NETWORK ATTACK SIMULATION SYSTEMS AND METHODS

US 20170006055A1
Filed: 06/13/2016
Published: 01/05/2017
Est. Priority Date: 06/30/2015
Status: Active Grant

First Claim

Patent Images

1. A computer network attack simulation server system comprising:

a network connection for connecting the server system to a plurality of computers on the computer network;

one or more processors;

memory; and

one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, the one or more programs including instructions for;

selecting one or more actions from a plurality of actions for operating on a first computer of the plurality of computers;

instructing the first computer to execute the one or more selected actions;

receiving, from the first computer, data generated in response to executing the one or more selected actions on the first computer;

identifying a target computer of the plurality of computers to access;

instructing the first computer to access the target computer using at least a portion of the data; and

receiving confirmation from at least one of the first computer and the target computer that the target computer was accessed by the first computer.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network attack simulation method including, at a network with a server and a plurality of computers, selecting one or more actions from a plurality of actions for operating on a first computer of the plurality of computers, transmitting instructions from the server to the first computer to execute the one or more selected actions, executing the one or more selected actions on the first computer, and generating data based on the execution of the selected actions. The method includes transmitting the data generated from the first computer to the server, identifying a target computer of the plurality of computers to access, transmitting one or more additional instructions from the server to the first computer to access the target computer using at least a portion of the data, and receiving confirmation from at least one of the first computer and the target computer that the target computer was accessed.

Citations

24 Claims

1. A computer network attack simulation server system comprising:
- a network connection for connecting the server system to a plurality of computers on the computer network;
  
  one or more processors;
  
  memory; and
  
  one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, the one or more programs including instructions for;
  
  selecting one or more actions from a plurality of actions for operating on a first computer of the plurality of computers;
  
  instructing the first computer to execute the one or more selected actions;
  
  receiving, from the first computer, data generated in response to executing the one or more selected actions on the first computer;
  
  identifying a target computer of the plurality of computers to access;
  
  instructing the first computer to access the target computer using at least a portion of the data; and
  
  receiving confirmation from at least one of the first computer and the target computer that the target computer was accessed by the first computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The server system of claim 1, further comprising instructions for determining which action or actions generated the at least a portion of the data used to access the target computer.
  - 3. The server system of claim 1, further comprising instructions for:
    - selecting one or more second actions from the plurality of actions for operating on the target computer of the plurality of computers;
      
      instructing the target computer to execute the one or more selected second actions;
      
      receiving, from the target computer, second data generated in response to executing the one or more selected second actions on the target computer;
      
      identifying a second target computer of the plurality of computers to access;
      
      instructing the target computer to access the second target computer using at least a portion of the second data; and
      
      receiving confirmation from at least one of the target computer and the second target computer that the second target computer was accessed by the first computer.
  - 4. The server system of claim 1, wherein the computer network comprises the server, the first computer, and the target computer.
  - 5. The server system of claim 1, wherein the data comprises information stored on the first computer.
  - 6. The server system of claim 1, wherein the one or more selected actions are selected based on one or more tactics, wherein the one or more tactics include at least one of persistence, privilege escalation, credential access, host enumeration, defense evasion, lateral movement, execution, command and control, and exfiltration.
  - 7. The server system of claim 1, wherein the computer network is a production computer network.
  - 8. The server system of claim 1, further comprising instructions for, prior to selecting one or more actions from a plurality of actions for operating on a first computer of the plurality of computers, detecting a configuration of at least a portion of the computer network by communicating with the plurality of computers.

9. A computer network attack simulation server method comprising:
- selecting one or more actions from a plurality of actions for operating on a first computer of a plurality of computers connected to a computer network;
  
  instructing the first computer to execute the one or more selected actions;
  
  receiving, from the first computer, data generated in response to executing the one or more selected actions on the first computer;
  
  identifying a target computer of the plurality of computers to access;
  
  instructing the first computer to access the target computer using at least a portion of the data; and
  
  receiving confirmation from at least one of the first computer and the target computer that the target computer was accessed by the first computer.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The method of claim 9, further comprising determining which action or actions generated the at least a portion of the data used to access the target computer.
  - 11. The method of claim 9, further comprising:
    - selecting one or more second actions from the plurality of actions for operating on the target computer of the plurality of computers;
      
      instructing the target computer to execute the one or more selected second actions;
      
      receiving, from the target computer, second data generated in response to executing the one or more selected second actions on the target computer;
      
      identifying a second target computer of the plurality of computers to access;
      
      instructing the target computer to access the second target computer using at least a portion of the second data; and
      
      receiving confirmation from at least one of the target computer and the second target computer that the second target computer was accessed by the first computer.
  - 12. The method of claim 9, wherein the computer network comprises a server that instructs the first computer and the target computer.
  - 13. The method of claim 9, wherein the data comprises information stored on the first computer.
  - 14. The method of claim 9, wherein the one or more selected actions are selected based on one or more tactics, wherein the one or more tactics include at least one of persistence, privilege escalation, credential access, host enumeration, defense evasion, lateral movement, execution, command and control, and exfiltration.
  - 15. The method of claim 9, wherein the computer network is a production computer network.
  - 16. The method of claim 9, further comprising, prior to selecting one or more actions from a plurality of actions for operating on a first computer of the plurality of computers, detecting a configuration of at least a portion of the computer network by communicating with the plurality of computers.

17. A non-transitory computer readable storage medium comprising one or more programs, which when executed by a computer network attack simulation server, cause the server to:
- select one or more actions from a plurality of actions for operating on a first computer of a plurality of computers connected to a computer network;
  
  instruct the first computer to execute the one or more selected actions;
  
  receive, from the first computer, data generated in response to executing the one or more selected actions on the first computer;
  
  identify a target computer of the plurality of computers to access;
  
  instruct the first computer to access the target computer using at least a portion of the data; and
  
  receive confirmation from at least one of the first computer and the target computer that the target computer was accessed by the first computer.

18. A computer network attack simulation method comprising:
- at a computer network with a server and a plurality of computers;
  
  selecting one or more actions from a plurality of actions for operating on a first computer of the plurality of computers;
  
  determining at least one effect to the first computer that would be generated from executing the one or more actions on the first computer; and
  
  modifying the first computer according to the at least one effect without executing the one or more actions on the first computer.
- View Dependent Claims (19, 20, 21, 22, 23, 24)
- - 19. The method of claim 18, further comprising, prior to determining at least one effect to the first computer from executing the one or more actions on the first computer, determining a risk to the first computer posed by executing the one or more actions on the first computer.
  - 20. The method of claim 19, wherein the risk is a risk of causing a fatal system error.
  - 21. The method of claim 20, wherein the risk is a percentage likelihood that the one or more actions will cause the fatal system error.
  - 22. The method of claim 19, wherein modification of the first computer according to the at least one effect without executing the one or more actions on the first computer is performed in response to determining that the risk to the first computer is above a threshold value.
  - 23. The method of claim 18, wherein the server logs the modification of the first computer.
  - 24. The method of claim 18, wherein the modification of the first computer comprises saving a file onto a memory of the first computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Mitre Corporation
Original Assignee
Mitre Corporation
Inventors
STROM, Blake E., KORBAN, Christopher, WOLF, Ross D., MILLER, Douglas, APPLEBAUM, Andrew

Granted Patent

US 10,218,735 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 30/20 Design optimisation, verifi...

H04L 63/1433 Vulnerability analysis

NETWORK ATTACK SIMULATION SYSTEMS AND METHODS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

NETWORK ATTACK SIMULATION SYSTEMS AND METHODS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links