Method, apparatus, and system to map network reachability
US-11902322-B2 · Feb 13, 2024 · US
US12413484B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12413484-B2 |
| Application number | US-202418410192-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jan 11, 2024 |
| Priority date | Jan 24, 2019 |
| Publication date | Sep 9, 2025 |
| Grant date | Sep 9, 2025 |
Official abstract text for this publication.
The network reachability module maps and dynamically tracks network reachability of network addresses and/or devices. The network reachability module can map and dynamically track network reachability of a response-orchestrator engine, via communicating and cooperating with the response-orchestrator engine. The network reachability module has a tracking module to 1) monitor network traffic and 2) keep a list of known devices and/or known subnets on the network, which is dynamically tracked and updated as previously unknown devices and subnets on the network are detected. A trigger module generates a spoofed transmission and/or response communication, supported by a network protocol used by the network. The spoofed transmission and/or response communication can be used to map network reachability of i) network devices, ii) network addresses, and iii) any combination of both, which either 1) can receive or 2) cannot receive protocol communications from a host for the network reachability module in the network.
Opening claim text (preview).
The invention claimed is:

1. An apparatus, comprising: a network reachability module configured to map and dynamically track network reachability of a cyber-security response-orchestrator engine, where the cyber-security response-orchestrator engine is configured to perform autonomous actions, without a human to initiate the actions, to mitigate a detected cyber threat, where the network reachability module includes a tracking module to 1) monitor network traffic on a network and 2) maintain a list of known devices on the network, wherein the network is dynamically tracked and the list is updated as previously unknown devices on the network are detected, and where the network reachability module further includes a trigger module configured to cooperate with the tracking module, where the trigger module is configured to generate a spoofed communication, supported by a network protocol used by the network, that is used to map network reachability of i) network devices, ii) network addresses, and iii) any combination of both, which either 1) can receive or 2) cannot receive protocol communications from a location of a host for the cyber-security response-orchestrator engine.

2. The apparatus of claim 1, where the tracking module is further configured to 3) maintain known subnets on the network within the list, wherein the list is updated as previously unknown subnets on the network are detected.

3. The apparatus of claim 2, where the trigger module and the tracking module are further configured to cooperate to repeatedly, on their own initiative, go through and check network addresses to see if at least one network device in each known subnet can be reached, via the generated spoofed communication, and then periodically recheck the network addresses with network devices in each known subnet over time, and where the network reachability module is configured to combine i) the monitoring of the network traffic and maintaining the list of known devices and known subnets on the network, with ii) autonomous periodic generation of the spoofed communication by the trigger module to check whether if at least one network address in each subnet, for each of the known subnets, can be reached, where the combination automates a rollout process for the cyber-security response-orchestrator engine.

4. The apparatus of claim 2, where the tracking module is configured to determine when a connection has been established for legitimate communications between a first device in its subnet and a second device at a target address, where the gap determination module is configured to determine when a gap of time is found to communicate to the trigger module to send the generated spoofed communication, which is addressed to go to the target address, via the established connection, in order to check if a successful protocol communication could be reached from the cyber-security response-orchestrator engine to the second device at the target network address, where the cyber-security response-orchestrator engine is further configured to carry out, as at least one of the autonomous actions that the cyber-security response-orchestrator engine can take, is to orchestrate cutting off network connections between the first device and the second device when the cyber threat is detected.

5. The apparatus of claim 2, where a user interface module is configured to cooperate with a data store that is configured to store the network reachability of i) network devices, ii) network addresses, and iii) any combination of both, which 1) can receive or 2) cannot receive protocol communications from a location of a host for the cyber-security response-orchestrator engine, in order to generate a graphical map of network addresses that 1) can receive or 2) cannot receive protocol communications from the location of the host for the cyber-security response-orchestrator engine, where the user interface module is further configured to generate multiple categories of subnets that appear on the map of network reachability on a display screen, where the multiple categories of subnets graphically represented on the display screen include at least a first category of subnets that 1) can receive and 2) a second category of subnets that cannot receive protocol communications from the location of the host for the cyber-security response-orchestrator engine.

6. The apparatus of claim 1, where the trigger module is configured to deliberately generate any of i) a first spoofed transmission communication operating as the spoofed communication or ii) a first response communication with falsified identity information to imitate a network address of a first device sending legitimate communications to a second device on the network operating as the spoofed communication, and where the trigger module is configured to deliberately generate the first spoofed transmission or the first response communication to also have some information or characteristic that makes a reply by the second device on the network to this spoofed communication uniquely identifiable from legitimate communications between the first device and the second device, where the tracking module is configured to identify a subsequent communication in a stream of communications between the first device and the second device that specifically corresponds back to the generated first spoofed transmission communication or the generated first response communication.

7. The apparatus of claim 6, where the trigger module is further configured to generate the first response communication in a form of an acknowledge packet with falsified identity information to imitate a network address of the first device sending legitimate communications to the second device on the network as well as the acknowledge packet was generated with the information and/or characteristic that makes the reply from the second device to the spoofed acknowledge packet uniquely identifiable when a subsequent communication is sent by the second device on the network.

8. The apparatus of claim 1, where the trigger module and the tracking module are further configured to cooperate, where the tracking module is configured to track a time of day and a traversal path of the spoofed communication as well as a number of times that the generated spoofed protocol communication could not be received from a location of a host for the cyber-security response-orchestrator engine, where the trigger module is configured with intelligence to vary any of the time of day and the traversal path of the generated spoofed communication when the number of times that previous generated spoofed protocol communications could not be received at that time of day or via that traversal path exceeds a threshold amount.

9. The apparatus of claim 1, where the network reachability module is configured to supply information concerning the reachability of a first device on a first subnet mapped by the network reachability module to the cyber-security response-orchestrator engine in order facilitate the cyber-security response-orchestrator engine to select a possible autonomous action when the first device in the network is exhibiting malicious behavior, where the possible autonomous action includes when the cyber-security response-orchestrator engine cannot reach the first device in the first subnet via a protocol communication, then the cyber-security response-orchestrator engine is configured to use an alternative approach, and not attempt to generate a direct protocol communication to the first device in the first subnet, in order to mitigate the detected cyber threat.

10. The apparatus of claim 1, further comprising: a gap determination module configured to cooperate with the trigger module, where the gap determ
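The following is an added illustration, not code from the patent or its assignee: a small Python model of the tracking module's bookkeeping described in the abstract and in claims 3, 5 and 8. It learns devices and subnets from constructed flow-log lines, records probe outcomes supplied by the caller (no packets are generated; the spoofed probe itself is abstracted away), sorts subnets into the "can receive" / "cannot receive" categories of claim 5, and applies claim 8's failure threshold per time of day and traversal path. The `/24` prefix length, the `->` log format and the threshold of 3 are assumptions.

```python
import ipaddress
from collections import defaultdict

THRESHOLD = 3  # assumed: failed probes per (time of day, path) before the probe should vary


class ReachabilityTracker:
    """Models the patent's tracking module: learns known devices/subnets from
    observed traffic and keeps a ledger of probe results against them."""

    def __init__(self, prefix_len=24):
        self.prefix_len = prefix_len          # assumed subnet size for grouping
        self.known_devices = set()
        self.known_subnets = set()
        self.reachable = {}                   # subnet -> latest probe result (bool)
        self.failures = defaultdict(int)      # (time_of_day, path) -> failed probes

    def _subnet(self, addr):
        return ipaddress.ip_network(f"{addr}/{self.prefix_len}", strict=False)

    def observe(self, line):
        # Constructed flow-log line of the form "<src> -> <dst>"; previously
        # unknown devices and subnets are added to the list as they are seen.
        for addr in (a.strip() for a in line.split("->")):
            ip = ipaddress.ip_address(addr)
            self.known_devices.add(ip)
            self.known_subnets.add(self._subnet(ip))

    def record_probe(self, target, time_of_day, path, replied):
        # Caller reports whether the probe sent to `target` drew an identifiable reply.
        self.reachable[self._subnet(target)] = replied
        if not replied:
            self.failures[(time_of_day, path)] += 1

    def should_vary(self, time_of_day, path):
        # Claim 8: vary time of day or traversal path once failures pass the threshold.
        return self.failures[(time_of_day, path)] >= THRESHOLD

    def categories(self):
        # Claim 5: subnets that can / cannot receive protocol communications, plus unprobed ones.
        can = sorted(str(n) for n, ok in self.reachable.items() if ok)
        cannot = sorted(str(n) for n, ok in self.reachable.items() if not ok)
        unprobed = sorted(str(n) for n in self.known_subnets if n not in self.reachable)
        return {"reachable": can, "unreachable": cannot, "unprobed": unprobed}


def demo():
    t = ReachabilityTracker()
    for line in ["10.0.1.5 -> 10.0.2.9", "10.0.1.7 -> 10.0.3.20", "10.0.2.9 -> 10.0.1.5"]:
        t.observe(line)                                   # constructed traffic
    t.record_probe("10.0.2.9", "night", "core-fw", True)  # constructed probe outcomes
    for _ in range(3):
        t.record_probe("10.0.3.20", "night", "core-fw", False)
    return t
```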
CPC classification titles:

- the monitoring system or the monitored elements being virtualised, abstracted or software-defined entities, e.g. SDN or NFV
- Network analysis or design
- using virtualisation of network functions or resources, e.g. SDN or NFV entities
- Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
- for managing network security; network security policies in general (filtering policies H04L63/0227)