Synthetic cyber-risk model for vulnerability determination

US 10,044,746 B2
Filed: 01/06/2017
Issued: 08/07/2018
Est. Priority Date: 11/11/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving information associated with a cyberthreat from an external source, wherein the cyberthreat is associated with one or more objectives;

using the information, mapping one or more characteristics of the cyberthreat into one or more instructions, wherein the one or more instructions when executed in a target network perform multiple steps to simulate an existence of the cyberthreat within the target network without implementing the one or more objectives of the cyberthreat in the target network;

determining one or more agents to execute the one or more instructions;

initiating execution of the one or more instructions by the one or more agents to simulate the existence of the cyberthreat within the target network;

receiving feedback including a progression of the multiple steps identifying how the target network responds to the simulated existence of the cyberthreat within the target network;

using the feedback, determining whether one of the multiple steps to simulate the cyberthreat has failed in the target network; and

responsive to determining that one of the multiple steps has failed, replacing at least one instruction for the failed step with at least one additional instruction to be executed by the one or more agents or one or more additional agents in the target network.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method, and device are presented for assessing a target network'"'"'s vulnerability to a real cyberthreat based on determining policy-based synthetic tests configured to model the behavior of the cyberthreat. Real-time feedback from the target network (e.g., servers, desktops, and network/monitoring hardware and/or software equipment) are received, analyzed, and used to determine whether any modifications to the same or a new synthesized test is preferred. The technology includes self-healing processes that, using the feedback mechanisms, can attempt to find patches for known vulnerabilities, test for unknown vulnerabilities, and configure the target network'"'"'s resources in accordance with predefined service-level agreements.

Citations

20 Claims

1. A method comprising:
- receiving information associated with a cyberthreat from an external source, wherein the cyberthreat is associated with one or more objectives;
  
  using the information, mapping one or more characteristics of the cyberthreat into one or more instructions, wherein the one or more instructions when executed in a target network perform multiple steps to simulate an existence of the cyberthreat within the target network without implementing the one or more objectives of the cyberthreat in the target network;
  
  determining one or more agents to execute the one or more instructions;
  
  initiating execution of the one or more instructions by the one or more agents to simulate the existence of the cyberthreat within the target network;
  
  receiving feedback including a progression of the multiple steps identifying how the target network responds to the simulated existence of the cyberthreat within the target network;
  
  using the feedback, determining whether one of the multiple steps to simulate the cyberthreat has failed in the target network; and
  
  responsive to determining that one of the multiple steps has failed, replacing at least one instruction for the failed step with at least one additional instruction to be executed by the one or more agents or one or more additional agents in the target network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the feedback identifies whether one or more host devices or one or more security devices in the target network initiated at least one action related to the cyberthreat in response to the simulated existence of the cyberthreat.
  - 3. The method of claim 1, wherein:
    - the cyberthreat comprises a malware; and
      
      the one or more instructions when executed by the one or more agents create an appearance of the malware in the target network by at least one of;
      
      creating a specific file;
      
      creating a network communication on a specific port or to a specific destination;
      
      creating or accessing a user account, directory, or registry;
      
      or altering a service.
  - 4. The method of claim 1, wherein:
    - the target network comprises multiple host devices; and
      
      the method further comprises determining one or more of the host devices on which the one or more agents execute the one or more instructions.
  - 5. The method of claim 1, wherein:
    - the information associated with the cyberthreat comprises at least one of;
      
      one or more threat indicators, one or more behaviors, or the one or more objectives of the cyberthreat; and
      
      mapping the one or more characteristics of the cyberthreat into the one or more instructions comprises identifying one or more instructions that simulate at least one of;
      
      the one or more threat indicators, the one or more behaviors, or the one or more objectives of the cyberthreat.
  - 6. The method of claim 1, further comprising, in response to detecting that the target network fails to adequately respond to the simulated existence of the cyberthreat within the target network:
    - updating at least one of;
      
      one or more host devices in the target network or one or more security devices in the target network; and
      
      at least one of;
      
      (i) reinitiating execution of the one or more instructions to again simulate the existence of the cyberthreat within the target network or (ii) initiating execution of one or more additional instructions to simulate an existence of an additional cyberthreat within the target network.
  - 7. The method of claim 1, wherein the one or more instructions are a subset of a set of instructions of the cyberthreat such that the set of instructions includes at least one additional instruction not included in the subset.
  - 8. The method of claim 1, further comprising:
    - using the feedback, modifying at least one instruction of the one or more instructions for additional execution of the cyberthreat by the one or more agents or one or more additional agents in the target network.

9. A non-transitory computer readable storage medium containing computer-executable instructions that, when executed by at least one processor, cause the at least one processor to:
- receive information associated with a cyberthreat from an external source, wherein the cyberthreat is associated with one or more objectives;
  
  using the information, map one or more characteristics of the cyberthreat into one or more instructions, wherein the one or more instructions when executed in a target network perform multiple steps to simulate an existence of the cyberthreat within the target network without implementing the one or more objectives of the cyberthreat in the target network;
  
  determine one or more agents to execute the one or more instructions;
  
  initiate execution of the one or more instructions by the one or more agents to simulate the existence of the cyberthreat within the target network;
  
  receive feedback including a progression of the multiple steps identifying how the target network responds to the simulated existence of the cyberthreat within the target network;
  
  using the feedback, determine whether one of the multiple steps to simulate the cyberthreat has failed in the target network; and
  
  responsive to determining that one of the multiple steps has failed, replace at least one instruction for the failed step with at least one additional instruction to be executed by the one or more agents or one or more additional agents in the target network.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The non-transitory computer readable storage medium of claim 9, wherein the feedback identifies whether one or more host devices or one or more security devices in the target network initiated at least one action related to the cyberthreat in response to the simulated existence of the cyberthreat.
  - 11. The non-transitory computer readable storage medium of claim 9, wherein:
    - the cyberthreat comprises a malware; and
      
      the one or more instructions when executed by the one or more agents create an appearance of the malware in the target network by at least one of;
      
      creating a specific file;
      
      creating a network communication on a specific port or to a specific destination;
      
      creating or accessing a user account, directory, or registry;
      
      or altering a service.
  - 12. The non-transitory computer readable storage medium of claim 9, wherein:
    - the target network comprises multiple host devices; and
      
      the non-transitory computer readable storage medium further contains computer-executable instructions that when executed cause the at least one processor to determine one or more of the host devices on which the one or more agents execute the one or more instructions.
  - 13. The non-transitory computer readable storage medium of claim 9, wherein:
    - the information associated with the cyberthreat comprises at least one of;
      
      one or more threat indicators, one or more behaviors, or the one or more objectives of the cyberthreat; and
      
      the computer-executable instructions that when executed cause the at least one processor to map the one or more characteristics of the cyberthreat into the one or more instructions comprise;
      
      computer-executable instructions that when executed cause the at least one processor to identify one or more instructions that simulate at least one of;
      
      the one or more threat indicators, the one or more behaviors, or the one or more objectives of the cyberthreat.
  - 14. The non-transitory computer readable storage medium of claim 9, further containing computer-executable instructions that when executed cause the at least one processor, in response to detecting that the target network fails to adequately respond to the simulated existence of the cyberthreat within the target network, to:
    - update at least one of;
      
      one or more host devices in the target network or one or more security devices in the target network; and
      
      at least one of;
      
      (i) reinitiate execution of the one or more instructions to again simulate the existence of the cyberthreat within the target network or (ii) initiate execution of one or more additional instructions to simulate an existence of an additional cyberthreat within the target network.

15. An apparatus comprising:
- at least one processor; and
  
  at least one memory storing computer-executable instructions that when executed cause the at least one processor to;
  
  receive information associated with a cyberthreat from an external source, wherein the cyberthreat is associated with one or more objectives;
  
  using the information, map one or more characteristics of the cyberthreat into one or more instructions, wherein the one or more instructions when executed in a target network perform multiple steps to simulate an existence of the cyberthreat within the target network without implementing the one or more objectives of the cyberthreat in the target network;
  
  determine one or more agents to execute the one or more instructions;
  
  initiate execution of the one or more instructions by the one or more agents to simulate the existence of the cyberthreat within the target network;
  
  receive feedback including a progression of the multiple steps identifying how the target network responds to the simulated existence of the cyberthreat within the target network;
  
  using the feedback, determine whether one of the multiple steps to simulate the cyberthreat has failed in the target network; and
  
  responsive to determining that one of the multiple steps has failed, replace at least one instruction for the failed step with at least one additional instruction to be executed by the one or more agents or one or more additional agents in the target network.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The apparatus of claim 15, wherein the feedback identifies whether one or more host devices or one or more security devices in the target network initiated at least one action related to the cyberthreat in response to the simulated existence of the cyberthreat.
  - 17. The apparatus of claim 15, wherein:
    - the cyberthreat comprises a malware; and
      
      the one or more instructions when executed by the one or more agents create an appearance of the malware in the target network by at least one of;
      
      creating a specific file;
      
      creating a network communication on a specific port or to a specific destination;
      
      creating or accessing a user account, directory, or registry;
      
      or altering a service.
  - 18. The apparatus of claim 15, wherein:
    - the target network comprises multiple host devices; and
      
      the computer-executable instructions when executed further cause the at least one processor to determine one or more of the host devices on which the one or more agents execute the one or more instructions.
  - 19. The apparatus of claim 15, wherein:
    - the information associated with the cyberthreat comprises at least one of;
      
      one or more threat indicators, one or more behaviors, or the one or more objectives of the cyberthreat; and
      
      the computer-executable instructions that when executed cause the at least one processor to map the one or more characteristics of the cyberthreat into the one or more instructions comprise;
      
      computer-executable instructions that when executed cause the at least one processor to identify one or more instructions that simulate at least one of;
      
      the one or more threat indicators, the one or more behaviors, or the one or more objectives of the cyberthreat.
  - 20. The apparatus of claim 15, wherein the computer-executable instructions when executed further cause the at least one processor, in response to detecting that the target network fails to adequately respond to the simulated existence of the cyberthreat within the target network, to:
    - update at least one of;
      
      one or more host devices in the target network or one or more security devices in the target network; and
      
      at least one of;
      
      (i) reinitiate execution of the one or more instructions to again simulate the existence of the cyberthreat within the target network or (ii) initiate execution of one or more additional instructions to simulate an existence of an additional cyberthreat within the target network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Goldman Sachs & Co. LLC (Goldman Sachs Group Incorporated)
Original Assignee
Goldman Sachs & Co. LLC (Goldman Sachs Group Incorporated)
Inventors
Vallone, David, Taylor, Peter, Venables, Phil J., Huang, Ruoh-Yann
Primary Examiner(s)
Pyzocha, Michael

Application Number

US15/400,870
Publication Number

US 20170126731A1
Time in Patent Office

578 Days
Field of Search
US Class Current
CPC Class Codes

H04L 41/046   comprising network manageme...

H04L 41/0823   characterised by the purpos...

H04L 41/0886   Fully automatic configuration

H04L 41/145   involving simulating, desig...

H04L 41/147   for predicting network beha...

H04L 43/50   Testing arrangements

H04L 63/1433   Vulnerability analysis

Synthetic cyber-risk model for vulnerability determination

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Synthetic cyber-risk model for vulnerability determination

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links