US20250371156
2025-12-04
Physics
G06F21/566
The patent application outlines a threat analysis platform designed to automate the evaluation of security threats within IT environments. Users can submit objects like URLs and files for analysis, which are then processed by dedicated engines. These engines perform both static and dynamic analyses to assess the potential for malicious activity, such as phishing or malware. The platform's automated actions include navigating URLs, analyzing document content, and leveraging third-party security services.
IT environments are vulnerable to various security threats, including malware and credential phishing. Malware encompasses software intended to harm or disrupt systems, while phishing tricks users into disclosing sensitive information. Traditionally, security analysts manually investigate these threats, often using time-consuming methods like setting up sandbox environments. This manual approach can lead to inconsistent results, especially when facing novel threats.
The threat analysis platform automates the investigation of security threats by using specialized engines to perform a range of analyses. It can navigate URLs, extract and emulate macro code, and conduct image analysis, among other tasks. The platform can reinject newly discovered objects for further analysis, aggregate results, and present findings intuitively. It supports integration with other applications through APIs, enhancing the efficiency and accuracy of threat investigations.
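The re-injection and aggregation loop described above, as an added example (not code from the patent application or from any product): the engine names, scoring heuristics, depth limit and sample document are assumptions made for illustration, and the engines here are static only, with no network access.

```python
import re
from collections import deque
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
MAX_DEPTH = 3  # assumed bound so chains of discovered objects cannot run forever

def analyze_document(text):
    """Hypothetical static document engine: embedded URLs become new objects."""
    urls = sorted({u.rstrip(".,;") for u in URL_RE.findall(text)})
    return {"score": 0, "notes": [f"{len(urls)} embedded URL(s)"],
            "discovered": [("url", u) for u in urls]}

def analyze_url(url):
    """Hypothetical static URL engine; weights are illustrative assumptions."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    checks = [
        (re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host), 50, "IP-literal host"),
        (parts.scheme != "https", 10, "no TLS"),
        (re.search(r"login|signin|verify", parts.path, re.I), 30, "credential-themed path"),
    ]
    hits = [(pts, note) for cond, pts, note in checks if cond]
    return {"score": sum(p for p, _ in hits), "notes": [n for _, n in hits],
            "discovered": []}

ENGINES = {"document": analyze_document, "url": analyze_url}

def investigate(kind, value):
    """Analyze a submission, re-inject discovered objects, aggregate the results."""
    queue, seen, findings = deque([(kind, value, 0)]), set(), []
    while queue:
        k, v, depth = queue.popleft()
        if (k, v) in seen:  # each distinct object is analyzed once
            continue
        seen.add((k, v))
        result = ENGINES[k](v)
        findings.append({"kind": k, "value": v, "depth": depth,
                         "score": result["score"], "notes": result["notes"]})
        if depth < MAX_DEPTH:  # re-inject children one level deeper
            queue.extend((ck, cv, depth + 1) for ck, cv in result["discovered"])
    return {"verdict_score": max(f["score"] for f in findings), "findings": findings}

# Constructed sample submission; the addresses are documentation-range values.
SAMPLE_DOC = ("Invoice attached. Review at http://192.0.2.10/account/login "
              "or see https://example.com/help. Again: http://192.0.2.10/account/login")

if __name__ == "__main__":
    print(investigate("document", SAMPLE_DOC))
```

The aggregate verdict takes the highest score found anywhere under the submission, so a document that is harmless on its own still inherits the score of a URL it embeds.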
The platform operates using cloud-based or on-premises computing resources, enabling flexible deployment options. It includes analysis engines capable of automating security investigations for various objects like URLs and files. The platform can work alongside existing security applications, such as SOAR tools, to streamline the analysis process. Automated actions help security teams quickly assess and respond to potential threats, improving IT environment security.
Security teams and other users can interact with the platform via client devices through web-based interfaces, standalone applications, or APIs. These interfaces allow users to submit objects for analysis and receive results. User accounts can be used to personalize the platform experience, store analysis histories, and manage access to features. The platform's design facilitates efficient threat investigation and enhances the overall security posture of IT environments.