US 12,113,831 B2
Privilege assurance of enterprise computer network environments using lateral movement detection and prevention
Jason Crabtree, Vienna, VA (US); Andrew Sellers, Monument, CO (US); and Richard Kelley, Woodbridge, VA (US)
Assigned to QOMPLX LLC, Reston, VA (US)
Filed by QOMPLX LLC, Reston, VA (US)
Filed on Jun. 30, 2021, as Appl. No. 17/363,866.
Application 17/363,866 is a continuation in part of application No. 17/362,590, filed on Jun. 29, 2021.
Application 17/362,590 is a continuation in part of application No. 17/330,893, filed on May 26, 2021.
Application 17/330,893 is a continuation in part of application No. 17/008,276, filed on Aug. 31, 2020, granted, now 11,323,484.
Application 17/008,276 is a continuation in part of application No. 17/000,504, filed on Aug. 24, 2020, granted, now 11,477,245.
Application 17/000,504 is a continuation in part of application No. 16/945,743, filed on Jul. 31, 2020, granted, now 11,323,471.
Application 16/945,743 is a continuation in part of application No. 16/855,724, filed on Apr. 22, 2020, granted, now 11,218,510.
Application 16/855,724 is a continuation in part of application No. 16/836,717, filed on Mar. 31, 2020, granted, now 10,917,428.
Application 16/855,724 is a continuation in part of application No. 16/777,270, filed on Jan. 30, 2020, granted, now 11,025,674, issued on Jun. 1, 2021.
Application 16/836,717 is a continuation in part of application No. 16/720,383, filed on Dec. 19, 2019, granted, now 10,944,795, issued on Mar. 9, 2021.
Application 17/000,504 is a continuation in part of application No. 16/412,340, filed on May 14, 2019, granted, now 11,539,663.
Application 16/412,340 is a continuation in part of application No. 16/267,893, filed on Feb. 5, 2019, abandoned.
Application 16/267,893 is a continuation in part of application No. 16/248,133, filed on Jan. 15, 2019, abandoned.
Application 16/248,133 is a continuation in part of application No. 15/887,496, filed on Feb. 2, 2018, granted, now 10,783,241, issued on Sep. 22, 2020.
Application 15/887,496 is a continuation in part of application No. 15/849,901, filed on Dec. 21, 2017, granted, now 11,023,284.
Application 15/849,901 is a continuation in part of application No. 15/835,436, filed on Dec. 7, 2017, granted, now 10,572,828.
Application 15/849,901 is a continuation in part of application No. 15/835,312, filed on Dec. 7, 2017, granted, now 11,055,451.
Application 15/835,436 is a continuation of application No. 15/823,363, filed on Nov. 27, 2017, granted, now 10,560,483, issued on Feb. 11, 2020.
Application 15/823,363 is a continuation in part of application No. 15/823,285, filed on Nov. 27, 2017, granted, now 10,740,096, issued on Aug. 11, 2020.
Application 15/823,363 is a continuation in part of application No. 15/818,733, filed on Nov. 20, 2017, granted, now 10,673,887.
Application 15/823,285 is a continuation in part of application No. 15/813,097, filed on Nov. 14, 2017, abandoned.
Application 15/813,097 is a continuation in part of application No. 15/806,697, filed on Nov. 8, 2017, abandoned.
Application 15/806,697 is a continuation in part of application No. 15/790,457, filed on Oct. 23, 2017, granted, now 10,884,999, issued on Jan. 5, 2021.
Application 15/790,457 is a continuation in part of application No. 15/790,327, filed on Oct. 23, 2017, granted, now 10,860,951, issued on Dec. 8, 2020.
Application 15/790,327 is a continuation in part of application No. 15/788,718, filed on Oct. 19, 2017, granted, now 10,861,014, issued on Dec. 8, 2020.
Application 15/788,718 is a continuation in part of application No. 15/788,002, filed on Oct. 19, 2017, abandoned.
Application 15/788,002 is a continuation in part of application No. 15/787,601, filed on Oct. 18, 2017, granted, now 10,860,660, issued on Dec. 8, 2020.
Application 15/787,601 is a continuation in part of application No. 15/725,274, filed on Oct. 4, 2017, granted, now 10,609,079, issued on Mar. 31, 2020.
Application 15/725,274 is a continuation in part of application No. 15/673,368, filed on Aug. 9, 2017, abandoned.
Application 15/673,368 is a continuation of application No. 15/655,113, filed on Jul. 20, 2017, granted, now 10,735,456, issued on Aug. 4, 2020.
Application 15/655,113 is a continuation in part of application No. 15/616,427, filed on Jun. 7, 2017, abandoned.
Application 15/616,427 is a continuation in part of application No. 15/376,657, filed on Dec. 13, 2016, granted, now 10,402,906, issued on Sep. 3, 2019.
Application 15/616,427 is a continuation in part of application No. 15/343,209, filed on Nov. 4, 2016, granted, now 11,087,403.
Application 15/376,657 is a continuation in part of application No. 15/237,625, filed on Aug. 15, 2016, granted, now 10,248,910, issued on Apr. 2, 2019.
Application 15/376,657 is a continuation in part of application No. 15/229,476, filed on Aug. 5, 2016, granted, now 10,454,791, issued on Oct. 22, 2019.
Application 15/237,625 is a continuation in part of application No. 15/206,195, filed on Jul. 8, 2016, abandoned.
Application 15/206,195 is a continuation in part of application No. 15/186,453, filed on Jun. 18, 2016, abandoned.
Application 15/186,453 is a continuation in part of application No. 15/166,158, filed on May 26, 2016, abandoned.
Application 15/166,158 is a continuation in part of application No. 15/141,752, filed on Apr. 28, 2016, granted, now 10,860,962, issued on Dec. 8, 2020.
Application 15/141,752 is a continuation in part of application No. 15/091,563, filed on Apr. 5, 2016, granted, now 10,204,147, issued on Feb. 12, 2019.
Application 15/141,752 is a continuation in part of application No. 14/986,536, filed on Dec. 31, 2015, granted, now 10,210,255, issued on Feb. 19, 2019.
Application 15/091,563 is a continuation in part of application No. 14/925,974, filed on Oct. 28, 2015, abandoned.
Claims priority of provisional application 62/568,298, filed on Oct. 4, 2017.
Claims priority of provisional application 62/568,312, filed on Oct. 4, 2017.
Claims priority of provisional application 62/568,305, filed on Oct. 4, 2017.
Claims priority of provisional application 62/568,291, filed on Oct. 4, 2017.
Claims priority of provisional application 62/568,307, filed on Oct. 4, 2017.
Prior Publication US 2022/0060509 A1, Feb. 24, 2022
Int. Cl. H04L 9/40 (2022.01); G06F 16/2458 (2019.01); G06F 16/951 (2019.01)
CPC H04L 63/20 (2013.01) [G06F 16/2477 (2019.01); G06F 16/951 (2019.01); H04L 63/1425 (2013.01); H04L 63/1441 (2013.01)] 6 Claims
OG exemplary drawing
 
1. A system for privilege assurance of enterprise computer network environments using lateral movement detection and prevention, comprising:
a local session monitor comprising a first plurality of programming instructions stored in a memory of, and operating on a processor of, a first computing device within a computer network operating a directory access protocol, wherein the first plurality of programming instructions, when operating on the processor of the first computing device, cause the first computing device to:
receive a first plurality of session-based details for an authentication session for a user;
check the validity of the first plurality of session-based details, using a stored session configuration;
log the first plurality of session-based details;
receive a second plurality of session details;
compare the first and second pluralities of session details against a stored expected pattern to identify any mismatched data;
where invalid or mismatched information is identified in the first or second plurality of session-based details or in the comparison against a stored expected pattern, revoke authentication credentials for the authentication session and generate an event log indicating the particular session-based details that contain the invalid or mismatched information;
send the event log to a graph engine;
a graph engine comprising a second plurality of programming instructions stored in a memory of, and operating on a processor of, a second computing device, wherein the second plurality of programming instructions, when operating on the processor of the second computing device, cause the second computing device to:
receive the event log;
create and store a cyber-physical graph of the computer network using the event log, wherein the vertices of the cyber-physical graph represent directory access protocol objects and the edges of the cyber-physical graph represent the relationships between those objects;
perform a plurality of queries over time on the cyber-physical graph to identify a cyberattack parameter of interest;
receive results of the plurality of queries;
analyze the results to determine a plurality of high-risk hosts, the high-risk hosts being determined based on the number and value of user accounts associated with each object in the cyber-physical graph and its connections to neighboring objects; and
create and store a lateral movement path map comprising a plurality of identified paths involving each of the plurality of high-risk nodes.
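The two claimed components (a local session monitor that validates and compares session details, revokes on mismatch and emits an event log; a graph engine that turns that log into a graph of directory objects, scores high-risk hosts and maps lateral movement paths) read as a concrete pipeline. The following is an added example written for this page, not QOMPLX's implementation and not code from the patent. Everything in it is an assumption: the session fields checked, the stored configuration shape, the BloodHound-style relationship names (MemberOf, AdminTo, HasSession), the account value weights, the scoring formula (account count plus summed account value plus neighbour count) and the risk threshold. The accounts, hosts and edges are constructed so that the output can be traced by hand.

```python
"""Added example (not QOMPLX code): a session monitor whose event log feeds a graph
of directory objects that is scored for high-risk hosts and searched for lateral
movement paths.  Every account, host, edge, weight and field name is constructed."""
from collections import defaultdict

SESSION_CONFIG = {  # assumed stored session configuration: permitted logon types/hosts
    "alice": {"logon_type": {"interactive", "network"}, "host": {"WS01", "WS02"}},
    "svc_backup": {"logon_type": {"service"}, "host": {"SRV01"}}}
STABLE_FIELDS = ("user", "host", "source_ip", "logon_type")  # assumed expected pattern


def monitor_session(first, second, config=SESSION_CONFIG):
    """Validate the first details, compare the second against them, and return the
    event log record; 'revoke' is set when anything is invalid or mismatched."""
    cfg = config.get(first["user"])
    invalid = (["user"] if cfg is None else            # unknown account is invalid
               [f for f in ("logon_type", "host") if first[f] not in cfg[f]])
    mismatched = [f for f in STABLE_FIELDS if first.get(f) != second.get(f)]
    return {"session_id": first["session_id"], "user": first["user"],
            "host": first["host"], "second_host": second.get("host"),
            "invalid_fields": invalid, "mismatched_fields": mismatched,
            "revoke": bool(invalid or mismatched)}


# Constructed directory objects and relationships (BloodHound-style names, assumed).
OBJECTS = {"alice": "user", "bob": "user", "svc_backup": "user", "Helpdesk": "group",
           "Domain Admins": "group", "WS01": "computer", "WS02": "computer",
           "SRV01": "computer", "DC01": "computer"}
DIRECTORY_EDGES = [
    ("alice", "MemberOf", "Helpdesk"), ("Helpdesk", "AdminTo", "WS01"),
    ("Helpdesk", "AdminTo", "WS02"), ("bob", "MemberOf", "Domain Admins"),
    ("Domain Admins", "AdminTo", "DC01"), ("Domain Admins", "AdminTo", "SRV01"),
    ("bob", "HasSession", "WS02"), ("svc_backup", "HasSession", "SRV01")]
ACCOUNT_VALUE = {"alice": 1, "bob": 10, "svc_backup": 5}  # assumed account tiering


class CyberPhysicalGraph:
    def __init__(self, objects, edges):
        self.kind, self.out, self.inc = dict(objects), defaultdict(set), defaultdict(set)
        for src, rel, dst in edges:
            self.add_edge(src, rel, dst)

    def add_edge(self, src, rel, dst):
        self.out[src].add((rel, dst))
        self.inc[dst].add((rel, src))

    def ingest_event_log(self, records):
        """Monitored sessions become HasSession edges; a mismatched second host
        gets one too, because the credential was presented from there."""
        for r in records:
            self.add_edge(r["user"], "HasSession", r["host"])
            if r["mismatched_fields"] and r["second_host"]:
                self.add_edge(r["user"], "HasSession", r["second_host"])

    def users_in(self, principal):
        """Expand a user or (nested) group into the set of user accounts."""
        if self.kind[principal] == "user":
            return {principal}
        return {u for rel, s in self.inc[principal] if rel == "MemberOf"
                for u in self.users_in(s)}

    def score(self, host):
        """Account count + summed account value + number of neighbouring objects,
        over accounts with a session on the host or admin rights over it."""
        acct = {u for rel, s in self.inc[host] if rel in ("HasSession", "AdminTo")
                for u in self.users_in(s)}
        neighbours = {d for _, d in self.out[host]} | {s for _, s in self.inc[host]}
        return len(acct) + sum(ACCOUNT_VALUE.get(a, 1) for a in acct) + len(neighbours)

    def high_risk_hosts(self, threshold):
        risky = [h for h, k in self.kind.items() if k == "computer" and self.score(h) >= threshold]
        return sorted(risky, key=lambda h: (-self.score(h), h))

    def next_hops(self, node):
        """Objects an attacker controlling `node` can take over in one step."""
        hops = {d for rel, d in self.out[node] if rel in ("MemberOf", "AdminTo")}
        if self.kind[node] == "computer":  # local admin can harvest session credentials
            hops |= {s for rel, s in self.inc[node] if rel == "HasSession"}
        return hops

    def lateral_movement_paths(self, start, targets):
        """Map each target host to every simple attack path from `start`."""
        paths = {t: [] for t in targets}
        def walk(path):
            if len(path) > 1 and path[-1] in paths:
                paths[path[-1]].append(path)
            for nxt in sorted(self.next_hops(path[-1]) - set(path)):
                walk(path + [nxt])
        walk([start])
        return paths


def run_example():
    first = {"session_id": "S1", "user": "alice", "host": "WS01",
             "source_ip": "10.0.0.11", "logon_type": "interactive"}
    second = dict(first, host="WS02", source_ip="10.0.0.22")  # same credential, new host
    record = monitor_session(first, second)
    graph = CyberPhysicalGraph(OBJECTS, DIRECTORY_EDGES)
    graph.ingest_event_log([record])
    risky = graph.high_risk_hosts(threshold=12)
    return record, risky, graph.lateral_movement_paths("alice", risky)
```

On the constructed data the monitor flags the second set of details because the host and source IP changed within one session, sets revoke, and the event log names exactly those two fields. The graph engine then scores SRV01, WS02 and DC01 above the threshold and finds that the only route from alice to the domain controller runs through WS02, where bob (a Domain Admins member) has a parked session: that is the edge the revocation and the path map are meant to expose before it is used.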