SYNTHETIC CYBER-RISK MODEL FOR VULNERABILITY DETERMINATION

US 20170126731A1
Filed: 01/06/2017
Published: 05/04/2017
Est. Priority Date: 11/11/2014
Status: Active Grant

First Claim

Patent Images

1-26. -26. (canceled)

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method, and device are presented for assessing a target network'"'"'s vulnerability to a real cyberthreat based on determining policy-based synthetic tests configured to model the behavior of the cyberthreat. Real-time feedback from the target network (e.g., servers, desktops, and network/monitoring hardware and/or software equipment) are received, analyzed, and used to determine whether any modifications to the same or a new synthesized test is preferred. The technology includes self-healing processes that, using the feedback mechanisms, can attempt to find patches for known vulnerabilities, test for unknown vulnerabilities, and configure the target network'"'"'s resources in accordance with predefined service-level agreements.

3 Citations

View as Search Results

50 Claims

1-26. -26. (canceled)

27. A method comprising:
- receiving information associated with a cyberthreat from an external source;
  
  using the information, identifying one or more instructions that when executed in a target network simulate an existence of the cyberthreat within the target network without executing and without implementing the cyberthreat in the target network;
  
  determining one or more agents to execute the one or more instructions;
  
  initiating execution of the one or more instructions by the one or more agents to simulate the existence of the cyberthreat within the target network; and
  
  receiving feedback identifying how the target network responds to the simulated existence of the cyberthreat within the target network.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34)
- - 28. The method of claim 27, wherein the feedback identifies whether one or more host devices or one or more security devices in the target network initiated at least one action related to the cyberthreat in response to the simulated presence of the cyberthreat.
  - 29. The method of claim 27, wherein:
    - the cyberthreat comprises a malware; and
      
      the one or more instructions when executed by the one or more agents create an appearance of the malware in the target network by at least one of;
      
      creating a specific file;
      
      creating a network communication on a specific port or to a specific destination;
      
      creating or accessing a user account, directory, or registry;
      
      or altering a service.
  - 30. The method of claim 27, wherein:
    - the target network comprises multiple host devices; and
      
      the method further comprises determining one or more of the host devices on which the one or more agents execute the one or more instructions.
  - 31. The method of claim 27, wherein:
    - the information associated with the cyberthreat comprises at least one of;
      
      one or more threat indicators, one or more behaviors, or one or more objectives of the cyberthreat; and
      
      identifying the one or more instructions comprises identifying one or more instructions that simulate at least one of;
      
      the one or more threat indicators, the one or more behaviors, or the one or more objectives of the cyberthreat.
  - 32. The method of claim 27, wherein:
    - the one or more instructions are configured to perform multiple steps to simulate the cyberthreat; and
      
      the feedback identifies a progression of the multiple steps in the target network.
  - 33. The method of claim 32, further comprising:
    - using the feedback, determining that one of the multiple steps to simulate the cyberthreat has not been completed in the target network; and
      
      identifying at least one additional instruction to be executed by the one or more agents or one or more additional agents in the target network.
  - 34. The method of claim 27, further comprising, in response to detecting that the target network fails to adequately respond to the simulated existence of the cyberthreat within the target network:
    - updating at least one of;
      
      one or more host devices in the target network or one or more security devices in the target network; and
      
      at least one of;
      
      (i) reinitiating execution of the one or more instructions to again simulate the existence of the cyberthreat within the target network or (ii) initiating execution of one or more additional instructions to simulate an existence of an additional cyberthreat within the target network.

35. A non-transitory computer readable storage medium containing computer-executable instructions that, when executed by at least one processor, cause the at least one processor to:
- receive information associated with a cyberthreat from an external source;
  
  using the information, identify one or more instructions that when executed in a target network simulate an existence of the cyberthreat within the target network without executing and without implementing the cyberthreat in the target network;
  
  determine one or more agents to execute the one or more instructions;
  
  initiate execution of the one or more instructions by the one or more agents to simulate the existence of the cyberthreat within the target network; and
  
  receive feedback identifying how the target network responds to the simulated existence of the cyberthreat within the target network.
- View Dependent Claims (36, 37, 38, 39, 40, 41, 42)
- - 36. The non-transitory computer readable storage medium of claim 35, wherein the feedback identifies whether one or more host devices or one or more security devices in the target network initiated at least one action related to the cyberthreat in response to the simulated presence of the cyberthreat.
  - 37. The non-transitory computer readable storage medium of claim 35, wherein:
    - the cyberthreat comprises a malware; and
      
      the one or more instructions when executed by the one or more agents create an appearance of the malware in the target network by at least one of;
      
      creating a specific file;
      
      creating a network communication on a specific port or to a specific destination;
      
      creating or accessing a user account, directory, or registry;
      
      or altering a service.
  - 38. The non-transitory computer readable storage medium of claim 35, wherein:
    - the target network comprises multiple host devices; and
      
      the non-transitory computer readable storage medium further contains computer-executable instructions that when executed cause the at least one processor to determine one or more of the host devices on which the one or more agents execute the one or more instructions.
  - 39. The non-transitory computer readable storage medium of claim 35, wherein:
    - the information associated with the cyberthreat comprises at least one of;
      
      one or more threat indicators, one or more behaviors, or one or more objectives of the cyberthreat; and
      
      the computer-executable instructions that when executed cause the at least one processor to identify the one or more instructions comprise;
      
      computer-executable instructions that when executed cause the at least one processor to identify one or more instructions that simulate at least one of;
      
      the one or more threat indicators, the one or more behaviors, or the one or more objectives of the cyberthreat.
  - 40. The non-transitory computer readable storage medium of claim 35, wherein:
    - the one or more instructions are configured to perform multiple steps to simulate the cyberthreat; and
      
      the feedback identifies a progression of the multiple steps in the target network.
  - 41. The non-transitory computer readable storage medium of claim 40, further containing computer-executable instructions that when executed cause the at least one processor to:
    - using the feedback, determine that one of the multiple steps to simulate the cyberthreat has not been completed in the target network; and
      
      identify at least one additional instruction to be executed by the one or more agents or one or more additional agents in the target network.
  - 42. The non-transitory computer readable storage medium of claim 35, further containing computer-executable instructions that when executed cause the at least one processor, in response to detecting that the target network fails to adequately respond to the simulated existence of the cyberthreat within the target network, to:
    - update at least one of;
      
      one or more host devices in the target network or one or more security devices in the target network; and
      
      at least one of;
      
      (i) reinitiate execution of the one or more instructions to again simulate the existence of the cyberthreat within the target network or (ii) initiate execution of one or more additional instructions to simulate an existence of an additional cyberthreat within the target network.

43. An apparatus comprising:
- at least one processor; and
  
  at least one memory storing computer-executable instructions that when executed cause the at least one processor to;
  
  receive information associated with a cyberthreat from an external source;
  
  using the information, identify one or more instructions that when executed in a target network simulate an existence of the cyberthreat within the target network without executing and without implementing the cyberthreat in the target network;
  
  determine one or more agents to execute the one or more instructions;
  
  initiate execution of the one or more instructions by the one or more agents to simulate the existence of the cyberthreat within the target network; and
  
  receive feedback identifying how the target network responds to the simulated existence of the cyberthreat within the target network.
- View Dependent Claims (44, 45, 46, 47, 48, 49, 50)
- - 44. The apparatus of claim 43, wherein the feedback identifies whether one or more host devices or one or more security devices in the target network initiated at least one action related to the cyberthreat in response to the simulated presence of the cyberthreat.
  - 45. The apparatus of claim 43, wherein:
    - the cyberthreat comprises a malware; and
      
      the one or more instructions when executed by the one or more agents create an appearance of the malware in the target network by at least one of;
      
      creating a specific file;
      
      creating a network communication on a specific port or to a specific destination;
      
      creating or accessing a user account, directory, or registry;
      
      or altering a service.
  - 46. The apparatus of claim 43, wherein:
    - the target network comprises multiple host devices; and
      
      the computer-executable instructions when executed further cause the at least one processor to determine one or more of the host devices on which the one or more agents execute the one or more instructions.
  - 47. The apparatus of claim 43, wherein:
    - the information associated with the cyberthreat comprises at least one of;
      
      one or more threat indicators, one or more behaviors, or one or more objectives of the cyberthreat; and
      
      the computer-executable instructions that when executed cause the at least one processor to identify the one or more instructions comprise;
      
      computer-executable instructions that when executed cause the at least one processor to identify one or more instructions that simulate at least one of;
      
      the one or more threat indicators, the one or more behaviors, or the one or more objectives of the cyberthreat.
  - 48. The apparatus of claim 43, wherein:
    - the one or more instructions are configured to perform multiple steps to simulate the cyberthreat; and
      
      the feedback identifies a progression of the multiple steps in the target network.
  - 49. The apparatus of claim 48, wherein the computer-executable instructions when executed further cause the at least one processor to:
    - using the feedback, determine that one of the multiple steps to simulate the cyberthreat has not been completed in the target network; and
      
      identify at least one additional instruction to be executed by the one or more agents or one or more additional agents in the target network.
  - 50. The apparatus of claim 43, wherein the computer-executable instructions when executed further cause the at least one processor, in response to detecting that the target network fails to adequately respond to the simulated existence of the cyberthreat within the target network, to:
    - update at least one of;
      
      one or more host devices in the target network or one or more security devices in the target network; and
      
      at least one of;
      
      (i) reinitiate execution of the one or more instructions to again simulate the existence of the cyberthreat within the target network or (ii) initiate execution of one or more additional instructions to simulate an existence of an additional cyberthreat within the target network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Goldman Sachs & Co. LLC (Goldman Sachs Group Incorporated)
Original Assignee
Goldman Sachs & Company (Goldman Sachs Group Incorporated)
Inventors
Vallone, David, Taylor, Peter, Venables, Phil J., Huang, Ruoh-Yann

Granted Patent

US 10,044,746 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 41/046   comprising network manageme...

H04L 41/0823   characterised by the purpos...

H04L 41/0886   Fully automatic configuration

H04L 41/145   involving simulating, desig...

H04L 41/147   for predicting network beha...

H04L 43/50   Testing arrangements

H04L 63/1433   Vulnerability analysis

SYNTHETIC CYBER-RISK MODEL FOR VULNERABILITY DETERMINATION

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

3 Citations

50 Claims

Specification

Solutions

Use Cases

Quick Links

SYNTHETIC CYBER-RISK MODEL FOR VULNERABILITY DETERMINATION

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

3 Citations

50 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links