Taking privilege escalation into account in penetration testing campaigns

US 10,462,177 B1
Filed: 06/06/2019
Issued: 10/29/2019
Est. Priority Date: 02/06/2019
Status: Active Grant

First Claim

Patent Images

1. A method of carrying out a penetration testing campaign of a networked system by a simulated penetration testing system for the purpose of determining a way for an attacker to compromise the networked system, wherein the simulated penetration testing system assigns a plurality of network nodes of the networked system to classes based on current information about the compromisability of the plurality of network nodes at a current state of the penetration testing campaign, the classes consisting of (i) a red class, wherein each network node that is a member of the red class is known to be compromisable by the attacker in a way that gives the attacker full control of the red-class-member network node, (ii) a blue class, wherein each network node that is a member of the blue class is not known to be compromisable by the attacker, and (iii) a purple class, wherein each network node that is a member of the purple class is known to be compromisable by the attacker in a way that does not give the attacker full control of the purple-class-member network node, the method comprising:

a. selecting a first target network node of the plurality of network nodes of the networked system;

b. handling the first target network node, the handling of the first target network node comprising;

i. based on the selected first target network node and based on the current assignment of the plurality of network nodes to the blue, red and purple classes, determining a first vulnerability that can compromise the first target network node;

ii. checking whether compromising the first target network node using the first vulnerability would result in the attacker achieving full control of the first target network node; and

iii. in response to determining that the compromising of the first target network node using the first vulnerability would result in the attacker achieving full control of the first target network node, assigning the first target network node to the red class;

c. selecting a second target network node of the plurality of network nodes of the networked system;

d. handling the second target network node, the handling of the second target network node comprising;

i. based on the selected second target network node and based on the current assignment of the plurality of network nodes to the blue, red and purple classes, determining a second vulnerability that can compromise the second target network node;

ii. checking whether compromising the second target network node using the second vulnerability would result in the attacker achieving full control of the second target network node; and

iii. in response to determining that (i) the compromising of the second target network node using the second vulnerability would not result in the attacker achieving full control of the second target network node and (ii) the attacker would be able to achieve full control of the second target network node by using (A) one or more privilege escalation techniques and (B) one or more access rights to the second target network node obtained by the compromising of the second target network node using the second vulnerability, assigning the second target network node to the red class;

e. selecting a third target network node of the plurality of network nodes of the networked system;

f. handling the third target network node, the handling of the third target network node comprising;

i. based on the selected third target network node and based on the current assignment of the plurality of network nodes to the blue, red and purple classes, determining a third vulnerability that can compromise the third target network node;

ii. checking whether compromising the third target network node using the third vulnerability would result in the attacker achieving full control of the third target network node; and

iii. in response to determining that (i) the compromising of the third target network node using the third vulnerability would not result in the attacker achieving full control of the third target network node and (ii) the attacker cannot achieve full control of the third target network node by using (A) any combination of privilege escalation techniques and (B) any combination of access rights to the third target network node obtained by the compromising of the third target network node using the third vulnerability, assigning the third target network node to the purple class;

g. based on at least one of the first vulnerability, the second vulnerability and the third vulnerability, determining the way for an attacker to compromise the networked system; and

h. reporting the determined way for an attacker to compromise the networked system, the reporting comprising at least one action selected from the actions group consisting of (i) causing a display device to display a report including information about the determined way to compromise the networked system, (ii) recording the report including the information about the determined way to compromise the networked system in a file, and (iii) electronically transmitting the report including the information about the determined way to compromise the networked system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A simulated penetration testing system that assigns network nodes of the tested networked system to classes based on current information about the compromisability of the nodes at a current state of a penetration testing campaign, the classes consisting of (i) a red class for nodes known to be compromisable by the attacker in a way that gives the attacker full control of the nodes, (ii) a blue class for nodes that are not known to be compromisable by the attacker, and (iii) a purple class for nodes known to be compromisable by the attacker in a way that does not give the attacker full control of the purple-class-member network node. The campaign tests whether an attacker would be able to achieve full control of a target node by using privilege escalation techniques and one or more access rights achieved by compromising the target node.

101 Citations

View as Search Results

20 Claims

1. A method of carrying out a penetration testing campaign of a networked system by a simulated penetration testing system for the purpose of determining a way for an attacker to compromise the networked system, wherein the simulated penetration testing system assigns a plurality of network nodes of the networked system to classes based on current information about the compromisability of the plurality of network nodes at a current state of the penetration testing campaign, the classes consisting of (i) a red class, wherein each network node that is a member of the red class is known to be compromisable by the attacker in a way that gives the attacker full control of the red-class-member network node, (ii) a blue class, wherein each network node that is a member of the blue class is not known to be compromisable by the attacker, and (iii) a purple class, wherein each network node that is a member of the purple class is known to be compromisable by the attacker in a way that does not give the attacker full control of the purple-class-member network node, the method comprising:
- a. selecting a first target network node of the plurality of network nodes of the networked system;
  
  b. handling the first target network node, the handling of the first target network node comprising;
  
  i. based on the selected first target network node and based on the current assignment of the plurality of network nodes to the blue, red and purple classes, determining a first vulnerability that can compromise the first target network node;
  
  ii. checking whether compromising the first target network node using the first vulnerability would result in the attacker achieving full control of the first target network node; and
  
  iii. in response to determining that the compromising of the first target network node using the first vulnerability would result in the attacker achieving full control of the first target network node, assigning the first target network node to the red class;
  
  c. selecting a second target network node of the plurality of network nodes of the networked system;
  
  d. handling the second target network node, the handling of the second target network node comprising;
  
  i. based on the selected second target network node and based on the current assignment of the plurality of network nodes to the blue, red and purple classes, determining a second vulnerability that can compromise the second target network node;
  
  ii. checking whether compromising the second target network node using the second vulnerability would result in the attacker achieving full control of the second target network node; and
  
  iii. in response to determining that (i) the compromising of the second target network node using the second vulnerability would not result in the attacker achieving full control of the second target network node and (ii) the attacker would be able to achieve full control of the second target network node by using (A) one or more privilege escalation techniques and (B) one or more access rights to the second target network node obtained by the compromising of the second target network node using the second vulnerability, assigning the second target network node to the red class;
  
  e. selecting a third target network node of the plurality of network nodes of the networked system;
  
  f. handling the third target network node, the handling of the third target network node comprising;
  
  i. based on the selected third target network node and based on the current assignment of the plurality of network nodes to the blue, red and purple classes, determining a third vulnerability that can compromise the third target network node;
  
  ii. checking whether compromising the third target network node using the third vulnerability would result in the attacker achieving full control of the third target network node; and
  
  iii. in response to determining that (i) the compromising of the third target network node using the third vulnerability would not result in the attacker achieving full control of the third target network node and (ii) the attacker cannot achieve full control of the third target network node by using (A) any combination of privilege escalation techniques and (B) any combination of access rights to the third target network node obtained by the compromising of the third target network node using the third vulnerability, assigning the third target network node to the purple class;
  
  g. based on at least one of the first vulnerability, the second vulnerability and the third vulnerability, determining the way for an attacker to compromise the networked system; and
  
  h. reporting the determined way for an attacker to compromise the networked system, the reporting comprising at least one action selected from the actions group consisting of (i) causing a display device to display a report including information about the determined way to compromise the networked system, (ii) recording the report including the information about the determined way to compromise the networked system in a file, and (iii) electronically transmitting the report including the information about the determined way to compromise the networked system.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the assigning of the third target network node to the purple class comprises associating with the third target network node all access rights that would be available to the attacker after using the third vulnerability to compromise the third target network node.
  - 3. The method of claim 1, wherein the first target network node is selected from the network nodes assigned to the blue class.
  - 4. The method of claim 1, wherein the first target network node is selected from the network nodes assigned to the blue class or the purple class.
  - 5. The method of claim 1, wherein (i) a reconnaissance agent software module is installed on at least some network nodes of the plurality of network nodes, and (ii) the determining of the first vulnerability that can compromise the first target network node is based on data received from the reconnaissance agent software module installed on the first target network node.

6. A simulated penetration testing system for carrying out a penetration testing campaign of a networked system for the purpose of determining a way for an attacker to compromise the networked system, wherein the simulated penetration testing system assigns a plurality of network nodes of the networked system to classes based on current information about the compromisability of the plurality of network nodes at a current state of the penetration testing campaign, the classes consisting of (i) a red class, wherein each network node that is a member of the red class is known to be compromisable by the attacker in a way that gives the attacker full control of the red-class-member network node, (ii) a blue class, wherein each network node that is a member of the blue class is not known to be compromisable by the attacker, and (iii) a purple class, wherein each network node that is a member of the purple class is known to be compromisable by the attacker in a way that does not give the attacker full control of the purple-class-member network node, the penetration testing system comprising:
- a. a computing device comprising one or more processors, the computing device in networked communication with multiple network nodes of the networked system; and
  
  b. a non-transitory computer-readable storage medium containing program instructions, wherein execution of the program instructions by the one or more processors of the computing device causes the one or more processors of the computing device to carry out the following steps;
  
  i. selecting a first target network node of the plurality of network nodes of the networked system;
  
  ii. handling the first target network node, the handling of the first target network node comprising;
  
  A. based on the selected first target network node and based on the current assignment of the plurality of network nodes to the blue, red and purple classes,determining a first vulnerability that can compromise the first target network node;
  
  B. checking whether compromising the first target network node using the first vulnerability would result in the attacker achieving full control of the first target network node; and
  
  C. in response to determining that the compromising of the first target network node using the first vulnerability would result in the attacker achieving full control of the first target network node, assigning the first target network node to the red class;
  
  iii. selecting a second target network node of the plurality of network nodes of the networked system;
  
  iv. handling the second target network node, the handling of the second target network node comprising;
  
  A. based on the selected second target network node and based on the current assignment of the plurality of network nodes to the blue, red and purple classes, determining a second vulnerability that can compromise the second target network node;
  
  B. checking whether compromising the second target network node using the second vulnerability would result in the attacker achieving full control of the second target network node; and
  
  C. in response to determining that (I) the compromising of the second target network node using the second vulnerability would not result in the attacker achieving full control of the second target network node and (II) the attacker would be able to achieve full control of the second target network node by using (1) one or more privilege escalation techniques and (2) one or more access rights to the second target network node obtained by the compromising of the second target network node using the second vulnerability, assigning the second target network node to the red class;
  
  v. selecting a third target network node of the plurality of network nodes of the networked system;
  
  vi. handling the third target network node, the handling of the third target network node comprising;
  
  A. based on the selected third target network node and based on the current assignment of the plurality of network nodes to the blue, red and purple classes, determining a third vulnerability that can compromise the third target network node;
  
  B. checking whether compromising the third target network node using the third vulnerability would result in the attacker achieving full control of the third target network node; and
  
  C. in response to determining that (I) the compromising of the third target network node using the third vulnerability would not result in the attacker achieving full control of the third target network node and (II) the attacker cannot achieve full control of the third target network node by using (1) any combination of privilege escalation techniques and (2) any combination of access rights to the third target network node obtained by the compromising of the third target network node using the third vulnerability, assigning the third target network node to the purple class;
  
  vii. based on at least one of the first vulnerability, the second vulnerability and the third vulnerability, determining the way for an attacker to compromise the networked system; and
  
  viii. reporting the determined way for an attacker to compromise the networked system, the reporting comprising at least one action selected from the actions group consisting of (i) causing a display device to display a report including information about the determined way to compromise the networked system, (ii) recording the report including the information about the determined way to compromise the networked system in a file, and (iii) electronically transmitting the report including the information about the determined way to compromise the networked system.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The simulated penetration testing system of claim 6, wherein the assigning of the third target network node to the purple class comprises associating with the third target network node all access rights that would be available to the attacker after using the third vulnerability to compromise the third target network node.
  - 8. The simulated penetration testing system of claim 6, wherein the first target network node is selected from the network nodes assigned to the blue class.
  - 9. The simulated penetration testing system of claim 6, wherein the first target network node is selected from the network nodes assigned to the blue class or the purple class.
  - 10. The simulated penetration testing system of claim 6, additionally comprising:
    - c. a reconnaissance agent software module installed on at least some network nodes of the plurality of network nodes,wherein the determining of the first vulnerability that can compromise the first target network node is based on data received from the reconnaissance agent software module installed on the first target network node.

11. A method of carrying out a penetration testing campaign of a networked system by a simulated penetration testing system for the purpose of determining a way for an attacker to compromise the networked system, wherein the simulated penetration testing system assigns a plurality of network nodes of the networked system to classes based on current information about the compromisability of the plurality of network nodes at a current state of the penetration testing campaign, the classes consisting of (i) a red class, wherein each network node that is a member of the red class is known to be compromisable by the attacker in a way that gives the attacker full control of the red-class-member network node, (ii) a blue class, wherein each network node that is a member of the blue class is not known to be compromisable by the attacker, and (iii) a purple class, wherein each network node that is a member of the purple class is known to be compromisable by the attacker in a way that does not give the attacker full control of the purple-class-member network node, the method comprising:
- a. selecting a first target network node of the plurality of network nodes of the networked system;
  
  b. handling the first target network node, the handling of the first target network node comprising;
  
  i. based on the selected first target network node and based on the current assignment of the plurality of network nodes to the blue, red and purple classes, determining a first vulnerability that can compromise the first target network node;
  
  ii. checking whether compromising the first target network node using the first vulnerability would result in the attacker achieving full control of the first target network node; and
  
  iii. in response to determining that the compromising of the first target network node using the first vulnerability would result in the attacker achieving full control of the first target network node, assigning the first target network node to the red class;
  
  c. selecting a second target network node of the plurality of network nodes of the networked system;
  
  d. handling the second target network node, the handling of the second target network node comprising;
  
  i. based on the selected second target network node and based on the current assignment of the plurality of network nodes to the blue, red and purple classes, determining a second vulnerability that can compromise the second target network node;
  
  ii. checking whether compromising the second target network node using the second vulnerability would result in the attacker achieving full control of the second target network node; and
  
  iii. in response to determining that the compromising of the second target network node using the second vulnerability would not result in the attacker achieving full control of the second target network node, assigning the second target network node to the purple class;
  
  e. based on at least one of the first vulnerability and the second vulnerability, determining the way for an attacker to compromise the networked system; and
  
  f. reporting the determined way for an attacker to compromise the networked system, the reporting comprising at least one action selected from the actions group consisting of (i) causing a display device to display a report including information about the determined way to compromise the networked system, (ii) recording the report including the information about the determined way to compromise the networked system in a file, and (iii) electronically transmitting the report including the information about the determined way to compromise the networked system.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11, wherein the assigning of the second target network node to the purple class comprises associating with the second target network node all access rights that would be available to the attacker after using the second vulnerability to compromise the second target network node.
  - 13. The method of claim 11, wherein the first target network node is selected from the network nodes assigned to the blue class.
  - 14. The method of claim 11, wherein the first target network node is selected from the network nodes assigned to the blue class or the purple class.
  - 15. The method of claim 11, wherein (i) a reconnaissance agent software module is installed on at least some network nodes of the plurality of network nodes, and (ii) the determining of the first vulnerability that can compromise the first target network node is based on data received from the reconnaissance agent software module installed on the first target network node.

16. A simulated penetration testing system for carrying out a penetration testing campaign of a networked system for the purpose of determining a way for an attacker to compromise the networked system, wherein the simulated penetration testing system assigns a plurality of network nodes of the networked system to classes based on current information about the compromisability of the plurality of network nodes at a current state of the penetration testing campaign, the classes consisting of (i) a red class, wherein each network node that is a member of the red class is known to be compromisable by the attacker in a way that gives the attacker full control of the red-class-member network node, (ii) a blue class, wherein each network node that is a member of the blue class is not known to be compromisable by the attacker, and (iii) a purple class, wherein each network node that is a member of the purple class is known to be compromisable by the attacker in a way that does not give the attacker full control of the purple-class-member network node, the penetration testing system comprising:
- a. a computing device comprising one or more processors, the computing device in networked communication with multiple network nodes of the networked system; and
  
  b. a non-transitory computer-readable storage medium containing program instructions, wherein execution of the program instructions by the one or more processors of the computing device causes the one or more processors of the computing device to carry out the following steps;
  
  i. selecting a first target network node of the plurality of network nodes of the networked system;
  
  ii. handling the first target network node, the handling of the first target network node comprising;
  
  A. based on the selected first target network node and based on the current assignment of the plurality of network nodes to the blue, red and purple classes, determining a first vulnerability that can compromise the first target network node;
  
  B. checking whether compromising the first target network node using the first vulnerability would result in the attacker achieving full control of the first target network node; and
  
  C. in response to determining that the compromising of the first target network node using the first vulnerability would result in the attacker achieving full control of the first target network node, assigning the first target network node to the red class;
  
  iii. selecting a second target network node of the plurality of network nodes of the networked system;
  
  iv. handling the second target network node, the handling of the second target network node comprising;
  
  A. based on the selected second target network node and based on the current assignment of the plurality of network nodes to the blue, red and purple classes, determining a second vulnerability that can compromise the second target network node;
  
  B. checking whether compromising the second target network node using the second vulnerability would result in the attacker achieving full control of the second target network node; and
  
  C. in response to determining that the compromising of the second target network node using the second vulnerability would not result in the attacker achieving full control of the second target network node, assigning the second target network node to the purple class;
  
  v. based on at least one of the first vulnerability and the second vulnerability, determining the way for an attacker to compromise the networked system; and
  
  vi. reporting the determined way for an attacker to compromise the networked system, the reporting comprising at least one action selected from the actions group consisting of (i) causing a display device to display a report including information about the determined way to compromise the networked system, (ii) recording the report including the information about the determined way to compromise the networked system in a file, and (iii) electronically transmitting the report including the information about the determined way to compromise the networked system.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The simulated penetration testing system of claim 16, wherein the assigning of the second target network node to the purple class comprises associating with the second target network node all access rights that would be available to the attacker after using the second vulnerability to compromise the second target network node.
  - 18. The simulated penetration testing system of claim 16, wherein the first target network node is selected from the network nodes assigned to the blue class.
  - 19. The simulated penetration testing system of claim 16, wherein the first target network node is selected from the network nodes assigned to the blue class or the purple class.
  - 20. The simulated penetration testing system of claim 16, additionally comprising:
    - c. a reconnaissance agent software module installed on at least some network nodes of the plurality of network nodes,wherein the determining of the first vulnerability that can compromise the first target network node is based on data received from the reconnaissance agent software module installed on the first target network node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
XM Cyber Ltd. (Schwarz Unternehmenskommunikation GmbH & Co. KG)
Original Assignee
XM Cyber Ltd. (Schwarz Unternehmenskommunikation GmbH & Co. KG)
Inventors
Lasser, Menahem, Segal, Ronen
Primary Examiner(s)
Zhao, Don G

Application Number

US16/432,982
Time in Patent Office

145 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/034   Test or assess a computer o...

G06F 8/61   Installation

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

Taking privilege escalation into account in penetration testing campaigns

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

101 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Taking privilege escalation into account in penetration testing campaigns

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

101 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links