Penetration Testing of a Networked System

US 20180219904A1
Filed: 01/18/2018
Published: 08/02/2018
Est. Priority Date: 01/30/2017
Status: Active Grant

First Claim

Patent Images

1. A method for executing a penetration test of a networked system by a penetration testing system so as to determine, while enforcing first and second rules, a method for an attacker to compromise the networked system, where the penetration testing system comprises (A) a penetration testing software module installed on a remote computing device and (B) a reconnaissance agent software module (RASM) installed on at least some network nodes of the networked system so that each network node of the networked system on which the RASM is installed is defined as a RASM-hosting network node, the method for executing the penetration test comprising:

a. obtaining, by each given RASM-hosting network node of one or more RASM-hosting network nodes, respective internal data of the given RASM-hosting network node, the obtaining comprising executing computer code of the RASM by one or more processors of the given RASM-hosting network node, the respective internal data including data about at least one of;

A. an internal event of the given RASM-hosting network node,B. an internal condition of the given RASM-hosting network node, andC. an internal fact of the given RASM-hosting network node; and

b. transmitting to the remote computing device, by each given RASM-hosting network node of the one or more RASM-hosting network nodes, the obtained respective internal data of the given RASM-hosting network node, the transmitting comprising executing computer code of the RASM by the one or more processors of the given RASM-hosting network node;

c. analyzing, by the remote computing device, the internal data transmitted by at least one RASM-hosting network node of the one or more RASM-hosting network nodes, so as to determine the method for the attacker to compromise the networked system, the analyzing comprising executing computer code of the penetration testing software module by one or more processors of the remote computing device; and

d. reporting, by the penetration testing system, the method for the attacker to compromise the networked system, the reporting comprising executing computer code of the penetration testing software module by the one or more processors of the remote computing device, wherein the reporting comprises at least one of (i) causing a display device to display a report including information about the determined method for the attacker to compromise the networked system, (ii) recording the report including the information about the determined method for the attacker to compromise the networked system in a file, and (iii) electronically transmitting the report including the information about the determined method for the attacker to compromise the networked system,wherein each given RASM-hosting network node of the one or more RASM-hosting network nodes performs at least one of step (a) and step (b) in response to a receiving of one or more data-requesting commands from the remote computing device, and wherein the method for executing the penetration test is performed in a manner that enforces the first and second rules such that;

A. according to the first rule, all of the analyzing of the internal data for determining the method for the attacker to compromise the networked system is performed by the remote computing device; and

B. according to the second rule, no network node of the networked system is ever put at risk of being compromised by the executing of the penetration test.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for penetration testing of a networked system comprising a set of network-nodes by a penetration testing system (e.g. to enforce first and/or second rules) are disclosed herein. The penetration testing system comprises: (i) reconnaissance agent software module (RASM) installed on multiple nodes (each of which is a RASM-hosting node) of the networked system to be penetration-tested and (ii) a penetration testing software module (PTSM) installed on a remote computing device (RCD). Internal data from each of the RASM-hosting nodes is collected and transmitted to the RCD. Analysis of the internal data collected from multiple RASM-hosting network nodes determines a method for an attacker to compromise the networked system. The first and second rules are defined herein. Alternatively or additionally, one or more of the RASM instances are pre-installed on one or more RASM-hosting nodes before the penetration testing commences.

62 Citations

View as Search Results

20 Claims

1. A method for executing a penetration test of a networked system by a penetration testing system so as to determine, while enforcing first and second rules, a method for an attacker to compromise the networked system, where the penetration testing system comprises (A) a penetration testing software module installed on a remote computing device and (B) a reconnaissance agent software module (RASM) installed on at least some network nodes of the networked system so that each network node of the networked system on which the RASM is installed is defined as a RASM-hosting network node, the method for executing the penetration test comprising:
- a. obtaining, by each given RASM-hosting network node of one or more RASM-hosting network nodes, respective internal data of the given RASM-hosting network node, the obtaining comprising executing computer code of the RASM by one or more processors of the given RASM-hosting network node, the respective internal data including data about at least one of;
  
  A. an internal event of the given RASM-hosting network node,B. an internal condition of the given RASM-hosting network node, andC. an internal fact of the given RASM-hosting network node; and
  
  b. transmitting to the remote computing device, by each given RASM-hosting network node of the one or more RASM-hosting network nodes, the obtained respective internal data of the given RASM-hosting network node, the transmitting comprising executing computer code of the RASM by the one or more processors of the given RASM-hosting network node;
  
  c. analyzing, by the remote computing device, the internal data transmitted by at least one RASM-hosting network node of the one or more RASM-hosting network nodes, so as to determine the method for the attacker to compromise the networked system, the analyzing comprising executing computer code of the penetration testing software module by one or more processors of the remote computing device; and
  
  d. reporting, by the penetration testing system, the method for the attacker to compromise the networked system, the reporting comprising executing computer code of the penetration testing software module by the one or more processors of the remote computing device, wherein the reporting comprises at least one of (i) causing a display device to display a report including information about the determined method for the attacker to compromise the networked system, (ii) recording the report including the information about the determined method for the attacker to compromise the networked system in a file, and (iii) electronically transmitting the report including the information about the determined method for the attacker to compromise the networked system,wherein each given RASM-hosting network node of the one or more RASM-hosting network nodes performs at least one of step (a) and step (b) in response to a receiving of one or more data-requesting commands from the remote computing device, and wherein the method for executing the penetration test is performed in a manner that enforces the first and second rules such that;
  
  A. according to the first rule, all of the analyzing of the internal data for determining the method for the attacker to compromise the networked system is performed by the remote computing device; and
  
  B. according to the second rule, no network node of the networked system is ever put at risk of being compromised by the executing of the penetration test.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the RASM is installed on at least one of the one or more RASM-hosting network nodes prior to the beginning of the executing of the penetration test.
  - 3. The method of claim 1, wherein the RASM is installed on all of the one or more RASM-hosting network nodes prior to the beginning of the executing of the penetration test.
  - 4. The method of claim 1, wherein the RASM is installed on every network node of the networked system which is a RASM-hosting network node prior to the beginning of the executing of the penetration test.
  - 5. The method of claim 1, wherein at least one given RASM-hosting network node of the one or more RASM-hosting network nodes performs the obtaining in response to the receiving, by the given RASM-hosting network node, of the one or more data-requesting commands from the remote computing device.
  - 6. The method of claim 1, wherein at least one given RASM-hosting network node of the one or more RASM-hosting network nodes obtains at least some of the respective internal data of the given RASM-hosting network node transmitted in step (b) before the receiving of the one or more data-requesting commands by the given RASM-hosting network node.
  - 7. The method of claim 1, wherein each given RASM-hosting network node of the one or more RASM-hosting network nodes performs both steps (a) and (b) in response to the receiving, by the given RASM-hosting network node, of the one or more data-requesting commands from the remote computing device.
  - 8. The method of claim 1, wherein the information about the method for an attacker to compromise the networked system comprises at least one of:
    - (i) information about a method for compromising one network node of the networked system (ii) information about one or more network nodes of the networked system which are vulnerable to attack, (iii) information about one or more resources of the networked system that could be damaged or exported out of the networked system by an attacker, and (iv) information about an ordered list of network nodes of the networked system, wherein an attacker could use a specific network node in said ordered list that is already compromised as a basis for compromising another network node that immediately follows said specific network node in said ordered list.
  - 9. The method of claim 1, wherein said analyzing comprises:
    - i) assessing, by said remote computing device, if a first network node can be compromised;
      
      ii) in the event that the assessing indicates that said first network node can be compromised,A. simulating or evaluating, by said remote computing device, a result of compromising said first network node; and
      
      B. determining, by said remote computing device and based on said result, that a second network node can be compromised.

10. A penetration testing system for executing a penetration test of a networked system so as to determine, while enforcing first and second rules, a method for an attacker to compromise the networked system, the penetration testing system comprising:
- a. a remote computing device comprising a computer memory and one or more processors, the remote computing device in electronic communication with the networked system;
  
  b. a first non-transitory computer-readable storage medium containing first code of a reconnaissance agent software module (RASM), wherein execution of the first code of the RASM by respective one or more processors of each given network node of a first set of network nodes of the networked system, causes the one or more processors of the given network node of the first set to carry out the following;
  
  i. obtaining respective internal data of the given network node of the first set, the respective internal data including data about at least one of;
  
  A. an internal event of the given network node of the first set,B. an internal condition of the given network node of the first set, andC. an internal fact of the given network node of the first set; and
  
  ii. transmitting to the remote computing device and out of the given network node of the first set the obtained respective internal data of the given network node of the first set,such that at least one of the obtaining and the transmitting is performed in response to one or more data-requesting commands issued by the remote computing device;
  
  c. a second non-transitory computer-readable storage medium containing second code of a penetration testing software module, wherein execution of the second code of the penetration testing software module by the one or more processors of the remote computing device;
  
  i. analyzes the respective internal data transmitted by each given network node of a second set of network-nodes of the networked system so as to determine the method for the attacker to compromise the networked system; and
  
  ii. reports the method for the attacker to compromise the networked system, wherein the reporting comprises at least one of (A) causing a display device to display a report including information about the determined method for the attacker to compromise the networked system, (B) recording the report including the information about the determined method for the attacker to compromise the networked system in a file, and (C) electronically transmitting a report including the information about the determined method for the attacker to compromise the networked system,wherein (i) the execution of the first code of the RASM by the respective one or more processors of each given network node of the first set of network nodes of the networked system; and
  
  (ii) the execution of the second code of the penetration testing software module by the one or more processors of the remote computing device, subject the networked system to penetration testing while enforcing both of the first and second rules such that;
  
  A. according to the first rule, all of the analyzing of the internal data for determining the method for the attacker to compromise the networked system is performed by the remote computing device; and
  
  B. according to the second rule, no network node of the networked system is ever put at risk of being compromised by the executing of the penetration test.
- View Dependent Claims (11)
- - 11. The penetration testing system of claim 10, wherein the analyzing performed by the execution of the second code of the penetration testing software module by the one or more processors of the remote computing device comprises:
    - i) assessing if a first network node can be compromised;
      
      ii) in the event that the assessing indicates that said first network node can be compromised,A. simulating or evaluating a result of compromising said first network node; and
      
      B. determining that a second network node can be compromised.

12. A method for executing a penetration test of a networked system by a penetration testing system so as to determine a method for an attacker to compromise the networked system, where the penetration testing system comprises (A) a penetration testing software module installed on a remote computing device and (B) a reconnaissance agent software module (RASM) installable on network nodes of the networked system so that each network node of the networked system on which the RASM is installed is defined as a RASM-hosting network node, the method for executing the penetration test comprising:
- a. subsequent to an installing of the RASM on at least some network nodes of the networked system, which installing occurs prior to starting the executing of the penetration test, performing the following;
  
  i. obtaining, by each given RASM-hosting network node of one or more RASM-hosting network nodes, respective internal data of the given RASM-hosting network node, the obtaining comprising executing computer code of the RASM by one or more processors of the given RASM-hosting network node, the respective internal data including data about at least one of;
  
  A. an internal event of the given RASM-hosting network node,B. an internal condition of the given RASM-hosting network node, andC. an internal fact of the given RASM-hosting network node; and
  
  ii. transmitting to the remote computing device, by each given RASM-hosting network node of the one or more RASM-hosting network nodes, the obtained respective internal data of the given RASM-hosting network node, the transmitting comprising executing computer code of the RASM by the one or more processors of the given RASM-hosting network node;
  
  b. analyzing, by the remote computing device, the internal data transmitted by at least one RASM-hosting network node of the one or more RASM-hosting network nodes, so as to determine the method for the attacker to compromise the networked system, the analyzing comprising executing computer code of the penetration testing software module by one or more processors of the remote computing device; and
  
  c. reporting, by the penetration testing system, the method for the attacker to compromise the networked system, the reporting comprising executing computer code of the penetration testing software module by the one or more processors of the remote computing device, wherein the reporting comprises at least one of (i) causing a display device to display a report including information about the determined method for the attacker to compromise the networked system, (ii) recording the report including the information about the determined method for the attacker to compromise the networked system in a file, and (iii) electronically transmitting the report including the information about the determined method for the attacker to compromise the networked system,wherein each given RASM-hosting network node of the one or more RASM-hosting network nodes performs at least one of step a(i) and step a(ii) in response to a receiving of one or more data-requesting commands from the remote computing device.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The method of claim 12, further comprising the step of:
    - d. before commencing step (a), installing the RASM on the at least some network nodes of the networked system.
  - 14. The method of claim 12 wherein the method for executing the penetration test is performed in a manner that enforces at least one of first and second rules such that:
    - A. according to the first rule, all of the analyzing of the internal data for determining the method for the attacker to compromise the networked system is performed by the remote computing device; and
      
      B. according to the second rule, no network node of the networked system is ever put at risk of being compromised by the executing of the penetration test.
  - 15. The method of claim 12, wherein at least one given RASM-hosting network node of the one or more RASM-hosting network nodes performs the obtaining in response to the receiving, by the given RASM-hosting network node, of the one or more data-requesting commands from the remote computing device.
  - 16. The method of claim 12, wherein at least one given RASM-hosting network node of the one or more RASM-hosting network nodes obtains at least some of the respective internal data of the given RASM-hosting network node transmitted in step a(ii) before the receiving of the one or more data-requesting commands by the given RASM-hosting network node.
  - 17. The method of claim 12, wherein each given RASM-hosting network node of the one or more RASM-hosting network nodes performs both steps a(i) and a(ii) in response to the receiving, by the given RASM-hosting network node, of the one or more data-requesting commands from the remote computing device.
  - 18. The method of claim 12, wherein the information about the method for an attacker to compromise the networked system comprises at least one of:
    - (i) information about a method for compromising one network node of the networked system (ii) information about one or more network nodes of the networked system which are vulnerable to attack, (iii) information about one or more resources of the networked system that could be damaged or exported out of the networked system by an attacker, and (iv) information about an ordered list of network nodes of the networked system, wherein an attacker could use a specific network node in said ordered list that is already compromised as a basis for compromising another network node that immediately follows said specific network node in said ordered list.
  - 19. The method of claim 12, wherein said analyzing comprises:
    - i) assessing, by said remote computing device, if a first network node can be compromised;
      
      ii) in the event that the assessing indicates that said first network node can be compromised,A. simulating or evaluating, by said remote computing device, a result of compromising said first network node; and
      
      B. determining, by said remote computing device and based on said result, that a second network node can be compromised.

20. A penetration testing system for executing a penetration test of a networked system so as to determine a method for an attacker to compromise the networked system, the penetration testing system comprising:
- a. a remote computing device comprising a computer memory and one or more processors, the remote computing device in electronic communication with the networked system;
  
  b. a first non-transitory computer-readable storage medium containing first code of a reconnaissance agent software module (RASM), wherein for a first set of network-nodes of the networked system on which the RASM is pre-installed before starting the executing of the penetration test, subsequent execution of the first code, after starting the executing of the penetration test, by respective one or more processors of each given network node of the first set of network nodes, causes the one or more processors of the given network node of the first set to carry out the following;
  
  i. obtaining respective internal data of the given network node of the first set, the respective internal data including data about at least one of;
  
  A. an internal event of the given network node of the first set,B. an internal condition of the given network node of the first set, andC. an internal fact of the given network node of the first set; and
  
  ii. transmitting to the remote computing device and out of the given network node of the first set the obtained respective internal data of the given network node of the first set,such that at least one of the obtaining and the transmitting is performed in response to one or more data-requesting commands issued by the remote computing device; and
  
  c. a second non-transitory computer-readable storage medium containing second code of a penetration testing software module, wherein execution of the second code of the penetration testing software module by the one or more processors of the remote computing device;
  
  i. analyzes the respective internal data transmitted by each given network node of a second set of network-nodes of the networked system, so as to determine the method for the attacker to compromise the networked system; and
  
  ii. reports the method for the attacker to compromise the networked system, wherein the reporting comprises at least one of (A) causing a display device to display a report including information about the determined method for the attacker to compromise the networked system, (B) recording the report including the information about the determined method for the attacker to compromise the networked system in a file, and (C) electronically transmitting a report including the information about the determined method for the attacker to compromise the networked system,wherein (i) the execution of the first code of the RASM by the respective one or more processors of each given network node of the first set of network nodes of the networked system; and
  
  (ii) the execution of the second code of the penetration testing software module by the one or more processors of the remote computing device, subject the networked system to penetration testing.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
XM Cyber Ltd. (Schwarz Unternehmenskommunikation GmbH & Co. KG)
Original Assignee
XM Ltd.
Inventors
GORODISSKY, Boaz, ASHKENAZY, Adi, SEGAL, Ronen

Granted Patent

US 10,637,882 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 41/048   mobile agents

H04L 43/50   Testing arrangements

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

H04L 63/30   for supporting lawful inter...

Penetration Testing of a Networked System

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

62 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Penetration Testing of a Networked System

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

62 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others