Actively identifying and neutralizing network hot spots

US 10,164,982 B1
Filed: 11/28/2017
Issued: 12/25/2018
Est. Priority Date: 11/28/2017
Status: Active Grant

First Claim

Patent Images

1. A non-transitory computer readable medium including instructions that, when executed by at least one processor, cause the at least one processor to perform operations for actively identifying network resources that have privileged access escalation vulnerabilities, the operations comprising:

identifying a first identity having a first level of privileged network access;

identifying a network resource that the first identity is communicating with;

classifying the network resource as a network resource to be dynamically monitored;

dynamically monitoring connections activity of the identified network resource to determine a second identity through an automated process,wherein the second identity is dynamically identified through the automated process based on;

the second identity having a second level of privileged network access that is different from the first level of privileged network access; and

the second identity having attempted to establish a connection with the network resource that the first identity is communicating with;

classifying, based on the determination of the second identity, the network resource as a potential source of privileged access escalation vulnerabilities; and

performing, based on the classification that the network resource is a potential source of privileged access escalation vulnerabilities, at least one of;

triggering an alert regarding the potential source of privileged access escalation vulnerabilities;

performing a network security remediation operation for at least one of the first identity, the second identity, and the network resource; and

identifying a plurality of other identities with levels of privileged network access different from the first level of privileged network access and that have attempted to establish connections with the network resource.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed embodiments include identifying a first identity having a first level of privileged network access, identifying a network resource that the first identity is communicating with, classifying the network resource as a network resource to be dynamically monitored, dynamically monitoring connections activity of the identified network resource to determine a second identity, wherein the second identity is determined based on it having a second level of privileged network access that is different from the first level of privileged network access and having attempted to establish a connection with the network resource, classifying, based on the determination of the second identity, the network resource as a potential source of privileged access escalation vulnerabilities, and performing, based on the classification that the network resource is a potential source of privileged access escalation vulnerabilities, at least one of: triggering an alert regarding the potential source of privileged access escalation vulnerabilities, performing a network security remediation operation for at least one of the first identity, the second identity, and the network resource, and identifying a plurality of other identities with levels of privileged network access different from the first level of privileged network access and that have attempted to establish connections with the network resource.

Citations

22 Claims

1. A non-transitory computer readable medium including instructions that, when executed by at least one processor, cause the at least one processor to perform operations for actively identifying network resources that have privileged access escalation vulnerabilities, the operations comprising:
- identifying a first identity having a first level of privileged network access;
  
  identifying a network resource that the first identity is communicating with;
  
  classifying the network resource as a network resource to be dynamically monitored;
  
  dynamically monitoring connections activity of the identified network resource to determine a second identity through an automated process,wherein the second identity is dynamically identified through the automated process based on;
  
  the second identity having a second level of privileged network access that is different from the first level of privileged network access; and
  
  the second identity having attempted to establish a connection with the network resource that the first identity is communicating with;
  
  classifying, based on the determination of the second identity, the network resource as a potential source of privileged access escalation vulnerabilities; and
  
  performing, based on the classification that the network resource is a potential source of privileged access escalation vulnerabilities, at least one of;
  
  triggering an alert regarding the potential source of privileged access escalation vulnerabilities;
  
  performing a network security remediation operation for at least one of the first identity, the second identity, and the network resource; and
  
  identifying a plurality of other identities with levels of privileged network access different from the first level of privileged network access and that have attempted to establish connections with the network resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The non-transitory computer readable medium of claim 1, wherein the first identity is identified based on a domain administrator group.
  - 3. The non-transitory computer readable medium of claim 1, wherein the first identity is identified based on an ability of the first identity to change passwords of other identities.
  - 4. The non-transitory computer readable medium of claim 1, wherein the first identity is identified based on an inspection of network application data traffic.
  - 5. The non-transitory computer readable medium of claim 1, wherein the first identity is identified based on an inspection of network authentication traffic.
  - 6. The non-transitory computer readable medium of claim 1, wherein the network security remediation operation includes rotating a password associated with at least one of the first identity and the second identity.
  - 7. The non-transitory computer readable medium of claim 1, wherein the network security remediation operation includes terminating a network session between the network resource and at least one of the first identity and the second identity.
  - 8. The non-transitory computer readable medium of claim 1, wherein the processor is further configured to perform a further network security remediation operation for the plurality of other identities.
  - 9. The non-transitory computer readable medium of claim 1, wherein the first identity is a local computer system account.
  - 10. The non-transitory computer readable medium of claim 1, wherein the first identity is a network account.
  - 11. The non-transitory computer readable medium of claim 1, wherein the first identity is an instance of a virtual computing resource.
  - 12. The non-transitory computer readable medium of claim 1, wherein the first identity is a token.
  - 13. The non-transitory computer readable medium of claim 1, wherein the alert identifies the network resource and privileged access escalation vulnerabilities.
  - 14. The non-transitory computer readable medium of claim 1, wherein the plurality of other identities are identified based on having active connections to the network resource.
  - 15. The non-transitory computer readable medium of claim 1, wherein the plurality of other identities are identified based on having attempted to connect to other network resources that are also classified as potential sources of privileged access escalation vulnerabilities.
  - 16. The non-transitory computer readable medium of claim 1, wherein the first level of privileged network access and second level of privileged network access are based on different network security group memberships.
  - 17. The non-transitory computer readable medium of claim 1, wherein the first level of privileged network access and second level of privileged network access are based on different network security tiers within a multi-tier network security framework.

18. A computer-implemented method for actively identifying network resources that have privileged access escalation vulnerabilities, the method comprising:
- identifying a first identity having a first level of privileged network access;
  
  identifying a network resource that the first identity is communicating with;
  
  classifying the network resource as a network resource to be dynamically monitored;
  
  dynamically monitoring connections activity of the identified network resource to determine a second identity through an automated process,wherein the second identity is dynamically identified through the automated process based on;
  
  the second identity having a second level of privileged network access that is different from the first level of privileged network access; and
  
  the second identity having attempted to establish a connection with the network resource that the first identity is communicating with;
  
  classifying, based on the determination of the second identity, the network resource as a potential source of privileged access escalation vulnerabilities; and
  
  performing, based on the classification that the network resource is a potential source of privileged access escalation vulnerabilities, at least one of;
  
  triggering an alert regarding the potential source of privileged access escalation vulnerabilities;
  
  performing a network security remediation operation for at least one of the first identity, the second identity, and the network resource; and
  
  identifying a plurality of other identities with levels of privileged network access different from the first level of privileged network access and that have attempted to establish connections with the network resource.
- View Dependent Claims (19, 20, 21, 22)
- - 19. The computer-implemented method of claim 18, wherein the network security remediation operation includes rotating a password associated with at least one of the first identity and the second identity.
  - 20. The computer-implemented method of claim 18, further comprising performing a further network security remediation operation for the plurality of other identities.
  - 21. The computer-implemented method of claim 18, wherein the plurality of other identities are identified based on having attempted to connect to other network resources that are also classified as potential sources of privileged access escalation vulnerabilities.
  - 22. The computer-implemented method of claim 18, wherein the first level of privileged network access and second level of privileged network access are based on different network security group memberships.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CyberArk Software Ltd.
Original Assignee
CyberArk Software Ltd.
Inventors
Lazarovitz, Lavi, Hecht, Asaf
Primary Examiner(s)
Gee, Jason K

Application Number

US15/824,878
Time in Patent Office

392 Days
Field of Search
US Class Current
CPC Class Codes

H04L 41/0893   Assignment of logical group...

H04L 43/065   related to network devices

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04W 12/068   using credential vaults, e....

H04W 12/069   using certificates or pre-s...

H04W 12/122   Counter-measures against at...

Actively identifying and neutralizing network hot spots

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Actively identifying and neutralizing network hot spots

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links