Using information about exportable data in penetration testing

US 10,469,521 B1
Filed: 04/10/2019
Issued: 11/05/2019
Est. Priority Date: 11/04/2018
Status: Active Grant

First Claim

Patent Images

1. A method of carrying out a penetration testing campaign of a networked system by a penetration testing system, using a lateral movement strategy based at least in part on information about files stored in network nodes of the networked system, the method comprising:

a. obtaining information about files stored in a plurality of network nodes of the networked system;

b. based on the obtained information, determining, for each network node of the plurality of network nodes, a corresponding data-value score according to a common data-value metric;

c. executing the penetration testing campaign, wherein the executing includes;

i. selecting a target network node of the networked system that will be a next network node that the penetration testing system will attempt to compromise or will attempt to determine to be compromisable, the selecting being based on the data-value scores corresponding to at least some of the plurality of network nodes, andii. attempting to compromise the selected target network node or attempting to determine that the selected target network node is compromisable;

d. based on results of the penetration testing campaign, determining a method by which an attacker could compromise the networked system; and

e. reporting the method by which the attacker could compromise the networked system, wherein the reporting comprises at least one action selected from the group consisting of (i) causing a display device to display a report including information about the determined method by which the attacker could compromise the networked system, (ii) recording the report including the information about the determined method by which the attacker could compromise the networked system in a file, and (iii) electronically transmitting the report including the information about the determined method by which the attacker could compromise the networked system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Penetration testing campaigns are carried out using a lateral movement strategy based at least in part on information about files stored in network nodes of the networked system. Information is obtained about files stored in a plurality of network nodes of the networked system, and based on the obtained information, a corresponding data-value score for each network node of the plurality of network nodes is determined according to a common data-value metric. The penetration testing campaign is executed, during which a next network node targeted for determining its compromisability is selected based on the data-value scores corresponding to at least some of the plurality of network nodes. Based on results of the penetration testing campaign, a method by which an attacker could compromise the networked system is determined and reported.

Citations

21 Claims

1. A method of carrying out a penetration testing campaign of a networked system by a penetration testing system, using a lateral movement strategy based at least in part on information about files stored in network nodes of the networked system, the method comprising:
- a. obtaining information about files stored in a plurality of network nodes of the networked system;
  
  b. based on the obtained information, determining, for each network node of the plurality of network nodes, a corresponding data-value score according to a common data-value metric;
  
  c. executing the penetration testing campaign, wherein the executing includes;
  
  i. selecting a target network node of the networked system that will be a next network node that the penetration testing system will attempt to compromise or will attempt to determine to be compromisable, the selecting being based on the data-value scores corresponding to at least some of the plurality of network nodes, andii. attempting to compromise the selected target network node or attempting to determine that the selected target network node is compromisable;
  
  d. based on results of the penetration testing campaign, determining a method by which an attacker could compromise the networked system; and
  
  e. reporting the method by which the attacker could compromise the networked system, wherein the reporting comprises at least one action selected from the group consisting of (i) causing a display device to display a report including information about the determined method by which the attacker could compromise the networked system, (ii) recording the report including the information about the determined method by which the attacker could compromise the networked system in a file, and (iii) electronically transmitting the report including the information about the determined method by which the attacker could compromise the networked system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of carrying out a penetration testing campaign of claim 1, wherein the data-value score corresponding to a given network node is based on the total size of all files residing in the given network node.
  - 3. The method of carrying out a penetration testing campaign of claim 1, wherein the data-value score corresponding to a given network node is based on the total size of all files residing in one or more given folders in the given network node.
  - 4. The method of carrying out a penetration testing campaign of claim 1, wherein the data-value score corresponding to a given network node is based on the total size of all files of one or more given types residing in the given network node.
  - 5. The method of carrying out a penetration testing campaign of claim 1, wherein the data-value score corresponding to a given network node is based on the number of all files residing in the given network node.
  - 6. The method of carrying out a penetration testing campaign of claim 1, wherein the data-value score corresponding to a given network node is based on the number of all files residing in one or more given folders in the given network node.
  - 7. The method of carrying out a penetration testing campaign of claim 1, wherein the data-value score corresponding to a given network node is based on the number of all files of one or more given types residing in the given network node.
  - 8. The method of carrying out a penetration testing campaign of claim 1, wherein the data-value score corresponding to a given network node is based on one or more numbers selected from the group consisting of:
    - a. total size of all files residing in the given network node,b. total size of all files residing in one or more given folders in the given network node,c. total size of all files of one or more given types residing in the given network node,d. total size of all files of one or more given types residing in one or more given folders in the given network node,e. number of all files residing in the given network node,f. number of all files residing in one or more given folders in the given network node,g. number of all files of one or more given types residing in the given network node,h. number of all files of one or more given types residing in one or more given folders in the given network node.
  - 9. The method of carrying out a penetration testing campaign of claim 1, wherein the data-value score corresponding to a given network node is based on a size of at least one file residing in a second network node that is reachable from the given network node.
  - 10. The method of carrying out a penetration testing campaign of claim 1, wherein the data-value score corresponding to a given network node is based on a number selected from the group consisting of (i) number of files residing in a second network node, (ii) number of files residing in one or more given folders in the second network node, (iii) number of files residing in the second network node and are of one or more given types, and (iv) number of files residing in the one or more given folders in the second network node and are of the one or more given types, the second network node being reachable from the given network node.

11. A penetration testing system for carrying out a penetration testing campaign of a networked system by using a lateral movement strategy based at least in part on information about files stored in network nodes of the networked system, the networked system comprising a plurality of network nodes interconnected by one or more networks, each network node of the plurality of network nodes including one or more processors, the penetration testing system comprising:
- a. a first non-transitory computer-readable storage medium having stored therein first program instructions, wherein execution of the first program instructions by the one or more processors of a given network node of the plurality of network nodes causes the one or more processors of the given network node to collect information about files stored in the given network node;
  
  b. a computing device comprising one or more processors, the computing device in networked communication with multiple network nodes of the networked system; and
  
  c. a second non-transitory computer-readable storage medium having stored therein second program instructions, wherein execution of the second program instructions by the one or more processors of the computing device causes the one or more processors of the computing device to carry out the following steps;
  
  i. for each given network node of the plurality of network nodes, performing one operation selected from the group consisting of (A) determining a corresponding data-value score according to a common data-value metric and (B) obtaining the corresponding data-value score according to the common data-value metric, the corresponding data-value score being based on collected information about files stored in the networked system;
  
  ii. executing the penetration testing campaign, wherein the executing includes;
  
  A. selecting a target network node of the networked system that will be next network node that the penetration testing system will attempt to compromise or will attempt to determine to be compromisable, the selecting being based on the data-value scores corresponding to at least some of the plurality of network nodes, andB. attempting to compromise the selected target network node or attempting to determine that the selected target network node is compromisable;
  
  iii. based on results of the penetration testing campaign, determining a method by which an attacker could compromise the networked system; and
  
  iv. reporting the method by which the attacker could compromise the networked system, wherein the reporting comprises at least one action selected from the group consisting of (A) causing a display device to display a report including information about the determined method by which the attacker could compromise the networked system, (B) recording the report including the information about the determined method by which the attacker could compromise the networked system in a file, and (C) electronically transmitting the report including the information about the determined method by which the attacker could compromise the networked system.

12. A method for delivering, by a penetration testing system, a recommendation for improving the security of a networked system against attackers, the method comprising:
- a. obtaining information about files stored in a plurality of network nodes of the networked system;
  
  b. based on the obtained information, determining, for each network node of the plurality of network nodes, a corresponding data-value score according to a common data-value metric;
  
  c. executing a penetration testing campaign for testing the networked system;
  
  d. determining the recommendation for improving the security of the networked system against attackers, wherein the determining of the recommendation includes selecting one or more network nodes of the networked system that should be protected against being compromised by the attackers, wherein the selecting of the one or more network nodes is based on (i) results of the penetration testing campaign and (ii) the data-value scores corresponding to at least some of the plurality of network nodes;
  
  e. performing at least one operation selected from the group consisting of;
  
  (i) causing a display device to display information about the recommendation for improving the security of the networked system against attackers, (ii) recording the information about the recommendation for improving the security of the networked system against attackers in a file, and (iii) electronically transmitting the information about the recommendation for improving the security of the networked system against attackers,
  
  wherein the data-value score corresponding to a given network node is based on one or more numbers selected from the group consisting of;
  
  A. total size of all files residing in the given network node;
  
  B. total size of all files residing in one or more given folders in the given network node;
  
  C. total size of all files of one or more given types residing in the given network node;
  
  D. total size of all files of one or more given types residing in one or more given folders in the given network node;
  
  E. number of all files residing in the given network node;
  
  F. number of all files residing in one or more given folders in the given network node;
  
  G. number of all files of one or more given types residing in the given network node; and
  
  H. number of all files of one or more given types residing in one or more given folders in the given network node.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The method of claim 12, wherein the data-value score corresponding to the given network node is based on the total size of all files residing in the given network node.
  - 14. The method of claim 12, wherein the data-value score corresponding to the given network node is based on the total size of all files residing in one or more given folders in the given network node.
  - 15. The method of claim 12, wherein the data-value score corresponding to the given network node is based on the total size of all files of one or more given types residing in the given network node.
  - 16. The method of claim 12, wherein the data-value score corresponding to the given network node is based on the number of all files residing in the given network node.
  - 17. The method of claim 12, wherein the data-value score corresponding to the given network node is based on the number of all files residing in one or more given folders in the given network node.
  - 18. The method of claim 12, wherein the data-value score corresponding to the given network node is based on the number of all files of one or more given types residing in the given network node.
  - 19. The method of claim 12, wherein the data-value score corresponding to the given network node is based on a size of at least one file residing in a second network node that is reachable from the given network node.

20. A method for delivering, by a penetration testing system, a recommendation for improving the security of a networked system against attackers, the method comprising:
- a. obtaining information about files stored in a plurality of network nodes of the networked system;
  
  b. based on the obtained information, determining, for each network node of the plurality of network nodes, a corresponding data-value score according to a common data-value metric;
  
  c. executing a penetration testing campaign for testing the networked system;
  
  d. determining the recommendation for improving the security of the networked system against attackers, wherein the determining of the recommendation includes selecting one or more network nodes of the networked system that should be protected against being compromised by the attackers, wherein the selecting of the one or more network nodes is based on (i) results of the penetration testing campaign and (ii) the data-value scores corresponding to at least some of the plurality of network nodes; and
  
  e. performing at least one operation selected from the group consisting of;
  
  (i) causing a display device to display information about the recommendation for improving the security of the networked system against attackers, (ii) recording the information about the recommendation for improving the security of the networked system against attackers in a file, and (iii) electronically transmitting the information about the recommendation for improving the security of the networked system against attackers, wherein the data-value score corresponding to a given network node is based on a number selected from the group consisting of (i) number of files residing in a second network node, (ii) number of files residing in one or more given folders in the second network node, (iii) number of files residing in the second network node and are of one or more given types, and (iv) number of files residing in the one or more given folders in the second network node that are of the one or more given types, the second network node being reachable from the given network node.

21. A penetration testing system configured to carry out a penetration testing campaign for testing a networked system and to deliver a recommendation for improving the security of the networked system against attackers based at least in part on information about files stored in network nodes of the networked system, the networked system comprising a plurality of network nodes interconnected by one or more networks, each network node of the plurality of network nodes including one or more processors, the penetration testing system comprising:
- a. a first non-transitory computer-readable storage medium having stored therein first program instructions, wherein execution of the first program instructions by the one or more processors of a given network node of the plurality of network nodes causes the one or more processors of the given network node to collect information about files stored in the given network node;
  
  b. a computing device comprising one or more processors, the computing device in networked communication with multiple network nodes of the networked system; and
  
  c. a second non-transitory computer-readable storage medium having stored therein second program instructions, wherein execution of the second program instructions by the one or more processors of the computing device causes the one or more processors of the computing device to carry out the following steps;
  
  i. for each given network node of the plurality of network nodes, performing one operation selected from the group consisting of (A) determining a corresponding data-value score according to a common data-value metric and (B) obtaining the corresponding data-value score according to the common data-value metric, the corresponding data-value score being based on collected information about files stored in the networked system;
  
  ii. executing the penetration testing campaign;
  
  iii. determining the recommendation for improving the security of the networked system against attackers, wherein the determining of the recommendation includes selecting one or more network nodes of the networked system that should be protected against being compromised by the attackers, wherein the selecting of the one or more network nodes is based on (A) results of the penetration testing campaign and (B) the data-value scores corresponding to at least some of the plurality of network nodes; and
  
  iv. performing at least one action selected from the group consisting of;
  
  (A) causing a display device to display information about the recommendation for improving the security of the networked system against attackers, (B) recording the information about the recommendation for improving the security of the networked system against attackers in a file, and (C) electronically transmitting the information about the recommendation for improving the security of the networked system against attackers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
XM Cyber Ltd. (Schwarz Unternehmenskommunikation GmbH & Co. KG)
Original Assignee
XM Cyber Ltd. (Schwarz Unternehmenskommunikation GmbH & Co. KG)
Inventors
Segal, Ronen, Lasser, Menahem
Primary Examiner(s)
Song, Hosuk

Application Number

US16/379,820
Time in Patent Office

209 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/1433 Vulnerability analysis

H04L 63/20 for managing network securi...

Using information about exportable data in penetration testing

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Using information about exportable data in penetration testing

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links