Verifying success of compromising a network node during penetration testing of a networked system

US 10,257,220 B2
Filed: 05/18/2018
Issued: 04/09/2019
Est. Priority Date: 01/30/2017
Status: Active Grant

First Claim

Patent Images

1. A method of carrying out a penetration testing campaign of a networked system by a penetration testing system, the penetration testing system comprising (A) a penetration testing software module installed on a remote computing device and (B) a reconnaissance agent software module (RASM) installed on at least some network nodes of the networked system, the method comprising:

a. subsequent to installing the RASM on the at least some network nodes, initiating the penetration testing campaign;

b. subsequent to the initiating of the penetration testing campaign, selecting a target network node of the networked system on which the RASM is installed;

c. based on the target network node, selecting a potential vulnerability that may compromise the target network node;

d. subsequent to the selecting of the potential vulnerability, receiving at the remote computing device and from the RASM installed on the target network node, internal data of the target network node;

e. validating that the target network node could be successfully compromised using the selected potential vulnerability, the validating being carried out in a manner which does not expose the target network node to a risk of being compromised and which is based on the received internal data of the target network node;

f. based on the potential vulnerability, determining a method for an attacker to compromise the target network node;

g. based on the method for an attacker to compromise the target network node, determining a security vulnerability of the networked system; and

h. reporting the security vulnerability of the networked system, the reporting comprising at least one of (i) causing a display device to display a report including information about the determined security vulnerability of the networked system, (ii) recording the report including the information about the determined security vulnerability of the networked system in a file, and (iii) electronically transmitting the report including the information about the determined security vulnerability of the networked system,wherein each of steps a-h is performed by executing computer code of the penetration testing software module by one or more processors of the remote computing device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of carrying out a penetration testing campaign of a networked system by a penetration testing system comprising (A) a penetration testing software module installed on a remote computing device and (B) a reconnaissance agent software module (RASM) installed on at least some network nodes of the networked system. In embodiments, at least the following is performed at the remote computing device: a target network node of the networked system on which the RASM is installed is selected; based on the target network node, a potential vulnerability that may compromise the target network node is selected; internal data of the target network node is received; and a validation step is performed. The validation is (i) carried out in a manner which does not expose the target network node to a risk of being compromised and (ii) is based on the received internal data of the target network node.

56 Citations

View as Search Results

18 Claims

1. A method of carrying out a penetration testing campaign of a networked system by a penetration testing system, the penetration testing system comprising (A) a penetration testing software module installed on a remote computing device and (B) a reconnaissance agent software module (RASM) installed on at least some network nodes of the networked system, the method comprising:
- a. subsequent to installing the RASM on the at least some network nodes, initiating the penetration testing campaign;
  
  b. subsequent to the initiating of the penetration testing campaign, selecting a target network node of the networked system on which the RASM is installed;
  
  c. based on the target network node, selecting a potential vulnerability that may compromise the target network node;
  
  d. subsequent to the selecting of the potential vulnerability, receiving at the remote computing device and from the RASM installed on the target network node, internal data of the target network node;
  
  e. validating that the target network node could be successfully compromised using the selected potential vulnerability, the validating being carried out in a manner which does not expose the target network node to a risk of being compromised and which is based on the received internal data of the target network node;
  
  f. based on the potential vulnerability, determining a method for an attacker to compromise the target network node;
  
  g. based on the method for an attacker to compromise the target network node, determining a security vulnerability of the networked system; and
  
  h. reporting the security vulnerability of the networked system, the reporting comprising at least one of (i) causing a display device to display a report including information about the determined security vulnerability of the networked system, (ii) recording the report including the information about the determined security vulnerability of the networked system in a file, and (iii) electronically transmitting the report including the information about the determined security vulnerability of the networked system,wherein each of steps a-h is performed by executing computer code of the penetration testing software module by one or more processors of the remote computing device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 wherein the internal data includes data about an internal event of the target network node.
  - 3. The method of claim 1 wherein the internal data includes data about an internal condition of the target network node.
  - 4. The method of claim 1 wherein the internal data includes data about an internal fact of the target network node.
  - 5. The method of claim 1 wherein the selecting of the potential vulnerability is based on one or more properties of the target node.
  - 6. The method of claim 1 wherein:
    - i. the method further comprises performing the following steps, subsequent to steps b-f and before step g;
      
      A. selecting an additional target network node of the networked system on which the RASM is installed;
      
      B. based on the additional target network node, selecting an additional potential vulnerability that may compromise the additional target network node;
      
      C. subsequent to the selecting of the additional potential vulnerability, receiving at the remote computing device and from the RASM installed on the additional target network node, internal data of the additional target network node;
      
      D. validating that the additional target network node could be successfully compromised using the additional potential vulnerability, the validating being carried out in a manner which does not expose the additional target network node to a risk of being compromised and which is based on the received internal data of the additional target network node; and
      
      E. based on the additional potential vulnerability, determining a method for an attacker to compromise the additional target network node; and
      
      ii. the determining of the security vulnerability of the networked system is further based on the method for an attacker to compromise the additional target network node.
  - 7. The method of claim 1, wherein the information about the determined security vulnerability of the networked system comprises at least one of:
    - (i) information about a method for compromising the target network node (ii) information about one or more network nodes of the networked system which are vulnerable to attack, (iii) information about one or more resources of the networked system that could be damaged or exported out of the networked system by an attacker, and (iv) information about an ordered list of network nodes of the networked system, wherein an attacker could use a specific network node in said ordered list that is already compromised as a basis for compromising another network node that immediately follows said specific network node in said ordered list.
  - 8. The method of claim 1, wherein the receiving of the internal data of the target network node is in response to sending by the remote computing device a message to the target network node, the message requesting specific internal data according to the selected potential vulnerability.

9. A method of carrying out a penetration testing campaign of a networked system by a penetration testing system, the penetration testing system comprising (A) a penetration testing software module installed on a remote computing device and (B) a reconnaissance agent software module (RASM) installed on at least some network nodes of the networked system, the method comprising:
- a. subsequent to installing the RASM on the at least some network nodes, initiating the penetration testing campaign;
  
  b. subsequent to the initiating of the penetration testing campaign, selecting a target network node of the networked system on which the RASM is installed;
  
  c. based on the target network node, selecting a potential vulnerability that may compromise the target network node;
  
  d. receiving at the remote computing device and from the RASM installed on the target network node, internal data of the target network node;
  
  e. validating that the target network node could be successfully compromised using the selected potential vulnerability, the validating being carried out in a manner which does not expose the target network node to a risk of being compromised and which is based on the received internal data of the target network node;
  
  f. based on the potential vulnerability, determining a method for an attacker to compromise the target network node;
  
  g. based on the method for an attacker to compromise the target network node, determining a security vulnerability of the networked system; and
  
  h. reporting the security vulnerability of the networked system, the reporting comprising at least one of (i) causing a display device to display a report including information about the determined security vulnerability of the networked system, (ii) recording the report including the information about the determined security vulnerability of the networked system in a file, and (iii) electronically transmitting the report including the information about the determined security vulnerability of the networked system,wherein each of steps a-h is performed by executing computer code of the penetration testing software module by one or more processors of the remote computing device.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The method of claim 9 wherein the internal data includes data about an internal event of the target network node.
  - 11. The method of claim 9 wherein the internal data includes data about an internal condition of the target network node.
  - 12. The method of claim 9 wherein the internal data includes data about an internal fact of the target network node.
  - 13. The method of claim 9 wherein the selecting of the potential vulnerability is based on one or more properties of the target node.
  - 14. The method of claim 9 wherein:
    - i. the method further comprises performing the following steps, subsequent to steps b-f and before step g;
      
      A. selecting an additional target network node of the networked system on which the RASM is installed;
      
      B. based on the additional target network node, selecting an additional potential vulnerability that may compromise the additional target network node;
      
      C. receiving at the remote computing device and from the RASM installed on the additional target network node, internal data of the additional target network node;
      
      D. validating that the additional target network node could be successfully compromised using the additional potential vulnerability, the validating being carried out in a manner which does not expose the additional target network node to a risk of being compromised and which is based on the received internal data of the additional target network node; and
      
      E. based on the additional potential vulnerability, determining a method for an attacker to compromise the additional target network node; and
      
      ii. the determining of the security vulnerability of the networked system is further based on the method for an attacker to compromise the additional target network node.
  - 15. The method of claim 9, wherein the information about the determined security vulnerability of the networked system comprises at least one of:
    - (i) information about a method for compromising the target network node (ii) information about one or more network nodes of the networked system which are vulnerable to attack, (iii) information about one or more resources of the networked system that could be damaged or exported out of the networked system by an attacker, and (iv) information about an ordered list of network nodes of the networked system, wherein an attacker could use a specific network node in said ordered list that is already compromised as a basis for compromising another network node that immediately follows said specific network node in said ordered list.
  - 16. The method of claim 9, wherein the receiving of the internal data of the target network node is in response to sending by the remote computing device a message to the target network node, the message requesting specific internal data according to the selected potential vulnerability.

17. A penetration testing system for carrying out a penetration testing campaign of a networked system in cooperation with a reconnaissance agent software module (RASM) installed on at least some network nodes of the networked system, the penetration testing system comprising:
- A. a remote computing device comprising a computer memory and one or more processors, the remote computing device in electronic communication with the networked system; and
  
  B. a non-transitory computer-readable storage medium containing first, second, third, fourth, fifth, sixth, seventh and eighth program instructions of a penetration testing software module, wherein;
  
  a. execution of the first program instructions, by the one or more processors of the remote computing device and subsequent to installing the RASM on the at least some network nodes, initiates the penetration testing campaign;
  
  b. execution of the second program instructions, by the one or more processors of the remote computing device and subsequent to the initiating of the penetration testing campaign, selects a target network node of the networked system on which the RASM is installed;
  
  c. execution of the third program instructions, by the one or more processors of the remote computing device, selects, based on the target network node, a potential vulnerability that may compromise the target network node;
  
  d. execution of the fourth program instructions, by the one or more processors of the remote computing device and subsequent to the selecting of the potential vulnerability, receives at the remote computing device and from the RASM installed on the target network node, internal data of the target network node;
  
  e. execution of the fifth program instructions, by the one or more processors of the remote computing device, validates that the target network node could be successfully compromised using the selected potential vulnerability such that the validating is carried out in a manner which does not expose the target network node to a risk of being compromised and which is based on the received internal data of the target network node;
  
  f. execution of the sixth program instructions, by the one or more processors of the remote computing device, determines, based on the potential vulnerability, a method for an attacker to compromise the target network node;
  
  g. execution of the seventh program instructions, by the one or more processors of the remote computing device, determines, based on the method for an attacker to compromise the target network node, a security vulnerability of the networked system; and
  
  h. execution of the eighth program instructions, by the one or more processors of the remote computing device, reports the security vulnerability of the networked system, the reporting comprising at least one of (i) causing a display device to display a report including information about the determined security vulnerability of the networked system, (ii) recording the report including the information about the determined security vulnerability of the networked system in a file, and (iii) electronically transmitting the report including the information about the determined security vulnerability of the networked system.

18. A penetration testing system for carrying out a penetration testing campaign of a networked system in cooperation with a reconnaissance agent software module (RASM) installed on at least some network nodes of the networked system, the penetration testing system comprising:
- A. a remote computing device comprising a computer memory and one or more processors, the remote computing device in electronic communication with the networked system; and
  
  B. a non-transitory computer-readable storage medium containing first, second, third, fourth, fifth, sixth, seventh and eighth program instructions of a penetration testing software module, wherein;
  
  a. execution of the first program instructions, by the one or more processors of the remote computing device and subsequent to installing the RASM on the at least some network nodes, initiates the penetration testing campaign;
  
  b. execution of the second program instructions, by the one or more processors of the remote computing device and subsequent to the initiating of the penetration testing campaign, selects a target network node of the networked system on which the RASM is installed;
  
  c. execution of the third program instructions, by the one or more processors of the remote computing device, selects, based on the target network node, a potential vulnerability that may compromise the target network node;
  
  d. execution of the fourth program instructions, by the one or more processors of the remote computing device, receives at the remote computing device and from the RASM installed on the target network node, internal data of the target network node;
  
  e. execution of the fifth program instructions, by the one or more processors of the remote computing device, validates that the target network node could be successfully compromised using the selected potential vulnerability such that the validating is carried out in a manner which does not expose the target network node to a risk of being compromised and which is based on the received internal data of the target network node;
  
  f. execution of the sixth program instructions, by the one or more processors of the remote computing device, determines, based on the potential vulnerability, a method for an attacker to compromise the target network node;
  
  g. execution of the seventh program instructions, by the one or more processors of the remote computing device, determines, based on the method for an attacker to compromise the target network node, a security vulnerability of the networked system; and
  
  h. execution of the eighth program instructions, by the one or more processors of the remote computing device, reports the security vulnerability of the networked system, the reporting comprising at least one of (i) causing a display device to display a report including information about the determined security vulnerability of the networked system, (ii) recording the report including the information about the determined security vulnerability of the networked system in a file, and (iii) electronically transmitting the report including the information about the determined security vulnerability of the networked system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
XM Cyber Ltd. (Schwarz Unternehmenskommunikation GmbH & Co. KG)
Original Assignee
XM Cyber Ltd. (Schwarz Unternehmenskommunikation GmbH & Co. KG)
Inventors
Gorodissky, Boaz, Ashkenazy, Adi, Segal, Ronen
Primary Examiner(s)
Shaw, Brian F

Application Number

US15/983,309
Publication Number

US 20180270268A1
Time in Patent Office

326 Days
Field of Search
US Class Current
CPC Class Codes

H04L 41/048   mobile agents

H04L 43/50   Testing arrangements

H04L 63/1433   Vulnerability analysis

H04L 63/30   for supporting lawful inter...

Verifying success of compromising a network node during penetration testing of a networked system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

56 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Verifying success of compromising a network node during penetration testing of a networked system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

56 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links