US 12,348,539 B2
Systems, methods, and graphical user interfaces for configuring and executing one or more computer-executable threat hunting protocols in a cybersecurity threat detection and mitigation platform
Bryan Geraldo, Portland, OR (US); and Nathan Sorrel, Littleton, CO (US)
Assigned to Expel, Inc., Herndon, VA (US)
Filed by Expel, Inc., Herndon, VA (US)
Filed on Aug. 29, 2024, as Appl. No. 18/820,043.
Claims priority of provisional application 63/546,886, filed on Nov. 1, 2023.
Claims priority of provisional application 63/535,554, filed on Aug. 30, 2023.
Prior Publication US 2025/0080553 A1, Mar. 6, 2025
Int. Cl. H04L 9/40 (2022.01)
CPC H04L 63/1416 (2013.01) [H04L 63/1425 (2013.01)] 19 Claims
OG exemplary drawing
 
18. A computer-implemented method for adaptive cybersecurity threat hunting, the method comprising:
sourcing, from a computer database, a corpus of raw event data that includes digital activity that occurred within one or more environments of a target subscriber;
identifying a set of attacker events indicative of a target attack type based on assessing the corpus of raw event data of the target subscriber, wherein the set of attacker events is used in a majority of real-world attacks of the target attack type;
computing, for each attacker event of the set of attacker events, an event frequency count that numerically represents an occurrence of a subject attacker event within historical raw event data of a plurality of subscribers;
identifying one or more infrequent attacker events of the set of attacker events based on the event frequency count computed for each attacker event of the set of attacker events, wherein the event frequency count of each infrequent attacker event of the one or more infrequent attacker events is below a predetermined minimum event frequency threshold value;
encoding a computer-executable threat hunting protocol configured to identify suspicious digital activity of the target attack type in the one or more environments of the target subscriber, wherein encoding the computer-executable threat hunting protocol includes:
constructing an attacker behavioral sequence model based on the set of attacker events and the one or more infrequent attacker events; and
surfacing, via a graphical user interface, suspicious sequences of digital activity that occurred in the one or more environments of the target subscriber in response to executing the computer-executable threat hunting protocol, wherein:
executing the computer-executable threat hunting protocol includes executing, via the one or more processors, the attacker behavioral sequence model,
executing the attacker behavioral sequence model includes assessing a target corpus of raw event data of a target timespan of the target subscriber to identify a plurality of suspicious sequences of digital activity within the target corpus of raw event data that satisfy predefined attacker-indicative conditions of the attacker behavioral sequence model, and
the suspicious sequences of digital activity include the plurality of suspicious sequences of digital activity identified by the attacker behavioral sequence model.
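As an added illustration, not the patent's own code, the steps of claim 18 in Python over constructed event data: an event frequency count for each attacker event across several subscribers' history, selection of the infrequent events below a minimum threshold, an attacker behavioral sequence model built from both, and a hunt over a target subscriber's corpus. The event names, their ordering, the threshold, and the model's attacker-indicative conditions (the events occur in order within a time window and include at least one infrequent event) are assumptions of this example.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data, not from the patent: (subscriber, ISO timestamp, event name).
# HISTORICAL_EVENTS stands in for many subscribers' history, TARGET_EVENTS for the hunted corpus.
HISTORICAL_EVENTS = [
    ("acme", "2024-01-02T09:00:00", "login_success"),
    ("acme", "2024-01-02T09:05:00", "mfa_method_added"),
    ("globex", "2024-01-02T10:00:00", "login_success"),
    ("globex", "2024-01-02T10:30:00", "inbox_rule_created"),
]
TARGET_EVENTS = [
    ("acme", "2024-02-01T08:00:00", "login_success"),
    ("acme", "2024-02-01T08:10:00", "mfa_method_added"),
    ("acme", "2024-02-01T08:20:00", "inbox_rule_created"),
    ("acme", "2024-02-03T08:00:00", "login_success"),       # no MFA change follows this login
    ("acme", "2024-02-03T10:00:00", "inbox_rule_created"),  # and this falls outside the window
]
# Hypothetical attacker events for the target attack type, in the order an attacker performs them.
ATTACKER_EVENTS = ["login_success", "mfa_method_added", "inbox_rule_created"]
MIN_FREQUENCY, WINDOW = 2, timedelta(hours=1)

def event_frequency_counts(events, attacker_events):
    # How often each attacker event occurs across all subscribers' historical data.
    counts = Counter(name for _, _, name in events if name in attacker_events)
    return {name: counts[name] for name in attacker_events}

def infrequent_events(counts, min_threshold):
    # Attacker events whose frequency count falls below the minimum threshold.
    return {name for name, n in counts.items() if n < min_threshold}

def hunt(model, target_events):
    # Every in-order occurrence of the modeled sequence inside the window that includes a rare event.
    ordered, seq, hits = sorted(target_events, key=lambda e: e[1]), model["sequence"], []
    for i, start in enumerate(ordered):
        if start[2] != seq[0]:
            continue
        t0, matched = datetime.fromisoformat(start[1]), [start]
        for ev in ordered[i + 1:]:
            if datetime.fromisoformat(ev[1]) - t0 > model["window"]:
                break
            if len(matched) < len(seq) and ev[2] == seq[len(matched)]:
                matched.append(ev)
        if len(matched) == len(seq) and any(e[2] in model["rare"] for e in matched):
            hits.append(matched)
    return hits

def run_hunt():
    # The claim's steps end to end: frequency counts -> rare events -> sequence model -> sequences.
    rare = infrequent_events(event_frequency_counts(HISTORICAL_EVENTS, ATTACKER_EVENTS), MIN_FREQUENCY)
    return hunt({"sequence": ATTACKER_EVENTS, "rare": rare, "window": WINDOW}, TARGET_EVENTS)
```

Each returned hit is the ordered list of raw events that satisfied the model, which is what a graphical user interface would surface to the analyst.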