Systems and methods for determining optimal remediation recommendations in penetration testing

US 10,382,473 B1
Filed: 03/21/2019
Issued: 08/13/2019
Est. Priority Date: 09/12/2018
Status: Active Grant

First Claim

Patent Images

1. A method for providing, by a penetration testing system, a recommendation for improving the security of a networked system against attackers, the method comprising:

a. carrying out one or more penetration tests of the networked system by the penetration testing system;

b. based on results of said one or more penetration tests of the networked system, determining multiple paths of attack available to the attackers, each path of attack of said determined multiple paths of attack being an ordered sequence of one or more attacker steps and one or more sub-goals, wherein there is at least one pair of equivalent attacker steps that can both be blocked by a single remediation action and that are included in different paths of attack of said determined multiple paths of attack;

c. obtaining a vulnerability metric that calculates a vulnerability score for any group of zero or more paths of attack available to the attackers;

d. for each specific attacker step that is included in at least one of said determined multiple paths of attack;

i. defining a corresponding group of paths of attack including said determined multiple paths of attack following exclusion therefrom of any path of attack that includes said specific attacker step and any path of attack that includes an attacker step that is equivalent to said specific attacker step, andii. setting a vulnerability grade of said specific attacker step based on a vulnerability score calculated by said vulnerability metric for said corresponding group of paths of attack;

e. selecting one attacker step included in at least one of said determined multiple paths of attack, the selecting of said one attacker step being based on the vulnerability grades of the attacker steps included in at least one of said determined multiple paths of attack; and

f. providing a recommendation to block said selected one attacker step to improve the security of the networked system, said providing of said recommendation comprising at least one operation selected from the group consisting of;

i. causing a display device to display information about said recommendation,ii. recording said information about said recommendation in a file, andiii. electronically transmitting said information about said recommendation.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for providing a recommendation for improving the security of a networked system against attackers. The recommendation may include a recommendation of a single attacker step to be blocked to achieve optimal improvement in security, or of multiple such attacker steps. If the recommendation includes multiple attacker steps, the steps may be ordered such that the first attacker step is more important to block, provides a greater benefit by blocking, or is more cost effective to block than subsequent attacker steps in the ordered list of attacker steps.

129 Citations

View as Search Results

20 Claims

1. A method for providing, by a penetration testing system, a recommendation for improving the security of a networked system against attackers, the method comprising:
- a. carrying out one or more penetration tests of the networked system by the penetration testing system;
  
  b. based on results of said one or more penetration tests of the networked system, determining multiple paths of attack available to the attackers, each path of attack of said determined multiple paths of attack being an ordered sequence of one or more attacker steps and one or more sub-goals, wherein there is at least one pair of equivalent attacker steps that can both be blocked by a single remediation action and that are included in different paths of attack of said determined multiple paths of attack;
  
  c. obtaining a vulnerability metric that calculates a vulnerability score for any group of zero or more paths of attack available to the attackers;
  
  d. for each specific attacker step that is included in at least one of said determined multiple paths of attack;
  
  i. defining a corresponding group of paths of attack including said determined multiple paths of attack following exclusion therefrom of any path of attack that includes said specific attacker step and any path of attack that includes an attacker step that is equivalent to said specific attacker step, andii. setting a vulnerability grade of said specific attacker step based on a vulnerability score calculated by said vulnerability metric for said corresponding group of paths of attack;
  
  e. selecting one attacker step included in at least one of said determined multiple paths of attack, the selecting of said one attacker step being based on the vulnerability grades of the attacker steps included in at least one of said determined multiple paths of attack; and
  
  f. providing a recommendation to block said selected one attacker step to improve the security of the networked system, said providing of said recommendation comprising at least one operation selected from the group consisting of;
  
  i. causing a display device to display information about said recommendation,ii. recording said information about said recommendation in a file, andiii. electronically transmitting said information about said recommendation.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein said selecting of said one attacker step included in at least one of said determined multiple paths of attack comprises selecting one attacker step whose vulnerability grade meets a predefined criterion.
  - 3. The method of claim 1, further comprising representing said determined multiple paths of attack available to the attackers by a graph, where each given path of attack of said determined multiple paths of attack corresponds to a path in said graph.
  - 4. The method of claim 1, further comprising representing said determined multiple paths of attack available to the attackers by a list, where each given path of attack of said determined multiple paths of attack corresponds to an item in said list that includes all sub-goals and all attacker steps included in said given path of attack.
  - 5. The method of claim 1, wherein each given path of attack of said determined multiple paths of attack starts at a starting sub-goal that is assumed to be achievable by the attackers and ends at a final sub-goal which is assumed to be a goal of the attackers in at least one test of said one or more tests.
  - 6. The method of claim 1, wherein said obtaining said vulnerability metric comprises obtaining a vulnerability metric that, for any group of one or more paths of attack available to the attackers, calculates said vulnerability score based on at least one member selected from the list consisting of:
    - costs of exploitation of attacker steps included in paths of attack included in said group of one or more paths of attack, costs of remediation of attacker steps included in paths of attack included in said group of one or more paths of attack, and probabilities of success of attacker steps included in paths of attack included in said group of one or more paths of attack.
  - 7. The method of claim 1, wherein (i) said selected one attacker step is equivalent to another attacker step included in a path of attack of said determined multiple paths of attack, and (ii) said recommendation comprises a recommendation to block said selected one attacker step and said another attacker step by carrying out a common remediation action.

8. A method for providing, by a penetration testing system, a recommendation for improving the security of a networked system against attackers, the method comprising:
- a. initializing a list of attacker steps that should be blocked to be an empty list;
  
  b. obtaining a halting condition, said halting condition including a Boolean condition applied to the list of attacker steps;
  
  c. carrying out one or more tests of the networked system by the penetration testing system;
  
  d. based on results of said one or more tests of the networked system, determining multiple paths of attack available to the attackers, each path of attack of said determined multiple paths of attack being an ordered sequence of one or more attacker steps and one or more sub-goals, wherein there is at least one pair of equivalent attacker steps that can both be blocked by a single remediation action and that are included in different paths of attack of said determined multiple paths of attack;
  
  e. initializing a group of relevant paths of attack to consist of said determined multiple paths of attack;
  
  f. obtaining a vulnerability metric that calculates a vulnerability score for any group of zero or more paths of attack available to the attackers;
  
  g. for each specific attacker step included in at least one member of said group of relevant paths of attack;
  
  i. defining a corresponding group of paths of attack including all members of said group of relevant paths of attack following exclusion therefrom of any path of attack that includes said specific attacker step and any path of attack that includes an attacker step that is equivalent to said specific attacker step, andii. setting a vulnerability grade of said specific attacker step based on a vulnerability score calculated by said vulnerability metric for said corresponding group of paths of attack;
  
  h. selecting one attacker step included in at least one member of said group of relevant paths of attack and adding said one attacker step to said list of attacker steps, the selecting of said one attacker step being based on the vulnerability grades of the attacker steps included in at least one member of said group of relevant paths of attack;
  
  i. modifying said group of relevant paths of attack by removing from it every path of attack that includes said one attacker step or an attacker step equivalent to said one attacker step;
  
  j. evaluating said halting condition for said list of attacker steps;
  
  k. in response to determining that (i) said halting condition is not satisfied, and (ii) said group of relevant paths of attack includes at least one path of attack, repeating steps g to k; and
  
  l. in response to determining that (i) said halting condition is satisfied, or (ii) said group of relevant paths of attack is empty, providing a recommendation to block one or more attacker steps from said list of attacker steps, thereby to improve the security of the networked system, said providing of said recommendation comprising at least one operation selected from the group consisting of;
  
  I. causing a display device to display information about said recommendation,II. recording said information about said recommendation in a file, andIII. electronically transmitting said information about said recommendation.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 9. The method of claim 8, wherein said selecting of said one attacker step included in at least one member of said group of relevant paths of attack comprises selecting one attacker step whose vulnerability grade meets a predefined criterion.
  - 10. The method of claim 8, further comprising representing said determined multiple paths of attack available to the attackers by a graph, where each given path of attack of said determined multiple paths of attack corresponds to a path in said graph.
  - 11. The method of claim 8, further comprising representing said determined multiple paths of attack available to the attackers by a list, where each given path of attack of said determined multiple paths of attack corresponds to an item in said list that includes all sub-goals and all attacker steps included in said given path of attack.
  - 12. The method of claim 8, wherein each given path of attack of said determined multiple paths of attack starts with a starting sub-goal that is assumed to be achievable by the attackers and ends with a final sub-goal which is assumed to be a goal of the attackers in at least one test of said one or more tests.
  - 13. The method of claim 8, wherein, said obtaining said vulnerability metric comprises obtaining a vulnerability metric that, for any group of one or more paths of attack available to the attackers, calculates said vulnerability score based on at least one member selected from the list consisting of:
    - costs of exploitation of attacker steps included in paths of attack included in said group of one or more paths of attack, costs of remediation of attacker steps included in paths of attack included in said group of one or more paths of attack, and probabilities of success of attacker steps included in paths of attack included in said group of one or more paths of attack.
  - 14. The method of claim 8, wherein (i) said list of attacker steps includes a first attacker step that is equivalent to a second attacker step included in a path of attack of said determined multiple paths of attack and not included in the list of attacker steps, and (ii) said recommendation comprises a recommendation to block said first attacker step and said second attacker step by carrying out a common remediation action.
  - 15. The method of claim 8, wherein (i) said list of attacker steps is an ordered list of attacker steps, (ii) the adding of said one attacker step to said list of attacker steps includes adding said one attacker step at an end of said ordered list of attacker steps such that said one attacker step becomes a last member of said ordered list of attacker steps, and (iii) said providing a recommendation to block one or more attacker steps from said list of attacker steps includes providing a recommendation to block said one or more attacker steps from said list of attacker steps according to an order of said one or more attacker steps in said ordered list of attacker steps.
  - 16. The method of claim 8, wherein said halting condition is true if and only if said list of attacker steps consists of one attacker step.
  - 17. The method of claim 8, wherein said halting condition is true if and only if said list of attacker steps consists of a pre-determined number of attacker steps.
  - 18. The method of claim 8, wherein said halting condition is true if and only if a sum of remediation costs of all members of said list of attacker steps satisfies a second Boolean condition.

19. A system for providing a recommendation for improving the security of a networked system against attackers, the system comprising:
- a. a penetration-testing-campaign module including;
  
  i. one or more penetration-testing-campaign hardware processors, andii. a penetration-testing-campaign non-transitory computer readable storage medium for instructions execution by the one or more penetration-testing-campaign hardware processors, the penetration-testing-campaign non-transitory computer readable storage medium having stored instructions to carry out one or more penetration tests of the networked system; and
  
  b. an attacker-step-selection module including;
  
  i. one or more attacker-step-selection hardware processors, andii. an attacker-step-selection non-transitory computer readable storage medium for instructions execution by the one or more attacker-step-selection hardware processors, the attacker-step-selection non-transitory computer readable storage medium having stored;
  
  1. instructions to receive, from said penetration-testing-campaign module, results of said one or more penetration tests of the networked system;
  
  2. instructions to determine, based on said received results, multiple paths of attack available to the attackers, each path of attack of said determined multiple paths of attack being an ordered sequence of one or more attacker steps and one or more sub-goals, wherein there is at least one pair of equivalent attacker steps that can both be blocked by a single remediation action and that are included in different paths of attack of said determined multiple paths of attack;
  
  3. instructions to obtain a vulnerability metric that calculates a vulnerability score for any group of zero or more paths of attack available to the attackers;
  
  4. instructions to be carried out for each specific attacker step that is included in at least one of said determined multiple paths of attack, including;
  
  A. instructions to define a corresponding group of paths of attack including said determined multiple paths of attack following exclusion therefrom of any path of attack that includes said specific attacker step and any path of attack that includes an attacker step that is equivalent to said specific attacker step, andB. instructions to set a vulnerability grade of said specific attacker step based on a vulnerability score calculated by said vulnerability metric for said corresponding group of paths of attack; and
  
  5. instructions to select one attacker step included in at least one of said determined multiple paths of attack, the selection of said one attacker step being based on the vulnerability grades of the attacker steps included in at least one of said determined multiple paths of attack; and
  
  c. a reporting module including;
  
  i. one or more reporting hardware processors, andii. a reporting non-transitory computer readable storage medium for instructions execution by the one or more reporting hardware processors, the reporting non-transitory computer readable storage medium having stored;
  
  1. instructions to receive, from said attacker-step-selection module, said selected one attacker step, and2. instructions to provide a recommendation to block said selected one attacker step to improve the security of the networked system, the instructions to provide said recommendation including at least one of (I) instructions to cause a display device to display information about said recommendation, (II) instructions to record said information about said recommendation in a file and (Ill) instructions to electronically transmit said information about said recommendation.

20. A system for providing a recommendation for improving the security of a networked system against attackers, the system comprising:
- a. a penetration-testing-campaign module including;
  
  i. one or more penetration-testing-campaign hardware processors, andii. a penetration-testing-campaign non-transitory computer readable storage medium for instructions execution by the one or more penetration-testing-campaign hardware processors, the penetration-testing-campaign non-transitory computer readable storage medium having stored instructions to carry out one or more penetration tests of the networked system; and
  
  b. an attacker-steps-selection module including;
  
  i. one or more attacker-steps-selection hardware processors, andii. an attacker-steps-selection non-transitory computer readable storage medium for instructions execution by the one or more attacker-steps-selection hardware processors, the attacker-steps-selection non-transitory computer readable storage medium having stored;
  
  1. first instructions to initialize a list of attacker steps that should be blocked to be an empty list;
  
  2. second instructions to obtain a halting condition, said halting condition including a Boolean condition applied to the list of attacker steps;
  
  3. third instructions to receive, from said penetration-testing-campaign module, results of said one or more penetration tests of the networked system;
  
  4. fourth instructions to determine, based on said results of said one or more penetration tests of the networked system, multiple paths of attack available to the attackers, each path of attack of said determined multiple paths of attack being an ordered sequence of one or more attacker steps and one or more sub-goals, wherein there is at least one pair of equivalent attacker steps that can both be blocked by a single remediation action and that are included in different paths of attack of said determined multiple paths of attack;
  
  5. fifth instructions to initialize a group of relevant paths of attack to consist of said determined multiple paths of attack;
  
  6. sixth instructions to obtain a vulnerability metric that calculates a vulnerability score for any group of zero or more paths of attack available to the attackers;
  
  7. seventh instructions to be carried out for each specific attacker step included in at least one member of said group of relevant paths of attack, including;
  
  A. instructions to define a corresponding group of paths of attack including all members of said group of relevant paths of attack following exclusion therefrom of any path of attack that includes said specific attacker step and any path of attack that includes an attacker step that is equivalent to said specific attacker step, andB. instructions to set a vulnerability grade of said specific attacker step based on a vulnerability score calculated by said vulnerability metric for said corresponding group of paths of attack;
  
  8. eighth instructions to select one attacker step included in at least one member of said group of relevant paths of attack and to add said one attacker step to said list of attacker steps, the selection of said one attacker step being based on the vulnerability grades of the attacker steps included in at least one member of said group of relevant paths of attack;
  
  9. ninth instructions to modify said group of relevant paths of attack by removing from it every path of attack that includes said one attacker step or an attacker step equivalent to said one attacker step;
  
  10. tenth instructions to evaluate said halting condition for said list of attacker steps;
  
  11. eleventh instructions, to be carried out in response to determining that (I) said halting condition is not satisfied, and (II) said group of relevant paths of attack includes at least one path of attack, to repeat said seventh instructions to said eleventh instructions; and
  
  12. twelfth instructions, to be carried out in response to determining that (I) said halting condition is satisfied, or (II) said group of relevant paths of attack is empty, to select one or more attacker steps from said list of attacker steps; and
  
  c. a reporting module including;
  
  i. one or more reporting hardware processors, andii. a reporting non-transitory computer readable storage medium for instructions execution by the one or more reporting hardware processors, the reporting non-transitory computer readable storage medium having stored;
  
  1. instructions to receive, from said attacker-steps-selection module, said selected one or more attacker steps; and
  
  2. instructions to provide a recommendation to block said selected one or more attacker steps to improve the security of the networked system, the instructions to provide said recommendation including at least one member selected from a group consisting of (I) instructions to cause a display device to display information about said recommendation, (II) instructions to record said information about said recommendation in a file and (Ill) instructions to electronically transmit said information about said recommendation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
XM Cyber Ltd. (Schwarz Unternehmenskommunikation GmbH & Co. KG)
Original Assignee
XM Cyber Ltd. (Schwarz Unternehmenskommunikation GmbH & Co. KG)
Inventors
Ashkenazy, Adi, Zini, Shahar, Lasser, Menahem
Primary Examiner(s)
Holder, Bradley W

Application Number

US16/360,063
Time in Patent Office

145 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/034   Test or assess a computer o...

H04L 63/1433   Vulnerability analysis

H04L 63/1466   Active attacks involving in...

Systems and methods for determining optimal remediation recommendations in penetration testing

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

129 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for determining optimal remediation recommendations in penetration testing

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

129 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links