Historical exploit and vulnerability detection

US 10,454,963 B1
Filed: 08/01/2016
Issued: 10/22/2019
Est. Priority Date: 07/31/2015
Status: Active Grant

First Claim

Patent Images

1. A method for improving security of networked information technology (“

IT”

) assets in an IT infrastructure, comprising;

performing a vulnerability scan for one or more of the networked IT assets;

for a detected vulnerability of a respective one of the networked IT assets, determining one or more observables that indicate exploitation of the detected vulnerability;

searching a historic event log of the respective one of the networked IT assets for the one or more observables; and

determining whether the detected vulnerability was exploited in a past attack at the respective one of the networked IT assets using results of the searching;

wherein the determining the one or more observables that indicate exploitation of the detected vulnerability comprises;

converting a result from the vulnerability scan into a STIX (structured threat information expression) language expression including a common vulnerability enumeration (CVE) value; and

extracting the one or more observables from a vulnerability database using the STIX language expression.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed herein are representative embodiments of methods, apparatus, and systems for improving the functioning of IT assets in an IT infrastructure. The embodiments help secure and protect against outside cybersecurity attacks on IT assets and infrastructures, such as internet-centric attacks. Particular embodiments comprise detecting exploitable vulnerabilities of IT assets of an IT infrastructure, using the observed vulnerability data together with collected event log data to determine whether a respective vulnerability has actually been exploited for an asset, integrating change audit data and third-party threat data with the vulnerability data for exploited vulnerabilities, generating user interfaces/reports that display selected aspects of the integrated data, and/or modifying the asset to address the exploited vulnerability in response.

77 Citations

View as Search Results

19 Claims

1. A method for improving security of networked information technology (“
- IT”
  
  ) assets in an IT infrastructure, comprising;
  
  performing a vulnerability scan for one or more of the networked IT assets;
  
  for a detected vulnerability of a respective one of the networked IT assets, determining one or more observables that indicate exploitation of the detected vulnerability;
  
  searching a historic event log of the respective one of the networked IT assets for the one or more observables; and
  
  determining whether the detected vulnerability was exploited in a past attack at the respective one of the networked IT assets using results of the searching;
  
  wherein the determining the one or more observables that indicate exploitation of the detected vulnerability comprises;
  
  converting a result from the vulnerability scan into a STIX (structured threat information expression) language expression including a common vulnerability enumeration (CVE) value; and
  
  extracting the one or more observables from a vulnerability database using the STIX language expression.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising:
    - upon determining that the detected vulnerability was exploited in the past attack, altering a tag for the respective one of the networked IT assets in a security configuration management tool to a state indicating that the respective one of the networked IT assets has been exploited.
  - 3. The method of claim 1, further comprising:
    - upon determining that the detected vulnerability was exploited in the past attack, obtaining one or more change audit reports from a security configuration management tool, the change audit reports including data concerning file changes performed at the respective one of the networked IT assets.
  - 4. The method of claim 3, wherein the obtaining the one or more change audit reports comprises retrieving change audit reports from a time frame that encompasses a time of a first set of one or more observables for the detected vulnerability and that is expanded to further encompass a time of a second set of one or more observables for the detected vulnerability.
  - 5. The method of claim 1, further comprising:
    - upon determining that the detected vulnerability was exploited in a past attack, obtaining data from a third-party threat intelligence service indicating one or more of a severity of the past attack or an identity of a source of the past attack.
  - 6. The method of claim 1, further comprising:
    - modifying the respective one of the networked IT assets to remedy the vulnerability.
  - 7. The method of claim 1, wherein the searching of the historic event log of the respective one of the networked IT assets for the one or more observables is an adaptive search performed by:
    - searching for the one or more observables in a first historic time frame; and
      
      conditional on the one or more observables not being found or being found in the first historic time frame, searching for the one or more observables in a second historic time frame earlier than the first historic time frame.
  - 8. The method of claim 1, wherein the one or more observables are specified as a CybOX description characterized by Boolean operators that indicate conditions which, when satisfied, evidence an actual attack through the detected vulnerability.
  - 9. The method of claim 1, wherein the vulnerability database is a remote third-party vulnerability database.
  - 10. The method of claim 1, further comprising:
    - displaying an integrated report visually indicating one or more of;
      
      (a) an IP address of the respective one of the networked IT assets, (b) an attack count value identifying a number of attacks of the detected vulnerability, (c) an attacker count value identifying a number of unique attackers responsible for the attacks, (d) a changed files value identifying a number of changed files observed at the respective one of the networked IT assets as a result of the attacks and as memorialized by an security configuration management tool monitoring the IT assets, (e) a vulnerability count value identifying a number of vulnerabilities observed at the respective one of the networked IT assets upon perform the vulnerability scan, or (f) an exploit count value identifying a number of those vulnerabilities that were actually exploited.
  - 11. The method of claim 1, further comprising:
    - displaying an integrated report visually indicating one or more of;
      
      (a) a vulnerability ID value for the detected vulnerability;
      
      (b) a target value indicating an IP address of the asset on which the detected vulnerability was observed;
      
      (c) an attacker ID value indicating an IP address of a source of the attack on the detected vulnerability;
      
      (d) a time value indicating a date and time of the attack;
      
      or (e) log data indicating the one or more observables that evidence the attack.

12. One or more non-transitory computer-readable media storing computer-executable instructions, which when executed by a computer cause the computer to perform a method, the method comprising:
- searching a historic event log of an IT asset for one or more observables, the one or more observables being events or properties that evidence exploitation of a vulnerability at the IT asset;
  
  determining that the vulnerability was exploited in one or more past attacks of the IT asset using results of the searching;
  
  searching a bounded time frame encompassing the times of the one or more past attacks to obtain one or more change audit reports from a security configuration management tool, the change audit reports including data concerning file changes performed at the IT asset in the bounded time frame; and
  
  displaying an integrated report that reports the one or more past attacks of the IT asset together with change data obtained from the change audit reports.
- View Dependent Claims (13, 14, 15)
- - 13. The one or more non-transitory computer-readable media of claim 12, wherein the searching the historic event log is performed in an adaptive process that expands a historic time frame searched conditionally upon not finding evidence of a past attack exploiting the vulnerability of the IT asset in a smaller historic time frame.
  - 14. The one or more non-transitory computer-readable media of claim 12, wherein the method further comprises obtaining data from a third-party threat intelligence service indicating one or more of a severity of the past attacks or an identity of a source of the past attacks,and wherein the integrated report includes the one or more of the severity of the past attacks or the identity of the source of the past attacks.
  - 15. The one or more non-transitory computer-readable media of claim 12, wherein the one or more observables are specified as a CybOX description characterized by Boolean operators that indicate conditions which, when satisfied, evidence an actual attack through the vulnerability.

16. A system comprising:
- a vulnerability scanner configured to perform a vulnerability scan for one or more of the networked IT assets;
  
  a historical exploit and vulnerability detection tool configured to perform a past attack detection process comprising;
  
  for a detected vulnerability of a respective one of the networked IT assets, determining one or more observables that indicate exploitation of the detected vulnerability;
  
  searching a historic event log of the respective one of the networked IT assets for the one or more observables; and
  
  determining whether the detected vulnerability was exploited in the past attack at the respective one of the networked IT assets using results of the searching;
  
  searching a bounded time frame encompassing the times of the one or more past attacks to obtain one or more change audit reports from a security configuration management tool, the change audit reports including data concerning file changes performed at the IT asset in the bounded time frame; and
  
  displaying an integrated report that reports the one or more past attacks of the IT asset together with change data obtained from the change audit reports.
- View Dependent Claims (17, 18, 19)
- - 17. The system of claim 16, wherein the historical exploit and vulnerability detection tool is further configured to determine the one or more observables that indicate exploitation of the detected vulnerability by:
    - converting a result from the vulnerability scan into a standardized threat information expression including a common vulnerability enumeration (CVE) value; and
      
      extracting the one or more observables from a third-party remote vulnerability database using the standardized threat information expression.
  - 18. The system of claim 16, wherein the historical exploit and vulnerability detection tool is further configured to:
    - retrieve additional threat information concerning the exploitation from a third party remote threat intelligence provider.
  - 19. The system of claim 16, wherein the historical exploit and vulnerability detection tool is further configured to:
    - display an integrated report visually indicating an IP address of the respective one of the networked IT assets and one or more of;
      
      (a) an attack count value identifying a number of attacks of the detected vulnerability, (b) an attacker count value identifying a number of unique attackers responsible for the attacks, (c) a changed files value identifying a number of changed files observed at the respective one of the networked IT assets as a result of the attacks and as memorialized by an security configuration management tool monitoring the IT assets, (d) a vulnerability count value identifying a number of vulnerabilities observed at the respective one of the networked IT assets upon perform the vulnerability scan, (e) an exploit count value identifying a number of those vulnerabilities that were actually exploited, (f) a vulnerability ID value for the detected vulnerability;
      
      (g) a target value indicating an IP address of the asset on which the detected vulnerability was observed;
      
      (h) an attacker ID value indicating an IP address of a source of the attack on the detected vulnerability;
      
      (i) a time value indicating a date and time of the attack;
      
      or (j) log data indicating the one or more observables that evidence the attack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tripwire Incorporated (Belden Inc.)
Original Assignee
Tripwire Incorporated (Belden Inc.)
Inventors
Smith, Travis
Primary Examiner(s)
Su, Sarah

Application Number

US15/225,639
Time in Patent Office

1,177 Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/2477   Temporal data queries

G06F 16/951   Indexing; Web crawling tech...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

Historical exploit and vulnerability detection

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

77 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Historical exploit and vulnerability detection

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

77 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links