Historical exploit and vulnerability detection
First Claim
1. A method for improving security of networked information technology (“IT”) assets in an IT infrastructure, comprising:
performing a vulnerability scan for one or more of the networked IT assets;
for a detected vulnerability of a respective one of the networked IT assets, determining one or more observables that indicate exploitation of the detected vulnerability;
searching a historic event log of the respective one of the networked IT assets for the one or more observables; and
determining whether the detected vulnerability was exploited in a past attack at the respective one of the networked IT assets using results of the searching;
wherein the determining the one or more observables that indicate exploitation of the detected vulnerability comprises:
converting a result from the vulnerability scan into a STIX (structured threat information expression) language expression including a common vulnerability enumeration (CVE) value; and
extracting the one or more observables from a vulnerability database using the STIX language expression.
Abstract
Disclosed herein are representative embodiments of methods, apparatus, and systems for improving the functioning of IT assets in an IT infrastructure. The embodiments help secure and protect against outside cybersecurity attacks on IT assets and infrastructures, such as internet-centric attacks. Particular embodiments comprise detecting exploitable vulnerabilities of IT assets of an IT infrastructure, using the observed vulnerability data together with collected event log data to determine whether a respective vulnerability has actually been exploited for an asset, integrating change audit data and third-party threat data with the vulnerability data for exploited vulnerabilities, generating user interfaces/reports that display selected aspects of the integrated data, and/or modifying the asset to address the exploited vulnerability in response.
77 Citations
19 Claims
1. (Independent method claim; the full text is given above under “First Claim”.) Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11.
12. One or more non-transitory computer-readable media storing computer-executable instructions, which when executed by a computer cause the computer to perform a method, the method comprising:
searching a historic event log of an IT asset for one or more observables, the one or more observables being events or properties that evidence exploitation of a vulnerability at the IT asset;
determining that the vulnerability was exploited in one or more past attacks of the IT asset using results of the searching;
searching a bounded time frame encompassing the times of the one or more past attacks to obtain one or more change audit reports from a security configuration management tool, the change audit reports including data concerning file changes performed at the IT asset in the bounded time frame; and
displaying an integrated report that reports the one or more past attacks of the IT asset together with change data obtained from the change audit reports.
Dependent claims: 13, 14, 15.
16. A system comprising:
a vulnerability scanner configured to perform a vulnerability scan for one or more of the networked IT assets;
a historical exploit and vulnerability detection tool configured to perform a past attack detection process comprising:
for a detected vulnerability of a respective one of the networked IT assets, determining one or more observables that indicate exploitation of the detected vulnerability;
searching a historic event log of the respective one of the networked IT assets for the one or more observables; and
determining whether the detected vulnerability was exploited in the past attack at the respective one of the networked IT assets using results of the searching;
searching a bounded time frame encompassing the times of the one or more past attacks to obtain one or more change audit reports from a security configuration management tool, the change audit reports including data concerning file changes performed at the IT asset in the bounded time frame; and
displaying an integrated report that reports the one or more past attacks of the IT asset together with change data obtained from the change audit reports.
Dependent claims: 17, 18, 19.
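The pipeline that claims 1, 12 and 16 describe (scan result to STIX object carrying the CVE, CVE to observables via a vulnerability database, observables matched against the asset's historic event log, and change-audit records pulled from a bounded window around the matched attack times into one report) is shown below as an added, stand-alone example. It is not code from the patent or from any product; the CVE identifier, host name, log lines, audit records and the schema of the vulnerability database are all constructed placeholders, and the regex-per-observable and window-size choices are this example's assumptions. The one STIX detail that is not an assumption is that a CVE is attached to a STIX 2.1 Vulnerability object as an external reference with source_name "cve" (CVE itself stands for Common Vulnerabilities and Exposures, whatever the claim language says).

```python
"""Added example of the claimed historical-exploit detection flow (not the patent's code).
All identifiers and data below are constructed placeholders."""
import json
import re
from datetime import datetime, timedelta

# Constructed scan finding in a hypothetical scanner shape: CVE-0000-00001 is not a real CVE.
SCAN_RESULT = {"asset": "web-01", "cve": "CVE-0000-00001"}

# Constructed vulnerability database (hypothetical schema): CVE -> observables that
# evidence exploitation, each a regex applied to the body of an event-log line.
VULN_DB = {
    "CVE-0000-00001": [
        {"name": "cgi-command-injection-request", "pattern": r"GET /cgi-bin/\S*[?;&]cmd="},
        {"name": "webserver-spawned-shell", "pattern": r"proc=httpd .*exec=/bin/sh"},
    ],
}

# Constructed historic event log of web-01: ISO timestamp, then free text.
EVENT_LOG = [
    "2020-03-01T10:00:00 proc=sshd login user=alice",
    "2020-03-01T10:05:12 proc=httpd GET /cgi-bin/status.cgi HTTP/1.1 200",
    "2020-03-02T02:14:07 proc=httpd GET /cgi-bin/status.cgi?x=1;cmd=id HTTP/1.1 200",
    "2020-03-02T02:14:09 proc=httpd pid=4412 exec=/bin/sh",
    "2020-03-03T09:00:00 proc=cron run backup",
]

# Constructed change audit records, as a security configuration management tool might export.
CHANGE_AUDIT = [
    {"time": "2020-03-01T12:00:00", "path": "/etc/motd", "change": "modified"},
    {"time": "2020-03-02T02:15:30", "path": "/var/www/cgi-bin/.cache.sh", "change": "created"},
    {"time": "2020-03-02T02:15:31", "path": "/etc/cron.d/cache", "change": "created"},
    {"time": "2020-03-06T08:00:00", "path": "/etc/ssh/sshd_config", "change": "modified"},
]


def scan_result_to_stix(result):
    """Wrap one scan finding as a STIX 2.1 Vulnerability object; the CVE travels in
    external_references with source_name "cve", which is the STIX convention."""
    return {
        "type": "vulnerability",
        "spec_version": "2.1",
        "name": result["cve"],
        "external_references": [{"source_name": "cve", "external_id": result["cve"]}],
    }


def extract_observables(stix_vuln, vuln_db):
    """Read the CVE value(s) out of the STIX object and use them as the database key."""
    cves = [r["external_id"] for r in stix_vuln.get("external_references", [])
            if r.get("source_name") == "cve"]
    observables = []
    for cve in cves:
        observables.extend(vuln_db.get(cve, []))
    return observables


def search_event_log(log_lines, observables):
    """Return (timestamp, observable name, raw line) for every log line an observable matches."""
    hits = []
    for line in log_lines:
        ts_str, _, body = line.partition(" ")
        ts = datetime.fromisoformat(ts_str)
        for obs in observables:
            if re.search(obs["pattern"], body):
                hits.append((ts, obs["name"], line))
    return hits


def past_attack_times(hits):
    """The vulnerability counts as exploited when any observable was seen; the hit
    timestamps are the attack times the rest of the flow is anchored on."""
    return sorted({ts for ts, _, _ in hits})


def changes_in_window(audit, attack_times, before=timedelta(minutes=5), after=timedelta(hours=1)):
    """Bounded time frame around the attack times (window sizes are this example's choice);
    only audit records inside it are correlated with the attack."""
    if not attack_times:
        return []
    lo, hi = min(attack_times) - before, max(attack_times) + after
    return [a for a in audit if lo <= datetime.fromisoformat(a["time"]) <= hi]


def integrated_report(scan_result, vuln_db, log_lines, audit):
    """Run the whole flow for one scan finding and return the integrated report as a dict."""
    observables = extract_observables(scan_result_to_stix(scan_result), vuln_db)
    hits = search_event_log(log_lines, observables)
    times = past_attack_times(hits)
    return {
        "asset": scan_result["asset"],
        "cve": scan_result["cve"],
        "exploited": bool(times),
        "attack_times": [t.isoformat() for t in times],
        "matched_events": [line for _, _, line in hits],
        "file_changes": changes_in_window(audit, times),
    }


if __name__ == "__main__":
    print(json.dumps(integrated_report(SCAN_RESULT, VULN_DB, EVENT_LOG, CHANGE_AUDIT), indent=2))
```

Two practitioner caveats follow from the structure rather than from the sample data. A scan finding with no matching observables in the log is not evidence that the asset was never exploited; it only says nothing was found in the retained, unmodified portion of the log, so log retention and integrity bound what this method can conclude. And the bounded window is what makes a single matching request actionable: the newly created files in the window (here a script dropped into the CGI directory and a cron entry) are the persistence artefacts a responder needs to remove, and widening the window trades noise for coverage.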
Specification