US20160308895A1 - System and method for securing a computer system against malicious actions by utilizing virtualized elements - Google Patents
System and method for securing a computer system against malicious actions by utilizing virtualized elements Download PDFInfo
- Publication number
- US20160308895A1 US20160308895A1 US14/691,027 US201514691027A US2016308895A1 US 20160308895 A1 US20160308895 A1 US 20160308895A1 US 201514691027 A US201514691027 A US 201514691027A US 2016308895 A1 US2016308895 A1 US 2016308895A1
- Authority
- US
- United States
- Prior art keywords
- simulator
- breach
- nodes
- products
- computing system
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 230000009471 action Effects 0.000 title claims abstract description 86
- 238000000034 method Methods 0.000 title claims abstract description 52
- 238000004088 simulation Methods 0.000 claims description 111
- 238000012545 processing Methods 0.000 claims description 22
- 238000004891 communication Methods 0.000 claims description 17
- 238000004590 computer program Methods 0.000 claims description 14
- 230000004044 response Effects 0.000 claims description 9
- 230000000694 effects Effects 0.000 claims description 7
- 230000002265 prevention Effects 0.000 claims description 7
- 238000012360 testing method Methods 0.000 claims description 5
- 230000002155 anti-virotic effect Effects 0.000 claims description 4
- 238000007689 inspection Methods 0.000 claims description 4
- 230000000116 mitigating effect Effects 0.000 claims description 3
- 238000001514 detection method Methods 0.000 claims 2
- 230000008569 process Effects 0.000 description 17
- 239000008186 active pharmaceutical agent Substances 0.000 description 12
- 238000005067 remediation Methods 0.000 description 10
- 238000003860 storage Methods 0.000 description 9
- 238000004519 manufacturing process Methods 0.000 description 8
- 230000008859 change Effects 0.000 description 7
- 230000008595 infiltration Effects 0.000 description 7
- 238000001764 infiltration Methods 0.000 description 7
- 230000008520 organization Effects 0.000 description 7
- 230000005540 biological transmission Effects 0.000 description 6
- 230000006870 function Effects 0.000 description 6
- 238000010200 validation analysis Methods 0.000 description 6
- 238000002347 injection Methods 0.000 description 5
- 239000007924 injection Substances 0.000 description 5
- 238000012546 transfer Methods 0.000 description 5
- 238000012795 verification Methods 0.000 description 5
- 239000000243 solution Substances 0.000 description 4
- 239000003795 chemical substances by application Substances 0.000 description 3
- ZXQYGBMAQZUVMI-GCMPRSNUSA-N gamma-cyhalothrin Chemical compound CC1(C)[C@@H](\C=C(/Cl)C(F)(F)F)[C@H]1C(=O)O[C@H](C#N)C1=CC=CC(OC=2C=CC=CC=2)=C1 ZXQYGBMAQZUVMI-GCMPRSNUSA-N 0.000 description 3
- 238000012986 modification Methods 0.000 description 3
- 230000004048 modification Effects 0.000 description 3
- 230000015556 catabolic process Effects 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 230000002452 interceptive effect Effects 0.000 description 2
- 239000011159 matrix material Substances 0.000 description 2
- 238000013515 script Methods 0.000 description 2
- 241000700605 Viruses Species 0.000 description 1
- 230000006978 adaptation Effects 0.000 description 1
- 238000004458 analytical method Methods 0.000 description 1
- 238000013459 approach Methods 0.000 description 1
- 230000006399 behavior Effects 0.000 description 1
- 230000008901 benefit Effects 0.000 description 1
- 230000015572 biosynthetic process Effects 0.000 description 1
- 235000000332 black box Nutrition 0.000 description 1
- 230000000903 blocking effect Effects 0.000 description 1
- 238000009395 breeding Methods 0.000 description 1
- 230000001488 breeding effect Effects 0.000 description 1
- 230000001413 cellular effect Effects 0.000 description 1
- 238000010367 cloning Methods 0.000 description 1
- 230000001010 compromised effect Effects 0.000 description 1
- 238000013479 data entry Methods 0.000 description 1
- 238000007418 data mining Methods 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 230000036541 health Effects 0.000 description 1
- 208000015181 infectious disease Diseases 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 239000000463 material Substances 0.000 description 1
- 238000005259 measurement Methods 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 238000005065 mining Methods 0.000 description 1
- 230000006855 networking Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 239000013307 optical fiber Substances 0.000 description 1
- 238000013522 software testing Methods 0.000 description 1
- 238000012549 training Methods 0.000 description 1
- 230000009466 transformation Effects 0.000 description 1
- 238000012800 visualization Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
-
- G06F17/5009—
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/034—Test or assess a computer or a system
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45504—Abstract machines for programme code execution, e.g. Java virtual machine [JVM], interpreters, emulators
Definitions
- the invention described herein generally relates to a computer protection system, and in particular, a system for detecting and protecting against threats from malware vulnerabilities by simulating malicious actions, analyzing the results, and applying or suggesting remediation.
- Computing devices have increasingly become repositories for sensitive data of corporations and users. This has given rise to malicious users who try to gain access to these computing devices. Additionally, malicious users often attempt to install programs that track user interactions or utilize the computing resources of computing devices for malicious purposes.
- the Internet today is a breeding ground for criminal activity. Home users, small and medium businesses, international corporations and governmental bodies all suffer from constant attacks cause by malware such as viruses and Trojans.
- Malware, short for malicious software is any hostile or intrusive software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems. It can appear in the form of executable code, scripts, active content, and other software.
- Malware can steal personal and corporate bank account information, steal credit card numbers, conduct distributed-denial-of-service (DDoS) attacks with the instigators then demanding money to stop the attacks—a cyber racket, create networks of Trojan proxy servers (these can be used to send spam, and for commercial gain), create zombie networks, which can be exploited in multiple ways, create programs which download and install adware to the victim machine, install Trojan dialers which will repeatedly call pay services, etc. Consequently, anti-malware software has been developed to block these malicious users from gaining access to computing devices. However, malicious users continually attempt to circumvent the protection that anti-malware software provides. Malware has gotten more sophisticated and there is thus a need for new and advanced system and methods for securing against vulnerabilities to breaches from malware.
- DDoS distributed-denial-of-service
- the present invention provides a method and system for protecting a computing system.
- the system comprising a memory device having executable instructions stored therein and a processing device, in response to the executable instructions, operative to allocate simulator nodes, the simulator nodes emulating operations of devices in a target system, simulate malicious action utilizing the simulator nodes, and determine that the malicious action was successful.
- the simulator nodes may include at least one of virtual machines, virtual appliances, operating environments, and physical devices.
- the simulator nodes are configured to virtualize or clone at least one of hardware, software, cloud computing, network and communication elements.
- the simulator nodes may also be operable to establish communication connections.
- the processing device is operative to configure a security system of the target system based on the simulation of the malicious action.
- the security system may also include one or more security controllers.
- the one or more security controllers includes at least one of firewall products, antivirus products, endpoint security products, web application firewall (WAF) products, access control list (ACL) features of network products (e.g., switches, routers, proxies and etc.), data leakage prevention (DLP) products, mobile device management (MDM) products, mobile access management (MAM) products, and content inspection products.
- firewall products e.g., antivirus products, endpoint security products, web application firewall (WAF) products, access control list (ACL) features of network products (e.g., switches, routers, proxies and etc.), data leakage prevention (DLP) products, mobile device management (MDM) products, mobile access management (MAM) products, and content inspection products.
- DLP data leakage prevention
- MDM mobile device management
- MAM mobile access management
- the processing device of the system may be further operable to configure the security controller, and re-simulate the malicious action.
- the malicious action may comprise a breach scenario.
- the breach scenario may include a plurality of operations performed by the simulator nodes.
- the processing device of the system is further operable to update a snapshot of currently known breaches with the determination that the malicious action was successful, the snapshot comprising a graph including nodes representative of simulator nodes and edges representative of specific scenarios and simulation results of the specific scenarios, determine whether the snapshot has new breach scenarios and previously known scenarios that have been fixed, and conclude the new breach scenarios and the previously known scenarios that have been fixed by searching the graph.
- the system for protecting a computing system comprises a memory device having executable instructions stored therein and a processing device, in response to the executable instructions, operative to prepare breach simulation tasks by reading configurations for types of breach scenarios and preparing a list of tasks to be simulated, send breach simulation tasks to simulator nodes, the simulator nodes simulating parties involved in the types of breach scenarios, execute the breach simulation tasks on the simulator nodes, receive results from the simulator nodes, determine that the parties report on a same result, determine that the parties report on successful results, and identify a successful breach based on the parties report on the same result and the parties report on the successful results.
- the parties may include at least one of client devices and servers.
- the processing device is further configured to determine proper execution of the breach simulation tasks, and verify data received by the parties and data transmitted from the parties are consistent with a breach.
- the processing device is further configured to verify the data received by the parties and the data transmitted from the parties are identical.
- the breach scenarios may comprise sequences of moves executed on the simulator nodes with specific configurations and data assets.
- the processing device may be further configured to send the breach simulation tasks to the simulator nodes by generating one or more virtual devices configured to perform the breach simulation tasks.
- Breach simulation tasks may include data transfers, file modifications, change in system configuration, and changes to access permissions.
- the results received from the simulator nodes may include a hash of transferred and received data.
- the system for protecting a computing system comprises a memory device having executable instructions stored therein and a processing device, in response to the executable instructions, operative to parse a breach scenario file, the breach scenario file comprising a graph including action component nodes connected by edges, determine a root node from the action component nodes, execute the root node with breach point data, generate a root node return value based on the execution of the root node, the root node return value including a modified copy of the breach point data, determine children nodes from the action component nodes connected to the root node, execute the children nodes wherein each execution of the children nodes produces children node return values for a subsequent one of the children nodes, and return a final return value from the execution of the children nodes.
- the root node return value may be representative of a result from the execution of the root node.
- the processing device is further configured to generate the root node return value by modifying the breach point data.
- the processing device is further configured to modify the breach point data by at least one of adding new keys, deleting key, and changing key values.
- Certain embodiments may include the processing device further configured to generate the root node return value by generating a false return value upon an unsuccessful execution of the root node.
- Action component nodes may include executable instructions for execution of breach tasks.
- the processing device can also be further configured to establish the root node as a first step among the action component nodes.
- the breach point data may comprise a data structure including keys and values and generally includes information for executing the action component nodes.
- the values can contain Internet protocol (IP) addresses, ports, data, protocols, and filenames that are accessible by the keys.
- IP Internet protocol
- Embodiments of the present invention may be used to protect systems against malicious actions. Additionally, embodiments of the present invention can quantify risk by identifying what types of malicious actions are possible on a system and their impact. Further, system administrators may validate security controllers and determine which security controllers are effective or ineffective in providing protection to a system.
- FIG. 1 illustrates a computing system according to an embodiment of the present invention
- FIG. 2A illustrates a configuration platform system according to an embodiment of the present invention
- FIG. 2B illustrates an orchestration platform system according to an embodiment of the present invention
- FIG. 2C illustrates a data platform system according to an embodiment of the present invention
- FIG. 2D illustrates an execution platform system according to an embodiment of the present invention
- FIG. 2E illustrates a client system according to an embodiment of the present invention
- FIG. 3 illustrates a flowchart of a method for protecting a computing system according to an embodiment of the present invention
- FIG. 4 illustrates a flowchart of a method for preparing a breach simulation for verification according to an embodiment of the present invention
- FIG. 5 illustrates a flowchart of a method for managing breach simulation results according to an embodiment of the present invention
- FIG. 6 illustrates a flowchart of a method for executing a breach scenario according to an embodiment of the present invention.
- FIG. 7 illustrates an interface tool for editing breach scenarios according to an embodiment of the present invention.
- a malicious action is generally intended to include an action executed by an attacker as part of a breach scenario
- breach scenario (or simply referred to as a breach)—as used herein, is generally intended to include one or more malicious actions that represent a scenario that was found successful from an attacker point of view (e.g., by playing a sequence of moves in a scenario on one or more defined devices) and violating a security policy;
- scenario is generally intended to include a sequence of playbook moves executed over specific devices (e.g., by simulation) in attempt to violate a security policy (e.g., from device A, exploit operating system (OS) vulnerability on device B to run a remote process that will read finance report file from the local disk, encrypt it using some given key, and send it as attachment by using Gmail Simple Mail Transfer Protocol (SMTP) service to a given email address);
- a security policy e.g., from device A, exploit operating system (OS) vulnerability on device B to run a remote process that will read finance report file from the local disk, encrypt it using some given key, and send it as attachment by using Gmail Simple Mail Transfer Protocol (SMTP) service to a given email address
- playbook move (or simply referred to as a move)—as used herein, is generally intended to include a sequence of building blocks that could be executed by an attacker on a single device or between a plurality of devices (e.g., encode a file using base64 encoding, and send it over Transmission Control Protocol (TCP) port 80 to an external server on the Internet;
- TCP Transmission Control Protocol
- building block as used herein, is generally intended to include an action that could be executed by an attacker (e.g., open TCP socket to specific server on specific port);
- device as used herein, is generally intended to include anything that is capable of executing or running a code, programming instructions (examples of devices include desktop computers, laptop/notebook computers, mobile devices, smartphones, servers, printers, routers, etc.);
- asset as used herein, is generally intended to include any digital file or data that is considered proprietary by the company, and should be protected (examples of assets include employees details and human resources (HR) records, customers' credit card records, customers' personally identifiable information (PII), code, financial records, internal documents, company emails, partners records, etc.);
- HR human resources
- PII personally identifiable information
- security policy is generally intended to include constraints on data, flow and access of a party's or individual's digital assets and systems;
- fix recipe (or remedy)—as used herein, is generally intended to include a configuration or an action that could be taken by a system administrator of a system in order to prevent a playbook move from succeeding.
- Each move can have any number of fix recipes.
- An example of a fix recipe may include adding a rule to a firewall to block a port between two sub networks;
- red, green, blue as used herein, is generally intended to refer to describing for example, red describes the attacker side, green describes the attacked side, and blue describes a fix;
- security campaign is generally intended to include a set of configurations that describes a subset of a security policy and assets, for which there is a business/personal driver to analyze and protect.
- threat level is generally intended to describe a sophistication level of an attacker that is needed in order to perform a playbook move.
- a higher threat level may indicate a lower sophistication (e.g., a non-sophisticated attacker that is capable of carrying out a move imposes a high level of threat to a system);
- accepted risk is generally intended to refer to a playbook move that is acceptable by the system administrator or end-user of a system and will not be blocked (e.g., an open share folder on a network server to which there is access from the corporate subnet).
- the present invention provides a protection system(s) and methods of using thereof for predicatively detecting and preventing threats such as data breaches, malware, compliance violation and any security event that could be described through a workflow.
- the systems and methods simulate breach scenarios and hacker activity to detect system vulnerabilities.
- Simulations of breach scenarios and hacker activity may be created by building and running attack workflows, compliance/policy validation workflows, malware simulation or any other security events.
- Breach scenarios may be created to effectively simulate the actions of a malicious user or hacker.
- Scenarios may employ one or more simulator nodes or devices within and/or without a network (e.g., of a company) to execute scenarios and report potential vulnerabilities.
- the scenarios may be carried out at the application-layer but may also be implemented on lower layers of the Open Systems Interconnection (OSI) model.
- OSI Open Systems Interconnection
- the protection system can be configured to simulate malicious actions, analyze the results, and apply or suggest remediation. By doing so, a system administrator of a computing system can get a true picture of open breaches in their system and quickly fix them.
- system administrators may create, edit, and configure breach scenario workflows and “play” them within any network, end point or application.
- a simulation playbook, suite, package, or menu may be updated with new scenarios created by a provider of the protection system, third party vendors and by end-users.
- the protection system can generate virtual appliances, control devices, configure system behavior and settings and be deployed within a networked computing environment; however, the technology is not limited to network-based scenarios and can be deployed on a PC, mobile device and cloud applications as well.
- the malware system may be either an enterprise business product or a consumer personal product.
- FIG. 1 presents a computing system according to an embodiment of the present invention.
- Computing system 100 provides for malware protection services, and operation of the computing system 100 can be employed (or one or more components of the computing system 100 may be implemented or deployed) on a target system to be protected.
- a target system may be a single client device, a network of client devices, one or more servers, databases, networking equipment, printers, or any device and combinations thereof.
- Client devices may comprise computing devices (e.g., desktop computers, television set top boxes, terminals, laptops, personal digital assistants (PDA), cell phones, smartphones, tablet computers, e-book readers, or any computing device having a central processing unit and memory unit capable of connecting to a network).
- computing devices e.g., desktop computers, television set top boxes, terminals, laptops, personal digital assistants (PDA), cell phones, smartphones, tablet computers, e-book readers, or any computing device having a central processing unit and memory unit capable of connecting to a network).
- PDA personal digital assistants
- Client devices may also comprise a graphical user interface (GUI) or a browser application provided on a display (e.g., monitor screen, LCD or LED display, projector, etc.).
- GUI graphical user interface
- a client device may vary in terms of capabilities or features.
- a client device may also include or execute an application to communicate content, such as, for example, textual content, multimedia content, or the like.
- a client device may also include or execute an application to perform a variety of possible tasks, such as browsing, searching, playing various forms of content, including locally stored or streamed video, or games.
- a client device may include or execute a variety of operating systems, including a personal computer operating system, such as a Windows, Mac OS or Linux, or a mobile operating system, such as iOS, Android, or Windows Mobile, or the like.
- a client device may include or may execute a variety of possible applications, such as a client software application enabling communication with other devices, such as communicating one or more messages, such as via email, short message service (SMS), or multimedia message service (MMS), including via a network, such as a social network, including, for example, Facebook, LinkedIn, Twitter, Flickr, or Google+, to provide only a few possible examples.
- a client software application enabling communication with other devices, such as communicating one or more messages, such as via email, short message service (SMS), or multimedia message service (MMS), including via a network, such as a social network, including, for example, Facebook, LinkedIn, Twitter, Flickr, or Google+, to provide only a few possible examples.
- SMS short message service
- MMS multimedia message service
- Servers may vary widely in configuration or capabilities but are comprised of at least a special-purpose digital computing device including at least one or more central processing units and memory.
- a server may also include one or more mass storage devices, one or more power supplies, one or more wired or wireless network interfaces, one or more input/output interfaces, or one or more operating systems, such as Windows Server, Mac OS X, Unix, Linux, FreeBSD, or the like.
- a server is operative to receive requests from client devices and/or other servers and process the requests to generate responses across one or more networks.
- a network may be any suitable type of network allowing transport of data communications across thereof.
- the network may couple devices so that communications may be exchanged, such as between servers and client devices or other types of devices, including between wireless devices coupled via a wireless network, for example.
- a network may also include mass storage, such as network attached storage (NAS), a storage area network (SAN), cloud computing and storage, or other forms of computer or machine readable media, for example.
- NAS network attached storage
- SAN storage area network
- the network may be the Internet, following known Internet protocols for data communication, or any other communication network, e.g., any local area network (LAN) or wide area network (WAN) connection, cellular network, wire-line type connections, wireless type connections, or any combination thereof.
- LAN local area network
- WAN wide area network
- the computing system 100 comprises a configuration platform 102 , orchestration platform 104 , data platform 106 , execution platform 108 , and client 110 .
- Configuration platform 102 may be configured as a storage container where the other platforms are able to communicatively connect with configuration platform 102 to read data such as system configuration data and knowledgebase data.
- the configuration platform 102 may expose application program interfaces (APIs) for create, read, update and delete (“CRUD”) operations on the data.
- FIG. 2A presents the configuration platform system according to an embodiment of the present invention.
- Configuration platform 102 comprises knowledgebase module 202 , configuration module 204 , user interface server 206 , and database 208 .
- Configuration module 204 comprises an interface operable to read and write (into database 208 ) configuration aspects of the system including users and roles, security policies, data assets, live notifications setting, user preferences, etc.
- Knowledgebase module 202 comprises an interface operable to read and write (into database 208 ) simulation and prevention knowledge of the system such as breach scenarios and fix recipes. Remediation history may also be stored into database 208 by knowledgebase module 202 .
- the knowledgebase module 202 may be configured for consumption by orchestrator platform 104 for generating simulation tasks and fix tasks.
- User interface server 206 is operable to serve client 110 to a web browser on a client device (of a system administrator or end-user) and provides at least a login process.
- Client may be a mobile client, a WINDOWS client, or a Web client, and so on.
- New scenarios and fix recipes may be updated via an update system 210 .
- Update system 210 may be hosted as a cloud service or on a server that can be accessed automatically (e.g., “auto update” mode), semi-automatic (e.g., “update now” button), and/or manually (e.g., download update file and upload it manually into database 208 ).
- Update system 210 may provide scenario workflows and fix recipes that can be downloaded (e.g., as a subscription or for free) from a provider of the protection system, private hackers or from third party vendors. Services provided by update system 210 may be consumed by knowledgebase module 202 . Alternatively, end-users may create new scenarios in an editor tool in a user interface (described in further detail with respect to the description of FIG. 7 ), or via an API.
- FIG. 2B presents an orchestration platform system according to an embodiment of the present invention.
- Orchestration platform 104 may be configured to serve as a task manager between various components of the computing system 100 .
- Exemplary functions of orchestrator platform 104 include generating simulation tasks, analyzing breach events and generating remediation tasks.
- Orchestration platform 104 comprises simulation orchestrator 212 and fix orchestrator 222 .
- Simulation orchestrator 212 is operable to generate red and/or green tasks.
- the simulation orchestrator 212 may be configured to read scheduling configuration from the configuration module 204 and breach scenarios from knowledgebase data from knowledgebase module 202 (e.g., via APIs).
- a scheduler may “wake” the simulation orchestrator 212 every time a campaign should run. That is, the scheduler can determine when to run tasks related to specific campaigns and notify the simulation orchestrator 212 .
- Simulation orchestrator 212 may also manage processes associated with generating tasks by delegating to a breach generator and a task maker, and sending simulation tasks from the task maker to the execution platform 108 .
- the simulation orchestrator 212 may also expose an external API for controlling tasks such as running and halting one, a plurality, or all tasks.
- Simulation orchestrator 212 may be configured to call the breach generator and instruct it to generate simulations required for a given campaign.
- the breach generator is operable to read security policy and campaign configuration from the configuration module 204 (e.g., via API), read scenarios from knowledgebase module 202 (e.g., via API), and generate a matrix of simulations to be run or executed.
- breach generator is able to generate a list or matrix of simulations to run.
- An example of a simulation may be to “use asset X in scenario Y, and run it on simulator nodes A and B.” The breach generator may then return the list of simulations to simulation orchestrator 212 .
- the simulation orchestrator 212 may then call the task maker and instruct it to generate tasks for the list of simulations.
- the task maker is operable to receive simulations from the breach generator, read data assets from the configuration module 204 (e.g., via API), and compile red and green scenarios as tasks based on the simulation matrices and data assets.
- the task maker uses assets it reads from configuration module 204 and the data in the list to compile and generate tasks that can run on the simulator nodes.
- the tasks may then be returned to the simulation orchestrator 212 of which they can be sent to an execution manager (on execution platform 108 ) for execution.
- Fix Orchestrator 222 is operable to generate blue tasks.
- fix orchestrator 222 includes learning features that attempt a remediation and re-run simulations in order to find the right remediation for a breach (which is described in further detail regarding the description of FIG. 8 ). Similar to the operation of simulation orchestrator 212 , fix orchestrator 222 may operate as a manager for processes associated with generating tasks for fix orchestrator 222 by delegating to a decider, a fix generator and a task maker (which may or may not be the same task maker as described for simulation orchestrator 212 ), and sending fix or remediation tasks generated by the fix generator to the execution platform 108 .
- a task manager may read breach events from a queue and call a decider to decide a remedy. For example, a breach event is read from the queue which indicates that a breached node A opens port 21 and sends malware via FTP to node B. Node B is able to activate malware locally and the malware reads local file (asset) and sends it via email to an unknown Gmail account.
- the queue may be, but not limited to, a communication system that transfers data associated with one or more events between components inside a computing device, or between computing devices and systems.
- the queue covers all related hardware components (wire, optical fiber, memory, etc.) and software, including communication protocols.
- the decider may be configured to receive the breach events from fix orchestrator 222 .
- the decider is able to read remediation history and fix recipes from data platform 106 , and based on the history data and the fix recipes, the decider is able to decide on a remedy to attempt (next remedy if a previous remedy was attempted and unsuccessful based on the remediation history).
- the decider may call the fix generator to decide how to implement a given remedy.
- the fix generator is able to read configuration data from the configuration module 204 (API) and the decision from the decider, and determine how to implement the remediation with a fix recipe.
- the decider may send a decision to the fix generator for blocking port 21 between two specific segments in the firewall.
- the fix generator may generate a fix recipe including a configuration file for a CISCO firewall on the target system and provide instruction(s) to deliver the configuration file via syslog.
- the fix recipe may then be sent to the task maker.
- the task maker is operable to “wrap” the fix recipe generated from the fix generator into a fix task that can run in a given gateway node.
- Fix orchestrator 222 may receive the fix task and send it to an execution manger (on execution platform 108 ) for implementation.
- task maker receives an instruction from the fix generator that a Cisco configuration file is to be sent to a target system via syslog.
- the task maker may generate a task addressed to the right syslog gateway with all the needed parameters
- Fix orchestrator 222 Upon performing a fix task by an execution manager, a fix event may be emitted to the queue.
- Fix orchestrator 222 is also able to read fix events from the queue and communicate them to decider. The decider decides if and which simulations have to re-run (to verify functionality of a fix task) and returns a response to fix orchestrator 222 .
- Fix orchestrator 222 may call simulation orchestrator 212 of the simulation orchestrator 212 and instructs it to re-run a given scenario corresponding to a fix task.
- FIG. 2C presents a data platform system according to an embodiment of the present invention.
- Data platform 106 may be configured to aggregate and expose business data and intelligence to other components and/or platforms of the computing system 100 .
- the business data and intelligence may include techniques and tools for the transformation of simulation results and breach events into meaningful and useful information for analysis purposes.
- the data platform 106 may analyze raw simulation events from the queue, identify full breach scenarios, and identify or produce breach scenario events.
- data platform 106 may further provide reporting, online/cloud analytical processing, analytics, data mining, process mining, complex event processing, benchmarking, predictive analytics and prescriptive analytics.
- Data platform 106 includes results analyzer 232 , notifications module 234 , reports manager 236 , real time data manager 238 , and database 240 .
- Results analyzer 232 is operable to read simulation results (produced by execution platform 108 ) from the queue, update an in-memory graph, and search the graph for new breaches or existing breaches that were fixed.
- the in-memory graph may include simulator nodes as nodes on the graph and specific scenarios with their simulation results as edges. For example, an edge between two simulator nodes A and B can represent a successful simulation that sent asset X using scenario Y.
- Results analyzer 232 is able to perform searches on the graph to find new breaches and emit breach events for each breach it finds.
- breached simulator node A can execute code on simulator node B using scenario X; node A can then take asset Y from node B, and send it to the Internet represented by node C using scenario Z.
- Results analyzer 232 is also able to perform searches on the graph to see if previously found breaches are now closed and emits a “breach heal event” for each breach that was closed.
- Notifications module 234 is operable to reads notifications configurations from the configuration API (configuration module 204 ), read breach events from the queue, and create notifications. Notifications may be published via SMS or email, or exposed to a user interface (e.g., user interface server 206 ) via an API. Reports manager 236 may be configured to generate business reports as requested via an API, or automatically by a scheduler, in which case it may publish reports via email. Various types of business reports may be generated including impact reports, trends reports, and technical reports.
- Impact reports can describe business impacts from certain malicious activities. Examples of impacts may include leaked credit cards, breached active directory, infiltration into the organization, etc.
- An impact report may include a current state per impact described by, for example, a number of breach scenarios, surface of attack, and impact magnitude.
- the number of breach scenarios may indicate how many different breach scenarios exist to create the impact.
- Surface of attack may be a statistical measurement of the number of successful actions out of a total number of actions (e.g., malicious activities) simulated for the different breach scenarios.
- the impact magnitude can indicate a measure or size of an impact under one or more breach scenarios. For example, an impact magnitude for a hacker leaking credit card numbers may be calculated by a number of credit card numbers that could be leaked by successful breach scenarios.
- the impact magnitude may be a maximum number of card numbers at risk between the two breach scenarios (100 thousand card numbers at risk).
- a trends report may show trends per impact item. Trends may be shown by a chart, graph or visualization of data points over a period of time such as for number of breach scenarios, surface of attack, and impact magnitude.
- Technical reports may show a breakdown (e.g., using histograms) of successful actions into different parameters.
- Exemplary parameters include protocol (what protocol was used, e.g., SSH, TCP, HTTP, SMTP, etc.), attacker level (what level of sophistication is required to carry the action, e.g., script kiddy, cyber crime, state backed organization), and approach (e.g., malware, brute force, exploit, etc.).
- the technical reports may be filtered by specific actions prior to generating a breakdown, for example, show only actions related to data leak.
- Real time data manager 238 may be configured to expose real time data of the computing system 100 to one or more components or platforms.
- the real time data manager is capable of reading events from the queue in addition to some of the aggregated data in the database 240 to generate the real time data and expose the data in an API. Examples of real time data may include the running of simulations, fixes, updates, etc. Real time data may be utilized by components such as a dashboard in the client 110 .
- FIG. 2D presents an execution platform system according to an embodiment of the present invention.
- Execution platform 108 may be configured to perform the execution of or running of tasks received from simulation orchestrator 212 and fix orchestrator 222 .
- components within execution platform 108 may create simulator nodes, manages the nodes' resources, run simulations and execute fixes.
- a simulator node as used herein, may refer to an instance of a virtual machine, virtual appliance, operating environment, agent, client, server, a physically installed device or any other emulation device or system that is capable of virtualizing and/or cloning devices, hardware, software, cloud computing, network and communication elements, etc.
- Execution platform 108 includes execution manager 250 , gateway node interface 252 , and simulator node 254 .
- Execution manager 250 can be configured to provide for the management of simulation and fix tasks.
- the execution manager 250 may expose an API that is consumed by the orchestrator platform 104 that allows for adding tasks, stopping a task, or stopping all tasks at the execution manager 250 .
- Execution manager 250 may utilize a queue to add and remove pending simulation and fix tasks.
- Execution manager 250 is operable to add simulation tasks received from simulation orchestrator 212 into a simulation task queue.
- the execution manager 250 is further capable of allocating simulator node resources.
- Simulator node generator 254 may be configured to accept simulation instructions from execution manager 250 and execute the simulation instructions. Specifically, simulator node generator 254 may generate or allocate one or more simulator nodes to simulate a scenario according to the simulation instructions.
- a simulator node could be deployed as a virtual appliance, agent (e.g., as a Linux daemon on a server in production or as a service on a Windows PC in the corporate network), appliance (hardware), or application (e.g., on a mobile device).
- Simulator nodes may be deployable to one or more computers or devices connected via one or more communication networks. Additionally, simulator nodes may also be distributed in different locations of a network in a target system so the computing system 100 can simulate complex attacks that move between various locations.
- the execution manager 250 may pop the task from the queue and send red (attack) and green (receiving attack) instructions to the respective simulator nodes.
- a given simulator node may run an interpreter for the simulation instructions and utilize a library bundle that helps run the simulation instructions.
- Tasks on simulator nodes may lock the simulator nodes for new tasks which can be managed by the execution manager 250 .
- execution manager 250 may send statistic events to the queue which may be consumed by a real time data API (real time data manager 238 ) and reported to a dashboard (as e.g., “now running simulations”).
- each simulator node carries out its instructions.
- a node can act as a red side (attacker) or a green side (being attacked).
- a red simulator node may read a file from the disk, take the first four bytes, encode it using base64 encoding, try to open a port to the green simulator node and send those bytes to the open port using telnet. At the same time, the green simulator node listens on port 23 waiting for transmission. Once received, the green simulator node decodes the data using base64. At the end of a simulation, each node may report back its results to execution manager 250 and execution manager 250 may transmit a simulation result event to the queue of which, the simulation result may be consumed by the results analyzer 232 .
- the red simulator node may send a hash of the four bytes that were sent to the green side to execution manager 250 .
- the green simulator node may send a hash of the data it decoded to the execution manager 250 . Execution manager 250 may compares both hashes and decide whether the simulation succeeded (the hacker managed to send the data), or failed.
- Gateway node interface 252 is operable to provide gateways (nodes) to third party systems associated with a target system such as firewalls, data lost prevention (DLP) systems, a syslog server, an email server, short message service (SMS) gateway, etc.
- the gateway node interface 252 is able to run interpreters for gateway instructions and utilize a library bundle that helps run the gateway instructions.
- Gateway nodes may be distributed in different locations of the network to allow connectivity to the third party systems involved.
- a gateway node may be deployed as a virtual appliance, agent, or appliance (hardware), etc.
- gateways may also be provided as cloud (service) gateways to services like email, SMS, etc., that can be consumed by gateway nodes in the execution platform in order to fulfill their requirements.
- execution manager 250 may pop the fix task from a fix task queue and send it to the gateway node.
- Gateway nodes may send results to execution manager 250 , and execution manager 250 may write fix events to the queue.
- the execution platform 108 may be configured, deployed, or on the premises of the target system where resources of the target system may be used to perform the simulations and fixes.
- one or more components of the execution platform 108 e.g., execution manager 250
- one or more instances of the components (e.g., execution manager 250 ) of the execution platform 108 may be deployed in a plurality of locations, a plurality of target systems or within a given target system.
- FIG. 2E presents a client system according to an embodiment of the present invention.
- Client 110 may be a server or cloud implementation configured to provide a main interface of the computing system 100 used for accessing analytics and configurations.
- the client 110 includes scenario editor module 260 , system configuration module 262 , alerts module 264 , and analytics module 266 .
- Modules (one or more of which may be user interfaces) within client 110 may be provided for a user to interact with the computing system 100 .
- the client 110 may be provided to the user via a website or via a networked application installed on the target system.
- System configuration module 262 may provide for the viewing and setting of the configuration of the system (e.g., corresponding to configuration module 204 ) such as users and role, security campaigns configuration, assets, etc.
- Alerts module 264 may be a user interface component operable to provide real time alerts that require the attention of a user.
- Analytics Module 266 may further include dashboards module 270 and reports module 268 .
- the dashboards module 270 may provide real-time information or status. Reports module may provide answers to questions such as “what is the threat level that I'm currently facing in regards to my customers' credit cards data?” “what is the trend of the security level of R&D code in the last 6 months?” “is my PCI environment fully compliant with PCI standards?
- Scenario Editor module 260 is operable to allow system administrators or end-users create their own scenarios and add them to a playbook that can be simulated in their environment (target system).
- computing system 100 may be deployed as a full on-premises solution, full cloud (SaaS) or hybrid. That is, one or more of the platforms and components described in FIG. 1 through 2E may be deployed, installed, or otherwise located at the target system (and installed on one or more devices within the target system), on a remote server or on a cloud platform. The platforms and components in different platforms can run as separate processes on the same server, or separated onto different servers. Furthermore, one or more instances of computing system 100 or its components (such as execution platform 108 ) may exist in a deployment for a target system.
- a first example may include configuration platform 102 , orchestration platform 104 and data platform 106 provided on a cloud while execution platform 108 will be on premises of the target system.
- a second example may include configuration platform 102 and orchestration platform 104 provided on a cloud while data platform 106 and execution platform 108 will be on premises of the target system.
- configuration platform 102 may be provided on a cloud while orchestration platform 104 , data platform 106 and execution platform 108 will be on premises of the target system.
- FIG. 3 presents a flowchart of a method for protecting a computing system according to an embodiment of the present invention.
- the method provides for breach protection on a target system by simulating scenarios and using predictive prevention. Examples of possible scenario genres that can be simulated include exfiltration, infiltration, and policy validation. Deployment of the method (and associated system) may be carried out based on the need as a virtual appliance, in singular or multiple locations, within the network (corporate, production, and etc.) or externally when the goal is to simulate infiltration or external breach scenarios.
- a user may be required to specify one or more simulation options such as what family of scenarios the user would like to use (e.g., data exfiltration, infiltration, malware, compliance or any other) and what internal or external simulator nodes should be part of the simulation.
- a user may be an end-user, a computer administrator, IT professional, or management personnel.
- policy/compliance validation the user can define the policy to validate (e.g., access to a server only via virtual private network (VPN) or allow a remote user to access production only through a terminal server).
- VPN virtual private network
- a user may be able to define what is confidential content by means of uploading actual templates and information into a simulator node (e.g., MS Word, source code, code names of products, etc.), by choosing dynamic real-time generators such as a fake person name, fake credit card, fake email, and etc., by choosing out of predefined data samples, or any combination thereof.
- a simulator node e.g., MS Word, source code, code names of products, etc.
- a simulation is started, step 302 .
- the simulation may be configured according to simulation options selected by the user and started either on-demand, periodically as scheduled, in response to an update, or in response to a high threat warning that may be received from a provider of a protection/security system.
- Starting the simulation may include initializing or generating simulator nodes.
- the simulator nodes may be virtualized devices, systems, or cloud services, for example. Simulation can occur on a single node or between multiple nodes. In simulations including multiple simulator nodes, connections between the simulator nodes may also be established.
- the simulation may include processes and/or communications between one or more devices or of a single device connected to a network system/cloud service.
- a simulator node may connect to another simulator node as a proxy, or will try to access the Internet and reach an external entity.
- Malicious action is simulated, step 304 .
- the malicious action may be simulated on one or more devices (internal or external) via the simulator nodes.
- the simulated malicious action may comprise a breach scenario including one or more steps that contribute to a result that is harmful to the user or owner of the target system. According to one embodiment, multiple malicious actions may be simulated simultaneously.
- the system determines whether the malicious action was successful executed, step 306 .
- Validation of successfully executed malicious action may be determined by any number of ways including determining the success of establishing a connection, determining the success of sending and receiving a series of data packages (e.g., reaching a certain state in the server-side), and applying metadata facts (e.g., check-sum, file size, regular expression, and etc.) sent over an encrypted out-of-band channel from one simulator node to another.
- metadata facts e.g., check-sum, file size, regular expression, and etc.
- the protection system may include one or more security controllers.
- Security controllers may be any product (technology) able to detect and mitigate one or more malicious actions that are executed as part of a breach scenario.
- security controllers include, but not limited to, firewall products, antivirus products, endpoint security products, web application firewall (WAF) products, access control list (ACL) features of network products (e.g., switches, routers, proxies and etc.), data leakage prevention (DLP) products, mobile device management (MDM) products, mobile access management (MAM) products, and content inspection products.
- WAF web application firewall
- ACL access control list
- DLP data leakage prevention
- MDM mobile device management
- MAM mobile access management
- Previously attempted security configurations may be passed on and the method continues to determine if there are other security configurations that can protect against the malicious action.
- a lack of security configurations to protect against the malicious action may result in the method to continue on to simulating other malicious actions at step 302 .
- the security controller is configured to protect against the malicious action, step 316 .
- Configuring the security controller may include offering a mitigation path (manual or automated).
- Implementing a security configuration may include connecting to the security controller and configuring the security controller according to a specific security configuration.
- a given security controller may be selected and configured to resolve a vulnerability exposed by the simulation of the malicious action.
- configuring a security controller may include displaying a recommendation on how to prevent the breach on a target system using a specific security controller product and providing an example configuration using the specified product, that once applied, will prevent the breach.
- a product may be made available for download or purchase to prevent the breach.
- the method may repeat looping through one or more simulations to ensure that malicious action vulnerabilities are continuously detected and protected against at 302 .
- the system may re-simulate the malicious action to determine if the malicious action has been prevented against.
- the method may re-simulate malicious actions with up-to-date security configurations (e.g., from updates to security software, etc.) where there were no security configurations to protect against in a previous simulation.
- FIG. 4 presents a flowchart of a method for preparing a breach simulation for verification according to an embodiment of the present invention.
- the method allows for the verification of a breach by determining proper execution of breach tasks and whether data received and transmitted from all parties involved in a breach are consistent with a breach. For example, data that was sent from one device to another is verified whether the data is received as is (e.g., identical, the same, equal or substantially similar).
- Breach simulation task(s) are prepared by the simulation orchestrator, step 402 .
- Preparing the breach simulation task(s) may include reading a configuration for a specific breach scenario type and preparing a list of tasks to be simulated, taking into account one or more moves in a playbook, one or more configured data assets, and simulator nodes in the system, etc.
- a breach scenario may comprise a sequence of one or more moves applied on the simulator nodes with specific configurations, data assets, etc.
- the simulation orchestrator can prepare tasks for all participating parties (characterized by simulator nodes) involved in a given simulation.
- a simulation can occur on a single simulator node or between multiple simulator nodes.
- Malware connects to a server (that also may, or may not be the command and control server) and downloads a configuration file.
- the protocol and configuration file format may vary, depends on the malware type and version.
- Simulator A will simulate an infected computer with malware installed on it.
- Simulator B will simulate a server that is serving malware configuration file.
- Simulator A will try to connect to Simulator B via HTTP protocol and download the malware configuration file.
- the command and command channel may vary, depends on the malware type and version.
- Simulator A will simulate an infected computer with malware installed on it.
- Simulator B will simulate a command and control channel server.
- Simulator A will try to connect to Simulator B via FTP protocol and upload an encrypted file that contains screenshots & logged keystrokes from the infected computer.
- malware When a malware is installed, it will create one or more files and/or directories and use it to store stolen credentials, keystrokes logging, screen captures and etc. before it will send it back to the attacker via the command and control channel.
- the file and directory names and locations on the file system may vary, depends on the malware type and version.
- Simulator A will simulate an infected computer with malware installed on it. Simulator A will attempt to create one or more of the following hidden files and/or directories:
- malware When a malware is installed, it will create one or processes for it to run, or, alternatively it will try to inject itself into another running processes in the system. In addition, malware may change system configuration in order to force the user to go through its filters/processes.
- the injection/creation method and processes names may vary, depends on the malware type and version.
- Simulator A will simulate an infected computer with malware installed on it. Simulator A will create a dummy process called SVCHOST.EXE. Simulator A will attempt to inject a code into the dummy process called SVCHOST.
- a botnet may be a collection of Internet-connected programs communicating with other similar programs in order to perform tasks. This can be as mundane as keeping control of an Internet Relay Chat (IRC) channel, or it could be used to send spam email or participate in distributed denial-of-service attacks.
- IRC Internet Relay Chat
- Simulator A will open an email account (e.g., Google Mail, Yahoo!, Hotmail and etc.) and periodically check it for new mails.
- Simulator B will simulate a bot installed on a computer.
- Simulator B will connect to an SMTP server and attempt to send a spam email to Simulator A email account.
- An Insider threat is a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization's security practices, data and computer systems.
- the threat may involve fraud, the theft of confidential or commercially valuable information, the theft of intellectual property, or the sabotage of computer systems.
- Simulator A will connect to DROPBOX website. Simulator A will login to DROPBOX Account. Simulator A will upload file with sensitive data to DROPBOX (e.g., HTTP POST).
- DROPBOX e.g., HTTP POST
- Simulator A will simulate an USB flash drive that is inserted into the computer. Simulator A will try to copy the sensitive files to the simulated USB flash drive.
- An employee tries to pair an unauthorized device (if there's a policy) or at all (if prohibited at all) and then copy sensitive data to it.
- Simulator A will simulate a BLUETOOTH device that is paired with the computer. Simulator A will try to send file via BLUETOOTH to the virtual device.
- a hacker seeks and exploits weaknesses in a computer system or computer network.
- Hackers may be motivated by a multitude of reasons, such as profit, protest, challenge or enjoyment.
- Arbitrary code execution is used to describe an attacker's ability to execute any commands of the attacker's choice on a target machine or in a target process. It is commonly used in arbitrary code execution vulnerability to describe a software bug that gives an attacker a way to execute arbitrary code.
- a program that is designed to exploit such a vulnerability is called an arbitrary code execution exploit. Most of these vulnerabilities allow the execution of machine code and most exploits therefore inject and execute shellcode to give an attacker an easy way to manually run arbitrary commands.
- the ability to trigger arbitrary code execution from one machine on another (especially via a wide-area network such as the Internet) is often referred to as remote code execution.
- the exploit and protocol may vary depending on the remote vulnerability.
- Simulator A will simulate a vulnerable HTTP server that has a buffer overflow problem in the GET method handler. Simulator B will connect to the vulnerable HTTP server and craft a malicious GET request in order to exploit the vulnerability.
- Scenario 3.2 Principal Escalation/Local Code Execution/Local Exploit Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions.
- Simulator A will simulate a service (daemon) running with administrator privileges that is vulnerable to insecure file creation vulnerability. Simulator A will attempt to exploit the vulnerable service via creation of multiple potential “temporary files” that includes malicious payload.
- Fuzz testing or fuzzing is a software testing technique, often automated or semi-automated, that involves providing invalid, unexpected, or random data to the inputs of a computer program. The program is then monitored for exceptions such as crashes, or failing built-in code assertions or for finding potential memory leaks. Fuzzing is commonly used to test for security problems in software or computer systems.
- Simulator A will simulate a SSH Server. Simulator B will simulate a fuzzer that sends “broken” SSH requests. Simulator A will connect to the SSH server and start fuzzing.
- a vulnerability scanner is a computer program designed to assess computers, computer systems, networks or applications for weaknesses.
- a web application security scanner is a program, which communicates with a web application through the web front-end in order to identify potential security vulnerabilities in the web application and architectural weaknesses. It performs a black-box test.
- web application scanners don't have access to the source code and therefore detect vulnerabilities by actually performing attacks.
- Simulator A will simulate a HTTP Server with an interactive form. Simulator B will simulate a SQL injection scanner. Simulator A will connect to the HTTP server and start “enumerating” different SQL injection attacks using the interactive form fields.
- a brute-force attack or exhaustive key search
- a cryptanalytic attack that can, in theory, be used against any encrypted data (except for data encrypted in an information-theoretically secure manner).
- Such an attack might be used when it is not possible to take advantage of other weaknesses in an encryption system (if any exist) that would make the task easier. It is comprised of systematically checking at least one or all possible keys or passwords until the correct one is found. In the worst case, this would involve traversing the entire search space.
- Simulator A generates a dummy administrator account (username with a random password). Simulator A tries to blindly brute-force the dummy username password (e.g., 0, 1, 2, 3, 4, . . . , A, B, C, D, . . . AA, AB, AC, and etc.).
- the dummy username password e.g., 0, 1, 2, 3, 4, . . . , A, B, C, D, . . . AA, AB, AC, and etc.
- a dictionary attack is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by trying hundreds or sometimes millions of likely possibilities, such as words in a dictionary.
- Simulator A generates a dummy administrator account (username with a random password). Simulator A will simulate a HTTP server with a dummy login form. Simulator B will connect to the HTTP server and attempt to login with different passwords (e.g., 12345, abc123, password, computer, 123456, tigger, 1234, a1b2c3, qwerty, 123, xxx, money, and etc.).
- different passwords e.g., 12345, abc123, password, computer, 123456, tigger, 1234, a1b2c3, qwerty, 123, xxx, money, and etc.
- a resource enumeration attack is a type of attack in which an attacker is able to make the target host enumerate, or list, the various resources available on said host or network. Examples of these resources include user names and privileges, services, shares, policies, etc.
- Simulator A will simulate a dummy service on random TCP port (e.g., 31337 ). Simulator B will port scan the server to determine which TCP ports are active.
- Spear phishing is a targeted email scam with the sole purpose of obtaining unauthorized access to sensitive data or resource.
- Simulator A generates a phishing email with a malicious link. Simulator A sends the email to Simulator B corporate email address. Simulator B receives the email via the corporate email server. Simulator B clicks on the malicious link.
- a covert channel may be defined as a type of computer security attack that creates a capability to transfer information objects between processes that are not supposed to be allowed to communicate by the computer security policy.
- Simulator A listens on TCP/IP port ‘31337’. Simulator B attempts to send a TCP SYN packet with data hidden in the SYN SEQUENCE field
- Security policy is a definition of what it means to be secure for a system, organization or other entity.
- the security policy addresses constraints on functions and flow among them, constraints on access by external systems and adversaries including programs and access to data by people.
- PCI-DSS Payment Card Industry Data Security Standard
- Simulator A will simulate a HTTPS server that supports SSLv2 (a weak version of SSL that includes weak ciphers). Simulator B will try to connect to Simulator A via SSLv2 protocol and negotiate a weak cipher.
- SSLv2 a weak version of SSL that includes weak ciphers
- the security rule does not expressly prohibit the use of email for sending electronic PHI.
- the standards for access control (45 CFR ⁇ 164.312(a)), integrity (45 CFR ⁇ 164.312(c)(1)), and transmission security (45 CFR ⁇ 164.312(e)(1)) require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against the unauthorized access to electronic PHI sent and received over email communications.
- the standard for transmission security ( ⁇ 164.312(e)) has been updated to enforce the use of encryption. This means that each covered entity must assess its use of open networks, identify the available and appropriate means to protect electronic PHI as it is transmitted, select a solution, and document the decision.
- the security rule allows for electronic PHI to be sent over an electronic open network as long as it is adequately protected.
- Simulator A will simulate an SMTP (mail server) server. Simulator B will try to connect to Simulator A via SMTP protocol and use it to send an email with an attachment that contains PHI.
- SMTP email server
- a password policy can be a set of rules designed to enhance computer security by encouraging users to employ strong passwords and use them properly.
- a password policy is often part of an organization's official regulations and may be taught as part of security awareness training.
- Simulator A will try to change password to a weak one (one that does not meet or exceed the password complexity).
- the prepared tasks are sent to the simulator nodes, step 404 .
- Sending a task to a simulator node may include loading data onto a simulator node module, loading the data onto a programmable chip or memory for execution by a processor/processor core, or generating a virtual device configured to perform the task.
- Each simulator node may represent one or more parties (e.g., client devices and servers), devices, networks, and systems participating in a breach scenario.
- Tasks on the simulator nodes are executed/simulated, step 406 .
- the tasks executed on the simulator nodes may result in data transfers, file modifications, change in system configuration, and change to access permissions, to name a few.
- Each simulator node may report its result of the executed tasks/simulation.
- the results analyzer may receive the result of simulation from the simulator nodes, step 408 .
- a result may include a hash of transferred and received data or some other result.
- the transferred data may be any file including text, image, video, etc., to be verified.
- Results from the simulator nodes are analyzed, step 410 . Analyzing the results may include summarizing and comparing results of all parties (associated with the simulator nodes).
- a next step 412 comprises determining if all parties report on a same result.
- determining a same result may include performing a hash function on transferred data, and performing a hash function on a copy of the transferred data that was successfully received at a second simulator node (or party) from a first simulator node (or party).
- the hashes of the transferred data and the copy of the transferred data can be compared. Checking comparing hashes of the two files may help eliminate false-positives.
- a malicious attachment may be sent from someone outside of a company to someone within the company.
- a simulator node may be present in the Internet and another connected to the enterprise or company's intranet network.
- the enterprise simulator may receive the e-mail but the attachment may be removed by an email gateway product. In this case, it may be desired to verify that indeed what the Internet simulator sent was received by the enterprise simulator. However, in other embodiments, other data checking methods may be used to verify whether breached data and the transmitted copy of the breached data are the same.
- a breach is determined as unsuccessful, step 418 . Otherwise, if the two hashes are equal, the method proceeds to determine whether all parties report on a successful result at step 414 .
- the breach simulation task may attempt a connection between the first simulator node and the second simulator node. If the connection is unsuccessful, then the breach is determined to be unsuccessful, step 418 . Otherwise, a successful transmission along with all of the parties reporting on the same result leads to a determination that the breach was successful (verification of a breach), step 416 .
- Verifying an exfiltration breach scenario may include determining if a first simulator node generates a credit card (information), leaks the credit card via DNS query response and a second simulator node is able to successfully receive the DNS query result.
- a second exfiltration breach scenario may be verified by determining if a first simulator node takes a user-defined file, opens a FTP connection to a cloud instance, uploads the file, and a second simulator node is able to successfully receive the upload.
- a third exfiltration breach scenario may be verified by determining if a first simulator connects to a malware server, sends a malware client message and a second simulator node is able to successfully receive the message.
- Verifying an infiltration breach scenario may include determining if a first simulator node sends an email with a link, and a second simulator node receives the email, clicks on the link, and is able to reach an external malicious website.
- a second infiltration breach scenario may be verified by determining if a first simulator node tries to open TCP port 31337 to a second simulator node, and the second simulator node is able to receives the connection and open a socket (assuming port 31337 is not a standard port and is not allowed by the policy).
- a third infiltration breach scenario may be verified by determining if a subcontractor mobile app (first simulator node) attempts to connect to a production server (second simulator node), and the production server answers the connection (assuming this particular subcontractor should not have access to production server).
- Verifying a policy validation scenario may include determining if a first simulator node tries to open TCP port 80 to a second simulator node, and the second simulator node allows and receives the connection and opens a socket (assuming simulator nodes A and B should be segregated due to PCI Compliance).
- a second policy validation scenario may be verified by determining if a first simulator node mounts a share folder on a second simulator node, the second simulator node generates a sensitive document on the share folder, the first simulator node copies the sensitive document from the second simulator node, connects to Dropbox (or any other external system) and is able to upload the sensitive document.
- FIG. 5 presents a flowchart of a method for managing breach simulations results according to an embodiment of the present invention.
- Simulation results are aggregated, step 502 .
- the results analyzer may read the simulation results from the simulation orchestrator.
- a snapshot of currently known breaches in system is updated with the simulation results, step 504 .
- the snapshot may be an in-memory graph including simulator nodes as nodes and specific scenarios with their simulation results as edges.
- the system determines whether the snapshot has new breach scenarios or previously known scenarios that were closed (fixed). If there are no new or closed breach scenarios, no action is needed or taken, step 508 . Otherwise, new or closed breach scenarios are concluded, step 510 . New or closed breach scenarios may be concluded by searching the in-memory graph for new breaches and emit breach events for each breach it finds and identifying previously found breaches that have been closed and emits a “breach heal event” for each breach that was closed.
- FIG. 6 presents a flowchart of a method for executing a breach scenario according to an embodiment of the present invention.
- Breach scenarios are able to be executed in the form of executable workflows or graphs including malicious actions as nodes and each step may be connected to one or more further steps.
- a breach scenario is parsed, step 602 .
- the breach scenario may be parsed from a program file input, file, or data entry that models the flow of the breach scenario. Parsing the breach scenario includes extracting a graph (e.g., textual, numerical, symbolic or graphical) or flow of tasks/operations comprising action components as nodes connected together by edges and in a particular order.
- a graph e.g., textual, numerical, symbolic or graphical
- An action component may include executable code or instructions that can be written in any programming language for execution of tasks within a breach scenario by a simulation node.
- a breach scenario for simulating an attacker trying to connect to a given computer, login as an administrator, and afterward execute a FORMAT command on a disk C may include a directed graph with three nodes connected by two edges where the root node of the breach scenario is a “ConnectToComputer” action component node having a “LoginAsAdmin” child node, and the “LoginAsAdmin” action component node further includes a “FormatDiskC” child node.
- a root node is determined, step 604 .
- the root node can be used to establish a first step in a series of nodes in a breach scenario execution flow. Determining the root node may include finding a node with no parent node. Referring to the previous example, the “ConnectToComputer” action component node may be determined as the root node.
- the determined root node is set as a current node, step 606 .
- the current node may be a pointer that identifies a “visit” to a given node during a traversal of a graph of nodes (breach scenario).
- Breach point data may be comprised in a data structure (e.g., dictionary, associative array, serialized data container, hash, etc.) that includes keys and values that each action component can accept.
- the breach point data may contain values that can be accessed via keys such as IP addresses, ports, data, protocols, filenames (if applicable), and any other information that is related to a breach scenario execution flow. For example, information for running or executing action components are included in the breach point data such as a data key (e.g., breach data—an asset to leak in an exfiltration scenario).
- breach point data may include a debug key to allow for triggering number of prints in the action component for a user (such as a system administrator) to debug the action component logic.
- Breach point data may be initialized by the simulation orchestrator and provided to the root node of breach scenarios.
- breach point data may contain empty or initialized values to be received by an action component at a root node of a breach scenario.
- a return value is generated, step 610 .
- the return value may be indicative of a result of the execution of the current node.
- action component execution it may change the breach point data (e.g., by adding new keys, deleting keys, changing key values, etc.) and return a modified copy of the breach point data (the return value).
- the return value comprising the modified breach point data may be used as input for execution of a next action component in the breach scenario.
- the action component may also generate a false (or null) return value upon an unsuccessful execution (e.g., a “ConnectToComputer” action could not be completed).
- the child node may be a node connected to the root node that does not have a parent node. Alternatively, the child node may be a node that is connected to the root node and depends on the execution of the action component of the root node (e.g., uses the return value as input).
- Absence of a child node may indicate that there are no further action components remaining in the execution flow of the breach scenario for simulation. If the current node does not have a child node, the return value is generated as an output result, step 618 . A presence of a child node will set the current node to the child node, step 620 and the method may proceed to execute the new current node with the return value (modified breach point data) as the breach point data at step 608 .
- a plurality of children nodes may be connected to a current node such as when execution of a current node is followed by a condition statement or branching, that of which, a given one of the children node will be selected and set as the new current node based on a satisfied condition.
- FIG. 7 presents an interface tool for editing breach scenarios according to an embodiment of the present invention.
- the exemplary editing tool allow for users to create executable workflows/graphs for breach scenarios or modifying existing ones by changing the order of steps (nodes and edges), and/or adding new steps, and/or changing steps parameters, and/or removing already-existing steps.
- the editing tool may providing tools for adding steps, devices and other elements in a breach scenario workflow (similar to ones that may be found in engineering modeling and simulation tools).
- Breach scenarios may also be created or modified using domain specific language to describe the breach scenarios. Domain-specific languages may be able to capture both offensive and defensive security components into a workflow.
- FIGS. 1 through 8 are conceptual illustrations allowing for an explanation of the present invention.
- the figures and examples above are not meant to limit the scope of the present invention to a single embodiment, as other embodiments are possible by way of interchange of some or all of the described or illustrated elements.
- certain elements of the present invention can be partially or fully implemented using known components, only those portions of such known components that are necessary for an understanding of the present invention are described, and detailed descriptions of other portions of such known components are omitted so as not to obscure the invention.
- an embodiment showing a singular component should not necessarily be limited to other embodiments including a plurality of the same component, and vice-versa, unless explicitly stated otherwise herein.
- applicants do not intend for any term in the specification or claims to be ascribed an uncommon or special meaning unless explicitly set forth as such.
- the present invention encompasses present and future known equivalents to the known components referred to herein by way of illustration.
- Computer programs are stored in a main and/or secondary memory, and executed by one or more processors (controllers, or the like) to cause the one or more processors to perform the functions of the invention as described herein.
- processors controllers, or the like
- computer usable medium are used to generally refer to media such as a random access memory (RAM); a read only memory (ROM); a removable storage unit (e.g., a magnetic or optical disc, flash memory device, or the like); a hard disk; or the like.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computing Systems (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Virology (AREA)
- Debugging And Monitoring (AREA)
- Computer And Data Communications (AREA)
Abstract
Description
- A portion of the disclosure of this patent document contains material, which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure, as it appears in the Patent and Trademark Office patent files or records, but otherwise reserves all copyright rights whatsoever.
- 1. Field of the Invention
- The invention described herein generally relates to a computer protection system, and in particular, a system for detecting and protecting against threats from malware vulnerabilities by simulating malicious actions, analyzing the results, and applying or suggesting remediation.
- 2. Description of the Related Art
- Computing devices have increasingly become repositories for sensitive data of corporations and users. This has given rise to malicious users who try to gain access to these computing devices. Additionally, malicious users often attempt to install programs that track user interactions or utilize the computing resources of computing devices for malicious purposes. The Internet today is a breeding ground for criminal activity. Home users, small and medium businesses, international corporations and governmental bodies all suffer from constant attacks cause by malware such as viruses and Trojans. Malware, short for malicious software, is any hostile or intrusive software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems. It can appear in the form of executable code, scripts, active content, and other software.
- Malware can steal personal and corporate bank account information, steal credit card numbers, conduct distributed-denial-of-service (DDoS) attacks with the instigators then demanding money to stop the attacks—a cyber racket, create networks of Trojan proxy servers (these can be used to send spam, and for commercial gain), create zombie networks, which can be exploited in multiple ways, create programs which download and install adware to the victim machine, install Trojan dialers which will repeatedly call pay services, etc. Consequently, anti-malware software has been developed to block these malicious users from gaining access to computing devices. However, malicious users continually attempt to circumvent the protection that anti-malware software provides. Malware has gotten more sophisticated and there is thus a need for new and advanced system and methods for securing against vulnerabilities to breaches from malware.
- The present invention provides a method and system for protecting a computing system. The system comprising a memory device having executable instructions stored therein and a processing device, in response to the executable instructions, operative to allocate simulator nodes, the simulator nodes emulating operations of devices in a target system, simulate malicious action utilizing the simulator nodes, and determine that the malicious action was successful.
- The simulator nodes may include at least one of virtual machines, virtual appliances, operating environments, and physical devices. In one embodiment, the simulator nodes are configured to virtualize or clone at least one of hardware, software, cloud computing, network and communication elements. The simulator nodes may also be operable to establish communication connections.
- In another embodiment, the processing device is operative to configure a security system of the target system based on the simulation of the malicious action. The security system may also include one or more security controllers. In a further embodiment, the one or more security controllers includes at least one of firewall products, antivirus products, endpoint security products, web application firewall (WAF) products, access control list (ACL) features of network products (e.g., switches, routers, proxies and etc.), data leakage prevention (DLP) products, mobile device management (MDM) products, mobile access management (MAM) products, and content inspection products.
- The processing device of the system may be further operable to configure the security controller, and re-simulate the malicious action. The malicious action may comprise a breach scenario. The breach scenario may include a plurality of operations performed by the simulator nodes. According to another embodiment, the processing device of the system is further operable to update a snapshot of currently known breaches with the determination that the malicious action was successful, the snapshot comprising a graph including nodes representative of simulator nodes and edges representative of specific scenarios and simulation results of the specific scenarios, determine whether the snapshot has new breach scenarios and previously known scenarios that have been fixed, and conclude the new breach scenarios and the previously known scenarios that have been fixed by searching the graph.
- In another aspect, the system for protecting a computing system comprises a memory device having executable instructions stored therein and a processing device, in response to the executable instructions, operative to prepare breach simulation tasks by reading configurations for types of breach scenarios and preparing a list of tasks to be simulated, send breach simulation tasks to simulator nodes, the simulator nodes simulating parties involved in the types of breach scenarios, execute the breach simulation tasks on the simulator nodes, receive results from the simulator nodes, determine that the parties report on a same result, determine that the parties report on successful results, and identify a successful breach based on the parties report on the same result and the parties report on the successful results.
- The parties may include at least one of client devices and servers. According to one embodiment, the processing device is further configured to determine proper execution of the breach simulation tasks, and verify data received by the parties and data transmitted from the parties are consistent with a breach. In another embodiment, the processing device is further configured to verify the data received by the parties and the data transmitted from the parties are identical. The breach scenarios may comprise sequences of moves executed on the simulator nodes with specific configurations and data assets. The processing device may be further configured to send the breach simulation tasks to the simulator nodes by generating one or more virtual devices configured to perform the breach simulation tasks. Breach simulation tasks may include data transfers, file modifications, change in system configuration, and changes to access permissions. The results received from the simulator nodes may include a hash of transferred and received data.
- According to another aspect, the system for protecting a computing system comprises a memory device having executable instructions stored therein and a processing device, in response to the executable instructions, operative to parse a breach scenario file, the breach scenario file comprising a graph including action component nodes connected by edges, determine a root node from the action component nodes, execute the root node with breach point data, generate a root node return value based on the execution of the root node, the root node return value including a modified copy of the breach point data, determine children nodes from the action component nodes connected to the root node, execute the children nodes wherein each execution of the children nodes produces children node return values for a subsequent one of the children nodes, and return a final return value from the execution of the children nodes.
- The root node return value may be representative of a result from the execution of the root node. According to another embodiment, the processing device is further configured to generate the root node return value by modifying the breach point data. In a further embodiment, the processing device is further configured to modify the breach point data by at least one of adding new keys, deleting key, and changing key values. Certain embodiments may include the processing device further configured to generate the root node return value by generating a false return value upon an unsuccessful execution of the root node. Action component nodes may include executable instructions for execution of breach tasks. The processing device can also be further configured to establish the root node as a first step among the action component nodes. The breach point data may comprise a data structure including keys and values and generally includes information for executing the action component nodes. The values can contain Internet protocol (IP) addresses, ports, data, protocols, and filenames that are accessible by the keys.
- Embodiments of the present invention may be used to protect systems against malicious actions. Additionally, embodiments of the present invention can quantify risk by identifying what types of malicious actions are possible on a system and their impact. Further, system administrators may validate security controllers and determine which security controllers are effective or ineffective in providing protection to a system.
- The invention is illustrated in the figures of the accompanying drawings which are meant to be exemplary and not limiting, in which like references are intended to refer to like or corresponding parts, and in which:
-
FIG. 1 illustrates a computing system according to an embodiment of the present invention; -
FIG. 2A illustrates a configuration platform system according to an embodiment of the present invention; -
FIG. 2B illustrates an orchestration platform system according to an embodiment of the present invention; -
FIG. 2C illustrates a data platform system according to an embodiment of the present invention; -
FIG. 2D illustrates an execution platform system according to an embodiment of the present invention; -
FIG. 2E illustrates a client system according to an embodiment of the present invention; -
FIG. 3 illustrates a flowchart of a method for protecting a computing system according to an embodiment of the present invention; -
FIG. 4 illustrates a flowchart of a method for preparing a breach simulation for verification according to an embodiment of the present invention; -
FIG. 5 illustrates a flowchart of a method for managing breach simulation results according to an embodiment of the present invention; -
FIG. 6 illustrates a flowchart of a method for executing a breach scenario according to an embodiment of the present invention; and -
FIG. 7 illustrates an interface tool for editing breach scenarios according to an embodiment of the present invention. - Subject matter will now be described more fully hereinafter with reference to the accompanying drawings, which form a part hereof, and which show, by way of illustration, exemplary embodiments in which the invention may be practiced. Subject matter may, however, be embodied in a variety of different forms and, therefore, covered or claimed subject matter is intended to be construed as not being limited to any example embodiments set forth herein; example embodiments are provided merely to be illustrative. It is to be understood that other embodiments may be utilized and structural changes may be made without departing from the scope of the present invention. Likewise, a reasonably broad scope for claimed or covered subject matter is intended. Among other things, for example, subject matter may be embodied as methods, devices, components, or systems. Accordingly, embodiments may, for example, take the form of hardware, software, firmware or any combination thereof (other than software per se). The following detailed description is, therefore, not intended to be taken in a limiting sense.
- Throughout the specification and claims, terms may have nuanced meanings suggested or implied in context beyond an explicitly stated meaning. Likewise, the phrase “in one embodiment” as used herein does not necessarily refer to the same embodiment and the phrase “in another embodiment” as used herein does not necessarily refer to a different embodiment. It is intended, for example, that claimed subject matter include combinations of exemplary embodiments in whole or in part.
- The following describes certain terminology that are referred to in the present application:
- a malicious action—as used herein, is generally intended to include an action executed by an attacker as part of a breach scenario;
- breach scenario (or simply referred to as a breach)—as used herein, is generally intended to include one or more malicious actions that represent a scenario that was found successful from an attacker point of view (e.g., by playing a sequence of moves in a scenario on one or more defined devices) and violating a security policy;
- scenario—as used herein, is generally intended to include a sequence of playbook moves executed over specific devices (e.g., by simulation) in attempt to violate a security policy (e.g., from device A, exploit operating system (OS) vulnerability on device B to run a remote process that will read finance report file from the local disk, encrypt it using some given key, and send it as attachment by using Gmail Simple Mail Transfer Protocol (SMTP) service to a given email address);
- playbook move (or simply referred to as a move)—as used herein, is generally intended to include a sequence of building blocks that could be executed by an attacker on a single device or between a plurality of devices (e.g., encode a file using base64 encoding, and send it over Transmission Control Protocol (TCP) port 80 to an external server on the Internet;
- building block—as used herein, is generally intended to include an action that could be executed by an attacker (e.g., open TCP socket to specific server on specific port);
- device—as used herein, is generally intended to include anything that is capable of executing or running a code, programming instructions (examples of devices include desktop computers, laptop/notebook computers, mobile devices, smartphones, servers, printers, routers, etc.);
- asset—as used herein, is generally intended to include any digital file or data that is considered proprietary by the company, and should be protected (examples of assets include employees details and human resources (HR) records, customers' credit card records, customers' personally identifiable information (PII), code, financial records, internal documents, company emails, partners records, etc.);
- security policy—as used herein, is generally intended to include constraints on data, flow and access of a party's or individual's digital assets and systems;
- fix recipe (or remedy)—as used herein, is generally intended to include a configuration or an action that could be taken by a system administrator of a system in order to prevent a playbook move from succeeding. Each move can have any number of fix recipes. An example of a fix recipe may include adding a rule to a firewall to block a port between two sub networks;
- red, green, blue—as used herein, is generally intended to refer to describing for example, red describes the attacker side, green describes the attacked side, and blue describes a fix;
- security campaign—as used herein, is generally intended to include a set of configurations that describes a subset of a security policy and assets, for which there is a business/personal driver to analyze and protect.
- threat level—as used herein, is generally intended to describe a sophistication level of an attacker that is needed in order to perform a playbook move. A higher threat level may indicate a lower sophistication (e.g., a non-sophisticated attacker that is capable of carrying out a move imposes a high level of threat to a system); and
- accepted risk—as used herein, is generally intended to refer to a playbook move that is acceptable by the system administrator or end-user of a system and will not be blocked (e.g., an open share folder on a network server to which there is access from the corporate subnet).
- The present invention according to embodiments described herein provide a protection system(s) and methods of using thereof for predicatively detecting and preventing threats such as data breaches, malware, compliance violation and any security event that could be described through a workflow. Specifically, the systems and methods simulate breach scenarios and hacker activity to detect system vulnerabilities. Simulations of breach scenarios and hacker activity may be created by building and running attack workflows, compliance/policy validation workflows, malware simulation or any other security events. Breach scenarios may be created to effectively simulate the actions of a malicious user or hacker. Scenarios may employ one or more simulator nodes or devices within and/or without a network (e.g., of a company) to execute scenarios and report potential vulnerabilities. The scenarios may be carried out at the application-layer but may also be implemented on lower layers of the Open Systems Interconnection (OSI) model.
- The protection system can be configured to simulate malicious actions, analyze the results, and apply or suggest remediation. By doing so, a system administrator of a computing system can get a true picture of open breaches in their system and quickly fix them. According to embodiments of the present invention, system administrators may create, edit, and configure breach scenario workflows and “play” them within any network, end point or application. A simulation playbook, suite, package, or menu may be updated with new scenarios created by a provider of the protection system, third party vendors and by end-users. The protection system can generate virtual appliances, control devices, configure system behavior and settings and be deployed within a networked computing environment; however, the technology is not limited to network-based scenarios and can be deployed on a PC, mobile device and cloud applications as well. Additionally, the malware system may be either an enterprise business product or a consumer personal product.
-
FIG. 1 presents a computing system according to an embodiment of the present invention.Computing system 100 provides for malware protection services, and operation of thecomputing system 100 can be employed (or one or more components of thecomputing system 100 may be implemented or deployed) on a target system to be protected. A target system may be a single client device, a network of client devices, one or more servers, databases, networking equipment, printers, or any device and combinations thereof. Client devices may comprise computing devices (e.g., desktop computers, television set top boxes, terminals, laptops, personal digital assistants (PDA), cell phones, smartphones, tablet computers, e-book readers, or any computing device having a central processing unit and memory unit capable of connecting to a network). Client devices may also comprise a graphical user interface (GUI) or a browser application provided on a display (e.g., monitor screen, LCD or LED display, projector, etc.). A client device may vary in terms of capabilities or features. A client device may also include or execute an application to communicate content, such as, for example, textual content, multimedia content, or the like. A client device may also include or execute an application to perform a variety of possible tasks, such as browsing, searching, playing various forms of content, including locally stored or streamed video, or games. A client device may include or execute a variety of operating systems, including a personal computer operating system, such as a Windows, Mac OS or Linux, or a mobile operating system, such as iOS, Android, or Windows Mobile, or the like. A client device may include or may execute a variety of possible applications, such as a client software application enabling communication with other devices, such as communicating one or more messages, such as via email, short message service (SMS), or multimedia message service (MMS), including via a network, such as a social network, including, for example, Facebook, LinkedIn, Twitter, Flickr, or Google+, to provide only a few possible examples. - Servers, as described herein, may vary widely in configuration or capabilities but are comprised of at least a special-purpose digital computing device including at least one or more central processing units and memory. A server may also include one or more mass storage devices, one or more power supplies, one or more wired or wireless network interfaces, one or more input/output interfaces, or one or more operating systems, such as Windows Server, Mac OS X, Unix, Linux, FreeBSD, or the like. A server is operative to receive requests from client devices and/or other servers and process the requests to generate responses across one or more networks.
- A network, as described herein, may be any suitable type of network allowing transport of data communications across thereof. The network may couple devices so that communications may be exchanged, such as between servers and client devices or other types of devices, including between wireless devices coupled via a wireless network, for example. A network may also include mass storage, such as network attached storage (NAS), a storage area network (SAN), cloud computing and storage, or other forms of computer or machine readable media, for example. In one embodiment, the network may be the Internet, following known Internet protocols for data communication, or any other communication network, e.g., any local area network (LAN) or wide area network (WAN) connection, cellular network, wire-line type connections, wireless type connections, or any combination thereof.
- Referring to
FIG. 1 , thecomputing system 100 comprises aconfiguration platform 102,orchestration platform 104,data platform 106,execution platform 108, andclient 110.Configuration platform 102 may be configured as a storage container where the other platforms are able to communicatively connect withconfiguration platform 102 to read data such as system configuration data and knowledgebase data. Theconfiguration platform 102 may expose application program interfaces (APIs) for create, read, update and delete (“CRUD”) operations on the data.FIG. 2A presents the configuration platform system according to an embodiment of the present invention.Configuration platform 102 comprisesknowledgebase module 202,configuration module 204,user interface server 206, anddatabase 208.Configuration module 204 comprises an interface operable to read and write (into database 208) configuration aspects of the system including users and roles, security policies, data assets, live notifications setting, user preferences, etc.Knowledgebase module 202 comprises an interface operable to read and write (into database 208) simulation and prevention knowledge of the system such as breach scenarios and fix recipes. Remediation history may also be stored intodatabase 208 byknowledgebase module 202. Theknowledgebase module 202 may be configured for consumption byorchestrator platform 104 for generating simulation tasks and fix tasks. -
User interface server 206 is operable to serveclient 110 to a web browser on a client device (of a system administrator or end-user) and provides at least a login process. Client may be a mobile client, a WINDOWS client, or a Web client, and so on. New scenarios and fix recipes may be updated via anupdate system 210.Update system 210 may be hosted as a cloud service or on a server that can be accessed automatically (e.g., “auto update” mode), semi-automatic (e.g., “update now” button), and/or manually (e.g., download update file and upload it manually into database 208).Update system 210 may provide scenario workflows and fix recipes that can be downloaded (e.g., as a subscription or for free) from a provider of the protection system, private hackers or from third party vendors. Services provided byupdate system 210 may be consumed byknowledgebase module 202. Alternatively, end-users may create new scenarios in an editor tool in a user interface (described in further detail with respect to the description ofFIG. 7 ), or via an API. -
FIG. 2B presents an orchestration platform system according to an embodiment of the present invention.Orchestration platform 104 may be configured to serve as a task manager between various components of thecomputing system 100. Exemplary functions oforchestrator platform 104 include generating simulation tasks, analyzing breach events and generating remediation tasks.Orchestration platform 104 comprisessimulation orchestrator 212 and fixorchestrator 222.Simulation orchestrator 212 is operable to generate red and/or green tasks. - The
simulation orchestrator 212 may be configured to read scheduling configuration from theconfiguration module 204 and breach scenarios from knowledgebase data from knowledgebase module 202 (e.g., via APIs). A scheduler may “wake” thesimulation orchestrator 212 every time a campaign should run. That is, the scheduler can determine when to run tasks related to specific campaigns and notify thesimulation orchestrator 212. -
Simulation orchestrator 212 may also manage processes associated with generating tasks by delegating to a breach generator and a task maker, and sending simulation tasks from the task maker to theexecution platform 108. Thesimulation orchestrator 212 may also expose an external API for controlling tasks such as running and halting one, a plurality, or all tasks.Simulation orchestrator 212 may be configured to call the breach generator and instruct it to generate simulations required for a given campaign. The breach generator is operable to read security policy and campaign configuration from the configuration module 204 (e.g., via API), read scenarios from knowledgebase module 202 (e.g., via API), and generate a matrix of simulations to be run or executed. Based on a list of simulator nodes and campaign settings read from theconfiguration module 204 and based on the scenarios read from theknowledgebase module 202, breach generator is able to generate a list or matrix of simulations to run. An example of a simulation may be to “use asset X in scenario Y, and run it on simulator nodes A and B.” The breach generator may then return the list of simulations tosimulation orchestrator 212. - The
simulation orchestrator 212 may then call the task maker and instruct it to generate tasks for the list of simulations. The task maker is operable to receive simulations from the breach generator, read data assets from the configuration module 204 (e.g., via API), and compile red and green scenarios as tasks based on the simulation matrices and data assets. The task maker uses assets it reads fromconfiguration module 204 and the data in the list to compile and generate tasks that can run on the simulator nodes. The tasks may then be returned to thesimulation orchestrator 212 of which they can be sent to an execution manager (on execution platform 108) for execution. -
Fix Orchestrator 222 is operable to generate blue tasks. According to one embodiment, fixorchestrator 222 includes learning features that attempt a remediation and re-run simulations in order to find the right remediation for a breach (which is described in further detail regarding the description ofFIG. 8 ). Similar to the operation ofsimulation orchestrator 212,fix orchestrator 222 may operate as a manager for processes associated with generating tasks forfix orchestrator 222 by delegating to a decider, a fix generator and a task maker (which may or may not be the same task maker as described for simulation orchestrator 212), and sending fix or remediation tasks generated by the fix generator to theexecution platform 108. - A task manager may read breach events from a queue and call a decider to decide a remedy. For example, a breach event is read from the queue which indicates that a breached node A opens port 21 and sends malware via FTP to node B. Node B is able to activate malware locally and the malware reads local file (asset) and sends it via email to an unknown Gmail account. The queue may be, but not limited to, a communication system that transfers data associated with one or more events between components inside a computing device, or between computing devices and systems. The queue covers all related hardware components (wire, optical fiber, memory, etc.) and software, including communication protocols.
- The decider may be configured to receive the breach events from
fix orchestrator 222. The decider is able to read remediation history and fix recipes fromdata platform 106, and based on the history data and the fix recipes, the decider is able to decide on a remedy to attempt (next remedy if a previous remedy was attempted and unsuccessful based on the remediation history). The decider may call the fix generator to decide how to implement a given remedy. - The fix generator is able to read configuration data from the configuration module 204 (API) and the decision from the decider, and determine how to implement the remediation with a fix recipe. For example, the decider may send a decision to the fix generator for blocking port 21 between two specific segments in the firewall. The fix generator may generate a fix recipe including a configuration file for a CISCO firewall on the target system and provide instruction(s) to deliver the configuration file via syslog. The fix recipe may then be sent to the task maker. The task maker is operable to “wrap” the fix recipe generated from the fix generator into a fix task that can run in a given gateway node. Fix orchestrator 222 may receive the fix task and send it to an execution manger (on execution platform 108) for implementation. For example, task maker receives an instruction from the fix generator that a Cisco configuration file is to be sent to a target system via syslog. The task maker may generate a task addressed to the right syslog gateway with all the needed parameters for the target system.
- Upon performing a fix task by an execution manager, a fix event may be emitted to the queue. Fix
orchestrator 222 is also able to read fix events from the queue and communicate them to decider. The decider decides if and which simulations have to re-run (to verify functionality of a fix task) and returns a response to fixorchestrator 222. Fix orchestrator 222 may callsimulation orchestrator 212 of thesimulation orchestrator 212 and instructs it to re-run a given scenario corresponding to a fix task. -
FIG. 2C presents a data platform system according to an embodiment of the present invention.Data platform 106 may be configured to aggregate and expose business data and intelligence to other components and/or platforms of thecomputing system 100. The business data and intelligence may include techniques and tools for the transformation of simulation results and breach events into meaningful and useful information for analysis purposes. Thedata platform 106 may analyze raw simulation events from the queue, identify full breach scenarios, and identify or produce breach scenario events. In one or more embodiments,data platform 106 may further provide reporting, online/cloud analytical processing, analytics, data mining, process mining, complex event processing, benchmarking, predictive analytics and prescriptive analytics. -
Data platform 106 includesresults analyzer 232,notifications module 234,reports manager 236, realtime data manager 238, anddatabase 240. Results analyzer 232 is operable to read simulation results (produced by execution platform 108) from the queue, update an in-memory graph, and search the graph for new breaches or existing breaches that were fixed. The in-memory graph may include simulator nodes as nodes on the graph and specific scenarios with their simulation results as edges. For example, an edge between two simulator nodes A and B can represent a successful simulation that sent asset X using scenario Y. Results analyzer 232 is able to perform searches on the graph to find new breaches and emit breach events for each breach it finds. For example, breached simulator node A can execute code on simulator node B using scenario X; node A can then take asset Y from node B, and send it to the Internet represented by node C using scenario Z. Results analyzer 232 is also able to perform searches on the graph to see if previously found breaches are now closed and emits a “breach heal event” for each breach that was closed. - For every such breach that was found or fixed, results analyzer 232 writes them to the
database 240 and emits breach events to the queue. In addition, results analyzer 232 may write raw simulation events or data to thedatabase 240.Notifications module 234 is operable to reads notifications configurations from the configuration API (configuration module 204), read breach events from the queue, and create notifications. Notifications may be published via SMS or email, or exposed to a user interface (e.g., user interface server 206) via an API.Reports manager 236 may be configured to generate business reports as requested via an API, or automatically by a scheduler, in which case it may publish reports via email. Various types of business reports may be generated including impact reports, trends reports, and technical reports. - Impact reports can describe business impacts from certain malicious activities. Examples of impacts may include leaked credit cards, breached active directory, infiltration into the organization, etc. An impact report may include a current state per impact described by, for example, a number of breach scenarios, surface of attack, and impact magnitude. The number of breach scenarios may indicate how many different breach scenarios exist to create the impact. Surface of attack may be a statistical measurement of the number of successful actions out of a total number of actions (e.g., malicious activities) simulated for the different breach scenarios. The impact magnitude can indicate a measure or size of an impact under one or more breach scenarios. For example, an impact magnitude for a hacker leaking credit card numbers may be calculated by a number of credit card numbers that could be leaked by successful breach scenarios. Under a first breach scenario, 10 thousand card numbers may be at risk while under a second breach scenario, 100 thousand card numbers may be at risk. Using a worst-case scenario, the impact magnitude may be a maximum number of card numbers at risk between the two breach scenarios (100 thousand card numbers at risk).
- A trends report may show trends per impact item. Trends may be shown by a chart, graph or visualization of data points over a period of time such as for number of breach scenarios, surface of attack, and impact magnitude.
- Technical reports may show a breakdown (e.g., using histograms) of successful actions into different parameters. Exemplary parameters include protocol (what protocol was used, e.g., SSH, TCP, HTTP, SMTP, etc.), attacker level (what level of sophistication is required to carry the action, e.g., script kiddy, cyber crime, state backed organization), and approach (e.g., malware, brute force, exploit, etc.). The technical reports may be filtered by specific actions prior to generating a breakdown, for example, show only actions related to data leak.
- Real
time data manager 238 may be configured to expose real time data of thecomputing system 100 to one or more components or platforms. The real time data manager is capable of reading events from the queue in addition to some of the aggregated data in thedatabase 240 to generate the real time data and expose the data in an API. Examples of real time data may include the running of simulations, fixes, updates, etc. Real time data may be utilized by components such as a dashboard in theclient 110. -
FIG. 2D presents an execution platform system according to an embodiment of the present invention.Execution platform 108 may be configured to perform the execution of or running of tasks received fromsimulation orchestrator 212 and fixorchestrator 222. According to one embodiment, components withinexecution platform 108 may create simulator nodes, manages the nodes' resources, run simulations and execute fixes. A simulator node, as used herein, may refer to an instance of a virtual machine, virtual appliance, operating environment, agent, client, server, a physically installed device or any other emulation device or system that is capable of virtualizing and/or cloning devices, hardware, software, cloud computing, network and communication elements, etc. -
Execution platform 108 includesexecution manager 250,gateway node interface 252, andsimulator node 254.Execution manager 250 can be configured to provide for the management of simulation and fix tasks. Theexecution manager 250 may expose an API that is consumed by theorchestrator platform 104 that allows for adding tasks, stopping a task, or stopping all tasks at theexecution manager 250.Execution manager 250 may utilize a queue to add and remove pending simulation and fix tasks. -
Execution manager 250 is operable to add simulation tasks received fromsimulation orchestrator 212 into a simulation task queue. Theexecution manager 250 is further capable of allocating simulator node resources.Simulator node generator 254 may be configured to accept simulation instructions fromexecution manager 250 and execute the simulation instructions. Specifically,simulator node generator 254 may generate or allocate one or more simulator nodes to simulate a scenario according to the simulation instructions. A simulator node could be deployed as a virtual appliance, agent (e.g., as a Linux daemon on a server in production or as a service on a Windows PC in the corporate network), appliance (hardware), or application (e.g., on a mobile device). Simulator nodes may be deployable to one or more computers or devices connected via one or more communication networks. Additionally, simulator nodes may also be distributed in different locations of a network in a target system so thecomputing system 100 can simulate complex attacks that move between various locations. - When simulator nodes are available for simulation of a given task, the
execution manager 250 may pop the task from the queue and send red (attack) and green (receiving attack) instructions to the respective simulator nodes. A given simulator node may run an interpreter for the simulation instructions and utilize a library bundle that helps run the simulation instructions. Tasks on simulator nodes may lock the simulator nodes for new tasks which can be managed by theexecution manager 250. Upon or during simulation,execution manager 250 may send statistic events to the queue which may be consumed by a real time data API (real time data manager 238) and reported to a dashboard (as e.g., “now running simulations”). In each simulation, each simulator node carries out its instructions. A node can act as a red side (attacker) or a green side (being attacked). - For example, a red simulator node may read a file from the disk, take the first four bytes, encode it using base64 encoding, try to open a port to the green simulator node and send those bytes to the open port using telnet. At the same time, the green simulator node listens on port 23 waiting for transmission. Once received, the green simulator node decodes the data using base64. At the end of a simulation, each node may report back its results to
execution manager 250 andexecution manager 250 may transmit a simulation result event to the queue of which, the simulation result may be consumed by theresults analyzer 232. Using the same example, the red simulator node may send a hash of the four bytes that were sent to the green side toexecution manager 250. The green simulator node may send a hash of the data it decoded to theexecution manager 250.Execution manager 250 may compares both hashes and decide whether the simulation succeeded (the hacker managed to send the data), or failed. -
Gateway node interface 252 is operable to provide gateways (nodes) to third party systems associated with a target system such as firewalls, data lost prevention (DLP) systems, a syslog server, an email server, short message service (SMS) gateway, etc. Thegateway node interface 252 is able to run interpreters for gateway instructions and utilize a library bundle that helps run the gateway instructions. Gateway nodes may be distributed in different locations of the network to allow connectivity to the third party systems involved. A gateway node may be deployed as a virtual appliance, agent, or appliance (hardware), etc. In another embodiment, gateways may also be provided as cloud (service) gateways to services like email, SMS, etc., that can be consumed by gateway nodes in the execution platform in order to fulfill their requirements. When a relevant gateway node for a fix task is available,execution manager 250 may pop the fix task from a fix task queue and send it to the gateway node. Gateway nodes may send results toexecution manager 250, andexecution manager 250 may write fix events to the queue. - According to one embodiment, the
execution platform 108 may be configured, deployed, or on the premises of the target system where resources of the target system may be used to perform the simulations and fixes. In an alternative embodiment, one or more components of the execution platform 108 (e.g., execution manager 250) may be embodied on a target system as a cloud service such that simulations may be performed on a cloned version of the target system on a cloud computing system and fixes may be transmitted to the actual target system based on the simulation on the cloned target system. In a further embodiment, one or more instances of the components (e.g., execution manager 250) of theexecution platform 108 may be deployed in a plurality of locations, a plurality of target systems or within a given target system. -
FIG. 2E presents a client system according to an embodiment of the present invention.Client 110 may be a server or cloud implementation configured to provide a main interface of thecomputing system 100 used for accessing analytics and configurations. Theclient 110 includesscenario editor module 260,system configuration module 262,alerts module 264, andanalytics module 266. Modules (one or more of which may be user interfaces) withinclient 110 may be provided for a user to interact with thecomputing system 100. Theclient 110 may be provided to the user via a website or via a networked application installed on the target system. -
System configuration module 262 may provide for the viewing and setting of the configuration of the system (e.g., corresponding to configuration module 204) such as users and role, security campaigns configuration, assets, etc.Alerts module 264 may be a user interface component operable to provide real time alerts that require the attention of a user.Analytics Module 266 may further includedashboards module 270 andreports module 268. Thedashboards module 270 may provide real-time information or status. Reports module may provide answers to questions such as “what is the threat level that I'm currently facing in regards to my customers' credit cards data?” “what is the trend of the security level of R&D code in the last 6 months?” “is my PCI environment fully compliant with PCI standards? if not, what specifically has to be fixed?” and “is my system immunized against the same breach X that was recently published in the news in company Y?Scenario Editor module 260 is operable to allow system administrators or end-users create their own scenarios and add them to a playbook that can be simulated in their environment (target system). - According to embodiments of the present invention,
computing system 100 may be deployed as a full on-premises solution, full cloud (SaaS) or hybrid. That is, one or more of the platforms and components described inFIG. 1 through 2E may be deployed, installed, or otherwise located at the target system (and installed on one or more devices within the target system), on a remote server or on a cloud platform. The platforms and components in different platforms can run as separate processes on the same server, or separated onto different servers. Furthermore, one or more instances ofcomputing system 100 or its components (such as execution platform 108) may exist in a deployment for a target system. A first example may includeconfiguration platform 102,orchestration platform 104 anddata platform 106 provided on a cloud whileexecution platform 108 will be on premises of the target system. A second example may includeconfiguration platform 102 andorchestration platform 104 provided on a cloud whiledata platform 106 andexecution platform 108 will be on premises of the target system. In a third example,configuration platform 102 may be provided on a cloud whileorchestration platform 104,data platform 106 andexecution platform 108 will be on premises of the target system. -
FIG. 3 presents a flowchart of a method for protecting a computing system according to an embodiment of the present invention. The method provides for breach protection on a target system by simulating scenarios and using predictive prevention. Examples of possible scenario genres that can be simulated include exfiltration, infiltration, and policy validation. Deployment of the method (and associated system) may be carried out based on the need as a virtual appliance, in singular or multiple locations, within the network (corporate, production, and etc.) or externally when the goal is to simulate infiltration or external breach scenarios. To run a scenario, a user may be required to specify one or more simulation options such as what family of scenarios the user would like to use (e.g., data exfiltration, infiltration, malware, compliance or any other) and what internal or external simulator nodes should be part of the simulation. A user may be an end-user, a computer administrator, IT professional, or management personnel. For policy/compliance validation the user can define the policy to validate (e.g., access to a server only via virtual private network (VPN) or allow a remote user to access production only through a terminal server). For data exfiltration a user may be able to define what is confidential content by means of uploading actual templates and information into a simulator node (e.g., MS Word, source code, code names of products, etc.), by choosing dynamic real-time generators such as a fake person name, fake credit card, fake email, and etc., by choosing out of predefined data samples, or any combination thereof. - The method attempts to resolve breaches by systemically simulating breach scenarios and trying to apply different security controllers and configurations until a security policy is enforced. A simulation is started,
step 302. The simulation may be configured according to simulation options selected by the user and started either on-demand, periodically as scheduled, in response to an update, or in response to a high threat warning that may be received from a provider of a protection/security system. Starting the simulation may include initializing or generating simulator nodes. The simulator nodes may be virtualized devices, systems, or cloud services, for example. Simulation can occur on a single node or between multiple nodes. In simulations including multiple simulator nodes, connections between the simulator nodes may also be established. The simulation may include processes and/or communications between one or more devices or of a single device connected to a network system/cloud service. A simulator node may connect to another simulator node as a proxy, or will try to access the Internet and reach an external entity. - Malicious action is simulated,
step 304. The malicious action may be simulated on one or more devices (internal or external) via the simulator nodes. The simulated malicious action may comprise a breach scenario including one or more steps that contribute to a result that is harmful to the user or owner of the target system. According to one embodiment, multiple malicious actions may be simulated simultaneously. The system determines whether the malicious action was successful executed,step 306. Validation of successfully executed malicious action may be determined by any number of ways including determining the success of establishing a connection, determining the success of sending and receiving a series of data packages (e.g., reaching a certain state in the server-side), and applying metadata facts (e.g., check-sum, file size, regular expression, and etc.) sent over an encrypted out-of-band channel from one simulator node to another. - If the malicious action was not successful, the target system is rated as currently safe from the simulated malicious action,
step 308. Otherwise, if the malicious action was successful, a breach is reported,step 310 and the protection system determines whether a security configuration is available to protect against the malicious action,step 312. The protection system may include one or more security controllers. Security controllers may be any product (technology) able to detect and mitigate one or more malicious actions that are executed as part of a breach scenario. Examples of security controllers include, but not limited to, firewall products, antivirus products, endpoint security products, web application firewall (WAF) products, access control list (ACL) features of network products (e.g., switches, routers, proxies and etc.), data leakage prevention (DLP) products, mobile device management (MDM) products, mobile access management (MAM) products, and content inspection products. - If a security configuration is available, a determination is made whether the configuration has been previously attempted,
step 314. Previously attempted security configurations may be passed on and the method continues to determine if there are other security configurations that can protect against the malicious action. A lack of security configurations to protect against the malicious action may result in the method to continue on to simulating other malicious actions atstep 302. However, if a security configuration is available that has not been previously attempted, the security controller is configured to protect against the malicious action,step 316. Configuring the security controller may include offering a mitigation path (manual or automated). Implementing a security configuration may include connecting to the security controller and configuring the security controller according to a specific security configuration. A given security controller may be selected and configured to resolve a vulnerability exposed by the simulation of the malicious action. In some embodiments, configuring a security controller may include displaying a recommendation on how to prevent the breach on a target system using a specific security controller product and providing an example configuration using the specified product, that once applied, will prevent the breach. A product may be made available for download or purchase to prevent the breach. - The method may repeat looping through one or more simulations to ensure that malicious action vulnerabilities are continuously detected and protected against at 302. For example, the system may re-simulate the malicious action to determine if the malicious action has been prevented against. Additionally, the method may re-simulate malicious actions with up-to-date security configurations (e.g., from updates to security software, etc.) where there were no security configurations to protect against in a previous simulation.
-
FIG. 4 presents a flowchart of a method for preparing a breach simulation for verification according to an embodiment of the present invention. The method allows for the verification of a breach by determining proper execution of breach tasks and whether data received and transmitted from all parties involved in a breach are consistent with a breach. For example, data that was sent from one device to another is verified whether the data is received as is (e.g., identical, the same, equal or substantially similar). Breach simulation task(s) are prepared by the simulation orchestrator,step 402. Preparing the breach simulation task(s) may include reading a configuration for a specific breach scenario type and preparing a list of tasks to be simulated, taking into account one or more moves in a playbook, one or more configured data assets, and simulator nodes in the system, etc. A breach scenario may comprise a sequence of one or more moves applied on the simulator nodes with specific configurations, data assets, etc. The simulation orchestrator can prepare tasks for all participating parties (characterized by simulator nodes) involved in a given simulation. A simulation can occur on a single simulator node or between multiple simulator nodes. - The following are exemplary breach scenarios that may be simulated according to the embodiments of the present invention:
- Scenario 1.1—Activation/Update
- Network
- Malware connects to a server (that also may, or may not be the command and control server) and downloads a configuration file. The protocol and configuration file format may vary, depends on the malware type and version.
- Simulator A will simulate an infected computer with malware installed on it. Simulator B will simulate a server that is serving malware configuration file. Simulator A will try to connect to Simulator B via HTTP protocol and download the malware configuration file.
- Scenario 1.2—Phoning home/Command and Control Channel
- Network
- When a malware wants to communicate with the attacker and to transmit back stolen credential or files, it will use a command and control channel that was setup for this purpose. The command and command channel may vary, depends on the malware type and version.
- Simulator A will simulate an infected computer with malware installed on it. Simulator B will simulate a command and control channel server. Simulator A will try to connect to Simulator B via FTP protocol and upload an encrypted file that contains screenshots & logged keystrokes from the infected computer.
-
- [or]
Simulator A will simulate an infected computer with malware installed on it. Simulator B will simulate a command and control channel. Simulator A will try to connect to Simulator B via IRC protocol and wait in an IRC channel for further commands from a “bot herder”/attacker. - [or]
Simulator A will simulate an infected computer with malware installed on it. Simulator B will simulate a command and control channel. Simulator A will try to connect to Simulator B via sending crafted ICMP ECHO_REQUEST packets and wait for further commands from the bot herder/attacker via crafted ICMP ECHO_REPLY packets.
- [or]
- Scenario 1.3—Stash Creation
- Local
- When a malware is installed, it will create one or more files and/or directories and use it to store stolen credentials, keystrokes logging, screen captures and etc. before it will send it back to the attacker via the command and control channel. The file and directory names and locations on the file system may vary, depends on the malware type and version.
- Simulator A will simulate an infected computer with malware installed on it. Simulator A will attempt to create one or more of the following hidden files and/or directories:
-
TABLE 1 File Description C:\WINDOWS\system32\sdra64.exe Trojan binary C:\WINDOWS\system32\lowsec\local.ds Contains the stolen data C:\WINDOWS\system32\lowsec\user.ds Contains the encrypted config - Scenario 1.4—Infection/Running
- Network & Local
- When a malware is installed, it will create one or processes for it to run, or, alternatively it will try to inject itself into another running processes in the system. In addition, malware may change system configuration in order to force the user to go through its filters/processes. The injection/creation method and processes names may vary, depends on the malware type and version.
- Simulator A will simulate an infected computer with malware installed on it. Simulator A will create a dummy process called SVCHOST.EXE. Simulator A will attempt to inject a code into the dummy process called SVCHOST.
-
- [or]
Simulator A will simulate an infected computer with malware installed on it. Simulator A will create a dummy process called SVCHOST2.EXE. - [or]
Simulator A will attempt to modify the HOSTS file and add a dummy malicious entry (e.g., resolve evil.com to 1.2.3.4).
- [or]
- Scenario 1.5—Abusing
- Network
- Some malwares turn the computer that they are installed on into a “zombie” or “bot” that is part of a botnet. A botnet may be a collection of Internet-connected programs communicating with other similar programs in order to perform tasks. This can be as mundane as keeping control of an Internet Relay Chat (IRC) channel, or it could be used to send spam email or participate in distributed denial-of-service attacks.
- Simulator A will open an email account (e.g., Google Mail, Yahoo!, Hotmail and etc.) and periodically check it for new mails. Simulator B will simulate a bot installed on a computer. Simulator B will connect to an SMTP server and attempt to send a spam email to Simulator A email account.
- Scenario 2—Insider Threat (Data Leakage/Data Loss)
- An Insider threat is a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization's security practices, data and computer systems. The threat may involve fraud, the theft of confidential or commercially valuable information, the theft of intellectual property, or the sabotage of computer systems.
- Scenario 2.1—Data Leakage Via Network Connection
- Network
- An employee tries to upload to an unauthorized online storage service (a.k.a. “Shadow IT”) files with sensitive data.
- Simulator A will connect to DROPBOX website. Simulator A will login to DROPBOX Account. Simulator A will upload file with sensitive data to DROPBOX (e.g., HTTP POST).
- Scenario 2.2—Data Leakage via Physical Connection
- Local
- An employee tries to copy sensitive data to unauthorized device (if there's a policy) or at all (if prohibited at all).
- Simulator A will simulate an USB flash drive that is inserted into the computer. Simulator A will try to copy the sensitive files to the simulated USB flash drive.
- Scenario 2.3—Data Leakage via Wireless Connection
- Local
- An employee tries to pair an unauthorized device (if there's a policy) or at all (if prohibited at all) and then copy sensitive data to it.
- Simulator A will simulate a BLUETOOTH device that is paired with the computer. Simulator A will try to send file via BLUETOOTH to the virtual device.
-
- [or]
Simulator A will simulate a Wi-Fi access point on a given computer. Simulator A will attempt to connect to the simulated Wi-Fi access point. Simulator A will attempt to upload a file (via HTTP POST) to an endpoint that is exists on the simulated Wi-Fi access point network.
- [or]
- Scenario 3—Hacker
- A hacker seeks and exploits weaknesses in a computer system or computer network. Hackers may be motivated by a multitude of reasons, such as profit, protest, challenge or enjoyment.
- Scenario 3.1—Arbitrary Code Execution/Remote Code Execution/Remote Exploit
- Arbitrary code execution is used to describe an attacker's ability to execute any commands of the attacker's choice on a target machine or in a target process. It is commonly used in arbitrary code execution vulnerability to describe a software bug that gives an attacker a way to execute arbitrary code. A program that is designed to exploit such a vulnerability is called an arbitrary code execution exploit. Most of these vulnerabilities allow the execution of machine code and most exploits therefore inject and execute shellcode to give an attacker an easy way to manually run arbitrary commands. The ability to trigger arbitrary code execution from one machine on another (especially via a wide-area network such as the Internet) is often referred to as remote code execution. The exploit and protocol may vary depending on the remote vulnerability.
- Network
- Hacker tries to exploit a remote vulnerability
- Simulator A will simulate a vulnerable HTTP server that has a buffer overflow problem in the GET method handler. Simulator B will connect to the vulnerable HTTP server and craft a malicious GET request in order to exploit the vulnerability.
-
- [or]
Simulator A will simulate a HTTP server that serves an HTML page with exploit in it. Simulator B will simulate a vulnerable browser that connects to Simulator A HTTP server and renders the maliciously crafted HTML page with the exploit in it.
- [or]
- Scenario 3.2—Privilege Escalation/Local Code Execution/Local Exploit Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions.
- Local
- Hacker tries to exploit a local vulnerability
- Simulator A will simulate a service (daemon) running with administrator privileges that is vulnerable to insecure file creation vulnerability. Simulator A will attempt to exploit the vulnerable service via creation of multiple potential “temporary files” that includes malicious payload.
- Scenario 3.3—Fuzzing
- Fuzz testing or fuzzing is a software testing technique, often automated or semi-automated, that involves providing invalid, unexpected, or random data to the inputs of a computer program. The program is then monitored for exceptions such as crashes, or failing built-in code assertions or for finding potential memory leaks. Fuzzing is commonly used to test for security problems in software or computer systems.
- Network & Local
- Hacker tries to fuzz SSH server by sending incomplete SSH handshake requests.
- Simulator A will simulate a SSH Server. Simulator B will simulate a fuzzer that sends “broken” SSH requests. Simulator A will connect to the SSH server and start fuzzing.
- Scenario 3.4—Scanning
- A vulnerability scanner is a computer program designed to assess computers, computer systems, networks or applications for weaknesses. For example, a web application security scanner is a program, which communicates with a web application through the web front-end in order to identify potential security vulnerabilities in the web application and architectural weaknesses. It performs a black-box test. Unlike source code scanners, web application scanners don't have access to the source code and therefore detect vulnerabilities by actually performing attacks.
- Network & Local
- Hacker attempts to find and exploit a SQL injection in a website
- Simulator A will simulate a HTTP Server with an interactive form. Simulator B will simulate a SQL injection scanner. Simulator A will connect to the HTTP server and start “enumerating” different SQL injection attacks using the interactive form fields.
-
- [or]
Simulator A will simulate an application within a container (e.g., Mobile Application Management Solution). Simulator B will simulate a server with exposed TCP port on production site. Simulator A will attempt to scan the simulated server and reach the open TCP port.
- [or]
- Scenario 3.5—Brute-Force
- In cryptography, a brute-force attack, or exhaustive key search, is a cryptanalytic attack that can, in theory, be used against any encrypted data (except for data encrypted in an information-theoretically secure manner). Such an attack might be used when it is not possible to take advantage of other weaknesses in an encryption system (if any exist) that would make the task easier. It is comprised of systematically checking at least one or all possible keys or passwords until the correct one is found. In the worst case, this would involve traversing the entire search space.
- Network & Local
- Hacker tries to brute-force the administrator password
- Simulator A generates a dummy administrator account (username with a random password). Simulator A tries to blindly brute-force the dummy username password (e.g., 0, 1, 2, 3, 4, . . . , A, B, C, D, . . . AA, AB, AC, and etc.).
- Scenario 3.6—Dictionary Attack
- In cryptanalysis and computer security, a dictionary attack is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by trying hundreds or sometimes millions of likely possibilities, such as words in a dictionary.
- Network & Local
- Hacker tries to dictionary attack a company web portal.
- Simulator A generates a dummy administrator account (username with a random password). Simulator A will simulate a HTTP server with a dummy login form. Simulator B will connect to the HTTP server and attempt to login with different passwords (e.g., 12345, abc123, password, computer, 123456, tigger, 1234, a1b2c3, qwerty, 123, xxx, money, and etc.).
- Scenario 3.7—Browsing and Enumeration
- A resource enumeration attack is a type of attack in which an attacker is able to make the target host enumerate, or list, the various resources available on said host or network. Examples of these resources include user names and privileges, services, shares, policies, etc.
- Network & Local
- Hacker tries to enumerate at least one or all open ports on a given server.
- Simulator A will simulate a dummy service on random TCP port (e.g., 31337). Simulator B will port scan the server to determine which TCP ports are active.
-
- [or]
Simulator A will simulate an application installed within a container (e.g., Mobile Application Management Solution). Simulator A will attempt to enumerate system files outside the container (e.g., password files, network configuration, other application home directories and etc.).
- [or]
- Scenario 3.8—Spear Phishing
- Spear phishing is a targeted email scam with the sole purpose of obtaining unauthorized access to sensitive data or resource.
- Hacker attempts to social engineer an employee to install a malware
- Simulator A generates a phishing email with a malicious link. Simulator A sends the email to Simulator B corporate email address. Simulator B receives the email via the corporate email server. Simulator B clicks on the malicious link.
- Scenario 3.9—Data Exfiltration (Covert Channels)
- In computer security, a covert channel may be defined as a type of computer security attack that creates a capability to transfer information objects between processes that are not supposed to be allowed to communicate by the computer security policy.
- Hacker attempts to exfiltrate data using covert channel
- Simulator A listens on TCP/IP port ‘31337’. Simulator B attempts to send a TCP SYN packet with data hidden in the SYN SEQUENCE field
- Scenario 4—Compliance & Security Policy
- Security policy is a definition of what it means to be secure for a system, organization or other entity. For systems, the security policy addresses constraints on functions and flow among them, constraints on access by external systems and adversaries including programs and access to data by people.
- Scenario 4.1—PCI/Strong Cryptography
- According to section 4.1 of the Payment Card Industry Data Security Standard (PCI-DSS) v1.2, merchants handling credit card data are required to “use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks.”
- Network
- Customer tries to connect to eCommerce store via weak cryptography
- Simulator A will simulate a HTTPS server that supports SSLv2 (a weak version of SSL that includes weak ciphers). Simulator B will try to connect to Simulator A via SSLv2 protocol and negotiate a weak cipher.
- Scenario 4.2—Health Insurance Portability and Accountability Act (HIPAA)/Protected Health Information (PHI) Encryption
- The security rule does not expressly prohibit the use of email for sending electronic PHI. However, the standards for access control (45 CFR §164.312(a)), integrity (45 CFR §164.312(c)(1)), and transmission security (45 CFR §164.312(e)(1)) require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against the unauthorized access to electronic PHI sent and received over email communications. The standard for transmission security (§164.312(e)) has been updated to enforce the use of encryption. This means that each covered entity must assess its use of open networks, identify the available and appropriate means to protect electronic PHI as it is transmitted, select a solution, and document the decision. The security rule allows for electronic PHI to be sent over an electronic open network as long as it is adequately protected.
- Network
- Employee tries to send PHI (unencrypted) via email.
- Simulator A will simulate an SMTP (mail server) server. Simulator B will try to connect to Simulator A via SMTP protocol and use it to send an email with an attachment that contains PHI.
-
- [or]
Simulator A will open an email account (e.g., Google Mail, Yahoo!, Hotmail and etc.) and periodically check it for new mails. Simulator B will connect to an email server (can be the company's email server, or any other email server) and send an email to Simulator A email's address with an attachment that contains PHI.
- [or]
- Scenario 4.3—Password Policy/Internal Security Policy
- A password policy can be a set of rules designed to enhance computer security by encouraging users to employ strong passwords and use them properly. A password policy is often part of an organization's official regulations and may be taught as part of security awareness training.
- Local
- User attempts to change password to one that violates the company's password policy (e.g., the password does not meet or exceed the length and formation required)
- Simulator A will try to change password to a weak one (one that does not meet or exceed the password complexity).
- Many of the examples provided in this document are “atomic” steps. In real life, an hacker can use one or more “atomic” steps in order to achieve his or her goal. The following are a few examples that combine one or more “atomic” steps:
- 1. Employee clicks on a malicious link (sent via email).
2. As a result, malware is being installed on the employee computer.
3. Malware activates itself and connects to a command & control server.
4. Hacker gains access to the employee computer.
5. Hacker steals source code files from the employee computer via FTP. - 1. Hacker scans a website for vulnerabilities.
2. Hacker exploits SQL injection in a website to get command execution.
3. Hacker opens reverse connection from the server to his computer.
4. Hacker enumerates the network for remote access services (SSH, Telnet, and etc.).
5. Hacker finds SSH (Secure Shell) service on a server in production.
6. Hacker brute forces the administrator password and logs in.
7. Hacker uses SCP (Secure Copy) to copy data from the brute forced server to the original compromised website server.
8. Hacker puts data in the website directory and downloads it from the Internet. - 1. Employee installs a mobile application that turns out to be a malware.
2. Malware activates itself and connects to a command & control server.
3. Hacker gains access to the employee mobile phone.
4. Hacker sends premium SMS (fraud). - The prepared tasks are sent to the simulator nodes,
step 404. Sending a task to a simulator node may include loading data onto a simulator node module, loading the data onto a programmable chip or memory for execution by a processor/processor core, or generating a virtual device configured to perform the task. Each simulator node may represent one or more parties (e.g., client devices and servers), devices, networks, and systems participating in a breach scenario. Tasks on the simulator nodes are executed/simulated,step 406. The tasks executed on the simulator nodes may result in data transfers, file modifications, change in system configuration, and change to access permissions, to name a few. - Each simulator node may report its result of the executed tasks/simulation. The results analyzer may receive the result of simulation from the simulator nodes,
step 408. A result may include a hash of transferred and received data or some other result. The transferred data may be any file including text, image, video, etc., to be verified. Results from the simulator nodes are analyzed,step 410. Analyzing the results may include summarizing and comparing results of all parties (associated with the simulator nodes). - A
next step 412 comprises determining if all parties report on a same result. According to one embodiment, determining a same result may include performing a hash function on transferred data, and performing a hash function on a copy of the transferred data that was successfully received at a second simulator node (or party) from a first simulator node (or party). The hashes of the transferred data and the copy of the transferred data can be compared. Checking comparing hashes of the two files may help eliminate false-positives. In an exemplary simulation, a malicious attachment may be sent from someone outside of a company to someone within the company. A simulator node may be present in the Internet and another connected to the enterprise or company's intranet network. The enterprise simulator may receive the e-mail but the attachment may be removed by an email gateway product. In this case, it may be desired to verify that indeed what the Internet simulator sent was received by the enterprise simulator. However, in other embodiments, other data checking methods may be used to verify whether breached data and the transmitted copy of the breached data are the same. - If the hashes are not equal (all parties do not report on the same result), then a breach is determined as unsuccessful,
step 418. Otherwise, if the two hashes are equal, the method proceeds to determine whether all parties report on a successful result atstep 414. For example, the breach simulation task may attempt a connection between the first simulator node and the second simulator node. If the connection is unsuccessful, then the breach is determined to be unsuccessful,step 418. Otherwise, a successful transmission along with all of the parties reporting on the same result leads to a determination that the breach was successful (verification of a breach),step 416. - The following includes additional exemplary breach verification methods that may be used to analyze results from the simulator nodes:
- Verifying an exfiltration breach scenario may include determining if a first simulator node generates a credit card (information), leaks the credit card via DNS query response and a second simulator node is able to successfully receive the DNS query result. A second exfiltration breach scenario may be verified by determining if a first simulator node takes a user-defined file, opens a FTP connection to a cloud instance, uploads the file, and a second simulator node is able to successfully receive the upload. A third exfiltration breach scenario may be verified by determining if a first simulator connects to a malware server, sends a malware client message and a second simulator node is able to successfully receive the message.
- Verifying an infiltration breach scenario may include determining if a first simulator node sends an email with a link, and a second simulator node receives the email, clicks on the link, and is able to reach an external malicious website. A second infiltration breach scenario may be verified by determining if a first simulator node tries to open TCP port 31337 to a second simulator node, and the second simulator node is able to receives the connection and open a socket (assuming port 31337 is not a standard port and is not allowed by the policy). A third infiltration breach scenario may be verified by determining if a subcontractor mobile app (first simulator node) attempts to connect to a production server (second simulator node), and the production server answers the connection (assuming this particular subcontractor should not have access to production server).
- Verifying a policy validation scenario may include determining if a first simulator node tries to open TCP port 80 to a second simulator node, and the second simulator node allows and receives the connection and opens a socket (assuming simulator nodes A and B should be segregated due to PCI Compliance). A second policy validation scenario may be verified by determining if a first simulator node mounts a share folder on a second simulator node, the second simulator node generates a sensitive document on the share folder, the first simulator node copies the sensitive document from the second simulator node, connects to Dropbox (or any other external system) and is able to upload the sensitive document.
-
FIG. 5 presents a flowchart of a method for managing breach simulations results according to an embodiment of the present invention. - Simulation results are aggregated,
step 502. The results analyzer may read the simulation results from the simulation orchestrator. A snapshot of currently known breaches in system is updated with the simulation results,step 504. The snapshot may be an in-memory graph including simulator nodes as nodes and specific scenarios with their simulation results as edges. In anext step 506, the system determines whether the snapshot has new breach scenarios or previously known scenarios that were closed (fixed). If there are no new or closed breach scenarios, no action is needed or taken,step 508. Otherwise, new or closed breach scenarios are concluded,step 510. New or closed breach scenarios may be concluded by searching the in-memory graph for new breaches and emit breach events for each breach it finds and identifying previously found breaches that have been closed and emits a “breach heal event” for each breach that was closed. -
FIG. 6 presents a flowchart of a method for executing a breach scenario according to an embodiment of the present invention. Breach scenarios are able to be executed in the form of executable workflows or graphs including malicious actions as nodes and each step may be connected to one or more further steps. A breach scenario is parsed,step 602. The breach scenario may be parsed from a program file input, file, or data entry that models the flow of the breach scenario. Parsing the breach scenario includes extracting a graph (e.g., textual, numerical, symbolic or graphical) or flow of tasks/operations comprising action components as nodes connected together by edges and in a particular order. An action component may include executable code or instructions that can be written in any programming language for execution of tasks within a breach scenario by a simulation node. For example, a breach scenario for simulating an attacker trying to connect to a given computer, login as an administrator, and afterward execute a FORMAT command on a disk C may include a directed graph with three nodes connected by two edges where the root node of the breach scenario is a “ConnectToComputer” action component node having a “LoginAsAdmin” child node, and the “LoginAsAdmin” action component node further includes a “FormatDiskC” child node. - A root node is determined,
step 604. The root node can be used to establish a first step in a series of nodes in a breach scenario execution flow. Determining the root node may include finding a node with no parent node. Referring to the previous example, the “ConnectToComputer” action component node may be determined as the root node. The determined root node is set as a current node,step 606. The current node may be a pointer that identifies a “visit” to a given node during a traversal of a graph of nodes (breach scenario). - The current node is executed with breach point data,
Step 608. Code or instructions from the action component corresponding to the current node can be executed with breach point data provided as input. Breach point data may be comprised in a data structure (e.g., dictionary, associative array, serialized data container, hash, etc.) that includes keys and values that each action component can accept. The breach point data may contain values that can be accessed via keys such as IP addresses, ports, data, protocols, filenames (if applicable), and any other information that is related to a breach scenario execution flow. For example, information for running or executing action components are included in the breach point data such as a data key (e.g., breach data—an asset to leak in an exfiltration scenario). Optionally, breach point data may include a debug key to allow for triggering number of prints in the action component for a user (such as a system administrator) to debug the action component logic. Breach point data may be initialized by the simulation orchestrator and provided to the root node of breach scenarios. For example, breach point data may contain empty or initialized values to be received by an action component at a root node of a breach scenario. - A return value is generated,
step 610. The return value may be indicative of a result of the execution of the current node. During action component execution, it may change the breach point data (e.g., by adding new keys, deleting keys, changing key values, etc.) and return a modified copy of the breach point data (the return value). The return value comprising the modified breach point data may be used as input for execution of a next action component in the breach scenario. The action component may also generate a false (or null) return value upon an unsuccessful execution (e.g., a “ConnectToComputer” action could not be completed). - A determination is made whether the return value is equal to a false return value,
step 612. If the return value is false, current flow of the breach scenario is terminated,step 614. The unsuccessful execution of an action component can indicate that a breach attempt has failed, and that further traversal of the nodes (and execution of their action components) for the breach scenario is unnecessary. Otherwise, if the return value is not equal to a false return value (e.g., modified breach point data), it is determined whether the current node has a child node,step 616. The child node may be a node connected to the root node that does not have a parent node. Alternatively, the child node may be a node that is connected to the root node and depends on the execution of the action component of the root node (e.g., uses the return value as input). - Absence of a child node may indicate that there are no further action components remaining in the execution flow of the breach scenario for simulation. If the current node does not have a child node, the return value is generated as an output result,
step 618. A presence of a child node will set the current node to the child node,step 620 and the method may proceed to execute the new current node with the return value (modified breach point data) as the breach point data atstep 608. In certain instances, a plurality of children nodes may be connected to a current node such as when execution of a current node is followed by a condition statement or branching, that of which, a given one of the children node will be selected and set as the new current node based on a satisfied condition. -
FIG. 7 presents an interface tool for editing breach scenarios according to an embodiment of the present invention. The exemplary editing tool allow for users to create executable workflows/graphs for breach scenarios or modifying existing ones by changing the order of steps (nodes and edges), and/or adding new steps, and/or changing steps parameters, and/or removing already-existing steps. The editing tool may providing tools for adding steps, devices and other elements in a breach scenario workflow (similar to ones that may be found in engineering modeling and simulation tools). Breach scenarios may also be created or modified using domain specific language to describe the breach scenarios. Domain-specific languages may be able to capture both offensive and defensive security components into a workflow. -
FIGS. 1 through 8 are conceptual illustrations allowing for an explanation of the present invention. Notably, the figures and examples above are not meant to limit the scope of the present invention to a single embodiment, as other embodiments are possible by way of interchange of some or all of the described or illustrated elements. Moreover, where certain elements of the present invention can be partially or fully implemented using known components, only those portions of such known components that are necessary for an understanding of the present invention are described, and detailed descriptions of other portions of such known components are omitted so as not to obscure the invention. In the present specification, an embodiment showing a singular component should not necessarily be limited to other embodiments including a plurality of the same component, and vice-versa, unless explicitly stated otherwise herein. Moreover, applicants do not intend for any term in the specification or claims to be ascribed an uncommon or special meaning unless explicitly set forth as such. Further, the present invention encompasses present and future known equivalents to the known components referred to herein by way of illustration. - It should be understood that various aspects of the embodiments of the present invention could be implemented in hardware, firmware, software, or combinations thereof. In such embodiments, the various components and/or steps would be implemented in hardware, firmware, and/or software to perform the functions of the present invention. That is, the same piece of hardware, firmware, or module of software could perform one or more of the illustrated blocks (e.g., components or steps). In software implementations, computer software (e.g., programs or other instructions) and/or data is stored on a machine readable medium as part of a computer program product, and is loaded into a computer system or other device or machine via a removable storage drive, hard drive, or communications interface. Computer programs (also called computer control logic or computer readable program code) are stored in a main and/or secondary memory, and executed by one or more processors (controllers, or the like) to cause the one or more processors to perform the functions of the invention as described herein. In this document, the terms “machine readable medium,” “computer readable medium,” “computer program medium,” and “computer usable medium” are used to generally refer to media such as a random access memory (RAM); a read only memory (ROM); a removable storage unit (e.g., a magnetic or optical disc, flash memory device, or the like); a hard disk; or the like.
- The foregoing description of the specific embodiments will so fully reveal the general nature of the invention that others can, by applying knowledge within the skill of the relevant art(s) (including the contents of the documents cited and incorporated by reference herein), readily modify and/or adapt for various applications such specific embodiments, without undue experimentation, without departing from the general concept of the present invention. Such adaptations and modifications are therefore intended to be within the meaning and range of equivalents of the disclosed embodiments, based on the teaching and guidance presented herein. It is to be understood that the phraseology or terminology herein is for the purpose of description and not of limitation, such that the terminology or phraseology of the present specification is to be interpreted by the skilled artisan in light of the teachings and guidance presented herein, in combination with the knowledge of one skilled in the relevant art(s).
- While various embodiments of the present invention have been described above, it should be understood that they have been presented by way of example, and not limitation. It would be apparent to one skilled in the relevant art(s) that various changes in form and detail could be made therein without departing from the spirit and scope of the invention. Thus, the present invention should not be limited by any of the above-described exemplary embodiments, but should be defined only in accordance with the following claims and their equivalents.
Claims (20)
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/691,027 US9473522B1 (en) | 2015-04-20 | 2015-04-20 | System and method for securing a computer system against malicious actions by utilizing virtualized elements |
PCT/US2016/028362 WO2016172151A1 (en) | 2015-04-20 | 2016-04-20 | System and method for securing a computer system against malicious actions by utilizing virtualized elements |
EP16783722.8A EP3286649A4 (en) | 2015-04-20 | 2016-04-20 | System and method for securing a computer system against malicious actions by utilizing virtualized elements |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/691,027 US9473522B1 (en) | 2015-04-20 | 2015-04-20 | System and method for securing a computer system against malicious actions by utilizing virtualized elements |
Publications (2)
Publication Number | Publication Date |
---|---|
US9473522B1 US9473522B1 (en) | 2016-10-18 |
US20160308895A1 true US20160308895A1 (en) | 2016-10-20 |
Family
ID=57120932
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/691,027 Active US9473522B1 (en) | 2015-04-20 | 2015-04-20 | System and method for securing a computer system against malicious actions by utilizing virtualized elements |
Country Status (1)
Country | Link |
---|---|
US (1) | US9473522B1 (en) |
Cited By (24)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9787715B2 (en) | 2015-06-08 | 2017-10-10 | Iilusve Networks Ltd. | System and method for creation, deployment and management of augmented attacker map |
US20170372593A1 (en) * | 2016-06-23 | 2017-12-28 | Intel Corporation | Threat monitoring for crowd environments with swarm analytics |
WO2018027244A3 (en) * | 2016-12-08 | 2018-05-03 | Atricore Inc. | Systems, devices and methods for application and privacy compliance monitoring and security threat analysis processing |
US10037429B1 (en) | 2017-05-03 | 2018-07-31 | International Business Machines Corporation | Copy protection for secured files |
US10298720B1 (en) * | 2015-12-07 | 2019-05-21 | Amazon Technologies, Inc. | Client-defined rules in provider network environments |
US10333976B1 (en) | 2018-07-23 | 2019-06-25 | Illusive Networks Ltd. | Open source intelligence deceptions |
US10333977B1 (en) | 2018-08-23 | 2019-06-25 | Illusive Networks Ltd. | Deceiving an attacker who is harvesting credentials |
US10382484B2 (en) | 2015-06-08 | 2019-08-13 | Illusive Networks Ltd. | Detecting attackers who target containerized clusters |
US10382483B1 (en) | 2018-08-02 | 2019-08-13 | Illusive Networks Ltd. | User-customized deceptions and their deployment in networks |
US10404747B1 (en) | 2018-07-24 | 2019-09-03 | Illusive Networks Ltd. | Detecting malicious activity by using endemic network hosts as decoys |
US10432665B1 (en) | 2018-09-03 | 2019-10-01 | Illusive Networks Ltd. | Creating, managing and deploying deceptions on mobile devices |
US10462116B1 (en) * | 2015-09-15 | 2019-10-29 | Amazon Technologies, Inc. | Detection of data exfiltration |
WO2020095684A1 (en) * | 2018-11-05 | 2020-05-14 | 日本電信電話株式会社 | Inspection assistance device, inspection assistance method, and inspection assistance program |
US10791128B2 (en) * | 2017-09-28 | 2020-09-29 | Microsoft Technology Licensing, Llc | Intrusion detection |
EP3873056A1 (en) * | 2020-02-26 | 2021-09-01 | AO Kaspersky Lab | System and method for assessing an impact of software on industrial automation and control systems |
US11316886B2 (en) * | 2020-01-31 | 2022-04-26 | International Business Machines Corporation | Preventing vulnerable configurations in sensor-based devices |
US11385987B2 (en) | 2020-02-26 | 2022-07-12 | AO Kaspersky Lab | System and method for assessing an impact of software on industrial automation and control systems |
WO2022183245A1 (en) * | 2021-03-04 | 2022-09-09 | Lorenzo Modesto | A hyper-scale cloud environment standard control deviation remediation application |
US20220377102A1 (en) * | 2020-04-10 | 2022-11-24 | AttackIQ, Inc. | System and method for emulating a multi-stage attack on a node within a target network |
US11552987B2 (en) * | 2017-09-28 | 2023-01-10 | L3 Technologies, Inc. | Systems and methods for command and control protection |
US11550898B2 (en) | 2017-10-23 | 2023-01-10 | L3 Technologies, Inc. | Browser application implementing sandbox based internet isolation |
US11601467B2 (en) | 2017-08-24 | 2023-03-07 | L3 Technologies, Inc. | Service provider advanced threat protection |
GB2612380A (en) * | 2021-11-02 | 2023-05-03 | Inst Information Ind | Verification method and verification system for information and communication safety protection mechanism |
US12079378B2 (en) | 2021-10-25 | 2024-09-03 | Kyndryl, Inc. | Gathering universal serial bus threat intelligence |
Families Citing this family (48)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9886581B2 (en) * | 2014-02-25 | 2018-02-06 | Accenture Global Solutions Limited | Automated intelligence graph construction and countermeasure deployment |
US10826928B2 (en) * | 2015-07-10 | 2020-11-03 | Reliaquest Holdings, Llc | System and method for simulating network security threats and assessing network security |
US20180063170A1 (en) * | 2016-04-05 | 2018-03-01 | Staffan Truvé | Network security scoring |
US10395040B2 (en) | 2016-07-18 | 2019-08-27 | vThreat, Inc. | System and method for identifying network security threats and assessing network security |
WO2018138608A2 (en) * | 2017-01-30 | 2018-08-02 | XM Ltd. | Penetration testing of a networked system |
US10257220B2 (en) | 2017-01-30 | 2019-04-09 | Xm Cyber Ltd. | Verifying success of compromising a network node during penetration testing of a networked system |
US10068095B1 (en) | 2017-05-15 | 2018-09-04 | XM Cyber Ltd | Systems and methods for selecting a termination rule for a penetration testing campaign |
US10686822B2 (en) | 2017-01-30 | 2020-06-16 | Xm Cyber Ltd. | Systems and methods for selecting a lateral movement strategy for a penetration testing campaign |
US10122750B2 (en) | 2017-01-30 | 2018-11-06 | XM Cyber Ltd | Setting-up penetration testing campaigns |
US10225276B2 (en) | 2017-01-31 | 2019-03-05 | Scythe Inc. | Endpoint vulnerability analysis platform |
US10581802B2 (en) | 2017-03-16 | 2020-03-03 | Keysight Technologies Singapore (Sales) Pte. Ltd. | Methods, systems, and computer readable media for advertising network security capabilities |
US10523699B1 (en) * | 2017-06-20 | 2019-12-31 | Amazon Technologies, Inc. | Privilege escalation vulnerability detection using message digest differentiation |
US10534917B2 (en) | 2017-06-20 | 2020-01-14 | Xm Cyber Ltd. | Testing for risk of macro vulnerability |
US10574684B2 (en) | 2017-07-09 | 2020-02-25 | Xm Cyber Ltd. | Locally detecting phishing weakness |
US10412112B2 (en) | 2017-08-31 | 2019-09-10 | Xm Cyber Ltd. | Time-tagged pre-defined scenarios for penetration testing |
US10447721B2 (en) | 2017-09-13 | 2019-10-15 | Xm Cyber Ltd. | Systems and methods for using multiple lateral movement strategies in penetration testing |
US10713365B2 (en) * | 2017-09-28 | 2020-07-14 | Oracle International Corporation | Testing cloud application integrations, data, and protocols |
US10705949B2 (en) * | 2017-11-03 | 2020-07-07 | Oracle International Corporation | Evaluation of library test suites using mutation testing |
EP3711279A1 (en) | 2017-11-15 | 2020-09-23 | XM Cyber Ltd. | Selectively choosing between actual-attack and simulation/evaluation for validating a vulnerability of a network node during execution of a penetration testing campaign |
US10990432B1 (en) | 2017-11-30 | 2021-04-27 | Ila Corporation | Method and system for interactive cyber simulation exercises |
US10440044B1 (en) | 2018-04-08 | 2019-10-08 | Xm Cyber Ltd. | Identifying communicating network nodes in the same local network |
US20190362318A1 (en) * | 2018-05-28 | 2019-11-28 | Open Invention Network Llc | Audio-based notifications |
US10771347B2 (en) * | 2018-07-10 | 2020-09-08 | Informatica Llc | Method, apparatus, and computer-readable medium for data breach simulation and impact analysis in a computer network |
CN109144665B (en) * | 2018-07-27 | 2023-04-18 | 平安科技(深圳)有限公司 | Simulator identification method, simulator identification equipment and computer readable medium |
US10382473B1 (en) | 2018-09-12 | 2019-08-13 | Xm Cyber Ltd. | Systems and methods for determining optimal remediation recommendations in penetration testing |
WO2020060503A1 (en) * | 2018-09-20 | 2020-03-26 | Ucar Ozan | An email threat simulator for identifying security vulnerabilities in email protection mechanisms |
WO2020089698A1 (en) | 2018-11-04 | 2020-05-07 | Xm Cyber Ltd. | Using information about exportable data in penetration testing |
US10574687B1 (en) | 2018-12-13 | 2020-02-25 | Xm Cyber Ltd. | Systems and methods for dynamic removal of agents from nodes of penetration testing systems |
US10846062B1 (en) | 2019-01-31 | 2020-11-24 | Splunk Inc. | Multi-prompt blocks for a visual playbook editor |
WO2020161532A1 (en) | 2019-02-06 | 2020-08-13 | Xm Cyber Ltd. | Taking privilege escalation into account in penetration testing campaigns |
US11283827B2 (en) | 2019-02-28 | 2022-03-22 | Xm Cyber Ltd. | Lateral movement strategy during penetration testing of a networked system |
US11206281B2 (en) | 2019-05-08 | 2021-12-21 | Xm Cyber Ltd. | Validating the use of user credentials in a penetration testing campaign |
US10637883B1 (en) | 2019-07-04 | 2020-04-28 | Xm Cyber Ltd. | Systems and methods for determining optimal remediation recommendations in penetration testing |
US10880326B1 (en) | 2019-08-01 | 2020-12-29 | Xm Cyber Ltd. | Systems and methods for determining an opportunity for node poisoning in a penetration testing campaign, based on actual network traffic |
US11489868B2 (en) * | 2019-09-05 | 2022-11-01 | Proofpoint, Inc. | Dynamically initiating and managing automated spear phishing in enterprise computing environments |
US11533329B2 (en) | 2019-09-27 | 2022-12-20 | Keysight Technologies, Inc. | Methods, systems and computer readable media for threat simulation and threat mitigation recommendations |
US11005878B1 (en) | 2019-11-07 | 2021-05-11 | Xm Cyber Ltd. | Cooperation between reconnaissance agents in penetration testing campaigns |
US11902327B2 (en) * | 2020-01-06 | 2024-02-13 | Microsoft Technology Licensing, Llc | Evaluating a result of enforcement of access control policies instead of enforcing the access control policies |
US11575700B2 (en) | 2020-01-27 | 2023-02-07 | Xm Cyber Ltd. | Systems and methods for displaying an attack vector available to an attacker of a networked system |
US11582256B2 (en) | 2020-04-06 | 2023-02-14 | Xm Cyber Ltd. | Determining multiple ways for compromising a network node in a penetration testing campaign |
US10999164B1 (en) | 2020-04-30 | 2021-05-04 | Splunk Inc. | Securely executing custom playbook code in a hybrid execution environment |
US11487513B1 (en) * | 2020-07-31 | 2022-11-01 | Splunk Inc. | Reusable custom functions for playbooks |
US11366901B2 (en) | 2020-10-07 | 2022-06-21 | Bank Of America Corporation | System and method for identifying insider threats in source code |
US11790093B2 (en) | 2021-04-29 | 2023-10-17 | Bank Of America Corporation | Cognitive tokens for authorizing restricted access for cyber forensics |
CN113378182B (en) * | 2021-07-13 | 2023-05-12 | 杭州安恒信息技术股份有限公司 | Method, device, equipment and medium for detecting right-raising loopholes |
US12124584B2 (en) | 2021-08-05 | 2024-10-22 | Bank Of America Corporation | System and method for detecting insider threats in source code |
US11949696B2 (en) | 2021-12-17 | 2024-04-02 | Bank Of America Corporation | Data security system with dynamic intervention response |
US11972250B2 (en) | 2022-01-18 | 2024-04-30 | Hewlett Packard Enterprise Development Lp | Out-of-band firmware update |
Family Cites Families (41)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6088804A (en) | 1998-01-12 | 2000-07-11 | Motorola, Inc. | Adaptive system and method for responding to computer network security attacks |
EP1346534B1 (en) * | 2000-12-28 | 2012-11-14 | Abb Ab | Method, system architecture and computer software for communication between devices |
US7257630B2 (en) | 2002-01-15 | 2007-08-14 | Mcafee, Inc. | System and method for network vulnerability detection and reporting |
US20120023572A1 (en) | 2010-07-23 | 2012-01-26 | Q-Track Corporation | Malicious Attack Response System and Associated Method |
US8230497B2 (en) | 2002-11-04 | 2012-07-24 | Hewlett-Packard Development Company, L.P. | Method of identifying software vulnerabilities on a computer system |
US7784099B2 (en) | 2005-02-18 | 2010-08-24 | Pace University | System for intrusion detection and vulnerability assessment in a computer network using simulation and machine learning |
US7308394B2 (en) * | 2005-02-24 | 2007-12-11 | Ultravision Security Systems, Inc. | Method for modeling and testing a security system |
WO2007076624A1 (en) | 2005-12-30 | 2007-07-12 | Intel Corporation | Virtual machine to detect malicious code |
US8413237B2 (en) | 2006-10-23 | 2013-04-02 | Alcatel Lucent | Methods of simulating vulnerability |
US8392997B2 (en) * | 2007-03-12 | 2013-03-05 | University Of Southern California | Value-adaptive security threat modeling and vulnerability ranking |
US8402529B1 (en) * | 2007-05-30 | 2013-03-19 | M86 Security, Inc. | Preventing propagation of malicious software during execution in a virtual machine |
EP2174252A1 (en) | 2007-07-31 | 2010-04-14 | Sony Corporation | Automatically protecting computer systems from attacks that exploit security vulnerabilities |
US7559086B2 (en) | 2007-10-02 | 2009-07-07 | Kaspersky Lab, Zao | System and method for detecting multi-component malware |
KR100955281B1 (en) | 2007-10-18 | 2010-04-30 | 한국정보보호진흥원 | Security Risk Evaluation Method for Threat Management |
US8434151B1 (en) | 2008-01-04 | 2013-04-30 | International Business Machines Corporation | Detecting malicious software |
US8397301B2 (en) | 2009-11-18 | 2013-03-12 | Lookout, Inc. | System and method for identifying and assessing vulnerabilities on a mobile communication device |
US8516596B2 (en) | 2010-01-26 | 2013-08-20 | Raytheon Company | Cyber attack analysis |
US8712596B2 (en) | 2010-05-20 | 2014-04-29 | Accenture Global Services Limited | Malicious attack detection and analysis |
US9032521B2 (en) | 2010-10-13 | 2015-05-12 | International Business Machines Corporation | Adaptive cyber-security analytics |
US10043011B2 (en) | 2011-01-19 | 2018-08-07 | Rapid7, Llc | Methods and systems for providing recommendations to address security vulnerabilities in a network of computing systems |
US9060239B1 (en) * | 2011-08-09 | 2015-06-16 | Zscaler, Inc. | Cloud based mobile device management systems and methods |
ES2755780T3 (en) * | 2011-09-16 | 2020-04-23 | Veracode Inc | Automated behavior and static analysis using an instrumented sandbox and machine learning classification for mobile security |
US8793790B2 (en) | 2011-10-11 | 2014-07-29 | Honeywell International Inc. | System and method for insider threat detection |
US9426169B2 (en) | 2012-02-29 | 2016-08-23 | Cytegic Ltd. | System and method for cyber attacks analysis and decision support |
IL219361A (en) | 2012-04-23 | 2017-09-28 | Verint Systems Ltd | Systems and methods for combined physical and cyber data security |
KR101462311B1 (en) | 2012-05-18 | 2014-11-14 | (주)이스트소프트 | Method for preventing malicious code |
CN104520871A (en) * | 2012-07-31 | 2015-04-15 | 惠普发展公司,有限责任合伙企业 | Vulnerability vector information analysis |
US9177139B2 (en) | 2012-12-30 | 2015-11-03 | Honeywell International Inc. | Control system cyber security |
US9208323B1 (en) * | 2013-01-14 | 2015-12-08 | Zimperium, Inc. | Classifier-based security for computing devices |
US9185124B2 (en) | 2013-02-27 | 2015-11-10 | Sayan Chakraborty | Cyber defense systems and methods |
US20140259095A1 (en) | 2013-03-06 | 2014-09-11 | James Alvin Bryant | Method of providing cyber security as a service |
WO2014144246A1 (en) | 2013-03-15 | 2014-09-18 | Cyberricade, Inc. | Cyber security |
US9292695B1 (en) * | 2013-04-10 | 2016-03-22 | Gabriel Bassett | System and method for cyber security analysis and human behavior prediction |
US9043922B1 (en) | 2013-04-19 | 2015-05-26 | Symantec Corporation | Systems and methods for determining malicious-attack exposure levels based on field-data analysis |
US9171167B2 (en) | 2013-06-20 | 2015-10-27 | The Boeing Company | Methods and systems for use in analyzing cyber-security threats in an aviation platform |
US9195833B2 (en) * | 2013-11-19 | 2015-11-24 | Veracode, Inc. | System and method for implementing application policies among development environments |
US20150205966A1 (en) * | 2014-01-17 | 2015-07-23 | MalCrawler Co. | Industrial Control System Emulator for Malware Analysis |
US9367694B2 (en) | 2014-05-16 | 2016-06-14 | Raytheon Bbn Technologies Corp. | Probabilistic cyber threat recognition and prediction |
US9565204B2 (en) | 2014-07-18 | 2017-02-07 | Empow Cyber Security Ltd. | Cyber-security system and methods thereof |
US10812516B2 (en) | 2014-08-05 | 2020-10-20 | AttackIQ, Inc. | Cyber security posture validation platform |
US20160080408A1 (en) | 2014-09-15 | 2016-03-17 | Lookingglass Cyber Solutions | Apparatuses, methods and systems for a cyber security assessment mechanism |
-
2015
- 2015-04-20 US US14/691,027 patent/US9473522B1/en active Active
Cited By (41)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10623442B2 (en) | 2015-06-08 | 2020-04-14 | Illusive Networks Ltd. | Multi-factor deception management and detection for malicious actions in a computer network |
US10291650B2 (en) | 2015-06-08 | 2019-05-14 | Illusive Networks Ltd. | Automatically generating network resource groups and assigning customized decoy policies thereto |
US9954878B2 (en) | 2015-06-08 | 2018-04-24 | Illusive Networks Ltd. | Multi-factor deception management and detection for malicious actions in a computer network |
US9787715B2 (en) | 2015-06-08 | 2017-10-10 | Iilusve Networks Ltd. | System and method for creation, deployment and management of augmented attacker map |
US9794283B2 (en) | 2015-06-08 | 2017-10-17 | Illusive Networks Ltd. | Predicting and preventing an attacker's next actions in a breached network |
US10382484B2 (en) | 2015-06-08 | 2019-08-13 | Illusive Networks Ltd. | Detecting attackers who target containerized clusters |
US10142367B2 (en) | 2015-06-08 | 2018-11-27 | Illusive Networks Ltd. | System and method for creation, deployment and management of augmented attacker map |
US9985989B2 (en) | 2015-06-08 | 2018-05-29 | Illusive Networks Ltd. | Managing dynamic deceptive environments |
US10097577B2 (en) | 2015-06-08 | 2018-10-09 | Illusive Networks, Ltd. | Predicting and preventing an attacker's next actions in a breached network |
US10462116B1 (en) * | 2015-09-15 | 2019-10-29 | Amazon Technologies, Inc. | Detection of data exfiltration |
US11269673B2 (en) | 2015-12-07 | 2022-03-08 | Amazon Technologies, Inc. | Client-defined rules in provider network environments |
US10298720B1 (en) * | 2015-12-07 | 2019-05-21 | Amazon Technologies, Inc. | Client-defined rules in provider network environments |
US10032361B2 (en) * | 2016-06-23 | 2018-07-24 | Intel Corporation | Threat monitoring for crowd environments with swarm analytics |
US20170372593A1 (en) * | 2016-06-23 | 2017-12-28 | Intel Corporation | Threat monitoring for crowd environments with swarm analytics |
WO2018027244A3 (en) * | 2016-12-08 | 2018-05-03 | Atricore Inc. | Systems, devices and methods for application and privacy compliance monitoring and security threat analysis processing |
US10037429B1 (en) | 2017-05-03 | 2018-07-31 | International Business Machines Corporation | Copy protection for secured files |
US10303888B2 (en) | 2017-05-03 | 2019-05-28 | International Business Machines Corporation | Copy protection for secured files |
US10726137B2 (en) | 2017-05-03 | 2020-07-28 | International Business Machines Corporation | Copy protection for secured files |
US11601467B2 (en) | 2017-08-24 | 2023-03-07 | L3 Technologies, Inc. | Service provider advanced threat protection |
US11552987B2 (en) * | 2017-09-28 | 2023-01-10 | L3 Technologies, Inc. | Systems and methods for command and control protection |
US10791128B2 (en) * | 2017-09-28 | 2020-09-29 | Microsoft Technology Licensing, Llc | Intrusion detection |
US11550898B2 (en) | 2017-10-23 | 2023-01-10 | L3 Technologies, Inc. | Browser application implementing sandbox based internet isolation |
US10333976B1 (en) | 2018-07-23 | 2019-06-25 | Illusive Networks Ltd. | Open source intelligence deceptions |
US10404747B1 (en) | 2018-07-24 | 2019-09-03 | Illusive Networks Ltd. | Detecting malicious activity by using endemic network hosts as decoys |
US10382483B1 (en) | 2018-08-02 | 2019-08-13 | Illusive Networks Ltd. | User-customized deceptions and their deployment in networks |
US10333977B1 (en) | 2018-08-23 | 2019-06-25 | Illusive Networks Ltd. | Deceiving an attacker who is harvesting credentials |
US10432665B1 (en) | 2018-09-03 | 2019-10-01 | Illusive Networks Ltd. | Creating, managing and deploying deceptions on mobile devices |
JP6989781B2 (en) | 2018-11-05 | 2022-01-12 | 日本電信電話株式会社 | Inspection support equipment, inspection support methods, and inspection support programs |
JP2020077910A (en) * | 2018-11-05 | 2020-05-21 | 日本電信電話株式会社 | Inspection support apparatus, inspection support method, and inspection support program |
WO2020095684A1 (en) * | 2018-11-05 | 2020-05-14 | 日本電信電話株式会社 | Inspection assistance device, inspection assistance method, and inspection assistance program |
US11316886B2 (en) * | 2020-01-31 | 2022-04-26 | International Business Machines Corporation | Preventing vulnerable configurations in sensor-based devices |
US11385987B2 (en) | 2020-02-26 | 2022-07-12 | AO Kaspersky Lab | System and method for assessing an impact of software on industrial automation and control systems |
US11599443B2 (en) | 2020-02-26 | 2023-03-07 | AO Kaspersky Lab | System and method for assessing an impact of malicious software causing a denial of service of components of industrial automation and control systems |
EP3873056A1 (en) * | 2020-02-26 | 2021-09-01 | AO Kaspersky Lab | System and method for assessing an impact of software on industrial automation and control systems |
US20220377102A1 (en) * | 2020-04-10 | 2022-11-24 | AttackIQ, Inc. | System and method for emulating a multi-stage attack on a node within a target network |
US11677775B2 (en) * | 2020-04-10 | 2023-06-13 | AttackIQ, Inc. | System and method for emulating a multi-stage attack on a node within a target network |
US20230269266A1 (en) * | 2020-04-10 | 2023-08-24 | AttackIQ, Inc. | System and method for emulating a multi-stage attack on a node within a target network |
US12081580B2 (en) * | 2020-04-10 | 2024-09-03 | AttackIQ, Inc. | System and method for emulating a multi-stage attack on a node within a target network |
WO2022183245A1 (en) * | 2021-03-04 | 2022-09-09 | Lorenzo Modesto | A hyper-scale cloud environment standard control deviation remediation application |
US12079378B2 (en) | 2021-10-25 | 2024-09-03 | Kyndryl, Inc. | Gathering universal serial bus threat intelligence |
GB2612380A (en) * | 2021-11-02 | 2023-05-03 | Inst Information Ind | Verification method and verification system for information and communication safety protection mechanism |
Also Published As
Publication number | Publication date |
---|---|
US9473522B1 (en) | 2016-10-18 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11853434B2 (en) | System and method for creating and executing breach scenarios utilizing virtualized elements | |
US9473522B1 (en) | System and method for securing a computer system against malicious actions by utilizing virtualized elements | |
US9710653B2 (en) | System and method for verifying malicious actions by utilizing virtualized elements | |
Shafiq et al. | The Rise of “Internet of Things”: Review and Open Research Issues Related to Detection and Prevention of IoT‐Based Security Attacks | |
Tabrizchi et al. | A survey on security challenges in cloud computing: issues, threats, and solutions | |
Nazir et al. | Survey on wireless network security | |
US11509683B2 (en) | System and method for securing a network | |
Patel | A survey on vulnerability assessment & penetration testing for secure communication | |
Ravindran et al. | A Review on Web Application Vulnerability Assessment and Penetration Testing. | |
Wang et al. | Educational modules and research surveys on critical cybersecurity topics | |
WO2016172151A1 (en) | System and method for securing a computer system against malicious actions by utilizing virtualized elements | |
Sharif | Web attacks analysis and mitigation techniques | |
Bhardwaj et al. | Framework to perform taint analysis and security assessment of IoT devices in smart cities | |
US12088618B2 (en) | Methods and systems for asset risk determination and utilization for threat mitigation | |
Jawad et al. | Intelligent Cybersecurity Threat Management in Modern Information Technologies Systems | |
Odirichukwu et al. | Security concept in Web database development and administration—A review perspective | |
Deshpande et al. | Major web application threats for data privacy & security–detection, analysis and mitigation strategies | |
Elghaly | Learn Penetration Testing with Python 3. x: Perform Offensive Pentesting and Prepare Red Teaming to Prevent Network Attacks and Web Vulnerabilities (English Edition) | |
Dahle | Large scale vulnerability scanning | |
Bravo et al. | Mastering Defensive Security: Effective techniques to secure your Windows, Linux, IoT, and cloud infrastructure | |
Lakshmi | Beginning Security with Microsoft Technologies | |
Holm et al. | A manual for the cyber security modeling language | |
Buecker et al. | Stopping Internet Threats Before They Affect Your Business by Using the IBM Security Network Intrusion Prevention System | |
US20230412631A1 (en) | Methods and systems for system vulnerability determination and utilization for threat mitigation | |
Vasilakis | Penetration testing in computer systems |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
STCF | Information on status: patent grant |
Free format text: PATENTED CASE |
|
AS | Assignment |
Owner name: SAFEBREACH LTD., ISRAEL Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:KOTLER, ITZHAK;LIVNI, IDAN;BAR-SHALOM, DAN;AND OTHERS;REEL/FRAME:042763/0522 Effective date: 20170604 |
|
MAFP | Maintenance fee payment |
Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YR, SMALL ENTITY (ORIGINAL EVENT CODE: M2551); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY Year of fee payment: 4 |
|
AS | Assignment |
Owner name: BANK LEUMI LE-ISRAEL B.M., ISRAEL Free format text: SECURITY INTEREST;ASSIGNOR:SAFEBREACH LTD;REEL/FRAME:053824/0746 Effective date: 20200908 |
|
AS | Assignment |
Owner name: SAFEBREACH LTD., ISRAEL Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:BANK LEUMI LE-ISRAEL B.M.;REEL/FRAME:067113/0037 Effective date: 20240415 Owner name: AVENUE VENTURE OPPORTUNITIES FUND, L.P., AS AGENT, NEW YORK Free format text: SECURITY INTEREST;ASSIGNORS:SAFEBREACH INC.;SAFEBREACH LTD.;REEL/FRAME:067129/0498 Effective date: 20240410 |
|
MAFP | Maintenance fee payment |
Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YR, SMALL ENTITY (ORIGINAL EVENT CODE: M2552); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY Year of fee payment: 8 |