Systems and methods for cyber threat detection based on new and / or updated cyber threat intelligence

JP2025524952A5Pending Publication Date: 2026-06-08CENTRIPETAL NETWORKS INC

Patent Information

Authority / Receiving Office
JP · JP
Patent Type
Applications
Current Assignee / Owner
CENTRIPETAL NETWORKS INC
Filing Date
2023-07-24
Publication Date
2026-06-08

AI Technical Summary

Technical Problem

Existing network security systems struggle to effectively apply updated cyber threat intelligence to historical packet filtering data, leading to inefficiencies and potential loss of important data due to the dynamic nature of cyber threats and the lack of resources for retrospective analysis.

Method used

A cyber threat analysis system applies updated cyber threat intelligence to identify and update packet filtering rules, focusing on specific packet logs and captures related to known threats, and uses these criteria to refine and flag relevant data for improved detection and prevention.

Benefits of technology

This approach enhances the detection and prevention of cyber threats by efficiently applying updated intelligence to historical data, reducing resource waste and improving the accuracy of threat analysis.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure 00000000_0000_ABST
    Figure 00000000_0000_ABST
Patent Text Reader

Abstract

Describe systems, methods, and apparatuses for detecting and / or analyzing cyber threats based on updated cyber threat intelligence related to cyber threats. Packet filtering output data, such as logs of packet communications and / or copies of packets, can be generated based on first cyber threat intelligence related to cyber threats. Thereafter, updated criteria based on the updated cyber threat intelligence can be applied to the packet filtering output data.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] The present disclosure relates to systems and methods for cyber threat detection based on new and / or updated cyber threat intelligence.

[0002] Cross - Reference to Related Applications This application claims priority to U.S. Provisional Patent Application No. 63 / 430,479, filed on Dec. 6, 2022, and also claims priority to U.S. Provisional Patent Application No. 63 / 391,987, filed on Jul. 25, 2022. Each of U.S. Provisional Patent Application No. 63 / 430,479 and U.S. Provisional Patent Application No. 63 / 391,987 is hereby incorporated by reference in its entirety.

Background Art

[0003] Threats to the security of computer networks can take various forms (such as unauthorized data transfer, hacking attempts, viruses, bots, and other types of malware). The scope of such threats has been on the rise, as has the effort of malicious actors who exploit weaknesses in computer network security. Threats often use the Internet to investigate, access, and / or attack computers and other devices on the networks of entities that can be connected to the Internet. For example, desktop computers, mobile devices, on - premise or cloud enterprise application servers, public web servers, and other types of computing devices can be directly connected to the networks owned and / or operated and managed by entities such as commercial businesses, governments, etc. These entity networks are then connected to the Internet and can access other Internet - connected hosts (e.g., public web servers, application servers, etc.) that have public addresses. In some cases, hosts connected to the Internet with such public addresses can be malicious.

Summary of the Invention

Problems to be Solved by the Invention

[0004] An entity can attempt to protect a network by filtering traffic between the entity host and hosts of other networks. Such filtering may attempt to analyze (such as collect information) packet communications across the boundaries of the entity network and may in some cases block them. In order to determine packets for collecting information, blocking packets, etc., a filtering device may be set with filtering rules that attempt to match packets against one or more criteria based on network threat intelligence. These filtering rules can be generated based on network threat intelligence. Network threat intelligence can be received from a number of sources and can include various specific or unspecific information regarding network threats.

[0005] Threats to network security are dynamic and can change over time. Furthermore, as the number of independent systems that detect and / or are affected by such threats increases, new information about some threats may come to light. For these and other reasons, network threat intelligence regarding a particular threat can be updated as the threat intelligence evolves. As the intelligence is updated, it may become more accurate and / or detailed, more reliable, and / or reflect an increased awareness of the severity of the threat. When receiving new network threat intelligence related to a particular threat, the filtering rules related to that threat can be updated based on the updated information in the new intelligence. These updated rules can then be applied to subsequently received packet communications and filter those communications based on the improved information.

[0006] Implementing an update to a packet communication filtering rule can improve the detection and / or prevention of threats to attack the network after such an update. However, since previous filtering was based on rules created using old (and perhaps more specific and / or less accurate) information, previous attacks by the same threats may not have been detected. In such previous filtering, data recording information about previously filtered packets may have been generated and / or copies of previously filtered packets may have been saved, but there are obstacles to applying updated threat intelligence to data obtained based on pre-update filtering. For example, if there is no knowledge (or at least suspicion) that the protected network has been subject to an obvious or continuous attack, the analyst may not consider applying updated threat intelligence to data from pre-update filtering, or there may be no available resources. Furthermore, the amount of data related to previous filtering, the ever-increasing cyber threats, and the specialized skills and resources required to recognize when the threat intelligence of a particular threat was updated are additional factors that can prevent retrospectively applying updated threat intelligence to data generated from pre-update filtering. Also, since the volume of previous filtering data may be controlled by deleting old data, important data may be lost if the relationship between old data and cyber threats is not determined before the scheduled deletion. **Means for Solving the Problem**

[0007] The following presents a simplified overview for providing a basic understanding of some aspects of the present disclosure. It is not intended to identify key or essential elements of the present disclosure, nor to delineate the scope of the present disclosure. The following overview merely simplifies and presents some concepts related to the present disclosure as a prelude to the description that follows.

[0008] A cyber threat analysis system may be composed of one or more servers or other computing devices, and updated cyber threat intelligence can be applied to the output data of packet filtering generated based on previous cyber threat intelligence. For example, based on the receipt of a first cyber threat intelligence, the cyber threat analysis system may first generate packet filtering rules composed of one or more criteria for filtering packet communications to detect cyber threats addressed by the first cyber threat intelligence. The cyber threat analysis system transmits the packet filtering rules and other rules generated based on other cyber threat intelligence and related to other cyber threats to a packet security gateway. The packet security gateway uses those rules to filter packet communications, generates packet filtering output data (such as packet logs and captured packets) of the filtered packets that match the criteria of those rules, and can transfer the packet filtering output data to the cyber threat analysis system. After receiving a second cyber threat intelligence, the cyber threat analysis system determines that the second cyber threat intelligence may be related to the same cyber threat as the first cyber threat intelligence, and further determines that the second cyber threat intelligence may include information that can be used to generate updated criteria related to the same cyber threat. The updated criteria may provide additional insights regarding the packet filtering output data generated by the packet security gateway using the filtering rules based on the first cyber threat intelligence. To focus on applying the updated criteria to data that may be related to the same cyber threat, the cyber threat analysis system can identify packet logs and / or captured packets generated using the pre-update filtering rules for that cyber threat, which were based on the first cyber threat intelligence.

[0009] The updated criteria may consist of data configured to match new and / or changed network threat indicators related to cyber threats (such as values of parameters and / or characteristics of filtered packets). The updated criteria can be applied by determining whether the identified packet logs contain values (e.g., one or more parameters and / or characteristics of filtered packets) that match one or more of the updated criteria. The updated criteria are applied to the data within the captured packets, and data may be omitted from the packet logs corresponding to the captured packets. For example, with the updated criteria, it may be determined that a packet corresponding to a particular packet log does not match the updated criteria and thus may no longer be associated with a cyber threat. Based on the application of the updated criteria, one or more outputs are generated based on whether the captured packets match or do not match the updated criteria.

[0010] These and other features will be described in detail below.

Brief Description of the Drawings

[0011] Some features are shown, by way of example, in the figures of the accompanying drawings and in examples where like reference numerals refer to like elements and are not limited to the examples.

Figure 1

Figure 2

Figure 3A

Figure 3B

Figure 4

Figure 5

Figure 6A

Figure 6B

Figure 6C

Figure 6D

Figure 6E

Figure 6F

Figure 7

Figure 8A

Figure 8B

Figure 9A

Figure 9B

Figure 9C

Figure 9D

Figure 9E

Figure 9F

Figure 9G

Figure 10A

Figure 10B

Figure 11A

Figure 11B

Figure 12A

Figure 12B

Figure 13A

Figure 13B

Figure 14A

Figure 14B

[0012] A cyber threat can consist of one or more threat actors attempting, or suspected of attempting, to perform some unauthorized action that affects a computing device or a network of target entities. Threat actors can include criminals, criminal organizations, states, or other persons or groups. Unauthorized actions can include damage and / or invalidation of equipment (such as ransomware, invalidation or damage of industrial equipment by hacking a network control system), access to and / or theft of data (such as stealing), execution of operations that provide benefits to the threat actor on a computing device or network (such as generating spam, mining cryptocurrency, executing a denial-of-service attack, etc.), and other types of actions not permitted by the target entity. Without limiting the generality of the above, cyber threats can include viruses and other malware, phishing attacks, attempts to hack a web server, and the like.

[0013] Cyber Threat Intelligence (CTI) can include information about cyber threats. Such information can be related to the nature of the threats. For example, CTI can indicate that the threats include viruses and other malware, bots, phishing attacks, theft, attempts at hacking, and / or other known or suspected types of activities. CTI can include information about threat actors related to or suspected of being related to cyber threats. CTI can include Network Threat Indicators (NTIs) or multiple NTIs related to cyber threats. An NTI can include one or more values of parameters or characteristics observable in relation to packet data communicated over a network, and / or some other indication. For example, an NTI can be a 5-tuple value (L3 host IP address, L4 port, and / or host / resource identifier specifying a related L3 protocol type) or a portion thereof, one or more other L3 header field values or portions thereof, one or more other L4 header field values or portions thereof, one or more L2 header field values or portions thereof, protocol version, host name or a portion thereof, domain name (e.g., fully qualified domain name (FQDN), a portion of a domain name (e.g., top-level domain and / or subdomain), universal resource identifier (URI) or a portion thereof, universal resource locator (URL) or a portion thereof, certificate or a portion thereof, certificate identifier or a portion thereof, certificate authority identifier or a portion thereof, packet size or portion, indicator associated with the data payload portion of the packet, type of HTTP request method (e.g., GET, PUT, PUSH, CONNECT, etc.), etc. An NTI can include metadata related to one or more packets. For example, an NTI can include one or more types of information related to one or more parameters or characteristics observable based on the behavior (or resulting actions) of a packet and / or a set of packets. For example, an NTI can include the time related to the communication of a packet, whether the packet has a specified temporal or other relationship with one or more other packets, directionality (e.g., incoming or outgoing), etc.NTI may include information (such as instructions) indicating a protocol decoder and / or a packet payload inspection algorithm. NTI is related to a flow and may indicate the number of packets in the flow and other information. A flow, or a microflow, may refer to a collection of packets with the same 5-tuple value generated by the same (single) event / action at the source host. A flow may be unidirectional (e.g., packets flowing from a first host as the source to a second host as the destination) or bidirectional (e.g., packets flowing from a first host as the source to a second host as the destination and packets flowing from the second host as the source to the first host as the destination). Packets in a bidirectional flow may have the same 5-tuple value, but the source field value and the destination field value may be swapped depending on the direction of the packet (from client to server, from server to client, etc.). A flow can constitute an application layer flow and can be distributed among multiple L3 / L4 flows and the related packets.

[0014] CTI can be received from one or more sources as CTI data in various formats. CTI data can include reports from CTI providers. CTI data consists of data delivered (e.g., in real time) via an application programming interface (API), text files, data downloaded from open source resources, and / or other types of data, regardless of the format. CTI data can be received from external sources (such as CTI providers described below) or from internal sources. For example, the cyber threat analysis system 130 described below generates CTI data (e.g., based on CTI data received from other sources and / or based on network traffic and / or behavior observed by the cyber threat analysis system 130). CTI data can explicitly identify one or more NTIs and / or derive NTIs from the information in the CTI data. CTI data and CTI can be incomplete and often are. For example, CTI data may constitute one type of NTI for a cyber threat, but lack other types of NTIs or lack the threat context related to one or more NTIs indicated by the CTI data. As more is learned about cyber threats over time, new CTI for those threats may consist of additional types of NTIs and / or changes to NTIs provided in previous CTI for those threats. Changing the NTIs can result in subsequent CTI data that includes NTIs not included in previous CTI data and / or subsequent CTI that does not include NTIs included in previous CTI data. CTI can consist of threat levels with values indicating the confidence level associated with the cyber threat. Also, or alternatively, the threat level for a particular cyber threat can be determined, assigned, and / or changed based on an analysis of the CTI for that particular threat. The threat level may indicate, for example, the level of confidence in the accuracy of the CTI, the likelihood that the threat is an actual threat, or both.Also, or alternatively, a threat level may indicate the potential severity of a cyber threat (e.g., a quantitative and / or qualitative estimate of potential data loss, damage, business disruption, or other possible impacts of a cyber threat). The threat level associated with a cyber threat can increase (or decrease) over time. The threat level and context of CTI (and / or NTI) can vary over time (e.g., the relevance may depend on a specific time frame).

[0015] Generally, CTI for a particular cyber threat evolves and / or otherwise changes over time. As more information is learned about a particular cyber threat, the CTI for that threat can become more accurate and / or reliable. In contrast, older CTI can become less reliable (or in a degraded state). For example, older CTI may have indicated a low severity and / or few concerns about a cyber threat, but later CTI may indicate that the cyber threat has become more of a problem than initially believed. As another example, older CTI may have provided certain information (e.g., one or more NTI) for detecting a cyber threat, but some of that information may later be determined to be inapplicable and / or irrelevant, and later CTI may include more focused and / or accurate information. As a further example, a threat actor may change the way it uses a network attack (e.g., to camouflage later attempts or to avoid repeating actions that are likely to be identified by a network security system), and later CTI may indicate new and / or changed NTI and / or other information related to the changed attack method.

[0016] CTI can be used to create packet filtering rules for a packet security gateway. Packet filtering rules are used to filter data packets passing through the packet security gateway. Packet filtering involves comparing the criteria of the packet filtering rules with the observable parameters and / or characteristics of the filtered packets to determine if there is a match. The criteria of the packet filtering rules may be based on NTI and / or other information obtained from CTI (and / or may include other criteria). For example, if CTI indicates (by providing values) certain NTI that may be associated with cyber threats, the criteria of the packet filtering rules based on that CTI include information (e.g., the values of those NTI) to compare with the packets to determine if those NTI are present in the packets. As a result of the filtering process, various types of packet filtering output data may occur. For example, a packet filtering gateway may generate log data where each packet log (such as an individual data record) corresponds to an individual packet and includes various data fields indicating the values of the various parameters and / or characteristics of that packet. These packet logs from the packet filtering gateway are distinct from the logs generated by other types of devices (such as firewalls) that may create logs of all traffic and may be generated for packets that match the filtering criteria of the packet filtering rules. One or more values of the packet log may include values that match the filtering criteria of the filtering rules (e.g., may include values that match one or more NTI of one or more filtering rule criteria associated with the packet log). The packet log can be a flow-level log (such as an L3 / L4 level flow log, an L5-L7 application / application flow log, etc.) that includes a collection of packet logs for individual packets. In addition to the log data, the output data of the packet filtering may include the captured packets.The captured packets can be copies of packets corresponding to one or more packet logs.

[0017] Based on the updated CTI received for a specific cyber threat, the packet matching criteria of the packet filtering rules related to that cyber threat can also be updated. The updated packet matching criteria may include information used to match a type of NTI that is different from the type of NTI that was matched by the previous packet matching criteria. For example, the previous criteria match an NTI that specifies a network address (or a range of network addresses), and the updated criteria match an NTI that specifies a domain name. The updated packet matching criteria may include information used to match a type of NTI that is the same as the type of NTI that was matched by the previous packet matching criteria. For example, the previous criteria match an NTI that specifies a range of network addresses, and the updated criteria match an NTI that specifies a different range of network addresses or an NTI that specifies a specific network address.

[0018] When receiving new CTI for a cyber threat, there may be significant benefits in applying that new CTI to existing packet filtering output data (such as log data and / or captured packets) collected based on the old CTI. For example, applying the new CTI to the existing packet filtering output data can more accurately evaluate whether the network was affected by the cyber threat during the period before the new CTI. Applying the new CTI to the existing packet filtering output data may also reveal additional information that can improve the future detection and / or prevention of cyber threats addressed by the new CTI. Applying the new CTI to the existing packet filtering output data may also reduce the resources required to store that data in some cases. For example, some of the existing packet filtering output data may be determined to be of low relevance, and it may be appropriate to delete such data or shorten the time it is retained.

[0019] However, applying new CTI to existing packet filtering output data (such as log data and / or captured packets) gives rise to various issues. Both the amount of packet filtering output data and the amount of new CTI may continuously increase at a significant rate. Applying an enlarged amount of new CTI to existing packet filtering output data may not be impossible but may not be practical. However, by guiding the application of new CTI to existing packet filtering output data using previous CTI related to a specific cyber threat, there is a possibility of addressing at least some of these issues. When the new CTI is related to a specific cyber threat, previous CTI related to (or likely to be related to) that cyber threat may be used to identify portions of the existing packet filtering output data that are likely to be related to the cyber threat. Subsequently, newer CTI is applied to the identified portions. This can avoid wasting processing resources for applying new CTI to a large amount of packet filtering output data that seems to have low relevance to the cyber threats addressed by the new CTI and improve efficiency.

[0020] FIG. 1 is a diagram showing an environment 100 related to the detection and / or analysis of cyber threats based on updated CTI and / or the detection and / or analysis of cyber threats based on updated packet matching criteria corresponding to the updated CTI. In the drawings subsequent to FIG. 1, the letter "n" is used to indicate any integer value of 2 or more, and does not necessarily represent the same value in all places where it is used. A series of three dots in the drawings is used to indicate the possibility of the existence of one or more additional elements similar to the elements at one or both ends of the series of three dots. The various similar elements shown in the drawings have similar reference numbers including an additional increment part. Elements with similar reference numbers can be referred to collectively or generically using the similar part of the reference numbers of the elements. For example, the first networks 105.1 to 105.n are collectively referred to as the first network 105, and any one of those first networks 105 may be referred to as the first network 105.

[0021] As shown in FIG. 1, the environment 100 may include one or more first networks 105. Alternatively, the environment 100 may include a single first network 105. Each first network 105 may include, for example, various types of networks (e.g., local area network (LAN), wide area network (WAN), virtual private network (VPN), software defined network (SDN), or a combination thereof) associated with one or more individuals and / or entities (e.g., government, enterprise, service provider). As will be described in detail below, each first network 105 may be served and / or protected by a packet security gateway (PSG110) that is controlled and / or managed by the cyber threat analysis system 130. In particular, each first network 105 includes one or more hosts that communicate via the PSG110 and the second network 125, and one or more external hosts may exist on one or more other networks. These external hosts may include any of the external hosts 140.1 to 140.n shown in FIG. 1 and / or hosts within other networks. One or more of the external hosts 140 may be part of a network that communicates via the second network 125, similar to the third networks 151 and 155 described below. The second network 125 includes, for example, the Internet or a portion thereof. The network 105 is a protected network (because the PSG110 exists), and networks other than the network 105 (e.g., the second network 125) may be unprotected networks.

[0022] The host includes, for example, a device that functions as a network node and / or is connected to a network and has an L3 network address assigned to one or more network interfaces of the device. The host can include computing devices such as servers, desktop computers, laptop computers, tablet computers, mobile devices (such as smartphones), routers, gateways, proxies, firewalls, switches, access points, etc. The computing device can include one or more processors configured to execute instructions, a memory for storing executable instructions and / or other data, and one or more network interfaces configured such that an arithmetic unit transmits and receives data via a network. The first network 105.1 can include hosts 120.1-1 through 120.1-n configured to communicate with one or more of the external hosts 140 and / or one or more other external hosts via the PSG110.1. Similarly, the first network 105.n can include hosts 120.n-l through 120.n-n configured to communicate with one or more of the external hosts 140 and / or one or more other external hosts via the PSGHO.n. Some or all of the first network 105 routes external communications through other devices such as firewalls, Internet service provider (ISP) gateways, proxy servers, etc. For example, the hosts of the first network 105 include firewalls, proxy servers, and / or other devices in the network path between other hosts in the network and the PSG110 of the network, and / or external communications with the PSG110 pass through an ISP gateway in the network path between the PSG110 and the second network 125. The environment 100 further includes one or more third networks, such as the third networks 151 and 155, that include hosts configured to communicate with hosts of other networks, but may not include the PSG110.For example, hosts 152-1 to 152-n of the third network 151 communicate with hosts of other networks via a firewall (FW) 153, and hosts 156-1 to 156-n of the third network 155 communicate with hosts of other networks via an Internet service provider (ISP) server 157.

[0023] The cyber threat analysis system 130 (hereinafter, the system 130) may include one or more computing devices (such as one or more servers) configured to communicate with the PSG 110 via the network 125. These communications may occur directly and / or via one or more intermediary systems (intermediary systems that receive log data and / or captured packets from the PSG 110 and transfer the log data and / or captured packets to the system 130 or another system that can be queried by the system 130). These communications include filtering rules transmitted from the system 130 to the PSG 110, which the PSG can apply to data packets passing through these gateways, as described below. Also, as described below, these communications may also include packet filtering output data received from the PSG 110. The packet filtering output data may include log data including a packet log of packets that match the criteria of the filtering rules. The packet filtering output data may or alternatively may include a copy of the matching packets (and / or packets related to the matching packets). The system 130 may further be configured to generate filtering rules based on CTI data received from one or more providers of CTI (e.g., via the network 125). For example, and as shown in FIG. 1, the environment 100 includes one or more cyber threat intelligence providers (CTIPs) 135.1 to 135.n.

[0024] As shown in FIG. 1, PSG 110 is disposed at or near the network boundary and can serve as an interface between the first network 105 and the second network 125. The PSG can filter packet data traffic passing through the PSG by applying filtering rules received from the system 130. That traffic can include packets transmitted from hosts on the first network 105 to external hosts via the second network 125 and packets received from external hosts via the second network 125 and addressed to hosts on the first network 105. For example, the filtering rules can include elements of the filtering rules described in any one or more of U.S. Patent No. 9,866,576 (the invention title "Rule-Based Network-Threat Detection" is incorporated herein by reference) or U.S. Patent Application Publication No. 2017 / 0324709 (the invention title "Efficient Packet Capture for Cyber Threat Analysis" is incorporated herein by reference). The filtering rules can include information for identifying cyber threats, the threat level of the threats, and criteria that can match. This criteria includes information that can be used to collate one or more NTIs related to the threat. Packets passing through the PSG 110 may match the filtering rules if one or more criteria of the filtering rules match the corresponding parameters and / or characteristics of the packet (or the flow or other packet group that makes up the packet). The filtering rules can further include one or more operators applied to packets that match the criteria of the filtering rules. For example, the "allow" operator permits the packet to continue towards the destination. As another example, the "block" operator causes the packet to be dropped or prevents its continuation to the destination.Filtering rules can also include instructions or other information to capture matching packets (and / or packets within a flow, or packets related to matching packets). Packet capture can include saving copies of packets and / or information related to the packets. Both blocked and permitted packets are captured. The PSG 110 can also generate a packet log based on the matching packets and can send not only the captured packets but also those packet logs to the system 130.

[0025] The PSG110 may include one or more processors and memory. The memory stores instructions that, when executed by one or more processors, cause the PSG110 to filter packets based on filtering rules (e.g., determine whether a packet matches one or more criteria of a filtering rule, apply operators, capture a packet), generate a packet log based on packet matches, transfer the packet log and captured packets to the system 130, receive and store filtering rules and other instructions from the system 130, configure or reconfigure the PSG110, and / or perform other operations. The PSG110 includes a first interface for connecting the PSG110 to a host on the first network 105 and a second interface for connecting the PSG to the second network 125, and these interfaces may be transparent at L2 and / or L3. In particular, these interfaces may lack assigned IP addresses or media access control (MAC) addresses, and packets can pass through the PSG110 without changing their L2 or L3 headers. The PSG110 may include an additional interface for assigning network addresses (e.g., a management interface) and / or an additional interface that enables the PSG110 to communicate with the system 130 and / or other computing devices (e.g., a host associated with an administrator or other user). The PSG110 may include the functions of a PSG described in one or more of U.S. Patent No. 9,866,576, U.S. Patent Application Publication No. 2017 / 0324709, or U.S. Patent No. 9,137,205 (the invention name "Methods and Systems for Protecting a Secured Network" is incorporated herein by reference), and / or other devices that perform operations similar to those described above for the PSG110.In addition, or alternatively, the PSG110 can perform (and / or incorporate) the functions of other types of devices (such as firewalls, proxy servers, other devices at the network perimeter, etc.).

[0026] FIG. 2 is a block diagram of an example of system 130. For convenience, it is shown as a single computing device (e.g., a server), but system 130 may alternatively be composed of a plurality of computing devices, and the operations and / or functions of system 130 described herein may be distributed among those plurality of computing devices (e.g., a plurality of servers). When implemented as a plurality of computing devices, the computing devices of system 130 can communicate via one or more networks (e.g., communicate via one or more local networks and / or network 125). System 130 may include a memory 201. Memory 201 may include one or more non-transitory, physical storage portions of any type (e.g., volatile, non-volatile). System 130 may further include one or more processors 211 and one or more network interfaces 212. Memory 201, processor 211, and network interface 212 can communicate via one or more data buses 210. Memory 201 can store instructions that, when executed by processor 211, cause system 130 to perform operations as described herein. Those instructions may be organized into and / or be part of one or more modules. Those modules may include a database management module 202 that includes instructions to store data (e.g., CTIP 135 and / or CTI data from other sources, filtering rules, packet logs, and / or packet captures from PHS 110), instructions to retrieve the data, instructions to delete the data, instructions to rearrange and / or index the data, instructions to update the data, etc. in a database 131 (which may in some cases be composed of one or more parts of another computing device and / or memory 201).The module can constitute a rule module 203 that includes instructions for analyzing CTI data, generating packet filtering rules based on the CTI data, communicating the packet filtering rules to the PSG110, and / or setting packet filtering rules based on a profile (such as a subscriber or customer profile) associated with a specific PSG110 or the like. The module can constitute an intelligence update module 204 that stores instructions for determining that multiple CTI data are related (or potentially related) to the same cyber threat, instructions for determining differences between CTI data related (or potentially related) to the same cyber threat, and / or instructions for applying differences determined in packet logs and / or captured packets generated based on previous versions of CTI for that cyber threat. The module 204 can also store instructions for generating a report of the analysis performed by the module 204, and the report can be transmitted and / or used for other systems and / or users (for example, in a forensic analysis of composite log data and / or other information, the forensic analysis may or may not be associated with improving the rules used by one or more PSG110s). The module 204 interacts with the module 203 (for example, causing an update of the packet filtering rules based on differences between multiple CTI data of a cyber threat), interacts with the module 202 (for example, causing the identification and / or acquisition of packet logs and / or captured packets related to a specific cyber threat), and / or interacts with other modules. The network interface 212 can connect the system 130 to the network 125, the database 131, and / or other networks for data transfer.

[0027] FIGS. 3A and 3B are sequence diagrams showing an example of events related to the detection and / or analysis of cyber threats based on updated CTI and / or updated NTI. FIG. 3B is a continuation of FIG. 3A. The examples of FIGS. 3A and 3B are simplified for illustration purposes. The number, order, and / or timing of the exemplary events vary, and one or more of the events shown in FIGS. 3A and 3B may be omitted or repeated, or additional events may occur.

[0028] In event 301, system 130 can receive CTI data from CTI provider 135.1. The CTI data can be composed of one or more data messages and / or files and can be composed of CTI related to one or more different cyber threats. The CTI data received in event 301 includes CTI 300.1 related to a first cyber threat and reflecting the knowledge of CTI provider 135.1 at time T1. T1 is included. CTI 300.1 T1 may indicate the nature of the first cyber threat (such as the type of attack that may be attempted, entities suspected of being related to the attack, suspected sources of the attack, and other information), or there may be no such indication at all. CTI 300.1 T1may indicate one or more NTI related to a first cyber threat. As described above, NTI includes one or more values of parameters or characteristics observable within or in relation to the communication of one or more data packets. NTI can be composed of one or more specific values (e.g., a specific source address and / or destination address, a specific source port and / or destination port, a specific protocol, a specific domain, etc.), a range of values (e.g., a range of source addresses and / or destination addresses, a range of source ports and / or destination ports, a part of a domain), or a combination of multiple specific values and / or ranges of values. NTI includes information observable based on the way and / or time a packet is sent or received, but is not part of the data within an actual packet. Examples of such NTI include the time (or time range) a packet passes through PSG110, whether a packet passes through PSG110 in relation to other packets that meet one or more criteria (e.g., regardless of the content of its data), whether data exists, etc. In the example of FIG. 3A, CTI300.1 T1 contains limited information about the nature of the first cyber threat and may further include data specifying or suggesting that the threat level related to the first cyber threat is low (or unknown). The NTI indicated by CTI300.1 T1 may also be limited (e.g., only a source address range and / or a destination address range). In event 302, system 130 can save CTI300.1 T1 to database 131. System 130 can save CTI300.1 T1 along with an identifier for the first cyber threat, and this identifier can be provided as part of CTI300.1 T1 or generated by system 130. Although not shown in FIG. 3A, the CTI data received in event 301 may include additional CTI related to additional cyber threats, and this additional CTI can also be saved to database 131 in event 302.

[0029] System 130 can receive CTI data from multiple CTI providers in a manner similar to that shown with respect to CTI provider 135.1. For example, at event 303, system 130 can receive data including CTI 300.n from CTI P 135.n. CTI 300.n can be related to one or more additional cyber threats and can indicate one or more NTI and / or one or more other types of information related to those additional cyber threats. At event 304, system 130 can store CTI 300.n in database 131, similar to other CTI received with the CTI data of event 303. CTI providers 135.1 and 135.n, and / or other CTI providers, can send additional CTI to system 130 before event 301, after event 301, before event 303, and / or after event 303, and the additional CTI data can include additional CTI (indicating NTI and / or other information) related to additional cyber threats, and the CTI can be further stored in database 131.

[0030] At event 305, system 130 T1 , CTI 300.n, and / or other CTI received by system 130, can generate one or more filtering rules. The rule generation at event 305 can include, for example, one or more operations as described in relation to one or more of the aforementioned patents or published patent applications. The generated filtering rules include one or more criteria, and the criteria include CTI 300.1 T1Information that matches the NTI indicated by may be included. The generated filtering rules also include criteria that include one or more NTIs indicated by CTI300.n and / or information that matches other CTIs received by system 130. Similarly, the filtering rules are composed of one or more operators and may include an indication of whether it is necessary to capture packets (and / or packet flows associated with such matching packets) that match the criteria of the filtering rules. In the examples of FIGS. 3A and 3B, the filtering rule generated for the first cyber threat event 305 includes criteria that include a range of source addresses and a range of destination addresses, the source address and destination address of the matching packets, the source port and destination port, and an instruction to log the protocol type, and an instruction to capture the packet flow associated with the matching packets. However, since the first cyber threat has a low threat level at time T1, its filtering rule may not indicate that it is necessary to determine or record other information about the packets. The filtering rule is transmitted to PSG110 at events 306 and 307 and stored in database 131 at event 308, similar to other filtering rules generated at event 305.

[0031] In event 309, PSG110.1 receives packets that are sent from host 120.1 to an external host (e.g., sent to external host 140). In event 310, PSG110.1 applies the criteria of the filtering rule received in event 306 to filter the packets. PSG110.1 may compare the received packets (and / or the time and / or relationship between the received packets and other packets, and / or other information about the received packets) with the criteria specified by the filtering rule applied as part of filtering event 310. If the packets (and / or information about the packets) match the criteria of the filtering rule, PSG110.1 executes the actions specified by the filtering rule (logging of the packets, logging and capturing of the packets, logging and capturing of the flow associated with the packets, etc.) and applies an operator (permitting the continuation of the packets, blocking the packets, etc.). If the packets are not blocked, in event 311 the packets are permitted to proceed towards the destination.

[0032] In event 312, PSG110.1 receives packets addressed to host 120.1 on the first network 105 (e.g., addressed) from an external host (e.g., external host 140). The packets received in event 312 may or may not be a response to packets sent from host 120.1 (e.g., the packet in event 312 can be the first packet in the flow between the external host and host 120.1). In event 313, PSG110.1 applies the criteria of the filtering rules to that packet, similar to the filtering in event 310, to determine whether the packet in transit matches the criteria of any packet filtering rule and filters the packet. If a match is found, PSG110.1 can perform one or more actions including applying one or more operators of one or more matching rules, logging the matching packets, and / or capturing the matching packets. If the packet is not blocked (e.g., the packet does not match the rule or the packet matches a rule that does not include a blocking operator), the packet is permitted to proceed towards the destination in event 314. Events such as events 309 to 314 may occur many more times in relation to the packets in transit communicated between host 120.1 and the external host. Some packets may be blocked and the transmission to the external host or host 120.1 may be prevented. In event 315, PSG110.1 can transfer the packet filtering output data generated in events 310 and 313 and other similar events to system 130. The transferred packet filtering output data includes log data (e.g., including the packet logs of the packets filtered during events 310 and 313 and other filtering events). The transferred packet filtering output data may also include the packets (PCAP) captured during events 310, 313, and / or other filtering events.

[0033] FIG. 4 shows an example of log data 401 that can be transmitted in event 315. The exemplary log data 401 is intended to provide an example of the types of information that can be included in such log data, in a convenient explanatory format, similar to the composite log data and / or other log data described herein. The format and / or content of the log data may be different from the example in FIG. 4. For example, the log data is not necessarily in tabular form. As another example, the log data need not include all of the information shown in log data 401, and / or may include other types of information.

[0034] In the exemplary log data 401, each entry is a packet log corresponding to a packet that matched one or more criteria of a filtering rule during filtering, and includes the value of that packet for one or more parameters and / or other characteristics (time, PSG_id, Host_id, etc.) shown in the header row at the top of FIG. 4. In the illustrated format of log data 401, each entry may be one line. In packet logs having other types of formats, the entry / log may be in other formats. Each cell in the "time" column may hold a value representing the time at which the packet corresponding to the row containing the cell passed through PSG110.1 (e.g., was filtered). For convenience, each value in the time column is a 9-digit value in the HH:MM:SS:sss format representing the time of day with millisecond precision, where the first and second digits are the hours (HH), the third and fourth digits are the minutes (MM), the fifth and sixth digits are the seconds (SS), and the remaining digits represent the milliseconds (s). Additional digits may be included to add a date component to the time value (e.g., HH can be extended to four or more digits to measure the time from an arbitrarily selected reference date).

[0035] Each cell in the 「PSG_id」 column may hold a value that identifies the PSG obtained by filtering the packets corresponding to the row containing that cell. As described below, the log data 401 is combined with similar log data from other PSGs 110, and the values in the PSG_id column in the combined log data can be used to distinguish data resulting from different PSGs and / or networks. For convenience, the PSG_id value is the same as the drawing reference number of PSG110.1 in FIG. 1. The actual PSG_id value may be composed of, for example, a MAC address or other unique value associated with the PSG. Each cell in the 「Host_id」 column may hold a value that identifies host 120.1 of network 105.1 associated with the filtered packets corresponding to the row containing that cell. Host 120.1 may be the host that sends packets to an external host or the host to which packets received from an external host are sent. For convenience, the values in the Host_id column are in the same format as the drawing reference number of host 120.1 in FIG. 1. The actual Host_id value is composed of, for example, a MAC address or other unique value associated with host 120.1.

[0036] Each cell in the 「Log_id」 column may hold a value that is a unique identifier for the packet log corresponding to the row containing that cell. In the examples from Figure 4 to 5D, relatively short values (a 4-digit number following 「L」) are used for the Log_id values, but the actual values can be much longer to facilitate unique identifier values for a much larger number of packet logs. Each cell in the 「Rule_id」 column may hold a value that identifies the filtering rule associated with the filtered packet (e.g., a filtering rule that includes the criteria matched by the filtered packet corresponding to the row containing that cell). For convenience, arbitrarily selected Rule_id values are shown in Figure 4 in the form of 「r***」. Although not shown, the packet log may also include a cell for the identifier of the cyber threat associated with the filtering rule that includes the criteria matched by the filtered packet corresponding to the row containing that cell. Such values include, for example, cyber threat identifiers as described above in relation to Event 302. The cells in the column for the cyber threat identifier may be blank for one or more packet logs, and the values in such columns may be modified (e.g., when it is later determined whether the log is associated with a particular cyber threat).

[0037] Each cell in the "Source_addr" column holds a value representing the address of the source of the filtered packet corresponding to the row containing that cell, and each cell in the "Dest_addr" column may hold a value representing the address of the destination of that filtered packet. The source address and the destination address may be Internet Protocol (IP) addresses. For convenience, the values in the Source_addr column and the Dest_addr column are arbitrarily selected values in the "IP***" format indicating an IP address. The actual Source_addr value and Dest_addr value may have the form of an IPv4, IPv6, and / or other IP version address. Also, or alternatively, the Source_addr value and the Dest_addr value may be composed of addresses other than IP. Each cell in the "S_port" column holds a value representing the source port of the filtered packet corresponding to the row containing that cell, and each cell in the "D_port" column may hold a value representing the destination port of that filtered packet. For convenience, the values in the S_port column and the D_port column are arbitrarily selected values in the "port *" format representing the source port or the destination port. The actual S_port and D_port values have numerical values identifying the port. Each cell in the "Prot." column may hold a value identifying the protocol associated with the packet corresponding to the row containing that cell. For convenience, the value in the Prot. column is an arbitrarily selected character representing the protocol. The actual Prot. value is an identifier of an L4 protocol (TCP, IP, etc.), an identifier of an upper-layer protocol (DNS, FTP, HTTP, HTTPS, TLS / SSL, etc.), and / or an identifier of another type of protocol. In the example of FIG. 4, the filtering rule associated with the first cyber threat includes only the matching criteria based on the NTI of the source address and the destination address, but for all packets that match the criteria of the filtering rule, the values of the source address, the destination address, the source port, the destination port, and the protocol are recorded. However, this is not necessarily the case.In the filtering rule, it is also possible to instruct to record only the cells associated with the NTI of the matched criteria in the log, or to instruct to record other combinations of values (regardless of whether they are part of the matching criteria of the filtering rule) in the log. As further shown in FIG. 4, each cell in the "Dir." column may hold a value indicating whether the packet corresponding to the row containing the cell is incoming from an external host (e.g., "in") or outgoing from host 120.1 (e.g., "out").

[0038] As further shown in FIG. 4, the exemplary log data 401 may include one or more additional columns. Each of the additional columns corresponds to a different parameter or characteristic, and the cells of such additional columns may hold the values of the corresponding parameters or characteristics of the filtered packets corresponding to the rows containing the cells. Such additional parameters or characteristics correspond to the NTI (or other information) associated with the criteria of the packet filtering rule. In one or more packet logs, some or all of the cells of the additional columns may be blank. For example, to conserve the processing resources of the PSG and / or to minimize latency, if one or more parameters / characteristics are not associated with the criteria of the rules matched by the filtered packets, and / or if the filtered packets are captured and the values of one or more parameters / characteristics of the additional columns are to be extracted later (if necessary), the values of one or more parameters / characteristics corresponding to the additional columns may not be extracted from the filtered packets that are the result of the filtering rules associated with cyber threats with low threat level values. The parameters / characteristics associated with the additional columns include one or more of the threat indicators described herein and / or other threat indicators or parameters / characteristics related to the packets.

[0039] Each cell in the 「Flow_id」 column may hold a value that identifies the flow associated with the filtered packets corresponding to the row containing that cell. For convenience, an arbitrarily selected Flow_id value is shown in Figure 4 in the form of 「flow *」. For example, the Flow_id value is used to identify the captured packets of the flow that constitutes the filtered packets. Also, or alternatively, the Flow_id value can be used to cross-reference (and / or generate) individual packet logs directed to one or more specific flows. Each cell in the 「PcapId」 column may hold a value indicating that the filtered packets corresponding to the row containing that cell (and / or the flow containing that filtered packet) have not been captured, or a value indicating a file or other reference for obtaining the capture of the filtered packets (and / or the flow containing that filtered packet). In the examples from Figure 4 to 5, the value 0 is used to indicate that the packets have not been captured, and the display of packet capture is shown as an arbitrarily selected value in the form of 「cap *」.

[0040] Returning to FIG. 3A, after receiving packet filtering output data (packet logs and / or captured packets) from PSG110.1 at event 315, system 130 can store the received packet filtering output data in database 131 (event 316). If the packet log is stored as part of event 316, the packet log can be appended to or otherwise combined with packet logs from other PSGs 110. Events 321 through 328 are each similar to events 309 through 316, but are performed with respect to packet communication between host 120.n of PSG110.n and network 105.n and an external host. Similar events can occur for other hosts 120 and PSGs 110 of the first network 105. In FIG. 3A, events related to PSG110.n that occur after events related to events associated with PSG110.1 are shown, but this is for convenience and to avoid making FIG. 3A difficult to understand. In particular, events associated with PSG110.1 may be temporally intermixed with events associated with PSG110.n and / or similar events associated with other PSGs 110. Further, after sending packet logs and / or captured packets to system 130 (e.g., as shown in events 315 and 327), PSG110 can continue to receive and filter packet communication based on filtering rules provided by system 130. Similarly, system 130 can continue to receive CTI data, generate and / or update filtering rules based on CTIs within the CTI data, and send those filtering rules to PSG110 for application to packet communication.

[0041] At event 341, system 130 can receive CTI data from CTI provider 135.1. That CTI data can include CTI300.1 related to a first cyber threat addressed by previous CTI300.1 T1 and may include CTI300.1 T2 For example, CTI300.1 T2reflects the knowledge of CTI provider 135.1 at time T2 after time T1 and indicates additional NTI and / or modified NTI that can be used to detect packet communications related to the first cyber threat. Additionally, or alternatively, CTI 300.1 T2 may 、 also include other information regarding the first cyber threat. For example, CTI 300.1 T2 includes information regarding an increase or decrease in the threat level related to the first cyber threat (and / or information indicating that the threat level needs to be changed (e.g., to system 130)), and may include additional information and / or modified information regarding the nature of the first cyber threat. In the examples of FIGS. 3A and 3B, CTI 300.1 T2 and CTI 300.1 T1 are received from the same CTI provider (CTI provider 135.1), but this is not necessarily the case. For example, the CTI data constituting CTI 300.1 T2 may be received from CTI provider 135.n, may be received from another CTI provider 135 different from CTI provider 135.1, and / or may be internally generated by system 130.

[0042] In event 342 after event 341 (FIG. 3B), system 130 determines that CTI 300.1 T2 and CTI 300.1 T1 are related (or likely to be related) to the same cyber threat. The determination of event 342 is based on, for example, determining that the cyber threat identifier included in (or associated with) CTI 300.1 T2 is the same as the cyber threat identifier included in (or associated with) CTI 300.1 T1 . Another example of the determination method for event 342 (e.g., when there is no cyber threat identifier in either or both of CTI 300.1 T1 and CTI 300.1 T2 , CTIP 135.1 is CTI 300.1 T1and CTI300.1 T2 If it is not recognized that they are related to the same cyber threat, CTI300.1 T1 and CTI300.1 T2 If they are received from sources using different cyber threat identifiers (such as), it will be described below in relation to Figure 6E. CTI300.1 T2 and CTI300.1 T1 The determination of whether CTI300.1 is related to the same cyber threat may not always be certain. For example, the determination of Event 342 includes the determination that CTI300.1 T2 and CTI300.1 T1 are likely to be related to the same cyber threat. Therefore, CTI300.1 T2 The criteria based on may be useful when applied to the packet logs and / or packet captures associated with CTI300.1 T1 However, it may not have reached the final conclusion that CTI300.1 T2 and CTI300.1 T1 are related to the same cyber threat. The system 130, for example, CTI300.1 T2 and CTI300.1 T1 It is determined that they are likely to be related to the same cyber threat, but CTI300.1 T2 It may also be determined that there is one or more previous instances of CTI that are likely to be related to the same cyber threat as. In such a situation, as will be described in more detail below, the system 130, CTI300.1 T2 Regarding CTI300.1 T1 The same procedure as described below regarding can be performed for each of the multiple instances of the previous CTI that may be related to the same cyber threat as CTI300.1 T2 and CTI300.1 T2 for.

[0043] In Event 343, the system 103, CTI300.1 T1 Regarding CTI300.1 T2By determining the changes, updated criteria for responding to the first cyber threat can be determined. The updated criteria include, for example, CTI300.1 T1 one or more changes to one or more NTIs indicated by (e.g., a change in the value of the NTI indicated by CTI300.1 T1 , an omission of one or more NTIs indicated by CTI300.1 T1 ) and / or information regarding one or more new NTIs (e.g., the value of a parameter / characteristic for which there was no corresponding NTI indicated by CTI300.1 T1 ). The determination of Event 343 may include a determination that the threat level of the first cyber threat has increased or decreased, that there has been a change in the nature of the first cyber threat (and / or that there is new information regarding it), that there has been a change in the type of business entity or other organization targeted by the first cyber threat (and / or that there is new information regarding it), and / or that there is other new information and / or changed information regarding the first cyber threat. When CTIs regarding the same cyber threat are received from multiple providers 135, the presence of CTIs from multiple providers regarding the same cyber threat is noteworthy and can serve as a basis for performing one or more actions (such as changing the trust level associated with the cyber threat, triggering the analysis of other cyber threats from multiple providers, etc.).

[0044] In Event 344, the system 130 can obtain, from the database 131, previously saved packet logs and captured packets associated with packet filtering rules, based on CTI300.1 T1 . Event 344 is a subset of the packet logs received by the system 130 in Event 315 and / or 327 (and / or received by the system 130 from other PSGs 110 and / or received at other times), and includes the identifier of the first cyber threat (if present) and / or CTI300.1 T1It may include identifying a packet log containing an identifier of a filtering rule based on it, and obtaining a subset of the identified packet log. Event 344 may include identifying captured packets associated with the identified packet log as a subset of the captured packets received by system 130 at event 315 and / or 327 (and / or received by system 130 from other PSGs 110, and / or received at other times), and obtaining a subset of the identified captured packets. In the case of log data such as exemplary log 401, this includes CTI 300.1 T1 Identifying and obtaining rows having Rule_id values corresponding to filtering rules previously generated based on it, and packet captures associated with those rows are included.

[0045] In event 345, system 130 may analyze the obtained packet log and / or captured packets by applying the updated criteria determined in event 343 to the packet log and / or packets previously identified as being related to (or potentially related to) a first cyber threat. The updated criteria include information for collating the new NTI and / or modified NTI determined in event 343, and / or CTI 300.1 T2Other criteria that have been changed or added may be included. For a non-limiting example of the analysis in step 345, it will be described in connection with FIGS. 5A through 5D. Packet logs and / or captured packets related to (or potentially related to) a particular cyber threat are a very small portion of the total amount of stored packet logs and packets. Instead of the entire set of stored packet logs and captured packets associated with all cyber threats, applying criteria that include information to match new NTI and / or changed NTI (and other criteria) to a very small portion of the stored data that is highly likely to be relevant makes it more efficient and highly likely to quickly detect previous impacts of cyber threats. After applying criteria that include information to match new and / or changed NTI (and / or other criteria) to a reduced data set related to a first cyber threat, as described below, the relevant portion of that reduced data set is further narrowed down. This can shorten the time required to detect and quantify the impact of the first cyber threat, and make it easier to identify the hosts affected by the first cyber threat and / or take targeted actions.

[0046] FIG. 5A shows an example of composite log data 501 that may be obtained by system 130 in step 344 and includes packet logs. The composite log data may include packet logs received from multiple PSGs 110. In the examples of FIGS. 3A and 3B, the first cyber threat is associated with the Rule_id value r002. The composite log data 501 may include all packet logs that include the Rule_id value r002 and that have been stored by system 130 (e.g., events 313 and 328). The composite log data 501 may be significantly reduced in size (e.g., orders of magnitude smaller) compared to all the packet logs stored in database 131. By applying the updated criteria for the first cyber threat (based on CTI300.1 T2 and not applying the updated criteria to other log data), the analysis and detection of the first cyber threat is significantly streamlined.

[0047] As a first example of how the updated criteria are applied to the composite log data 501, the previous CTI 300.1 T1 The NTI indicated by may have been composed of a range of source addresses including IP3, IP23, and IP33 and a range of destination addresses including IP4 and IP24. A later CTI 300.1 T2 then 、 These NTIs can be narrowed down to a specific source address IP23 and a specific destination address IP4. When criteria based on the narrowed-down source and destination address NTIs are applied to the composite log data 501, the system 130 can confirm that rows (and corresponding filtered packets) that match the updated criteria (e.g., rows a, j, and o including source address IP23 and destination address IP4) are likely related to a first cyber threat. Similarly, the system 130 determines that rows (and corresponding filtered packets) that do not match the updated criteria (e.g., rows not including source address IP23 and destination address IP4) are unrelated (or less likely to be related) to the first cyber threat and / or ignores and / or designates such rows (and corresponding filtered packets) as having low relevance.

[0048] As a second example of how the updated criteria are applied to the composite log data 501, CTI 300.1 T1 may not mention anything regarding the temporal indication related to the first cyber threat. CTI 300.1 T2It includes new information indicating that a first cyber threat is a type of malware that has been observed to be sending beacons to a command-and-control server during a specific time period. Further, a new NTI is shown that specifies that packet communications related to the first cyber threat occur between 10:00 PM and 2:00 AM. When the criteria based on the new NTI are applied to the composite log data 501, the system 130 can confirm that the rows (and corresponding filtered packets) that match the updated criteria (e.g., rows a-e, p, and q at times from 10:00 PM to 2:00 AM) are likely related to the first cyber threat. Similarly, the system 130 determines that rows (and corresponding filtered packets) that do not match the updated criteria (e.g., rows that do not include the time from 10:00 PM to 2:00 AM) are unrelated (or less likely to be related) to the first cyber threat and either ignores such rows (and corresponding filtered packets) and / or makes a determination to designate them as having low relevance.

[0049] As a third example of how the updated criteria are applied to the composite log data 501, CTI300.1 T2may include new information indicating that a first cyber threat has been observed in relation to a particular type of business. Network 105.1 is operated by that type of business, while network 105.n is operated by an unrelated type of business. The new information (the type of business related to the cyber threat) can be used to change (or create) filtering rules for those types of business (e.g., by including updated criteria configured to match the PSG_id value associated with network 105.1). When the updated criteria are applied to the composite log data 501, the system 130 can confirm that rows (and corresponding filtered packets) that match the updated criteria (e.g., rows b, f, h, j, k, m, and o that make up the PSG_id value associated with network 105.1) are likely related to the first cyber threat. The system 130 can similarly determine that rows (and corresponding filtered packets) that do not match the updated criteria (e.g., rows that do not include the PSG_id value associated with network 105.1) are unrelated (or less likely to be related) to the first cyber threat and either ignore such rows (and corresponding filtered packets) and / or make a determination to designate them as having low relevance.

[0050] Packet logs related to (or potentially related to) the first cyber threat, when first created during filtering, were not shown in the previous CTI300.1 T1 but are shown in later CTI300.1 T2One or more fields corresponding to one or more NTIs shown in may have missing values. As part of the passive / background update process, system 130 can input one or more of those fields based on the captured packets corresponding to those packet logs. For example, system 130 has additional processing resources that can be used for such purposes, thereby freeing up the resources of PSG110 for filtering operations. However, if there is no such passive / background update process, or if there is no time for such a process to complete at step 345, the packet logs identified as related to (or potentially related to) the first cyber threat (e.g., based on the Rule_id value r002) do not include the previous CTI300.1 T1 but are shown in later CTI300.1 T2 One or more fields corresponding to one or more NTIs shown in may have missing values. In such a situation, as part of applying the updated criteria based on later CTI300.1 T2 to the packet logs and / or packets previously identified as related to (or potentially related to) the first cyber threat, system 130 examines the captured packets to obtain data for one or more unpopulated packet log data fields corresponding to one or more NTIs that can be matched by the updated criteria, and by adding the data obtained from the captured packets to the previously unpopulated fields of the packet logs corresponding to those captured packets, those packet logs can be modified. The updated criteria can be applied to the modified packet logs. As a first example of a situation in which the updated criteria can be used in this way, a single IP address is associated with multiple domain names. One or more of these domain names may be associated with malicious activity, while one or more of the others may be harmless. As described in the example above, the previous CTI300.1 T1The NTI indicated by could have been composed of a range of source addresses including IP3, IP23, and IP33, and a range of destination addresses including IP4 and IP24. However, CTI300.1 T1 might not have included information about domains related to the first cyber threat. Later CTI300.1 T2 shows NTI that specifies, in addition to the NTI that designates the ranges of source and destination addresses, the domain names "www.ndgfare3.com" and "www.kxoidcxe.com" associated with the first cyber threat. CTI300.1 T1 due to the low threat level associated with , and / or T1 due to the absence of information about the related domain names in CTI300.1

[0051] Figure 5B shows an example of composite log data 502 that may be obtained by system 130 in step 344, and is further modified to complete fields in one of the additional columns corresponding to the domain name (DN) based on an inspection of the captured packets (e.g., filtered packets and / or packets of a flow that includes filtered packets). CTI300.1 T2When the updated criteria, which include the new NTI shown by [[ID=]], are applied to the changed packet log, System 130 can confirm that the lines (and corresponding filtered packets) that match the updated criteria (for example, lines a, f, h, j - m, and o that include either the domain name "www.ndgfare3.com" or "www.kxoidcxe.com") are likely related to a first cyber threat. Similarly, System 130 determines that lines (and corresponding filtered packets) that do not match the updated criteria (for example, lines that do not include either the domain name "www.ndgfare3.com" or "www.kxoidcxe.com") are unrelated (or less likely to be related) to the first cyber threat and decides to ignore such lines (and corresponding filtered packets) or mark them as having low relevance.

[0052] As another example of a situation where the data of packets captured when applying updated criteria can be used, certain types of malware may intentionally introduce errors into packet fields associated with and / or required by a particular protocol. Such malware is designed, for example, to interfere with detection methods focused on a particular protocol and / or to be deceptive when the protocol is "broken". CTI300.1 T1 may not 、 include information about protocol errors related to the first cyber threat. However, CTI300.1 T2 may indicate one or more NTIs based on syntax errors in Protocol B. CTI300.1 T1 the associated threat level is low, and / or CTI300.1 T1Since there is no information regarding protocol errors, filtering rule r002 may not be configured to check whether such errors are absent in the packets filtered by PSG110 or to include the indication of such errors in the packet logs of packets that match one or more criteria of filtering rule r002. However, since these packets are captured, the information can be extracted from these packets and added to their respective corresponding packet logs.

[0053] Figure 5C shows an example of composite log data 503 that may be obtained by system 130 in step 344, which has been modified to complete fields in one of the additional columns corresponding to protocol errors based on the inspection of captured packets (e.g., filtered packets and / or packets of a flow that includes filtered packets). CTI300.1 T2 When the updated criteria, including the new NTI indicated by T2 , are applied to the modified packet logs, system 130 can confirm that the rows (and corresponding filtered packets) that match the updated criteria (e.g., rows a, f, g, j, l, and m that include "B" in the "Prot." field and "syntax error" in the "Protocol Error" field) are likely to be related to the first cyber threat. Similarly, system 130 determines that the rows (and corresponding filtered packets) that do not match the updated criteria (e.g., rows that do not include both "B" in the "Prot." field and "syntax error" in the "Protocol Error" field) are unrelated (or less likely to be related) to the first cyber threat and may ignore such rows (and corresponding filtered packets) and / or determine that they are of low relevance.

[0054] As a further example of a situation where the data of packets captured when applying the updated criteria may be used, certain types of cyber threats may be associated with authentication certificates signed by a particular certificate authority. CTI300.1 T1 T1 may not mention anything about the details of the authentication certificate that may be related to the first cyber threat. However, CTI300.1 T2 T2 may contain information regarding the association between the first cyber threat and the use of a particular certificate signing authority ("dodgycertauth.com"). CTI300.1 T1 Due to the low threat level associated with T1 and / or CTI300.1 T1 not having information about the authentication certificate, the filtering rule r002 may not be configured for PSG110 to examine the certificate information in the filtered packets or to include the certificate information in the packet logs of the packets that match one or more criteria of the filtering rule r002. However, since these packets are captured, the information can be extracted from these packets and added to their respective corresponding packet logs.

[0055] FIG. 5D shows an example of composite log data 504 that may be obtained by the system 130 in step 344, and is further modified to complete the fields in one of the additional columns corresponding to the certificate signing authority based on an examination of the captured packets (e.g., filtered packets and / or packets of a flow that includes filtered packets). CTI300.1 T2When the updated criteria that include the new NTI shown by [[ID=]] are applied to the changed packet log, the system 130 can confirm that the lines (and corresponding filtered packets) that match the updated criteria (for example, lines c, g, k, and n that include "dodgycertauth.com" in the "CA" field) are likely related to the first cyber threat. Similarly, the system 130 determines that the lines (and corresponding filtered packets) that do not match the updated criteria (for example, lines that do not include "dodgycertauth.com" in the "CA" field) are unrelated (or less likely to be related) to the first cyber threat, and / or ignores such lines (and corresponding filtered packets), and / or determines that they are designated as having low relevance.

[0056] The above example is just a part of many ways in which subsequent CTI for a particular cyber threat may differ from previous CTI for the same threat, and those differences can be used to process packet filtering output data (such as packet logs and / or captured packets) collected based on the previous CTI. Generally, the criteria updated based on subsequent CTI can be used to narrow down and analyze the packet filtering output data collected and / or generated based on the previous CTI. The updated criteria include information that matches the new NTI shown by the subsequent CTI that was not included in the previous CTI, information that matches the change in the value of the NTI shown by the subsequent CTI compared to the value of the NTI shown by the previous CTI, information that matches the omission of the NTI shown by the previous CTI, and / or other information.

[0057] Furthermore, or alternatively, packet filtering output data collected and / or generated based on previous CTI-based criteria can be further analyzed based on new (or modified) criteria based on subsequent CTI that do not indicate changes or additions to the NTI. For example, in previous CTI of a cyber threat, some basic NTIs (such as one or more source addresses and destination addresses) may be indicated, and it may also be shown that the cyber threat is associated with a low threat level, but otherwise it is hardly included. Based on the previous CTI, filtering rules can be generated and sent to the PSG110. With this filtering rule, the PSG110 logs the source address and destination address of the filtered packets that match the criteria of the filtering rule, as well as the source port and destination port, and captures the packets, but does not log other information of those packets. Subsequent CTI of the cyber threat may show the same threat indicator values, but the threat level of the cyber threat may increase. In response to the increase in the threat level, the packet logs and captured packets generated based on the previous CTI are obtained, the captured packets are inspected, and information for completing additional fields of the obtained packet logs is obtained. The completed additional fields can then be subject to one or more additional analyses as described below.

[0058] Returning to FIG. 3B, in event 346, based on the analysis of step 345, system 130 can flag and / or update a portion of the saved packet log (and / or additional flagging / updating can be done during event 346). For example, for each packet communication determined to be corresponding to (or likely to correspond to) a cyber threat (e.g., the packet communications corresponding to lines a, j, and o in the first example of FIG. 5A, the packet communications corresponding to lines a - e, p, and q in the second example of FIG. 5A, the packet communications corresponding to lines b, f, h, j, k, m, and o in the third example of FIG. 5A, the packet communications corresponding to lines a, f, h, j - m, and o in the example of FIG. 5B, the packet communications corresponding to lines a, f, g, j, l, and m in the example of FIG. 5C, the packet communications corresponding to lines c, g, k, and n in the example of FIG. 5D), system 130 can replace a portion of the previously saved packet log with a modified packet log corresponding to those communications and with additional fields completed based on packet inspection. Also, or alternatively, system 130 can set a flag on the modified packet log (and / or the previously saved version of those packet logs) to indicate that those packet logs correspond to communications determined to be related to a first cyber threat. Such a flag can, for example, enable more rapid and efficient analysis of those portions of the logs when a subsequent CTI (such as one indicating updated criteria) is received for the first cyber threat. Also, or alternatively, as part of the update in event 346, system 130 can set a different flag on the packet log (e.g., the previously saved packet log and / or the modified packet log) corresponding to communications determined not to correspond to the first cyber threat (e.g., the packet communications corresponding to lines in FIGS. 5A - 5D that did not match the updated criteria). These different flags are used, for example, to indicate that a portion of the saved log with these different flags should be deleted or retained for a shorter period than the updated log portions determined to correspond to cyber threats.

[0059] In event 347, system 130 can further analyze the packet logs and / or other data obtained from the analysis of event 345. This further analysis can include searching for commonalities within the packet logs corresponding to communications that have been identified as corresponding to a first cyber threat. For example, during the analysis of event 345, values based on the inspection of the captured packets may have been entered into fields of additional columns of those packet logs, and some of those additional columns may not correspond to NTI that is known to be related to the first cyber threat. If a common value is displayed in most of the fields of any of the additional columns, that common value may be an NTI that can be used to improve the filtering rules associated with the first cyber threat. As another example, the time values of the packet logs corresponding to communications that have been identified as corresponding to a first cyber threat may be analyzed. If these time values are limited to a regular time window, that time window can be used to create a new NTI or narrow the time range of an existing NTI.

[0060] Also, or alternatively, the analysis of event 347 can include the analysis of other saved packet logs and / or saved packet captures that may not have previously been identified as potentially related to the first cyber threat (e.g., logs that do not include the Rule_id value r002). For example, CTI300.1 T2It includes new information indicating that the first cyber threat is associated with malware that follows a specific pattern of sending a first packet (or a series of packets) to a harmless website (such as "www.google.com") to confirm that Internet access is available, sending a second packet to a random address in a specific country to confirm that Internet access to that country is available, and sending a third packet to a command and control server associated with malware in that specific country. For communications where it is confirmed that the first cyber threat is addressed in Event 345, the host 120 associated with those communications is identified, and additional packet logs and / or packet captures associated with those hosts 120 (for example, within the time range corresponding to the three steps executed by the malware) are obtained. If there are additional logs and / or packet captures associated with these hosts 120 but not including Rule_id r002, and those logs and / or packet captures show activities associated with any of the three steps executed by the malware, additional confirmation of the first cyber threat or additional information about the first cyber threat can be obtained. As an additional example of the analysis of other saved packet logs and / or packet captures that may not have been previously associated with the first cyber threat, packet communications are logged multiple times if they match the criteria of multiple packet filtering rules (for example, there may be multiple logs for one packet, and each of those logs corresponds to the filtering of that packet based on different filtering rules). For example, the first filtering rule filters based on the source and destination addresses, and the second filtering rule filters based on the domain name and time. If it is confirmed that packet communications correspond to a cyber threat based on a match with the first filtering rule, packet logs corresponding to the match of that packet communication with other filtering rules can be retrieved from the saved packet logs.For example, a stored packet log can be searched to find other packet communications that occurred around the same time and have the same source and destination addresses. Based on the packet log that matches the same packet communication to a second filtering rule, additional NTI and / or other criteria associated with the second filtering rule, and / or other intelligence associated with the second filtering rule, are added to or combined with the criteria and intelligence associated with the first filtering rule.

[0061] In event 348, system 130 can flag and / or update (and / or can flag / update additionally during event 347) a portion of the stored packet log based on the analysis of event 347. The flagging and / or updating in event 348 is similar to the flagging and / or updating in event 346, but further includes flagging portions of the packet log that were not previously associated with the first cyber threat as being associated with the first cyber threat.

[0062] In addition to one or more outputs from events 346 to 348 that cause updates and / or flagging of data in database 131, system 130 can generate and / or cause one or more other types of outputs (e.g., event 349) based on the analysis of event 345 and / or event 347. Such outputs can include, for example, the detection and / or monitoring of cyber threats, the prevention and / or mitigation of damage caused by cyber threats, and / or the output of a display on a cyber analyst, system administrator, or other person involved in the remediation of cyber threats. Such a display can provide details, for example, of packet communications that have been confirmed to be affected (or likely to be affected) by a particular cyber threat, and / or packet communications that have been confirmed to be related to a particular cyber threat, hosts and / or other devices related to a particular threat within network 105 and / or that need to be isolated and / or quarantined, and / or other details regarding the cyber threat and / or the host or other device that has been affected. As shown in events 351 to 354, system 130 can modify and / or create filtering rules and generate and / or output for subsequent application by PSG 110 based on the analysis of event 345 and / or event 347. For example, CTI 300.1 T2 New or modified criteria based on, and / or criteria determined based on the analysis of event 345 and / or 347, are added to the filtering rules associated with the first cyber threat in event 351. As another example, new information within CTI 300.1 T2 or new information from the analysis within events 345 and / or 347 can cause the threat level associated with the first cyber threat to escalate, and event 351 can include outputting an instruction (e.g., an instruction to rule module 203) to change the operator within the filtering rule from "allow" to "block".

[0063] In the above example, a single instance of a previous CTI (CTI300.1 T1 ) was identified as being related to the same cyber threat (the first cyber threat) as the cyber threat associated with a later instance of CTI (CTI300.1 T2 ). However, as previously mentioned, it can be identified that multiple instances of a previous CTI may be related to the same cyber threat as the cyber threat associated with an instance of a later CTI. For example, in addition to CTI300.1 T1 , system 130 can identify CTI300.2 T2 received from (or internally generated by system 130) various other CTIPs that are potentially related to the first cyber threat and were received prior to CTI300.1 Ta , CTI300.3 Tb ,... CTI300.n Tn , etc. Based on the identification of multiple instances of a previous CTI, steps 342 through 354 are performed for each identified instance of the previous CTI with respect to the later CTI300.1 T2 . In particular, system 130 performs steps 342 through 354 for CTI300.1 T1 with respect to CTI300.1 T2 (as already described above), performs steps 342 through 354 for CTI300.2 Ta with respect to CTI300.1 T2 , performs steps 342 through 354 for CTI300.3 Tb with respect to CTI300. T2 ,... and performs steps 342 through 354 for CTI300.n Tn with respect to CTI300.1 T2 .

[0064] Figures 6A through 6F are flowcharts of exemplary methods for detecting and / or analyzing cyber threats based on new / updated CTI and / or based on updated criteria associated with the new / updated CTI. One, some, or all of the steps of the exemplary methods of FIGS. 6A through 6F may be performed by system 130 and / or by a combination of one or more computing devices configured to perform some or all of the operations and / or functions of system 130. For convenience, FIGS. 6A through 6F are described below in relation to system 130. Additionally, or alternatively, one, several, or all of the steps of the exemplary methods of FIGS. 6A through 6F may be performed by one or more other computing devices. One or more of the steps of the exemplary methods of FIGS. 6A through 6F may be rearranged (e.g., performed in a different order), combined, omitted, and / or otherwise changed, and / or additional other steps may be performed.

[0065] In step 601, system 130 determines whether new CTI (e.g., new CTI data) has been received from a CTI provider (e.g., one or more CTI providers 135) or another source, or has been generated internally. If No, step 601 is repeated until new CTI is received. If Yes, system 130 executes step 602. In step 602, system 130 determines whether there are one or more instances of previous CTI that may be related to the cyber threat associated with the new CTI. For convenience, the cyber threat associated with the new CTI is hereinafter referred to as the "new CTI cyber threat". Additional details of step 602 are described in connection with FIG. 6E. If system 130 cannot identify at least one instance of previous CTI in step 602, step 604 is executed. In step 604, system 130 can transfer the new CTI to rule module 203 (as described, for example, in connection with event 305 of FIG. 3A) to generate one or more filtering rules. After executing step 604, the system can repeat step 601 (indicated by connector AA).

[0066] In step 602, if system 130 determines at least one previous instance of CTI related to a new CTI cyber threat, step 605 is executed. In step 605, system 130 can select a previous CTI from one or more instances of the previous CTI determined in step 602. If system 130 determines multiple instances of the previous CTI in step 602, those determined previous instances (or pointers to those determined previous instances) are placed in a queue, and step 605 may include selecting the previous CTI of the next instance in the queue. If only a single previous CTI instance is determined in step 602, step 605 may include selecting that single previous CTI. As part of step 605, system 130 can also obtain the selected previous CTI (for example, obtain the NTI and other data indicated by the selected previous CTI). In step 606, system 130 determines whether there is a difference between the new CTI and the selected previous CTI. Event 343 in Figure 3B may include an example of step 606. If system 130 determines in step 607 that no difference was determined in step 606, system 130 can proceed to step 610. In step 610, system 130 can determine whether there are additional previous CTI instances that were determined in step 602 but have not yet been selected. If yes, system 130 returns to step 605 (indicated by connector FF). If no, system 130 returns to step 601 (indicated by connector AA). If system 130 determines in step 607 that a difference was determined in step 606, system 130 can proceed to step 608. In step 608, system 130 can obtain packet filtering output data (for example, packet logs and / or captured packets) associated with the selected previous CTI (for example, packet logs and / or captured packets generated based on packet filtering rules associated with the selected previous CTI).Event 344 of FIG. 3B may include an example of step 608. As part of step 608, system 130 can generate composite log data (such as composite log data 501, 502, 503, or 504 before adding data from the captured packets).

[0067] In step 614, system 130 determines whether the difference determined in step 606 indicates that the packet filtering criteria based on the selected previous CTI need to be updated based on the new CTI (for example, whether one or more values of the NTI need to be changed, whether one or more NTIs need to be added, whether one or more NTIs are no longer applicable, etc.). If No, system 130 executes step 628 (shown by connector BB in FIG. 6C) (described below). If Yes, system 130 executes step 615 (shown by connector CC in FIG. 6B). In step 615, system 130 can determine whether all the information required to apply the updated criteria is already included in the composite log data generated in step 608. For example, system 130 can determine whether there are non-null values in all the corresponding fields of the packet logs in the composite log data for all the NTIs whose values are provided by the new CTI. If Yes, system 130 executes step 620 (described below). If No (for example, if there is at least one new or changed NTI that cannot be evaluated based on the information in the composite log data generated in step 608), system 130 can execute step 616. Examples of scenarios corresponding to the "Yes" branch from step 615 are described above in connection with FIG. 5A. Examples of scenarios corresponding to the "No" branch from step 615 are described above in connection with FIGS. 5B, 5C, and 5D.

[0068] In step 616, system 130 determines whether the packet captured in step 608 has been acquired. If No (for example, if the previously selected CTI-based packet filtering rule did not instruct PSG 110 to capture the packet), system 130 executes step 620. If Yes, system 130 executes step 617. In step 617, system 130 can examine the acquired captured packet to check the values of parameters / characteristics corresponding to a new NTI or a modified NTI associated with the new CTI. In step 618, system 130 determines whether it can extract the values of the parameters / characteristics corresponding to the new NTI or the modified NTI from the acquired captured packet. If No (for example, if all of the new NTI or the modified NTI is associated with a portion of the acquired captured packet that is inaccessible for encryption), system 130 can execute step 620 (described below). If Yes (for example, if at least one value of at least one parameter / characteristic corresponding to the new or modified NTI is accessible from the acquired captured packet), system 130 can execute step 619. In step 619, system 130 extracts the values of the parameters / characteristics corresponding to the new NTI and / or the modified NTI from the captured packet and adds those values to the composite log data generated in step 608 (as a result, composite log data as shown in FIGS. 5A to 5D is generated). Based on step 619, or based on the "Yes" determination in step 615, or the "No" determination in either step 616 or 618, system 130 can execute step 620.

[0069] In step 620, system 130 can apply the updated criteria (e.g., information that matches the new NTI and / or the changed NTI) based on the new CTI to the composite log data, and thereby apply that updated criteria to the packet logs previously collected based on the selected previous CTI (e.g., the packet logs obtained in step 608) and the captured packets (e.g., information from the captured packets obtained in step 608 and added to the composite log data). As part of step 620, system 130 can determine packet communications that match (or do not match) the updated criteria (e.g., whether they match or do not match the new NTI and / or the changed NTI) within the composite log data (as described, for example, in connection with the examples of FIGS. 5A - 5D). If any of the updated criteria correspond to packet log fields from which values could not be extracted from the captured packets (e.g., if it was determined "No" in step 618), or if there are no captured packets (e.g., if it was determined "No" in step 616), system 130 determines that the updated criteria are indeterminate with respect to those packet logs (and corresponding packets) and, accordingly, sets a flag on those packet logs. Such a flag indicates, for example, that system 130 has not yet been able to confirm that those logs (and corresponding packets) are associated with a new CTI cyber threat, or that it cannot determine that those logs are not associated with a new CTI cyber threat.

[0070] In step 621, based on the matches and / or mismatches determined in step 620, system 130 updates the packet logs stored in database 131. Such updates may include, for example, flagging or otherwise marking portions of the packet logs that have been confirmed to be related to a new CTI cyber threat, portions of the packet logs that have been determined not to be related to a new CTI cyber threat, and / or portions of the packet logs that were indeterminate in the analysis, or updating the stored packet logs to include additional information added from the captured packets. As part of step 621, system 130 can also set flags and / or markings for the captured packets based on the matches and / or mismatches determined in step 620, or alternatively set them. These flags / markings indicate captured packets that have been confirmed to be related to a new CTI cyber threat, captured packets that have been determined not to be related to a new CTI cyber threat, and / or captured packets that were indeterminate in the analysis of step 620.

[0071] In step 622 (shown as connector DD in FIG. 6C), the system 130 can determine whether the new CTI indicates that the threat level associated with the new CTI cyber threat has increased (and / or whether the data generated based on the new CTI indicates it). If the answer is no, the system 130 executes step 634 (described below). If the answer is yes, the system 130 executes step 623. In step 623, the system 130 needs to extract values from the captured packets (if possible) and can determine whether there are additional parameters / characteristics not yet included in the composite log data. For example, when the threat level associated with the cyber threat reaches a threshold level, it may be appropriate to analyze a set of predetermined parameters / characteristics regardless of whether any of those parameters / characteristics are associated with a new NTI or a modified NTI within the new CTI. The set of predetermined parameters / characteristics may include one or more of the parameters / characteristics described herein. There may be multiple sets of predetermined parameters / characteristics corresponding to multiple thresholds. For example, a first set of predetermined parameters / characteristics corresponds to a first threshold and a first threat level, a second set of predetermined parameters / characteristics includes additional parameters / characteristics in addition to all the parameters / characteristics of the first set, corresponds to a second threshold (higher than the first threshold) and a second threat level (higher than the first threat level), a third set of predetermined parameters / characteristics includes additional parameters / characteristics in addition to all the parameters / characteristics of the second set, corresponds to a third threshold (higher than the second threshold) and a third threat level (higher than the second threat level), and so on.

[0072] If the system 130 determines in step 623 that there are no additional parameters / characteristics that need to be extracted from the captured packets, the system 130 can execute step 634. If the system 130 determines in step 623 that there are additional threat indicator values that need to be extracted from the captured packets because they are not yet included in the composite log data, it can execute step 624. In step 624, similar to step 617, the system 130 can examine the values of the additional parameters / characteristics in the acquired captured packets. In step 625, similar to step 618, the system 130 determines whether it was able to extract the value of any of these parameters / characteristics from the captured packets. If the answer is No (for example, if all of the additional parameters / characteristics are related to parts of the captured packets that are inaccessible for encryption), the system can execute step 634. If the answer is Yes (for example, if at least one of the additional parameters / characteristics is related to one or more parts of one or more of the accessible captured packets), the system 130 can execute step 626. In step 626, similar to step 619, the system 130 can extract the values corresponding to the additional parameters / characteristics from the captured packets and add those values to the composite log data.

[0073] As shown in FIG. 6A, if the system 130 determines at step 614 that there is no updated criterion based on the new CTI, the system 130 can perform step 628 similar to step 622. If the determination at step 628 is "No", the system 130 can perform step 634. If the determination at step 628 is "Yes", the system 130 can perform step 629 similar to step 623. If the determination at step 629 is "No", the system 130 can perform step 634. If the determination at step 629 is "Yes", the system 130 can perform step 630 similar to step 616. If the determination at step 630 is "No", the system 130 can perform step 634. If the determination at step 630 is "Yes", the system 130 can perform step 631 similar to step 617 and / or step 624. Based on step 631, the system 130 can perform step 632 similar to step 618 and step 625. If the determination at step 632 is "No", the system 130 can perform step 634. If the determination at step 632 is "Yes", the system 130 can perform step 633 similar to step 626 and / or step 619.

[0074] Based on step 626 or step 633, or based on a "No" determination in any of steps 622, 623, 625, 628, 629, 630, or 632, system 130 can execute step 634. In step 634, system 130 can further analyze the composite log data. In the analysis of step 634, as described in connection with event 347 in FIG. 3B, system 130 can search for common points within the composite log data. For example, values based on the inspection of captured packets are input into the fields of additional columns of the composite log data (e.g., step 619 and / or step 626, or step 633), and some of those additional columns may not correspond to the NTI indicated by a selected previous CTI or a new CTI. If a common value is displayed in most of the fields of any of the additional columns, that common value can be a new NTI that can be used to improve the filtering rules associated with the cyber threats of the new CTI. As another example, time values can be analyzed. If at least some of these time values are limited to a regular time window, that time window can be used to either be used as a new NTI or narrow the time range of an existing NTI.

[0075] In step 635, system 130 can update database 131 based on step 634. In step 636 (shown by connector EE in FIG. 6D), system 130 can determine additional portions of the saved packet logs and / or additional captured packets that may not have been previously associated with the new CTI cyber threat. In step 637, system 130 can analyze those additional saved packet logs and / or additional captured packets. For example, as described in connection with event 347 in FIG. 3B, the additional saved packet logs and / or additional captured packets are searched for additional packet communications between hosts associated with packet communications that have been confirmed to correspond to the new CTI cyber threat (e.g., based on the new CTI), and / or additional packet communications within the time range of those confirmed communications. As another example, as described in connection with event 347 in FIG. 3B, the additional saved packet logs and / or additional captured packets are searched to find additional data indicating that the confirmed communications also match other packet filtering rules associated with cyber threats that were not previously considered to be related to the new CTI cyber threat.

[0076] In step 643, system 130 can update database 131 based on step 637. In step 644, system 130 can send a pointer to the rule module 203 for updating / modifying one or more filtering rules associated with the new CTI cyber threat and / or for generating or modifying one or more additional filtering rules, based on the results of the analysis of one or more of steps 620, 634, and / or 637, and / or based on the results of the analysis of one or more of steps 621, 635, and / or 643. In step 645, system 130 generates and / or causes one or more outputs based on the analysis of one or more of steps 620, 634, and / or 637. One or more of event 349 and / or events 351 to 354 may include examples of step 645.

[0077] As can be seen from the above, the new CTI of the cyber threat can be used to obtain updated criteria (e.g., to match a refined set of NTIs), and using it, it can be confirmed that some packet communications filtered based on the previous CTI are associated (or likely to be associated) with that cyber threat. At the same time, such updated criteria are also used to determine that other packet communications filtered based on the previous CTI are not associated (or less likely to be associated) with that cyber threat. As also explained above, the new CTI can also be used, or alternatively, to determine additional values of parameters / characteristics associated with that cyber threat, and the additional values can also be used (e.g., as new NTIs) to determine packet communications that are likely to be associated with the cyber threat. Similarly, the refined NTI and / or additional NTI learned from the new CTI can also be, or alternatively, applied to data from external devices other than PSG110 (e.g., devices not managed and / or controlled by system 130).

[0078] For example, as shown in FIG. 1, communication between host 152 of the third network 151 and a host external to the third network 151 can pass through firewall 153 without passing through PSG110. Similarly, communication between host 156 of the third network 155 and a host external to the third network 155 can pass through ISP server 157 without passing through PSG110. Firewall 153 and / or ISP server 157 are configured to store specific basic data (e.g., 5-tuple or some of its values, directionality, time) for all packets communicated through these devices. The amount of such stored data can be substantial (e.g., much more than the amount of data related to filtering by PSG110), and much of that stored data can be related to communication unrelated to cyber threats. By applying criteria based on improved NTI and / or additional NTI obtained from new CTI (and / or application of new CTI to PSG110 packet logs, and / or packet captures based on previous CTI) to the stored data of packet traffic passing through external devices such as firewall 153 and / or ISP server 157, that data can be classified based on communication likely related to cyber threats and / or communication likely not related to cyber threats. External device data determined to be likely related to cyber threats is retained (and / or retained for a longer period), and external device data determined to be likely not related to cyber threats is discarded (and / or retained for a shorter period), thereby reducing data storage requirements. Further, by applying criteria based on improved NTI and / or additional NTI obtained from new CTI (and / or obtained by applying updated CTI to PSG110 packet logs and / or packet captures based on previous CTI) to external device data, it can be determined whether the host and / or network associated with that external device has already been affected by cyber threats.

[0079] In step 646, system 130 can determine whether to analyze external device data based on the improved NTI and / or additional NTI obtained from (or based on) the new CTI. These improved NTI and / or additional NTI include NTI from selected previous CTIs that were not changed by the new CTI, new NTI and / or changed NTI from the new CTI, and / or additional NTI determined in step 634 and / or step 637. If No, system 130 performs step 651 similar to step 610. If Yes, system 130 obtains data from the external device in step 647. In step 648, system 130 can determine a first group of packet communications that are identified by the external device data and match the criteria based on the improved NTI and / or additional NTI. At the same time, system 130 can determine a second group of packet communications that are identified by the external device data and do not match the criteria based on the improved NTI and / or additional NTI. In step 649, system 130 flags the first group of packet communications as likely to be related to the new CTI cyber threat, flags the second group of packet communications as less likely to be related to the new CTI cyber threat, and can transfer data indicating the flagged and unflagged communications to one or more other computing devices to perform actions (e.g., set a longer retention time for data related to the first group of packet communications and a shorter retention time for data related to the second group of packet communications). After step 649, system 130 performs step 651.

[0080] As can be seen from FIGS. 6A, 6B, 6C, and 6D, the method of this example can be iterative. For example, the packet filtering output data (such as packet logs and captured packets) based on the first CTI for a cyber threat is updated and / or improved based on the second updated CTI for that cyber threat, and after the filtering rules for the cyber threat are updated and / or generated based on the second CTI, a third further updated CTI for that cyber threat is received. The third CTI is applied to the packet filtering output data based on the updated filtering rules and / or the previous packet filtering output data updated and / or improved based on the second CTI. Thereby, further improved and / or further updated packet filtering output data, an output based on the further improved and / or further updated packet filtering output data, new and / or further modified filtering rules based on the further improved and / or further updated packet filtering output data, etc. can be generated. This process can be repeated any number of times with additional updates of the CTI for the cyber threat.

[0081] Figure 6E shows an example of steps that may be performed as part of step 602. In step 602.1, system 130 can determine whether the new CTI includes a threat identifier associated with a new CTI cyber threat (e.g., one assigned by a CTI provider). If no, the system proceeds to step 602.4 (described below). If yes, system 130 performs step 602.2. In step 602.2, system 130 can determine whether the threat identifier included in the new CTI leads to a threat identifier associated with one or more previous CTI instances (e.g., whether it is the same, mapped, or otherwise refers to that identifier). If yes, system 130 flags those one or more previous CTI instances in step 602.3 (e.g., for inclusion in a queue of previous CTI instances where the previous CTI was selected in step 605). If no, system 130 performs step 602.4.

[0082] In step 602.4, which is executed after step 602.3, system 130 can determine whether there is a threshold amount of overlap between the NTI indicated by the new CTI and the NTI indicated by one or more previous CTI instances. System 130 can determine the overlap, for example, if the NTI indicated by the new CTI is the same as the value indicated by a previous CTI instance or is within the range specified by a previous CTI instance. The threshold amount of overlap can be quantitative. For example, the threshold may require overlap for at least a specified amount of NTI and / or for a specified percentage of the NTI indicated by the new CTI. Alternatively, or in addition, the overlap can be qualitative. For example, the threshold may require overlap of the values of certain defined NTIs (such as source address and / or destination address). If system 130 determines in step 602.4 that there is a threshold amount of overlap between the NTI of the new CTI and the NTI of one or more previous CTI instances, system 130 can flag those one or more previous CTI instances (for example, for inclusion in a queue of previous CTI instances whose previous CTI is selected in step 605) in step 602.5. If system 130 determines in step 602.4 that there is no threshold amount of overlap between the NTI of the new CTI and the NTI of one or more previous CTI instances, system 130 executes step 602.6.

[0083] In step 602.6, which is executed after step 602.5 is executed, system 130 can determine whether there is a word match between one or more fields of the new CTI (e.g., the name or description of the malware, or a field providing other descriptions of the cyber threat) and one or more similar fields of one or more previous CTI instances. If system 130 determines in step 602.6 that there is a word match between the words of the new CTI and the words of one or more previous CTI instances, system 130 can flag those one or more previous CTI instances (e.g., for inclusion in a queue of previous CTI instances where the previous CTI is selected in step 605) in step 602.7. If system 130 determines in step 602.6 that there is no word match between the words of the new CTI and the words of one or more previous CTI instances, system 130 can execute step 602.8.

[0084] In step 602.8, which is executed after step 602.7, the system 130 can determine whether there are one or more other inputs indicating that the new CTI and one or more previous CTI instances may be related to the same cyber threat. The inputs for step 602.8 can originate from the activities of a human operator (such as a cyber analyst), and / or one or more automated processes (such as those generated by the execution of instructions of one or more modules of the system 130). The inputs for step 602.8 include, for example, one or more inputs indicating the relationship of cyber threats determined from an analysis as described below. If the system 130 determines in step 602.8 that there are one or more other inputs indicating that the new CTI and previous CTI instances may be related to the same cyber threat, the system 130 can flag those one or more previous CTI instances in step 602.9 (for example, to include them in the queue of previous CTI instances where the previous CTI was selected in step 605). If the system 130 determines in step 602.8 that there are no one or more other inputs indicating that the new CTI and one or more previous CTI instances may be related to the same cyber threat, it can execute step 602.10.

[0085] In step 602.10 (which may also be executed after the execution of step 602.9), the system determines whether at least one previous CTI instance was flagged in any of steps 602.3, 602.5, 602.7, or 602.9. If the answer is No, the system 130 proceeds to step 604. If the answer is Yes, the system 130 proceeds to step 605.

[0086] As shown in the various examples above, the methods and / or systems according to the present disclosure can be used in various ways to determine whether a subsequent CTI is related to a previous CTI, determine whether a subsequent CTI is updating a previous CTI, perform one or more analyses based on the updated CTI, and / or perform one or more actions based on one or more such analyses. The present disclosure is not limited to these examples. The following is another non-limiting example of how the methods and / or systems according to the present disclosure can be used to make such determinations, perform such analyses, and / or perform actions based on such analyses.

[0087] (1) Provider P1 (e.g., Provider 135) provides a CTI (“CTI1”) to System 130 notifying that a national entity in Country C1 is threatening to launch a cyber-attack against critical infrastructure industries in a specific region of the world that includes Country C1 (“Threat 1”). The filtering rule criteria include information that matches one or more NTIs based on CTI1, including all IP address ranges associated with Country C1. PSG110 filters packets based on that rule and transfers logs and captured packets related to traffic with Country C1 to System 130. System 130 indexes those logs and captured packets and associates them with Threat 1.

[0088] (2) Provider P2 (e.g., another provider 135) provides the system 130 with CTI ("CTI2") that notifies another threat ("Threat 2") that a global distributed denial-of-service DDOS attack is actively underway against a group of ISPs and may be a politically motivated retaliation against the customers of those ISPs. The criteria for the filtering rules include information that matches one or more NTIs based on CTI2, which includes the names and server IP addresses of the ISPs (including ISP1 and ISP2), and the source IP address of the attack. PSG110 inspects the packets based on its rules and forwards the logs and captured packets to the system 130. The system 130 indexes those logs and captured packets and associates them with Threat 2.

[0089] (3) Provider P1 provides the system 130 with additional CTI ("CTI3") that notifies that additional context regarding Threat 1 has been added, that the target critical infrastructure industries may span multiple countries including Country C1 and Country C2, and that the ISPs (including ISP3 and ISP4) providing services to Country C1 and Country C2 may be the routes for the attempted exfiltration. The system 130 analyzes the existing context of Threat 1 from the logs and captured packets related to Threat 1 mentioned in item (1) above. Based on this analysis, the system 130 retroactively indexes those logs and captured packets, associates them with the context of ISP3 and ISP4, and also instructs PSG110 to filter the packets based on the new / updated filtering rules, collect the logs of the traffic with Country C2, capture the packets, and forward those logs and captured packets to the system 130 (e.g., by sending new filtering rules and / or updated filtering rules). The system 130 receives the logs and captured packets of the traffic with Country C2 and associates those logs and captured packets with Threat 1.

[0090] (4) Provider P3 (e.g., another provider 135) provides CTI ("CTI4") to system 130 notifying that an active ransomware campaign is being executed through a targeted phishing attack delivered through a compromised website hosted by ISP4 with the threat "(Threat 3)". The filtering rule criteria includes information that matches one or more NTIs including phishing URLs, domains, and IP addresses hosted by ISP4 based on CTI4. Based on this rule, PSG110 starts filtering packets and collecting information related to Threat 3, and transfers logs and captured packets related to Threat 3 to system 130. System 130 determines that ISP4 is in country C1 which is common with Threat 1, and further analyzes the logs and packet captures related to Threat 1 (e.g., the logs and captured packets described in items (1) and (3)) to extract domains and URLs, and compares the extracted domains and URLs with the NTIs of Threat 3, but no matches are found and Threat 1 and Threat 3 seem to be unrelated.

[0091] (5) Provider P2 provides additional CTI ("CTI5") to system 130 notifying that Threat 2 is likely a proactive operation by a sophisticated actor to hide a more serious attack, and that the DDOS attack is concentrated on overloading the services of ISP1 in country C1. Based on this additional information, system 130 determines the commonality between Threat 2 and Threats 1 and 3, and they are all related to country C1. System 130 further analyzes all logs and captured packets related to Threats 1, 2, and 3, and starts extracting additional information useful for exfiltration detection.

[0092] (6) When the data transfer within the packet payload matches a specific unique value, provider P3 provides additional CTI ( "CTI6") to system 130, notifying the system 130 that there is a confirmed and verified NTI indicating Ryuk malware infection for threat 3. System 130 further analyzes the logs and captured packets related to threat 1, threat 2, and threat 3 to find this NTI and detect those that match the captured packets related to threat 1.

[0093] (7) Based on the analysis of item (6) and the previous item, system 130 determines that threat 1, threat 2, and threat 3 are related and associates those threats with a single sophisticated campaign that is executed in multiple stages. System 130 determines that the actual Ryuk malware intrusion occurred before threats 2 and 3 were known, when threat 1 was known. Through retroactive analysis using the updated information, system 130 detected the threat at a later point in time, which was the earliest point in time when a confirmable NTI was found (related to the event described in item (6)).

[0094] This disclosure encompasses numerous configurations of the devices and systems described herein, and the operations described herein can be distributed among the devices and systems in numerous ways and / or among other devices. One or more of the steps, operations, and / or functions described herein can be changed and / or executed in an order other than that explicitly described herein, and / or omitted, and / or other steps, operations, and / or functions may be added.

[0095] System 130 is directly connected to one or more PSG110s and, via filtering rules, actively instructs the PSG110s to log and / or capture packets based on threats when information regarding threats is received. The PSG110s can send the logs and / or captured packets to system 130 in real - time, near - real - time, or with a delay.

[0096] Additionally, or alternatively, system 130 may be indirectly connected to one or more PSGs 110. The indirect connection may be made, for example, via one or more computing devices that function as aggregators of logs and packet captures. The aggregator may include one or more computing devices configured to operate as a management platform for PSG 110. Also, or alternatively, the aggregator may include one or more computing devices configured to perform security information and event management (SIEM) system functions, with PSG 110 sending the logs and / or captured packets to the SIEM system and the SIEM system sending the logs and / or captured packets to system 130.

[0097] Also, or alternatively, system 130 may be configured to query and / or retrieve logs and / or captured packets from an external log and / or captured packet storage (e.g., rather than always receiving passively). Such queries are based on query parameters narrowed down based on evolving CTI. For example, entities associated with customers of network 105 may have captured packets and / or logs of all traffic stored for 365 days, and system 130 may retain only captured packets and / or logs with at least a minimal threat context (e.g., based on previously received CTI). System 130 can execute queries against the external storage store to selectively retrieve additional captured packets and / or logs needed to further apply new CTI.

[0098] Additionally, or alternatively, system 130 functions as a log and / or captured packet filter between PSG 110 (and / or other non-PSG sources of logs and / or packet captures) and a SIEM system or external storage. System 130 may be configured to forward all logs and / or captured packets associated with known threats and retain all logs and / or captured packets where the association with a threat is unknown. When new CTI is received and historical logs and captured packets are further analyzed, logs and captured packets that are retroactively detected as being associated with a threat are forwarded to the SIEM system or external store. This deployment model allows the SIEM system and / or external store to retain information known to be important and not retain information not known to be important until its importance is determined by system 130.

[0099] Additionally, or alternatively, system 130 may be configured to operate as a retention controller for logs and / or captured packets. System 130 may more quickly delete logs and / or captured packets stored by another system (such as a SIEM system, external storage, etc.) based on a determination of low importance (e.g., based on updated CTI, it is determined that the log and / or captured packet is not related to a cyber threat, or is likely to be related to a cyber threat with a low threat level, etc.), or may store them for a longer period based on a determination of importance (e.g., based on updated CTI, it is determined that the log and / or captured packet is related to a cyber threat, or is likely to be related to a cyber threat with a high threat level, etc.). System 130 may be configured to extend the data retention period applied to the data as the associated risk (e.g., the risk of addressing threats related to that data, and / or the risk correlated with the above importance) increases. As the risk increases, it becomes more likely that the data will be needed later. System 130 is configured to shorten the data retention period applied to the data as the associated risk decreases, with the decrease in risk corresponding to the low likelihood that the data will be needed.

[0100] Figure 6F shows an example of steps that system 130 executes as part of its operation as a retention controller. The steps of Figure 6F can be executed as part of step 645 (Figure 6D), as part of another step, or as an additional step separate from the steps already shown in Figures 6A through 6E. System 130 can execute step 645.1 after executing step 644 (Figure 6D) and / or after executing other portions of step 645 (e.g., steps related to causing other types of output and / or actions based on one or more analyses of steps 620, 634, and / or step 637). In step 645.1, system 130 can determine whether the importance of one or more logs and / or one or more captured packets has increased based on one or more analyses of steps 620, 634, and / or step 637. For example, the importance associated with a particular log or captured packet can increase with respect to one threat but decrease with respect to another threat. An increase in importance can include a determination that a log and / or captured packet is associated with a threat, a confirmation that a log and / or captured packet is associated with a threat, a determination of an increase in threat level, and / or other determinations that the importance of a log and / or captured packet has increased. If the importance has increased (even if the importance associated with another threat has decreased), system 130 can, in step 645.2, extend the retention period associated with the log and / or captured packet. Step 645.2 can include, for example, sending a message indicating an extension of the retention period, updating a data field and / or flag to indicate an extension of the retention period, and the like. After step 645.2, system 130 can execute step 646 (Figure 6D) and / or other portions of step 645 (e.g., in relation to causing other types of output and / or actions based on one or more analyses of steps 620, 634, and / or step 637). If the importance has not increased, system 130 can execute step 645.3.

[0101] In step 645.3, system 130 can determine whether the importance of the logs and / or one or more captured packets has decreased based on one or more analyses in steps 620, 634, and / or step 637. A decrease in importance includes a determination that the logs and / or captured packets are not associated with a threat, a confirmation that the logs and / or captured packets are not associated with a threat, a determination of a decrease in threat level, and / or other determinations that the importance of the logs and / or captured packets has decreased. If the importance has not decreased, system 130 can execute step 646 and / or other parts of step 645. If the importance has decreased, system 130 can execute step 645.4. In step 645.4, system 130 determines whether the retention period of the logs and / or captured packets has been previously extended (e.g., compared to the default retention period based on a previous importance determination). If not, system 130 may execute step 646 and / or other parts of step 645. If the retention period has been previously extended, system 130 can shorten the retention period associated with the logs and / or captured packets in step 645.5. Step 645.5 may include, for example, sending a message indicating the shortening of the retention period, updating data fields and / or flags to indicate the shortening of the retention period, and the like. After step 645.5, system 130 can execute step 646 and / or other parts of step 645.

[0102] As described above, system 130 can generate various outputs and / or perform other actions (e.g., based on one or more of the analyses of steps 620, 634, and / or step 637) based on judgments obtained by applying new CTI-based criteria to logs and / or captured packets associated with previous CTI. Such outputs and / or actions can include, alternatively or in addition, automatically sending alerts (and / or logs and / or captured packets) to a SIEM system, an orchestration platform (e.g., a security orchestration, automation, and response (SOAR) platform), and / or other external systems. If security system 130 directly or indirectly controls PSG110 and / or devices, security system 130 can send instructions (e.g., new rules and / or modified rules) to those PSG110 and / or other devices to expand or contract logging and / or packet capture (e.g., as described in the examples of paragraphs (1) through (7) above). Further, or alternatively, system 130 can change settings (e.g., within PSG110) that control whether packets are captured (either directly or via an intermediate system). For example, PSG110 is default-configured not to capture packets of blocked packet communications. Based on updated CTI, system 130 can determine whether packets need to be captured for subsequent blocked communications. Such captured packets can be used, for example, by system 130 for domain extraction (e.g., on non-IP-based blocks), enabling the capture of packets of lateral traffic that match the NTI and are only seen on the span and / or tap of PSG110.

[0103] FIG. 7 is a diagram showing an example of an environment 700 for detecting and / or analyzing cyber threats based on updated cyber threat intelligence and is used to explain some additional examples of filtering, aggregation, and / or retention control. The illustrated environment 700 is similar to the illustrated environment 100 of FIG. 1. However, to simplify the explanation of the following various further examples, system 130 is divided into a cyber threat analysis system 730A (system 730A) and a cyber threat analysis system 730B (system 730B), and the corresponding storage databases 731A and 731B are provided for systems 730A and 730B, respectively. Systems 730A and 730B, and databases 731A and 731B communicate with each other via network 701 and can communicate with other computing devices (such as PSG110, firewall 153, ISP157, SIEM system 702, CTIP135, etc.) via network 125. Also, or alternatively, one or more of systems 730A and 730B or databases 731A and 731B can communicate with each other via network 125.

[0104] System 730A and database 731A may include one or more computing devices (such as those described in connection with FIG. 2) configured to perform filtering, aggregation, and / or retention control operations as described below. System 730B and database 731B may include one or more additional computing devices (such as those described in connection with FIG. 2) configured to perform the operations as described below and other operations described herein in connection with system 130. Also, or alternatively, system 730A and database 731A may be configured to perform the operations described herein in connection with system 130. Systems 730A and 730B need not be implemented using separate computing devices (or a collection of computing devices) together with databases 731A and 731B. For example, the operations described below in connection with system 730A may be performed by a computing device based on execution of instructions included in one or more modules stored in the memory of the computing device, or alternatively, the operations described below in connection with system 730B (and / or the operations described herein in connection with system 130) may be performed by the same computing device based on execution of instructions included in one or more additional modules stored in the memory of that computing device. Similarly, the storage operations described below in connection with database 731A may be assigned to one or more first portions of the memory of the database / archive, and the storage operations described below in connection with database 731B (and / or the storage operations described herein in connection with database 131) may be assigned to one or more second portions of the memory of the same database / archive. In fact, the operations of systems 130, 730A, and 730B, and the operations of databases 131, 731A, and 731B can be integrated into any number of individual computing devices or allocated among those devices.

[0105] FIG. 7 also shows a SIEM system 702 and a corresponding data archive database 703 used by the SIEM system 702. The SIEM system 702 (including the archive 703) can provide services to one or more networks such as network 151 and / or network 155. For example, as described below, the SIEM system 702 and / or the archive 703 can be configured to store captured packets and / or other data output by a firewall 153, a server of the ISP 157, a proxy, and / or other types of computing devices. The SIEM system 702 and the archive 703 can each include one or more computing devices configured to perform operations as described herein.

[0106] Figures 8A and 8B are sequence diagrams showing an example of events related to filtering, aggregating, and / or retention control based on updated cyber threat intelligence. In particular, FIGS. 8A and 8B show an example of how system 730A operates to collect, filter, and transfer (or discard without transfer) packets captured by PSG110. System 730A can transfer a portion of the captured packets to system 730B for additional processing if there is subsequent CTI related to those packets (e.g., as described above in relation to system 130). System 730A can discard other captured packets if there is no subsequent CTI related to those other packets (e.g., without transferring them to system 730B or other computing devices). FIG. 8B is a continuation of FIG. 8A. The examples of FIGS. 8A and 8B are simplified for illustration purposes. The number, order, and / or timing of the exemplary events can vary, additional events may occur, and / or one or more of the events shown in FIGS. 8A and 8B may be omitted, repeated, or modified. Events (or portions thereof) such as those shown in FIGS. 8A and 8B may be executed alone or in combination with other events, such as those shown in one or more other figures and / or described herein.

[0107] In event 801, system 730B can receive CTI data 800.1 including data A (e.g., one or more NTIs) associated with a cyber threat or a potential cyber threat. Based on data A, system 730B generates one or more rules including filtering criteria based on data A (A-based criteria, which may include any type of the aforementioned packet filtering criteria), one or more operators configured to drop or permit the transmission of packets that match the A-based criteria, and instructions for generating logs of such matching packets (e.g., logs as described in relation to FIG. 4). As used herein, "····-based criteria" (where "····" is A or other characters) may be a single criterion (e.g., a specific value of a single NTI) or may be composed of multiple criteria (e.g., one or more possible values for each of multiple NTIs). One or more rules with A-based criteria are transferred to PSG110 in events 802 and 803. In event 806, system 730B can receive CTI data 800.2 including data B (e.g., one or more NTIs) associated with a cyber threat or a potential cyber threat. Based on data B, system 730B generates one or more rules including B-based criteria (based on data B and which may include any type of the aforementioned packet filtering criteria), one or more operators configured to drop or permit the transmission of packets that match the B-based criteria, and instructions for generating logs of such matching packets. One or more rules with B-based criteria may be transferred to PSG110 in events 807 and 808. CTI data 800.1 and 800.2, as well as other CTI data described in relation to FIGS. 8A and 8B, may be received from CTIP135, an internal source (e.g., one or more analysis programs executed by system 730B), and / or another source.

[0108] In event 811, system 730B can receive CTI data 800.3 that includes data C (e.g., one or more NTIs). Data C may not contain enough information to determine whether data C is related to a cyber threat or a potential cyber threat, and it may not be known. Alternatively, or in addition, other information may suggest that data C may not be important. For example, data C may have been received from a source known to provide data of questionable value. As another example, data C may have been identified in connection with an extensive effort to collect information that may be related to potential cyber threats (e.g., collection of data on all packet traffic over an extensive time range surrounding a potential incident), and there may not yet be sufficient reason to believe that data C is actually related to a potential cyber threat. Since there may not yet be information indicating whether data C is important (or will become important), system 730B may determine that analysis of the logs of packets that match C-based criteria may not be useful at this time and / or that long-term storage of such logs or packets that match C-based criteria is not justified at this time. However, data C may be shown to be important by later information, and it may be beneficial to temporarily store packets that match C-based criteria to allow time for the development and / or receipt of such later information.

[0109] Accordingly, at event 812, system 730B can instruct system 730A to monitor whether there are packets passing through PSG110 that match a C-based criterion (based on data C and including any type of the aforementioned packet filtering criteria), that a copy of such packets be stored for at least a predetermined period (e.g., 30 days, 60 days, 90 days, etc.), and that a log of such packets be generated at least at a minimal level of detail. For example, system 730B can instruct PSG110 to generate a log for packets that match the C-based criterion indicating a reference to the C-based criterion, a reference to the PSG that generated the log, the size of the packet that matches the C-based criterion, the time and / or date of the packet that matches the C-based criterion, and / or other basic information (e.g., 5-tuple). Alternatively, as described in more detail below, system 730B can instruct PSG110 to generate a log containing more or less information for each packet that matches the C-based criterion, or to not generate a log.

[0110] In event 813, system 730A can update the instruction list to save the instructions received in event 812. FIG. 9A shows at least a part of the stored data of system 730A and database 731A after event 813. The instruction list includes instruction 901 corresponding to the instructions received in event 812. Instruction 901 indicates that a log is to be generated for packets that match the C-based criteria and that such packets need to be saved, and further indicates the time associated with instruction 901. System 730A is configured to delete instruction 901 and / or delete the packets and / or logs saved based on instruction 901 if there are no further instructions related to the C-based criteria within a predetermined time from the time associated with instruction 901. Based on instruction 901, system 730A can generate one or more rules that include the C-based criteria, generate a log of packets that match the C-based criteria, capture the packets and logs, and instruct PSG110 to transfer the captured packets and logs to system 730A, but not instruct PSG110 to transfer such packets or logs to system 730B (and / or instruct PSG110 not to transfer such packets or logs to system 730B). In events 815 and 816, system 730A transfers those one or more rules to PSG110.

[0111] At event 819, system 730B can receive CTI data 800.4 including data D (e.g., one or more NTIs). Similar to data C, system 730B may determine that data D is not important (or not yet known to be important), that analyzing the log of packets matching D-based criteria is likely not useful at present, and / or that long-term storage of such logs or packets matching D-based criteria is not yet guaranteed, but that temporary storage of packets matching D-based criteria may be beneficial. Thus, at event 820 (similar to event 812), system 730B can instruct system 730A to monitor data traffic passing through PSG110 to check for packets matching D-based criteria (which are based on data D and may include any type of the above packet filtering criteria), save a copy of such packets for a predetermined time, and generate a log of such packets at least at a minimum level of detail. Event 821 is similar to event 813, and system 730A can update the list of saved instructions to include the instructions received at event 820. FIG. 9B shows at least a portion of the saved data of system 730A and database 731A after event 821. The saved data includes an instruction 902 to generate and save a log of packets matching D-based criteria and the time associated with that instruction. System 730A can be configured to delete instruction 902 and / or delete the packets saved based on instruction 902 if there are no further instructions related to D-based criteria within a predetermined time from the time associated with instruction 902. Based on instruction 902, system 730A can generate one or more rules that include D-based criteria, generate a log of packets matching D-based criteria, capture the packets and the log, and instruct PSG110 to transfer the captured packets and log to system 730A, but not (and / or instruct PSG110 not to transfer) such packets or log to system 730B.In events 823 and 824, system 730A transfers one or more of its rules to PSG110.

[0112] Based on the rules sent in events 802, 803, 807, and 808, PSG110 can filter the packet traffic of packets that match the A-based criteria and B-based criteria, record the packets that match the A-based criteria and B-based criteria in a log, and capture the packets that match the B-based criteria. In events 827 and 828, PSG110 transfers those logs and the captured packets (PCAP) to system 730B. Events 827 and 828 transfer those logs and the captured packets directly to system 730B. Alternatively, those logs and the captured packets are sent to system 730A, and system 730A transfers those logs and packets to system 730B. In event 829, system 730B may save the logs and the captured packets from events 827 and 828 to database 731B. Although not shown in FIG. 8A, system 730B can also perform additional processing on those logs and / or the captured packets (e.g., the processing described in connection with system 130, etc.).

[0113] Based on the rules sent in Events 815, 816, 823, and 824, PSG110 can filter the data traffic of packets that match the C-based criteria or D-based criteria, and generate and capture logs of the packets that match the C-based criteria or D-based criteria. In Events 832 and 833, PSG110 can transfer those logs and the captured packets (PCAP) to System 730A. In Event 834, System 730A saves the logs and the captured packets from Events 832 and 833 to Database 731A, and can index those saved logs and captured packets to the criteria, rules, and / or instructions associated with the capture and saving of those packets. FIG. 9C shows at least a portion of the saved data of System 730A and Database 731A after Event 834. The logs and the captured packets (PCAP) are saved to Database 731A. As indicated by the "C" and "D" labels in FIG. 9C, each of the logs and the saved packets is flagged as corresponding to the C-based criteria (and / or the rules sent in Events 815 and 816, and / or Instruction 901) or the D-based criteria (and / or the rules sent in Events 823 and 824, and / or Instruction 902), and / or is indicated in other ways (e.g., by saving to a specific memory address). As shown in the entries "C" and "D" of the "Pcaps Stored" table in FIG. 9C, System 730A can save data indicating that the packets indexed to the C-based and D-based criteria (and / or the corresponding rules and / or instructions) are saved to Database 731B. As shown in the entries "C" and "D" of the "Logs Stored" table in FIG. 9C, System 730A can save data indicating that the logs of the captured packets indexed to the C-based and D-based criteria (and / or the corresponding rules and / or instructions) are saved to Database 731B.Entries in the Pcaps Stored table and the Logs Stored table may also include an indication of the memory address in the database 731B where the log or packet associated with the entry is stored.

[0114] In event 835, the system 730A can determine whether the stored instructions need to further process any of the just-stored logs and / or packets, based on the fact that the logs and / or packets are stored in the database 731A. In the example of event 835, there is no such indication and no further processing of the stored logs or packets is performed. Events 832 through 835 may be repeated multiple times. In repetitions of event 832 and / or event 833, only the logs and copies of packets that match C-based criteria are received. In repetitions of event 832 and / or event 833, only the logs and copies of packets that match D-based criteria are received.

[0115] In event 838 (Figure 8B), system 730B can receive CTI data 800.5 that includes data E (e.g., one or more NTIs). System 730B determines that data E and data C may be related (or potentially related) to the same cyber threat (e.g., based on one or more determinations as described in relation to Figure 6E or otherwise described herein), and determines that captured packets that match C-based criteria may be important if those packets also match E-based criteria. Accordingly, system 730B sends an instruction to system 730A in event 839. In the instruction of event 839, system 730A may be instructed to check captured packets that match C-based criteria and / or to check logs of captured packets that match C-based criteria for matches with E-based criteria. System 730A may further be instructed to perform one or more additional actions associated with those logs and / or packets that may be related to a cyber threat if there are one or more packets (or logs of such packets) that match C-based criteria and they also match E-based criteria. Such additional actions may include sending an alert indicating that the logs and / or packets match C-based and E-based criteria to system 730B (and / or another computing device), indicating the relationship (or potential relationship) between those logs and / or packets and a cyber threat, and / or indicating one or more other actions, determinations, or other items.Also, or alternatively, further actions may include identifying and / or collecting packets that match C-based and E-based criteria, identifying and / or collecting other packets (e.g., all packets that match C-based criteria), identifying and / or collecting logs corresponding to packets that match C-based and E-based criteria (and / or logs corresponding to other packets), transferring such packets and / or logs, storing such packets and / or logs, and / or other actions. Additional examples of further actions are shown below. Although not shown in the example of FIG. 8B, the instruction for event 839 may also instruct the system 730A to monitor traffic passing through the PSG110 to detect packets that match E-based criteria, store a copy of such packets for a predetermined time, and / or initially generate a log of such packets. If such additional instructions were included in the system 730B, the system 730A could generate and send rules (e.g., similar to the rules for events 815, 816, 823, and 824) such as having the PSG110 monitor for packets that match E-based criteria, generate and capture a log of such packets, and transfer the log and the captured packets to the system 730A.

[0116] In event 840, system 730A can update the instruction list to include the instructions received in event 839. FIG. 9D shows at least a portion of the stored data of system 730A and database 731A after event 840. The data includes instruction 903 and the time associated with instruction 903. Instruction 903 indicates that system 730A needs to check the stored packets captured based on a C-based criterion for conformity with an E-based criterion. Instruction 903 may further indicate that if the stored packets conform to both the C-based criterion and the E-based criterion, further actions need to be taken (for example, issue a warning to system 730B and send a copy of the packets (and corresponding logs) that conform to the C-based and E-based criteria to system 730B). Instruction 903 also includes the time associated with instruction 903, and this time can be used to determine whether a predetermined time has elapsed (for example, to determine whether to delete instruction 903 if no related activity occurs).

[0117] As part of event 840, system 730A can determine whether a copy of a packet that conforms to a C-based criterion has already been stored in database 731A. System 730A can determine, based on the C entries in the Pcaps Stored table and the Logs Stored table, that there are stored packets that conform to a C-based criterion and logs corresponding to such packets. In event 843, system 730A can obtain the stored packets and corresponding logs that conform to a C-based criterion from database 731A. In event 844, system 730A can update the logs obtained based on the obtained packets. For each of the obtained packets, system 730A can update the corresponding log by reading data from the header fields of the packet, by reading the time data associated with the packet, and / or by extracting information from (or about) the packet and adding that information to the corresponding log. Each of the updated logs can be, for example, a log as described in relation to FIGS. 4 through 5D. As part of updating each corresponding log, system 730A can extract all (or substantially all, e.g., all information other than the payload field) of the information of the packet that is not encrypted or obfuscated and add that information to the corresponding log, or can extract not substantially all but a portion of the extractable information (e.g., system 730A can extract only the information of the additional fields necessary to check against an E-based criterion). In event 845, system 730A can store the updated logs in database 731B and can store data indexed to a C-based criterion, the rules of events 815 and 816, and / or instruction 901 for those updated logs. FIG. 9E shows at least a portion of the stored data of system 730A and database 731A after event 845.The updated log (“C-updated”) is stored in database 731A and flagged as corresponding to the C-based criteria (and / or rules sent at events 815 and 816 and / or instructions 901) and / or otherwise indicated (e.g., by storing at a particular memory address). As shown also in the entry “C-updated” in the “Logs Stored” table of FIG. 9E, system 730A can store data indicating that updated logs indexed to the C-based criteria (and / or corresponding rules and / or instructions) are stored in database 731B. An entry in the Logs Stored table can also include an indication of the memory address at which the log associated with the entry is stored in database 731B.

[0118] In event 846, system 730A can determine whether any of the updated logs of the packets that match the C-based criteria also match the E-based criteria. Although not shown in FIG. 8B, system 730A can hold local copies of those updated logs when saving the logs updated in event 845 and creating an index. Alternatively, after saving the logs updated in event 845 and creating an index, system 730A can obtain a copy of those updated logs as part of (or prior to) event 846. In event 846, system 730A determines that a portion of the updated log matches the E-based criteria, and thus can determine that the packets corresponding to that portion of the updated log match both the C-based and E-based criteria. In event 847, system 730A can save data for indexing that portion of the updated log and the corresponding saved packets against the C-based and E-based criteria (and / or instruction 903). FIG. 9F shows at least a portion of the saved data of system 730A and database 731A after event 847. As indicated by the "C-updated; E" label, a portion of the updated log of the packets that match the C-based criteria is flagged or shown to also match the E-based criteria. This flagging / indication may also include saving such logs (not shown) separately. As can be seen from the C and E labels on a portion of the saved packets, packets that match both the C-based and E-based criteria (and packets corresponding to logs that match the C-based and E-based criteria) are also flagged and / or indicated. As further shown in the C, E, and C-updated; E entries of the Pcaps Stored table and Logs Stored table in FIG. 9F, system 730A can save data indicating that the packets indexed against the C-based and E-based criteria (and / or instruction 903) and the logs of such packets are stored in database 731B.Entries in the Pcaps Stored table and the Logs Stored table may also include an indication of the memory address in the database 731B where the packets and logs associated with the entry are stored.

[0119] In event 848, system 730A can perform additional actions indicated by the instructions sent in event 839 and stored in event 840. For example, system 730A can send an alert to system 730B that a captured packet matching C-based criteria also matches E-based criteria. As part of event 848, system 730A may also send a copy of the captured packets that match both C-based and E-based criteria, and / or a copy of the logs corresponding to those captured packets, to system 730B. Also, or alternatively, system 730A may send all captured packets that match C-based criteria, and / or all logs corresponding to those captured packets. In event 849, system 730B stores the logs and captured packets from event 848 in database 731B. Although not shown in FIG. 8B, system 730B can also perform additional processing on those logs and / or captured packets (e.g., the processing described in connection with system 130).

[0120] System 730A can receive and store captured packets (from one or more PSG110s) that conform to C-based criteria, continue to create a log of such captured packets, and perform operations similar to those described above (such as log updates, determining whether the updated log conforms to E-based criteria) in relation to events 844 through 848 for such captured packets. Also, or alternatively, if system 730B sends additional instructions (e.g., based on additional CTI) indicating additional criteria that need to be checked for packets conforming to C-based and / or E-based criteria, system 730A can continue to perform operations similar to events 844 through 848 using the additional criteria. System 730A continues to perform operations based on instruction 903 and / or other instructions until otherwise instructed by system 730B. For example, based on the alerts, logs, and / or captured packets received at step 848, system 730B can determine that the PSG110 needs to start generating and / or capturing logs of packets that conform to C-based criteria and / or E-based criteria and send those logs and / or captured packets to system 730B. Based on such determination, system 730B can send rules (e.g., events similar to events 802, 803, 807, and 808) to the PSG100 and send one or more instructions to system 730A to cause system 730A to delete instruction 901 and / or 903 and / or cancel the rules sent at events 815 and 816. Also, or alternatively, system 730A can continue to store and process captured packets that conform to C-based criteria (and corresponding logs) until a related activity (e.g., there are no new instructions related to comparing those packets that conform to C-based criteria to other criteria such as whether they no longer conform to E-based criteria) has elapsed for a predetermined period of time.

[0121] In event 851, the system 730A determines that within a predetermined time from the time associated with instruction 902, there is no activity associated with the activity associated with instruction 902 and / or the stored packets (or logs of those packets) that match the D-based criteria. The absence of related activity means that there is no additional instruction to perform any action regarding the captured packets that match the D-based criteria (for example, no instruction to check such packets or corresponding logs to match other criteria), the packets that match the D-based criteria do not match other criteria indicated by additional instructions (if such additional instructions have been received), there is no access to the stored packets (or corresponding logs) that match the D-based criteria, and so on. Based on the determination that there is no related activity, the system 730A deletes instruction 902 of event 852 and generates an instruction to cancel the rules transmitted in events 823 and 824 and sends it to the PSG110 (in events 853 and 854). Canceling the rules transmitted in events 823 and 824 causes, for example, the PSG110 to stop capturing and transmitting packets that match the D-based criteria (and also generate and transmit a log of the packets that match the D-based criteria) based on the rules transmitted in events 823 and 824, but does not affect other rules related to the D-based criteria. Also, based on the determination that there is no related activity, the system 730A can delete the stored packets that match the D-based criteria (and corresponding logs) and are indexed to instruction 902 in event 855. FIG. 9G shows at least a part of the stored data of the system 730A and the database 731A after event 855.

[0122] The examples of FIGS. 8A and 8B are simplified for illustration purposes and there are numerous modifications within the scope of the present disclosure. Many of the events shown in FIGS. 8A and 8B can occur multiple times (e.g., events 827 to 829, events 832 to 835). When additional packets that match C-based and / or D-based criteria are received, those additional packets are indexed and stored. When additional logs of such packets are received, those additional logs are indexed and stored (e.g., adding a new log of packets that match C-based criteria to the previous log of packets that match C-based criteria, or adding a subsequent log of packets that match D-based criteria to the previous log of packets that match D-based criteria). Events similar to those shown in FIGS. 8A and 8B, but related to other CTI data and related instructions, rules, etc., can also occur multiple times and can occur alternately with the times of the events shown in FIGS. 8A and 8B. Instructions to cause system 730A to compare previously saved capture packets to additional criteria may differ from instruction 903. For example, such instructions may cause the saved packets to be compared to one or more additional criteria, but no alert may be sent or logs and / or captured packets may not be sent if they match one or more of those additional criteria. Instead, the instruction simply indicates that packets that match one or more additional criteria need to be noted, and one or more additional instructions cause the noted packets to be further compared to one or more additional sets of criteria and / or an alert (and / or logs and / or captured packets) to be sent after it is determined that one or more of the saved packets match multiple sets of criteria. One or more of those subsequent instructions may be received from system 730B and may include data that allows an additional portion of the log to be updated.For example, system 730B sends an instruction to system 730A to check whether the stored packets that conform to the D-based criteria match the F-based criteria, which indicates that packets that match the F-based criteria need only be recorded (e.g., no alert is sent). System 730B can send subsequent instructions to system 730A to have system 730A compare the packets that are confirmed to match the D-based and F-based criteria against the G-based criteria and send an alert if one or more packets match the D-based, F-based, and G-based criteria. When sending subsequent instructions related to the G-based criteria, system 730B may include data (e.g., a decryption algorithm) that enables reading of the packet portion related to the G-based criteria.

[0123] As a further example of a modification to the examples of FIGS. 8A and 8B, and as described above, the system 730A instructs the PSG110 (e.g., in steps such as events 815, 816, 823, and 824) to generate logs that contain more or less information about packets that match criteria such as C-based and D-based criteria. Alternatively, the system 730A does not instruct the PSG110 to generate logs of packets that match criteria such as C-based and D-based criteria, and / or instructs the PSG110 not to generate such logs. If the PSG110 does not generate such logs, event 844 can be modified to generate logs from the stored packets that match criteria such as C-based and D-based criteria. If the PSG110 generates logs of the captured packets that match criteria such as C-based and D-based criteria, it is not necessary to transfer those logs together with the captured packets. For example, the PSG110 can stream the logs to the system 730A and transfer the captured packets at a predefined time, or vice versa. Event 844 can include updating and generating logs, and / or generating logs based on previously generated logs. For example, event 844 can include generating a flow log that includes logs of a plurality of packets that are associated with a flow and / or otherwise associated, where the association may not have been recognized (and / or may have been difficult to recognize) until a plurality of packets were captured.

[0124] As a further example of a modification to the examples of FIGS. 8A and 8B, after it is determined that there has been no related activity within a predetermined period (e.g., in the case of event 851 regarding D-based criteria), it is not necessary to delete all data (e.g., stored packets and corresponding logs). For example, event 855 includes deleting the stored packets but retaining the corresponding logs or data based on those logs. Alternatively or additionally, it is also possible to retain data indicating the number of packets that matched D-based criteria during the period when rule 902 was active.

[0125] Figures 10A and 10B are sequence diagrams showing another example of events related to filtering, aggregation, and / or retention control based on updated cyber threat intelligence. Figure 10B is a continuation of Figure 10A. The examples of Figures 10A and 10B are similar to the examples of Figures 8A and 8B. However, in the examples of Figures 10A and 10B, the system 730A operates to collect, filter, and transfer (or discard without transfer) packets captured by network boundary devices other than the PSG 110. In the examples of Figures 10A and 10B, that boundary device is the firewall 153 of the network 151. However, events such as those shown in Figures 10A and 10B can be executed with respect to other types of boundary devices (such as proxies, servers associated with the ISP 157, etc.). The examples of Figures 10A and 10B are simplified for illustration purposes. The number, order, and / or timing of the exemplary events vary, and additional events may occur, and / or one or more of the events shown in Figures 10A and 10B may be omitted, repeated, or changed. Events (or portions thereof) such as those shown in Figures 10A and 10B may be executed alone or in combination with events such as one or more events shown in one or more other drawings and / or described herein.

[0126] In event 1001, which is similar to event 811 in FIG. 8A, system 730B can receive CTI data 1000.1 including data C. As in the examples of FIGS. 8A and 8B, system 730B determines that it is unlikely that the analysis of the log of packets matching the C-based criteria is useful and / or that the long-term storage of such logs or packets matching the C-based criteria is not yet guaranteed. However, data C may later be determined to be important, in which case it may be beneficial to temporarily store packets matching the C-based criteria. Event 1002 is similar to event 812, but system 730B can instruct system 730A to monitor data traffic passing through firewall 153 to detect packets matching the C-based criteria, store copies of such packets for at least a predetermined time, and generate a log of such packets at least at a minimum level of detail. Event 1003 is similar to event 813, but system 730A can update the instruction list to store the instructions received in event 1002. Based on those instructions, system 730A can generate an instruction including the C-based criteria and instruct firewall 153 to generate and capture a log of packets matching the C-based criteria and transfer the captured packets and logs to system 730A. Event 1004 is similar to events 815 and 816, but system 730A can transfer the generated instructions to firewall 153.

[0127] Event 1008 is similar to event 819 in FIG. 8A, but system 730B can receive CTI data 1000.2 including data D. As in the examples of FIGS. 8A and 8B, system 730B is unlikely to be useful for analyzing the log of packets that match D-based criteria, and / or long-term storage of such logs or packets that match D-based criteria is not yet guaranteed, but it can be determined that temporary storage of packets that match D-based criteria may be beneficial. Event 1009 is similar to event 820, but system 730B can instruct system 730A to monitor data traffic passing through firewall 153 to detect packets that match D-based criteria, store a copy of such packets for at least a predetermined time, and generate a log of such packets at least at a minimum level of detail. Event 1010 is similar to event 821, but system 730A can update the instruction list to store the instructions received in event 1009. Based on the instructions, system 730A can generate an instruction including D-based criteria and instruct firewall 153 to generate and capture a log of packets that match D-based criteria and transfer the captured packets and logs to system 730A. Event 1011 is similar to events 823 and 824, but system 730A can transfer the generated instructions to firewall 153.

[0128] Firewall 153 is configured such that all packets sent from hosts external to network 151 to host 152, and all packets sent from host 152 to hosts external to network 151, pass through firewall 153. In event 1015, firewall 153 sends a copy of the packets passing through firewall 153 that match either a C-based criterion or a D-based criterion, and a log of such packets, to system 730A. Event 1016 is similar to event 834, except that system 730A stores the logs and captured packets from event 1015 in database 731A, and can index those stored packets to the criteria and / or instructions on which they were based to capture and store those packets and generate corresponding logs. Event 1017 is similar to event 835, except that system 730A can determine whether, based on the logs and / or packets being stored in database 731A, the stored instructions indicate that any of the newly stored logs and / or packets need to be further processed. In the example of event 1017, there are no such instructions and no further processing of the stored logs or packets is performed. Events 1015 through 1017 can be repeated multiple times. In a repetition of event 1017, firewall 153 can send only the logs and copies of the packets that match the C-based criterion. In a repetition of event 1017, firewall 153 can send only the logs and copies of the packets that match the D-based criterion.

[0129] Event 1021 is similar to event 838 in FIG. 8B, but system 730B can receive CTI data 1000.3 including data E (e.g., one or more NTIs). System 730B may determine that data E and data C may be related (or potentially related) to the same cyber threat (e.g., based on one or more determinations as described in relation to FIG. 6E or otherwise described herein), and determine that captured packets that match C-based criteria may be important if those packets also match E-based criteria. Event 1022 is similar to event 839, but system 730B can send an instruction to system 730A to check whether captured packets that match C-based criteria also match E-based criteria. Event 1023 is similar to event 840, but system 730A can update the instruction list to include the instruction received in event 1022 and determine that there are stored packets that match C-based criteria. Event 1024 is similar to event 843, but system 730A can obtain stored packets from database 731A that match the logs corresponding to C-based criteria. Event 1025 is similar to event 844, but system 730A can update the obtained logs based on the obtained packets. Event 1026 is similar to event 845, but system 730A stores the updated logs in database 731B and can save data indexed to the instructions associated with capturing packets based on C-based criteria and / or C-based criteria.

[0130] Event 1027 (Figure 10B) is similar to event 846, but system 730A can determine that a part of the updated log conforms to the E-based criteria, and thus the packets corresponding to that part of the updated log conform to both the C-based and E-based criteria. In event 1028, it is similar to event 847, but system 730A can store data that indexes that part of the updated log and the corresponding stored packets to the C-based and E-based criteria (and / or the instructions stored in event 1023). In event 1029, based on the determination that there are packets that conform to both the C-based and E-based criteria, system 730A can execute further actions indicated by the instructions stored in event 1023. The further actions can include sending an alert to SIEM system 702 indicating that the captured packets that conform to the C-based criteria also conform to the E-based criteria, collecting and / or sending a copy of the captured packets that conform to both the C-based and E-based criteria, and / or collecting and / or sending a copy of the log corresponding to those captured packets. Also, or alternatively, system 730A may collect and / or send to SIEM system 702 all the captured packets that conform to the C-based criteria and / or all the logs corresponding to those captured packets. In addition to (or instead of) sending alerts, captured packets, and / or logs to SIEM system 702, system 730A can send alerts, captured packets, and / or logs to one or more other computing devices (such as system 730B, a SOAR platform, etc.).

[0131] System 730A can receive and store captured packets that conform to C-based criteria (from firewall 153), continue to create logs of such captured packets, and perform operations similar to those described above (such as log updates and determination of whether the updated logs conform to E-based criteria) in relation to such captured packets with respect to events 1025 to 1029. System 730A can continue this until another instruction is received from System 730B or another computing device and / or perform other operations (e.g., based on additional instructions related to packets that conform to C-based criteria). Also, or alternatively, System 730A can continue to store and process captured packets that conform to C-based criteria (and corresponding logs) until a related activity (e.g., there are no new instructions related to comparing those packets to other criteria such that the packets that conform to C-based criteria no longer conform to E-based criteria or other criteria) ceases for a predetermined period of time.

[0132] Events 1033 and 1034 are similar to events 851 and 852, respectively. Event 1035 is similar to event 853 or event 854, but differs in that a cancellation instruction is sent to firewall 153 in event 1035. Event 1036 is similar to event 855.

[0133] The examples of FIGS. 10A and 10B are simplified for illustration purposes and there are numerous changes within the scope of the present disclosure. Many of the events shown in FIGS. 10A and 10B can occur multiple times, and events similar to those shown in FIGS. 10A and 10B, but related to other CTI data and related instructions, rules, etc., can also occur multiple times and / or can occur alternately with the times of the events shown in FIGS. 10A and 10B. Instructions to cause system 730A to compare previously saved capture packets against additional criteria are different from the instructions saved in event 1023. Non-limiting examples of such different types of instructions are provided above in connection with the examples of FIGS. 8A and 8B. Other changes to the examples from FIGS. 10A to 10B can include changes similar to those described above in connection with the examples from FIGS. 8A to 8B. For example, system 730A can instruct firewall 153 to generate logs containing more or less information about packets that match criteria such as C-based or D-based criteria (e.g., in events such as event 1004 or 1011). Alternatively, system 730A can instruct firewall 153 not to generate logs of packets that match criteria such as C-based and D-based criteria and / or can instruct firewall 153 not to generate such logs. If firewall 153 does not generate such logs, event 1025 is modified to generate logs from saved packets that match criteria such as C-based and D-based criteria.

[0134] Figures 11A and 11B are sequence diagrams showing further examples of events related to filtering, aggregation, and / or retention control based on updated cyber threat intelligence. Figure 11B is a continuation of Figure 11A. In the examples of Figures 11A and 11B, firewall 153 captures some or all of the packets passing through firewall 153 (e.g., all packets sent from a host external to network 151 to host 152, and some or all of the packets sent from host 152 to a host external to network 151), generates at least some basic level of log for all those packets (e.g., a 5-tuple or a part thereof (e.g., the IP address of host 152 sending or receiving the packet, the media access control (MAC) address of the device sending or receiving the packet)), and can be configured to transfer the captured packets and logs to archive 703 (e.g., separately from all instructions received from system 730A or system 730B). However, capturing all packets generates a large amount of data, so archive 703 can be configured to store a copy of the captured packets and the corresponding logs for a default relatively short retention period (e.g., 5 days). If a particular packet is related to a cyber threat and that relationship is not detected within the default retention time, those packets are lost (as a result, they cannot be used for analysis and other activities related to detecting and / or remediating cyber threats). In some cases, there is initial information (such as data C or data D) that may be related to a cyber threat but is not yet known to be important. If subsequent information (such as data E) indicating the importance of the initial information is not received and addressed within the default retention time, important data (such as the initial packets related to the threat) may be lost.

[0135] To extend the retention time of packets that may be related to cyber threats, System 730A can request copies of packets captured based on initial information, save local copies of those packets, and / or notify that it is necessary to retain those packets in Archive 703 for a longer time than the default retention time, as described in more detail below. System 730A can determine, based on criteria from subsequent information, that some or all of the local copies of the packets are likely to be important, warn the SIEM system 703 about those packets, and / or retain those packets. Additional features are described below. The number, order, and / or timing of the events shown in FIGS. 11A and 11B can vary, additional events may occur, and / or one or more of the events shown in FIGS. 11A and 11B may be omitted, repeated, or modified. Events (or portions thereof) such as those shown in FIGS. 11A and 11B may be performed alone or in combination with other events shown in one or more other drawings and / or described herein, such as one or more of the events described herein.

[0136] Event 1104 is similar to event 811 in FIG. 8A, but system 730B can receive CTI data 1000.1 including data C. As in the examples of FIGS. 8A and 8B, system 730B may determine that it is unlikely that the analysis of the log of packets matching the C-based criteria is useful and / or that the long-term storage of such logs or packets matching the C-based criteria is not yet guaranteed. However, data C may later be determined to be important, in which case it may be beneficial to temporarily store packets that match the C-based criteria. Event 1105 is similar to event 812, but system 730B can monitor the packets and / or logs stored by archive 703 to check for packets and / or logs that match the C-based criteria, and can instruct system 730A to store a copy of such packets and / or logs for at least a predetermined time. The instruction for event 1105 further instructs to store correlated packets (and / or logs of correlated packets) as well. The correlated packets of a packet that matches a particular one or more sets of criteria can consist of the packets that are sent to (or received from) host 152 that sent or received the packet that matches that set of criteria, and the packets that are sent (or received) within the correlated packet time range (e.g., 15 minutes before and 15 minutes after the sending or receiving of the packet that matches that set of criteria). For example, if host 152-1 sends a packet that matches the C-based criteria at 12:00 PM on a particular day, the correlated packets of that packet sent at 12:00 PM may include all the packets sent to or from host 152-1 that pass through firewall 153 between 11:45 AM and 12:15 PM on the same day. For convenience, the correlated packets of a packet that matches a particular criteria are hereinafter referred to as "····-based criteria correlated packets". For example, the correlated packets of a packet that matches the C-based criteria are referred to as "C-based criteria correlated packets". The correlated packet time range varies depending on the criteria used to identify the packet.For example, the correlation packet time range of the C-based reference's correlation packet may be 15 minutes before and 15 minutes after the time associated with the packet that matches the C-based reference, while the correlation packet time range of the D-based reference's correlation packet may be 30 minutes before and 30 minutes after the time associated with the packet that matches the D-based reference.

[0137] Event 1106 is similar to event 813, but system 730A can update the instruction list to save the instructions received in event 1105. In event 1107, system 730A can transfer instructions to archive 703 to instruct the following: (i) Send a copy of the captured packet (and corresponding log) that matches the C-based reference and is currently stored by archive 703; (ii) Send a copy of the correlation packet (and corresponding log) of the C-based reference that is currently stored by archive 703; (iii) Send a copy of the packet that matches the C-based reference and is received thereafter by archive 703; (iv) Send a copy of the correlation packet of the C-based reference that is received thereafter by archive 703; (v) Send a copy of the log of the packet that matches the C-based reference and is received thereafter, and a copy of the log of the correlation packet of the C-based reference that is received thereafter; (vi) Start saving packets that match the C-based reference, logs of packets that match the C-based reference, correlation packets of the C-based reference, and logs of correlation packets of the C-based reference for a period longer than the default retention period (e.g., 30 days, 60 days, 90 days, etc.).

[0138] In event 1110, archive 703 transmits a copy of the captured packets (and corresponding logs) currently stored by archive 703 that match the C-based criteria, and a copy of the correlated packets (and corresponding logs) of the C-based criteria currently stored by archive 703. In event 1111, system 730A stores the packets and logs received in event 1110 in database 731A. As part of event 1111, system 730A indexes the stored packets and stored logs to the C-based criteria, the instructions stored in event 1106, and / or the instructions of event 1107. System 730A can index the stored packets and logs using the methods described in connection with FIGS. 8A, 8B, 9C, 9E, and 9F. The stored correlated packets of the C-based criteria and the corresponding logs may be further indexed so as to omit further processing of those packets and logs by system 730A, but those packets and logs are identified and transferred when appropriate (e.g., when it is determined that the packets or logs that match the C-based criteria match one or more additional criteria). In event 1112, which is similar to event 835, system 730A can determine whether the stored instructions indicate that any of the just-stored packets need to be further processed based on the packets being stored in database 731A. In the example of event 1112, there is no such indication and no further processing of the stored packets is performed. Events 1110 through 1112 are repeated multiple times (e.g., when archive 703 transfers a copy of additional packets that match the C-based criteria, and subsequent correlated packets of the C-based criteria received by archive 703, and the corresponding logs).

[0139] Event 1116 is similar to event 819 in FIG. 8A, but system 730B can receive CTI data 1100.2 including data D. As in the examples of FIGS. 8A and 8B, system 730B may determine that it is unlikely that analyzing the log of packets matching D-based criteria is useful and / or that long-term storage of such logs or packets matching D-based criteria has not yet been guaranteed. However, data D may later be determined to be important, in which case it may be beneficial to temporarily store packets matching D-based criteria. Event 1117 is similar to event 820, but system 730B can monitor whether the packets stored by archive 703 match D-based criteria and instruct system 730A to store a copy of such packets for at least a predetermined time. The instruction for event 1117 may further instruct that correlation packets of D-based criteria also need to be stored.

[0140] Event 1118 is similar to event 821, but system 730A can update the instruction list to store the instructions received in event 1117. In event 1119, system 730A can transfer instructions to archive 703 to: (i) send a copy of the captured packets (and corresponding logs) that match D-based criteria and are currently stored by archive 703; (ii) send a copy of the correlation packets of D-based criteria (and corresponding logs) currently stored by archive 703; (iii) send a copy of the packets received thereafter by archive 703 that match D-based criteria; (iv) send a copy of the correlation packets of D-based criteria received thereafter by archive 703; (v) send a copy of the log of the packets received thereafter that match D-based criteria and a copy of the log of the correlation packets of D-based criteria received thereafter; (vi) start storing packets that match D-based criteria, logs of packets that match D-based criteria, correlation packets of D-based criteria, and logs of correlation packets of D-based criteria for a period longer than the default retention period.

[0141] In event 1121, the archive 703 transmits a copy of the captured packets (and corresponding logs) that match the D-based criteria and are currently stored by the archive 703, and a copy of the correlated packets (and corresponding logs) of the D-based criteria currently stored by the archive 703. In event 1122, the system 730A stores the packets and logs received in event 1121 in the database 731A. As part of event 1122, the system 730A indexes the stored packets and stored logs to the D-based criteria, the instructions stored in event 1118, and / or the instructions of event 1119. The system 730A can index the stored packets and logs using the methods described in connection with FIGS. 8A, 8B, 9C, 9E, and 9F. The stored correlated packets of the D-based criteria and the corresponding logs may be further indexed so as to omit further processing of those packets and logs by the system 730A, but those packets and logs are identified and transferred when appropriate (e.g., when it is determined that a packet or log that matches the D-based criteria also matches one or more additional criteria). In event 1123, which is similar to event 835, the system 730A can determine whether the stored instructions indicate that any of the just-stored packets need to be further processed based on the packets being stored in the database 731A. In the example of event 1123, there is no such indication and no further processing of the stored packets is performed. Events 1121 through 1123 may be repeated multiple times (e.g., if the archive 703 transfers copies of additional packets that match the D-based criteria, and additional correlated packets of the D-based criteria and corresponding logs received later by the archive 703).

[0142] Event 1027 is similar to event 838 in FIG. 8B, but system 730B can receive CTI data 1100.3 including data E (e.g., one or more NTIs). System 730B may determine that data E and data C may be related (or potentially related) to the same cyber threat (e.g., based on one or more determinations as described in relation to FIG. 6E or otherwise described herein), and determine that captured packets that match C-based criteria may be important if those packets also match E-based criteria. Event 1128 is similar to event 839, but system 730B can send an instruction to system 730A to check whether captured packets that match C-based criteria also match E-based criteria. Event 1129 is similar to event 840, but system 730A can update the instruction list to include the instruction received in event 1128 and determine that there are stored packets that match C-based criteria. Event 1130 is similar to event 843, but system 730A can obtain stored packets that match C-based criteria and corresponding logs from database 731A. Event 1133 is similar to event 844, but system 730A can update the obtained logs for each of the obtained packets. Event 1134 is similar to event 845, but system 730A can store the updated logs in database 731B and save data indexed to instructions associated with capturing packets based on C-based criteria and / or C-based criteria.

[0143] Event 1139 (Figure 11B) is similar to event 846, but system 730A can determine that a packet corresponding to a portion of the saved update log that matches C-based criteria also matches E-based criteria, and thus, the packet corresponding to that portion of the saved update log matches both C-based and E-based criteria. Event 1140 is similar to event 847, but system 730A can save data that indexes that portion of the log and the corresponding saved packet to both C-based and E-based criteria (and / or the instructions saved in event 1129).

[0144] In event 1141, based on the determination that there are packets that match the C-based and E-based criteria, system 730A can execute further actions indicated by the instructions stored in event 1129. The further actions include that system 730A notifies the SIEM system 702 that the captured packets that match the C-based criteria also match the E-based criteria, that packets (and / or corresponding logs) that match the C-based and E-based criteria need to be retained continuously (e.g., extension of an additional period, a longer period, and / or until further notice), and / or that correlation packets of the C-based and E-based criteria (e.g., correlation packets of packets that match the C-based and E-based criteria) (and / or corresponding logs) need to be retained continuously (e.g., extension of an additional period, a longer period, and / or until further notice). The alert to be sent includes this. Also, alternatively, the alert may indicate that all packets (and / or corresponding logs) that match the C-based criteria need to be retained continuously, and / or that all correlation packets of the C-based criteria (and / or corresponding logs) need to be retained continuously. Further actions (and event 1141) also include that system 730A collects and / or transmits copies of packets that match the C-based and E-based criteria, copies of the logs corresponding to those packets, copies of correlation packets of the C-based and E-based criteria, copies of the logs corresponding to those packets, copies of all packets that match the C-based criteria, copies of the logs corresponding to those packets, copies of correlation packets of the C-based criteria of all packets that match the C-based criteria, and / or copies of the logs corresponding to those packets. In addition to (or instead of) sending alerts, captured packets, and / or logs to the SIEM system 702, system 730A can send alerts, captured packets, and / or logs to one or more other computing devices (such as system 730B, the SOAR platform, the archive 703, etc.).

[0145] System 730A can continue to receive and store packets (and corresponding logs) that conform to C-based criteria (from archive 703), continue to receive and store correlation packets (and corresponding logs) of C-based criteria, and continue to perform operations similar to those described above in relation to events 1111, 1112, and 1133 through 1141 on such packets and logs. System 730A can continue this until instructed by system 730B or another computing device. Also, or alternatively, System 730A can continue to store and process captured packets that conform to C-based criteria and corresponding logs (and / or continue to store correlation packets of C-based criteria and corresponding logs) until there are no more related activities over a predetermined period (e.g., no more new instructions related to comparing those packets that conform to C-based criteria to other criteria such that they no longer conform to E-based criteria or other criteria).

[0146] Events 1145 and 1146 are each similar to events 851 and 852. Event 1147 is similar to event 853 or event 854, but differs in that a cancellation instruction is sent to archive 703 in event 1147. Assuming there are no other instructions that require such an item or extend the retention period of such an item, the cancellation instruction for event 1147 causes archive 703 to stop transmitting the captured packets (or corresponding logs) that match the D-based criteria, stop transmitting the captured D-based criteria correlation packets (and corresponding logs), and return to the default retention period for such packets and logs. Event 1148 is similar to event 855, matches the D-based criteria, and includes deleting from database 731A the saved packets indexed to the rules saved in event 1118, the saved D-based criteria correlation packets indexed to the rules saved in event 1118, and the corresponding logs indexed to the rules saved in event 1118.

[0147] The examples of FIGS. 11A and 11B are simplified for illustrative purposes and there are numerous variations within the scope of the present disclosure. Many of the events shown in FIGS. 11A and 11B can occur multiple times, and events similar to those shown in FIGS. 11A and 11B, but related to other CTI data and associated instructions, rules, etc., can also occur multiple times and / or can occur alternately with the times of the events shown in FIGS. 11A and 11B. Instructions to cause system 730A to compare previously saved capture packets against additional criteria are different from the instructions stored in event 1129. Non-limiting examples of such different types of instructions are provided above in connection with the examples of FIGS. 8A and 8B. As another variation, system 730A does not initially instruct archive 703 to store packets that match C-based criteria, correlation packets for the C-based criteria, and corresponding logs for a long period of time (event 1107), and / or does not initially instruct archive 703 to store packets that match D-based criteria, correlation packets for the D-based criteria, and corresponding logs for a long period of time (event 1119). If such packets and logs are later determined to be important (e.g., based on a match with E-based criteria), a copy can be provided from the copy stored in database 731A to archive 703. As a further variation, logs of correlation packets can be updated and compared against later criteria, similar to logs of packets that match previous criteria (e.g., logs of correlation packets for C-based criteria are updated and compared against E-based criteria).

[0148] Other modifications to the example of FIGS. 11A - 11B may include modifications similar to those described above in connection with the example of FIGS. 8A - 8B. For example, the firewall 153 may be configured to generate logs that contain more or less information about packets that match criteria such as C - based and D - based criteria and / or correlated packets. Alternatively, the firewall 153 may not be configured to generate logs for packets that match criteria such as C - based and D - based criteria and / or correlated packets. If the firewall 153 does not generate such logs, the event 1133 can be modified to include generating logs from stored packets that match criteria such as C - based and D - based criteria and / or from stored correlated packets.

[0149] FIGS. 12A and 12B are flowcharts showing an example of a method for performing filtering, aggregation, and / or retention control based on updated cyber threat intelligence. One, some, or all of the steps of the exemplary method of FIGS. 12A - 12B can be performed by the system 730A and / or by a combination of one or more computing devices configured to perform some or all of the operations and / or functions of the system 730A. For convenience, FIGS. 12A and 12B are described below in connection with the system 730A. Also, or alternatively, one, several, or all of the steps of the exemplary method of FIGS. 12A and 12B may be performed by one or more other computing devices (e.g., system 730B or system 130). One or more steps of the exemplary method of FIGS. 12A and 12B may be rearranged (e.g., performed in a different order), combined, omitted, and / or otherwise modified, and / or additional steps may be added.

[0150] In step 1201, system 730A can determine whether it has received a new captured packet (e.g., from one or more PSGs 110 such as events 832 and 833, from firewall 153 such as event 1015, from archive 703 such as events 1110 and 1121, or from one or more other computing devices), or whether it has received one or more instructions (e.g., from system 730B such as events 812, 820, 839, 1002, 1009, 1022, 1105, 1117, and 1128, or from one or more other computing devices). If nothing has been received, step 1201 can be repeated. If a new captured packet is received, step 1231 (indicated by connector GG and described below in relation to FIG. 12B) is executed. If an instruction is received, step 1202 is executed.

[0151] In step 1202, system 730A can verify the received instruction and update the instruction list based on the received instruction. The received instruction may indicate that previously saved instructions need to be deleted. The received instruction may indicate that one or more new instructions need to be saved, as in the examples of events 813, 821, 840, 1003, 1010, 1023, 1106, 1118, and 1129. The new instructions may include an instruction to save captured packets that match one or more criteria, an instruction to further determine matches by comparing saved packets that match one or more criteria against one or more additional criteria, and / or an instruction to perform additional actions (e.g., send an alert based on one or more matches to one or more criteria, send a copy of a log and / or captured packet based on one or more matches to one or more criteria, and / or perform other actions). The received instruction may include a decryption algorithm and / or other information that can be used to process the saved packets. The received instruction may indicate that previously saved instructions need to be modified.

[0152] In step 1203, the system 730A can determine whether the instructions updated or added in step 1202 need to generate one or more rules (and / or other types of instructions) to be sent to one or more devices / sources of the captured packets (e.g., PSG 110 in the examples of FIGS. 8A and 8B, firewall 153 in the examples of FIGS. 10A and 10B, archive 703 in the examples of FIGS. 11A and 11B, and / or one or more other devices / sources). A rule (or instruction) can indicate capturing and transferring a copy of packets (and / or correlated packets) that match one or more criteria, transferring a copy of a packet that has already been captured, generating and / or transferring (or not) a log of the packet, and / or performing (or not performing) other actions. Examples of rules / instructions that can be generated and sent in step 1204 include the rules / instructions of events 815, 816, 823, 824, 1004, 1011, 1107, and 1119. The rules / instructions generated and sent in step 1204 may cancel one or more previous rules / instructions. If no rules / instructions are sent, step 1209 can be executed. If rules / instructions are to be sent, the system 730A can generate and send the corresponding rules / instructions in step 1204.

[0153] In step 1209 (e.g., executed as part of events 840, 1023, and 1129), system 730A can determine whether the instructions updated and / or added in step 1202 indicate that it is necessary to check whether one or more previously saved packets match one or more criteria. If the answer is no, step 1225 is executed. Step 1225 will be described below. If the answer is yes, step 1210 is executed. In step 1210, system 730A can determine whether a log of one or more previously saved packets that check whether they match one or more criteria has already been generated, and if such a log has been generated, whether an update to those logs (e.g., based on the instructions updated and / or added in step 1202) is necessary. If the answer is no, system 730A generates (or updates existing logs) those logs in step 1211, saves those logs (e.g., to database 731A), and / or indexes those logs (e.g., in relation to the instructions updated or added in step 1202 and / or in relation to the criteria associated with those instructions). Examples of step 1210 include events 844 and 845, events 1025 and 1026, and events 1133 and 1134. For example, if the instructions updated and / or added in step 1202 include additional information that can extract additional data from the captured packets, the previously generated logs are updated. As another example, in the case of logs that are received along with the captured packets and contain only basic or minimal information, the previously generated logs are updated.

[0154] After step 1211, or after being determined as "Yes" in step 1210, the system 730A can, in step 1212, obtain the log that was generated (and / or updated), indexed, and saved in step 1211, or the log that was previously generated, indexed, and saved and was determined not to need updating in step 1210. In step 1217, the system 730A compares with the log from which one or more criteria of the instructions updated and / or added in step 1202 were obtained, and determines whether there is a match. Examples of step 1217 include events 846, 1027, and 1139. In step 1218, the system 730A can save data for indexing the obtained log (or a part thereof) and / or the corresponding saved packet based on the match determined in step 1217. Examples of step 1218 include events 847, 1028, and 1140. In step 1219, the system 730A can determine whether the instructions updated and / or added in step 1202 indicate that further actions need to be taken based on the match determined in step 1217. Further actions include sending an alert (e.g., indicating that one or more packets match one or more criteria, indicating the relationship or potential relationship between one or more packets and one or more cyber threats, indicating that the packets and / or logs need to be retained, and / or indicating one or more other actions, decisions, or events), generating and / or indicating that packets (e.g., packets that match one or more criteria, correlated packets) need to be retained, indicating that logs need to be retained, collecting and / or sending packets (e.g., packets that match one or more criteria, correlated packets), collecting and / or sending logs, and / or other actions. If no further actions are indicated, the system 730A executes step 1225. If one or more additional actions are indicated, the indicated additional actions can be executed in step 1220.The examples of step 1220 include events 848, 1029, and 1141.

[0155] In step 1225, system 730A determines whether it is necessary to delete the stored instructions, packets, and / or logs. For example, system 730A can be configured to delete the stored packets, logs, and / or instructions when there is no related activity over a predetermined period (e.g., no further instructions related to the stored packets are received, the stored packets do not meet other criteria, the stored packets or logs are not accessed). The examples of step 1225 include events 851, 1033, and 1145.

[0156] If system 730A determines in step 1225 that there are stored instructions, packets, and / or logs to be deleted, those stored instructions, packets, and / or logs are deleted in step 1226. As part of step 1226, system 730A can generate and send one or more rules / instructions that cancel one or more previous rules / instructions that caused the transfer of the packet (and / or log). Examples of step 1226 include, for example, events 852 to 854, events 1034 to 1036, and events 1146 to 1148. After step 1226, or after a "No" determination in step 1225, system 730A repeats step 1201.

[0157] If the system 730A determines at step 1201 that a new packet has been received, the system 730A executes step 1231 (FIG. 12B). At step 1231, the system 730A stores the received packet (and the corresponding log if received), and can store data that indexes the received packet (and the log if received) to the criteria, instructions, and / or rules for receiving those packets. Examples of step 1231 include events 834, 1016, 1111, and 1122. At step 1232 (examples of which include events 835, 1017, 1112, and 1123), the system 730A determines (e.g., for comparison with additional criteria) whether any of the instructions stored by the system 730A indicates that any of the packets stored at step 1231 needs to be further processed. If No, the system 730A executes step 1225. If Yes, the system 730A executes step 1233. At step 1233, the system 730A can generate a log of the packets stored at step 1231. For example, if events 839 and 840 occurred before event 832, step 1233 may have been executed in the examples of FIGS. 8A and 8B. If a log was received with the packet, step 1233 includes updating those logs (e.g., based on the read fields of the packet) to enter additional fields. At step 1234, the system 730A can compare the log generated / updated at step 1233 to the criteria indicated by one or more stored instructions (e.g., instructions indicating that captured packets matching one or more criteria need to be compared to one or more additional criteria). At step 1239, the system 730A can store data that indexes one or more logs (generated / updated at step 1233) and one or more packets (stored at step 1231) based on the matches determined based on the comparison of step 1234.

[0158] In step 1241, system 730A can determine (e.g., by the stored instructions associated with the comparison in step 1234) whether further action is indicated based on the match determined by the comparison in step 1234. If yes, system 730A can perform the additional actions indicated in step 1242, which is similar to step 1220. If no, or after step 1242, system 730A performs step 1225 (indicated by connector HH).

[0159] Figures 13A and 13B are sequence diagrams showing additional examples of events related to filtering, aggregating, and / or retention control based on updated cyber threat intelligence. Figure 13B is a continuation of Figure 13A. In the examples of Figures 13A and 13B, similar to the examples of Figures 11A and 11B, the firewall 153 can capture some or all of the packets passing through the firewall 153 (e.g., all packets sent from a host outside the network 151 to the host 152, and some or all of the packets sent from the host 152 to a host outside the network 151), generate at least some basic level of logs for all those packets, and transfer the captured packets and the generated logs to the archive 703 for storage (e.g., separate from all instructions received from the system 730A or the system 730B). However, in the examples of Figures 13A and 13B, these packets and logs are transferred to the system 730A, and the system 730A transfers these packets and logs to the archive 703. The archive 703 can store the transferred packets and logs for a default retention period or a longer retention period based on instructions received from the system 730A. The system 730A can determine which packets and / or logs to store for a longer retention period based on a comparison with criteria based on CTI data. Similar to the examples of Figures 11A and 11B, in the examples of Figures 13A and 13B, the retention time of packets determined to be potentially important can be extended based on criteria potentially related to one or more cyber threats and / or updated criteria. The number, order, and / or timing of the events shown in Figures 13A and 13B can vary, additional events may occur, and / or one or more of the events shown in Figures 13A and 13B may be omitted, repeated, or changed. Events (or portions thereof) as shown in Figures 13A and 13B may be executed alone or in combination with events such as those shown in one or more other drawings and / or described herein.

[0160] Event 1303 is similar to event 811 in FIG. 8A, but system 730B can receive CTI data 1300.1 including data C. As in the examples of FIGS. 8A and 8B, system 730B determines that it is unlikely that the analysis of the log of packets matching the C-based criteria is useful and / or that the long-term storage of such logs or packets matching the C-based criteria is not yet guaranteed. However, it is possible that data C may later be determined to be important, in which case it may be beneficial to temporarily store packets matching the C-based criteria. Event 1304 is similar to event 812, but system 730B monitors whether the packets and / or logs stored by archive 703 match the C-based criteria, and can instruct system 730A to store a copy of the packets (and / or corresponding logs) matching the C-based criteria for at least a predetermined period longer than the default storage period. The instruction for event 1304 further instructs that the correlated packets of the C-based criteria (and / or the logs of such correlated packets) also need to be stored for at least a predetermined time. Event 1205 is similar to event 813, but system 730A can update the instruction list to store the instructions received in event 1204.

[0161] Event 1309 is similar to event 819 in FIG. 8A, but system 730B can receive CTI data 1300.2 including data D. As in the examples of FIGS. 8A and 8B, system 730B may determine that the analysis of the log of packets matching D-based criteria is unlikely to be useful and / or that the long-term storage of such logs or packets matching D-based criteria is not yet guaranteed. However, data D may later be determined to be important, in which case it may be beneficial to temporarily store packets matching D-based criteria. Event 1310 is similar to event 820, but system 730B monitors whether the packets stored by archive 703 match D-based criteria and can instruct system 730A to store a copy of the packets matching D-based criteria for at least a predetermined period longer than the default storage period. The instruction for event 1310 further instructs that the correlated packets of D-based criteria also need to be stored for at least a predetermined time. Event 1311 is similar to event 821, but system 730A can update the instruction list to store the instructions received in event 1310.

[0162] In event 1315, firewall 153 may transfer the captured packets and the logs associated with those captured packets to system 730A. In event 1316, system 730A can determine which of the packets and logs received in event 1215 are monitored packets or logs, or which are correlated packets (or corresponding logs) of the monitored packets. In particular, system 730A can determine which of the received packets and logs match the criteria of the stored instructions indicating the packets to be monitored and the correlated packets to be stored. In the examples of FIGS. 13A and 13B, these stored instructions include the instructions stored in events 1305 (indicating that packets and logs matching C-based criteria need to be monitored) and 1311 (indicating that packets and logs matching D-based criteria need to be monitored). In event 1316, system 730A identifies packets (and corresponding logs) matching C-based criteria, packets (and corresponding logs) matching D-based criteria, correlated packets (and corresponding logs) of C-based criteria, and correlated packets (and corresponding logs) of D-based criteria. In event 1317, system 730A can transfer the packets received in event 1315 and identified in event 1316 to archive 703. As part of event 1317, system 730A can also instruct archive 703 to store the packets and logs identified in event 1316 for a long period of time. In event 1318, system 730A stores the packets and logs identified in event 1316 in database 731A. As part of event 1318, system 730A indexes either the stored packets (and corresponding logs) matching C-based criteria and the correlated packets (and corresponding logs) of C-based criteria according to the C-based criteria and / or the instructions stored in event 1305. System 730A can index the stored packets and logs using the methods described in connection with FIGS. 8A, 8B, 9C, 9E, and 9F.The C-based reference correlation packets and corresponding logs may be further indexed so that further processing of those packets and logs by system 730A can be omitted, but those packets and logs are identified and transferred when appropriate (e.g., when a packet or log matching the C-based reference is determined to match one or more additional criteria). Similarly, as part of event 318, system 730A indexes any stored packets (and corresponding logs) that match the D-based reference, and the D-based reference correlation packets (and corresponding logs) to the D-based reference and / or the instructions stored in event 1311. The D-based reference correlation packets and corresponding logs may be further indexed so that further processing of those packets and logs by system 730A can be omitted, but those packets and logs are identified and transferred when appropriate (e.g., when a packet or log matching the D-based reference is determined to match one or more additional criteria). Event 1319 is similar to event 835, but system 730A can determine whether the stored instructions indicate that any of the just-stored packets need to be further processed based on the fact that the packets are just stored in database 731A. In the example of event 1319, there is no such indication and no further processing of the stored packets is performed.

[0163] Events 1315 to 1319 can be repeated multiple times. In the repetition of Event 1315, there may be no packets that match the C-based criteria. In such a case, Events 1316 to 1319 are changed to omit actions related to packets that match the C-based criteria or correlated packets of the C-based criteria. In the repetition of Event 1315, there may be no packets that match the D-based criteria. In such a case, Events 1316 to 1319 are changed to omit actions related to packets that match the D-based criteria or correlated packets of the D-based criteria. In the repetition of Event 1315, there may be no packets that match the C- or D-based criteria. In such a case, Event 1317 may be changed to omit actions related to packets that match the C-based criteria, correlated packets of the C-based criteria, packets that match the D-based criteria, or correlated packets of the D-based criteria, and Events 1318 and 1319 may not occur.

[0164] Event 1323 is similar to event 838 in FIG. 8B, but system 730B can receive CTI data 1100.3 including data E (e.g., one or more NTIs). System 730B may determine that data E and data C may be related (or potentially related) to the same cyber threat (e.g., based on one or more determinations as described in relation to FIG. 6E or otherwise described herein), and determine that captured packets that match C-based criteria may be important if those packets also match E-based criteria. Event 1324 is similar to event 839, but system 730B can send an instruction to system 730A to check whether captured packets that match C-based criteria also match E-based criteria. Event 1325 is similar to event 840, but system 730A can update the instruction list to include the instruction received in event 1324 and determine that there are stored packets that match C-based criteria. Event 1326 is similar to event 843, but system 730A can obtain stored packets that match C-based criteria and corresponding logs from database 731A. Event 1334 is similar to event 844, but system 730A can update the obtained logs for each of the obtained packets. Event 1335 is similar to event 845, but system 730A can store the updated logs in database 731B and store data indexed to the C-based criteria and / or instructions stored in event 1305 for those updated logs.

[0165] Event 1339 (Figure 13B) is similar to event 846, but system 730A determines that a portion of the stored update log of packets that conforms to C-based criteria also conforms to E-based criteria, and thus the packets corresponding to that portion of the stored update log conform to both C-based and E-based criteria. Event 1340 is similar to event 847, but system 730A can store data that indexes that portion of the log and the corresponding stored packets to C-based and E-based criteria (and / or the instructions stored in event 1325).

[0166] In Event 1341, based on the determination that there are packets that match both C-based and E-based criteria, System 730A can execute further actions indicated by the instructions stored in Event 1325. Further actions include that System 730A notifies the SIEM system 702 that the captured packets matching the C-based criteria also match the E-based criteria, that packets (and / or corresponding logs) matching both C-based and E-based criteria need to be retained continuously (e.g., extension of an additional period, a longer period, and / or until further notice), and / or that correlation packets of C-based and E-based criteria (e.g., correlation packets of packets matching both C-based and E-based criteria) (and / or corresponding logs) need to be retained continuously (e.g., extension of an additional period, a longer period, and / or until further notice), including sending an alert indicating this. Also, or alternatively, the alert may indicate that all packets (and / or corresponding logs) matching the C-based criteria need to be retained continuously, and / or that all correlation packets of the C-based criteria (and / or corresponding logs) need to be retained continuously. Further actions (and Event 1341) may also include that System 730A collects and / or sends copies of packets that match both C-based and E-based criteria, copies of logs corresponding to those packets, copies of correlation packets of C-based and E-based criteria, copies of logs corresponding to those packets, copies of all packets matching the C-based criteria, copies of logs corresponding to those packets, copies of correlation packets of the C-based criteria of all packets matching the C-based criteria, and / or copies of logs corresponding to those packets. In addition to (or instead of) sending alerts, packets, and / or logs to the SIEM system 702, System 730A can send alerts, packets, and / or logs to one or more other computing devices (such as System 730B, a SOAR platform, Archive 703, etc.).

[0167] System 730A continues to receive and store packets (and corresponding logs) that conform to the C-based criteria (from firewall 153), continues to receive and store correlated packets (and corresponding logs) of the C-based criteria, and can perform operations similar to those described above in relation to events 1318, 1319, and 1334 to 1341 on such packets and logs. System 730A can continue this until instructed by system 730B or another computing device. Also, or alternatively, System 730A can continue to store and process the captured packets and corresponding logs that conform to the C-based criteria (and / or continue to store the correlated packets and corresponding logs of the C-based criteria) until there are no related activities over a predetermined period (for example, the packets that conform to the C-based criteria no longer further conform to the E-based criteria or other criteria, there are no new instructions related to comparing those packets to other criteria, etc.).

[0168] Events 1345 and 1346 are similar to events 851 and 852 respectively. Event 1347 is similar to event 853 or event 854, but differs in that a cancellation instruction is sent to archive 703 in event 1347. Assuming there are no other instructions requesting an extension of the retention period of such items, the cancellation instruction of event 1347 causes archive 703 to return to the default retention period for packets (and corresponding logs) that conform to the D-based criteria and correlated packets (and corresponding logs) of the D-based criteria. Event 1348 is similar to event 855, conforms to the D-based criteria, and includes deleting from database 731A the stored packets indexed to the rules stored in event 1311, the stored correlated packets of the D-based criteria indexed to the rules stored in event 1311, and the corresponding logs indexed to the rules stored in event 1311.

[0169] The examples of FIGS. 13A and 13B are simplified for illustration purposes and there are numerous modifications within the scope of the present disclosure. Many of the events shown in FIGS. 13A and 13B can occur multiple times, and events similar to those shown in FIGS. 13A and 13B, but related to other CTI data and associated instructions, rules, etc., can also occur multiple times and / or can occur alternately with the times of the events shown in FIGS. 13A and 13B. Instructions to cause system 730A to compare previously stored capture packets against additional criteria are different from the instructions stored in event 1325. Non-limiting examples of such different types of instructions are provided above in connection with the examples of FIGS. 8A and 8B. As another modification, system 730A does not initially instruct archive 703 to store packets that match a C-based criterion, correlation packets of the C-based criterion, and corresponding logs for a long period of time (event 1107), and / or does not initially instruct archive 703 to store packets that match a D-based criterion, correlation packets of the D-based criterion, and corresponding logs for a long period of time (event 1317). If such packets and logs are later determined to be important (e.g., based on a match with an E-based criterion), a copy is provided from the copy stored in database 7,31A to archive 703. As a further modification, similar to the logs of packets that match previous criteria, the logs of correlation packets are updated and can be compared against later criteria (e.g., the logs of correlation packets of the C-based criterion are updated and compared against the E-based criterion).

[0170] Other modifications to the example of FIGS. 13A - 13B may include modifications similar to those described above in connection with the example of FIGS. 8A - 8B. For example, firewall 153 can be configured to generate logs that contain more or less information about packets and / or correlated packets that match criteria such as C - based and D - based criteria. Alternatively, firewall 153 may not be configured to generate logs for packets that match criteria such as C - based and D - based criteria, and / or for correlated packets. If firewall 153 does not generate such logs, event 1334 can be modified to include generating logs from stored packets that match criteria such as C - based and D - based criteria and / or from stored correlated packets.

[0171] FIGS. 14A and 14B are flowcharts showing an example of a method for performing filtering, aggregation, and / or retention control based on updated cyber - threat intelligence. One, some, or all of the steps of the exemplary method of FIGS. 14A - 14B can be performed by system 730A and / or by a combination of one or more computing devices configured to perform some or all of the operations and / or functions of system 730A. For convenience, FIGS. 14A and 14B are described below in connection with system 730A. Also, or alternatively, one, several, or all of the steps of the exemplary method of FIGS. 14A and 14B may be performed by one or more other computing devices (e.g., system 730B or system 130). One or more steps of the exemplary method of FIGS. 14A and 14B may be rearranged (e.g., performed in a different order), combined, omitted, and / or otherwise modified, and / or additional steps may be added.

[0172] In step 1401, system 730A can determine whether it has received a newly captured packet (e.g., from firewall 153 as in event 1315, or from one or more other computing devices), or whether it has received one or more instructions (e.g., from system 730B as in events 1304, 1310, and 1324, or from one or more other computing devices). If nothing has been received, step 1401 can be repeated. If a newly captured packet is received, step 1431 (indicated by connector II and described below in relation to FIG. 14B) is executed. If an instruction is received, step 1402 is executed.

[0173] In step 1402, system 730A can verify the received instruction and update the instruction list based on the received instruction. The received instruction may indicate that previously saved instructions need to be deleted. The received instruction may indicate that one or more new instructions need to be saved, such as in the examples of events 1305, 1311, and 1325. The new instructions may include an instruction to save captured packets that match one or more criteria, an instruction to further determine a match by comparing the saved packets that match one or more criteria with one or more additional criteria, an instruction to execute additional actions (e.g., send an alert based on one or more matches to one or more criteria, send a copy of the log and / or captured packets based on one or more matches to one or more criteria, and / or execute other actions). The received instruction may include a decryption algorithm, and / or other information that can be used to process the saved packets. The received instruction may indicate that previously saved instructions need to be modified.

[0174] In step 1409 (e.g., executed as part of event 1325), system 730A can determine whether the instructions updated and / or added in step 1402 indicate that it is necessary to check whether one or more previously saved packets match one or more criteria. If the answer is no, step 1425 is executed. Step 1425 will be described below. If the answer is yes, step 1410 is executed. In step 1410, system 730A can determine whether a log of one or more previously saved packets that check whether they match one or more criteria has already been generated, and if such a log has been generated, whether an update of those logs (e.g., based on the instructions updated and / or added in step 1402) is necessary. If the answer is no, system 730A generates (or updates existing logs) those logs in step 1411, saves those logs (e.g., in database 731A), and / or indexes those logs (e.g., in relation to the instructions updated or added in step 1402 and / or in relation to the criteria associated with those instructions). Examples of step 1411 include events 1334 and 1335. For example, if the instructions updated and / or added in step 1402 include additional information that can extract additional data from the captured packets, the previously generated logs are updated. As another example, in the case of a log received with the captured packets that contains only basic or minimal information, the previously generated logs are updated.

[0175] After step 1411, or after a determination of "Yes" in step 1410, system 730A can, in step 1412, obtain the log that was generated (and / or updated), indexed, and stored in step 1411, or the log that was previously generated, indexed, and stored and was determined in step 1410 not to require updating. In step 1417, system 730A compares with the log for which one or more criteria of the instructions updated and / or added in step 1402 were obtained, and determines whether there is a match. An example of step 1417 includes event 1339. In step 1418, system 730A can save data that indexes the obtained log (or a portion thereof) and / or the corresponding stored captured packet based on the match determined in step 1417. An example of step 1418 includes event 1340. In step 1419, system 730A can determine whether the instructions updated and / or added in step 1402 indicate that a further action needs to be performed based on the match determined in step 1417. Further actions include transmitting an alert (e.g., indicating that one or more packets match one or more criteria, indicating a relationship or potential relationship between one or more packets and one or more cyber threats, indicating that a packet and / or log needs to be retained, and / or indicating one or more other actions, decisions, or events), generating and / or indicating that a packet (e.g., a packet that matches one or more criteria, a correlated packet) needs to be retained, indicating that a log needs to be retained, collecting and / or transmitting a packet (e.g., a packet that matches one or more criteria, a correlated packet), collecting and / or transmitting a log, and / or other actions. If no further action is indicated, system 730A performs step 1225. If one or more additional actions are indicated, the indicated additional actions are performed in step 1420. An example of step 1420 includes event 1341.

[0176] In step 1425, system 730A determines whether it is necessary to delete the stored instructions, packets, and / or logs. For example, system 730A can be configured to delete the stored packets, logs, and / or instructions if there is no related activity over a predetermined period (e.g., no instructions related to the stored packets are received, the stored packets do not match other criteria, the stored packets or logs are not accessed). An example of step 1425 includes event 1345.

[0177] If system 730A determines in step 1425 that there are stored instructions, captured packets, and / or logs to be deleted, those stored instructions, captured packets, and / or logs are deleted in step 1426. As part of step 1426, system 730A can generate and send one or more instructions to cancel one or more previous instructions that caused the transfer of the packet (and / or log). Examples of step 1426 include events 1346 through 1348. After step 1426, or after a "No" determination in step 1425, system 730A repeats step 1401.

[0178] If the system 730A determines at step 1401 that a new packet has been received, the system 730A executes step 1431 (FIG. 14). At step 1431, the system 730A determines whether the received packet is a packet that the system 730A is monitoring (for example, whether the received packet corresponds to a stored instruction indicating a packet to be monitored). An example of step 1431 includes event 1316. If the answer is no, the system 730A transfers the received packet (and the corresponding log if received) to the archive 703 at step 1432 (for example, without an instruction to extend the retention time of these packets). After step 1432, if the system 730A determines that the packet received at step 1431 by the system that executes step 1425 (indicated by connector JJ) contains a packet that the system 730A is monitoring, the system 730A can execute step 1433. At step 1433, the system 730A transfers the received packet (and the corresponding log if received), but can include one or more instructions indicating packets and / or logs for which the retention period needs to be extended (for example, the monitored packets determined at step 1431, related packets of the monitored packets, the corresponding logs). An example of step 1433 includes event 1317. At step 1438, the system 730A can store the monitored packets determined at step 1431, as well as correlated packets and the corresponding logs. As part of step 1438, the system 730A can store data that indexes the received packets to the criteria and / or instructions for receiving those packets. An example of step 1438 includes event 1318.

[0179] In step 1439 (one example of which includes event 1319), system 730A determines whether any of the instructions stored by system 730A need to further process (e.g., for comparison with additional criteria) any of the packets stored in step 1338. If no, system 730A executes step 1425. If yes, system 730A executes step 1441. In step 1441, system 730A can generate (and / or update) a log of the packets stored in step 1438. If logs are received with the packets, step 1441 can include updating those logs (e.g., based on the read fields of the packets) to enter additional fields.

[0180] In step 1442, system 730A can compare the log generated / updated in step 1441 with criteria indicated by one or more stored instructions (e.g., instructions indicating that packets captured based on matching one or more criteria need to be compared with one or more additional criteria). In step 1445, system 730A can store data that indexes one or more logs (generated / updated in step 1441) and one or more packets (stored in step 1438) based on the matches determined based on the comparison of step 1442. In step 1446, system 730A can determine whether further actions are indicated (e.g., by a stored instruction associated with the comparison of step 1442) based on the matches determined by the comparison of step 1442. If yes, system 730A can execute the additional actions indicated in step 1447, which is similar to step 1420. If no, system 730A executes step 1425 (indicated by connector JJ).

[0181] As described above, previous CTIs may indicate a low threat level associated with a threat, and new CTIs for that threat may indicate a higher threat level. The reverse may also occur. For example, in a previous CTI, it may be shown that the threat level associated with a threat is high, while in a new CTI, it may be shown that the threat level associated with that threat is low. Determining that the initially high threat level needs to be lowered (e.g., by comparing criteria based on updated CTIs with logs or captured packets associated with previous CTIs) may be as valuable as determining that the initially low threat level needs to be raised. Threats can have a life cycle. For example, the NTI associated with a threat may initially be of low risk, but increase to high risk, then decrease to low risk, and return to high risk again. As yet another example, a legitimate website may be hacked and malware may be distributed. The hacked website may be repaired immediately, and the distribution of malware may stop. System 130 can use the life cycle of the NTI to block access to the hacked website until the threat associated with the hacked website decreases, or perform other procedures until that threat decreases. Such other procedures may include, for example, setting a high-risk profile for filtering rules (e.g., requiring additional logging or packet capture), enforcing the use of the latest Transport Layer Security (TLS) protocol, restricting encrypted sessions, and / or using a man-in-the-middle (MITM) decryption proxy to continue to recognize the content of malicious packets.

[0182] As described above, CTI can be received from a provider 135 external to the system 130. Additionally, or alternatively, the system 130 can generate its own CTI based on the analysis as described herein. For example, when analyzing existing logs and / or captured packets, the system 130 can further analyze the existing logs and / or captured packets, adjust filtering rules, and / or detect additional NTI that can be used to use the CTI from an external provider in any way. The system 130 can repeatedly execute multiple cycles such as CTI generation, application of criteria logs and / or packet captures based on the generated CTI, and generation of additional CTI.

[0183] As described above, new CTI can be used to analyze logs associated with previous CTI. Such analysis is performed based on information obtained from the analysis of captured packets associated with the previous CTI. However, such analysis can also be performed without analyzing the captured packets. For example, valuable information (affected hosts, threat handling, etc.) can be obtained by applying information from the new CTI to packet logs where there are no corresponding captured packets or where analysis of the corresponding captured packets is not required.

[0184] One or more of the features described herein may be embodied in computer-usable or readable data and / or computer-executable instructions, such as one or more program modules, executed by one or more computers or other devices described herein. A program module may consist of routines, programs, objects, components, data structures, etc., that perform particular tasks or implement particular abstract data types when executed by a processor of a computer or other device. The modules may be described in a source code programming language that is later compiled for execution, or in a scripting language such as HTML or XML (but not limited thereto). The computer-executable instructions may be stored on a non-transitory computer-readable medium such as a hard disk, optical disk, removable storage medium, solid state memory, RAM, etc. The functions of the program modules may be combined or distributed as needed. Further, the functions may be wholly or partially incorporated into firmware or hardware equivalents such as integrated circuits, field programmable gate arrays (FPGA). Certain data structures may be used to more effectively implement one or more of the functions described herein, and such data structures are contemplated within the scope of the computer-executable instructions and computer-usable data described herein. The various features described herein may be implemented as a method, computing device, system, and / or computer program product.

[0185] To avoid doubt, and without limiting the scope of the above or the drawings, the present application further includes the subject matter described in the following numbered paragraphs. Paragraph 1 Storing one or more first packets that match one or more first criteria and triggering a further action associated with at least a portion of the one or more first packets that may be related to a cyber threat based on at least a portion of the one or more first packets that match one or more third criteria. Item 2 Further comprising storing one or more second packets that match one or more second criteria and deleting the stored one or more second packets based on the absence of activities related to the stored one or more second packets, the method according to claim 1. Item 3 Triggering the deletion of the stored one or more second packets includes triggering the deletion without triggering a further action related to the one or more second packets, the method according to any one of claims 1 or 2. Item 4 Triggering the deletion of the stored one or more second packets includes triggering the deletion based on the absence of activities that continue for at least a predetermined period, the method according to any one of claims 1 to 3. Item 5 The absence of activities includes not being able to determine whether one or more second packets match criteria other than one or more second criteria, the method according to any one of claims 1 to 4. Item 6 The absence of activities includes the absence of an instruction to check whether one or more second packets match criteria other than one or more second criteria, the method according to any one of claims 1 to 5. Item 7 The absence of activities includes the absence of an attempt to access the stored one or more second packets, the method according to any one of claims 1 to 6. Item 8 The method according to any one of claims 1 to 7, wherein one or more second criteria are not known to correspond to cyber threats. Claim 9 The method according to any one of claims 1 to 8, wherein one or more first criteria are not known to correspond to cyber threats before receiving one or more third criteria. Claim 10 The method according to any one of claims 1 to 9, wherein each of one or more first criteria, one or more second criteria, and one or more third criteria includes data configured to match one or more network threat indicators. Claim 11 The method according to any one of claims 1 to 10, further comprising one or more of receiving one or more first packets without logs of the one or more first packets or receiving one or more second packets without logs of the one or more second packets. Claim 12 The method according to any one of claims 1 to 11, further comprising determining that at least a portion of one or more first packets matches one or more third criteria. Claim 13 Determining that at least a portion of one or more first packets matches one or more third criteria includes generating and / or updating one or more logs of the one or more first packets, comparing the one or more third criteria with the one or more logs, and determining at least a portion based on the one or more third criteria matching at least a portion of the one or more logs corresponding to at least a portion of the one or more first packets. The method according to claim 12. Claim 14 The method according to either claim 12 or 13, further comprising determining that at least a portion of the first packet matches one or more additional criteria before determining that at least a portion of the one or more first packets matches one or more third criteria. Claim 15 Causing a further action related to at least a portion of one or more first packets includes causing the further action based on a determination that at least a portion of the one or more first packets meets one or more additional criteria, the method of claim 14. Claim 16 The step of determining that at least a portion of one or more first packets meets one or more additional criteria includes making the determination without warning another computing device that the one or more first packets meet the one or more additional criteria, the method of either claim 14 or claim 15. Claim 17 A further action associated with at least a portion of one or more first packets includes warning one or more computing devices about one or more of: that at least a portion of the one or more first packets meets one or more third criteria, a relationship between at least a portion of the one or more first packets and a cyber threat, or a potential relationship between at least a portion of the one or more first packets and a cyber threat, the method according to any one of claims 1 to 16. Claim 18 A further action associated with at least a portion of one or more first packets includes causing the preservation of at least a portion of the one or more first packets, the method according to any one of claims 1 to 17. Claim 19 A further operation associated with at least a portion of one or more first packets includes storing at least a portion of the one or more first packets for at least an additional period, the method according to any one of claims 1 to 18. Claim 20 A further action associated with at least a portion of one or more first packets includes causing the preservation of one or more logs associated with at least a portion of the one or more first packets, the method according to any one of claims 1 to 19. Item 21 The method according to any one of Items 1 to 20, wherein the further action associated with at least a part of one or more first packets includes storing one or more of the one or more first packets, or one or more of the one or more logs associated with the one or more first packets. Item 22 The method according to any one of Items 1 to 21, wherein the further action associated with at least a part of one or more first packets includes one or more of collecting a log corresponding to at least a part of the one or more first packets, or collecting a log corresponding to the one or more first packets. Item 23 The method according to any one of Items 1 to 22, wherein the further action associated with at least a part of one or more first packets includes one or more of transmitting a log corresponding to at least a part of the one or more first packets to one or more computing devices, or transmitting a log corresponding to the one or more first packets to one or more computing devices. Item 24 The method according to any one of Items 1 to 23, further comprising receiving one or more first packets and / or one or more second packets from one or more packet security gateways configured to filter packet traffic based on one or more criteria, record packets in a log, permit the passage of packets that match one or more criteria, block the passage of packets that match one or more criteria, and capture packets that match one or more criteria. Item 25 The method according to Item 24, further comprising instructing one or more packet security gateways to transfer a copy of one or more first packets and / or one or more second packets to a computing device executing this method. Item 26 Instructing one or more packet security gateways to transfer copies of one or more first packets and / or one or more second packets to a computing device that executes the method includes instructing the one or more packet security gateways to transfer copies of the one or more first packets and / or the one or more second packets to the computing device, and not transferring copies of the one or more first packets and / or the one or more second packets to a packet log and / or one or more other computing devices to which the copies of the packets are transferred, the method according to claim 25. Claim 27 Instructing one or more packet security gateways to transfer copies of one or more first packets and / or one or more second packets includes instructing the one or more packet security gateways not to log one or more first packets and / or instructing the one or more packet security gateways not to log one or more second packets, the method according to claim 25 or 26. Claim 28 The method according to any one of claims 1 to 27, further comprising receiving one or more first packets and / or one or more second packets from one or more computing devices including one or more of a firewall, a computing device associated with an Internet service provider, an archive computing device, or a computing device at a network boundary. Claim 29 The method according to claim 28, further comprising instructing one or more computing devices to transfer copies of one or more first packets and / or one or more second packets. Claim 30 Receiving one or more first packets and / or one or more second packets from an archive configured to store packets over a default retention period, wherein further actions associated with at least a portion of the one or more first packets further include instructing the archive to store the one or more first packets for a period longer than the default retention period, the method according to any one of claims 1 to 29. Claim 31 The method according to any one of claims 1 to 30, further comprising one or more of receiving correlation packets associated with the one or more first packets or receiving correlation packets associated with the one or more second packets. Claim 32 The method according to any one of claims 1 to 31, further comprising one or more of requesting correlation packets associated with the one or more first packets or requesting correlation packets associated with the one or more second packets. Claim 33 The method according to any one of claims 1 to 32, wherein further actions associated with at least a portion of the one or more first packets include one or more of transferring correlation packets associated with at least a portion of the one or more first packets or transferring correlation packets associated with the one or more first packets. Claim 34 The method according to any one of claims 1 to 33, further comprising receiving a copy of a packet captured from packet traffic via a network device, determining that the received copy of the packet captured from packet traffic includes the one or more first packets and / or the one or more second packets, transferring the received copy of the packet captured from packet traffic, and instructing to retain the transferred copy of the one or more first packets and / or the one or more second packets. Item 35 The method according to item 34, wherein instructing to hold a transferred copy of one or more first packets and / or one or more second packets includes instructing to hold the transferred copy of the one or more first packets and / or the one or more second packets for an extended holding period longer than a default holding period. Item 36 The method according to item 34 or 35, further including not instructing to hold other packets including packets other than one or more first packets or one or more second packets among received copies of packets captured from packet traffic via a network device. Item 37 The method according to item 36, wherein not instructing to hold other packets includes not instructing to hold other packets for an extended holding period longer than a default holding period. Item 38 The method according to any one of items 1 to 37, including a method of performing filtering, aggregation, and / or retention control based on updated cyber threat information. Item 39 A system including one or more computing devices, the system being configured to execute the method according to any one of items 1 to 38. Item 40 One or more non-transitory computer-readable media including stored instructions that, when executed by one or more processors of one or more computing devices of the system, cause the system to execute the method according to any one of items 1 to 38. Item 41 Receiving data including a packet log corresponding to packets filtered by one or more computing devices and captured packets including copies of at least a portion of the filtered packets; receiving second cyber threat intelligence data; determining that the second cyber threat intelligence data and first cyber threat intelligence data are potentially associated with a common cyber threat; identifying a subset of the packet log and a subset of the captured packets associated with the first cyber threat intelligence data; and performing one or more actions on the subset of the packet log and / or the subset of the captured packets using criteria based on the second cyber threat intelligence data. Item 42 The method according to item 41, wherein one or more actions include updating one or more packet logs of the subset of the packet log by applying criteria to at least one of the subset of the packet log or the subset of the captured packets, and outputting one or more displays related to a common cyber threat based on the updated one or more packet logs. Item 43 The method according to item 41 or 42, wherein one or more actions include determining that one or more packet logs of the subset of the packet log are not associated with a common cyber threat by applying criteria to the subset of the captured packets, and outputting one or more displays related to a common cyber threat based on the determination that the one or more packet logs are not associated with a common cyber threat. Item 44 A system including one or more computing devices, the system being configured to perform the method of any one of items 41 to 43. Item 45 One or more non - transitory computer - readable media containing stored instructions that, when executed by one or more processors of one or more computing devices of the system, cause the system to perform the method of any one of claims 41 to 43. Claim 46 A method comprising: receiving data including a packet log corresponding to packets filtered by one or more computing devices; receiving second cyber - threat intelligence data; determining that the second cyber - threat intelligence data and first cyber - threat intelligence data are potentially associated with a common cyber - threat; identifying a subset of the packet log associated with the first cyber - threat intelligence data; and performing one or more actions on the subset of the packet log using criteria based on the second cyber - threat intelligence data. Claim 47 The method according to claim 46, wherein the one or more actions include applying criteria to data received from one or more computing devices to determine that one or more packet logs of the subset of the packet log are not associated with a common cyber - threat, and outputting one or more displays associated with the common cyber - threat based on the determination that the one or more packet logs are not associated with the common cyber - threat. Claim 48 The method according to claim 46 or 47, wherein the one or more actions include applying criteria to data received from one or more computing devices to confirm that one or more packet logs of the subset of the packet log are associated with a common cyber - threat, and outputting one or more displays associated with the common cyber - threat based on the confirmation that the one or more packet logs are associated with the common cyber - threat. Claim 49 A system including one or more computing devices, the system being configured to execute any of the methods of claims 46 to 48. Claim 50 One or more non-transitory computer-readable media including stored instructions that, when executed by one or more processors of one or more computing devices of the system, cause the system to execute any of the methods of claims 46 to 48. Claim 51 A method comprising: receiving data including captured packets including copies of packets filtered by one or more computing devices; receiving second cyber threat intelligence data; determining that the second cyber threat intelligence data and first cyber threat intelligence data are potentially associated with a common cyber threat; identifying a subset of the captured packets associated with the first cyber threat intelligence data; and performing one or more actions on the subset of the captured packets using criteria based on the second cyber threat intelligence data. Claim 52 The method of claim 51, wherein the one or more actions include: applying criteria to data received from one or more computing devices to confirm that one or more of the captured packets in the subset of the captured packets are not associated with a common cyber threat; and outputting one or more displays associated with the common cyber threat based on a determination that one or more of the captured packets are not associated with a common cyber threat. Claim 53 One or more actions include applying criteria to data received from one or more computing devices to confirm that one or more of the captured packets out of a subset of the captured packets are associated with a common cyber threat, and based on the confirmation that one or more of the captured packets are associated with a common cyber threat, outputting one or more displays associated with the common cyber threat, the method according to claim 51 or 52. Claim 54 A system including one or more computing devices, the system being configured to perform the method of any one of claims 51 to 53. Claim 55 One or more non-transitory computer-readable media including stored instructions that, when executed by one or more processors of one or more computing devices of the system, cause the system to perform the method of any one of claims 51 to 53. Claim 56 A method of using data received from one or more packet security gateways configured to apply packet matching criteria of packet filtering rules to network traffic passing therethrough during transfer between a protected network and an unprotected network, the method comprising: receiving, by a cyber threat analysis system including one or more servers, cyber threat intelligence data indicative of a plurality of cyber threats, the received cyber threat intelligence data including first cyber threat intelligence data indicative of a first cyber threat among the plurality of cyber threats; receiving, by the cyber threat analysis system and from the one or more packet security gateways, data that is a packet log corresponding to packets filtered by the one or more packet security gateways based on packet filtering rules, the packet log including network threat indicators corresponding to the filtered packets and matching the criteria of the packet filtering rules, the criteria of the packet filtering rules being based on the cyber threat intelligence data, the packet log, and captured packets including at least a portion of the filtered packets; receiving, by the cyber threat analysis system, second cyber threat intelligence data; determining, by the cyber threat analysis system, updated criteria based on the second cyber threat intelligence data that may correspond to the first cyber threat; identifying, by the cyber threat analysis system, a subset of the packet log associated with the first cyber threat and a subset of the captured packets associated with the first cyber threat; generating, by the cyber threat analysis system and by applying the updated criteria to at least one of the subset of the packet log or the subset of the captured packets, an updated packet log set associated with the first cyber threat; and by the cyber threat analysis system and based on the updated packet log set,A method including outputting one or more displays associated with a first cyber threat. Item 57 The filtered packets corresponding to the packet log include packets from network traffic passing through one or more packet security gateways during a first period, the first cyber threat intelligence data is generated at a time before the start of the first period, and the second cyber threat intelligence data is generated at a time after the start of the first period, the method according to item 56. Item 58 The filtered packets corresponding to the packet log include packets from network traffic passing through one or more packet security gateways during a first period, receiving cyber threat intelligence data includes receiving first cyber threat intelligence data before the start of the first period, and receiving second cyber threat intelligence data includes receiving second cyber threat intelligence data after the start of the first period, the method according to item 56 or 57. Item 59 Identifying a subset of the packet log and a subset of the captured packets is performed based on a determination that both the first cyber threat intelligence data and the second cyber threat intelligence data are associated with the first cyber threat, the method according to any one of items 56 to 58. Item 60 Identifying a subset of the packet log and a subset of the captured packets is performed based on a determination that the second cyber threat intelligence data includes one or more of a change in the value of a network threat indicator identified by the first cyber threat intelligence data or a value of a network threat indicator not identified by the first cyber threat intelligence data, the method according to any one of items 56 to 59. Item 61 The method according to any one of claims 56 to 60, wherein generating comprises generating an updated set of packet logs that includes network threat indicators not identified by the first cyber threat intelligence data from an identified subset of the captured packets. Claim 62 The updated set of packet logs includes network threat indicators from an identified subset of the captured packets, the network threat indicators including one or more of a source address, a destination address, a source port, a destination port, a protocol, an L3 header field value, an L4 header field value, an L2 header field value, a protocol version, a host name, a domain name, a portion of a domain name, a universal resource identifier (URI), a universal resource locator (URL), a certificate of authentication, a certificate authority, a size of the packet, a size of a portion of the packet, specific content of at least a portion of the data payload, an HTTP request method type, a time associated with the packet, or a relationship between the packet and one or more other packets, according to the method of any one of claims 56 to 61. Claim 63 The reference is based on one or more first network threat indicators from the first cyber threat intelligence data and includes one or more first references associated with the first cyber threat. The updated reference is based on one or more second network threat indicators from the second cyber threat intelligence data and is associated with the first cyber threat. The one or more second network threat indicators are different from the one or more first network threat indicators. Generating the updated packet log set further includes one or more of: verifying the relevance to the first cyber threat based on the presence of one or more second network threat indicators in one or more packet logs of a subset of the packet logs; or determining that there is no relevance to the first cyber threat based on the absence of one or more second network threat indicators in one or more packet logs of a subset of the packet logs. The method according to any one of claims 56 to 62. Claim 64 The method according to any one of claims 56 to 63, further comprising determining one or more common points related to the network threat indicators of the updated packet log set. Claim 65 The method according to any one of claims 56 to 64, further comprising determining that one or more packet logs not identified as part of a subset of the packet logs are relevant to the first cyber threat based on the updated set of packet logs. Claim 66 The method according to any one of claims 56 to 65, wherein identifying is further based on determining that the second cyber threat intelligence data raises the threat level associated with the first cyber threat. Claim 67 Generating, by a cyber threat analysis system and based on third cyber threat intelligence data related to a first cyber threat and updating second cyber threat intelligence data, a further updated set of packet logs related to the first cyber threat; and further comprising, by the cyber threat analysis system and based on the further updated set of packet logs, outputting one or more displays related to the first cyber threat, the method according to any one of claims 56 to 66. Claim 68 The outputting includes one or more of outputting a display on a display, changing a packet filtering rule to add one or more packet matching criteria, changing a packet filtering rule to block a packet, or changing a retention time associated with one or more packet logs, the method according to any one of claims 56 to 67. Claim 69 A cyber threat analysis system including one or more servers, the one or more servers being configured to perform the method according to any one of claims 56 to 68. Claim 70 One or more non-transitory computer-readable media including stored instructions that, when executed by one or more processors of a cyber threat analysis system, cause the cyber threat analysis system to perform the method according to any one of claims 56 to 68.

[0186] Although the present disclosure has been described based on various examples, many additional modifications and changes will be apparent to those skilled in the art in view of the present disclosure. In particular, the various processes described above can be executed in alternative sequences and / or in parallel (on different computing devices) in a manner more suitable for the requirements of a particular application to achieve similar results. Accordingly, it is understood that the present disclosure can be implemented in ways other than those specifically described without departing from the scope and spirit of the present disclosure. Although examples have been described above, the features and / or steps of those examples can be combined, divided, omitted, rearranged, modified, and / or extended in any way. Accordingly, the present disclosure should be considered exemplary in all respects and not limiting. Accordingly, the scope of the disclosure should be determined by the appended claims and their equivalents rather than by the examples.

Claims

1. A method for using data received from one or more packet security gateways, which are configured to apply packet matching criteria of packet filtering rules to network traffic passing through them during transit between a protected network and an unprotected network, Receiving cyber threat intelligence data indicating multiple cyber threats by a cyber threat analysis system including one or more servers, wherein the received cyber threat intelligence data includes first cyber threat intelligence data indicating a first cyber threat among the multiple cyber threats. The cyber threat analysis system receives data from one or more packet security gateways, wherein the data is A packet log corresponding to a packet filtered by one or more packet security gateways based on the packet filtering rule, wherein the packet log includes a network threat indicator corresponding to the filtered packet and matching the criteria of the packet filtering rule, and the criteria of the packet filtering rule is based on the cyber threat intelligence data, the packet log and A captured packet including at least a copy of the filtered packet, The cyber threat analysis system receives second cyber threat intelligence data, The cyber threat analysis system determines updated criteria based on the second cyber threat intelligence data that may address the first cyber threat, The cyber threat analysis system identifies a subset of the packet logs associated with the first cyber threat and a subset of the captured packets associated with the first cyber threat, The cyber threat analysis system generates an updated packet log set associated with the first cyber threat by applying the updated criteria to at least one of the subset of the packet logs or the subset of the captured packets, and A method comprising outputting one or more displays associated with the first cyber threat using the cyber threat analysis system and based on the updated packet log set.

2. The method according to claim 1, wherein the filtered packets corresponding to the packet log include packets from network traffic passing through one or more packet security gateways during a first period, the first cyber threat intelligence data is generated before the start of the first period, and the second cyber threat intelligence data is generated after the start of the first period.

3. The method according to claim 1, wherein the filtered packets corresponding to the packet log include packets from network traffic passing through one or more packet security gateways during a first period, receiving the cyber threat intelligence data includes receiving the first cyber threat intelligence data before the start of the first period, and receiving the second cyber threat intelligence data includes receiving the second cyber threat intelligence data after the start of the first period.

4. The method according to claim 1, wherein identifying the subset of the packet log and the subset of the captured packets is performed on the basis of determining that both the first cyber threat intelligence data and the second cyber threat intelligence data are associated with the first cyber threat.

5. Identifying the subset of the packet log and the subset of the captured packets is how the second cyber threat intelligence data can be interpreted. A change in the value of the network threat indicator identified by the first cyber threat intelligence data, or The method of claim 4, which is performed on the basis of a determination that includes one or more values ​​of network threat indicators not identified by the first cyber threat intelligence data.

6. The method according to claim 1, wherein generating includes generating the updated packet log set from an identified subset of the captured packets to include network threat indicators not identified by the first cyber threat intelligence data.

7. The method according to claim 1, wherein the updated packet log set includes network threat indicators from an identified subset of the captured packets, the network threat indicators include one or more of the following: source address, destination address, source port, destination port, protocol, L3 header field value, L4 header field value, L2 header field value, protocol version, hostname, domain name, part of a domain name, universal resource identifier (URI), universal resource locator (URL), authentication certificate, certificate authority, packet size, size of part of a packet, specific content of at least part of a data payload, HTTP request method type, time associated with a packet, or a relationship between a packet and one or more other packets.

8. The criteria include one or more first criteria based on one or more first network threat indicators from the first cyber threat intelligence data and associated with the first cyber threat, the updated criteria include one or more second network threat indicators from the second cyber threat intelligence data and associated with the first cyber threat, the one or more second network threat indicators differ from the one or more first network threat indicators in generating the updated packet logset, Based on the presence of one or more second network threat indicators in one or more packet logs of the subset of the packet logs, the association with the first cyber threat is confirmed, or The method according to claim 1, further comprising determining that there is no association with the first cyber threat based on the absence of the one or more second network threat indicators in one or more packet logs of a subset of the packet logs.

9. The method according to claim 1, further comprising determining one or more commonalities relating to network threat indicators of the updated packet logset.

10. The method according to claim 1, further comprising determining, based on the updated packet log set, that one or more of the packet logs not identified as part of the subset of the packet logs are related to the first cyber threat.

11. The method according to claim 1, wherein the identification is further based on determining that the second cyber threat intelligence data increases the threat level associated with the first cyber threat.

12. The cyber threat analysis system generates a further updated packet log set related to the first cyber threat, based on third cyber threat intelligence data that updates the second cyber threat intelligence data in relation to the first cyber threat. The method according to claim 1, further comprising outputting one or more displays relating to the first cyber threat by the cyber threat analysis system and based on the further updated packet log set.

13. The output mentioned above is, Outputting a display onto a screen, Modify the packet filtering rules to add one or more packet matching criteria, By changing packet filtering rules to block packets, or The method according to claim 1, comprising one or more of the following: changing the retention time associated with one or more packet logs.

14. A cyber threat analysis system comprising one or more servers, wherein the one or more servers are The system receives cyber threat intelligence data indicating multiple cyber threats, and the received cyber threat intelligence data includes first cyber threat intelligence data indicating a first cyber threat among the multiple cyber threats. One or more packet security gateways, configured to apply packet matching criteria of packet filtering rules to network traffic passing through them during transit between a protected network and an unprotected network, receive data from the packet security gateways, and the data is, A packet log corresponding to a packet filtered by one or more packet security gateways based on the packet filtering rule, wherein the packet log includes a network threat indicator corresponding to the filtered packet and matching the criteria of the packet filtering rule, and the criteria of the packet filtering rule are based on the cyber threat intelligence data, and the packet log and A captured packet including at least a copy of the filtered packet, We received the second cyber threat intelligence data. Based on the second cyber threat intelligence data that may address the first cyber threat, updated criteria are determined. Identify a subset of the packet logs associated with the first cyber threat and a subset of the captured packets associated with the first cyber threat. By applying the updated criteria to at least one of the subset of the packet logs or the subset of the captured packets, an updated packet log set associated with the first cyber threat is generated. A cyber threat analysis system configured to output one or more indicators associated with the first cyber threat based on the updated packet log set.

15. The cyber threat analysis system according to claim 14, wherein the filtered packets corresponding to the packet log include packets from network traffic passing through one or more packet security gateways during a first period, the first cyber threat intelligence data is generated before the start of the first period, and the second cyber threat intelligence data is generated after the start of the first period.

16. The cyber threat analysis system according to claim 14, wherein one or more servers are configured to identify the subset of the packet logs and the subset of the captured packets based on the determination that both the first cyber threat intelligence data and the second cyber threat intelligence data are associated with the first cyber threat.

17. The criteria include one or more first criteria based on one or more first network threat indicators from the first cyber threat intelligence data and associated with the first cyber threat, the updated criteria include one or more second network threat indicators from the second cyber threat intelligence data and associated with the first cyber threat, the one or more second network threat indicators differ from the one or more first network threat indicators and the one or more servers Based on the presence of one or more second network threat indicators in one or more packet logs of the subset of the packet logs, the association with the first cyber threat is confirmed, or Determining that there is no association with the first cyber threat based on the absence of one or more second network threat indicators in one or more packet logs of the subset of the packet logs, The cyber threat analysis system according to claim 14, configured to generate the updated packet log set.

18. When executed by one or more processors of the cyber threat analysis system, the cyber threat analysis system: The system receives cyber threat intelligence data indicating multiple cyber threats, and the received cyber threat intelligence data includes first cyber threat intelligence data indicating a first cyber threat among the multiple cyber threats. One or more packet security gateways, configured to apply packet matching criteria of packet filtering rules to network traffic passing through them during transit between a protected network and an unprotected network, receive data from the packet security gateways, and the data is, A packet log corresponding to a packet filtered by one or more packet security gateways based on the packet filtering rule, wherein the packet log includes a network threat indicator corresponding to the filtered packet and matching the criteria of the packet filtering rule, and the criteria of the packet filtering rule are based on the cyber threat intelligence data, and the packet log and A captured packet including at least a copy of the filtered packet, We received the second cyber threat intelligence data. Based on the second cyber threat intelligence data that may address the first cyber threat, updated criteria are determined. Identify a subset of the packet logs associated with the first cyber threat and a subset of the captured packets associated with the first cyber threat. By applying the updated criteria to at least one of the subset of the packet logs or the subset of the captured packets, an updated packet log set associated with the first cyber threat is generated. A computer program that causes the cyber threat analysis system, and based on the updated packet log set, to output one or more displays associated with the first cyber threat.

19. The computer program according to claim 18, wherein the filtered packets corresponding to the packet log include packets from network traffic passing through one or more packet security gateways during a first period, the first cyber threat intelligence data is generated before the start of the first period, and the second cyber threat intelligence data is generated after the start of the first period.

20. The computer program according to claim 18, which, when executed by one or more processors of the cyber threat analysis system, causes the cyber threat analysis system to identify the subset of the packet log and the subset of the captured packets based on the determination that both the first cyber threat intelligence data and the second cyber threat intelligence data are associated with the first cyber threat.