security threats; e) when information about information security threats is detected, a notification is generated about the detected information security threat. 2. The method according to claim 1, in which the information security threats are at least one of: malicious software (malware), computer attack; wherein information about malware includes malware data, and information about a computer attack includes indicators of compromise. 3. The method according to claim 2, in which information about a computer attack additionally includes malware data. 4. The method according to claim 1, wherein the analysis conditions include at least one of the following: a) it is possible to read the path to a remote file; b) it is possible to read at least part of the contents of the remote file; c) the deleted file is not among the current files. 5. The method of claim 4, wherein the analysis condition further includes the following: it is possible to read at least part of the contents of the remote file, and the remote file has not been overwritten or corrupted. 6. The method according to claim 4, wherein the analysis condition further includes the following: it is possible to read at least part of the contents of the remote file, and the remote file has been overwritten or corrupted, provided that the read data of the remote file is sufficient to analyze for the presence of information about information security threats, or metadata of the specified remote file allows you to obtain the source file and analyze the source file for information about information security threats. 7. The method according to claim 1, in which data corresponding to at least one remote file is searched on the machine-readable media of the computer when information about the second information security threat was previously detected on the computer or on a remote server associated with the computer. 8. The method according to claim 7, in which, when information about an information security threat is detected based on the results of analysis of the read data, information about the second information security threat is included in the generated notification about the detected information security threat. 9. The method according to claim 2, in which data corresponding to at least one remote file is searched on a machine-readable medium of a computer, when information about a second information security threat was previously detected on the computer or on a remote server connected to the computer, and in the case , if the information security threat is malware and the second information security threat is a second malware, after detecting the second malware, the connection between the malware and the second malware is checked, and if such a connection is detected, the malware and the second malware are attributed to the same infection chain, and information about the identified infection chain is included in notification of a detected information security threat. 10. The method according to claim 9, in which the malware and the second malware are classified as one infection chain if the time interval between operations with deleted files in the data of which the malware and the second malware were found is within specified limits, where file operations include at least one of: creation, deletion, modification, opening, execution. 11. The method according to claim 9, in which the malware and the second malware are classified as one infection chain if a previously known computer attack uses the malware and the second malware, and the notification about the detected information security threat additionally includes information about the mentioned computer attack. 12. The method according to claim 2, in which data corresponding to at least one remote file is searched on a machine-readable medium of a computer, when information about a second information security threat was previously detected on the computer or on a remote server connected to the computer, and in the case , if information about an information security threat is an indicator of compromise and information about a second information security threat is a second indicator of compromise, and also if, after detecting a second indicator of compromise, the connection between the indicator of compromise and the second indicator of compromise is checked, and if such a connection is identified, the indicator of compromise and the second indicator of compromise are classified as one information security threat - a computer attack, and information about the detected computer attack is included in the notification about the detected information security threat. 13. The method according to claim 12, in which the indicator of compromise and the second indicator of compromise are attributed to one computer attack if the time interval between operations with deleted files, in the data of which the indicator of compromise and the second indicator of compromise were found, is within specified limits, where the operations with files include at least one of: creation, deletion, modification, opening, execution. 14. The method according to claim 12, in which the indicator of compromise and the second indicator of compromise are attributed to one computer attack, if a previously known computer attack uses an indicator of compromise and a second indicator of compromise, and information about the mentioned computer attack is additionally included in the notification of a detected information security threat. 15. The method according to claim 1, in which the read data of the deleted file is analyzed using antivirus databases updated from the time the file was deleted. 16. The method according to claim 1, in which data corresponding to at least one deleted file is searched in at least one of the following ways: by low-level analysis of the file system, by comparing current files with files from at least one backup copy of files , using “file carving” technologies, using “file slack space extraction” technology, by performing cluster-by-cluster analysis. 17. The method according to claim 16, in which, during low-level analysis of the file system, free cells are searched on a machine-readable medium in the main file table, after which the found cells are analyzed for the presence of a structure corresponding to the structure of the file cell, the cell structure is parsed and the cell is recognized as containing information on the remote file, the contents of the cell being used to search for blocks of computer-readable media storing the contents of the file and to read the contents of the file. 18. The method according to claim 1, wherein the selected remote files are analyzed by sending metadata of the selected remote files to the remote device and receiving feedback from the remote device. 19. The method of claim 1, wherein data corresponding to at least one remote file is searched by performing at least one pass over a computer-readable medium. 20. The method of claim 1, wherein the remote file data includes at least one of the following: metadata, content. 21. The method according to claim 20, in which the analysis conditions are checked in all found data of the remote file or only in the file metadata. 22. A computer-implemented method for identifying threats to information security, including stages in which: a) search for data corresponding to at least one remote file on a machine-readable computer medium; b) reading at least part of the found data corresponding to the remote file into the computer's RAM; c) analyze the read data for the presence of information about information security threats; d) when information about information security threats is detected, a notification about the detected information security threat is generated. 23. The method according to claim 22, in which the information security threats are at least one of: malware, computer attack; wherein information about malware includes malware data, and information about a computer attack includes indicators of compromise. 24. The method according to claim 23, in which the information about the computer attack additionally includes malware data. 25. The method according to claim 22, in which data corresponding to at least one remote file is searched on the machine-readable media of the computer when information about the second information security threat was previously detected on the computer or on a remote server associated with the computer. 26. The method according to claim 25, in which, when information about an information security threat is detected based on the results of analysis of the read data, information about the second information security threat is included in the generated notification about the detected information security threat. 27. The method according to claim 23, in which data corresponding to at least one remote file is searched on a machine-readable medium of a computer, when information about a second information security threat was previously detected on the computer or on a remote server associated with the computer, and in the case , if the information security threat is malware and the second information security threat is a second malware, after detecting the second malware, the connection between the malware and the second malware is checked, and if such a connection is detected, the malware and the second malware are attributed to the same infection chain, and information about the identified infection chain is included in notification of a detected information security threat. 28. The method according to clause 27, in which the malware and the second malware are classified as one infection chain if the time interval between operations with deleted files in the data of which the malware and the second malware were found is within specified limits, where operations with files include at least one of: creation, deletion, modification, opening, execution. 29. The method according to claim 27, in which the malware and the second malware are classified as one chain of infection if a previously known computer attack uses the malware and the second malware, and the notification about the detected information security threat additionally includes information about the mentioned computer attack. 30. The method according to claim 23, in which data corresponding to at least one remote file is searched on a machine-readable medium of a computer, when information about a second information security threat was previously detected on the computer or on a remote server associated with the computer, and in the case , if information about an information security threat is an indicator of compromise and information about a second information security threat is a second indicator of compromise, and also if, after detecting a second indicator of compromise, the connection between the indicator of compromise and the second indicator of compromise is checked, and if such a connection is identified, the indicator of compromise and the second indicator of compromise are classified as one information security threat - a computer attack, and information about the detected computer attack is included in the notification about the detected information security threat. 31. The method according to claim 30, in which the indicator of compromise and the second indicator of compromise are attributed to one computer attack if the time interval between operations with deleted files, in the data of which the indicator of compromise and the second indicator of compromise were found, is within specified limits, where the operations with files include at least one of: creation, deletion, modification, opening, execution. 32. The method according to claim 30, in which the indicator of compromise and the second indicator of compromise are attributed to one computer attack, if a previously known computer attack uses an indicator of compromise and a second indicator of compromise, and the notification about the detected information security threat additionally includes information about the mentioned computer attack. 33. The method according to claim 22, in which the read data of the deleted file is analyzed using antivirus databases updated from the time the file was deleted. 34. The method according to claim 22, in which data corresponding to at least one deleted file is searched in at least one of the following ways: by low-level analysis of the file system, by comparing the current files with files from at least one backup copy of the files , using “file carving” technologies, using “file slack space extraction” technology, by performing cluster-by-cluster analysis. 35. The method according to claim 34, in which, during low-level analysis of the file system, free cells are searched on a machine-readable medium in the main file table, after which the found cells are analyzed for the presence of a structure corresponding to the structure of the file cell, the cell structure is parsed and the cell is recognized as containing information on the remote file, the contents of the cell being used to search for blocks of computer-readable media storing the contents of the file and to read the contents of the file. 36. The method of claim 22, wherein the selected remote files are analyzed by sending metadata of the selected remote files to the remote device and receiving feedback from the remote device. 37. The method of claim 22, comprising retrieving data corresponding to at least one remote file by performing at least one pass over a computer-readable medium. 38. The method of claim 22, wherein the remote file data includes at least one of the following: metadata, content.