Systems and methods for determining optimal remediation recommendations in penetration testing
First Claim
1. A method for providing, by a penetration testing system, a recommendation for improving the security of a networked system against attackers, the method comprising:
a. carrying out one or more penetration tests of the networked system by the penetration testing system;
b. based on results of said one or more penetration tests of the networked system, determining multiple paths of attack available to the attackers, each path of attack of said determined multiple paths of attack being an ordered sequence of one or more attacker steps and one or more sub-goals, wherein there is at least one pair of equivalent attacker steps that can both be blocked by a single remediation action and that are included in different paths of attack of said determined multiple paths of attack;
c. obtaining a vulnerability metric that calculates a vulnerability score for any group of zero or more paths of attack available to the attackers;
d. for each specific attacker step that is included in at least one of said determined multiple paths of attack:
   i. defining a corresponding group of paths of attack including said determined multiple paths of attack following exclusion therefrom of any path of attack that includes said specific attacker step and any path of attack that includes an attacker step that is equivalent to said specific attacker step, and
   ii. setting a vulnerability grade of said specific attacker step based on a vulnerability score calculated by said vulnerability metric for said corresponding group of paths of attack;
e. selecting one attacker step included in at least one of said determined multiple paths of attack, the selecting of said one attacker step being based on the vulnerability grades of the attacker steps included in at least one of said determined multiple paths of attack; and
f. providing a recommendation to block said selected one attacker step to improve the security of the networked system, said providing of said recommendation comprising at least one operation selected from the group consisting of:
   i. causing a display device to display information about said recommendation,
   ii. recording said information about said recommendation in a file, and
   iii. electronically transmitting said information about said recommendation.
1 Assignment
0 Petitions
Abstract
Methods and systems for providing a recommendation for improving the security of a networked system against attackers. The recommendation may include a recommendation of a single attacker step to be blocked to achieve optimal improvement in security, or of multiple such attacker steps. If the recommendation includes multiple attacker steps, the steps may be ordered such that the first attacker step is more important to block, provides a greater benefit by blocking, or is more cost effective to block than subsequent attacker steps in the ordered list of attacker steps.
20 Claims

1. Independent claim; full text given above under First Claim. Dependent claims: 2, 3, 4, 5, 6, 7.
8. A method for providing, by a penetration testing system, a recommendation for improving the security of a networked system against attackers, the method comprising:
a. initializing a list of attacker steps that should be blocked to be an empty list;
b. obtaining a halting condition, said halting condition including a Boolean condition applied to the list of attacker steps;
c. carrying out one or more tests of the networked system by the penetration testing system;
d. based on results of said one or more tests of the networked system, determining multiple paths of attack available to the attackers, each path of attack of said determined multiple paths of attack being an ordered sequence of one or more attacker steps and one or more sub-goals, wherein there is at least one pair of equivalent attacker steps that can both be blocked by a single remediation action and that are included in different paths of attack of said determined multiple paths of attack;
e. initializing a group of relevant paths of attack to consist of said determined multiple paths of attack;
f. obtaining a vulnerability metric that calculates a vulnerability score for any group of zero or more paths of attack available to the attackers;
g. for each specific attacker step included in at least one member of said group of relevant paths of attack:
   i. defining a corresponding group of paths of attack including all members of said group of relevant paths of attack following exclusion therefrom of any path of attack that includes said specific attacker step and any path of attack that includes an attacker step that is equivalent to said specific attacker step, and
   ii. setting a vulnerability grade of said specific attacker step based on a vulnerability score calculated by said vulnerability metric for said corresponding group of paths of attack;
h. selecting one attacker step included in at least one member of said group of relevant paths of attack and adding said one attacker step to said list of attacker steps, the selecting of said one attacker step being based on the vulnerability grades of the attacker steps included in at least one member of said group of relevant paths of attack;
i. modifying said group of relevant paths of attack by removing from it every path of attack that includes said one attacker step or an attacker step equivalent to said one attacker step;
j. evaluating said halting condition for said list of attacker steps;
k. in response to determining that (i) said halting condition is not satisfied, and (ii) said group of relevant paths of attack includes at least one path of attack, repeating steps g to k; and
l. in response to determining that (i) said halting condition is satisfied, or (ii) said group of relevant paths of attack is empty, providing a recommendation to block one or more attacker steps from said list of attacker steps, thereby to improve the security of the networked system, said providing of said recommendation comprising at least one operation selected from the group consisting of:
   I. causing a display device to display information about said recommendation,
   II. recording said information about said recommendation in a file, and
   III. electronically transmitting said information about said recommendation.
Dependent claims: 9, 10, 11, 12, 13, 14, 15, 16, 17, 18.

19. A system for providing a recommendation for improving the security of a networked system against attackers, the system comprising:
a. a penetration-testing-campaign module including:
   i. one or more penetration-testing-campaign hardware processors, and
   ii. a penetration-testing-campaign non-transitory computer readable storage medium for instructions execution by the one or more penetration-testing-campaign hardware processors, the penetration-testing-campaign non-transitory computer readable storage medium having stored instructions to carry out one or more penetration tests of the networked system; and
b. an attacker-step-selection module including:
   i. one or more attacker-step-selection hardware processors, and
   ii. an attacker-step-selection non-transitory computer readable storage medium for instructions execution by the one or more attacker-step-selection hardware processors, the attacker-step-selection non-transitory computer readable storage medium having stored:
      1. instructions to receive, from said penetration-testing-campaign module, results of said one or more penetration tests of the networked system;
      2. instructions to determine, based on said received results, multiple paths of attack available to the attackers, each path of attack of said determined multiple paths of attack being an ordered sequence of one or more attacker steps and one or more sub-goals, wherein there is at least one pair of equivalent attacker steps that can both be blocked by a single remediation action and that are included in different paths of attack of said determined multiple paths of attack;
      3. instructions to obtain a vulnerability metric that calculates a vulnerability score for any group of zero or more paths of attack available to the attackers;
      4. instructions to be carried out for each specific attacker step that is included in at least one of said determined multiple paths of attack, including:
         A. instructions to define a corresponding group of paths of attack including said determined multiple paths of attack following exclusion therefrom of any path of attack that includes said specific attacker step and any path of attack that includes an attacker step that is equivalent to said specific attacker step, and
         B. instructions to set a vulnerability grade of said specific attacker step based on a vulnerability score calculated by said vulnerability metric for said corresponding group of paths of attack; and
      5. instructions to select one attacker step included in at least one of said determined multiple paths of attack, the selection of said one attacker step being based on the vulnerability grades of the attacker steps included in at least one of said determined multiple paths of attack; and
c. a reporting module including:
   i. one or more reporting hardware processors, and
   ii. a reporting non-transitory computer readable storage medium for instructions execution by the one or more reporting hardware processors, the reporting non-transitory computer readable storage medium having stored:
      1. instructions to receive, from said attacker-step-selection module, said selected one attacker step, and
      2. instructions to provide a recommendation to block said selected one attacker step to improve the security of the networked system, the instructions to provide said recommendation including at least one of (I) instructions to cause a display device to display information about said recommendation, (II) instructions to record said information about said recommendation in a file and (III) instructions to electronically transmit said information about said recommendation.

20. A system for providing a recommendation for improving the security of a networked system against attackers, the system comprising:
a. a penetration-testing-campaign module including:
   i. one or more penetration-testing-campaign hardware processors, and
   ii. a penetration-testing-campaign non-transitory computer readable storage medium for instructions execution by the one or more penetration-testing-campaign hardware processors, the penetration-testing-campaign non-transitory computer readable storage medium having stored instructions to carry out one or more penetration tests of the networked system; and
b. an attacker-steps-selection module including:
   i. one or more attacker-steps-selection hardware processors, and
   ii. an attacker-steps-selection non-transitory computer readable storage medium for instructions execution by the one or more attacker-steps-selection hardware processors, the attacker-steps-selection non-transitory computer readable storage medium having stored:
      1. first instructions to initialize a list of attacker steps that should be blocked to be an empty list;
      2. second instructions to obtain a halting condition, said halting condition including a Boolean condition applied to the list of attacker steps;
      3. third instructions to receive, from said penetration-testing-campaign module, results of said one or more penetration tests of the networked system;
      4. fourth instructions to determine, based on said results of said one or more penetration tests of the networked system, multiple paths of attack available to the attackers, each path of attack of said determined multiple paths of attack being an ordered sequence of one or more attacker steps and one or more sub-goals, wherein there is at least one pair of equivalent attacker steps that can both be blocked by a single remediation action and that are included in different paths of attack of said determined multiple paths of attack;
      5. fifth instructions to initialize a group of relevant paths of attack to consist of said determined multiple paths of attack;
      6. sixth instructions to obtain a vulnerability metric that calculates a vulnerability score for any group of zero or more paths of attack available to the attackers;
      7. seventh instructions to be carried out for each specific attacker step included in at least one member of said group of relevant paths of attack, including:
         A. instructions to define a corresponding group of paths of attack including all members of said group of relevant paths of attack following exclusion therefrom of any path of attack that includes said specific attacker step and any path of attack that includes an attacker step that is equivalent to said specific attacker step, and
         B. instructions to set a vulnerability grade of said specific attacker step based on a vulnerability score calculated by said vulnerability metric for said corresponding group of paths of attack;
      8. eighth instructions to select one attacker step included in at least one member of said group of relevant paths of attack and to add said one attacker step to said list of attacker steps, the selection of said one attacker step being based on the vulnerability grades of the attacker steps included in at least one member of said group of relevant paths of attack;
      9. ninth instructions to modify said group of relevant paths of attack by removing from it every path of attack that includes said one attacker step or an attacker step equivalent to said one attacker step;
      10. tenth instructions to evaluate said halting condition for said list of attacker steps;
      11. eleventh instructions, to be carried out in response to determining that (I) said halting condition is not satisfied, and (II) said group of relevant paths of attack includes at least one path of attack, to repeat said seventh instructions to said eleventh instructions; and
      12. twelfth instructions, to be carried out in response to determining that (I) said halting condition is satisfied, or (II) said group of relevant paths of attack is empty, to select one or more attacker steps from said list of attacker steps; and
c. a reporting module including:
   i. one or more reporting hardware processors, and
   ii. a reporting non-transitory computer readable storage medium for instructions execution by the one or more reporting hardware processors, the reporting non-transitory computer readable storage medium having stored:
      1. instructions to receive, from said attacker-steps-selection module, said selected one or more attacker steps; and
      2. instructions to provide a recommendation to block said selected one or more attacker steps to improve the security of the networked system, the instructions to provide said recommendation including at least one member selected from a group consisting of (I) instructions to cause a display device to display information about said recommendation, (II) instructions to record said information about said recommendation in a file and (III) instructions to electronically transmit said information about said recommendation.

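The selection procedure that claims 1, 8, 19 and 20 describe in words (grade each attacker step by the vulnerability score of the paths that survive once every path containing that step, or an equivalent step, is excluded; pick the lowest-graded step; and, in the iterative form, prune the blocked paths and repeat until a halting condition holds or no relevant path remains) is shown below as a runnable Python example. This is an added illustration and not code from the patent or its assignee. The attack paths, attacker-step names, the step-to-remediation mapping that defines equivalence, the asset values and the asset-value-based vulnerability metric are all constructed assumptions; the patent leaves the metric open.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class AttackPath:
    """One path of attack: an ordered sequence of attacker steps that ends at a sub-goal."""
    steps: tuple[str, ...]
    goal: str


# --- Constructed sample data (hypothetical network; not from the patent) ---
# Two attacker steps are "equivalent" when one remediation action blocks both.
REMEDIATION: dict[str, str] = {
    "phish_alice": "phishing_training",
    "phish_bob": "phishing_training",
    "smb_exploit_fileserver": "disable_legacy_smb",
    "smb_exploit_printserver": "disable_legacy_smb",
    "dump_cached_creds": "enable_credential_guard",
    "pass_the_hash": "enable_lsa_protection",
    "rdp_weak_password": "enforce_password_policy",
}

# Assumed value of each sub-goal (asset) an attacker could reach.
ASSET_VALUE: dict[str, int] = {"domain_admin": 10, "finance_share": 6, "hr_database": 4}

# Paths a penetration-testing campaign is assumed to have found.
PATHS: list[AttackPath] = [
    AttackPath(("phish_alice", "dump_cached_creds", "pass_the_hash"), "domain_admin"),
    AttackPath(("phish_bob", "smb_exploit_fileserver"), "finance_share"),
    AttackPath(("rdp_weak_password", "smb_exploit_printserver"), "hr_database"),
    AttackPath(("phish_alice", "smb_exploit_fileserver"), "finance_share"),
]

Metric = Callable[[list[AttackPath]], int]
Halting = Callable[[list[str]], bool]


def vulnerability_score(paths: list[AttackPath]) -> int:
    """Example vulnerability metric: total value of assets reachable by at least one path.

    Defined for any group of zero or more paths; the empty group scores 0.
    """
    return sum(ASSET_VALUE[goal] for goal in {p.goal for p in paths})


def equivalent(a: str, b: str) -> bool:
    """Equivalent steps are those blocked by the same single remediation action."""
    return REMEDIATION[a] == REMEDIATION[b]


def paths_not_blocked_by(paths: list[AttackPath], step: str) -> list[AttackPath]:
    """Drop every path containing `step` or a step equivalent to it."""
    return [p for p in paths if not any(equivalent(step, s) for s in p.steps)]


def grade_steps(paths: list[AttackPath], metric: Metric) -> dict[str, int]:
    """Grade each attacker step by the score the metric gives to the paths that
    survive blocking it (claim 1, step d). A lower grade means blocking helps more."""
    steps = sorted({s for p in paths for s in p.steps})  # sorted so ties resolve deterministically
    return {step: metric(paths_not_blocked_by(paths, step)) for step in steps}


def recommend_single(paths: list[AttackPath], metric: Metric) -> tuple[str, dict[str, int]]:
    """Claim 1: recommend the one step whose blocking leaves the lowest residual score."""
    grades = grade_steps(paths, metric)
    best = min(grades, key=grades.__getitem__)  # first minimum in sorted order wins ties
    return best, grades


def recommend_blocklist(paths: list[AttackPath], metric: Metric, halting: Halting) -> list[str]:
    """Claim 8: greedy loop. Select the best step against the still-relevant paths,
    record it, prune the paths it (or an equivalent step) blocks, and repeat until
    the halting condition holds or no relevant path remains."""
    blocklist: list[str] = []
    relevant = list(paths)
    while relevant:
        step, _ = recommend_single(relevant, metric)
        blocklist.append(step)
        relevant = paths_not_blocked_by(relevant, step)
        if halting(blocklist):
            break
    return blocklist


if __name__ == "__main__":
    step, grades = recommend_single(PATHS, vulnerability_score)
    print(f"baseline score: {vulnerability_score(PATHS)}")
    for name, grade in grades.items():
        print(f"  block {name:<24} -> residual score {grade}")
    print(f"claim 1 recommendation: block {step} via {REMEDIATION[step]}")
    plan = recommend_blocklist(PATHS, vulnerability_score, lambda lst: len(lst) >= 2)
    print("claim 8 ordered blocklist:", plan)
```

With the constructed data the baseline score is 20; blocking either phishing step (both map to the same remediation) leaves only the RDP path and a residual score of 4, so claim 1 selects `phish_alice`. The claim 8 loop then re-grades only the surviving path and appends `rdp_weak_password`, giving an ordered list in which the first entry is the step whose blocking alone yields the largest improvement, which is the ordering the abstract describes. The halting condition is any Boolean predicate over the growing list (here a length limit); the loop also stops on its own once no relevant path remains.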
Specification