Systems and methods for dynamic removal of agents from nodes of penetration testing systems

US 10,574,687 B1
Filed: 10/24/2019
Issued: 02/25/2020
Est. Priority Date: 12/13/2018
Status: Active Grant

First Claim

Patent Images

1. A method of carrying out a penetration testing campaign of a networked system including multiple network nodes by a penetration testing system, the penetration testing system comprising (A) a penetration testing software module installed on a remote computing device and (B) a reconnaissance agent software module installed on at least some network nodes of the multiple network nodes, the method comprising:

a. for one network node of said at least some network nodes, evaluating a dynamic Boolean uninstalling condition;

b. in response to determining that said dynamic Boolean uninstalling condition is satisfied for said one network node, uninstalling the reconnaissance agent software module from said one network node,wherein said dynamic Boolean uninstalling condition is a Boolean condition (i) that when evaluated for a given network node at two points in time, may produce different values even if network connectivity and an on/off state of said given network node do not change between said two points in time, (ii) that at a time of installing the reconnaissance agent software module on said given network node, for at least one future time point, it is not possible to predict a value of said Boolean condition for said given network node at said at least one future time point, and (iii) for which any evaluation of whether said Boolean condition is satisfied for said given network node does not depend solely on whether said given network node takes part in a penetration testing campaign at the time of said evaluation.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods of carrying out a penetration testing campaign of a networked system by a penetration testing system, in which reconnaissance agent software modules are dynamically removed from at least one network node based on changing conditions in the tested networked system. The networked system includes multiple network nodes, and the penetration testing system includes a penetration testing software module and a reconnaissance agent software module installed on at least some network nodes of the multiple network nodes. For one network node, a dynamic Boolean uninstalling condition is evaluated, and in response to determining that the dynamic Boolean uninstalling condition is satisfied for that network node, the reconnaissance agent software module is uninstalled from that network node.

103 Citations

View as Search Results

20 Claims

1. A method of carrying out a penetration testing campaign of a networked system including multiple network nodes by a penetration testing system, the penetration testing system comprising (A) a penetration testing software module installed on a remote computing device and (B) a reconnaissance agent software module installed on at least some network nodes of the multiple network nodes, the method comprising:
- a. for one network node of said at least some network nodes, evaluating a dynamic Boolean uninstalling condition;
  
  b. in response to determining that said dynamic Boolean uninstalling condition is satisfied for said one network node, uninstalling the reconnaissance agent software module from said one network node,wherein said dynamic Boolean uninstalling condition is a Boolean condition (i) that when evaluated for a given network node at two points in time, may produce different values even if network connectivity and an on/off state of said given network node do not change between said two points in time, (ii) that at a time of installing the reconnaissance agent software module on said given network node, for at least one future time point, it is not possible to predict a value of said Boolean condition for said given network node at said at least one future time point, and (iii) for which any evaluation of whether said Boolean condition is satisfied for said given network node does not depend solely on whether said given network node takes part in a penetration testing campaign at the time of said evaluation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1, wherein said dynamic Boolean uninstalling condition depends on multiple dynamic Boolean sub-conditions, each dynamic Boolean sub-condition of said multiple dynamic Boolean sub-conditions being related to said one network node.
  - 3. The method of claim 1, wherein said dynamic Boolean uninstalling condition depends on a static Boolean sub-condition related to said one network node, in addition to depending on one or more dynamic Boolean sub-conditions.
  - 4. The method of claim 1, wherein said dynamic Boolean uninstalling condition depends on a given event type occurring at least a given number of times during a time interval of a given length immediately preceding the current time.
  - 5. The method of claim 1, wherein said dynamic Boolean uninstalling condition depends on a given event type occurring at least a given number of times since the reconnaissance agent software module was last installed in said one network node.
  - 6. The method of claim 1, wherein said evaluating of said dynamic Boolean uninstalling condition for said one network node is at least partially carried out by the reconnaissance agent software module installed on said one network node.
  - 7. The method of claim 1, wherein said evaluating of said dynamic Boolean uninstalling condition for said one network node is at least partially carried out by the penetration testing software module installed on the remote computing device.
  - 8. The method of claim 1, wherein said evaluating of said dynamic Boolean uninstalling condition for said one network node includes determining a value of said dynamic Boolean uninstalling condition at multiple points in time, wherein, for each point in time of said multiple points in time except a last of said multiple points in time, said value of said dynamic Boolean uninstalling condition is determined to be false for said one network node.
  - 9. The method of claim 8, wherein said determining of said value at said multiple points in time is automatically carried out according to a pre-defined schedule.
  - 10. The method of claim 8, wherein said determining of said value at said multiple points in time includes starting determining of said value for one of said multiple points in time in response to completing determining of said value for another of said multiple points in time.
  - 11. The method of claim 1, wherein said uninstalling is permanently uninstalling.
  - 12. The method of claim 1, wherein said uninstalling is temporarily uninstalling.
  - 13. The method of claim 12, wherein the reconnaissance agent software module includes a component that is executed when powering-up said one network node, wherein execution of said component determines whether the reconnaissance agent software module is currently temporarily uninstalled in said one network node.
  - 14. The method of claim 12, wherein the reconnaissance agent software module includes a component that is executed in response to said one network node receiving a command to re-install the reconnaissance agent software module, wherein execution of said component causes said reconnaissance agent software module to become active.
  - 15. The method of claim 1, further comprising:
    - c. re-installing the reconnaissance agent software module on at least one network node of said at least some network nodes from which the reconnaissance agent software module was previously uninstalled.
  - 16. The method of claim 15, wherein said re-installing of the reconnaissance agent software module is automatically carried out according to a pre-defined schedule.
  - 17. The method of claim 15, wherein said re-installing of the reconnaissance agent software module is carried out in response to a manual command.
  - 18. The method of claim 15, wherein said re-installing of the reconnaissance agent software module is carried out in response to a given condition becoming satisfied.

19. A system for carrying out a penetration testing campaign of a networked system including multiple network nodes, each network node of the multiple network nodes including one or more node processors, the system comprising:
- a. a penetration testing computing device in communication with at least some network nodes of the multiple network nodes, the penetration testing computing device comprising;
  
  i. one or more penetration testing processors; and
  
  ii. a penetration testing non-transitory computer readable storage medium for instructions execution by said one or more penetration testing processors, said penetration testing non-transitory computer readable storage medium having stored;
  
  A. data receiving instructions that, when executed by said one or more penetration testing processors, cause said penetration testing computing device to receive data from said at least some network nodes; and
  
  B. campaign instructions that, when executed by said one or more penetration testing processors, cause said penetration testing computing device to carry out the penetration testing campaign for testing the networked system based on said data received from said at least some network nodes; and
  
  b. a reconnaissance agent non-transitory computer readable storage medium for instructions execution by the one or more node processors of one network node of said at least some network nodes, said reconnaissance agent non-transitory computer readable storage medium having stored;
  
  i. reconnaissance agent instructions that, when executed by said one or more node processors of said one network node, cause said one network node to transmit from said one network node at least a portion of said data received by said penetration testing computing device;
  
  ii. condition evaluation instructions that, when executed by said one or more node processors of said one network node, cause said one network node to evaluate a dynamic Boolean uninstalling condition for said one network node; and
  
  iii. uninstalling instructions that, when executed by said one or more node processors of said one network node, cause said one network node to uninstall said reconnaissance agent instructions from said one network node, wherein said uninstalling instructions are executed in response to the condition evaluation instructions determining that said dynamic Boolean uninstalling condition is satisfied for said one network node,wherein said dynamic Boolean uninstalling condition is a Boolean condition (i) that when evaluated for a given network node at two points in time, may produce different values even if network connectivity and an on/off state of said given network node do not change between said two points in time, (ii) that at a time of installing said reconnaissance agent instructions on said given network node, for at least one future time point, it is not possible to predict a value of said Boolean condition for said given network node at said at least one future time point, and (iii) for which any evaluation of whether said Boolean condition is satisfied for said given network node does not depend solely on whether said given network node takes part in a penetration testing campaign at the time of said evaluation.

20. A system for carrying out a penetration testing campaign of a networked system including multiple network nodes, each network node of the multiple network nodes including one or more node processors, the system comprising:
- a. a reconnaissance agent non-transitory computer readable storage medium for instructions execution by the one or more node processors of one network node of the multiple network nodes, said reconnaissance agent non-transitory computer readable storage medium having stored;
  
  i. reconnaissance agent instructions that, when executed by said one or more node processors of said one network node, cause said one network node to transmit from said one network node data about said one network node; and
  
  ii. uninstalling instructions that, when executed by said one or more node processors of said one network node, cause said one network node to uninstall said reconnaissance agent instructions from said one network node; and
  
  b. a penetration testing computing device in communication with at least some network nodes of the multiple network nodes, wherein said at least some network nodes include said one network node, said penetration testing computing device comprising;
  
  i. one or more penetration testing processors; and
  
  ii. a penetration testing non-transitory computer readable storage medium for instructions execution by said one or more penetration testing processors, said penetration testing non-transitory computer readable storage medium having stored;
  
  A. data receiving instructions that, when executed by said one or more penetration testing processors, cause said penetration testing computing device to receive data from said at least some network nodes, said received data including said data about said one network node;
  
  B. campaign instructions that, when executed by said one or more penetration testing processors, cause said penetration testing computing device to carry out the penetration testing campaign for testing the networked system based on said data received from said at least some network nodes; and
  
  C. condition evaluation instructions that, when executed by said one or more penetration testing processors, cause said penetration testing computing device to evaluate a dynamic Boolean uninstalling condition for said one network node, the evaluation being based on said data about said one network node,wherein said uninstalling instructions are executed by said one or more node processors of said one network node in response to said condition evaluation instructions determining that said dynamic Boolean uninstalling condition is satisfied for said one network node,wherein said dynamic Boolean uninstalling condition is a Boolean condition (i) that when evaluated for a given network node at two points in time, may produce different values even if network connectivity and an on/off state of said given network node do not change between said two points in time, (ii) that at a time of installing said reconnaissance agent instructions on said given network node, for at least one future time point, it is not possible to predict a value of said Boolean condition for said given network node at said at least one future time point, and (iii) for which any evaluation of whether said Boolean condition is satisfied for said given network node does not depend solely on whether said given network node takes part in a penetration testing campaign at the time of said evaluation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
XM Cyber Ltd. (Schwarz Unternehmenskommunikation GmbH & Co. KG)
Original Assignee
XM Cyber Ltd. (Schwarz Unternehmenskommunikation GmbH & Co. KG)
Inventors
Lasser, Menahem
Primary Examiner(s)
Plecha, Thaddeus J

Application Number

US16/662,206
Time in Patent Office

124 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/2294   by remote test

G06F 11/3006   where the computing system ...

G06F 11/3668   Software testing software t...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

G06F 2221/034   Test or assess a computer o...

G06F 8/62   Uninstallation

H04L 63/1433   Vulnerability analysis

Systems and methods for dynamic removal of agents from nodes of penetration testing systems

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

103 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for dynamic removal of agents from nodes of penetration testing systems

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

103 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links