Abstract
In one aspect, the disclosure provides: A method comprising: inviting a distributed plurality of researchers to participate in one or more computer vulnerability research projects directed to identifying computer vulnerabilities of one or more networks and/or computers that are owned or operated by a third party; assessing reputation and skills of one or more of the researchers, and accepting a subset of the researchers who have a positive reputation and sufficient skills to perform the investigations of the computer vulnerabilities; assigning a particular computer vulnerability research project, relating to a particular network under test, to a particular researcher from among the subset of the researchers; using a computer that is logically interposed between the particular researcher and the particular network under test, monitoring communications between the particular researcher and the particular network under test, wherein the communications relate to attempting to identify a candidate security vulnerability of the particular network under test; validating a report of the candidate security vulnerability of the particular network under test that is received from the particular researcher; determining and providing an award to the particular researcher in response to successfully validating the report of the candidate security vulnerability of the particular network under test that is received from the particular researcher.
Claims
1. A method of computer vulnerability discovery comprising:
   determining a plurality of researcher computers that are to be provided access to control logic, wherein a researcher computer of the plurality of researcher computers is a computer operated by, or to be operated by, an invited researcher, wherein an invited researcher is a person or organization selected to participate in one or more computer vulnerability research projects directed to researching and/or identifying computer vulnerabilities of one or more target systems comprising one or more network component and/or one or more computer component, wherein the control logic is logically interposed between the researcher computer and the one or more target systems;
   providing the plurality of researcher computers with access credentials for a management computer associated with the control logic to allow access to the control logic by particular ones of the plurality of researcher computers;
   tracking assignment of a particular computer vulnerability research project of the one or more computer vulnerability research projects to the researcher computer or to the invited researcher, wherein the particular computer vulnerability research project relates to a particular target system;
   establishing a communications path between the control logic and the particular target system;
   monitoring, using the control logic, networked data communications between the researcher computer and the particular target system, wherein the networked data communications include communications that are usable to identify a candidate vulnerability of the particular target system;
   determining a candidate vulnerability of the particular target system based on a report received from the invited researcher resulting from the invited researcher's use of the researcher computer to interact with the particular target system via the control logic;
   validating the report of the candidate vulnerability of the particular target system, wherein validating comprises attempting duplication of the candidate vulnerability after receiving the report; and
   triggering one or more remediation operations on the particular target system based at least in part upon the report.
2. The method of claim 1, wherein attempting duplication of the candidate vulnerability comprises:
   reading data relating to the networked data communications monitored;
   determining a sequence of operations, based on the report, usable to duplicate at least a portion of the networked data communications for validating the report;
   performing the sequence of operations from the control logic; and
   determining whether the candidate vulnerability of the particular target system is present, based on results of the sequence of operations.
3. The method of claim 1, further comprising:
   providing the invited researcher, prior to receiving the report, an indication of an award to be awarded in response to finding target system vulnerabilities that are subsequently validated through attempted duplication; and
   crediting the invited researcher with the award after validation of finding of the target system vulnerabilities.
4. The method of claim 3, wherein the award for a given target system vulnerability of the target system vulnerabilities is a function of one or more of (1) a vulnerability score for the given target system vulnerability, wherein the vulnerability score indicates a relative importance of the given target system vulnerability, (2) a stored minimum award value and a stored maximum award value that are stored in a record identifying the given target system vulnerability in a database, (3) a number of researcher computers reporting the given target system vulnerability, and/or (4) a number of reports received from researcher computers reporting the given target system vulnerability.
5. The method of claim 3, wherein the award for a given target system vulnerability is calculated using a real-time, market value calculation for the value of a report of the given target system vulnerability.
6. The method of claim 3, wherein the award for a given target system vulnerability is calculated according to a weighted impact score and an exploitability score, wherein the weighted impact score is a function of an impact score that is a function of a confidentiality impact metric, an integrity impact metric, and an availability impact metric, and wherein the exploitability score is a function of an access complexity metric, an authentication metric, and an access weighting.
7. The method of claim 3, wherein the award for a given target system vulnerability is calculated according to a blended mapping function that blends (1) values for a vulnerability score, (2) a submission quality score that represents the quality of a vulnerability report or submission, and/or (3) a perceived value of an asset of the particular target system.
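A worked instance of the award computation in claims 4 to 7, added here as an example and not the patent's own formula: the public CVSS v2 base-score equations stand in for the claimed impact and exploitability metrics (the claims name no scoring standard), and the payout policy (interpolating between the stored minimum and maximum by score, then shrinking the payout for each report already received) is an assumption.

```python
from dataclasses import dataclass

# CVSS v2 metric weights (public specification values), used as one concrete instance
# of the claimed confidentiality/integrity/availability, access complexity,
# authentication and access-weighting metrics. The patent itself names no standard.
CIA = {"none": 0.0, "partial": 0.275, "complete": 0.660}
ACCESS_COMPLEXITY = {"high": 0.35, "medium": 0.61, "low": 0.71}
AUTHENTICATION = {"multiple": 0.45, "single": 0.56, "none": 0.704}
ACCESS_VECTOR = {"local": 0.395, "adjacent": 0.646, "network": 1.0}


def impact_score(c: str, i: str, a: str) -> float:
    """Impact as a function of the three CIA impact metrics (claim 6)."""
    return 10.41 * (1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a]))


def exploitability_score(ac: str, au: str, av: str) -> float:
    """Exploitability from access complexity, authentication and access weighting."""
    return 20 * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au] * ACCESS_VECTOR[av]


def vulnerability_score(c, i, a, ac, au, av) -> float:
    """CVSS v2 base score: weighted impact plus weighted exploitability, 0.0 to 10.0."""
    imp = impact_score(c, i, a)
    f_impact = 0.0 if imp == 0 else 1.176  # v2 f(Impact): zero impact scores zero
    return round((0.6 * imp + 0.4 * exploitability_score(ac, au, av) - 1.5) * f_impact, 1)


@dataclass
class VulnRecord:
    """Per-vulnerability database record with stored award bounds (claim 4, item 2)."""
    min_award: int
    max_award: int
    prior_reports: int = 0  # reports already received for this vulnerability (item 4)


def award(score: float, rec: VulnRecord) -> int:
    """Assumed policy: interpolate between the stored bounds by score, then divide
    by one plus the number of prior reports, never paying below the minimum."""
    base = rec.min_award + (rec.max_award - rec.min_award) * score / 10.0
    return int(round(max(rec.min_award, base / (1 + rec.prior_reports))))


if __name__ == "__main__":
    # constructed finding: partial C/I/A impact, network reachable, no authentication
    s = vulnerability_score("partial", "partial", "partial", "low", "none", "network")
    print(s, award(s, VulnRecord(min_award=500, max_award=5000)))  # 7.5 3875
```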
8. The method of claim 1, further comprising:
   assigning the particular computer vulnerability research project to a first researcher computer of the plurality of researcher computers;
   assigning the particular computer vulnerability research project to a second researcher computer of the plurality of researcher computers;
   using the control logic, monitoring first communications between the first researcher computer and the particular target system;
   using the control logic, monitoring second communications between the second researcher computer and the particular target system;
   for the candidate vulnerability of the particular target system, determining which of the first researcher computer and the second researcher computer is a first reporting computer that first reported the candidate vulnerability;
   determining an award for discovery of the candidate vulnerability; and
   providing the award only to the researcher associated with the first reporting computer.
9. The method of claim 1, further comprising:
   generating a leaderboard data structure that includes records of researchers, researcher identifiers, and awards the researchers have earned or obtained; and
   generating a display presentation for viewing by researchers, wherein the display presentation illustrates relative awards over multiple unrelated or distributed researchers so as to encourage competition to find vulnerabilities.
10. The method of claim 1, further comprising:
   obtaining a customer-selected subset of researchers selected by an operator of the particular target system; and
   identifying a researcher computer subset comprising researcher computers of the plurality of researcher computers that are researcher computers associated with the customer-selected subset of researchers,
   wherein providing access credentials comprises providing access credentials for vulnerability testing of the particular target system only to the researcher computers associated with the customer-selected subset of researchers.
11. The method of claim 10, further comprising providing the operator of the particular target system with levels of trust for the plurality of researcher computers and representations of particular skill sets of researchers associated with the plurality of researcher computers, for use in selecting a subset of researchers.
12. The method of claim 1, further comprising:
   performing an initial assessment of security aspects of the particular target system prior to testing the particular target system;
   based on the initial assessment, determining which site-specific computer vulnerability research projects to assign to researchers; and
   assigning site-specific computer vulnerability research projects to researcher computers.
13. The method of claim 1, further comprising:
   providing a candidate researcher with access credentials for a test computer system;
   monitoring computer interactions of the candidate researcher with the test computer system;
   assessing skill levels of the candidate researcher based on the computer interactions;
   providing the candidate researcher with access credentials for the management computer based on results of assessing skill levels; and
   assessing the candidate researcher for reliability and competence in real time as the candidate researcher communicates with the particular target system via the control logic.
14. The method of claim 1, further comprising:
   providing instructions to the operator of the particular target system for modifying a security posture of the particular target system, wherein the modification is a reduction in security of the particular target system; and
   establishing a connection between the control logic and the particular target system that is configured to take advantage of the reduction in security.
15. The method of claim 14, wherein the reduction in security comprises opening up network ports that would otherwise be blocked to network traffic from the control logic.
16. The method of claim 1, further comprising:
   modifying, at the control logic, network messages from the particular target system to the researcher computer to obscure an identity of the particular target system; and
   modifying, at the control logic, network messages from the researcher computer to the particular target system to be consistent with network messages from the particular target system if the identity of the particular target system were not obscured.
17. The method of claim 1, further comprising storing an audit trail of URLs that the researcher computer sends to the particular target system via the control logic.
18. The method of claim 1, further comprising storing keystroke logs of the researcher computer while accessing the particular target system via the control logic.
19. The method of claim 18, further comprising:
   providing a payload to the researcher; and
   directing the researcher to install the payload onto the target system following a successful exploitation of a vulnerability of the target system.
20. The method of claim 19, wherein the payload includes logic to direct communications between the target and the researcher computer through the control logic.
21. The method of claim 1, further comprising storing URLs of dynamically generated pages that the particular target system generates in response to action by the researcher computer.
22. The method of claim 1, further comprising:
   storing flow records based upon packet flow identifiers; and
   storing packets, segments, messages or request-response pairs based upon 5-tuple identifying data.
23. The method of claim 1, wherein determining a candidate vulnerability of the particular target system based on a report received from the invited researcher comprises:
   determining a potentially matching previously reported vulnerability; and
   performing a literal or fuzzy comparison of the potentially matching previously reported vulnerability with the candidate vulnerability.
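The literal-then-fuzzy duplicate check of claim 23 combined with the first-reporter rule of claim 8, added here as an example rather than the patent's own implementation: the fingerprint fields (vulnerability class, host, path, parameter), the use of a character-level similarity ratio, and the 0.85 threshold are assumptions.

```python
from dataclasses import dataclass, field
from difflib import SequenceMatcher
from urllib.parse import urlsplit


@dataclass
class Report:
    """A researcher's submission as it reaches triage (constructed shape)."""
    researcher: str
    vuln_class: str     # e.g. "sqli", "xss"
    url: str
    parameter: str
    received_at: int    # submission order, e.g. taken from the control logic's audit trail


def fingerprint(r: Report) -> str:
    """Normalise the fields that identify one vulnerability instance so that cosmetic
    differences (letter case, trailing slash, query string) compare literally equal."""
    u = urlsplit(r.url.lower())
    return f"{r.vuln_class.lower()}|{u.netloc}|{u.path.rstrip('/')}|{r.parameter.lower()}"


@dataclass
class Triage:
    threshold: float = 0.85                         # assumed fuzzy-match cut-off
    accepted: dict = field(default_factory=dict)    # fingerprint -> first Report

    def classify(self, new: Report) -> tuple:
        """Return (status, first_report); status is 'new', 'duplicate' or 'fuzzy-duplicate'.
        The stored first_report identifies the researcher who gets credit (claim 8)."""
        fp = fingerprint(new)
        if fp in self.accepted:                     # literal comparison
            return "duplicate", self.accepted[fp]
        for known_fp, first in self.accepted.items():  # fuzzy comparison
            if SequenceMatcher(None, fp, known_fp).ratio() >= self.threshold:
                return "fuzzy-duplicate", first
        self.accepted[fp] = new
        return "new", None


def triage_in_order(reports: list) -> list:
    """Process submissions by arrival time; yield (researcher, status, credited_to)."""
    t = Triage()
    out = []
    for r in sorted(reports, key=lambda x: x.received_at):
        status, first = t.classify(r)
        out.append((r.researcher, status, (first or r).researcher))
    return out
```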
24. A computer vulnerability discovery system comprising:
   interfaces to a plurality of researcher computers;
   control logic logically interposed between a researcher computer of the plurality of researcher computers and one or more target systems, wherein the researcher computer is a computer operated by, or to be operated by, an invited researcher, wherein an invited researcher is a person or organization selected to participate in one or more computer vulnerability research projects directed to researching and/or identifying computer vulnerabilities of the one or more target systems comprising one or more network component and/or one or more computer component;
   storage for access credentials for a management computer associated with the control logic to allow access to the control logic by particular ones of the plurality of researcher computers;
   storage for data about an assignment of a particular computer vulnerability research project of the one or more computer vulnerability research projects to the researcher computer or to the invited researcher, wherein the particular computer vulnerability research project relates to a particular target system;
   an interface for a communications path between the control logic and the particular target system;
   a monitor, coupled to the control logic, for monitoring networked data communications between the researcher computer and the particular target system, wherein the networked data communications include communications that are usable to identify a candidate vulnerability of the particular target system;
   storage for data about a candidate vulnerability of the particular target system based on a report received from the invited researcher resulting from the invited researcher's use of the researcher computer to interact with the particular target system via the control logic;
   storage for validation data about the report of the candidate vulnerability of the particular target system, including data about attempted duplication of the candidate vulnerability after receiving the report; and
   an output for providing a message triggering one or more remediation operations on the particular target system based at least in part upon the report.
25. The computer vulnerability discovery system of claim 24, further comprising:
   a leaderboard data structure that includes records of researchers, researcher identifiers, and awards the researchers have earned or obtained; and
   a display presentation for viewing by researchers, wherein the display presentation illustrates relative awards over multiple unrelated or distributed researchers so as to encourage competition to find vulnerabilities.
26. The computer vulnerability discovery system of claim 24, further comprising storage for an audit trail of URLs that the researcher computer sends to the particular target system via the control logic.
27. The computer vulnerability discovery system of claim 24, further comprising storage for keystroke logs of the researcher computer while accessing the particular target system via the control logic.
28. The computer vulnerability discovery system of claim 24, further comprising a payload to be provided to the researcher for the researcher to install onto the target system following a successful exploitation of a vulnerability of the target system.
29. The computer vulnerability discovery system of claim 28, wherein the payload includes logic to direct communications between the target and the researcher computer through the control logic.
30. The computer vulnerability discovery system of claim 24, further comprising storage for URLs of dynamically generated pages that the particular target system generates in response to action by the researcher computer.
31. The computer vulnerability discovery system of claim 24, further comprising:
   storage for flow records based upon packet flow identifiers; and
   storage for packets, segments, messages or request-response pairs based upon 5-tuple identifying data.
Applicants
- Synack Inc
Inventors
- Kaplan Jay
- Kuhr Mark
- Publication: May 24, 2016
- Application: Sep 9, 2015, US 201514849398 A
- Priority: Sep 9, 2015, US 201514849398 A
- Priority: Feb 17, 2015, US 201514624361 A
- Priority: May 6, 2014, US 201414271110 A