SETTING-UP PENETRATION TESTING CAMPAIGNS

US 20180219901A1
Filed: 08/21/2017
Published: 08/02/2018
Est. Priority Date: 01/30/2017
Status: Active Grant

First Claim

Patent Images

1-60. -60. (canceled)

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for penetration testing of a networked system by a penetration testing system (e.g. that is controlled by a user interface of a computing device) are disclosed herein. In one example, a penetration testing campaign is executed according to a manual and explicit selecting of one or more goals of an attacker of the penetration testing campaign. Alternatively or additionally, a penetration testing campaign is executed according to an automatic selecting of of one or more goals of the attacker (e.g. according to a type of attacker of the penetration testing campaign).

Citations

97 Claims

1-60. -60. (canceled)

61. A method of penetration testing of a networked system by a penetration testing system that is controlled by a user interface of a computing device so that a penetration testing campaign is executed according to one or more manually and explicitly-selected goals of an attacker of the penetration testing campaign, the method comprising:
- receiving, by the penetration testing system and via the user interface of the computing device, one or more manually-entered inputs, the one or more manually-entered inputs explicitly selecting one or more goals of the attacker of the penetration testing campaign, wherein at least one goal of the one or more goals satisfies at least one condition selected from the group consisting of;
  
  i. the at least one goal is a resource-specific goal;
  
  ii. the at least one goal is a file-specific goal;
  
  iii. the at least one goal is a node-count-maximizing goal;
  
  iv. the at least one goal is a file-count-maximizing goal;
  
  v. the at least one goal is an encryption-related goal;
  
  vi. the at least one goal is a file-exporting goal;
  
  vii. the at least one goal is a file-size-related goal;
  
  viii. the at least one goal is a file-type-related goal;
  
  ix. the at least one goal is a file-damage-related goal; and
  
  x. the at least one goal is a node-condition-based goal;
  
  executing the penetration testing campaign, by the penetration testing system and according to the manually and explicitly-provided selection of the one or more goals of the attacker, so as to test the networked system; and
  
  reporting, by the penetration testing system, at least one security vulnerability determined to exist in the networked system by the executing of the penetration testing campaign, wherein the reporting comprises at least one of (i) causing a display device to display a report describing the at least one security vulnerability, and (ii) electronically transmitting a report describing the at least one security vulnerability.
- View Dependent Claims (62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75)
- - 62. The method of claim 61 wherein the at least one goal is a resource-specific goal.
  - 63. The method of claim 61 wherein the at least one goal is a file-specific goal.
  - 64. The method of claim 61 wherein the at least one goal is a node-count-maximizing goal.
  - 65. The method of claim 61 wherein the at least one goal is a file-count-maximizing goal.
  - 66. The method of claim 61 wherein the at least one goal is an encryption-related goal.
  - 67. The method of claim 61 wherein the at least one goal is a file-exporting goal.
  - 68. The method of claim 61 wherein the at least one goal is a file-size-related goal.
  - 69. The method of claim 61 wherein the at least one goal is a file-type-related goal.
  - 70. The method of claim 61 wherein the at least one goal is a file-damage-related goal.
  - 71. The method of claim 61 wherein the at least one goal is a node-condition-based goal.
  - 72. The method of claim 61, wherein before receiving the one or more manually-entered inputs that explicitly select the one or more goals of the attacker, the penetration testing system automatically computes and displays an explicit recommendation for selecting the one or more goals of the attacker.
  - 73. The method of claim 72 wherein the received one or more manually-entered inputs comprises an explicit user approval of the explicit recommendation.
  - 74. The method of claim 61, further comprising:
    - subsequent to the receiving by the penetration testing system of the one or more manually-entered inputs that explicitly select the one or more goals of the attacker, receiving, by the penetration testing system and via the user interface of the computing device, one or more additional manually-entered inputs, the one or more additional manually-entered inputs explicitly selecting a value for a second information item of the campaign of the penetration testing system, wherein the second information item is not a goal of the attacker.
  - 75. The method of claim 74 wherein the executing of the penetration testing campaign is performed using both (i) the manually and explicitly selected value for the second information item, and (ii) the manually and explicitly selected one or more goals of the attacker.

76. A system for penetration testing of a networked system, the system comprising:
- a. a goals-selection user interface including one or more user interface components for manual and explicit selection of one or more goals of an attacker of a penetration testing campaign, wherein at least one goal of the one or more goals satisfies at least one condition selected from the group consisting of;
  
  i. the at least one goal is a resource-specific goal;
  
  ii. the at least one goal is a file-specific goal;
  
  iii. the at least one goal is a node-count-maximizing goal;
  
  iv. the at least one goal is a file-count-maximizing goal;
  
  v. the at least one goal is an encryption-related goal;
  
  vi. the at least one goal is a file-exporting goal;
  
  vii. the at least one goal is a file-size-related goal;
  
  viii. the at least one goal is a file-type-related goal;
  
  ix. the at least one goal is a file-damage-related goal; and
  
  x. the at least one goal is a node-condition-based goal;
  
  b. a penetration-testing-campaign module programmed to perform the penetration testing campaign whose attacker has the one or more goals that are manually and explicitly selected via the goals-selection user interface; and
  
  c. a reporting module for reporting at least one security vulnerability determined to exist in the networked system according to results of the penetration testing campaign that is performed by the penetration-testing-campaign module, wherein the reporting module is configured to report the at least one security vulnerability by performing at least one of (i) causing a display device to display a report describing the at least one security vulnerability, and (ii) electronically transmitting a report describing the at least one security vulnerability.

77-90. -90. (canceled)

91. A method of penetration testing of a networked system by a penetration testing system that is controlled by a user interface of a computing device so that a penetration testing campaign is executed according to an automatic selecting of one or more goals of an attacker of the penetration testing campaign, the method comprising:
- a. determining, by the penetration testing system, a type of the attacker of the penetration testing campaign;
  
  b. automatically selecting, by the penetration testing system and according to the type of the attacker of the penetration testing campaign, one or more goals of the attacker;
  
  c. executing the penetration testing campaign, by the penetration testing system and according toi. the type of the attacker of the penetration testing campaign, andii. the automatically selected one or more goals,so as to test the networked system;
  
  d. reporting, by the penetration testing system, at least one security vulnerability determined to exist in the networked system by the executing of the penetration testing campaign, wherein the reporting comprises at least one of (i) causing a display device to display a report describing the at least one security vulnerability, and (ii) electronically transmitting a report describing the at least one security vulnerability.
- View Dependent Claims (94, 95)
- - 94. The method of claim 91 wherein at least one goal of the one or more goals satisfies at least one condition selected from the group consisting of:
    - i. the at least one goal is a resource-specific goal;
      
      ii. the at least one goal is a file-specific goal;
      
      iii. the at least one goal is a node-count-maximizing goal;
      
      iv. the at least one goal is a file-count-maximizing goal;
      
      v. the at least one goal is an encryption-related goal;
      
      vi. the at least one goal is a file-exporting goal;
      
      vii. the at least one goal is a file-size-related goal;
      
      viii. the at least one goal is a file-type-related goal;
      
      ix. the at least one goal is a file-damage-related goal; and
      
      x. the at least one goal is a node-condition-based goal.
  - 95. The method of claim 91, wherein the automatic selecting of one or more goals includes performing at least one ofa. in response to a determination that the attacker type is state-sponsored, automatically selecting a goal to export as many files that are of a file type that may contain drawings as possible;
    - b. in response to a determination that the attacker type is cyber-criminal, automatically selecting a goal to export as many Excel files as possible.

92-93. -93. (canceled)

96. A system for penetration testing of a networked system, the system comprising:
- a. a goals-selection module configured to;
  
  i. determine a type of an attacker of a penetration testing campaign; and
  
  ii. based on a result of the determining, automatically select one or more goals of the attacker of the penetration testing campaign;
  
  b. a penetration-testing-campaign module programmed to perform the penetration testing campaign according to;
  
  i. the type of the attacker of the penetration testing campaign, andii. the automatically selected one or more goals;
  
  c. a reporting module for reporting at least one security vulnerability determined to exist in the networked system according to results of the penetration testing campaign that is performed by the penetration-testing-campaign module, wherein the reporting module is configured to report the at least one security vulnerability by performing at least one of (i) causing a display device to display a report describing the at least one security vulnerability, and (ii) electronically transmitting a report describing the at least one security vulnerability.

97-140. -140. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
XM Cyber Ltd. (Schwarz Unternehmenskommunikation GmbH & Co. KG)
Original Assignee
XM Ltd.
Inventors
GORODISSKY, Boaz, ASHKENAZY, Adi, SEGAL, Ronen

Granted Patent

US 10,999,308 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

SETTING-UP PENETRATION TESTING CAMPAIGNS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

97 Claims

Specification

Solutions

Use Cases

Quick Links

SETTING-UP PENETRATION TESTING CAMPAIGNS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

97 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links