Abstract: A network surveillance method to detect attackers, including planting one or more honeytokens in one or more resources in a network of computers in which users access the resources in the network based on credentials, wherein a honeytoken is an object in memory or storage of a first resource that may be used by an attacker to access a second resource using decoy credentials, including planting a first honeytoken in a first resource, R1, used to access a second resource, R2, using first decoy credentials, and planting a second honeytoken in R1, used to access a third resource, R3, using second decoy credentials, and alerting that an attacker is intruding the network only in response to both (i) an attempt to access R2 using the first decoy credentials, and (ii) a subsequent attempt to access R3 using the second decoy credentials.

Abstract: A cyber security system comprising circuitry of a decoy deployer planting one or more decoy lateral attack vectors in each of a first and a second group of resources within a common enterprise network of resources, the first and second groups of resources having different characteristics in terms of subnets, naming conventions, DNS aliases, listening ports, users and their privileges, and installed applications, wherein a lateral attack vector is an object of a first resource within the network that has a potential to be used by an attacker who discovered the first resource to further discover information regarding a second resource within the network, the second resource being previously undiscovered by the attacker, and wherein the decoy lateral attack vectors in the first group conform to the characteristics of the first group, and the decoy lateral attack vectors in the second group conform to the characteristics of the second group.

Abstract: A system for network surveillance to detect attackers, including a deception management server within a network of resources, including a deployment module managing and planting one or more decoy attack vectors in one or more of the resources in the network, wherein an attack vector is an object in memory or storage of a first resource that may be used to access a second resource, and one or more decoy servers accessible from resources in the network, each decoy server including an alert module that issues an alert when a specific resource in the network accesses the decoy server via one or more of the decoy attack vectors planted in the specific resource by the deployment module, and a delay module, delaying access to data on the decoy server while a resource accesses the decoy server.

Abstract: A method for cyber security, including detecting, by a management server, a breach by an attacker of a resource within a network of resources, predicting, by the management server, an attacker target subnet, based on connections created during the breach, and isolating, by the management server, the target subnet in response to the predicting a target subnet.

Abstract: A network surveillance method to detect attackers, including planting one or more honeytokens in one or more resources in a network of computers in which users access the resources in the network based on credentials, wherein a honeytoken is an object in memory or storage of a first resource that may be used by an attacker to access a second resource using decoy credentials, including planting a first honeytoken in a first resource, R1, used to access a second resource, R2, using first decoy credentials, and planting a second honeytoken in R1, used to access a third resource, R3, using second decoy credentials, and alerting that an attacker is intruding the network only in response to both (i) an attempt to access R2 using the first decoy credentials, and (ii) a subsequent attempt to access R3 using the second decoy credentials.

Abstract: A deception management system to detect attackers within a dynamically changing network of computer resources, including a deployment governor dynamically designating deception policies, each deception policy including names of non-existing web servers, and levels of diversity for planting the names of non-existing web servers in browser histories of web browsers within resources of the network, the levels of diversity specifying how densely the name of each non-existing web server is planted within resources of the network, a deception deployer dynamically planting the names of non-existing web servers in the browser histories of the web browsers in resources in the network, in accordance with the levels of diversity of the current deception policy, and a notification processor transmitting an alert to an administrator of the network in response to an attempt to access one of the non-existing web servers.

Abstract: A network surveillance system, including a management server within a network of resources in which users access the resources in the network based on credentials, including a deployment module planting honeytokens in resources in the network, wherein a honeytoken is an object in memory or storage of a first resource that may be used by an attacker to access a second resource using decoy credentials, and wherein the deployment module plants a first honeytoken in a first resource, R1, used to access a second resource, R2, using first decoy credentials, and plants a second honeytoken in R2, used to access a third resource, R3, using second decoy credentials, and an alert module alerting that an attacker is intruding the network only in response to both an attempt to access R2 using the first decoy credentials, and a subsequent attempt to access R3 using the second decoy credentials.

Abstract: A deception management system to detect attackers within a dynamically changing network of computer resources, including a deployment governor dynamically designating deception policies, each deception policy including names of non-existing web servers, and levels of diversity for planting the names of non-existing web servers in browser histories of web browsers within resources of the network, the levels of diversity specifying how densely the name of each non-existing web server is planted within resources of the network, a deception deployer dynamically planting the names of non-existing web servers in the browser histories of the web browsers in resources in the network, in accordance with the levels of diversity of the current deception policy, and a notification processor transmitting an alert to an administrator of the network in response to an attempt to access one of the non-existing web servers.

Abstract: A system for network surveillance to detect attackers, including a deception management server within a network of resources, including a deployment module managing and planting one or more decoy attack vectors in one or more of the resources in the network, wherein an attack vector is an object in memory or storage of a first resource that may be used to access a second resource, and one or more decoy servers accessible from resources in the network, each decoy server including an alert module that issues an alert when a specific resource in the network accesses the decoy server via one or more of the decoy attack vectors planted in the specific resource by the deployment module, and a delay module, delaying access to data on the decoy server while a resource accesses the decoy server.

Abstract: A method for cyber security, including detecting, by a management server, a breach by an attacker of a resource within a network of resources, predicting, by the management server, an attacker target subnet, based on connections created during the breach, and isolating, by the management server, the target subnet in response to the predicting a target subnet.

Abstract: A cyber security system comprising circuitry of a decoy deployer planting one or more decoy lateral attack vectors in each of a first and a second group of resources within a common enterprise network of resources, the first and second groups of resources having different characteristics in terms of subnets, naming conventions, DNS aliases, listening ports, users and their privileges, and installed applications, wherein a lateral attack vector is an object of a first resource within the network that has a potential to be used by an attacker who discovered the first resource to further discover information regarding a second resource within the network, the second resource being previously undiscovered by the attacker, and wherein the decoy lateral attack vectors in the first group conform to the characteristics of the first group, and the decoy lateral attack vectors in the second group conform to the characteristics of the second group.

Abstract: A method for cyber security, including detecting, by a management server, a breach by an attacker of a resource within a network of resources, wherein access to the resources via network connections is governed by a firewall, predicting, by the management server, which servers in the network are compromised, based on connections created during the breach, and creating, by the management server, firewall rules to block access to the predicted compromised servers from the breached resource, in response to said predicting which servers.

Abstract: A system for augmenting an attacker map of a network of resources, including a deception management server within a network of resources, generating an attacker map for the network, the attacker map including one or more attack paths traversing some or all of the resources, each attack path corresponding to one or more successive attack vectors, wherein an attack vector is an object in memory or storage of a first resource of the network that may potentially lead an attacker to a second resource of the network, and a deployment module for planting one or more decoy attack vectors in some of all of the resources of the network, wherein the deception management server generates an augmented attacker map by augmenting the attack paths based on the decoy attack vectors added by the deployment module.

Abstract: A method for cyber security, including detecting, by a management server, a breach by an attacker of a resource within a network of resources, wherein access to the resources via network connections is governed by a firewall, predicting, by the management server, which servers in the network are compromised, based on connections created during the breach, and creating, by the management server, firewall rules to block access to the predicted compromised servers from the breached resource, in response to said predicting which servers.

Abstract: A deception management system (DMS) to detect attackers within a network of computer resources, including a discovery tool auto-learning the network naming conventions for user names, workstation names, server names and shared folder names, and a deception deployer generating one or more decoy attack vectors in the one or more resources in the network based on the network conventions learned by the discovery tool, so that the decoy attack vectors conform with the network conventions, wherein an attack vector is an object in a first resource of the network that has a potential to lead an attacker to access or discover a second resource of the network.

Abstract: A network surveillance system, including a management server within a network of resources in which users access the resources in the network based on credentials, including a deployment module planting honeytokens in resources in the network, wherein a honeytoken is an object in memory or storage of a first resource that may be used by an attacker to access a second resource using decoy credentials, and wherein the deployment module plants a first honeytoken in a first resource, R1, used to access a second resource, R2, using first decoy credentials, and plants a second honeytoken in R2, used to access a third resource, R3, using second decoy credentials, and an alert module alerting that an attacker is intruding the network only in response to both an attempt to access R2 using the first decoy credentials, and a subsequent attempt to access R3 using the second decoy credentials.

Abstract: A cyber security system to detect attackers, including a data collector collecting data regarding a network, the data including network resources and users, a learning module analyzing data collected by the network data collector, determining therefrom groupings of the network resources into at least two groups, and assigning a customized decoy policy to each group of resources, wherein a decoy policy for a group of resources includes one or more decoy attack vectors, and one or more resources in the group in which the one or more decoy attack vectors are to be planted, and wherein an attack vector is an object of a first resource that may be used to access or discover a second resource, and a decoy deployer planting, for each group of resources, one or more decoy attack vectors in one or more resources in that group, in accordance with the decoy policy for that group.

Abstract: A method for cyber security, including detecting, by a decoy management server, a breach by an attacker of a specific resource within a network of resources in which users access the resources based on credentials, wherein each resource has a domain name server (DNS) record stored on a DNS server, changing, by the decoy management server, the DNS record for the breached resource on the DNS server, in response to the detecting, predicting, by the decoy management server, which credentials are compromised, based on credentials stored on the breached resource, and changing, by the decoy management server, those credentials that were predicted to be compromised, in response to the predicting which credentials.

Abstract: A method for cyber security, including detecting, by a decoy management server, a breach by an attacker of a specific resource within a network of resources in which users access the resources based on credentials, wherein each resource has a domain name server (DNS) record stored on a DNS server, changing, by the decoy management server, the DNS record for the breached resource on the DNS server, in response to the detecting, predicting, by the decoy management server, which credentials are compromised, based on credentials stored on the breached resource, and changing, by the decoy management server, those credentials that were predicted to be compromised, in response to the predicting which credentials.

Abstract: A deception management system (DMS) to detect attackers within a network of computer resources, including a discovery tool auto-learning the network naming conventions for user names, workstation names, server names and shared folder names, and a deception deployer generating one or more decoy attack vectors in the one or more resources in the network based on the network conventions learned by the discovery tool, so that the decoy attack vectors conform with the network conventions, wherein an attack vector is an object in a first resource of the network that has a potential to lead an attacker to access or discover a second resource of the network.