SYSTEM AND METHOD FOR IDENTIFYING EXPLOITABLE WEAK POINTS IN A NETWORK

US 20140007241A1
Filed: 10/17/2012
Published: 01/02/2014
Est. Priority Date: 06/27/2012
Status: Active Grant

First Claim

Patent Images

1. A system for identifying exploitable weak points in a network, comprising:

one or more passive scanners configured to observe connections in the network to identify network addresses and open ports associated with the observed connections;

one or more active scanners configured to scan the network to enumerate current connections in the network and identify network addresses and open ports associated with the current connections in the network; and

one or more processors coupled to the one or more passive scanners and the one or more active scanners, wherein the one or more processors are configured to;

model trust relationships in the network based on information associated with the connections observed with the one or more passive scanners and the current connections enumerated with the one or more active scanners;

identify exploitable weak points in the network based on the information associated with the connections observed with the one or more passive scanners and the current connections enumerated with the one or more active scanners;

simulate an attack that uses the modeled trust relationships to target the exploitable weak points on a selected host in the network; and

enumerate remote network addresses that could compromise the network and determine an exploitation path that the enumerated remote network addresses could use to compromise the network based on the simulated attack.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The system and method described herein may leverage passive and active vulnerability discovery to identify network addresses and open ports associated with connections that one or more passive scanners observed in a network and current connections that one or more active scanners enumerated in the network. The observed and enumerated current connections may be used to model trust relationships and identify exploitable weak points in the network, wherein the exploitable weak points may include hosts that have exploitable services, exploitable client software, and/or exploitable trust relationships. Furthermore, an attack that uses the modeled trust relationships to target the exploitable weak points on a selected host in the network may be simulated to enumerate remote network addresses that could compromise the network and determine an exploitation path that the enumerated remote network addresses could use to compromise the network.

104 Citations

View as Search Results

32 Claims

1. A system for identifying exploitable weak points in a network, comprising:
- one or more passive scanners configured to observe connections in the network to identify network addresses and open ports associated with the observed connections;
  
  one or more active scanners configured to scan the network to enumerate current connections in the network and identify network addresses and open ports associated with the current connections in the network; and
  
  one or more processors coupled to the one or more passive scanners and the one or more active scanners, wherein the one or more processors are configured to;
  
  model trust relationships in the network based on information associated with the connections observed with the one or more passive scanners and the current connections enumerated with the one or more active scanners;
  
  identify exploitable weak points in the network based on the information associated with the connections observed with the one or more passive scanners and the current connections enumerated with the one or more active scanners;
  
  simulate an attack that uses the modeled trust relationships to target the exploitable weak points on a selected host in the network; and
  
  enumerate remote network addresses that could compromise the network and determine an exploitation path that the enumerated remote network addresses could use to compromise the network based on the simulated attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The system recited in claim 1, wherein the exploitable weak points include hosts that have internally exploitable services, hosts that have remotely exploitable services, hosts that have exploitable client software, hosts that have exploitable client software and connect to remote networks or process content from the remote networks, destination hosts that accept exploitable trust relationships from internally exploitable source hosts, and destination hosts that accept exploitable trust relationships from remotely exploitable source hosts.
  - 3. The system recited in claim 2, wherein the one or more processors are further configured to:
    - identify, among the network addresses and open ports associated with the connections observed with the one or more passive scanners, network addresses having exploitable services that permit external access on one or more predetermined ports; and
      
      include the identified network addresses having the exploitable services that permit external access on the one or more predetermined ports among the hosts that have the remotely exploitable services.
  - 4. The system recited in claim 2, wherein the one or more processors are further configured to:
    - identify, among the network addresses and open ports associated with the current connections enumerated with the one or more active scanners, network addresses having exploitable services that permit remote or uncredentialed checks, network addresses having exploitable services on one or more predetermined ports, and network addresses having remotely exploitable patch audits associated with a low access complexity rating; and
      
      include the identified network addresses having one or more of the exploitable services that permit the remote or uncredentialed checks, the exploitable services on the one or more predetermined ports, or the remotely exploitable patch audits associated with the low access complexity rating among the hosts that have the internally exploitable services.
  - 5. The system recited in claim 4, wherein the one or more processors are further configured to:
    - identify, among the network addresses and open ports associated with the connections observed with the one or more passive scanners, network addresses paired with open ports that accept external connections;
      
      determine, among the network addresses paired with the open ports that accept the external connections, network addresses that correspond to one or more of the network addresses associated with the hosts that have the internally exploitable services; and
      
      include the determined network addresses that correspond to one or more of the network addresses associated with the hosts that have the internally exploitable services among the hosts that have the remotely exploitable services.
  - 6. The system recited in claim 2, wherein the one or more processors are further configured to:
    - identify, among the network addresses and open ports associated with the connections observed with the one or more passive scanners, network addresses having exploitable services on port zero;
      
      identify, among the network addresses and open ports associated with the current connections enumerated with the one or more active scanners, network addresses having remotely exploitable patch audits associated with one or more of a medium access complexity rating or a high access complexity rating; and
      
      include the identified network addresses having the exploitable services on port zero and the identified network addresses having the remotely exploitable patch audits associated with one or more of the medium access complexity rating or the high access complexity rating among the hosts that have the exploitable client software.
  - 7. The system recited in claim 6, wherein the one or more processors are further configured to:
    - identify, among the network addresses and open ports associated with the connections observed with the one or more passive scanners, network addresses that connected to destinations external to the network, network addresses that correspond to mobile devices, and network addresses that used one or more proxy or mail gateway protocols;
      
      determine, among the network addresses that connected to destinations external to the network, correspond to mobile devices, and used the one or more proxy or mail gateway protocols, network addresses that correspond to one or more of the network addresses associated with the hosts that have the exploitable client software; and
      
      include the determined network addresses that correspond to one or more of the network addresses associated with the hosts that have the exploitable client software among the hosts that have exploitable client software and connect to remote networks or process content from the remote networks.
  - 8. The system recited in claim 2, wherein the one or more processors are further configured to identify, among the connections observed with the one or more passive scanners and the current connections enumerated with the one or more active scanners, internal connections from source hosts in the network to destination hosts in the network, wherein the modeled trust relationships associate network addresses corresponding to the destination hosts with network addresses corresponding to the source hosts that have connected thereto.
  - 9. The system recited in claim 8, wherein the one or more processors are further configured to:
    - select a destination host among the destination hosts associated with the identified internal connections; and
      
      include network addresses that correspond to the source hosts that have connected to the selected destination host and that further correspond to one or more of the hosts that have the remotely exploitable services or the hosts that have exploitable client software and connect to remote networks or process content from the remote networks among the exploitable trust relationships that the selected destination host accepts from remotely exploitable source hosts.
  - 10. The system recited in claim 9, wherein the one or more processors are further configured to:
    - identify network addresses that correspond to the source hosts that have connected to the selected destination host and that further correspond to one or more of the hosts that have the internally exploitable services or the hosts that have exploitable client software;
      
      determine, among the identified network addresses, network addresses that have not been included among the exploitable trust relationships that the selected destination host accepts from remotely exploitable source hosts; and
      
      include the determined network addresses among the exploitable trust relationships that the selected destination host accepts from internally exploitable source hosts.
  - 11. The system recited in claim 10, wherein the one or more processors are further configured to:
    - select the host associated with the simulated attack among the hosts that have the internally exploitable services, wherein the selected host comprises a destination host selected from among the destination hosts associated with the identified internal connections;
      
      use the modeled trust relationships to determine network addresses that correspond to the source hosts that have observed connections or enumerated current connections to the network address associated with the selected host; and
      
      process the determined network addresses that correspond to the source hosts that have connected to the selected host to enumerate the remote network addresses that could compromise the network and determine the exploitation path that the enumerated remote network addresses could use to compromise the network based on the simulated attack.
  - 12. The system recited in claim 11, wherein the one or more processors are configured to process the determined network addresses that correspond to the source hosts that have connected to the selected host using a simulation algorithm that further causes the one or more processors to:
    - select a current network address among the determined network addresses that correspond to the source hosts that have connected to the selected host;
      
      include the current network address among the enumerated remote network addresses that could compromise the network if the source host associated with the current network address connects to the selected host on an exploitable port, wherein the exploitation path includes an exploit used to connect to the selected host on the exploitable port;
      
      use the modeled trust relationships to determine second order network addresses that correspond to source hosts that have connected to the current network address if the hosts that have the internally exploitable services include the source host associated with the current network address, wherein the second order network addresses exclude network addresses that are included among one or more of the enumerated remote network addresses that could compromise the network or the hosts that have the internally exploitable services; and
      
      execute the simulation algorithm to iteratively process the second order network addresses that correspond to the source hosts that have connected to the current network address until no further second order network addresses are determined.
  - 13. The system recited in claim 12, wherein the simulation algorithm further causes the one or more processors to iteratively process the determined network addresses that correspond to the source hosts that have connected to the selected host until all source hosts that have connected to the selected host have been processed.
  - 14. The system recited in claim 1, wherein the one or more processors are further configured to generate a report that describes the exploitation path that the enumerated remote network addresses could use to compromise the network based on the simulated attack according to one or more severity levels.
  - 15. The system recited in claim 1, wherein the exploitable weak points in the network include one or more of a network vulnerability having a publicly known exploit associated therewith or a network vulnerability satisfying one or more predetermined criteria associated with a vulnerability scoring system.
  - 16. The system recited in claim 1, further comprising a log aggregator configured to collect events that describe activity in the network, wherein the one or more processors are further configured to model the trust relationships and identify the exploitable weak points in the network based on information associated with the events collected at the log aggregator.

17. A method for identifying exploitable weak points in a network, comprising:
- configuring one or more passive scanners to identify network addresses and open ports associated with connections that the one or more passive scanners observe in the network;
  
  configuring one or more active scanners to enumerate current connections in the network and identify network addresses and open ports associated with the current connections enumerated with the one or more active scanners;
  
  modeling trust relationships in the network based on information associated with the connections observed with the one or more passive scanners and the current connections enumerated with the one or more active scanners;
  
  identifying exploitable weak points in the network based on the information associated with the connections observed with the one or more passive scanners and the current connections enumerated with the one or more active scanners;
  
  simulating an attack that uses the modeled trust relationships to target the exploitable weak points on a selected host in the network; and
  
  enumerating remote network addresses that could compromise the network and determine an exploitation path that the enumerated remote network addresses could use to compromise the network based on the simulated attack.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31)
- - 18. The method recited in claim 17, wherein the exploitable weak points include hosts that have internally exploitable services, hosts that have remotely exploitable services, hosts that have exploitable client software, hosts that have exploitable client software and connect to remote networks or process content from the remote networks, destination hosts that accept exploitable trust relationships from internally exploitable source hosts, and destination hosts that accept exploitable trust relationships from remotely exploitable source hosts.
  - 19. The method recited in claim 18, further comprising:
    - identifying, among the network addresses and open ports associated with the connections observed with the one or more passive scanners, network addresses having exploitable services that permit external access on one or more predetermined ports; and
      
      including the identified network addresses having the exploitable services that permit external access on the one or more predetermined ports among the hosts that have the remotely exploitable services.
  - 20. The method recited in claim 18, further comprising:
    - identifying, among the network addresses and open ports associated with the current connections enumerated with the one or more active scanners, network addresses having exploitable services that permit remote or uncredentialed checks, network addresses having exploitable services on one or more predetermined ports, and network addresses having remotely exploitable patch audits associated with a low access complexity rating; and
      
      including the identified network addresses having one or more of the exploitable services that permit the remote or uncredentialed checks, the exploitable services on the one or more predetermined ports, or the remotely exploitable patch audits associated with the low access complexity rating among the hosts that have the internally exploitable services.
  - 21. The method recited in claim 20, further comprising:
    - identifying, among the network addresses and open ports associated with the connections observed with the one or more passive scanners, network addresses paired with open ports that accept external connections;
      
      determining, among the network addresses paired with the open ports that accept the external connections, network addresses that correspond to one or more of the network addresses associated with the hosts that have the internally exploitable services; and
      
      including the determined network addresses that correspond to one or more of the network addresses associated with the hosts that have the internally exploitable services among the hosts that have the remotely exploitable services.
  - 22. The method recited in claim 18, further comprising:
    - identifying, among the network addresses and open ports associated with the connections observed with the one or more passive scanners, network addresses having exploitable services on port zero;
      
      identifying, among the network addresses and open ports associated with the current connections enumerated with the one or more active scanners, network addresses having remotely exploitable patch audits associated with one or more of a medium access complexity rating or a high access complexity rating; and
      
      including the identified network addresses having the exploitable services on port zero and the identified network addresses having the remotely exploitable patch audits associated with one or more of the medium access complexity rating or the high access complexity rating among the hosts that have the exploitable client software.
  - 23. The method recited in claim 22, further comprising:
    - identifying, among the network addresses and open ports associated with the connections observed with the one or more passive scanners, network addresses that connected to destinations external to the network, network addresses that correspond to mobile devices, and network addresses that used one or more proxy or mail gateway protocols;
      
      determining, among the network addresses that connected to destinations external to the network, correspond to mobile devices, and used the one or more proxy or mail gateway protocols, network addresses that correspond to one or more of the network addresses associated with the hosts that have the exploitable client software; and
      
      including the determined network addresses that correspond to one or more of the network addresses associated with the hosts that have the exploitable client software among the hosts that have exploitable client software and connect to remote networks or process content from the remote networks.
  - 24. The method recited in claim 18, further comprising identifying, among the connections observed with the one or more passive scanners and the current connections enumerated with the one or more active scanners, internal connections from source hosts in the network to destination hosts in the network, wherein the modeled trust relationships associate network addresses corresponding to the destination hosts with network addresses corresponding to the source hosts that have connected thereto.
  - 25. The method recited in claim 24, further comprising:
    - selecting a destination host among the destination hosts associated with the identified internal connections; and
      
      including network addresses that correspond to the source hosts that have connected to the selected destination host and that further correspond to one or more of the hosts that have the remotely exploitable services or the hosts that have exploitable client software and connect to remote networks or process content from the remote networks among the exploitable trust relationships that the selected destination host accepts from remotely exploitable source hosts.
  - 26. The method recited in claim 25, further comprising:
    - identifying network addresses that correspond to the source hosts that have connected to the selected destination host and that further correspond to one or more of the hosts that have the internally exploitable services or the hosts that have exploitable client software;
      
      determining, among the identified network addresses, network addresses that have not been included among the exploitable trust relationships that the selected destination host accepts from remotely exploitable source hosts; and
      
      including the determined network addresses among the exploitable trust relationships that the selected destination host accepts from internally exploitable source hosts.
  - 27. The method recited in claim 26, further comprising:
    - selecting the host associated with the simulated attack among the hosts that have the internally exploitable services, wherein the selected host comprises a destination host selected from among the destination hosts associated with the identified internal connections;
      
      using the modeled trust relationships to determine network addresses that correspond to the source hosts that have observed connections or enumerated current connections to the network address associated with the selected host; and
      
      processing the determined network addresses that correspond to the source hosts that have connected to the selected host to enumerate the remote network addresses that could compromise the network and determine the exploitation path that the enumerated remote network addresses could use to compromise the network based on the simulated attack.
  - 28. The method recited in claim 27, wherein the determined network addresses that correspond to the source hosts that have connected to the selected host are processed using a simulation algorithm that comprises:
    - selecting a current network address among the determined network addresses that correspond to the source hosts that have connected to the selected host;
      
      including the current network address among the enumerated remote network addresses that could compromise the network if the source host associated with the current network address connects to the selected host on an exploitable port, wherein the exploitation path includes an exploit used to connect to the selected host on the exploitable port;
      
      using the modeled trust relationships to determine second order network addresses that correspond to source hosts that have connected to the current network address if the hosts that have the internally exploitable services include the source host associated with the current network address, wherein the second order network addresses exclude network addresses that are included among one or more of the enumerated remote network addresses that could compromise the network or the hosts that have the internally exploitable services;
      
      executing the simulation algorithm to iteratively process the second order network addresses that correspond to the source hosts that have connected to the current network address until no further second order network addresses are determined; and
      
      iteratively processing the determined network addresses that correspond to the source hosts that have connected to the selected host until all source hosts that have connected to the selected host have been processed.
  - 29. The method recited in claim 17, further comprising generating a report that describes the exploitation path that the enumerated remote network addresses could use to compromise the network based on the simulated attack according to one or more severity levels.
  - 30. The method recited in claim 17, wherein the exploitable weak points in the network include one or more of a network vulnerability having a publicly known exploit associated therewith or a network vulnerability satisfying one or more predetermined criteria associated with a vulnerability scoring system.
  - 31. The method recited in claim 17, further comprising:
    - configuring a log aggregator to collect events that describe activity in the network; and
      
      using information associated with the events collected at the log aggregator to model the trust relationships and identify the exploitable weak points in the network.

32. A computer-readable storage medium having computer-executable instructions stored thereon for identifying exploitable weak points in a network, wherein executing the computer-executable instructions one or more processors causes the one or more processors to:
- configure one or more passive scanners to identify network addresses and open ports associated with connections that the one or more passive scanners observe in the network;
  
  configure one or more active scanners to enumerate current connections in the network and identify network addresses and open ports associated with the current connections enumerated with the one or more active scanners;
  
  model trust relationships in the network based on information associated with the connections observed with the one or more passive scanners and the current connections enumerated with the one or more active scanners;
  
  identify exploitable weak points in the network based on the information associated with the connections observed with the one or more passive scanners and the current connections enumerated with the one or more active scanners;
  
  simulate an attack that uses the modeled trust relationships to target the exploitable weak points on a selected host in the network; and
  
  enumerate remote network addresses that could compromise the network and determine an exploitation path that the enumerated remote network addresses could use to compromise the network based on the simulated attack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tenable, Inc. (Tenable Holdings, Inc.)
Original Assignee
Tenable Network Security Incorporated (Tenable Holdings, Inc.)
Inventors
Gula, Ron, Deraison, Renaud

Granted Patent

US 9,043,920 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/25
CPC Class Codes

H04L 41/12   Discovery or management of ...

H04L 63/1433   Vulnerability analysis

H04L 67/10   in which an application is ...

SYSTEM AND METHOD FOR IDENTIFYING EXPLOITABLE WEAK POINTS IN A NETWORK

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

104 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR IDENTIFYING EXPLOITABLE WEAK POINTS IN A NETWORK

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

104 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links