Threat analysis
First Claim
1. A method for analyzing a threat to system security, comprising:
identifying a threat agent having an existing access level attained by the threat agent in the course of an attack;
using the existing access level to analyze an attack path between the threat agent and an asset, including by:
setting an updated access level initially to the existing access level; and
iteratively comparing the updated access level with a required access level associated with a next attack along the attack path to determine whether the next attack along the attack path would be successful and, if so, updating the updated access level to equal a resulting access level associated with the next attack, until it is determined that the asset has been reached via the attack path or that no further attack along the path would be successful; and
in the event it is determined that the asset would be reached by the threat agent via the attack path, taking a responsive action in real time, prior to the asset actually being reached by the threat agent, the responsive action comprising a control or other countermeasure that results in the threat agent being rendered unable to reach the asset via the attack path;
wherein comparing the updated access level with a required access level associated with a next attack along the attack path includes determining the required access level associated with the next attack along the attack path at least in part by checking a stored controls data to determine whether an existing control applicable to the next attack along the attack path is in place and, if so, updating an initial, uncontrolled required access level associated with the next attack along the path to an updated required access level that reflects the effect of the control, wherein said step of updating is performed prior to the updated required access level being compared to the existing access level.
Abstract
Virtual penetration testing using threat analysis is disclosed. Threat analysis may be achieved by evaluating attack paths and chain reactions of compromised assets created by threats, threat agents, or threat mechanisms. A threat agent having an existing access level is identified. The existing access level is used to analyze an attack path between the threat agent and an asset. The existing access level is updated if the analysis of the attack path between the threat agent and the asset indicates that an attack along the path would be successful.
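The iterative evaluation recited in claim 1, as an added example that is not code from the patent or its assignee. It assumes access levels are ordered integers and that the stored controls data maps a step's target to the required level that applies once the control is in place; all names and sample data are constructed.

```python
from dataclasses import dataclass

# Assumption: access levels form an ordered scale (higher = more access).
NONE, NETWORK, USER, ADMIN = 0, 1, 2, 3

@dataclass(frozen=True)
class Attack:
    target: str      # hypothetical name of the step's target
    required: int    # uncontrolled required access level
    resulting: int   # access level the agent holds if the step succeeds

def required_level(attack, controls):
    """Apply a stored control, if any, before the comparison is made."""
    return max(attack.required, controls.get(attack.target, attack.required))

def walk_path(existing, path, controls):
    """Return (asset_reached, final_level, trace) for one attack path."""
    level, trace = existing, []          # updated level starts at existing
    for attack in path:
        needed = required_level(attack, controls)
        if level < needed:               # next attack would fail: stop here
            trace.append((attack.target, needed, level, "blocked"))
            return False, level, trace
        level = attack.resulting         # updated level := resulting level
        trace.append((attack.target, needed, level, "succeeds"))
    return True, level, trace

def breaking_controls(existing, path, controls, candidates):
    """List candidate controls that, added alone, stop the agent short of the asset."""
    return [target for target, lvl in candidates.items()
            if not walk_path(existing, path, {**controls, target: lvl})[0]]

# Constructed sample data: a three-step path ending at the asset.
PATH = [Attack("dmz_web_server", NETWORK, USER),
        Attack("app_server", USER, ADMIN),
        Attack("customer_db", ADMIN, ADMIN)]
CANDIDATES = {"dmz_web_server": NETWORK, "app_server": ADMIN}

if __name__ == "__main__":
    print(walk_path(NETWORK, PATH, {}))
    print(breaking_controls(NETWORK, PATH, {}, CANDIDATES))
```

The trace records, for each step, the required level after controls were applied, which is the value a reviewer needs in order to see why a path was or was not cut.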
17 Claims
1. A method for analyzing a threat to system security, comprising:
identifying a threat agent having an existing access level attained by the threat agent in the course of an attack;
using the existing access level to analyze an attack path between the threat agent and an asset, including by:
setting an updated access level initially to the existing access level; and
iteratively comparing the updated access level with a required access level associated with a next attack along the attack path to determine whether the next attack along the attack path would be successful and, if so, updating the updated access level to equal a resulting access level associated with the next attack, until it is determined that the asset has been reached via the attack path or that no further attack along the path would be successful; and
in the event it is determined that the asset would be reached by the threat agent via the attack path, taking a responsive action in real time, prior to the asset actually being reached by the threat agent, the responsive action comprising a control or other countermeasure that results in the threat agent being rendered unable to reach the asset via the attack path;
wherein comparing the updated access level with a required access level associated with a next attack along the attack path includes determining the required access level associated with the next attack along the attack path at least in part by checking a stored controls data to determine whether an existing control applicable to the next attack along the attack path is in place and, if so, updating an initial, uncontrolled required access level associated with the next attack along the path to an updated required access level that reflects the effect of the control, wherein said step of updating is performed prior to the updated required access level being compared to the existing access level.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16
17. A computer program product for analyzing a threat to system security, the computer program product being embodied in a computer readable medium and comprising computer instructions for:
identifying a threat agent having an existing access level attained by the threat agent in the course of an attack;
using the existing access level to analyze an attack path between the threat agent and an asset, including by:
setting an updated access level initially to the existing access level; and
iteratively comparing the updated access level with a required access level associated with a next attack along the attack path to determine whether the next attack along the attack path would be successful and, if so, updating the updated access level to equal a resulting access level associated with the next attack, until it is determined that the asset has been reached via the attack path or that no further attack along the path would be successful; and
in the event it is determined that the asset would be reached by the threat agent via the attack path, taking a responsive action in real time, prior to the asset actually being reached by the threat agent, the responsive action comprising a control or other countermeasure that results in the threat agent being rendered unable to reach the asset via the attack path;
wherein comparing the updated access level with a required access level associated with a next attack along the attack path includes determining the required access level associated with the next attack along the attack path at least in part by checking a stored controls data to determine whether an existing control applicable to the next attack along the attack path is in place and, if so, updating an initial, uncontrolled required access level associated with the next attack along the path to an updated required access level that reflects the effect of the control, wherein said step of updating is performed prior to the updated required access level being compared to the existing access level.
Specification