1. Field
The present disclosure relates generally to an improved computer system and to a method and apparatus for protecting a computer system. Specifically, the present disclosure relates to a method and apparatus for analyzing cyber-attacks on a computer system using linkographs.
2. Background
Many organizations employ computer networks in day-to-day activities. These activities include payroll, human resources, research, sales, marketing, and other suitable activities. These types of activities often require connectivity of the internal computer networks of the organization to the outside world through the Internet.
More and more often, computer networks in organizations are attacked and compromised by adversaries. The adversaries may steal information about customers, transactions, research, or other confidential or sensitive information. In other cases, adversaries may take actions that hinder the ability of the organization to perform operations or may hijack computers for other uses.
In protecting computer networks from adversaries, various tools are currently present for use by organizations. These tools include signature-based detectors, whitelisting, blacklisting, intrusion detection and protection systems, and other suitable types of tools. Actions that may be taken using these types of tools include, for example, unplugging compromised hosts, quarantining compromised hosts, and other suitable actions.
With the increasing frequency of attacks by adversaries and the increasing sophistication of adversaries, organizations are often unable to prevent or mitigate every type of attack that may occur. Further, organizations are often unable to protect their computer networks from intrusions by adversaries.
With this environment, organizations operate knowing that unauthorized intrusions and breaches of security in computer networks will occur. As a result, obtaining information about the tactics, techniques, and protocols used by adversaries may be useful in mitigating damage that may be caused by an unauthorized intrusion by an adversary.
The information that currently may be obtained includes artifacts that indicate the occurrence of an intrusion. An artifact is any item that has been used, created, deleted, or modified by an adversary or is representative of malware. These artifacts include, for example, file names, language settings, compilation paths, Internet protocol (IP) addresses, and other indicators that show an intrusion has occurred. Identifying artifacts is useful but often does not provide sufficient information to mitigate an ongoing attack or a future attack on a computer network. Thus, computer networks are not as secure against attacks from threat actors as desired, even with the expenditure of significant amounts of money and effort.
Therefore, it would be desirable to have a method and apparatus that take into account at least some of the issues discussed above, as well as other possible issues. For example, it would be desirable to have a method and apparatus that overcome the technical problem of obtaining information about an adversary in order to mitigate a current attack or prevent a future attack on a computer network.