CPC H04L 63/1416 (2013.01) [H04L 41/22 (2013.01); H04L 63/029 (2013.01); H04L 63/1425 (2013.01); H04L 63/20 (2013.01)]; 20 Claims
1. A system for detecting security threats, the system comprising:
one or more processors configured to execute program instructions, which, when executed, cause the one or more processors to implement operations comprising:
in an enrichment stage, receiving events pertaining to a monitored private network;
enriching the events by augmenting them with enrichment data; and
receiving, at an analysis engine, the enriched events and analysing the enriched events to detect security threat conditions indicated by the enriched events;
wherein at least one of the events is enriched based on external reconnaissance by:
extracting, from the at least one event, a private network address within the private network;
determining from the private network address a related public network address corresponding to the private network address, the related public address on a network interface between the private network and a public network, and
augmenting the event with external reconnaissance data, as determined by transmitting at least one reconnaissance message from an external reconnaissance device on the public network to the related public network address on the network interface between the public and the private networks.
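The enrichment stage and analysis engine of claim 1, as an added illustration that is not part of the patent text. The NAT table, the sample events and the "external reconnaissance" results are constructed data; the reconnaissance lookup is a stub standing in for whatever the external device on the public network reports back, so nothing here sends traffic. The threat condition the analysis engine checks (a burst of failed logons on a host whose related public address exposes RDP to the outside) is an assumed example, not one the claim specifies.

```python
"""Added example (not from the patent): enrichment of monitored-network events
with external reconnaissance data keyed on the related public address, followed
by an analysis engine that flags a threat condition on the enriched events."""
import ipaddress

# Private address space per RFC 1918. (ipaddress.is_private also treats the
# documentation ranges as private, so the check is made explicit here.)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed NAT table: private host -> public address on the edge interface.
NAT_TABLE = {
    "10.0.1.25": "203.0.113.10",
    "10.0.1.40": "203.0.113.10",
    "10.0.2.7": "203.0.113.11",
}

# Constructed stand-in for what the external reconnaissance device reports:
# which services on the public address answered from the public network.
EXTERNAL_RECON = {
    "203.0.113.10": {"reachable_ports": [443, 3389]},
    "203.0.113.11": {"reachable_ports": [443]},
}

# Constructed sample events from the monitored private network.
EVENTS = [
    {"host_ip": "10.0.1.25", "event_type": "auth_failure", "count": 42},
    {"host_ip": "10.0.2.7", "event_type": "auth_failure", "count": 42},
    {"host_ip": "10.0.1.40", "event_type": "file_access", "count": 1},
    {"host_ip": "198.51.100.5", "event_type": "auth_failure", "count": 50},  # not private
]


def is_rfc1918(addr):
    """True if addr lies in one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def related_public_address(private_addr, nat_table=NAT_TABLE):
    """Map a private host to the public address on the network interface, or None."""
    if not is_rfc1918(private_addr):
        return None
    return nat_table.get(private_addr)


def enrich(event, nat_table=NAT_TABLE, recon=EXTERNAL_RECON):
    """Enrichment stage: extract the private address, resolve its related public
    address and augment the event with the external reconnaissance data."""
    enriched = dict(event)
    pub = related_public_address(event["host_ip"], nat_table)
    if pub is not None:
        enriched["related_public_ip"] = pub
        enriched["external_recon"] = recon.get(pub, {})
    return enriched


def analyze(enriched_events, failure_threshold=10):
    """Analysis engine: flag hosts with a burst of failed logons whose related
    public address exposes RDP (3389) externally (assumed example condition)."""
    findings = []
    for ev in enriched_events:
        exposed = ev.get("external_recon", {}).get("reachable_ports", [])
        if (ev["event_type"] == "auth_failure"
                and ev["count"] >= failure_threshold
                and 3389 in exposed):
            findings.append({
                "host": ev["host_ip"],
                "public_ip": ev["related_public_ip"],
                "reason": "failed-logon burst on a host whose public address exposes RDP",
            })
    return findings


def run_pipeline(events=EVENTS):
    """Enrich every event, then hand the enriched events to the analysis engine."""
    return analyze([enrich(e) for e in events])


if __name__ == "__main__":
    for f in run_pipeline():
        print(f)
```

Only events carrying an RFC 1918 address are enriched; the event from 198.51.100.5 passes through untouched and so can never satisfy the condition, which is the point of tying the reconnaissance data to the related public address rather than to the event's own source field.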