Rapid7, Inc.

Derek M Abdine

Thomas Eugene Sellers

Roy Donald Hodgman

Paul Deardorff

Andreas Galauner

Mark Momburg

Richard Ding Li

Anastasios Giakouminakis

Chad Loder

Prashant Subbarao

Methods and systems for monitoring network activity. Various embodiments may deploy virtual security appliances to a certain location or with a specific configuration based on data regarding previous attacks and attacker activity. Accordingly, the deployed virtual security appliance(s) are better suited to gather more useful behavior regarding threat actor behavior and attacks.

Virtual security appliances for eliciting attacks

Methods and systems for monitoring activity on a network. The systems may include a host computer executing a non-honeypot service. The host computer may also include a control module configured to enable or disable a honeypot service on the host computer in response to at least one of computational resource availability and configured tolerance for degraded service.

Controlled deployment of blended honeypot services

Systems and methods are disclosed to infer, using a machine learned model, a service protocol of a server based on the banner data produced by the server. In embodiments, the machine learned model is implemented by a network scanner configured to receive banner data from open ports on servers. A received banner is parsed into a set of features, such as the counts or presence of particular characters or strings in the banner. In embodiments, certain types of banner content such as network addresses, hostnames, dates, and times, are replaced with special characters. The machine learned model is applied to the features to infer a most likely protocol of the server port that produced the banner. Advantageously, the model can be trained to perform the inference task with high accuracy and without using human-specified rules, which can be brittle for unconventional banner data and carry undesired biases.

Scanning server ports to infer service protocols

Disclosed herein are methods, systems, and processes for recovering opaque credentials in deception systems. A plaintext credential is received at a honeypot and a plaintext lookup table is accessed. It is determined that the plaintext credential does not exist in the plaintext lookup table and the plaintext credential is added to the plaintext lookup table and a protocol specific plaintext lookup table. An opaque credential is generated for the plaintext credential and the opaque credential is added to a protocol specific opaque lookup table.

Honeypot opaque credential recovery

Machine learned inference of protocols from banner data

Disclosed herein are methods, systems, and processes for recovering opaque credentials in deception systems. A plaintext credential is received at a honeypot and a plaintext lookup table is accessed. It is determined that the plaintext credential does not exist in the plaintext lookup table and the plaintext credential is added to the plaintext lookup table and a protocol specific plaintext lookup table. An opaque credential is generated for the plaintext credential and the opaque credential is added to a protocol specific opaque lookup table. Attack context metadata associated with the original attack event is generated and stored in the protocol specific opaque lookup table in association with the plaintext credential and the opaque credential. If the honeypot receives the opaque credential from a subsequent attacker who initiates a subsequent attack event, the protocol specific opaque lookup table is accessed and the plaintext credential associated with the opaque credential is recovered. The plaintext credential, the opaque credential, and the attack context metadata are then exchanged with a credential exchange manager.

Reactive virtual security appliances

Blended honeypot

A solution recommendation (SR) tool can receive vulnerabilities identified by a vulnerability scanner and/or penetration testing tool. The SR tool can determine various approaches for remediating or mitigating the identified vulnerabilities, and can prioritize the various approaches based on the efficiency of the various approaches in remediating or mitigating the identified vulnerabilities. The SR tool can recommend one or more of the prioritized approaches based on constraints such as cost, effectiveness, complexity, and the like. Once the one or more of the prioritized approaches are selected, the SR tool can recommend the one or more prioritized approaches to third-party experts for evaluation.

Growing community of inventors

Los Angeles, CA, United States of America

Derek M Abdine