Penetration testing of a networked system

US 10,637,882 B2
Filed: 01/18/2018
Issued: 04/28/2020
Est. Priority Date: 01/30/2017
Status: Active Grant

First Claim

Patent Images

1. A method for executing a penetration test of a networked system by a penetration testing system so as to determine a method for an attacker to compromise the networked system, where the penetration testing system comprises (A) a penetration testing software module installed on a remote computing device and (B) a reconnaissance agent software module (RASM) installed on at least some network nodes of the networked system so that each network node of the networked system on which the RASM is installed is defined as a RASM-hosting network node, the method for executing the penetration test comprising:

a. obtaining, by each given RASM-hosting network node of one or more RASM-hosting network nodes, respective data of the given RASM-hosting network node, the obtaining comprising executing computer code of the RASM by one or more processors of the given RASM-hosting network node, the respective data including data about at least one member selected from the group consisting of;

A. an event of the given RASM-hosting network node,B. a condition of the given RASM-hosting network node, andC. a fact of the given RASM-hosting network node;

b. transmitting to the remote computing device, by each given RASM-hosting network node of the one or more RASM-hosting network nodes, the obtained respective data of the given RASM-hosting network node, the transmitting comprising executing computer code of the RASM by the one or more processors of the given RASM-hosting network node;

c. assessing, by the remote computing device, and based on the data transmitted by at least one RASM-hosting network node of the one or more RASM-hosting network nodes, if a first network node of the networked system can be compromised;

d. in response to assessing that the first network node of the networked system can be compromised, simulating or evaluating, by the remote computing device, a result of compromising the first network node of the networked system;

e. determining, by the remote computing device and based on the result of the compromising of the first network node of the networked system, that a second network node of the networked system can be compromised, wherein the determining that the second network node of the networked system can be compromised comprises (i) using knowledge about known methods of compromising networks or computing devices, and (ii) executing computer code of the penetration testing software module by one or more processors of the remote computing device;

f. determining, by the remote computing device and based on the determining that the second network node of the networked system can be compromised, the method for the attacker to compromise the networked system; and

g. reporting, by the remote computing device of the penetration testing system, the determined method for the attacker to compromise the networked system, the reporting comprising executing computer code of the penetration testing software module by the one or more processors of the remote computing device, wherein the reporting comprises at least one operation selected from the group consisting of (i) causing a display device to display a report including information about the determined method for the attacker to compromise the networked system, (ii) recording the report including the information about the determined method for the attacker to compromise the networked system in a file, and (iii) electronically transmitting the report including the information about the determined method for the attacker to compromise the networked system,wherein the method for executing the penetration test is such that no network node of the networked system is put at risk of being compromised by the executing of the penetration test.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for penetration testing of a networked system comprising a set of network-nodes by a penetration testing system (e.g. to enforce first and/or second rules) are disclosed herein. The penetration testing system comprises: (i) reconnaissance agent software module (RASM) installed on multiple nodes (each of which is a RASM-hosting node) of the networked system to be penetration-tested and (ii) a penetration testing software module (PTSM) installed on a remote computing device (RCD). Internal data from each of the RASM-hosting nodes is collected and transmitted to the RCD. Analysis of the internal data collected from multiple RASM-hosting network nodes determines a method for an attacker to compromise the networked system. The first and second rules are defined herein. Alternatively or additionally, one or more of the RASM instances are pre-installed on one or more RASM-hosting nodes before the penetration testing commences.

52 Citations

View as Search Results

20 Claims

1. A method for executing a penetration test of a networked system by a penetration testing system so as to determine a method for an attacker to compromise the networked system, where the penetration testing system comprises (A) a penetration testing software module installed on a remote computing device and (B) a reconnaissance agent software module (RASM) installed on at least some network nodes of the networked system so that each network node of the networked system on which the RASM is installed is defined as a RASM-hosting network node, the method for executing the penetration test comprising:
- a. obtaining, by each given RASM-hosting network node of one or more RASM-hosting network nodes, respective data of the given RASM-hosting network node, the obtaining comprising executing computer code of the RASM by one or more processors of the given RASM-hosting network node, the respective data including data about at least one member selected from the group consisting of;
  
  A. an event of the given RASM-hosting network node,B. a condition of the given RASM-hosting network node, andC. a fact of the given RASM-hosting network node;
  
  b. transmitting to the remote computing device, by each given RASM-hosting network node of the one or more RASM-hosting network nodes, the obtained respective data of the given RASM-hosting network node, the transmitting comprising executing computer code of the RASM by the one or more processors of the given RASM-hosting network node;
  
  c. assessing, by the remote computing device, and based on the data transmitted by at least one RASM-hosting network node of the one or more RASM-hosting network nodes, if a first network node of the networked system can be compromised;
  
  d. in response to assessing that the first network node of the networked system can be compromised, simulating or evaluating, by the remote computing device, a result of compromising the first network node of the networked system;
  
  e. determining, by the remote computing device and based on the result of the compromising of the first network node of the networked system, that a second network node of the networked system can be compromised, wherein the determining that the second network node of the networked system can be compromised comprises (i) using knowledge about known methods of compromising networks or computing devices, and (ii) executing computer code of the penetration testing software module by one or more processors of the remote computing device;
  
  f. determining, by the remote computing device and based on the determining that the second network node of the networked system can be compromised, the method for the attacker to compromise the networked system; and
  
  g. reporting, by the remote computing device of the penetration testing system, the determined method for the attacker to compromise the networked system, the reporting comprising executing computer code of the penetration testing software module by the one or more processors of the remote computing device, wherein the reporting comprises at least one operation selected from the group consisting of (i) causing a display device to display a report including information about the determined method for the attacker to compromise the networked system, (ii) recording the report including the information about the determined method for the attacker to compromise the networked system in a file, and (iii) electronically transmitting the report including the information about the determined method for the attacker to compromise the networked system,wherein the method for executing the penetration test is such that no network node of the networked system is put at risk of being compromised by the executing of the penetration test.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the RASM is installed on at least one of the one or more RASM-hosting network nodes prior to beginning the executing of the penetration test.
  - 3. The method of claim 1, wherein the RASM is installed on all of the one or more RASM-hosting network nodes prior to beginning the executing of the penetration test.
  - 4. The method of claim 1, wherein the information about the determined method for an attacker to compromise the networked system comprises at least one member selected from the group consisting of:
    - (i) information about a method for compromising one network node of the networked system (ii) information about one or more network nodes of the networked system which are vulnerable to attack, (iii) information about one or more resources of the networked system that could be damaged or exported out of the networked system by an attacker, and (iv) information about an ordered list of network nodes of the networked system, wherein an attacker could use a specific network node in said ordered list that is already compromised as a basis for compromising another network node that immediately follows said specific network node in said ordered list.
  - 5. The method of claim 1, wherein for at least one specific RASM-hosting network node of the one or more RASM-hosting network nodes, the obtained respective data of the specific RASM-hosting network node comprises internal data of the specific RASM-hosting network node.
  - 6. The method of claim 1, wherein at least one RASM-hosting network node of the one or more RASM-hosting network nodes performs at least one step selected from the group consisting of step (a) and step (b) in response to a receiving of one or more data-requesting commands from the remote computing device.
  - 7. The method of claim 1, wherein each RASM-hosting network node of the one or more RASM-hosting network nodes performs at least one step selected from the group consisting of step (a) and step (b) in response to a receiving of one or more data-requesting commands from the remote computing device.
  - 8. The method of claim 1, wherein all of the assessing that the first network node of the networked system can be compromised is performed by the remote computing device.
  - 9. The method of claim 1, wherein the using of knowledge about known methods of compromising networks or computing devices comprises using one or more databases that store the knowledge about known methods of compromising networks or computing devices.

10. A penetration testing system for executing a penetration test of a networked system so as to determine a method for an attacker to compromise the networked system, the penetration testing system comprising:
- a. a remote computing device comprising a computer memory and one or more processors, the remote computing device in electronic communication with the networked system;
  
  b. a first non-transitory computer-readable storage medium containing first code of a reconnaissance agent software module (RASM), wherein execution of the first code of the RASM by respective one or more processors of each given network node of a first set of network nodes of the networked system, causes the one or more processors of the given network node of the first set to carry out the following;
  
  i. obtaining respective data of the given network node of the first set, the respective data including data about at least one member selected from the group consisting of;
  
  A. an event of the given network node of the first set,B. a condition of the given network node of the first set, andC. a fact of the given network node of the first set; and
  
  ii. transmitting to the remote computing device and out of the given network node of the first set the obtained respective data of the given network node of the first set; and
  
  c. a second non-transitory computer-readable storage medium containing second code of a penetration testing software module, wherein execution of the second code of the penetration testing software module by the one or more processors of the remote computing device;
  
  i. assesses, based on the respective data transmitted by each given network node of a second set of network-nodes of the networked system, if a first network node of the networked system can be compromised;
  
  ii. in response to assessing that the first network node can be compromised, simulates or evaluates a result of compromising the first network node of the networked system;
  
  iii. determines, based on the result of the compromising of the first network node of the networked system, that a second network node of the networked system can be compromised, wherein the determining that the second network node of the networked system can be compromised comprises using knowledge about known methods of compromising networks or computing devices;
  
  iv. determines, based on the determining that the second network node of the networked system can be compromised, the method for the attacker to compromise the networked system; and
  
  v. reports the determined method for the attacker to compromise the networked system, wherein the reporting comprises at least one operation selected from the group consisting of (A) causing a display device to display a report including information about the determined method for the attacker to compromise the networked system, (B) recording the report including the information about the determined method for the attacker to compromise the networked system in a file, and (C) electronically transmitting a report including the information about the determined method for the attacker to compromise the networked system,wherein (i) the execution of the first code of the RASM by the respective one or more processors of each given network node of the first set of network nodes of the networked system and (ii) the execution of the second code of the penetration testing software module by the one or more processors of the remote computing device, subject the networked system to penetration testing in which no network node of the networked system is put at risk of being compromised.

11. A method for executing a penetration test of a networked system by a penetration testing system so as to determine a method for an attacker to compromise the networked system, where the penetration testing system comprises (A) a penetration testing software module installed on a remote computing device and (B) a reconnaissance agent software module (RASM) installable on network nodes of the networked system so that each network node of the networked system on which the RASM is installed is defined as a RASM-hosting network node, the method for executing the penetration test comprising:
- a. subsequent to an installing of the RASM on at least some network nodes of the networked system, which installing occurs prior to starting the executing of the penetration test, performing the following;
  
  i. obtaining, by each given RASM-hosting network node of one or more RASM-hosting network nodes, respective data of the given RASM-hosting network node, the obtaining comprising executing computer code of the RASM by one or more processors of the given RASM-hosting network node, the respective data including data about at least one member selected from the group consisting of;
  
  A. an event of the given RASM-hosting network node,B. a condition of the given RASM-hosting network node, andC. a fact of the given RASM-hosting network node; and
  
  ii. transmitting to the remote computing device, by each given RASM-hosting network node of the one or more RASM-hosting network nodes, the obtained respective data of the given RASM-hosting network node, the transmitting comprising executing computer code of the RASM by the one or more processors of the given RASM-hosting network node;
  
  c. assessing, by the remote computing device and based on the data transmitted by at least one RASM-hosting network node of the one or more RASM-hosting network nodes, of a first network node of the networked system can be compromised;
  
  d. in response to assessing that the first network node of the networked system can be compromised, simulating or evaluating, by the remote computing device, a result of compromising the first network node of the networked system;
  
  e. determining, by the remote computing device and based on the result of the compromising of the first network node of the networked system, that a second network node of the networked system can be compromised, wherein the determining that the second network node of the networked system can be comprosmised comprises (i) using knowledge about known methods compromising networks or computing devices, and (ii) executing computer code of the penetration testing software module by one or more processors of the remote computing device;
  
  f. determining, by the remote computing device and based on the determining that the second network node of the networked system can be compromised, the method for the attacker to compromise the networked system; and
  
  g. reporting, by the remote computing device of the penetration testing system, the method for the attacker to compromise the networked system, the reporting comprising executing computer code of the penetration testing software module by the one or more processors of the remote computing device, wherein the reporting comprises at least one operation selected from the group consisting of (i) causing a display device to display a report including information about the determined method for the attacker to compromise the networked system, (ii) recording the report including the information about the determined method for the attacker to compromise the networked system in a file, and (iii) electronically transmitting the report including the information about the determined method for the attacker to compromise the networked system.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The method of claim 11, further comprising the step of:
    - d. before commencing step (a), installing the RASM on the at least some network nodes of the networked system.
  - 13. The method of claim 11, wherein the information about the determined method for an attacker to compromise the networked system comprises at least one member selected from the group consisting of:
    - (i) information about a method for compromising one network node of the networked system (ii) information about one or more network nodes of the networked system which are vulnerable to attack, (iii) information about one or more resources of the networked system that could be damaged or exported out of the networked system by an attacker, and (iv) information about an ordered list of network nodes of the networked system, wherein an attacker could use a specific network node in said ordered list that is already compromised as a basis for compromising another network node that immediately follows said specific network node in said ordered list.
  - 14. The method of claim 11, wherein for at least one specific RASM-hosting network node of the one or more RASM-hosting network nodes, the obtained respective data of the specific RASM-hosting network node comprises internal data of the specific RASM-hosting network node.
  - 15. The method of claim 11, wherein at least one RASM-hosting network node of the one or more RASM-hosting network nodes performs at least one step selected from the group consisting of step a(i) and step a(ii) in response to a receiving of one or more data-requesting commands from the remote computing device.
  - 16. The method of claim 11, wherein all of the assessing that the first network node of the networked system can be compromised is performed by the remote computing device.
  - 17. The method of claim 11, wherein the using of the knowledge about known methods of compromising networks or computing devices comprises using one or more databases that store the knowledge about known methods of compromising networks or computing devices.
  - 18. The method of claim 11, wherein the method for executing the penetration test is performed so that no network node of the networked system is put at risk of being compromised by the executing of the penetration test.
  - 19. The method of claim 11, wherein the RASM is installed on all of the one or more RASM-hosting network nodes prior to beginning the executing of the penetration test.

20. A penetration testing system for executing a penetration test of a networked system so as to determine a method for an attacker to compromise the networked system, the penetration testing system comprising:
- a. a remote computing device comprising a computer memory and one or more processors, the remote computing device in electronic communication with the networked system;
  
  b. a first non-transitory computer-readable storage medium containing first code of a reconnaissance agent software module (RASM), wherein for a first set of network-nodes of the networked system on which the RASM is pre-installed before starting the executing of the penetration test, subsequent execution of the first code, after starting the executing of the penetration test, by respective one or more processors of each given network node of the first set of network nodes, causes the one or more processors of the given network node of the first set to carry out the following;
  
  i. obtaining respective data of the given network node of the first set, the respective data including data about at least one member selected from the group consisting of;
  
  A. an event of the given network node of the first set,B. a condition of the given network node of the first set, andC. a fact of the given network node of the first set; and
  
  ii. transmitting to the remote computing device and out of the given network node of the first set the obtained respective data of the given network node of the first set; and
  
  c. a second non-transitory computer-readable storage medium containing second code of a penetration testing software module, wherein execution of the second code of the penetration testing software module by the one or more processors of the remote computing device;
  
  i. assesses, based on the respective data transmitted by each given network node of a second set of network-nodes of the networked system, if a first network node of the networked system can be compromised;
  
  ii. in response to assessing that the first network node can be compromised, simulates or evaluates a result of compromising the first network node of the networked system;
  
  iii. determines, based on the result of the compromising of the first network node of the networked system, that a second network node of the networked system can be compromised, wherein the determining that the second network node of the networked system can be compromised comprises using knowledge about known methods of compromising networks or computing devices;
  
  iv. determines, based on the determining that the second network node of the networked system can be compromised, the method for the attacker to compromise the networked system; and
  
  v. reports the determined method for the attacker to compromise the networked system, wherein the reporting comprises at least one operation selected from the group consisting of (A) causing a display device to display a report including information about the determined method for the attacker to compromise the networked system, (B) recording the report including the information about the determined method for the attacker to compromise the networked system in a file, and (C) electronically transmitting a report including the information about the determined method for the attacker to compromise the networked system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
XM Cyber Ltd. (Schwarz Unternehmenskommunikation GmbH & Co. KG)
Original Assignee
XM Cyber Ltd. (Schwarz Unternehmenskommunikation GmbH & Co. KG)
Inventors
Gorodissky, Boaz, Ashkenazy, Adi, Segal, Ronen
Primary Examiner(s)
Doan, Trang T

Application Number

US15/874,429
Publication Number

US 20180219904A1
Time in Patent Office

831 Days
Field of Search
US Class Current
CPC Class Codes

H04L 41/048   mobile agents

H04L 43/50   Testing arrangements

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

H04L 63/30   for supporting lawful inter...

Penetration testing of a networked system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

52 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Penetration testing of a networked system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

52 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links