Testing for risk of macro vulnerability

US 10,534,917 B2
Filed: 12/12/2017
Issued: 01/14/2020
Est. Priority Date: 06/20/2017
Status: Active Grant

First Claim

Patent Images

1. A method of penetration testing of a network node by a penetration testing system, the penetration testing system comprising (A) a penetration testing software module and (B) a reconnaissance agent software module installed in the network node, where (i) a macro-supporting software application which supports auto-executing macros is installed on the network node, and (ii) the macro-supporting software application is configured to prompt a user of the network node upon detecting an opening of a file containing an auto-executing macro in the network node, the method comprising:

a. detecting, by the reconnaissance agent software module of the penetration testing system, a first event of the macro-supporting software application opening a file in the network node, wherein (i) opening the file either includes importing it into the network node or includes opening it from a storage device of the network node where it was saved after being imported into the network node, and (ii) the file is devoid of auto-executing macros;

b. in response to the detecting of the opening of the file in the network node, prompting the user of the network node to decide between permitting and not permitting execution of a macro;

c. ascertaining, by the reconnaissance agent software module, the decision made by the user in response to the prompting;

d. sending a message, by the reconnaissance agent software module to the penetration testing software module, the message containing information concerning the decision made by the user;

e. making a determination, by the penetration testing software module, regarding the vulnerability of the network node to a macro-based attack, the determination being based on the information concerning the decision made by the user;

f. reporting the determination, the reporting comprising at least one action selected form the group consisting of;

(i) causing a display device to display information about the determination, (ii) recording the information about the determination in a file, and (iii) electronically transmitting the information about the determination.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems are disclosed for penetration testing of a network node by a penetration testing system to determine vulnerability of network nodes to macro-based attacks. A reconnaissance agent runs in a network node to prompt user responses to macro warnings upon detecting file openings by macro-supporting software applications of files not containing auto-executing macros, and the responses are used for determining vulnerability.

55 Citations

View as Search Results

26 Claims

1. A method of penetration testing of a network node by a penetration testing system, the penetration testing system comprising (A) a penetration testing software module and (B) a reconnaissance agent software module installed in the network node, where (i) a macro-supporting software application which supports auto-executing macros is installed on the network node, and (ii) the macro-supporting software application is configured to prompt a user of the network node upon detecting an opening of a file containing an auto-executing macro in the network node, the method comprising:
- a. detecting, by the reconnaissance agent software module of the penetration testing system, a first event of the macro-supporting software application opening a file in the network node, wherein (i) opening the file either includes importing it into the network node or includes opening it from a storage device of the network node where it was saved after being imported into the network node, and (ii) the file is devoid of auto-executing macros;
  
  b. in response to the detecting of the opening of the file in the network node, prompting the user of the network node to decide between permitting and not permitting execution of a macro;
  
  c. ascertaining, by the reconnaissance agent software module, the decision made by the user in response to the prompting;
  
  d. sending a message, by the reconnaissance agent software module to the penetration testing software module, the message containing information concerning the decision made by the user;
  
  e. making a determination, by the penetration testing software module, regarding the vulnerability of the network node to a macro-based attack, the determination being based on the information concerning the decision made by the user;
  
  f. reporting the determination, the reporting comprising at least one action selected form the group consisting of;
  
  (i) causing a display device to display information about the determination, (ii) recording the information about the determination in a file, and (iii) electronically transmitting the information about the determination.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 2. The method of claim 1, wherein the penetration testing software module is installed on a remote computing device that is not the network node.
  - 3. The method of claim 1, wherein the penetration testing software module is installed on the network node.
  - 4. The method of claim 1, wherein the file is an attachment to a first email received in the network node.
  - 5. The method of claim 4, further comprising:
    - further detecting, by the reconnaissance agent software module of the penetration testing system, a second event, in which a second macro-supporting software application opens a second file in the network node, the second macro-supporting software application supporting auto-executing macros, wherein (i) opening the second file either includes importing it into the network node or includes opening it from a storage device of the network node where it was saved after being imported into the network node, (ii) the second file is an attachment to a second email received in the network node, and (iii) the second file does not contain an auto-executing macro,wherein, in response to the further detecting, the user of the network node is not prompted to decide between permitting and not permitting execution of a macro.
  - 6. The method of claim 5, wherein the second macro-supporting software application is different from the macro-supporting software application.
  - 7. The method of claim 5, wherein (i) the network node is included in a networked system of an organization, (ii) one of the first and second emails is received from a computing device that belongs to the networked system, and (iii) the other one of the first and second emails is received from a computing device that does not belong to the networked system.
  - 8. The method of claim 5, wherein (i) the first email is received from a first computing device that satisfies a pre-defined condition, and (ii) the second email is received from a second computing device that does not satisfy the pre-defined condition.
  - 9. The method of claim 5, wherein decisions whether or not to prompt the user of the network node to decide between permitting and not permitting execution of a macro when a file is opened, are made according to a random decision rule.
  - 10. The method of claim 5, wherein (i) the first email is received from a first computing device that is a member of a list of computing devices, the list being provided to the reconnaissance agent software module by the penetration testing software module, and (ii) the second email is received from a second computing device that is not a member of the list of computing devices.
  - 11. The method of claim 5, wherein decisions whether or not to prompt the user of the network node to decide between permitting and not permitting execution of a macro when a file is opened, are based on information provided to the reconnaissance agent software module by the penetration testing software module.
  - 12. The method of claim 1, wherein the file is located in a shared folder to which another network node has write permission.
  - 13. The method of claim 1, wherein the file is located in a removable storage device attached to the network node.
  - 14. The method of claim 1, wherein the file is received in the network node through a wireless communication channel.
  - 15. The method of claim 1, wherein (i) the message sent by the reconnaissance agent software module includes an identification of a provider of the file opened in the network node, and (ii) the determination regarding the vulnerability of the network node to a macro-based attack includes a determination regarding the vulnerability of the network node to a macro-based attack coming from said provider.
  - 16. The method of claim 1, wherein the prompting of the user of the network node is done by the reconnaissance agent software module.
  - 17. The method of claim 1, wherein the prompting of the user of the network node is initiated by the reconnaissance agent software module and done by the macro-supporting software application.
  - 18. The method of claim 1, wherein making the determination regarding the vulnerability of the network node to a macro-based attack includes making a first determination that the network node is vulnerable to a macro-based attack in a first class of instances, and making a second determination that the network node is not vulnerable to a macro-based attack in a second class of instances.
  - 19. The method of claim 18, wherein (i) in the first class of instances the macro-based attack is based on a first software application opening a file, and (ii) in the second class of instances the macro-based attack is based on a second software application opening a file.
  - 20. The method of claim 18, wherein (i) the network node is included in a networked system of an organization, (ii) in the first class of instances the macro-based attack is introduced by a file received from a computing device that belongs to the networked system, and (iii) in the second class of instances the macro-based attack is introduced by a file received from a computing device that does not belong to the networked system.
  - 21. The method of claim 18, wherein (i) the network node is included in a networked system of an organization, (ii) the network node is included in a sub-network of the networked system, (iii) in the first class of instances the macro-based attack is introduced by a file received from a computing device that belongs to the subnetwork, and (iv) in the second class of instances the macro-based attack is introduced by a file received from a computing device that does not belong to the sub-network.
  - 22. The method of claim 18, wherein (i) in the first class of instances the macro-based attack is introduced by a file received from a computing device that satisfies a predefined condition, and (ii) in the second class of instances the macro-based attack is introduced by a file received from a computing device that does not satisfy the predefined condition.
  - 23. The method of claim 1, wherein the determination regarding the vulnerability of the network node to a macro-based attack is a probabilistic determination.

24. A penetration testing system for testing a network node on which are installed (i) a reconnaissance agent software module of the penetration testing system and (ii), at least one macro-supporting software application which supports auto-executing macros, the penetration testing system comprising:
- a. a remote computing device comprising one or more processors and a data storage device, wherein a penetration testing software module of the penetration testing system is installed on the remote computing device, the remote computing device being in electronic communication with the network node;
  
  b. a first non-transitory computer-readable storage medium containing first program instructions, wherein execution of the first program instructions by one or more processors of the network node causes the one or more processors of the network node to carry out the following steps;
  
  i. detecting, by the reconnaissance agent software module, a first event of a first macro-supporting software application opening a file in the network node, wherein (i) opening the file either includes importing it into the network node or includes opening it from a storage device of the network node where it was saved after being imported into the network node, and (ii) the file is devoid of auto-executing macros,ii. in response to the detecting of the opening of the file in the network node, prompting a user of the network node to decide between permitting and not permitting execution of a macro,iii. ascertaining, by the reconnaissance agent software module, the decision made by the user of the network node in response to the prompting,iv. sending a message, by the reconnaissance agent software module to the penetration testing software module, the message containing information concerning the decision made by the user of the network node; and
  
  c. a second non-transitory computer-readable storage medium containing second program instructions, wherein execution of the second program instructions by the one or more processors of the remote computing device causes the one or more processors of the remote computing device to carry out the following steps;
  
  i. receiving a message sent by the reconnaissance agent software module, the message containing information concerning a decision made by the user of the network node in response to being prompted to decide between permitting and not permitting execution of a macro;
  
  ii. making a determination, by the penetration testing software module, regarding the vulnerability of the network node to a macro-based attack, the determination being based on the information concerning the decision made by the user of the network node;
  
  iii. reporting the determination, the reporting comprising at least one action selected from the group consisting of;
  
  (i) causing a display device of the remote computing device to display information about the determination, (ii) recording the information about the determination in a file on a data storage device of the remote computing device, and (iii) electronically transmitting the information about the determination to another computer.

25. A method of penetration testing of a network node to determine vulnerability to a macro-based attack, comprising:
- a. detecting, by a module of a penetration testing system, the module installed on the network node, an event of a macro-supporting software application opening a file in the network node, the file not containing any auto-executing macros;
  
  b. in response to the detecting, prompting a user of the network node to decide between permitting and not permitting execution of a macro;
  
  c. based on the decision made by the user, making a determination regarding the vulnerability of the network node to a macro-based attack; and
  
  d. reporting the determination, the reporting comprising at least one action selected from the group consisting of;
  
  (i) causing a display device to display information about the determination, (ii) recording the information about the determination in a file, and (iii) electronically transmitting the information about the determination.

26. A non-transitory computer-readable storage medium containing program instructions for penetration testing of a network node, wherein execution of the program instructions by one or more computer processors causes the one or more computer processors to carry out the following steps:
- a. detecting an event of a macro-supporting software application opening a file in the network node, the file not containing any auto-executing macros;
  
  b. in response to the detecting, prompting a user of the network node to decide between permitting and not permitting execution of a macro;
  
  c. based on the decision made by the user, making a determination regarding the vulnerability of the network node to a macro-based attack; and
  
  d. reporting the determination, the reporting comprising at least one action selected from the group consisting of;
  
  (i) causing a display device to display information about the determination, (ii) recording the information about the determination in a file, and (iii) electronically transmitting the information about the determination.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
XM Cyber Ltd. (Schwarz Unternehmenskommunikation GmbH & Co. KG)
Original Assignee
XM Cyber Ltd. (Schwarz Unternehmenskommunikation GmbH & Co. KG)
Inventors
Segal, Ronen
Primary Examiner(s)
Jamshidi, Ghodrat

Application Number

US15/838,733
Publication Number

US 20180365429A1
Time in Patent Office

763 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

G06F 9/3017   Runtime instruction transla...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 67/535   Tracking the activity of th...

Testing for risk of macro vulnerability

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

55 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Testing for risk of macro vulnerability

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

55 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links