Locally detecting phishing weakness

US 10,574,684 B2
Filed: 01/25/2018
Issued: 02/25/2020
Est. Priority Date: 07/09/2017
Status: Active Grant

First Claim

Patent Images

1. A method of penetration testing of a network node by a penetration testing system, the penetration testing system comprising (A) a reconnaissance agent software module installed in the network node, and (B) a penetration testing software module installed on a remote computing device, the method comprising:

a. sending to the network node, by the penetration testing software module, a test message containing at least one member selected from the group consisting of an Internet link and an attachment file;

b. detecting, in the network node and by the reconnaissance agent software module installed in the network node, an event occurring in the network node, the event being a member of the group consisting of an event of selecting of the Internet link by a user of the network node, an event of opening of the attachment file by the user of the network node, an event caused by the selecting of the Internet link, and an event caused by the opening of the attachment file;

c. sending, by the reconnaissance agent software module installed in the network node, a reporting message to the remote computing device, the reporting message containing information concerning an occurrence of the detected event;

d. making a determination, by the penetration testing software module, that the network node is vulnerable to an attack, the determination being based on the information concerning the occurrence of the detected event included in the reporting message; and

e. reporting the determination by the penetration testing software module, the reporting comprising at least one operation selected from the group consisting of;

(i) causing a display device to display information about the determination, (ii) recording the information about the determination in a file, and (iii) electronically transmitting the information about the determination.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems of testing for phishing security vulnerabilities are disclosed, including methods of penetration testing of a network node by a penetration testing system comprising a reconnaissance agent software module installed in the network node, and a penetration testing software module installed on a remote computing device. Penetration testing systems are provided so as to locally detect weaknesses that would expose network nodes to phishing-based attacks.

48 Citations

View as Search Results

14 Claims

1. A method of penetration testing of a network node by a penetration testing system, the penetration testing system comprising (A) a reconnaissance agent software module installed in the network node, and (B) a penetration testing software module installed on a remote computing device, the method comprising:
- a. sending to the network node, by the penetration testing software module, a test message containing at least one member selected from the group consisting of an Internet link and an attachment file;
  
  b. detecting, in the network node and by the reconnaissance agent software module installed in the network node, an event occurring in the network node, the event being a member of the group consisting of an event of selecting of the Internet link by a user of the network node, an event of opening of the attachment file by the user of the network node, an event caused by the selecting of the Internet link, and an event caused by the opening of the attachment file;
  
  c. sending, by the reconnaissance agent software module installed in the network node, a reporting message to the remote computing device, the reporting message containing information concerning an occurrence of the detected event;
  
  d. making a determination, by the penetration testing software module, that the network node is vulnerable to an attack, the determination being based on the information concerning the occurrence of the detected event included in the reporting message; and
  
  e. reporting the determination by the penetration testing software module, the reporting comprising at least one operation selected from the group consisting of;
  
  (i) causing a display device to display information about the determination, (ii) recording the information about the determination in a file, and (iii) electronically transmitting the information about the determination.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the detected event is one member of the group consisting of the event of selecting the Internet link and the event caused by the selecting of the Internet link.
  - 3. The method of claim 1, wherein the detected event is one member of the group consisting of the event of opening the attachment file and the event caused by the opening of the attachment file.
  - 4. The method of claim 2, wherein the Internet link comprises an invalid or inactive Internet address.
  - 5. The method of claim 2, wherein the Internet link is contained in a body of the test message.
  - 6. The method of claim 2, wherein the Internet link is contained in a file attached to the test message.
  - 7. The method of claim 1, wherein the detecting of the event comprises detecting an outgoing message sent by the network node and having a specific characteristic.
  - 8. The method of claim 7, wherein the specific characteristic of the outgoing message includes a specific characteristic of the content of the outgoing message.
  - 9. The method of claim 7, wherein the specific characteristic of the outgoing message includes a specific characteristic of the address to which the outgoing message is being sent.
  - 10. The method of claim 9, wherein the outgoing message is an email message and the specific characteristic of the address is that the address is a loopback address.
  - 11. The method of claim 1, wherein the detecting of the event comprises detecting an execution of a specific executable file by the network node.
  - 12. The method of claim 1, wherein the detecting of the event comprises detecting a specific registry-related operation.
  - 13. The method of claim 1, wherein the detecting of the event comprises detecting a specific file-related operation.

14. A penetration testing system for testing a network node on which a reconnaissance agent software module is installed, the penetration testing system comprising:
- a. a remote computing device in electronic communication with the network node and comprising one or more processors, wherein a penetration testing software module of the penetration testing system is installed on the remote computing device;
  
  b. a first non-transitory computer-readable storage medium containing first program instructions, wherein execution of the first program instructions by one or more processors of the network node causes the one or more processors of the network node to carry out the following;
  
  i. in response to receiving, from the penetration testing software module installed on the remote computing device, a test message containing at least one member selected from the group consisting of an Internet link and an attachment file, detecting, in the network node and by the reconnaissance agent software module, an event occurring in the network node, the event being a member of the group consisting of an event of selecting of the link by a user of the network node, an event of opening of the attachment file by the user of the network node, an event caused by the selecting of the link, and an event caused by the opening of the attachment file, andii. sending, by the reconnaissance agent software module, a reporting message to the remote computing device, the reporting message containing information concerning an occurrence of the detected event; and
  
  c. a second non-transitory computer-readable storage medium containing second program instructions, wherein execution of the second program instructions by one or more processors of the remote computing device causes the one or more processors of the remote computing device to carry out the following;
  
  i. in response to receiving the reporting message from the reconnaissance agent software module installed in the network node, making a determination, by the penetration testing software module, that the network node is vulnerable to an attack, the determination being based on the information concerning the occurrence of the detected event included in the reporting message, andii. reporting the determination by the penetration testing software module, the reporting comprising at least one operation selected from the group consisting of;
  
  (i) causing a display device to display information about the determination, (ii) recording the information about the determination in a file, and (iii) electronically transmitting the information about the determination.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
XM Cyber Ltd. (Schwarz Unternehmenskommunikation GmbH & Co. KG)
Original Assignee
XM Cyber Ltd. (Schwarz Unternehmenskommunikation GmbH & Co. KG)
Inventors
Segal, Ronen, Lasser, Menahem
Primary Examiner(s)
Truong, Thanhnga B

Application Number

US15/879,726
Publication Number

US 20190014141A1
Time in Patent Office

761 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1433   Vulnerability analysis

H04L 63/1483   service impersonation, e.g....

Locally detecting phishing weakness

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

48 Citations

14 Claims

Specification

Use Cases

Quick Links

Others

Locally detecting phishing weakness

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

48 Citations

14 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others