Abstract: Aspects of the disclosure relate to providing training and information based on simulated cybersecurity attack difficulty. A computing platform may retrieve data associated with a plurality of attack templates for simulating cybersecurity attacks. Subsequently, the computing platform may use one or more models to compute a predicted failure rate for each template of the plurality of attack templates in order to yield a plurality of predicted failure rates for an organization. Based on the plurality of predicted failure rates, the computing platform may use one or more of the plurality of attack templates to configure a simulated cybersecurity attack on the organization. Then, the computing platform may send, via the communication interface, to an administrator user device associated with the organization, information about the simulated cybersecurity attack and may execute the simulated cybersecurity attack.

Abstract: The technology disclosed relates to detection of data traffic in computing environments, such as cloud environments. Example systems and methods detect a plurality of workloads in a virtual network in a computing environment and deploy a plurality of probe agents to the plurality of workloads. Each respective probe agent detects network traffic on a respective workload of the plurality of workloads, scans a data packet that is at least one of sent or received by the respective workload, generates a data classification relative to the data packet, and generates a scan result that includes packet payload information and an indication of the data classification. The scan results are received from the plurality of probe agents and a computing action is performed based on scan results.

Abstract: Aspects of the disclosure relate to dynamically providing cybersecurity training based on user-specific threat information. A computing platform may receive, from a targeted attack protection (TAP) server, user-specific threat information indicating at least one threat that has been encountered by at least one user. The computing platform may identify one or more users to receive cybersecurity training in a first cybersecurity training topic based on the user-specific threat information indicating the at least one threat that has been encountered by the at least one user. Subsequently, the computing platform may load one or more cybersecurity training modules based on identifying the one or more users to receive the cybersecurity training in the first cybersecurity training topic. Then, the computing platform may provide the one or more cybersecurity training modules to one or more user computing devices.

Abstract: Aspects of the disclosure relate to dynamic cybersecurity event detection and training functions. A computing platform may monitor a plurality of user devices to detect a cybersecurity training triggering event. In response to the detection, one or more cybersecurity training session prompts may be generated and transmitted to one or more user devices. User input providing a response to the cybersecurity training session prompt may be evaluated for accuracy and scored for the cybersecurity training session. In some examples, an overall cybersecurity score for a user may be maintained and modified based on the score for the cybersecurity training session. One or more modifications may be identified and executed based on the scores generated.

Abstract: Systems and methods for privacy-preserving transformer model training are provided. The system includes one or more data repositories in a computer network or cloud infrastructure having data stored therein. The system anonymizes the data in the one or more documents, and trains a transformer model on the data outside of the network. The data includes sensitive information. Anonymizing the data is includes extracting the data from the one or more documents and irreversibly transforming the data in the one or more documents into context-preserving tensors. Training the transformer model on the data comprises using the context-preserving tensors instead of the data to train the transformer model on the data.

Abstract: A method for determining risks associated with an identity in an organization network, including scanning an active directory for a network including a plurality of identities, to extract a plurality of attributes of the identities and their corresponding values. analyzing the extracted attribute values for an identity in the network to identify one or more risks associated with that identity, which an attacker can exploit, assigning a score to each risk identified by said analyzing, and further assigning a score to the identity based on the scores of the one or more risks associated with the identity.

Abstract: Systems, methods, and products for identifying IP mass hosts and determining whether they are good or bad. One embodiment is a method including selecting a first candidate IP address, identifying a set of domains hosted at the IP address, and identifying registrants of the domains. A number of unique ones of the registrants is determined and if the number of unique registrants exceeds a threshold number, the candidate IP address is deemed an IP mass host. Otherwise, the candidate IP address is deemed not to be an IP mass host. For an IP mass host, domains that have bad reputations are identified, and it is determined whether the bad domains comprise at least a threshold percentage of the total hosted domains. If the IP mass host has at least the threshold percentage of bad domains, the IP mass host is deemed a bad mass host.

Abstract: Aspects of the disclosure relate to using a machine learning system to process a corpus of documents associated with a user to determine a user-specific consequence index. A computing platform may load a corpus of documents associated with a user. Subsequently, the computing platform may create a first plurality of smart groups based on the corpus of documents, and then may generate a first user interface comprising a representation of the first plurality of smart groups. Next, the computing platform may receive user input applying one or more labels to a plurality of documents associated with at least one smart group. Subsequently, the computing platform may create a second plurality of smart groups based on the corpus of documents and the received user input. Then, the computing platform may generate a second user interface comprising a representation of the second plurality of smart groups.

Abstract: Systems, methods and products for identifying “similar” threats by clustering the threats based on corresponding forensics. A corpus of forensic data for a plurality of threat URLs is obtained by a threat protection system, the data including forensic elements corresponding to each threat URLs. For each pair of threat URLs, the corresponding forensic elements are examined to identify shared forensic elements. A similarity score is then generated for the pair of threat URLs based on the comparison of the corresponding forensic elements, including both malicious and non-malicious elements. Based on the similarity score generated for each pair of threat URLs, clusters of the threat URLs are identified, with each cluster including a subset of the plurality of threat URLs. Clusters of URLs similar to a selected URL may be identified by accessing the threat cluster information using a similar-threat search interface or through internal APIs of the threat protection system.

Abstract: Aspects of the disclosure relate to identifying potentially malicious messages and generating instream alerts based on real-time message monitoring. A computing platform may monitor a plurality of messages received by a messaging server associated with an operator. Subsequently, the computing platform may detect that a message of the plurality of messages is potentially malicious. In response to detecting that the message of the plurality of messages is potentially malicious, the computing platform may execute one or more protection actions. In executing the one or more protection actions, the computing platform may generate an alert message comprising information indicating that the message of the plurality of messages is potentially malicious. Then, the computing platform may send the alert message to the messaging server, which may cause the messaging server to deliver the alert message to a computing device associated with an intended recipient of the message.

Abstract: Aspects of the disclosure relate to automated simulated phishing lure generation for cybersecurity training. The computing platform may receive personalization data. The computing platform may generate, using a phishing lure generation model, one or more simulated synthetic phishing lures based on the personalization data. The computing platform may send the one or more simulated synthetic phishing lures to one or more user devices and one or more commands directing the one or more user devices to display the one or more simulated synthetic phishing lures, which may cause the one or more user devices to display the one or more simulated synthetic phishing lures. The computing platform may receive, from the one or more user devices, feedback data corresponding to user interactions with the simulated one or more synthetic phishing lures. The computing platform may update, using the feedback data, the phishing lure generation model.

Abstract: Aspects of the disclosure relate to providing a flexible and automated system for automatically detecting when emails include harmful content, flagging the emails, providing interactive reporting functionality, and providing follow-up enforcement actions to protect users. A computing platform may intercept an email in transit to an email server. Subsequently, the computing platform may analyze the email and generate at least one unique link for reporting suspicious content associated with the email. Next, the computing platform may generate an email warning tag comprising text information and the at least one unique link for reporting the suspicious content associated with the email. Then, the computing platform may inject the email warning tag into the email to produce a modified email comprising content from the email and the email warning tag, and may send the modified email to the email server.

Abstract: Taking a zero-configuration approach, a domain name discovery system utilizes, in an iterative process, WHOIS data and infrastructure data for a seed domain to automatically discover domain names having registration and/or infrastructure details that match those of the seed domain. Registration information such as a registered email address associated with a domain name discovered through WHOIS data matching or infrastructure data matching is utilized in a reverse lookup for domain names having infrastructure or WHOIS registered information that fully matches the information associated with the domain name discovered through the iterative process. Domain names discovered through WHOIS data matching, infrastructure data matching, and reverse lookup can be presented through a user interface on a client device communicatively connected to the domain name discovery system over a network. The domain name discovery can be performed periodically or in near real time responsive to receiving a new seed domain.

Abstract: The technology disclosed relates to systems and methods for analyzing data posture in a computing environment. In one example, a computer-implemented method includes identifying one or more computing services in a target computing environment to scan for data posture analysis, obtaining an access permission corresponding to the one or more computing services in the target computing environment, and deploying, to a scanner cloud environment that is distinct from the target computing environment, a scanner in accordance with a scanner definition and based on the access permission corresponding to the one or more computing services. The method includes obtaining a scanner result from the scanner deployed to the scanner cloud environment. The scanner result represents a scan of storage resources in the one or more computing services in the target computing environment using the access permission. The method further includes generating a data posture analysis result based on the scanner result.

Abstract: Systems, methods, and apparatuses directed to efficiently determining whether a device making a request to access an application or service is a managed device and using that information to set an appropriate security policy for the device or the request to access the application or service. In some embodiments, a service or server (referred to as a Managed Device Identification Service) is configured to request a client certificate from a device that is requesting access to a cloud-based application or service as part of a protocol handshake. If a certificate is received, it is compared to a stored certificate to determine if the device is a managed device and as a result, the appropriate security policy.

Abstract: A domain processing system is enhanced with a first-pass domain filter configured for loading character strings representing a pair of domains consisting of a seed domain and a candidate domain in a computer memory, computing a similarity score and a dynamic threshold for the pair of domains, determining whether the similarity score exceeds the dynamic threshold, and iterating the loading, the computing, and the determining for each of a plurality of candidate domains paired with the seed domain. A similarity score between the seed domain and the candidate domain and a corresponding dynamic threshold for the pair are computed. If the similarity score exceeds the corresponding dynamic threshold, the candidate domain is provided to a downstream computing facility. Otherwise, it is dropped. In this way, the first-pass domain filter can significantly reduce the number of domains that otherwise would need to be processed by the downstream computing facility.

Abstract: The technology disclosed relates to a computer-implemented method for detecting data posture of a computing environment. The method includes performing a scan of one or more data structures, detecting a plurality of classified data substructures based on the scan of the one or more data structures and, for each respective data substructure, transforming a plurality of data items from the respective data substructure into a respective data substructure signature using a signature encoder. The method includes applying a similarity query to identify a set of data substructures, from the plurality of classified data substructures, having a threshold level of similarity based on data substructure signatures associated with the set of data substructures.

Abstract: Aspects of the disclosure relate to spear phishing simulation using machine learning. A computing platform may send, to an enterprise user device, a spear phishing message. The computing platform may receive initial user interaction information indicating how a user of the enterprise user device interacted with the spear phishing message. Based on the initial user interaction information and using a series of branching message templates, the computing platform may generate additional spear phishing messages. The computing platform may receive additional user interaction information indicating how the user interacted with the additional spear phishing messages. Based on the initial user interaction information and the additional user interaction information, the computing platform may compute spear phishing scores.

Abstract: A spammy app detection system may search a database for any new social media application discovered during a recent time period. A spammy app detection algorithm can be executed on the spammy app detection system on an hourly basis to determine whether any of such applications is spammy (i.e., posting to a social media page anomalously). The spammy app detection algorithm has a plurality of stages. When a new social media application fails any of the stages, it is identified as a spammy app. The spammy app detection system can update the database accordingly, ban the spammy application from further posting to a social media page monitored by the spammy app detection system, notify an entity associated with the social media page, further process the spammy application, and so on. In this way, the spammy app detection system can reduce digital risk and spam attacks.

Abstract: The technology disclosed relates to a system and method for detecting risk events in a cloud environment that obtains a set of risk signature definitions and deploys an event log scanner to the cloud environment. The event log scanner is configured to detect instances of candidate risk events in accordance with the set of risk signature definitions based on a scan of an event log and to label each detected instance with a signature identifier. Result metadata is received indicative of the detected instances. A cloud infrastructure graph is accessed that defines nodes that represent resources in the cloud environment and edges, between the nodes, that represent relationships between the resources. Context information is derived from the cloud infrastructure graph based on the result metadata. An output is generated representing a classification of one or more of the detected instances of candidate risk events as a risk event based on the context information relative to the set of risk signature definitions.