CPC H04L 63/0236 (2013.01) [H04L 63/10 (2013.01); H04L 63/1408 (2013.01); H04L 63/1416 (2013.01); H04L 63/1425 (2013.01); H04L 63/1433 (2013.01); H04L 63/1441 (2013.01)]
17 Claims

1. A threat detection device, comprising:
a network interface configured to communicate data traffic between one or more network devices in a private network and one or more network devices in a public network; and
a processor operably coupled to the network interface, configured to:
receive, via the network interface and from the public network, a data sample comprising configuration information for a first network device in the public network;
obtain a plurality of threat indicators configured to guide analysis of the data sample, wherein:
each threat indicator of the plurality of threat indicators is associated with a configuration setting; and
the configuration setting being used to identify at least one network device from the one or more network devices in the public network as a bad actor;
determine whether the data sample matches at least one threat indicator of the plurality of threat indicators;
in response to determining that the data sample matches the at least one threat indicator of the plurality of threat indicators, generate a bad actor profile for the first network device, wherein:
the bad actor profile comprises a first device identifier for the first network device; and
the first device identifier identifies the first network device among the one or more network devices in the public network;
intercept, via the network interface, data traffic transmitted from the one or more network devices in the public network to a second network device in the private network;
determine whether first information in the data traffic matches second information in the bad actor profile;
in response to determining that the first information in the data traffic matches the second information in the bad actor profile, determine that the data traffic comprises communication between the first network device in the public network and the second network device in the private network;
determine a second device identifier within the data traffic;
determine that the second device identifier matches the first device identifier in the bad actor profile;
in response to determining that the second device identifier matches the first device identifier in the bad actor profile, determine that the data traffic comprises additional communication between the first network device in the public network and the second network device in the private network;
perform a search in the public network using the first device identifier for the first network device;
identify a third device identifier associated with the first network device based on results of the search;
store the third device identifier in the bad actor profile; and
block data communications between the second network device in the private network and the first network device in the public network.
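The flow recited in claim 1 (indicator matching on a configuration sample, bad actor profile generation, matching intercepted traffic against the profile, enriching the profile with a further identifier found by search, then blocking), as an added Python model that is not part of the patent or any product; every name, field layout and sample value below is a constructed assumption.

```python
from dataclasses import dataclass, field
# Threat indicators, each tied to a configuration setting (constructed sample values).
THREAT_INDICATORS = [
    {"setting": "open_ports", "value": 23},            # e.g. telnet reachable from the public network
    {"setting": "default_credentials", "value": True},
]
# Constructed data sample: configuration information for one public-network device.
SAMPLE = {"device_id": "203.0.113.7", "config": {"open_ports": [22, 23], "default_credentials": True}}
SEARCH_RESULTS = {"203.0.113.7": ["bad-host.example"]}   # constructed: what a search on the id returns
TRAFFIC = [                                              # constructed intercepted traffic
    {"src": "203.0.113.7", "dst": "10.0.0.5"},
    {"src": "bad-host.example", "dst": "10.0.0.5"},
    {"src": "198.51.100.2", "dst": "10.0.0.5"},
]
@dataclass
class BadActorProfile:
    device_id: str                              # first device identifier
    matched_settings: list
    aliases: set = field(default_factory=set)   # further identifiers found by search

def matching_indicators(sample, indicators):
    """Return the indicators whose configuration setting the sample exhibits."""
    hits = []
    for ind in indicators:
        value = sample.get("config", {}).get(ind["setting"])
        if value == ind["value"] or (isinstance(value, list) and ind["value"] in value):
            hits.append(ind)
    return hits

def build_profile(sample, indicators):
    """Generate a bad actor profile only if at least one indicator matches."""
    hits = matching_indicators(sample, indicators)
    if not hits:
        return None
    return BadActorProfile(sample["device_id"], [h["setting"] for h in hits])

def enrich_profile(profile, search_results):
    """Store the additional identifiers a search associates with the device."""
    profile.aliases.update(search_results.get(profile.device_id, []))
    return profile

def should_block(packet, profile):
    """True when intercepted traffic carries an identifier from the bad actor profile."""
    return packet["src"] == profile.device_id or packet["src"] in profile.aliases

def run_demo():
    """Full flow on the constructed data; returns the packets that would be blocked."""
    profile = enrich_profile(build_profile(SAMPLE, THREAT_INDICATORS), SEARCH_RESULTS)
    return [p for p in TRAFFIC if should_block(p, profile)]
```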