Patents by Inventor Kevin Alejandro Roundy

Kevin Alejandro Roundy has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10073983
    Abstract: The disclosed computer-implemented method for identifying suspicious singleton files using correlational predictors may include (1) identifying a set of known-clean computing devices that include no singleton files, (2) detecting at least one software component that is installed on a threshold number of the known-clean computing devices, (3) identifying an unvindicated computing device whose infection status is unknown, (4) determining that, in addition to being installed on the threshold number of known-clean computing devices, the software component is installed on the unvindicated computing device, (5) determining that the unvindicated computing device includes at least one singleton file, and then (6) classifying the singleton file as suspicious in response to determining that (A) the software component is installed on the unvindicated computing device and (B) the unvindicated computing device includes the singleton file. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: December 11, 2015
    Date of Patent: September 11, 2018
    Assignee: Symantec Corporation
    Inventors: Bo Li, Kevin Alejandro Roundy, Christopher Gates
  • Patent number: 10069862
    Abstract: Techniques for predicting and protecting spearphishing targets are disclosed. In one particular exemplary embodiment, the techniques may be realized as a system for predicting and protecting spearphishing targets. The system may comprise one or more processors communicatively coupled to a network. The one or more processors may be configured to identify one or more potential spearphishing targets based on information from an organization, receive additional information associated with the one or more potential spearphishing targets and the organization from publicly available sources, determine a threat level of a spearphishing attack on the one or more potential spearphishing targets based on the information from the organization and the additional information, and generate a report of the one or more potential spearphishing targets and the threat level associated with the one or more potential spearphishing targets.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: September 4, 2018
    Assignee: Symantec Corporation
    Inventors: Sanjay Sawhney, Kevin Alejandro Roundy
  • Patent number: 10057274
    Abstract: The disclosed computer-implemented method for profiling client systems may include (1) identifying one or more administrative categories used to categorize clients according to system profiles of the clients, (2) collecting attribute information that associates one or more client attributes with the administrative category, (3) generating, based at least in part on the association between the client attribute and the administrative category, an association scoring protocol that estimates an association strength between clients and the administrative category, (4) assigning, based on the association scoring protocol, an association score to one or more clients, (5) determining, based on the association score being above a threshold, that the client should be associated with the administrative category, and (6) initiating one or more customized administrative actions for the client, based at least in part on the association of the client with the administrative category.
    Type: Grant
    Filed: March 31, 2016
    Date of Patent: August 21, 2018
    Assignee: Symantec Corporation
    Inventors: Kevin Alejandro Roundy, Leylya Bilge, Christopher Gates
  • Patent number: 10003606
    Abstract: The disclosed computer-implemented method for detecting security threats may include (1) detecting, by a software security program, a security incident at a client device such that the software security program generates a signature report to identify the security incident, (2) querying an association database with the signature report to deduce another signature report that a different software security program would have predictably generated at the client device, the different software security program having been unavailable at the client device at a time of detecting the security incident, and (3) performing at least one protective action to protect the client device from a security threat associated with the security incident based on the other signature report deduced by querying the association database. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: March 30, 2016
    Date of Patent: June 19, 2018
    Assignee: Symantec Corporation
    Inventors: Kevin Alejandro Roundy, Michael Hart, Christopher Gates
  • Patent number: 9998480
    Abstract: A computer-implemented method for predicting security threats may include (1) predicting that a candidate security target is an actual target of a specific security attack according to a non-collaborative-filtering calculation, (2) predicting that the candidate security target is an actual target of a set of multiple specific security attacks, including the specific security attack, according to a collaborative filtering calculation, (3) filtering, based on the specific security attack also being predicted by the non-collaborative-filtering calculation, the specific security attack from the set of multiple specific security attacks predicted by the collaborative filtering calculation, and (4) notifying the candidate security target to perform a security action to protect itself from another specific security attack remaining in the filtered set of multiple specific security attacks based on an analysis of the filtered set of multiple specific security attacks.
    Type: Grant
    Filed: February 29, 2016
    Date of Patent: June 12, 2018
    Assignee: Symantec Corporation
    Inventors: Christopher Gates, Yining Wang, Nikolaos Vasiloglou, Kevin Alejandro Roundy, Michael Hart
  • Patent number: 9959407
    Abstract: A computer-implemented method for identifying potentially malicious singleton files may include (1) identifying a set of benign singleton files and a set of malicious singleton files, (2) obtaining, for each singleton file in the sets of benign and malicious singleton files, file identification information that identifies the singleton file, (3) using the file identification information of the singleton files from the sets of benign and malicious singleton files to train a classifier to classify unknown singleton files, (4) detecting an unclassified singleton file, (5) analyzing, with the trained classifier, information that identifies the unclassified singleton file, (6) determining, based on the analysis of the information that identifies the unclassified singleton file, that the unclassified singleton file is suspicious, and (7) triggering a security action in response to determining that the unclassified singleton file is suspicious.
    Type: Grant
    Filed: March 15, 2016
    Date of Patent: May 1, 2018
    Assignee: Symantec Corporation
    Inventors: Bo Li, Kevin Alejandro Roundy, Christopher Gates
  • Publication number: 20170289178
    Abstract: The disclosed computer-implemented method for detecting security threats may include (1) detecting, by a software security program, a security incident at a client device such that the software security program generates a signature report to identify the security incident, (2) querying an association database with the signature report to deduce another signature report that a different software security program would have predictably generated at the client device, the different software security program having been unavailable at the client device at a time of detecting the security incident, and (3) performing at least one protective action to protect the client device from a security threat associated with the security incident based on the other signature report deduced by querying the association database. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Application
    Filed: March 30, 2016
    Publication date: October 5, 2017
    Inventors: Kevin Alejandro Roundy, Michael Hart, Christopher Gates
  • Patent number: 9774615
    Abstract: Techniques for detecting anomalous network traffic are disclosed. In one particular embodiment, the techniques may be realized as a method for detecting anomalous network traffic comprising the steps of receiving a list including a plurality of processes and, for each process, a list of approved types of network traffic; monitoring network traffic of each process on the list of processes; upon detecting network traffic for a process on the list of processes, determining that the type of network traffic detected is not on the list of approved types for that process; and identifying the process as infected based on determining that the type of network traffic detected is not on the list of approved types for that process.
    Type: Grant
    Filed: December 29, 2015
    Date of Patent: September 26, 2017
    Assignee: Symantec Corporation
    Inventors: Kevin Alejandro Roundy, Jie Fu, Tao Cheng, Zhi Kai Li, Fanglu Guo, Sandeep Bhatkar
  • Patent number: 9754106
    Abstract: The disclosed computer-implemented method for classifying security events as targeted attacks may include (1) detecting a security event in connection with at least one organization, (2) comparing the security event against a targeted-attack taxonomy that identifies a plurality of characteristics of targeted attacks, (3) determining that the security event is likely targeting the organization based at least in part on comparing the security event against the targeted-attack taxonomy, and then in response to determining that the security event is likely targeting the organization, (4) classifying the security event as a targeted attack. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: October 14, 2014
    Date of Patent: September 5, 2017
    Assignee: Symantec Corporation
    Inventors: Kevin Alejandro Roundy, Sandeep Bhatkar
  • Patent number: 9659182
    Abstract: A method for protecting data files may include (1) identifying a data file to be protected against data loss, (2) identifying a set of software programs permitted to open the data file by (a) identifying a format of the data file and (b) identifying at least one software program capable of opening files of the format of the data file, (3) detecting an attempt to open the data file by a software program not included in the set of software programs, and (4) performing a security action in response to detecting the attempt to open the data file. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: April 30, 2014
    Date of Patent: May 23, 2017
    Assignee: Symantec Corporation
    Inventors: Kevin Alejandro Roundy, Sandeep Bhatkar, Fanglu Guo, Scott Schneider
  • Patent number: 9652597
    Abstract: A computer-implemented method for detecting information leakage by an organizational insider may include (1) identifying a set of organizational insiders of an organization, (2) identifying a set of public forums used by one or more organizational insiders, (3) identifying a set of messages posted to one or more public forums, (4) creating a message record corresponding to each message, with the record including a message summary and a set of message metadata fields, (5) consolidating message records with common metadata fields into a message summary record, and (6) identifying, based on the message summary record, an information leakage threat. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: April 25, 2014
    Date of Patent: May 16, 2017
    Assignee: Symantec Corporation
    Inventors: Kevin Alejandro Roundy, Anand Kashyap
  • Patent number: 9548988
    Abstract: The disclosed computer-implemented method for attributing potentially malicious email campaigns to known threat groups may include (1) identifying a potentially malicious email campaign targeting at least one organization, (2) detecting, within the potentially malicious email campaign, an incriminating feature that has been linked to a known threat group, (3) determining, based at least in part on detecting the incriminating feature linked to the known threat group, that the known threat group is likely responsible for the potentially malicious email campaign, and then in response to determining that the known threat group is likely responsible for the potentially malicious email campaign, (4) attributing the potentially malicious email campaign to the known threat group. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: August 18, 2014
    Date of Patent: January 17, 2017
    Assignee: Symantec Corporation
    Inventors: Kevin Alejandro Roundy, Olivier Thonnard
  • Patent number: 9485272
    Abstract: The disclosed computer-implemented method for estimating confidence scores of unverified signatures may include (1) detecting a potentially malicious event that triggers a malware signature whose confidence score is above a certain threshold, (2) detecting another event that triggers another signature whose confidence score is unknown, (3) determining that the potentially malicious event and the other event occurred within a certain time period of one another, and then (4) assigning, to the other signature, a confidence score based at least in part on the potentially malicious event and the other event occurring within the certain time period of one another. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: June 17, 2014
    Date of Patent: November 1, 2016
    Assignee: Symantec Corporation
    Inventor: Kevin Alejandro Roundy
  • Patent number: 9323924
    Abstract: A disclosed method may include (1) tracking the health of a computing system over time by calculating, for each of several time periods, a health metric that indicates the computing system's health during the time period, (2) evaluating the health metrics of the time periods to identify an anomalous time period during which the health of the computing system changed, (3) locating one or more files that were present on the computing system during the anomalous time period and absent from the computing system during one or more other time periods, and (4) basing a reputation for the file(s) on an association between the file(s) and the computing system that includes the anomalous time period and excludes the other time period. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: May 9, 2014
    Date of Patent: April 26, 2016
    Assignee: Symantec Corporation
    Inventors: Kevin Alejandro Roundy, Acar Tamersoy, Sourabh Satish
  • Publication number: 20160103992
    Abstract: The disclosed computer-implemented method for classifying security events as targeted attacks may include (1) detecting a security event in connection with at least one organization, (2) comparing the security event against a targeted-attack taxonomy that identifies a plurality of characteristics of targeted attacks, (3) determining that the security event is likely targeting the organization based at least in part on comparing the security event against the targeted-attack taxonomy, and then in response to determining that the security event is likely targeting the organization, (4) classifying the security event as a targeted attack. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Application
    Filed: October 14, 2014
    Publication date: April 14, 2016
    Inventors: Kevin Alejandro Roundy, Sandeep Bhatkar
  • Patent number: 9256739
    Abstract: A computer-implemented method for using event-correlation graphs to generate remediation procedures may include (1) detecting a suspicious event involving a first actor within a computing system, (2) constructing, in response to detecting the suspicious event involving the first actor, an event-correlation graph that includes (i) a first node that represents the first actor, (ii) a second node that represents a second actor, and (iii) an edge that interconnects the first node and the second node and represents an additional suspicious event involving the first actor and the second actor, and (3) using the event-correlation graph to generate a procedure for remediating an effect of an attack on the computing system that is reflected in the event-correlation graph. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: March 21, 2014
    Date of Patent: February 9, 2016
    Assignee: Symantec Corporation
    Inventors: Kevin Alejandro Roundy, Sandeep Bhatkar
  • Patent number: 9225736
    Abstract: Techniques for detecting anomalous network traffic are disclosed. In one particular embodiment, the techniques may be realized as a method for detecting anomalous network traffic comprising the steps of receiving a list including a plurality of processes and, for each process, a list of approved types of network traffic; monitoring network traffic of each process on the list of processes; upon detecting network traffic for a process on the list of processes, determining that the type of network traffic detected is not on the list of approved types for that process; and identifying the process as infected based on determining that the type of network traffic detected is not on the list of approved types for that process.
    Type: Grant
    Filed: June 27, 2013
    Date of Patent: December 29, 2015
    Assignee: Symantec Corporation
    Inventors: Kevin Alejandro Roundy, Jie Fu, Tao Cheng, Zhi Kai Li, Fanglu Guo, Sandeep Bhatkar
  • Publication number: 20150261940
    Abstract: A computer-implemented method for detecting information leakage by an organizational insider may include (1) identifying a set of organizational insiders of an organization, (2) identifying a set of public forums used by one or more organizational insiders, (3) identifying a set of messages posted to one or more public forums, (4) creating a message record corresponding to each message, with the record including a message summary and a set of message metadata fields, (5) consolidating message records with common metadata fields into a message summary record, and (6) identifying, based on the message summary record, an information leakage threat. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Application
    Filed: April 25, 2014
    Publication date: September 17, 2015
    Applicant: Symantec Corporation
    Inventors: Kevin Alejandro Roundy, Anand Kashyap