Patents Assigned to ACALVIO TECHNOLOGIES, INC.
  • Publication number: 20220329627
    Abstract: Provided are systems, methods, and computer-program products for providing network deceptions using a network tunnel. In various implementations, a network device on a first network can be configured as a projection point. A projection point can be configured as one endpoint of a network tunnel. The other end of the network tunnel can terminate at a deception farm. The deception farm can host a second network, where the second network includes network devices configured as deception mechanisms. By assigning a deception mechanism a network address from the first network, the network address and the network tunnel enable the deception mechanism to appear as a node in the first network.
    Type: Application
    Filed: November 24, 2021
    Publication date: October 13, 2022
    Applicant: Acalvio Technologies, Inc.
    Inventors: Johnson Wu, Sreenivas Gukal, Rammohan Varadarajan
  • Patent number: 11212315
    Abstract: Provided are systems, methods, and computer-program products for providing network deceptions using a network tunnel. In various implementations, a network device on a first network can be configured as a projection point. A projection point can be configured as one endpoint of a network tunnel. The other end of the network tunnel can terminate at a deception farm. The deception farm can host a second network, where the second network includes network devices configured as deception mechanisms. By assigning a deception mechanism a network address from the first network, the network address and the network tunnel enable the deception mechanism to appear as a node in the first network.
    Type: Grant
    Filed: February 25, 2020
    Date of Patent: December 28, 2021
    Assignee: Acalvio Technologies, Inc.
    Inventors: Johnson Wu, Sreenivas Gukal, Rammohan Varadarajan
  • Patent number: 10972503
    Abstract: Provided are systems, methods, and computer-program products for deception mechanisms in a containerized environment. In various implementations, a deception platform can detect the configuration of a containerized environment, including namespaces, services, and configuration of the environment. The deception platform can determine appropriate decoy containerized services for the environment, and can deploy the decoy alongside production containerized service. The deception platform can further determine decoy breadcrumbs for luring attackers to the decoy containerized service. The decoy breadcrumbs can be injected into the environment at locations where an attacker will look for information for further infiltrating the environment. The deception platform can then monitor the decoy containerized service for unexpected accesses.
    Type: Grant
    Filed: August 8, 2019
    Date of Patent: April 6, 2021
    Assignee: ACALVIO TECHNOLOGIES, INC.
    Inventors: Satish M. Mohan, Prashant Shantilal Chuahan
  • Publication number: 20210021640
    Abstract: Provided are systems, methods, and computer-program products for providing network deceptions using a network tunnel. In various implementations, a network device on a first network can be configured as a projection point. A projection point can be configured as one endpoint of a network tunnel. The other end of the network tunnel can terminate at a deception farm. The deception farm can host a second network, where the second network includes network devices configured as deception mechanisms. By assigning a deception mechanism a network address from the first network, the network address and the network tunnel enable the deception mechanism to appear as a node in the first network.
    Type: Application
    Filed: February 25, 2020
    Publication date: January 21, 2021
    Applicant: Acalvio Technologies, Inc.
    Inventors: Johnson Wu, Sreenivas Gukal, Rammohan Varadarajan
  • Patent number: 10616276
    Abstract: Provided are systems, methods, and computer-program products for providing network deceptions using a network tunnel. In various implementations, a network device on a first network can be configured as a projection point. A projection point can be configured as one endpoint of a network tunnel. The other end of the network tunnel can terminate at a deception farm. The deception farm can host a second network, where the second network includes network devices configured as deception mechanisms. By assigning a deception mechanism a network address from the first network, the network address and the network tunnel enable the deception mechanism to appear as a node in the first network.
    Type: Grant
    Filed: May 18, 2018
    Date of Patent: April 7, 2020
    Assignee: Acalvio Technologies, Inc.
    Inventors: Johnson Wu, Sreenivas Gukal, Rammohan Varadarajan
  • Patent number: 10419479
    Abstract: Provided are systems, methods, and computer program products for a cyber-vaccination technique. In various implementations, the technique includes determining characteristics of a testing environment. A testing environment can be used to analyze malware programs. The technique can further include configuring a production network device with the characteristics, so that the production network device resembles the testing environment. The production network device is used for network operations, which excludes analyzing malware programs.
    Type: Grant
    Filed: March 23, 2017
    Date of Patent: September 17, 2019
    Assignee: Acalvio Technologies, Inc.
    Inventor: Rajendra A. Gopalakrishna
  • Patent number: 10362057
    Abstract: Provided are methods, network devices, and computer-program products for a domain name system (DNS) threat detection engine for analyzing DNS traffic for potential threats. In various implementations, the DNS threat detection engine can include threat profiles that include characteristics of network threats associated with DNS. When a DNS message includes a characteristic associated with a particular threat profile, a remediation rule associated with the threat profile can be used to modify the DNS message, including modifying the destination for the DNS message. When the DNS message is received at the new destination, the DNS message can be analyzed to determine whether the DNS message is associated with a threat to the network.
    Type: Grant
    Filed: June 6, 2017
    Date of Patent: July 23, 2019
    Assignee: Acalvio Technologies, Inc.
    Inventor: Erik Wu
  • Patent number: 10348763
    Abstract: Provided are methods, network devices, and computer-program products for dynamically configuring a deception mechanism in response to network traffic from a possible network threat. In various implementations, a network deception system can receive a packet from a network. The network deception system can determine an intent associated with the packet by examining the contents of the packet. The network deception system can further configure a deception mechanism to respond to the intent, for example with the appropriate network communications, software or hardware configuration, and/or data.
    Type: Grant
    Filed: April 25, 2017
    Date of Patent: July 9, 2019
    Assignee: Acalvio Technologies, Inc.
    Inventors: Rajendra A. Gopalakrishna, Johnson Wu, Sreenivas Gukal, Rammohan Varadarajan
  • Publication number: 20190199748
    Abstract: Provided are systems, methods, and computer program products for a cyber-vaccination technique. In various implementations, the technique includes determining characteristics of a testing environment. A testing environment can be used to analyze malware programs. The technique can further include configuring a production network device with the characteristics, so that the production network device resembles the testing environment. The production network device is used for network operations, which excludes analyzing malware programs.
    Type: Application
    Filed: March 5, 2019
    Publication date: June 27, 2019
    Applicant: Acalvio Technologies, Inc.
    Inventor: Rajendra A. Gopalakrishna
  • Patent number: 10326796
    Abstract: Provided are methods, including computer-implemented methods or methods implemented by a network device, devices including network devices, and computer-program products for providing dynamic security mechanisms for mixed networks. A mixed network can include an IoT type device and a non-IoT device. Using a configuration of the network, a deception device type can be determined. A second network that includes a deception mechanism corresponding to the deception device type can be determined. A network tunnel from the mixed network to the second network can be configured. The network tunnel enables the deception mechanism to be a node on the mixed network, such that the deception mechanism can be accessed from the mixed network. The deception mechanism can be used to monitor the mixed network for network abnormalities. An action can be taken when the deception mechanism detects an abnormality.
    Type: Grant
    Filed: June 1, 2017
    Date of Patent: June 18, 2019
    Assignee: Acalvio Technologies, Inc.
    Inventors: Rammohan Varadarajan, Sreenivas Gukal
  • Patent number: 10270789
    Abstract: Provided are systems, methods, and computer-program products for a targeted threat intelligence engine, implemented in a network device. The network device may receive incident data, which may include information derived starting at detection of an attack on the network until detection of an event. The network device may include analytic engines that run in a predetermined order. An analytic engine can analyze incident data of a certain data type, and can produce a result indicating whether a piece of data is associated with the attack. The network device may produce a report of the attack, which may include correlating the results from the analytic engines. The report may provide information about a sequence of events that occurred in the course of the attack. The network device may use the record of the attack to generate indicators, which may describe the attack, and may facilitate configuring security for a network.
    Type: Grant
    Filed: January 12, 2017
    Date of Patent: April 23, 2019
    Assignee: ACALVIO TECHNOLOGIES, INC.
    Inventor: Abhishek Singh
  • Patent number: 10230745
    Abstract: Provided are methods, network devices, and computer-program products for targeted threat intelligence using a high-interaction network. In some implementations, a network device in a network may receive suspect network traffic. The suspect network traffic may include network traffic identified as potentially causing harm to the network. The network device may determine that the suspect traffic is associated with an unknown threat. The network device may further analyze the suspect network traffic using a high-interaction network. In various implementations, the high-interaction network may be configured to emulate at least a part of the network. In various implementations, analyzing the suspect network traffic may include determining a behavior of the suspect network traffic in the high-interaction network. The network device may further generate indicators, where the indicators may describe the suspect network traffic.
    Type: Grant
    Filed: January 12, 2017
    Date of Patent: March 12, 2019
    Assignee: ACALVIO TECHNOLOGIES, INC.
    Inventors: Abhishek Singh, Sreenivas Gukal
  • Patent number: 10218741
    Abstract: Provided are systems, methods, and computer program products for a cyber-vaccination technique. In various implementations, the cyber-vaccination technique includes using a network device that is infected by a malware program to determine a marker generated by the malware program. The marker may indicate to the malware program that the network device has been infected by the malware program. Determining the marker can include identifying a placement of the marker on the network device. The technique further includes identifying one or more other network devices that have not previously been infected by the malware program. The technique further includes automatically distributing copies of the marker. When a copy of the marker is received at one of the previously identified, uninfected network devices, the identified network device can place the marker on the identified network device according to the identified placement.
    Type: Grant
    Filed: March 23, 2017
    Date of Patent: February 26, 2019
    Assignee: ACALVIO TECHNOLOGIES, INC.
    Inventor: Rajendra A. Gopalakrishna
  • Patent number: 10193924
    Abstract: Methods, devices, and systems are described for diverting a computer hacker from a physical or other targeted production computer to a decoy software-based host emulator that emulates the physical computer. The decoy has the exact same IP address as the physical computer. In order to avoid packet collisions, a programmable physical switch and a virtual networking switch are employed, both of which can use software-defined networking (SDN). The virtual switch prevents packets from the decoy from flowing out of its virtual network until commanded. Upon a command, the physical switch redirects specific flows to the virtual switch, and the virtual switch opens specific flows from the decoy. The specific flows are those with packets containing the hacker's computer IP address, production computer IP address, and production computer port. The packets are associated with TCP connections or UDP sessions. The decoy host emulator can be a virtual machine (VM) running alongside many other VMs in a single computer.
    Type: Grant
    Filed: September 8, 2015
    Date of Patent: January 29, 2019
    Assignee: ACALVIO TECHNOLOGIES, INC.
    Inventors: Johnson L. Wu, Catherine V. Hart, Leo R. Versola, Eric Winsborrow
  • Publication number: 20180351996
    Abstract: Provided are systems, methods, and computer-program products for providing network deceptions using a network tunnel. In various implementations, a network device on a first network can be configured as a projection point. A projection point can be configured as one endpoint of a network tunnel. The other end of the network tunnel can terminate at a deception farm. The deception farm can host a second network, where the second network includes network devices configured as deception mechanisms. By assigning a deception mechanism a network address from the first network, the network address and the network tunnel enable the deception mechanism to appear as a node in the first network.
    Type: Application
    Filed: May 18, 2018
    Publication date: December 6, 2018
    Applicant: Acalvio Technologies, Inc.
    Inventors: Johnson Wu, Sreenivas Gukal, Rammohan Varadarajan
  • Patent number: 10104120
    Abstract: Provided are systems, methods, and computer program products for a cyber-antibody technique. In various implementations, the technique includes monitoring, by a network device infected with an unknown malware program, packets sent by the network device onto a network. The technique further includes identifying a packet that is associated with the unknown malware program. The packet can be identified from among the monitored packets. Identifying the packet can include determining a characteristic of the packet. The technique further includes identifying packets that have a characteristic similar to the characteristic of the packet. The technique can further include inserting data associated with a known malware program into the identified packets. The technique can further include distributing the characteristic to other network devices, to similarly taint packets that may be issued from those other network devices.
    Type: Grant
    Filed: March 23, 2017
    Date of Patent: October 16, 2018
    Assignee: ACALVIO TECHNOLOGIES, INC.
    Inventor: Rajendra A. Gopalakrishna
  • Patent number: 10033762
    Abstract: Provided are methods, network devices, and computer-program products for a network deception system. The network deception system can engage a network threat with a deception mechanism, and dynamically escalate the deception to maintain the engagement. The system can include super-low, low, and high-interaction deceptions. The super-low deceptions can respond to requests for address information, and require few computing resources. When network traffic directed to the super-low deception requires a more complex response, the system can initiate a low-interaction deception. The low-interaction deception can emulate multiple devices, which can give the low-interaction deception away as a deception. Hence, when the network traffic includes an attempted connection, the system can initiate a high-interaction deception. The high-interaction deception more closely emulates a network device, and can be more difficult to identify as a deception.
    Type: Grant
    Filed: April 25, 2017
    Date of Patent: July 24, 2018
    Assignee: ACALVIO TECHNOLOGIES, INC.
    Inventors: Johnson Wu, Rajendra A. Gopalakrishna, Sreenivas Gukal, Rammohan Varadarajan
  • Publication number: 20180198806
    Abstract: Provided are systems, methods, and computer program products for a cyber-vaccination technique. In various implementations, the technique includes determining characteristics of a testing environment. A testing environment can be used to analyze malware programs. The technique can further include configuring a production network device with the characteristics, so that the production network device resembles the testing environment. The production network device is used for network operations, which excludes analyzing malware programs.
    Type: Application
    Filed: March 23, 2017
    Publication date: July 12, 2018
    Applicant: Acalvio Technologies, Inc.
    Inventor: Rajendra A. Gopalakrishna
  • Publication number: 20180198801
    Abstract: Provided are systems, methods, and computer program products for a cyber-antibody technique. In various implementations, the technique includes monitoring, by a network device infected with an unknown malware program, packets sent by the network device onto a network. The technique further includes identifying a packet that is associated with the unknown malware program. The packet can be identified from among the monitored packets. Identifying the packet can include determining a characteristic of the packet. The technique further includes identifying packets that have a characteristic similar to the characteristic of the packet. The technique can further include inserting data associated with a known malware program into the identified packets. The technique can further include distributing the characteristic to other network devices, to similarly taint packets that may be issued from those other network devices.
    Type: Application
    Filed: March 23, 2017
    Publication date: July 12, 2018
    Applicant: Acalvio Technologies, Inc.
    Inventor: Rajendra A. Gopalakrishna
  • Publication number: 20180198821
    Abstract: Provided are systems, methods, and computer program products for a cyber-vaccination technique. In various implementations, the cyber-vaccination technique includes using a network device that is infected by a malware program to determine a marker generated by the malware program. The marker may indicate to the malware program that the network device has been infected by the malware program. Determining the marker can include identifying a placement of the marker on the network device. The technique further includes identifying one or more other network devices that have not previously been infected by the malware program. The technique further includes automatically distributing copies of the marker. When a copy of the marker is received at one of the previously identified, uninfected network devices, the identified network device can place the marker on the identified network device according to the identified placement.
    Type: Application
    Filed: March 23, 2017
    Publication date: July 12, 2018
    Applicant: Acalvio Technologies, Inc.
    Inventor: Rajendra A. Gopalakrishna