Abstract: Security in a computing environment is enhanced by analyzing telemetry data from an agent on a device, along with user integrity information, to detect events that suggest compromised credentials. When such an event is detected, a risk level is assigned based on the analysis. This risk level is then correlated with a corresponding authentication difficulty level, which specifies the types and strengths of authentication mechanisms to be used. The selected authentication difficulty level is applied across multiple devices within the environment, enabling adaptive and dynamic protection against unauthorized access due to compromised credentials.

Abstract: Techniques for countering ransomware are provided in which key material can be captured, for example, by a telemetry component. The key material is created or otherwise used by a process executing on a monitored computing device and characterizes entropy used by ransomware to generate a ransomware encryption key. This captured key material is used to reconstruct the ransomware encryption key. This key, in turn, is used to decrypt ransomware-encrypted files.

Abstract: An agent executing on a monitored computing device intercepts runtime execution data associated with a process by utilizing hooks into cryptographic application programming interfaces (APIs). The agent constructs a dynamic execution graph, where each node represents an intercepted cryptographic API call and each edge reflects an inferred relationship between nodes derived from the runtime execution data. Cryptographic entanglement metrics are computed based on the dynamic execution graph, characterizing structural properties of cryptographic behavior within the process. When these computed metrics indicate that the process is part of a ransomware attack, one or more remediation actions are initiated to thwart the advancement of the attack.

Abstract: Applications and processes executing on an endpoint are monitored to identify behavior indicative of malicious activity such as a ransomware attack. Messages generated from this monitoring as well as messages derived from external sources are stored in a queue for routing. A router selects some messages from the queue based on a routing policy and sends them to a cloud-based platform that can initiate various actions based on received messages. The router also sends some messages from the queue to a module that analyzes the messages and reduces their size by aggregating, correlating, and detecting relevant information. The module puts the modified messages back into the queue for further routing by the router according to the policy. Related apparatus, systems, techniques and articles are also described.

Abstract: Time series behavioral data derived from operating system events on a monitored computing device is monitored at a kernel level. Based on this monitoring, a feature vector is populated or updated with features indicative of ransomware. These features are extracted or otherwise derived from the time series behavioral data. The feature vector can be input into a machine learning model (e.g., a modified gated recurrent unit, etc.) to characterize whether the time series behavioral data is indicative of a ransomware event. Data indicating a probability of a ransomware event occurring is provided to a consuming application or process. One or more remediation actions to thwart the ransomware event can be initiated when the probability level is above a threshold.

Abstract: Information characterizing a security event is received from an agent executing on an endpoint computing device. The received information identifies a plurality of files encrypted as part of a ransomware attack and key material used when encrypting each of the files. Based on the received information, a surveyor package is generated which includes decryptor logic to decrypt at least a portion of the files. The surveyor package is deployed to the agent so that it can be unpacked and executed to decrypt at least a portion of the files. Once these files are decrypted, then can be transported to a safe computing environment Related apparatus, systems, techniques and articles are also described.

Abstract: Data is received that comprises or characterizes an executable and dynamic linked library (DLL). Features are then extracted from the executable and DLL. The extracted features are input into at least one machine learning model to generate a suspiciousness score. The machine learning model can be trained to determine whether the executable file comprises ransomware. An execution chain of trust score for the executable and DLL can later be determined based on the extracted features and the suspiciousness score. This execution chain of trust score for the executable and DLL characterizes one or more associated parent processes. This suspiciousness score and the execution chain of trust score can be used to determine whether or not to initiate one or more ransomware countermeasures. Related apparatus, systems, techniques and articles are also described.

Abstract: A notification message is received indicating an upload of a file to a cloud service. An analysis engine (which can execute one or more machine learning models or other analysis operations) can generate information that characterizes the file which can be indicative of a level of trustworthiness for the file. In response to the generated information, each of a plurality of judges are notified to commence or revisit a judging process. In response to the notifications, the judges (which can execute one or more machine learning models or other analysis operations) retrieve the generated information and determine a respective trustworthiness score for the file. These scores can be stored in a corresponding judge database and/or data can be provided which characterizes the determined trustworthiness scores to a consuming application or process. Related apparatus, systems, techniques and articles are also described.

Abstract: A program identity of an unknown binary is inferred in response to a trigger (e.g., a request to access or execute the unknown binary, etc.). One or more authentication factors are then executed to authenticate the inferred program identity of the unknown binary as being one of a plurality of different programs. The program can be selectively provided with access to system resources and/or sensitive operations can be limited based on a program nature of the authenticated program identity. In some variations, the authentication factors cause a modified authentication workflow in which a human user provides input as to whether or not to authenticate the inferred program identity.

Abstract: Applications and processes executing on an endpoint are monitored to identify behavior indicative of malicious activity such as a ransomware attack. Messages generated from this monitoring as well as messages derived from external sources are stored in a queue for routing. A router selects some messages from the queue based on a routing policy and sends them to a cloud-based platform that can initiate various actions based on received messages. The router also sends some messages from the queue to a module that analyzes the messages and reduces their size by aggregating, correlating, and detecting relevant information. The module puts the modified messages back into the queue for further routing by the router according to the policy. Related apparatus, systems, techniques and articles are also described.