Abstract: A system for sanitizing an organization's network against attacker breach, including a data collector, gathering information about network hosts, an analyzer constructing the organization's network topology, a machine learning engine categorizing the hosts into organizational units and identifying key assets of the organization, a security rules engine mapping real-time data, and inferring security rules that prescribe on which specific hosts which specific credentials are permitted to be stored, and a user interface including an analyst dashboard enabling an analyst to visualize in real-time activities within the organizations' network, to automatically infer security rules for the network, to activate the security rules in the network, and to eliminate potential attack vectors for which the activated security rules are violated, and an attacker view visualizing the organization's network, identifying security rule violations across the organization's network, and enabling removal of credential-based securit

Abstract: A security system for point of sale (POS) terminals, including one or more POS processors for injecting decoy credit cards numbers into memories of corresponding one or more POS terminals, a secure database including entries of the decoy credit card numbers and, for each entry, a corresponding identifier of a specific POS terminal and a corresponding date & time, and a security manager receiving a notification of attempted use of a specific decoy credit card number, extracting the POS identifier and the date & time corresponding to the specific decoy credit card number from the database, identifying legitimate credit card numbers that were processed by the identified POS terminal during a time period including the date & time corresponding to the specific decoy credit card number, and alerting an authority that the legitimate credit card numbers may have been compromised.

Abstract: A network surveillance method to detect attackers, including planting one or more honeytokens in one or more resources in a network of computers in which users access the resources in the network based on credentials, wherein a honeytoken is an object in memory or storage of a first resource that may be used by an attacker to access a second resource using decoy credentials, including planting a first honeytoken in a first resource, R1, used to access a second resource, R2, using first decoy credentials, and planting a second honeytoken in R1, used to access a third resource, R3, using second decoy credentials, and alerting that an attacker is intruding the network only in response to both (i) an attempt to access R2 using the first decoy credentials, and (ii) a subsequent attempt to access R3 using the second decoy credentials.

Abstract: A system for managing attacker incidents, including a mobile device manager (MDM) receiving instructions to deploy deceptions on a mobile device used by an employee of an organization in conjunction with a network of the organization and, in response to the instructions, running a dedicated agent on the mobile device, wherein the dedicated agent is configured to register the mobile device and its current deceptions state, and install deceptions in the mobile device, a trap server triggering an incident in response to an attacker attempting to use deceptive data that was installed in the mobile device, and a deception management server sending instructions to the MDM to deploy deceptions on the mobile device, registering the mobile device and its deceptions state, receiving the notification from the trap server that an incident has occurred, and in response thereto instructing the MDM to run forensics on the mobile device.

Abstract: A system for detecting malicious activity in networks, including a deception manager having administrative credentials for a network, planting deceptions within network hosts, and distributing a decoy agent to each endemic decoy host (EDH), each deception including information regarding decoy communication ports of an EDH, each EDH having a group of ports, referred to as decoy ports, for connection by an attacker from a network host that the attacker has breached, wherein each decoy agent is programmed to alert the deception management server, and to proxy communication with the attacker to a trap server, in response to the decoy agent identifying the attacker attempting a connection to the decoy agent's EDH via one of the decoy ports, and a forensic collector that collects, from the breached network host, forensics of the attacker's activity, when the decoy agent acts as a proxy between the attacker and the trap server.

Abstract: A method for operation of a deception management server, for detecting and hindering attackers who target containerized clusters of a network, including learning the network environment, including finding existing container instances, finding existing services and relationships, extracting naming conventions in the environment, and classifying the most important assets in the environment, creating deceptions based on the learning phase, the deceptions including one or more of (i) secrets, (ii) environment variables pointing to deceptive databases, web servers or active directories, (iii) mounts, (iv) additional container instances comprising one or more of file server, database, web applications and SSH, (v) URLs to external services, and (vi) namespaces to fictional environments, planting the created deceptions via a container orchestrator, via an SSH directly to the containers, or via the container registry, and issuing an alert when an attacker attempts to connect to a deceptive entity.

Abstract: A system for generating and deploying custom deceptions for a network, including an administrator computer for generating custom deception entities (CDEs), each CDE including parameters including inter alia (i) a type of entity, (ii) conditions for deployment of the CDE, and (iii) a deception type, and a management server, comprising an application programming interface for use by the administrator computer to generate CDEs through the medium of a formal language for specifying deceptions, and a translator for translating formal language CDEs to deceptions that are installable in network endpoint computers, wherein the management computer receives a request from a network endpoint computer to retrieve CDEs, selects CDEs that are relevant to the requesting network endpoint computer based on the parameters of the CDE, translates the requested CDEs to installable deceptions, and transmits the installable deceptions to the network endpoint computer for installation thereon.

Abstract: A system for deceiving an attacker who harvests credentials within an enterprise network, including a management server deploying a deceptive agent on an endpoint computer of the enterprise network, the deceptive agent including a hook manager creating system hooks on resources in the endpoint computer that holds valuable credentials, which would be desired by attackers, and a deceptive content provider, generating deceptive content and returning the deceptive content to a malicious process run by an attacker on the endpoint computer, the malicious process making a read request directed to a resource in the endpoint computer that holds valuable credentials, thus making it appear to the attacker that a response is coming from the resource whereas in fact the response is coming from the deceptive agent, when the hook manager hooks the read request.

Abstract: A system to detect attackers who attempt to breach an enterprise network and attackers who have already breached the enterprise network, including an open source intelligence (OSINT) discoverer scanning the Internet to discover data related to an enterprise that is available online, an OSINT replacer generating deceptive files by replacing placeholders within template files with deceptive information, based on the data discovered by the OSINT discoverer, an OSINT distributor planting the deceptive files generated by the OSINT replacer within designated OSINT resources, and a deception management server that alerts an administrator in response to an attacker attempting to make a connection within the network using information in a deceptive file planted by the OSINT distributor.

Abstract: A cyber security system comprising circuitry of a decoy deployer planting one or more decoy lateral attack vectors in each of a first and a second group of resources within a common enterprise network of resources, the first and second groups of resources having different characteristics in terms of subnets, naming conventions, DNS aliases, listening ports, users and their privileges, and installed applications, wherein a lateral attack vector is an object of a first resource within the network that has a potential to be used by an attacker who discovered the first resource to further discover information regarding a second resource within the network, the second resource being previously undiscovered by the attacker, and wherein the decoy lateral attack vectors in the first group conform to the characteristics of the first group, and the decoy lateral attack vectors in the second group conform to the characteristics of the second group.

Abstract: A system for network surveillance to detect attackers, including a deception management server within a network of resources, including a deployment module managing and planting one or more decoy attack vectors in one or more of the resources in the network, wherein an attack vector is an object in memory or storage of a first resource that may be used to access a second resource, and one or more decoy servers accessible from resources in the network, each decoy server including an alert module that issues an alert when a specific resource in the network accesses the decoy server via one or more of the decoy attack vectors planted in the specific resource by the deployment module, and a delay module, delaying access to data on the decoy server while a resource accesses the decoy server.

Abstract: A method for cyber security, including detecting, by a management server, a breach by an attacker of a resource within a network of resources, predicting, by the management server, an attacker target subnet, based on connections created during the breach, and isolating, by the management server, the target subnet in response to the predicting a target subnet.

Abstract: A deception management system to detect attackers within a dynamically changing network of computer resources, including a deployment governor dynamically designating deception policies, each deception policy including names of non-existing web servers, and levels of diversity for planting the names of non-existing web servers in browser histories of web browsers within resources of the network, the levels of diversity specifying how densely the name of each non-existing web server is planted within resources of the network, a deception deployer dynamically planting the names of non-existing web servers in the browser histories of the web browsers in resources in the network, in accordance with the levels of diversity of the current deception policy, and a notification processor transmitting an alert to an administrator of the network in response to an attempt to access one of the non-existing web servers.

Abstract: A network surveillance system, including a management server within a network of resources in which users access the resources in the network based on credentials, including a deployment module planting honeytokens in resources in the network, wherein a honeytoken is an object in memory or storage of a first resource that may be used by an attacker to access a second resource using decoy credentials, and wherein the deployment module plants a first honeytoken in a first resource, R1, used to access a second resource, R2, using first decoy credentials, and plants a second honeytoken in R2, used to access a third resource, R3, using second decoy credentials, and an alert module alerting that an attacker is intruding the network only in response to both an attempt to access R2 using the first decoy credentials, and a subsequent attempt to access R3 using the second decoy credentials.

Abstract: A method for cyber security, including detecting, by a management server, a breach by an attacker of a resource within a network of resources, wherein access to the resources via network connections is governed by a firewall, predicting, by the management server, which servers in the network are compromised, based on connections created during the breach, and creating, by the management server, firewall rules to block access to the predicted compromised servers from the breached resource, in response to said predicting which servers.

Abstract: A deception management system (DMS) to detect attackers within a network of computer resources, including a discovery tool auto-learning the network naming conventions for user names, workstation names, server names and shared folder names, and a deception deployer generating one or more decoy attack vectors in the one or more resources in the network based on the network conventions learned by the discovery tool, so that the decoy attack vectors conform with the network conventions, wherein an attack vector is an object in a first resource of the network that has a potential to lead an attacker to access or discover a second resource of the network.

Abstract: A cyber security system to detect attackers, including a data collector collecting data regarding a network, the data including network resources and users, a learning module analyzing data collected by the network data collector, determining therefrom groupings of the network resources into at least two groups, and assigning a customized decoy policy to each group of resources, wherein a decoy policy for a group of resources includes one or more decoy attack vectors, and one or more resources in the group in which the one or more decoy attack vectors are to be planted, and wherein an attack vector is an object of a first resource that may be used to access or discover a second resource, and a decoy deployer planting, for each group of resources, one or more decoy attack vectors in one or more resources in that group, in accordance with the decoy policy for that group.

Abstract: A method for cyber security, including detecting, by a decoy management server, a breach by an attacker of a specific resource within a network of resources in which users access the resources based on credentials, wherein each resource has a domain name server (DNS) record stored on a DNS server, changing, by the decoy management server, the DNS record for the breached resource on the DNS server, in response to the detecting, predicting, by the decoy management server, which credentials are compromised, based on credentials stored on the breached resource, and changing, by the decoy management server, those credentials that were predicted to be compromised, in response to the predicting which credentials.

Abstract: A network surveillance system including a deception management server within a network, including a deployment module managing and planting decoy attack vectors in network resources, wherein an attack vector is an object in memory or storage of a first resource that may be used to access a second resource, and decoy servers accessible from resources in the network via decoy attack vectors, each decoy server including a forensic alert module causing a real-time forensic application to be transmitted to a destination resource in the network when the decoy server is being accessed by a specific resource in the network via a decoy attack vector, wherein the forensic application, when launched in the destination resource, identifies a process running within the specific resource that is accessing that decoy server, logs the activities performed by the thus-identified process in a forensic report, and transmits the forensic report to the deception management server.

Abstract: A deception management system to detect attackers within a dynamically changing network, including a deployment governor dynamically designating a deception policy that includes one or more decoy attack vectors, one or more resources of the network in which the decoy attack vectors are generated, and a schedule for generating the decoy attack vectors in the resources, wherein an attack vector is an object in a first resource that may be used by an attacker to access or discover a second resource, and wherein the network of resources is dynamically changing, a deception deployer dynamically generating decoy attack vectors on resources in the network, in accordance with the current deception policy, a deception adaptor dynamically extracting characteristics of the network, and a deception diversifier dynamically triggering changes in the deception policy based on changes in the network as detected from the network characteristics extracted by the deception adaptor.