WO2021181391A1 - System and method for finding, tracking, and capturing a cyber-attacker - Google Patents


Info

Publication number
WO2021181391A1
Authority
WO
WIPO (PCT)
Prior art keywords
packets
suspicious
server
code
computer
Application number
PCT/IL2021/050263
Other languages
French (fr)
Inventor
Netanel GREENBERG
Original Assignee
Greenberg Netanel
Application filed by Greenberg Netanel
Publication of WO2021181391A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F21/567 Computer malware detection or handling, e.g. anti-virus arrangements using dedicated hardware
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/535 Tracking the activity of the user

Definitions

  • the invention is in the field of cyber-security and in particular relates to tracking computers involved in attack operations.
  • US 9,553,885 B2 discloses a network surveillance system including a deception management server within a network, including a deployment module managing and planting decoy attack vectors in network resources, wherein an attack vector is an object in memory or storage of a first resource that may be used to access a second resource, and decoy servers accessible from resources in the network via decoy attack vectors, each decoy server including a forensic alert module causing a real-time forensic application to be transmitted to a destination resource in the network when the decoy server is being accessed by a specific resource in the network via a decoy attack vector, wherein the forensic application, when launched in the destination resource, identifies a process running within the specific resource that is accessing that decoy server, logs the activities performed by the thus identified process in a forensic report, and transmits the forensic report to the deception management server.
  • US 2016/0330219 A1 discloses a method and device for managing security in a computer network that include algorithms of iterative intelligence growth, iterative evolution, and evolution pathways; sub-algorithms of information type identifier, conspiracy detection, media scanner, privilege isolation analysis, user risk management and foreign entities management; and modules of security behavior, creativity, artificial threat, automated growth guidance, response/generic parser, security review module and monitoring interaction system.
  • Applications include malware predictive tracking, clandestine machine intelligence retribution through covert operations in cyberspace, logically inferred zero-database a-priori real-time defense, critical infrastructure protection & retribution through cloud & tiered information security, and critical thinking memory & perception.
  • the present invention expands the aims and functionality of cyber-security, as further described herein.
  • Cyber-security has traditionally revolved around building firewalls and other protective devices with increasing levels of impenetrability relative to preceding technologies. No product is available to identify the attacker himself or his specific location. The situation is not unlike that found in aviation security, where until recently all of the effort was placed on finding weapons at the airport. Only recently was there an effort to find terrorists at their hideouts.
  • the present invention presents a solution to this problem, providing a system and method for tracking computers of suspected cyber-attackers.
  • a computer-based system for tracking one or more computers of a suspected perpetrator of a cyberattack against a private computing entity comprising a server of a private computing entity, comprising a first firewall, comprising a first whitelist and/or a first blacklist, configured to tag incoming data packets from a public network as suspicious data packets if attributes of the incoming data packets match an attribute set on the first blacklist and/or do not match an attribute set on the first whitelist; and tag the incoming data packets as non-suspected data packets if attributes of the incoming data packets do not match an attribute set on the first blacklist and/or match an attribute set on the first whitelist; and a second firewall, comprising a second whitelist and/or a second blacklist configured to receive packets pre-screened by the first firewall; tag the prescreened data packets as suspicious data packets if attributes of the prescreened data packets do not match an attribute set of the second whitelist and/or match an attribute
  • the mole code is further configured, upon opening of the deceptive solicited data file on one of the computers, to cause the computer to send a second telltale packet revealing a unique identifier of the computer, such as a MAC address; and the undercover server is further configured to receive the second informant packet and add the unique computer identifier to the network locations of the computer as further evidence. It is further within the scope of the invention to provide any one of the abovementioned systems, wherein one or more of the first and/or second informant packets further comprises the physical location of the computer.
  • the first firewall comprises a first whitelist, a first blacklist, or both a first whitelist and a first blacklist.
  • the second firewall comprises a second whitelist, a second blacklist, or both a second whitelist and a second blacklist.
  • any one of the abovementioned systems further comprising a bleaching module in communicative connection with one or more media device drivers on the network, the bleaching module configured to intercept requests for copying of data from the media device driver to a media device; tag the copying request as suspicious if attributes of the copying request do not match an attribute set on a third whitelist of the bleaching module; the honeypot module is further configured to receive suspicious copying requests and build a file of deceptive requested data in response to the copying request; the undercover server is further configured to receive the deceptive requested data and add a hidden code; the bleaching module is further configured to receive and transfer the deceptive requested data and the hidden code to the media device; and upon connection of the media device to an attacker computer, the hidden program is configured to install a mole code on the attacker computer (the mole code behaving substantially the same as previously described).
  • any one of the abovementioned systems further comprising a firewall administration module, configured to receive the suspicious packets from the first firewall; display the attributes of the suspicious packets to an administrative user; and enable the administrative user to allow the suspicious packet, add the attributes to the first whitelist, and/or remove the attributes from the first blacklist.
  • first firewall and the second firewall are further configured to refrain from sending a denial-of-access signal to a suspected computer.
  • undercover server is further configured to send the telltale packets to the network server.
  • any one of the abovementioned systems further comprising a law-enforcement client module, installed on a computer of a law-enforcement authority in communicative connection with the undercover server, the law- enforcement client module configured to receive an identifier of the network and all or some of the network location identifiers, computer identifiers, and/or computer physical locations.
  • the private computing entity comprises a network or computer of a business, organization, or private person; a limited-access computer; a cloud-based service; a financial network; an infrastructure control network; one or more appliances or networks thereof; or any combination thereof.
  • the public network is the Internet, a blockchain network, or any combination thereof.
  • suspected data packets comprise malicious data or code, an attempt to steal data, phishing, vandalism, a virus, a Trojan horse, spyware, or any combination thereof.
  • a computer-based system for tracking one or more computers of a suspected perpetrator of a cyberattack against a private computing entity comprising a server of the private computing entity, comprising a firewall, comprising a whitelist and/or a blacklist, configured to tag incoming data packets from a public network as suspicious data packets if attributes of the incoming data packets match an attribute set on the blacklist or do not match an attribute set on the whitelist; and admit the incoming data packets to the private computing entity if attributes of the incoming data packets match an attribute set on the whitelist and/or do not match an attribute set on the blacklist; a sandbox server comprising a honeypot module configured to receive the suspicious packets; unwrap suspicious code in the suspicious packets by running and/or analyzing the suspicious code in the suspicious packets; and build a file of deceptive solicited data, in response to requests of the unwrapped suspicious code; and wherein the system further comprises an undercover server configured to
  • any of the abovementioned methods further comprising a step of providing the first firewall with a first whitelist, a first blacklist, or a first whitelist and a first blacklist.
  • any of the abovementioned methods further comprising a step of providing the second firewall with a second whitelist, a second blacklist, or a second whitelist and a second blacklist.
  • a bleaching module in communicative connection with one or more media device drivers on the network, is configured to implement steps of intercepting requests for copying of data from the media device driver to a media device; tagging the copying request as suspicious if attributes of the copying request do not match an attribute set on a third whitelist of the bleaching module;
  • the honeypot module is further configured to implement steps of receiving suspicious copying requests and building a file of deceptive requested data in response to the copying request;
  • the undercover server is further configured to implement steps of receiving the deceptive requested data and adding a hidden code;
  • the bleaching module is further configured to implement steps of receiving and transferring the deceptive requested data and the hidden code to the media device; and upon connection of the media device to an attacker computer, the hidden program is configured to implement a step of installing a mole code on the attacker computer.
  • any of the abovementioned methods further comprising steps of providing a firewall administration module; configured to implement steps of receiving the suspicious packets from the first firewall; displaying the attributes of the suspicious packets to an administrative user; and enabling the administrative user to allow the suspicious packet, add the attributes to the first whitelist, and/or remove the attributes from the first blacklist.
  • any of the abovementioned methods further comprising a step of refraining from sending a denial-of-access signal to a suspected computer, by the first firewall and the second firewall.
  • undercover server is further configured to implement a step of sending the telltale packets to the network server.
  • any of the abovementioned methods further comprising steps of providing a law-enforcement client module, installed on a computer of a law-enforcement authority in communicative connection with the undercover server, wherein the law-enforcement client module is configured to implement a step of receiving an identifier of the network and all or some of the network location identifiers, computer identifiers, and/or computer physical locations.
  • any of the abovementioned methods further comprising a step of providing the private computing entity, selected from a group consisting of a network or computer of a business, organization, or private person; a limited-access computer; a cloud-based service; a financial network; an infrastructure control network; one or more appliances or networks thereof; or any combination thereof.
  • Fig. 1 shows a block diagram of a computer-based system for tracking one or more computers of a suspected perpetrator of a cyberattack against a private computing entity, according to some embodiments of the invention.
  • Fig. 2 shows a functional block diagram of the system, showing interactions between operative modules therein, according to some embodiments of the invention.
  • Fig. 3 shows a list of steps of a computer-based method for tracking one or more computers of a suspected perpetrator of a cyberattack against a private computing entity, according to some embodiments of the invention.
  • Private computing entity refers to any non-public computing entity with limited access that is protected from cyber-attacks by the invention.
  • a private computing entity may be a network or computer of a business, organization, or private person; a limited-access computer; a cloud-based service; a financial network; an infrastructure control network such as for utilities, air-traffic control, oil and gas facilities, and nuclear facilities; or one or more appliances, such as among those connected to the IoT, or networks thereof.
  • Attribute set is a set of attributes of a data packet entering a private computing entity, matched against allowed attribute sets in a white list or prohibited attribute sets in a black list. Attributes can include, for example, socket number, file type, file size, file contents, type of data requested, sending IP address or domain, routed IP addresses or domains, number of hops, etc.
  • “Attacking computing entity” or “attacking computer” is one or more computers involved in a cyber-attack.
  • the attacking computers attempt, at the prerogative of an attacker’s malicious intent, to send malicious data or code, receive stolen data, phish, vandalize, implant a virus, Trojan horse or spyware, or otherwise infiltrate a private computing entity.
  • an attacking computing entity may involve various different computers at different times; attackers may be apt to employ different computing assets at different times, in order to evade detection.
  • Unwrapping code is a process of either analyzing code within incoming data packets or allowing the code to execute. The purpose of unwrapping the code is to determine the sender’s intent and to respond with deceptive responses to data requested by the code.
  • Deceptive solicited data is false data, such as expired passwords, of the type and format requested by a suspected attacker.
  • Internetworked computer refers to a computer with a network connection to a private computing entity server. Typically, this connection is over a public network such as the Internet or a blockchain network.
  • Mole code refers to a segment of code implanted in the computer of a suspected attacker.
  • a mole is usually a short segment of code, typically for transmission of a ping request, of a hardware ID such as a MAC address, or of GPS coordinates of the computer.
  • a mole is typically installed by a hidden program in the computer’s registry file.
  • Undercover server refers to a computer whose function is to package and send the deceptive solicited data with a hidden program containing the mole code, and to monitor and amalgamate telltale packets.
  • “Telltale packet” refers to a communicated packet, initiated by a mole code, containing identifying information about the attacker’s computer. A telltale packet may identify the computer’s network location (e.g., IP address), a unique identifier of the computer (e.g., MAC address), and/or the physical location of the computer obtained from the computer’s GPS locator.
  • a private computing entity 105 can be a network or computer of a business, organization, or private person; a limited-access computer; a cloud-based service; a financial network; an infrastructure control network such as for utilities, air-traffic control, oil and gas facilities, and nuclear facilities; or one or more appliances, such as among those connected to the IoT, or networks thereof.
  • System 100 comprises a server 110 of private computing entity 105.
  • Server 110 can be a gateway to a private computing entity 105 from one or more public networks 130, which may include the Internet.
  • server 110 can be one or more computers or a mechanism by which traffic from public network 130 to private computing entity 105 is monitored and filtered against potential incoming cyber-attacks.
  • Server 110 preferably comprises two firewalls, a first firewall 125 and a second firewall 135, further described herein.
  • System 100 further comprises a sandbox server 115 in communicative connection with server 105.
  • Sandbox server 115 is a “demilitarized zone” (DMZ), where suspicious traffic can be analyzed and further processed with no risk or minimal risk of damaging server 110 and other components of private computing entity 105.
  • Sandbox server 115 comprises a honeypot module 140, further described herein.
  • System 100 further comprises an undercover server 120, further described herein.
  • Undercover server 120 is preferably operated by a specialized service provider, usually not the owner of private computing entity 105.
  • undercover server services a plurality of private computing entities 105.
  • Undercover server 120 is in communicative connection with sandbox server 115, preferably over a secured connection 150A (e.g., a secure virtual connection, such as a VPN, or a hardwired line).
  • Undercover server 120 typically uses network credentials of private server 110 when communicating over public network 130, in order that communications appear to a potentially malicious computer 145 as originating from the targeted private computing entity 105.
  • system 100 may comprise one or more of the following: a) a firewall administration server 127, in communicative connection with main server 110 and sandbox server 140; b) a bleaching module 155, in communicative connection with one or more media device drivers 160 in the private computing entity 105 (which in turn interact with a removable media device 165 such as a disk-on-key, CD drive, etc.), with sandbox server 115, and with undercover server 120; and c) a law enforcement client 170, in communication with undercover server 120, preferably over a secured connection 150B. All three components are further described herein.
  • FIG. 2 shows a functional block diagram of a system 100 of the invention, showing interactions between operative modules therein, according to some embodiments of the invention.
  • First firewall 125 receives incoming data packets 5A sent over public network 130. At this point, the origin of incoming packets 5A and whether incoming packets 5A are malicious is unknown. First firewall 125 stores a first whitelist 10A, a first blacklist 12A, or both a first whitelist and a first blacklist. First firewall 125 compares attributes of incoming packets 5A against attribute sets stored on first whitelist 10A and/or attribute sets stored on first blacklist 12A. The compared attributes of incoming packets 5A, included in the attribute sets of first whitelist 10A and/or of first blacklist 12A, can include packet size, sending IP address, sending MAC address, protocol, protocol stack, routing path, network socket, file format, and any combination thereof.
  • First firewall 125 tags incoming packets 5A, whose attributes do not match at least one attribute set on first whitelist 10A and/or match an attribute set on first blacklist 12A, as suspicious packets 20A.
  • First firewall 125 forwards non-suspected packets 5B, whose attributes match at least one attribute set on first whitelist 10A and/or do not match an attribute set on first blacklist 12A, to second firewall 135.
  • first firewall 125 adds to first blacklist 12A the attributes of incoming packets 5A not matching any sets on first whitelist 10A.
  • first firewall 125 does not reply with an abuse-of-privilege or denial-of-access signal to the sending computer 145 of suspicious packet(s) 20A, as is typically sent by firewall software. The non-sending of an access-denied signal is deceptive and encourages the suspected attacker or suspected attacking computer 145 to continue an attack.
  • first firewall 125 forwards packets 20A tagged as suspicious to sandbox server 115 for processing by honeypot module 140.
  • a firewall administrative module 127 receives suspicious packets 20A tagged by first firewall 125.
  • Firewall administrative module 127 displays attributes of suspicious packets 20A to an administrative user. The administrative user can, either temporarily or permanently, retag suspicious packets 20A matching a blocked attribute set as non-suspected packets, if they are known to be non-suspected.
  • Firewall administrative server 127 sends retagged suspicious data packets 20A back to first firewall 125 for further processing as non-suspected packets 5B.
  • Firewall administrative module 127 forwards suspicious packets 20A that remain suspicious packets 20C to sandbox server 115 for processing by honeypot module 140 therein.
  • Firewall administrative module 127 may send an instruction, either automatically or at the administrative user’s prerogative, to first firewall 125 to modify the first whitelist 10A and/or the blacklist 12.
  • first whitelist 10A and/or blacklist 12 can be modified to allow future packets matching the allowed attribute set of retagged packets as non-suspected packets 5A.
  • Second firewall 135 receives non-suspected packets 5B and suspicious packets 20. Second firewall 135 stores a second whitelist 10B, a second blacklist 12B, or both a second whitelist 10B and a second blacklist 12B.
  • second whitelist 10B is a mirror image or synchronized with first whitelist 10A.
  • second blacklist 12B is a mirror image or synchronized with first blacklist 12A.
  • Second firewall 135 compares attributes of incoming packets 5A, 20 prescreened by first firewall 125 against attribute sets stored on second whitelist 10B and/or attribute sets stored on second blacklist 12B. Second firewall 135 tags non-suspected packets 5B whose attributes match an attribute set on second whitelist 10B and/or do not match an attribute set on second blacklist 12B as innocent packets 15 and forwards them to their recipient in the private computing entity 105. Second firewall 135 tags non-suspected packets 5B whose attributes do not match an attribute set on second whitelist 10B and/or match an attribute set on second blacklist 12B as suspicious packets 20B and forwards them to sandbox server 115 for processing by honeypot module 140 therein. Honeypot module 140 receives suspicious packets 20.
  • Honeypot module 140 unwraps code 25 in suspicious packets 20.
  • Unwrapping of suspicious code 25 comprises executing or analyzing the code 25. Whether to execute or analyze code 25 may be decided based on the length of code 25. For example, code of up to 10,000 lines may be analyzed, while longer code may require execution to unwrap. Unwrapping of code 25 facilitates determining what kind of potential malice the suspicious code 25 would do had it been allowed to run on server 110. In some embodiments, if the code 25 would damage the network 105 or delete data therein, without requesting that any data in network 105 be sent outside of network 105, then suspicious packet 20 is discarded and no further action is taken.
  • honeypot module 140 builds a file 30 of deceptive solicited data, in response to requests of the unwrapped suspicious code 25.
  • Information in deceptive solicited data file 30 is of the same type of data requested by code 25, for example expired passwords, closed bank account numbers, etc.
  • Undercover server 120 builds a return data file 35, comprising deceptive solicited data file 30 and a hidden program 40.
  • Hidden program 40 is programmed to implant a mole code 45 in a malicious computer 145 receiving return data file 35.
  • Undercover server 120 sends return data file 35 over public network 130 to addresses specified in suspicious code 25. The addresses may be for the same computer that sent suspicious packet 20 and/or an address explicitly specified in suspicious code 25.
  • the return data file 35 reaches the suspected attacker computer 145 and mole code 45 is implanted therein.
  • mole code 45 is implanted at the operating system level, such as in a registry file of suspected attacker computer 145.
  • Mole code 45 is typically a very short segment of code that is impossible or very difficult for an attacking computer 145 to detect.
  • Mole code 45 is a program that initiates sending of telltale packets 50A-50B to undercover server 120, revealing certain information, further described herein, about the suspected attacker computer 145.
  • Telltale packets 50 may contain an identifier of the private computing entity 120 and/or of return data file 35, so that undercover server 120 may catalog received telltale packets 50 by each private computing entity 110 and each incident of a suspected attack serviced by undercover server 120.
  • Mole code 45 may also query the geographic location of suspected attacker computer 145, whose data may accompany one or more of the telltale packets 50.
  • Mole code 45 repetitively sends first telltale packets 50A.
  • the sending can be, for example, at regular intervals, whenever the attacker computer 145 is booted, and/or whenever there is a change in network status.
  • a first telltale packet 50A reveals a network location, such as an IP address, of suspected attacker computer 145.
  • the network location may vary quite often between first telltale packets 50A, as attackers are notorious for operating from constantly changing IP addresses in order to evade detection.
  • first telltale packets 50A provide undercover server 120 with a history of network locations of one or more suspected attacker computers 145 on which mole code 45 was implanted.
  • Mole code 45 may be further programmed to initiate, upon opening of deceptive solicited data file 30 by a suspected attacker computer 145, to send a second telltale packet 50B revealing a unique hardware identifier (e.g., MAC address) of attacker computer 145.
  • telltale packets 50 may be provided to law enforcement authorities.
  • a law enforcement client 170 which can be installed on a computer of a law enforcement agency, receives the telltale packets from undercover server 120.
  • Undercover server 120 may provide telltale packets in real time, in periodic updates, or after receiving second telltale packet 50B and thereby identifying attacker computer 145.
  • System 100 enables law enforcement agencies to investigate and find the suspected attacker, then arrest him and seize suspected attacking computer 145.
  • the IP-address history of first telltale packets 50A, the MAC address of the second telltale packets 50B, physical locations reported by either type of telltale packets 50, and/or data stored on the computer 145 itself may be used as positive evidence in furthering an investigation or in a criminal and/or civil trial against the attacker, for example where network location history stored on computer 145 matches, in whole or in part, the first telltale packets 50A and/or its MAC number matches the second telltale packet 50B.
  • system 100 further comprising a bleaching module 155.
  • Bleaching module 155 intercepts requests for copying of data from a media device driver 160 to a removable media device 165, such as a disk-on-key, a CD drive, or other physical device.
  • Bleaching module 155 tags the copying request as suspicious if attributes of the copying request do not match an attribute set on a third whitelist 10C of the bleaching module 155.
  • Honeypot module 140 receives suspicious copying requests and builds a file of deceptive requested data in response to the suspicious copying request.
  • Undercover server 120 receives said deceptive requested data file and adds a hidden code.
  • Bleaching module 155 receives and transfers the deceptive requested data and hidden code to the media device 165.
  • the hidden program Upon connection of the media device 165 to an attacker computer 145, the hidden program is configured to install a mole code on the attacker computer 145.
  • the mole code behaves substantially the same as described above.
  • FIG. 3 shows a list of steps of a computer-based method 200 for tracking one or more computers of a suspected perpetrator of a cyberattack against a private computing entity, the method 200 comprising steps of obtaining a system for tracking one or more computers of a suspected perpetrator of a cyberattack against a private computing entity 205; receiving incoming data packets from a public network 210; tagging the incoming data packets as suspicious data packets if attributes of said incoming data packets match an attribute set on a blacklist of a first firewall or do not match an attribute set on a first whitelist of said first firewall 215; replying to the suspicious data packets with a deceptive verification, to be received by a suspected attacking computer, that incoming data packets sent by the suspected computer were successfully admitted into the private computing entity 220;

Abstract

Systems and methods for tracking one or more computers of a suspected perpetrator of a cyberattack against a private computing entity. The system comprises a server, a sandbox server with a honeypot module, and an undercover server operated by a specialized service provider. The undercover server is in communicative connection with the sandbox server over a secured connection. The server comprises a first firewall including a whitelist and/or blacklist that tags incoming data packets from a public network as suspicious data packets or as non-suspicious data packets, and a second firewall including a whitelist and/or blacklist that tags prescreened data packets as suspicious data packets or as non-suspicious data packets. The honeypot module of the sandbox server receives the suspicious packets and builds a file of deceptive solicited data.

Description

SYSTEM AND METHOD FOR FINDING, TRACKING, AND CAPTURING A CYBER-ATTACKER
FIELD OF THE INVENTION
The invention is in the field of cyber-security and in particular relates to tracking computers involved in attack operations.
BACKGROUND TO THE INVENTION
The field of cyber-security has recently begun employing methods that go beyond traditional firewalls.
US 9,553,885 B2 discloses a network surveillance system including a deception management server within a network, including a deployment module managing and planting decoy attack vectors in network resources, wherein an attack vector is an object in memory or storage of a first resource that may be used to access a second resource, and decoy servers accessible from resources in the network via decoy attack vectors, each decoy server including a forensic alert module causing a real-time forensic application to be transmitted to a destination resource in the network when the decoy server is being accessed by a specific resource in the network via a decoy attack vector, wherein the forensic application, when launched in the destination resource, identifies a process running within the specific resource that is accessing that decoy server, logs the activities performed by the thus identified process in a forensic report, and transmits the forensic report to the deception management server.
US 2016/0330219 A1 discloses a method and device for managing security in a computer network that include algorithms of iterative intelligence growth, iterative evolution, and evolution pathways; sub-algorithms of information type identifier, conspiracy detection, media scanner, privilege isolation analysis, user risk management and foreign entities management; and modules of security behavior, creativity, artificial threat, automated growth guidance, response/generic parser, security review module and monitoring interaction system. Applications include malware predictive tracking, clandestine machine intelligence retribution through covert operations in cyberspace, logically inferred zero-database a-priori real-time defense, critical infrastructure protection & retribution through cloud & tiered information security, and critical thinking memory & perception. The present invention expands the aims and functionality of cyber-security, as further described herein.
SUMMARY
Cyber-security has traditionally revolved around building firewalls and other protective devices that have greater levels of impenetrability than preceding technologies. No product is available to identify the attacker himself and/or his specific location. The situation is not unlike that found in aviation security, where until recently all of the effort was placed on finding weapons at the airport. Only recently was there an effort to find terrorists at their hideouts.
The present invention presents a solution to this problem, providing a system and method for tracking computers of suspected cyber-attackers.
It is therefore within the scope of the invention to provide a computer-based system for tracking one or more computers of a suspected perpetrator of a cyberattack against a private computing entity, the system comprising a server of a private computing entity, comprising a first firewall, comprising a first whitelist and/or a first blacklist, configured to tag incoming data packets from a public network as suspicious data packets if attributes of the incoming data packets match an attribute set on the first blacklist and/or do not match an attribute set on the first whitelist; and tag the incoming data packets as non-suspected data packets if attributes of the incoming data packets do not match an attribute set on the first blacklist and/or match an attribute set on the first whitelist; and a second firewall, comprising a second whitelist and/or a second blacklist, configured to receive packets pre-screened by the first firewall; tag the prescreened data packets as suspicious data packets if attributes of the prescreened data packets do not match an attribute set of the second whitelist and/or match an attribute set of the second blacklist; and admit prescreened data packets into the private computing entity if attributes of the prescreened data packets match an attribute set of the second whitelist and/or do not match an attribute set of the second blacklist; a sandbox server comprising a honeypot module configured to receive the suspicious packets; unwrap suspicious code in the suspicious packets by running and/or analyzing the suspicious code in the suspicious packets; and build a file of deceptive solicited data, in response to requests of the unwrapped suspicious code; and wherein the system further comprises an undercover server configured to receive the deceptive solicited data file; build a return data file comprising the set of deceptive solicited data and a hidden program; the hidden program is configured to implant a mole code in one or more malicious computers receiving the return data file; and send the return data file to network addresses specified in accordance with instructions in the suspicious code; and the mole code is configured to cause the computers to send one or more telltale packets comprising network locations of the computers, which can be ping requests, to the undercover server; and the undercover server is further configured to receive the first informant packets, each of the first informant packets revealing a network location, such as an IP address, of one of the computers; an amalgamation of the telltale packets thereby providing a history of the network locations for each of the computers.
It is further within the scope of the invention to provide the abovementioned system, wherein the mole code is further configured, upon opening of the deceptive solicited data file on one of the computers, to cause the computer to send a second telltale packet revealing a unique identifier of the computer, such as a MAC address; and the undercover server is further configured to receive the second informant packet and add the unique computer identifier to the network locations of the computer as further evidence.
It is further within the scope of the invention to provide any one of the abovementioned systems, wherein one or more of the first and/or second informant packets further comprises the physical location of the computer.
It is further within the scope of the invention to provide any one of the abovementioned systems, wherein the first firewall comprises a first whitelist, a first blacklist, or both a first whitelist and a first blacklist.
It is further within the scope of the invention to provide any one of the abovementioned systems, wherein the second firewall comprises a second whitelist, a second blacklist, or both a second whitelist and a second blacklist.
It is further within the scope of the invention to provide any one of the abovementioned systems, further comprising a bleaching module in communicative connection with one or more media device drivers on the network, the bleaching module configured to intercept requests for copying of data from the media device driver to a media device; tag the copying request as suspicious if attributes of the copying request do not match an attribute set on a third whitelist of the bleaching module; the honeypot module is further configured to receive suspicious copying requests and build a file of deceptive requested data in response to the copying request; the undercover server is further configured to receive the deceptive requested data and add a hidden code; the bleaching module is further configured to receive and transfer the deceptive requested data and the hidden code to the media device; and upon connection of the media device to an attacker computer, the hidden program is configured to install a mole code on the attacker computer (the mole code behaving substantially the same as previously described).
It is further within the scope of the invention to provide any one of the abovementioned systems, further comprising a firewall administration module, configured to receive the suspicious packets from the first firewall; display the attributes of the suspicious packets to an administrative user; and enable the administrative user to allow the suspicious packet, add the attributes to the first whitelist, and/or remove the attributes from the first blacklist.
It is further within the scope of the invention to provide any one of the abovementioned systems, wherein the first firewall and the second firewall are further configured to refrain from sending a denial-of-access signal to a suspected computer.
It is further within the scope of the invention to provide any one of the abovementioned systems, wherein the sandbox server and the undercover server are communicatively connected via a secured connection.
It is further within the scope of the invention to provide any one of the abovementioned systems, wherein the undercover server sends the return data file using sending credentials of the private computing entity server.
It is further within the scope of the invention to provide any one of the abovementioned systems, wherein the undercover server is further configured to send the telltale packets to the network server.
It is further within the scope of the invention to provide any one of the abovementioned systems, wherein the hidden program is itself the mole.
It is further within the scope of the invention to provide any one of the abovementioned systems, further comprising a law-enforcement client module, installed on a computer of a law-enforcement authority in communicative connection with the undercover server, the law-enforcement client module configured to receive an identifier of the network and all or some of the network location identifiers, computer identifiers, and/or computer physical locations.
It is further within the scope of the invention to provide any one of the abovementioned systems, wherein the private computing entity comprises a network or computer of a business, organization, or private person; a limited-access computer; a cloud-based service; a financial network; an infrastructure control network; one or more appliances or networks thereof; or any combination thereof.
It is further within the scope of the invention to provide any one of the abovementioned systems, wherein the public network is the Internet, a blockchain network, or any combination thereof.
It is further within the scope of the invention to provide any one of the abovementioned systems, wherein the suspected data packets comprise malicious data or code, an attempt to steal data, phishing, vandalism, a virus, a Trojan horse, spyware, or any combination thereof.
It is further within the scope of the invention to provide a computer-based system for tracking one or more computers of a suspected perpetrator of a cyberattack against a private computing entity, the system comprising a server of the private computing entity, comprising a firewall, comprising a whitelist and/or a blacklist, configured to tag incoming data packets from a public network as suspicious data packets if attributes of the incoming data packets match an attribute set on the blacklist or do not match an attribute set on the whitelist; and admit the incoming data packets to the private computing entity if attributes of the incoming data packets match an attribute set on the whitelist and/or do not match an attribute set on the blacklist; a sandbox server comprising a honeypot module configured to receive the suspicious packets; unwrap suspicious code in the suspicious packets by running and/or analyzing the suspicious code in the suspicious packets; and build a file of deceptive solicited data, in response to requests of the unwrapped suspicious code; and wherein the system further comprises an undercover server configured to receive the deceptive solicited data file; build a return data file comprising the set of deceptive solicited data and a hidden program; the hidden program is configured to implant a mole code in one or more malicious computers receiving the return data file; and send the return data file to network addresses specified in accordance with instructions in the suspicious code; and the mole code is configured to cause the computers to send one or more telltale packets comprising network locations of the computers, which can be ping requests, to the undercover server; and the undercover server is further configured to receive the first informant packets, each of the first informant packets revealing a network location, such as an IP address, of one of the computers; an amalgamation of the telltale packets thereby providing a history of the network locations for each of the computers.
It is further within the scope of the invention to provide a computer-based method for tracking one or more computers of a suspected perpetrator of a cyberattack against a private computing entity, the method comprising steps of obtaining any one of the abovementioned systems; receiving incoming data packets from a public network, by a first firewall; tagging the incoming data packets as suspicious data packets if attributes of the incoming data packets match an attribute set on a blacklist of the first firewall and/or do not match an attribute set on a first whitelist of the first firewall; receiving packets prescreened by the first firewall by a second firewall; tagging the prescreened packets as suspicious data packets if attributes of the prescreened data packets do not match an attribute set on a second whitelist of the second firewall and/or match an attribute set on a second blacklist of the second firewall; admitting the prescreened data packets to the private computing entity if attributes of the prescreened data packets match an attribute set on the second whitelist and/or do not match an attribute set on the blacklist; receiving the suspicious packets by a sandbox server; unwrapping suspicious code in the suspicious packets by running and/or analyzing the suspicious code in the suspicious packets; building a file of deceptive solicited data, in response to requests of the unwrapped suspicious code; wherein the method further comprises steps of receiving the deceptive solicited data file by an undercover server; building a return data file comprising the set of deceptive solicited data and a hidden program; the hidden program is configured to implant a mole code in one or more suspected computers receiving the return data file; sending the return data file to network addresses specified in accordance with instructions in the suspicious code; the mole code is further configured for causing the suspected computers to implement a step of sending one or more telltale packets comprising network locations of the computers, which can be ping requests, to the undercover server; and the undercover server is further configured for receiving the first informant packets, each of the first informant packets revealing a network location, such as an IP address, of one of the computers; amalgamating the telltale packets, thereby providing a history of the network locations of the suspected computers.
It is further within the scope of the invention to provide the abovementioned method, further comprising steps, upon opening of the deceptive solicited data file on the suspected computer, of causing the computer to send a second telltale packet revealing a unique identifier of the computer, such as a MAC address; and receiving the second informant packet, by the undercover server, and adding the unique computer identifier to the network locations of the computer as further evidence.
It is further within the scope of the invention to provide any of the abovementioned methods, wherein one or more of the first and/or second informant packets further comprises the physical location of the computer.
It is further within the scope of the invention to provide any of the abovementioned methods, further comprising a step of providing the first firewall with a first whitelist, a first blacklist, or a first whitelist and a first blacklist.
It is further within the scope of the invention to provide any of the abovementioned methods, further comprising a step of providing the second firewall with a second whitelist, a second blacklist, or a second whitelist and a second blacklist.
It is further within the scope of the invention to provide any of the abovementioned methods, wherein a bleaching module, in communicative connection with one or more media device drivers on the network, is configured to implement steps of intercepting requests for copying of data from the media device driver to a media device; tagging the copying request as suspicious if attributes of the copying request do not match an attribute set on a third whitelist of the bleaching module; the honeypot module is further configured to implement steps of receiving suspicious copying requests and building a file of deceptive requested data in response to the copying request; the undercover server is further configured to implement steps of receiving the deceptive requested data and adding a hidden code; the bleaching module is further configured to implement steps of receiving and transferring the deceptive requested data and the hidden code to the media device; and upon connection of the media device to an attacker computer, the hidden program is configured to implement a step of installing a mole code on the attacker computer.
It is further within the scope of the invention to provide any of the abovementioned methods, further comprising steps of providing a firewall administration module configured to implement steps of receiving the suspicious packets from the first firewall; displaying the attributes of the suspicious packets to an administrative user; and enabling the administrative user to allow the suspicious packet, add the attributes to the first whitelist, and/or remove the attributes from the first blacklist.
It is further within the scope of the invention to provide any of the abovementioned methods, further comprising a step of refraining from sending a denial-of-access signal to a suspected computer, by the first firewall and the second firewall.
It is further within the scope of the invention to provide any of the abovementioned methods, further comprising a step of providing a secured connection for communication between the sandbox server and the undercover server.
It is further within the scope of the invention to provide any of the abovementioned methods, wherein the undercover server sends the return data file using sending credentials of the private computing entity server.
It is further within the scope of the invention to provide any of the abovementioned methods, wherein the undercover server is further configured to implement a step of sending the telltale packets to the network server.
It is further within the scope of the invention to provide any of the abovementioned methods, wherein the hidden program is itself the mole.
It is further within the scope of the invention to provide any of the abovementioned methods, further comprising steps of providing a law-enforcement client module, installed on a computer of a law-enforcement authority in communicative connection with the undercover server, wherein the law-enforcement client module is configured to implement a step of receiving an identifier of the network and all or some of the network location identifiers, computer identifiers, and/or computer physical locations.
It is further within the scope of the invention to provide any of the abovementioned methods, further comprising a step of providing the private computing entity, selected from a group consisting of a network or computer of a business, organization, or private person; a limited-access computer; a cloud-based service; a financial network; an infrastructure control network; one or more appliances or networks thereof; or any combination thereof.
It is further within the scope of the invention to provide any of the abovementioned methods, further comprising a step of receiving the incoming packets from the Internet, a blockchain network, or any combination thereof.
It is further within the scope of the invention to provide any of the abovementioned methods, wherein the suspected data packets comprise malicious data or code, an attempt to steal data, phishing, vandalism, a virus, a Trojan horse, spyware, or any combination thereof.
It is further within the scope of the invention to provide a computer-based method for tracking one or more computers of a suspected perpetrator of a cyberattack against a private computing entity, the method comprising steps of acquiring the system of claim; receiving incoming data packets from a public network; tagging incoming data packets from a public network as suspicious data packets if attributes of the incoming data packets match an attribute set on a blacklist or do not match an attribute set on a whitelist; admitting the incoming data packets to the private computing entity if attributes of the incoming data packets match an attribute set on the whitelist and/or do not match an attribute set on the blacklist; receiving the suspicious packets by a sandbox server; unwrapping suspicious code in the suspicious packets by running and/or analyzing the suspicious code in the suspicious packets; building a file of deceptive solicited data, in response to requests of the unwrapped suspicious code; wherein the method further comprises steps of receiving the deceptive solicited data file by an undercover server; building a return data file comprising the set of deceptive solicited data and a hidden program; the hidden program is configured to implant a mole code in one or more malicious computers receiving the return data file; sending the return data file to network addresses specified in accordance with instructions in the suspicious code; the mole code is configured to cause the computers to implement a step of sending one or more telltale packets comprising network locations of the computers, which can be ping requests, to the undercover server; and the undercover server is further configured to implement a step of receiving the first informant packets, each of the first informant packets revealing a network location, such as an IP address, of one of the computers; an amalgamation of the telltale packets thereby providing a history of the network locations for each of the computers.
BRIEF DESCRIPTION OF THE DRAWINGS
Fig. 1 shows a block diagram of a computer-based system for tracking one or more computers of a suspected perpetrator of a cyberattack against a private computing entity, according to some embodiments of the invention.
Fig. 2 shows a functional block diagram of the system, showing interactions between operative modules therein, according to some embodiments of the invention.
Fig. 3 shows a list of steps of a computer-based method for tracking one or more computers of a suspected perpetrator of a cyberattack against a private computing entity, according to some embodiments of the invention.
DETAILED DESCRIPTION
Definitions
“Private computing entity” refers to any non-public computing entity with limited access that is protected from cyber-attacks by the invention. A private computing entity may be a network or computer of a business, organization, or private person; a limited-access computer; a cloud-based service; a financial network; an infrastructure control network such as for utilities, air-traffic control, oil and gas facilities, and nuclear facilities; or one or more appliances, such as among those connected to the IoT, or networks thereof.
“Attribute set” is a set of attributes of a data packet entering a private computing entity, matched against allowed attribute sets in a white list or prohibited attribute sets in a black list. Attributes can include, for example, socket number, file type, file size, file contents, type of data requested, sending IP address or domain, routed IP addresses or domains, number of hops, etc.
“Attacking computing entity” or “attacking computer” is one or more computers involved in a cyber-attack. The attacking computers attempt, at the prerogative of an attacker’s malicious intent, to send malicious data or code, receive stolen data, phish, vandalize, implant a virus, Trojan horse or spyware, or otherwise infiltrate a private computing entity. It is appreciated that an attacking computing entity may involve various different computers at different times; attackers may be apt to employ different computing assets at different times, in order to evade detection.
“Unwrapping code” is a process of either analyzing code within incoming data packets or allowing the code to execute. The purpose of unwrapping the code is to determine the sender’s intent and to respond with deceptive responses to data requested by the code.
“Deceptive solicited data” is false data, such as expired passwords, of the type and format requested by a suspected attacker.
“Internetworked computer” refers to a computer with a network connection to a private computing entity server. Typically, this connection is over a public network such as the Internet or a blockchain network.
“Mole code” refers to a segment of code implanted in the computer of a suspected attacker. A mole is usually a short segment of code, typically for transmission of a ping request, of a hardware ID such as a MAC address, or of GPS coordinates of the computer. A mole is typically installed by a hidden program in the computer’s registry file.
“Undercover server” refers to a computer whose function is to package and send the deceptive solicited data with a hidden program containing the mole code, and to monitor and amalgamate telltale packets.
“Telltale packet” refers to a communicated packet, initiated by a mole code, containing identifying information about the attacker’s computer. A telltale packet may identify the computer’s network location (e.g., IP address), a unique identifier of the computer (e.g., MAC address), and/or the physical location of the computer obtained from the computer’s GPS locator.
Throughout this disclosure, where there are feature references comprising a number followed by a letter, the number alone refers collectively to one or more of the same type of feature with the same number (e.g., 20 refers to 20A, 20B, and/or 20C).
Reference is now made to Fig. 1, showing a block diagram of a computer-based system for tracking one or more computers 145 of a suspected perpetrator of a cyberattack against a private computing entity 105, according to some embodiments of the invention. A private computing entity 105 can be a network or computer of a business, organization, or private person; a limited-access computer; a cloud-based service; a financial network; an infrastructure control network such as for utilities, air-traffic control, oil and gas facilities, and nuclear facilities; or one or more appliances, such as among those connected to the IoT, or networks thereof.
System 100 comprises a server 110 of private computing entity 105. Server 110 can be a gateway to a private computing entity 105 from one or more public networks 130, which may include the Internet. Alternatively, server 110 can be one or more computers or a mechanism by which traffic from public network 130 to private computing entity 105 is monitored and filtered against potential incoming cyber-attacks. Server 110 preferably comprises two firewalls, a first firewall 125 and a second firewall 135, further described herein.
System 100 further comprises a sandbox server 115 in communicative connection with server 105. Sandbox server 115 is a “demilitarized zone” (DMZ), where suspicious traffic can be analyzed and further processed with no risk or minimal risk of damaging server 110 and other components of private computing entity 105. Sandbox server 115 comprises a honeypot module 140, further described herein.
System 100 further comprises an undercover server 120, further described herein. Undercover server 120 is preferably operated by a specialized service provider, usually not the owner of private computing entity 105. Typically, undercover server services a plurality of private computing entities 105. Undercover server 120 is in communicative connection with sandbox server 115, preferably over a secured connection 150A (e.g., a secure virtual connection, such as a VPN, or a hardwired line). Undercover server 120, further described herein, typically uses network credentials of private server 110 when communicating over public network 130, in order that communications appear to a potentially malicious computer 145 as originating from the targeted private computing entity 105.
In some embodiments, system 100 may comprise one or more of the following: a) a firewall administration server 127, in communicative connection with main server 110 and sandbox server 140; b) a bleaching module 155, in communicative connection with one or more media device drivers 160 in the private computing entity 105 (which in turn interact with a removable media device 165 such as a disk-on-key, CD drive, etc.), with sandbox server 115, and with undercover server 120; and c) a law enforcement client 170, in communication with undercover server 120, preferably over a secured connection 150B. All three components are further described herein.
Reference is now made to Fig. 2, showing a functional block diagram of a system 100 of the invention, showing interactions between operative modules therein, according to some embodiments of the invention.
First firewall 125 receives incoming data packets 5A sent over public network 130. At this point, the origin of incoming packets 5A and whether incoming packets 5A are malicious is unknown. First firewall 125 stores a first whitelist 10A, a first blacklist 12A, or both a first whitelist and a first blacklist. First firewall 125 compares attributes of incoming packets 5A against attribute sets stored on first whitelist 10A and/or attribute sets stored on first blacklist 12A. The compared attributes of incoming packets 5A, included in the attribute sets of first whitelist 10A and/or of first blacklist 12A, can include packet size, sending IP address, sending MAC address, protocol, protocol stack, routing path, network socket, file format, and any combination thereof.
First firewall 125 tags incoming packets 5A, whose attributes do not match at least one attribute set on first whitelist 10A and/or match an attribute set on first blacklist 12A, as suspicious packets 20A. First firewall 125 forwards non-suspected packets 5B, whose attributes match at least one attribute set on first whitelist 10A and/or do not match an attribute set on first blacklist 12A, to second firewall 135. In some embodiments, first firewall 125 adds to first blacklist 12A the attributes of incoming packets 5A not matching any sets on first whitelist 10A. In some embodiments, first firewall 125 does not reply with an abuse-of-privilege or denial-of-access signal to the sending computer 145 of suspicious packet(s) 20A, as is typically sent by firewall software. The non-sending of an access-denied signal is deceptive and encourages the suspected attacker or suspected attacking computer 145 to continue an attack.
In some embodiments, first firewall 125 forwards packets 20A tagged as suspicious to sandbox server 115 for processing by honeypot module 140. Alternatively, as in the embodiment shown, a firewall administrative module 127 receives suspicious packets 20A tagged by first firewall 125. Firewall administrative module 127 displays attributes of suspicious packets 20A to an administrative user. The administrative user can, either temporarily or permanently, retag suspicious packets 20A matching a blocked attribute set as non-suspected packets, if they are known to be non-suspected. Firewall administrative server 127 sends retagged suspicious data packets 20A back to first firewall for further processing as non-suspected packets 5B. Firewall administrative module 127 forwards suspicious packets 20A that remain suspicious packets 20C to sandbox server 115 for processing by honeypot module 140 therein.
Firewall administrative module 127 may send an instruction, either automatically or at the administrative user’s prerogative, to first firewall 125 to modify the first whitelist 10A and/or the blacklist 12. For example, the first whitelist 10A and/or blacklist 12 can be modified to allow future packets matching the allowed attribute set of retagged packets as non-suspected packets 5A.
Second firewall 135 receives non-suspected packets 5B and suspicious packets 20. Second firewall 135 stores a second whitelist 10B, a second blacklist 12B, or both a second whitelist 10B and a second blacklist 12B. In some embodiments, second whitelist 10B is a mirror image or synchronized with first whitelist 10A. In some embodiments, second blacklist 12B is a mirror image or synchronized with first blacklist 12A.
Second firewall 135 compares attributes of incoming packets 5A, 20 prescreened by first firewall 125 against attribute sets stored on second whitelist 10B and/or attribute sets stored on second blacklist 12B. Second firewall 135 tags non-suspected packets 5B whose attributes match an attribute set on second whitelist 10B and/or do not match an attribute set on second blacklist 12B as innocent packets 15 and forwards them to their recipient in the private computing entity 105. Second firewall 135 tags non-suspected packets 5B whose attributes do not match an attribute set on second whitelist 10B and/or match an attribute set on second blacklist 12B as suspicious packets 20B and forwards them to sandbox server 115 for processing by honeypot module 140 therein.

Honeypot module 140 receives suspicious packets 20. Honeypot module 140 unwraps code 25 in suspicious packets 20. Unwrapping of suspicious code 25 comprises executing or analyzing the code 25. Whether to execute or analyze code 25 may be decided based on the length of code 25. For example, code of up to 10,000 lines may be analyzed, while longer code may require execution to unwrap. Unwrapping of code 25 facilitates determining what kind of potential malice the suspicious code 25 would do had it been allowed to run on server 110. In some embodiments, if the code 25 would damage the network 105 or delete data therein, without requesting that any data in network 105 be sent outside of network 105, then suspicious packet 20 is discarded and no further action is taken.
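The two-stage tagging described above (first firewall 125, then second firewall 135, each holding a whitelist, a blacklist, or both, with the first firewall optionally learning blacklist entries from unmatched packets and suspicious packets diverted to the sandbox with no denial signal sent back) can be modelled as follows. This is an added example, not code from the patent or its applicant. The attribute names (src_ip, src_mac, protocol, dst_port, size), the rule that a packet matches an attribute set when every attribute in the set equals the packet's value, and the sample traffic are all assumptions constructed for the example; the page leaves the comparison rule open.

```python
"""Two-stage whitelist/blacklist packet tagging (added example, not the patent's code).

An attribute set is a dict of packet attributes (sending IP, MAC, protocol, ...).
A packet matches an attribute set when every attribute in the set equals the
packet's value for that attribute.  That comparison rule, and the attribute
names used below, are assumptions made for this example.
"""
from typing import Dict, List, Optional, Tuple

Packet = Dict[str, object]
AttributeSet = Dict[str, object]

SUSPICIOUS = "suspicious"
NON_SUSPECTED = "non-suspected"


def matches(packet: Packet, attr_set: AttributeSet) -> bool:
    """True when every attribute listed in attr_set agrees with the packet."""
    return all(packet.get(key) == value for key, value in attr_set.items())


class Firewall:
    """A firewall holding a whitelist, a blacklist, or both.

    A packet is suspicious when it matches no whitelist entry (if a whitelist
    exists) or matches any blacklist entry (if a blacklist exists).  With
    learn_blacklist=True the attributes of a packet that matches no whitelist
    entry are appended to the blacklist, modelling the embodiment in which the
    first firewall grows its blacklist from unmatched packets.
    """

    def __init__(self, name: str, whitelist: Optional[List[AttributeSet]] = None,
                 blacklist: Optional[List[AttributeSet]] = None,
                 learn_blacklist: bool = False) -> None:
        if whitelist is None and blacklist is None:
            raise ValueError("a firewall needs a whitelist, a blacklist, or both")
        self.name = name
        self.whitelist = whitelist
        self.blacklist = blacklist
        self.learn_blacklist = learn_blacklist

    def tag(self, packet: Packet) -> str:
        whitelisted = self.whitelist is None or any(
            matches(packet, s) for s in self.whitelist)
        blacklisted = self.blacklist is not None and any(
            matches(packet, s) for s in self.blacklist)
        if self.learn_blacklist and not whitelisted and not blacklisted:
            # Remember the full attribute tuple of the unmatched packet so that
            # identical traffic is blacklisted outright next time.
            if self.blacklist is None:
                self.blacklist = []
            self.blacklist.append(dict(packet))
        return SUSPICIOUS if (blacklisted or not whitelisted) else NON_SUSPECTED


def screen(packets: List[Packet], first: Firewall, second: Firewall) -> Dict[str, list]:
    """Route packets through both stages as in Fig. 2.

    Packets tagged suspicious at either stage go to the sandbox queue, tagged
    with the stage that caught them; nothing is sent back to the sender.
    Packets clearing both stages are 'innocent' and delivered.
    """
    routed: Dict[str, list] = {"sandbox": [], "innocent": []}
    for pkt in packets:
        if first.tag(pkt) == SUSPICIOUS:
            routed["sandbox"].append((first.name, pkt))
            continue
        if second.tag(pkt) == SUSPICIOUS:
            routed["sandbox"].append((second.name, pkt))
        else:
            routed["innocent"].append(pkt)
    return routed


# Constructed sample traffic (documentation-range addresses, not real hosts).
SAMPLE_PACKETS: List[Packet] = [
    {"src_ip": "203.0.113.10", "src_mac": "00:11:22:33:44:55", "protocol": "tcp", "dst_port": 443, "size": 512},
    {"src_ip": "198.51.100.7", "src_mac": "66:77:88:99:aa:bb", "protocol": "tcp", "dst_port": 443, "size": 1200},
    {"src_ip": "203.0.113.10", "src_mac": "00:11:22:33:44:55", "protocol": "udp", "dst_port": 53, "size": 80},
    {"src_ip": "192.0.2.66", "src_mac": "de:ad:be:ef:00:01", "protocol": "tcp", "dst_port": 22, "size": 64},
    {"src_ip": "192.0.2.99", "src_mac": "de:ad:be:ef:00:02", "protocol": "tcp", "dst_port": 8080, "size": 900},
    {"src_ip": "192.0.2.99", "src_mac": "de:ad:be:ef:00:02", "protocol": "tcp", "dst_port": 8080, "size": 900},
]


def build_demo() -> Tuple[Firewall, Firewall]:
    """First stage allows only HTTPS and DNS and learns; the second stage keeps
    a tighter per-source list (the page also allows a mirrored list)."""
    first = Firewall(
        "first",
        whitelist=[{"protocol": "tcp", "dst_port": 443}, {"protocol": "udp", "dst_port": 53}],
        blacklist=[{"src_ip": "192.0.2.66"}],
        learn_blacklist=True,
    )
    second = Firewall(
        "second",
        whitelist=[{"src_ip": "203.0.113.10"}, {"src_ip": "198.51.100.7"}],
        blacklist=[{"src_mac": "66:77:88:99:aa:bb"}],
    )
    return first, second


if __name__ == "__main__":
    fw1, fw2 = build_demo()
    result = screen(SAMPLE_PACKETS, fw1, fw2)
    for stage, pkt in result["sandbox"]:
        print(f"sandbox <- {stage}: {pkt['src_ip']} {pkt['protocol']}/{pkt['dst_port']}")
    print(f"innocent: {len(result['innocent'])}, first-stage blacklist size: {len(fw1.blacklist)}")
```

Running the script shows the second packet passing the first stage on protocol alone and being caught by the second stage's MAC blacklist, and the two identical packets from 192.0.2.99 being tagged suspicious with only one learned blacklist entry added, since the repeat already matches the learned entry.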
If, however, the suspicious code 25 solicits data from network 105, honeypot module 140 builds a file 30 of deceptive solicited data, in response to requests of the unwrapped suspicious code 25. Information in deceptive solicited data file 30 is of the same type of data requested by code 25, for example expired passwords, closed bank account numbers, etc.
Undercover server 120 builds a return data file 35, comprising deceptive solicited data file 30 and a hidden program 40. Hidden program 40 is programmed to implant a mole code 45 in a malicious computer 145 receiving return data file 35. Undercover server 120 sends return data file 35 over public network 130 to addresses specified in suspicious code 25. The addresses may be for the same computer that sent suspicious packet 20 and/or an address explicitly specified in suspicious code 25.
The return data file 35 reaches the suspected attacker computer 145 and mole code 45 is implanted therein. Typically, mole code 45 is implanted at the operating system level, such as in a registry file of suspected attacker computer 145. Mole code 45 is typically a very short segment of code that is impossible or very difficult for an attacking computer 145 to detect.
Mole code 45 is a program that initiates sending of telltale packets 50A-50B to undercover server 120, revealing certain information, further described herein, about the suspected attacker computer 145. Telltale packets 50 may contain an identifier of the private computing entity 120 and/or of return data file 35, so that undercover server 120 may catalog received telltale packets 50 by each private computing entity 110 and each incident of a suspected attack serviced by undercover server 120. Mole code 45 may also query the geographic location of suspected attacker computer 145, whose data may accompany one or more of the telltale packets 50.
Mole code 45 repetitively sends first telltale packets 50A. The sending can be, for example, at regular intervals, whenever the attacker computer 145 is booted, and/or whenever there is a change in network status. A first telltale packet 50A reveals a network location, such as an IP address, of suspected attacker computer 145. The network location may vary quite often between first telltale packets 50A, as attackers are notorious for operating from constantly changing IP addresses in order to evade detection. Over a period of time, first telltale packets 50A provide undercover server 120 with a history of network locations of one or more suspected attacker computers 145 on which mole code 45 was implanted.
Mole code 45 may be further programmed to send, upon opening of deceptive solicited data file 30 by a suspected attacker computer 145, a second telltale packet 50B revealing a unique hardware identifier (e.g., MAC address) of attacker computer 145.
Some or all of the telltale packets 50 may be provided to law enforcement authorities. In some embodiments, a law enforcement client 170, which can be installed on a computer of a law enforcement agency, receives the telltale packets from undercover server 120. Undercover server 120 may provide telltale packets in real time, in periodic updates, or after receiving second telltale packet 50B and thereby identifying attacker computer 145.
System 100 enables law enforcement agencies to investigate and find the suspected attacker, then arrest him and seize suspected attacking computer 145. The IP-address history of first telltale packets 50A, the MAC address of the second telltale packets 50B, physical locations reported by either type of telltale packets 50, and/or data stored on the computer 145 itself may be used as positive evidence in furthering an investigation or in a criminal and/or civil trial against the attacker. For example, the network location history stored on computer 145 may match, in whole or in part, the first telltale packets 50A, and/or its MAC address may match the second telltale packet 50B.
In some embodiments, system 100 further comprises a bleaching module 155. Bleaching module 155 intercepts requests for copying of data from a media device driver 160 to a removable media device 165, such as a disk-on-key, a CD drive, or other physical device. Bleaching module 155 tags the copying request as suspicious if attributes of the copying request do not match an attribute set on a third whitelist 10C of the bleaching module 155. Honeypot module 140 receives suspicious copying requests and builds a file of deceptive requested data in response to the suspicious copying request. Undercover server 120 receives said deceptive requested data file and adds a hidden code. Bleaching module 155 receives and transfers the deceptive requested data and hidden code to the media device 165. Upon connection of the media device 165 to an attacker computer 145, the hidden program is configured to install a mole code on the attacker computer 145. The mole code behaves substantially the same as described above.

Reference is now made to Fig. 3, showing a list of steps of a computer-based method 200 for tracking one or more computers of a suspected perpetrator of a cyberattack against a private computing entity, the method 200 comprising steps of obtaining a system for tracking one or more computers of a suspected perpetrator of a cyberattack against a private computing entity 205; receiving incoming data packets from a public network 210; tagging the incoming data packets as suspicious data packets if attributes of said incoming data packets match an attribute set on a blacklist of a first firewall or do not match an attribute set on a first whitelist of said first firewall 215; replying to the suspicious data packets with a deceptive verification, to be received by a suspected attacking computer, that incoming data packets sent by the suspected computer were successfully admitted into the private computing entity 220; tagging incoming data packets not suspected by said first firewall as suspicious data packets if attributes of said incoming data packets do not match an attribute set on a second whitelist of a second firewall 225; admitting data packets to said private computing entity if attributes of said data packets match an attribute set on said second whitelist 230; receiving said suspicious packets by a sandbox server 235; unwrapping suspicious code in the suspicious packets by running and/or analyzing the suspicious code in the suspicious packets 240; building a file of deceptive solicited data, in response to requests of the unwrapped suspicious code 245; receiving the deceptive solicited data file by an undercover server 250; building a return data file comprising the set of deceptive solicited data and a hidden program, the hidden program being configured to implant a mole code in one or more malicious computers receiving the return data file 255; sending the return data file to network addresses specified in accordance with instructions in the suspicious code 260; wherein the mole code is configured to cause the computers to implement a step of sending one or more telltale packets comprising network locations of said computers, which can be ping requests, to the undercover server 265; and the undercover server is further configured to implement a step of receiving the first informant packets, each of the first informant packets revealing a network location, such as an IP address, of one of the computers 270; an amalgamation of the telltale packets thereby providing a history of the network locations for each of the computers.

Claims

1. A computer-based system 100 for tracking one or more computers 145 of a suspected perpetrator of a cyberattack against a private computing entity 105, the system 100 comprising: a server 110 of a private computing entity 105, comprising a first firewall 125, comprising a first whitelist 10A and/or a first blacklist 12A, configured to tag incoming data packets 5A from a public network 130 as suspicious data packets 20A if attributes of said incoming data packets 5A match an attribute set on the first blacklist 12A and/or do not match an attribute set on the first whitelist 10A; and tag said incoming data packets 5A as non-suspected data packets 5A if attributes of the incoming data packets 5A do not match an attribute set on the first blacklist 12A and/or match an attribute set on the first whitelist 10A; and a second firewall 135, comprising a second whitelist 10B and/or a second blacklist 12B, configured to receive packets pre-screened by the first firewall 125; tag the prescreened data packets as suspicious data packets 20B if attributes of the prescreened data packets do not match an attribute set of the second whitelist 10B and/or match an attribute set of the second blacklist 12B; and admit prescreened data packets 15 into the private computing entity 105 if attributes of the prescreened data packets match an attribute set of the second whitelist 10B and/or do not match an attribute set of the second blacklist 12B; a sandbox server 115 comprising a honeypot module 140 configured to receive said suspicious packets 20; unwrap suspicious code 25 in the suspicious packets 20 by running and/or analyzing the suspicious code 25 in the suspicious packets 20; and build a file 30 of deceptive solicited data — false data of a requested type and format — in response to requests of the unwrapped suspicious code 25; and wherein said system 100 further comprises an undercover server 120, a computer configured to receive the deceptive solicited data file 30; build a return data file 35 comprising the set of deceptive solicited data 30 and a hidden program 40; the hidden program 40 is configured to implant a mole code 45 — code configured to cause a computer to send identifying information — in one or more malicious computers 145 receiving the return data file 35; and send the return data file 35 to network addresses specified in accordance with instructions in the suspicious code 25; and the mole code 45 is configured to cause the computers 145 to send one or more telltale packets 50 — packets containing said identifying information — comprising network locations of said computers 145, which can be ping requests, to the undercover server 120; and the undercover server 120 is further configured to receive the first informant packets 50, each of the first informant packets 50 revealing a network location, such as an IP address, of one of the computers 145; an amalgamation of the telltale packets 50 thereby providing a history of the network locations for each of the computers 145.

2. The system of claim 1, wherein the mole code is further configured, upon opening of the deceptive solicited data file on one of the computers, to cause the computer to send a second telltale packet 50B revealing a unique identifier of the computer, such as a MAC address; and the undercover server is further configured to receive the said second informant packet 50B and add the unique computer identifier to the network locations of the computer 145 as further evidence.

3. The system of claim 1 or claim 2, wherein one or more of said first and/or second informant packets further comprises the physical location of said computer.

4. The system of claim 1, wherein said first firewall comprises a first whitelist, a first blacklist, or both a first whitelist and a first blacklist.

5. The system of claim 1 or 4, wherein said second firewall comprises a second whitelist, a second blacklist, or both a second whitelist and a second blacklist.

6. The system of claim 1, further comprising a bleaching module 155 in communicative connection with one or more media device drivers 160 on said network 105, said bleaching module 155 configured to intercept requests for copying of data from a said media device driver 160 to a media device 165; tag said copying request as suspicious if attributes of said copying request do not match an attribute set on a third whitelist 10C of said bleaching module 155; said honeypot module is further configured to receive suspicious copying requests and build a file of deceptive requested data in response to said copying request; said undercover server is further configured to receive said deceptive requested data and add a hidden code; said bleaching module 155 is further configured to receive and transfer said deceptive requested data and said hidden code to said media device 165; and upon connection of said media device 165 to an attacker computer, said hidden program is configured to install a said mole code on said attacker computer (said mole code behaving substantially the same as recited in claim 1).

7. The system of claim 1, further comprising a firewall administration module 127, configured to receive said suspicious packets 20A from said first firewall 125; display said attributes of said suspicious packets 20A to an administrative user; and enable said administrative user to allow said suspicious packet, add said attributes to said first whitelist, and/or remove said attributes from said first blacklist.

8. The system of claim 1, wherein the first firewall and the second firewall are further configured to refrain from sending a denial-of-access signal to a suspected computer.

9. The system of claim 1, wherein the sandbox server and the undercover server are communicatively connected via a secured connection.

10. The system of claim 1, wherein the undercover server sends the return data file using sending credentials of the private computing entity server.

11. The system of claim 1 or 2, wherein the undercover server is further configured to send the telltale packets to the network server.

12. The system of claim 1, wherein the hidden program is itself the mole.

13. The system of any one of claims 1-3, further comprising a law-enforcement client module 170, installed on a computer of a law-enforcement authority in communicative connection with said undercover server, said law-enforcement client module 170 configured to receive an identifier of said network and all or some of said network location identifiers, computer identifiers, and/or computer physical locations.

14. The system of claim 1, wherein the private computing entity comprises a network or computer of a business, organization, or private person; a limited-access computer; a cloud-based service; a financial network; an infrastructure control network; one or more appliances or networks thereof; or any combination thereof.

15. The system of claim 1, wherein the public network is the Internet, a blockchain network, or any combination thereof.

16. The system of claim 1, wherein the suspected data packets comprise malicious data or code, an attempt to steal data, phishing, vandalism, a virus, a Trojan horse, spyware, or any combination thereof.

17. A computer-based system 100 for tracking one or more computers 145 of a suspected perpetrator of a cyberattack against a private computing entity 105, the system comprising a server of the private computing entity 105, comprising a firewall, comprising a whitelist and/or a blacklist, configured to tag incoming data packets from a public network 130 as suspicious data packets 20 if attributes of the incoming data packets match an attribute set on the blacklist or do not match an attribute set on the whitelist; and admit the incoming data packets to the private computing entity 105 if attributes of the incoming data packets match an attribute set on the whitelist and/or do not match an attribute set on the blacklist; a sandbox server 115 comprising a honeypot module 140 configured to receive the suspicious packets 20; unwrap suspicious code 25 in the suspicious packets 20 by running and/or analyzing the suspicious code 25 in the suspicious packets 20; and build a file 30 of deceptive solicited data — false data of a requested type and format — in response to requests of the unwrapped suspicious code 25; and wherein said system further comprises an undercover server 120, a computer configured to receive the deceptive solicited data file 30; build a return data file 35 comprising the set of deceptive solicited data 30 and a hidden program 40; the hidden program 40 is configured to implant a mole code 45 — code configured to cause a computer to send identifying information — in one or more malicious computers 145 receiving the return data file 35; and send the return data file 35 to network addresses specified in accordance with instructions in the suspicious code 25; and the mole code 45 is configured to cause the computers 145 to send one or more telltale packets 50 — packets containing said identifying information — comprising network locations of said computers 145, which can be ping requests, to the undercover server 120; and the undercover server 120 is further configured to receive the first informant packets 50, each of the first informant packets 50 revealing a network location, such as an IP address, of one of the computers 145; an amalgamation of the telltale packets 50 thereby providing a history of the network locations for each of the computers 145.

18. A computer-based method 200 for tracking one or more computers of a suspected perpetrator of a cyberattack against a private computing entity, the method 200 comprising steps of obtaining the system of claim 1 205; receiving incoming data packets from a public network, by a first firewall 210; tagging the incoming data packets as suspicious data packets if attributes of the incoming data packets match an attribute set on a blacklist of the first firewall and/or do not match an attribute set on a first whitelist of the first firewall 215; receiving packets prescreened by the first firewall by a second firewall 220; tagging the prescreened packets as suspicious data packets if attributes of the prescreened data packets do not match an attribute set on a second whitelist of the second firewall and/or match an attribute set on a second blacklist of the second firewall 225; admitting the prescreened data packets to the private computing entity if attributes of the prescreened data packets match an attribute set on the second whitelist and/or do not match an attribute set on the blacklist 230; receiving the suspicious packets by a sandbox server 235; unwrapping suspicious code in the suspicious packets by running and/or analyzing the suspicious code in the suspicious packets 240; building a file of deceptive solicited data, in response to requests of the unwrapped suspicious code 245; wherein the method 200 further comprises steps of receiving the deceptive solicited data file by an undercover server 250; building a return data file comprising the set of deceptive solicited data and a hidden program, the hidden program being configured to implant a mole code in one or more suspected computers receiving the return data file 255; sending the return data file to network addresses specified in accordance with instructions in the suspicious code 260; the mole code is further configured for causing the suspected computers to implement a step of sending one or more telltale packets comprising network locations of said computers, which can be ping requests, to the undercover server 265; and the undercover server is further configured for receiving the first informant packets, each of the first informant packets revealing a network location, such as an IP address, of one of the computers; amalgamating the telltale packets, thereby providing a history of the network locations of the suspected computers.

19. The method of claim 18, further comprising steps of, upon opening of the deceptive solicited data file on a said suspected computer, causing the computer to send a second telltale packet revealing a unique identifier of the computer, such as a MAC address; and receiving the second informant packet, by the undercover server, and adding the unique computer identifier to the network locations of the computer as further evidence.

20. The method of claim 18 or claim 19, wherein one or more of said first and/or second informant packets further comprises the physical location of said computer.

21. The method of claim 18, further comprising a step of providing the first firewall with a first whitelist, a first blacklist, or a first whitelist and a first blacklist.

22. The method of claim 18 or 21, further comprising a step of providing the second firewall with a second whitelist, a second blacklist, or a second whitelist and a second blacklist.

23. The method of claim 18, wherein a bleaching module, in communicative connection with one or more media device drivers on said network, is configured to implement steps of intercepting requests for copying of data from a said media device driver to a media device; tagging said copying request as suspicious if attributes of said copying request do not match an attribute set on a third whitelist of said bleaching module; said honeypot module is further configured to implement a step of receiving suspicious copying requests and building a file of deceptive requested data in response to said copying request; said undercover server is further configured to implement a step of receiving said deceptive requested data and adding a hidden code; said bleaching module is further configured to implement steps of receiving and transferring said deceptive requested data and said hidden code to said media device; and upon connection of said media device to an attacker computer, said hidden program is configured to implement a step of installing a said mole code on said attacker computer.

24. The method of claim 18, further comprising steps of providing a firewall administration module configured to implement steps of receiving said suspicious packets from said first firewall; displaying said attributes of said suspicious packets to an administrative user; and enabling said administrative user to allow said suspicious packet, add said attributes to said first whitelist, and/or remove said attributes from said first blacklist.

25. The method of claim 18, further comprising a step of refraining from sending a denial-of-access signal to a suspected computer, by the first firewall and the second firewall.

26. The method of claim 18, further comprising a step of providing a secured connection for communication between the sandbox server and the undercover server.

27. The method of claim 18, wherein the undercover server sends the return data file using sending credentials of the private computing entity server.

28. The method of claim 18 or 19, wherein the undercover server is further configured to implement a step of sending the telltale packets to the network server.

29. The method of claim 18, wherein the hidden program is itself the mole.

30. The method of any one of claims 18-20, further comprising steps of providing a law-enforcement client module, installed on a computer of a law-enforcement authority in communicative connection with said undercover server, wherein said law-enforcement client module is configured to implement a step of receiving an identifier of said network and all or some of said network location identifiers, computer identifiers, and/or computer physical locations.

31. The method of claim 18, further comprising a step of providing the private computing entity, selected from a group consisting of a network or computer of a business, organization, or private person; a limited-access computer; a cloud-based service; a financial network; an infrastructure control network; one or more appliances or networks thereof; or any combination thereof.

32. The method of claim 18, further comprising a step of receiving the incoming packets from the Internet, a blockchain network, or any combination thereof.

33. The method of claim 18, wherein the suspected data packets comprise malicious data or code, an attempt to steal data, phishing, vandalism, a virus, a Trojan horse, spyware, or any combination thereof.

34. A computer-based method for tracking one or more computers of a suspected perpetrator of a cyberattack against a private computing entity, the method comprising steps of acquiring the system of claim 17; receiving incoming data packets from a public network; tagging incoming data packets from a public network as suspicious data packets if attributes of the incoming data packets match an attribute set on a blacklist or do not match an attribute set on a whitelist; admitting the incoming data packets to the private computing entity if attributes of the incoming data packets match an attribute set on the whitelist and/or do not match an attribute set on the blacklist; receiving the suspicious packets by a sandbox server; unwrapping suspicious code in the suspicious packets by running and/or analyzing the suspicious code in the suspicious packets; building a file of deceptive solicited data, in response to requests of the unwrapped suspicious code; wherein the method further comprises steps of receiving the deceptive solicited data file by an undercover server; building a return data file comprising the set of deceptive solicited data and a hidden program, the hidden program being configured to implant a mole code in one or more malicious computers receiving the return data file; sending the return data file to network addresses specified in accordance with instructions in the suspicious code; the mole code is configured to cause the computers to implement a step of sending one or more telltale packets comprising network locations of said computers, which can be ping requests, to the undercover server; and the undercover server is further configured to implement a step of receiving the first informant packets, each of the first informant packets revealing a network location, such as an IP address, of one of the computers; an amalgamation of the telltale packets thereby providing a history of the network locations for each of the computers.
PCT/IL2021/050263 2020-03-09 2021-03-09 System and method for finding, tracking, and capturing a cyber-attacker WO2021181391A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
IL27318320 2020-03-09
IL273183 2020-03-09

Publications (1)

Publication Number Publication Date
WO2021181391A1 true WO2021181391A1 (en) 2021-09-16

Family

ID=77671336

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IL2021/050263 WO2021181391A1 (en) 2020-03-09 2021-03-09 System and method for finding, tracking, and capturing a cyber-attacker

Country Status (1)

Country Link
WO (1) WO2021181391A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170078317A1 (en) * 2002-12-24 2017-03-16 Fred Herz Patents, LLC Distributed Agent Based Model For Security Monitoring And Response
US20170223046A1 (en) * 2016-01-29 2017-08-03 Acalvio Technologies, Inc. Multiphase threat analysis and correlation engine
US20180351969A1 (en) * 2017-05-30 2018-12-06 Cyemptive Technologies, Inc. Real-time detection of and protection from malware and steganography in a kernel mode

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170078317A1 (en) * 2002-12-24 2017-03-16 Fred Herz Patents, LLC Distributed Agent Based Model For Security Monitoring And Response
US20170223046A1 (en) * 2016-01-29 2017-08-03 Acalvio Technologies, Inc. Multiphase threat analysis and correlation engine
US20180351969A1 (en) * 2017-05-30 2018-12-06 Cyemptive Technologies, Inc. Real-time detection of and protection from malware and steganography in a kernel mode

Similar Documents

Publication Publication Date Title
Cabaj et al. Using software-defined networking for ransomware mitigation: the case of cryptowall
JP6086968B2 (en) System and method for local protection against malicious software
US9923909B2 (en) System and method for providing a self-monitoring, self-reporting, and self-repairing virtual asset configured for extrusion and intrusion detection and threat scoring in a cloud computing environment
US10057295B2 (en) System and method for providing network and computer firewall protection with dynamic address isolation to a device
US9942270B2 (en) Database deception in directory services
US10542006B2 (en) Network security based on redirection of questionable network access
US9686301B2 (en) Method and system for virtual asset assisted extrusion and intrusion detection and threat scoring in a cloud computing environment
US10057284B2 (en) Security threat detection
JP6080910B2 (en) System and method for network level protection against malicious software
Modi et al. A survey of intrusion detection techniques in cloud
US9609019B2 (en) System and method for directing malicious activity to a monitoring system
US9667589B2 (en) Logical / physical address state lifecycle management
EP2147390B1 (en) Detection of adversaries through collection and correlation of assessments
JP2003527793A (en) Method for automatic intrusion detection and deflection in a network
CN103746956A (en) Virtual honeypot
WO2016081561A1 (en) System and method for directing malicious activity to a monitoring system
Nathiya et al. An effective hybrid intrusion detection system for use in security monitoring in the virtual network layer of cloud computing technology
US7469418B1 (en) Deterring network incursion
WO2021181391A1 (en) System and method for finding, tracking, and capturing a cyber-attacker
US20180219834A1 (en) Systems and methods for providing multi-level network security
US11863586B1 (en) Inline package name based supply chain attack detection and prevention
Kaur et al. Intrusion detection system using honeypots and swarm intelligence
WO2006092785A2 (en) Method and apparatus for the dynamic defensive masquerading of computing resources
Gheorghe et al. Attack evaluation and mitigation framework
CN116996294A (en) Network security protection method, device and equipment

Legal Events

Date Code Title Description
121 EP: The EPO has been informed by WIPO that EP was designated in this application

Ref document number: 21767043

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 EP: PCT application non-entry in European phase

Ref document number: 21767043

Country of ref document: EP

Kind code of ref document: A1