Abstract: An automated sandbox generator for a cyber-attack exercise on a mimic network in a cloud environment can include various components. The cloud deployment component deploys the mimic network in a sandbox environment in the cloud environment. The mimic network can be a clone of components from a network that exists in an organization's environment and/or, predefined example components. The attack engine deploys a cyber threat to use an exploit for the wargaming cyber-attack exercise in the mimic network. The user interface displays, in real time, results of the wargaming cyber-attack exercise being conducted in the sandbox environment, to create a behavioral profile of how the cyber threat using the exploit would actually perform in that particular organization's environment as well as have human users interact with the cyber threat deployed by the attack engine during the cyber-attack on the mimic network, as it happens in real time, during the wargaming cyber-attack exercise.

Abstract: A device linking service can unify data streams from different sources of access into a network to get a composite picture of a behavior of an individual physical network device that has different device identifiers from the different sources of access into the network via cross-referencing information from the different sources of access into the network. The device linking service creates a unified network device identifier for the different device identifiers from the different sources of access into the network. The device linking service supplies the unified network device identifier and associated information with the different device identifiers from the different sources of access into the network to a prediction engine. The prediction engine runs a simulation of attack paths for the network that a cyber threat may take.

Abstract: An open-source intelligence (OSINT) monitoring engine operating as an AI-driven system for monitoring incoming content received from an OSINT source to detect emerging cyber threats is described. The OSINT monitoring engine features a source evaluation module, a content processing engine, and a content classification engine. The source evaluation module determines a confidence level associated with a source of the incoming content and refrains from providing textual information associated with the incoming content unless the confidence level associated with the source is equal to or exceeds a prescribed threshold. The content processing engine identifies salient information from the textual information for use in identifying an emerging cyber threat.

Abstract: A cyber security system includes an importance node module to compute and use graphs to compute an importance of a node based on factors including a hierarchy and a job title of the user, aggregated account privileges from network domains and a level of shared resource access for the user. The graphs are supplied into an attack path modeling component to understand an importance of the network nodes and determine key pathways within the network that a cyber-attack would use, via a modeling the cyber-attack on a simulated and a virtual device version of the network. The cyber security system provides an intelligent prioritization of remediation action to a remediation suggester module to analyze results of the modeling the cyber-attack for each node and suggest how to perform intelligent prioritization of remediation action on a network node in one of a report and an autonomous remediation action.

Abstract: An automated training apparatus can include an importance node module to compute and use graphs to compute an importance of a node based on factors that include a hierarchy and a job title of the user in the organization, aggregated account privileges from different network domains, and a level of shared resource access for the user. The graphs are supplied into an attack path modeling component to understand an importance of the network nodes and determine key pathways and vulnerable network nodes that a cyber-attack would use, and a grouping module to analyze the importance of the network nodes and the key pathways and the vulnerable network nodes, and to classify the nodes based on security risks and the vulnerabilities to provide reports including areas of vulnerability and known weaknesses of the network.

Abstract: Aspects of the invention relate to a cyber security system that may enable an end user to communicate with a cyber security appliance to identify cyber threats across the client system. The system can include one or more host devices each having a user interface and an endpoint agent for facilitating bi-directional communication between the user and a cyber security appliance. The endpoint agent may include a communication facilitation module including a user interaction module configured to communicate with the user interface and a helper module configured to communicate with the cyber security appliance. The endpoint agent is configured to enable the bi-directional communication between the user interface and the cyber security appliance on receiving a query associated with identified unusual behavior.