Abstract: An electronic device for receiving and seamlessly providing cybersecurity analyzer updates and concurrent management systems for detecting cybersecurity threats including a processor and a memory communicatively coupled to the processor. The memory stores an analyzer logic to generate a first analyzer configured to receive a suspicious object for threat evaluation, an inspection logic to manage a first queue of suspicious objects for threat evaluation to the first analyzer, and an update logic to receive updated cybersecurity analytics content data. The analyzer logic receives updated cybersecurity analytics content data and can generate a second analyzer that incorporates at least a portion of the parsed updated cybersecurity analytics content data.

Abstract: Disclosed herein is a computerized method for emulating processing of a peripheral device including operations of providing an insertion emulation signal to a computing device emulating insertion of the peripheral device to a port of the computing device, intercepting a request for a device descriptor of the peripheral device from a PnP manager operating on the computing device, providing a device descriptor of the peripheral device to the PnP manager, wherein the PnP manager is configured to enumerate the emulated peripheral device, intercepting one or more universal serial bus (USB) request blocks (URBs) from the PnP manager, and responsive to each of the one or more URBs, providing a response to the PnP manager. The insertion emulation signal may emulate a voltage transition on a data line of the port of the computing device. The peripheral device may adhere to a USB standard.

Abstract: In an example, a threat intelligence controller is configured to operate on a data exchange layer (DXL). The threat intelligence controller acts as a DXL consumer of reputation data for a network object, which may be reported in various different types and from various different sources. Of the devices authorized to act as reputation data producers, each may have its own trust level. As the threat intelligence controller aggregates data from various providers, it may weight the reputation reports according to trust level. The threat intelligence engine thus builds a composite reputation for the object. When it receives a DXL message requesting a reputation for the object, it publishes the composite reputation on the DXL bus.

Abstract: An apparatus includes a memory that stores instructions; and a processing unit that executes the instructions to identify a created process, to receive a notification of a first event for an ancestor process and a notification for a second event for the created process, the notification of the first event indicating a first ActivityID and a first ID, the notification of the second event indicating a second ActivityID and a second ID, the first ID being different from the second ID, to perform a first determination that the created process was created by a component object model (COM) call, at least in part based on the second ID, and to perform a second determination that the ancestor process indirectly created the created process, at least in part based on the first and second ActivityIDs and the first determination.

Abstract: A method in an embodiment includes detecting a change for a virtual machine in a virtual server of a virtual network infrastructure, determining whether a virtual security appliance is configured in the virtual server, and sending a request to create the virtual security appliance in the virtual server. The method further includes allowing the virtual machine to initiate when the virtual security appliance is created in the virtual machine. The virtual security appliance performs security inspections on network packets sent from the virtual machine. In more specific embodiments, the method further includes creating an intercept mechanism in the virtual server to intercept the network packets from the virtual machine. In further embodiments, one or more security policies identify one or more virtual security appliances to process the network packets from the virtual machine.

Abstract: A system and method for detecting phishing cyberattacks. The method involves parsing a code segment retrieved using a suspect uniform resource locator (URL) to identify any links included in the code segment. From these links, additional code segments may be recovered in accordance with a code segment recovery scheme. Thereafter, analytics are performed on the retrieved and possibly recovered code segments. The analytics include determining whether any of the code segments is correlated with a code segment associated with a known prior phishing cyberattack. Upon completing the analytics, an alert message including meta-information associated with results from the analytics is generated to identify that the URL is associated with a known prior phishing cyberattack when one or perhaps a combination of code segments associated with the URL are correlated to any code segment associated with a known prior phishing cyberattack.

Abstract: A system and non-transitory computer-readable medium including security logic engine (SLE) to detect malicious objects based on operations conducted by an endpoint device and/or a malware detection system. The SLE includes formatting logic and a correlation engine. The formatting logic is configured to receive data from an endpoint device and a malware detection system via a network interface and to convert the data into a format used by logic within the SLE. The correlation engine is configured to (i) correlate a plurality of features included as part of the data with known behaviors and characteristics of at least malicious objects and (ii) correlate a first set of features of the plurality of features received from the endpoint device with a second set of features of the plurality of features received from the malware detection system to verify a determination of maliciousness by the endpoint device and/or the malware detection system.

Abstract: Embodiments are disclosed herein for remote retrieval of information from endpoints and comprise receiving a master query at an endpoint in a network environment and executing a set of one or more subqueries defined in the master query. Embodiments also comprise an execution of a first subquery that includes executing a function to produce a first output, applying one or more conditions to the first output to determine a second output, and determining a result of the master query based, at least in part, on the second output. In specific embodiments, the master query is received from another node over a network connection. In more specific embodiments, the function is executed on the endpoint to collect real-time information based on one or more parameters. In further embodiments, the function is one of a plug-in or a script.

Abstract: Apparatus, systems, and methods to classify malware with explainability are disclosed. An example apparatus includes at least one memory; instructions in the apparatus; and processor circuitry. The example processor circuitry is to execute the instructions to: generate feature vectors from a first input; train a neural network model using a first portion of the feature vectors; add one or more fully connected layers to the trained neural network model to form a hybrid model; validate the hybrid model using a second portion of the feature vectors; and deploy the validated hybrid model as a malware classifier, the malware classifier to provide a malware classification with explainability in response to a second input.

Abstract: A method performed by an enterprise search system to conduct an automated, computerized search for select operational attributes of a plurality of network devices is shown. The method comprises initiating the search via a user interface based on receipt of input information, which is used to form a query. The method then determines based on the query, one or more audits each specifying one or more tasks to be performed by at least a first network device to search for the select operational attributes. Subsequently, the method makes the one or more audits available to the first network device via a network, and receives, from the first network device, one or more responses to the query. The method may include generating one or more filter conditions to apply to results of executing the one or more tasks to yield the select operational attributes when included in the results.

Abstract: Methods, apparatus, systems, and articles of manufacture are disclosed. In one example, an apparatus includes at least one memory, instructions, and processor circuitry. The processor circuitry at least executes or instantiates the instructions to receive a group of indicators from a campaign attack, then query an indicator database with an indicator from the group of indicators, and then predict an identification of the campaign attack in response to the indicator having a current deterministic indicator and confidence scoring (DISC) score in the indicator database, wherein the DISC score represents at least one of a lethality component, a determinism component, or a confidence component of the indicator.

Abstract: A system for securing electronic devices includes a processor, non-transitory machine readable storage medium communicatively coupled to the processor, security applications, and a security controller. The security controller includes computer-executable instructions on the medium that are readable by the processor. The security application is configured to determine a suspicious file from a client using the security applications, identify whether the suspicious file has been encountered by other clients using the security applications, calculate a time range for which the suspicious file has been present on the clients, determine resources accessed by the suspicious file during the time range, and create a visualization of the suspicious file, a relationship between the suspicious file and the clients, the time range, and the resources accessed by the suspicious file during the time range.

Abstract: A system and method directed toward the deployment of one or more security plug-ins for software components (e.g., applications) that analyze incoming content and selectively prevent malicious portions of the content from being processed by the applications without limiting the processing and/or rendering of the legitimate (non-malicious) portions of the incoming content is described. Each of the security plug-ins is communicatively coupled to a published interface of a software component, such as an application. The security plug-in includes logic to (i) gain access to content received by the software component prior to processing of the content by the software component, (ii) parse the content into separate segments, (iii) analyze each content segment to determine whether the content segment is malicious or non-malicious, and (iv) permit rendering of one or more non-malicious content segments while preventing processing of one or more malicious content segments.

Abstract: Example apparatus disclosed herein to perform a cybersecurity investigation are to generate an information graph based on a set of information seeker tools in response to detection of a threat alert in a monitored network, and search the information graph for a reference pattern associated with a cybersecurity threat. Disclosed example apparatus are also to, in response to detection of a portion of the reference pattern in the information graph, (i) select a first one of information seeker tools associated with a first input-output relationship capable of expanding the portion of the reference pattern to complete the reference pattern, and (ii) execute the first one of information seeker tools to complete the reference pattern associated with the cybersecurity threat.

Abstract: A cloud-based system is design with multi-tenancy controls for conducting analytics performed on objects submitted by a subscriber. This system features an analysis monitoring service and an analysis selection services. The analysis monitoring service, operating as a first cloud service, includes logic that is configured to collect metadata associated with an operating state for each of a plurality of clusters and generate cluster selection information. The analysis selection service, operating as a second cloud service and communicatively coupled to the analysis monitoring service, is configured to select a cluster of the plurality of clusters to analyze the object for malware based, at least in part, on the cluster selection information provided from the analysis monitoring service.

Abstract: A device for verifying previous determinations from cybersecurity devices comprising a processor and a memory. The memory comprises submission analysis logic including workflow selector logic to receive the object data and process the object data to select at least one analyzer supported by the analyzer logic. The analyzer logic, in accordance with the selected analyzer(s), is configured to (i) analyze the object data for potential threats and embedded object data, (ii) generate results data based on that analysis, and (iii) pass the embedded object data back to the workflow selector for further analysis. Finally, the submission analysis logic comprises triage ticket generation logic to generate triage tickets for analyst review and alert logic to generate automatic alerts.

Abstract: Disclosed is a cyber-security system that is configured to aggregate and unify data from multiple components and platforms on a network. The system allows security administrators to design and implement a workflow of device-actions taken by security individuals in response to a security incident. Based on the nature of a particular threat, the cyber-security system may initiate an action plan that is tailored to the security operations center and their operating procedures to protect potentially impacted components and network resources.

Abstract: A technique verifies a determination of an exploit or malware in an object at a malware detection system (MDS) appliance through correlation of behavior activity of the object running on endpoints of a network. The appliance may analyze the object to render a determination that the object is suspicious and may contain the exploit or malware. In response, the MDS appliance may poll the endpoints (or receive messages pushed from the endpoints) to determine as to whether any of the endpoints may have analyzed the suspect object and observed its behaviors. If the object was analyzed, the endpoints may provide the observed behavior information to the appliance, which may then correlate that information, e.g., against correlation rules, to verify its determination of the exploit or malware. In addition, the appliance may task the endpoints to analyze the object, e.g., during run time, to determine whether it contains the exploit and provide the results to the appliance for correlation.

Abstract: A system for securing electronic devices includes a processor, a storage medium communicatively coupled to the processor, and a monitoring application comprising computer-executable instructions on the medium. The instructions are readable by the processor. The monitoring application is configured to receive an indication that a client has been affected by malware, cause the client to boot from a trusted operating system image, cause a launch of a secured security application on the client from a trusted application image, and analyze a malware status of the client through the secured security application.

Abstract: Methods, apparatus, systems and articles of manufacture are disclosed for generic process chain entity mapping. An example apparatus includes at least one memory, instructions in the apparatus, and processor circuitry to execute the instructions to receive process chain input data, the input data including a system path, identify a match between a path alias and the input data, wherein the path alias includes an alias for one or more system path format patterns, extract at least one of (1) metadata information or (2) command line parameter information from the match, and output transformed data based on the at least one of the extracted metadata information or command line parameter information, the transformed data output in a generalized format.