US2021336971A1PendingUtilityA1

System and method for continuous collection, analysis and reporting of attack paths in a directory services environment

54
Assignee: SPECTER OPS INCPriority: Apr 23, 2020Filed: Apr 23, 2020Published: Oct 28, 2021
Est. expiryApr 23, 2040(~13.8 yrs left)· nominal 20-yr term from priority
G06F 16/9024H04L 63/1416G06F 16/212
54
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

A system and method for analyzing directory service environment attack paths for an enterprise may continuously collect data about the attack paths and provide alerts. The system and method may also analyze the nested object relationships within Directory Services alongside objects at risk for Credential Theft to calculate all possible attack paths within the environment.

Claims

exact text as granted — not AI-modified
1 . An apparatus for analyzing attack paths in a directory services system of an enterprise infrastructure in which a permission to each asset in the enterprise infrastructure is managed by a directory services systems that is coupled to each of the one or more assets of the enterprise infrastructure, the apparatus comprising:
 a computer, located in a cloud and being connected to the one or more assets in a data center of the infrastructure of the enterprise, with a processor and a plurality of instructions executed by the processor that continuously collects data about one or more assets;   a graph database coupled to the computer that stores the continuously collected data for the one or more assets; and   the computer processor is further configured to retrieve data from the graph database to identify a plurality of attack paths for the one or more assets and the directory services system in the enterprise infrastructure.   
     
     
         2 . The apparatus of  claim 1 , wherein the computer is further configured to generate an alert for each identified attack path. 
     
     
         3 . The apparatus of  claim 2 , wherein the computer is further configured to convert the continuously collected data into a format for storage in the graph database. 
     
     
         4 . The apparatus of  claim 1 , wherein the directory services is a Microsoft Active Directory system. 
     
     
         5 . The apparatus of  claim 1 , wherein the one or more assets further comprises a domain controller, a domain computer and a security information and event system. 
     
     
         6 . The apparatus of  claim 1 , wherein the computer and the graph database are in the enterprise infrastructure data center. 
     
     
         7 . (canceled) 
     
     
         8 . The apparatus of  claim 1  further comprising a second computer in a cloud separate from the enterprise infrastructure data center configured to identity the attack paths and wherein the graph database is in the cloud. 
     
     
         9 . The apparatus of  claim 8 , wherein the computer further comprises a set of rules wherein each rule has a condition that is tested against the continuously collected data of the network to identify an attack path. 
     
     
         10 . The apparatus of  claim 9 , wherein the computer is further configured to execute continuously each rule in the set of rules. 
     
     
         11 - 12 . (canceled) 
     
     
         13 . The apparatus of  claim 29 , wherein the plurality of rules that identify abuseable Kerberos configurations further comprises a rule that hardens Kerberoastable User Accounts, a rule that addresses computers trusted for unconstrained delegation and a rule that restricts control of computers trusted for unconstrained delegation. 
     
     
         14 . The apparatus of  claim 29 , wherein the plurality of rules that identify least privilege enforcement further comprises a rule that reduces execution rights held by large security groups and a rule that audits potential vulnerable account passwords. 
     
     
         15 . A method for analyzing attack paths in a directory services system, the method comprising:
 continuously collecting data about one or more assets that are controlled by a directory services system, each asset being a device in an enterprise infrastructure that has its permissions determined by the directory services system;   storing the collected data about the one or more assets in a graph database;   performing an analysis of the collected data stored in the graph database to identify a plurality of attack paths for the one or more assets and the directory services system in the enterprise infrastructure; and   generating an alert for each identified attack path.   
     
     
         16 . The method of  claim 15 , wherein the directory services is a Microsoft Active Directory system. 
     
     
         17 . The method of  claim 15 , wherein continuously collecting the data further comprises continuously collecting data from a domain controller, a domain computer and a security information and event system. 
     
     
         18 . The method of  claim 15  further comprising converting the data from the one or assets into a common format. 
     
     
         19 . The method of  claim 15 , wherein performing the analysis further comprises testing a set of rules against the continuously collected data to identify one or more attack path. 
     
     
         20 . The method of  claim 19 , wherein each rule in the set of rules has a condition that is tested against the continuously collected data of the network to identify the attack path. 
     
     
         21 . The method of  claim 20 , wherein testing the set of rules further comprises continuously executing each rule in the set of rules against the continuously collected data. 
     
     
         22 . An apparatus for analyzing attack paths in a directory services system, the apparatus comprising:
 an enterprise infrastructure having a plurality of locations wherein each location has one or more assets of the enterprise infrastructure, wherein a permission to each asset is managed by a directory services system;   a computer based data collector unit housed in each location of the enterprise infrastructure and being connected to the one or more assets in the location, the data collector continuously collecting data about one or more assets in each location;   a graph database, at different location from the plurality of locations of the enterprise infrastructure and being coupled to the each of the data collector units in each location, that stores the continuously collected data for the one or more assets; and   a computer based analytics unit, coupled to the graph database and housed in the same location as the graph database, that retrieves data from the graph database to identify a plurality of attack paths for the one or more assets and the directory services system in the enterprise infrastructure.   
     
     
         23 . The apparatus of  claim 22  further comprising a computer based alerting unit coupled to the analytics unit that generates an alert for each identified attack path. 
     
     
         24 . The apparatus of  claim 23  further comprising a computer based data ingestor unit coupled between the data collector unit and the graph database that converts the continuously collected data into a format for storage in the graph database. 
     
     
         25 . The apparatus of  claim 22  wherein the directory services is a Microsoft Active Directory system. 
     
     
         26 . The apparatus of  claim 22 , wherein the one or more assets further comprises a domain controller, a domain computer and a security information and event system. 
     
     
         27 . The apparatus of  claim 22 , wherein the computer based analytics unit further comprises a set of rules wherein each rule has a condition that is tested against the continuously collected data of the network to identify an attack path. 
     
     
         28 . The apparatus of  claim 27 , wherein the computer based analytics unit continuously executes each rule in the set of rules. 
     
     
         29 . The apparatus of  claim 9 , wherein the set of rules further comprises a plurality of rules that identify Kerberos configurations that are abuseable and a plurality of rules that identify least privilege enforcement.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.