US-12621336-B2 - Systems and methods for addressing inconsistencies in attack paths

Abstract

In one embodiment, a method includes receiving a plurality of records associated with a plurality of assets in a cloud system and one or more risks associated with one or more of the plurality of assets from one or more microservices, identifying one or more inconsistencies within the plurality of records, initiating a reconcile process to resolve the one or more inconsistencies, determining that a condition for an attack-path analysis is satisfied, and triggering the attack-path analysis to identify one or more attack paths.

Inventors

  • Hendrikus G. P. Bosch
  • Jeffrey Michael Napper
  • Andre Jean Marie Surcouf
  • Roee Yankelevsky

Assignees

  • CISCO TECHNOLOGY, INC.

Dates

Publication Date: 2026-05-05
Application Date: 2024-01-30

Claims (20)

  1. A method comprising, by a cloud management system: receiving, from one or more microservices of the cloud management system, a plurality of records associated with a plurality of assets in a cloud system and one or more risks associated with one or more of the plurality of assets, wherein each of the one or more microservices of the cloud management system is configured to detect assets and their associated risks in corresponding cloud resources; identifying one or more inconsistencies within the plurality of records; initiating a reconcile process to resolve the one or more inconsistencies; determining that a condition for an attack-path analysis is satisfied; and triggering the attack-path analysis to identify one or more attack paths.
  2. The method of claim 1, wherein a particular microservice of the one or more microservices performs a scan of cloud resources corresponding to the particular microservice at a pre-determined interval, and wherein the particular microservice reports one or more records containing a result of the scan.
  3. The method of claim 1, wherein a particular microservice of the one or more microservices detects an event associated with cloud resources corresponding to the particular microservice, and wherein the particular microservice reports one or more records associated with the event.
  4. The method of claim 1, wherein a particular microservice of the one or more microservices performs a scan of cloud resources corresponding to the particular microservice based on a user input.
  5. The method of claim 1, further comprising: storing the plurality of records to a first database.
  6. The method of claim 1, wherein each of the plurality of records includes one or more timestamps.
  7. The method of claim 6, wherein: the one or more inconsistencies include an inconsistency between a first record reported by a first microservice and a second record reported by a second microservice; a first timestamp associated with the first record is older than a second timestamp associated with the second record; and the reconcile process includes: sending, to the first microservice, a request to update information of the first record; and receiving, from the first microservice, a third record that contains updated information of the first record.
  8. The method of claim 7, wherein: the reconcile process further includes displaying a user interface indicating the inconsistency between the first record reported by the first microservice and the second record reported by the second microservice; and the user interface further indicates that the inconsistency between the first record and the second record is being resolved.
  9. The method of claim 1, wherein the reconcile process includes: displaying a user interface indicating the one or more inconsistencies; receiving a user confirmation for resolving the one or more inconsistencies; sending, upon receiving the user confirmation, to the one or more microservices, requests to scan cloud resources; and receiving, from the one or more microservices, a plurality of updated records associated with the plurality of assets in the cloud and one or more risks associated with one or more of the plurality of assets.
  10. The method of claim 1, wherein the condition for the attack-path analysis includes a timeout for an analysis scheduled at a pre-determined interval, an identification of one or more inconsistencies within the plurality of records, or a detection of changes in assets or in risks.
  11. The method of claim 1, wherein the attack-path analysis comprises: identifying one or more vulnerabilities by processing the plurality of records associated with the plurality of assets and the one or more risks; constructing an asset dependency graph representing dependencies between the plurality of assets; and identifying one or more attack paths.
  12. The method of claim 11, wherein: the one or more vulnerabilities are stored in a second database; the asset dependency graph is maintained in a third database; and the one or more identified attack paths are maintained in a fourth database.
  13. The method of claim 1, wherein the attack-path analysis is performed based on information associated with previously known attack paths and their associated patterns.
  14. The method of claim 1, wherein the attack-path analysis is performed by a machine-learning model.
  15. The method of claim 1, further comprising: presenting the one or more identified attack paths to a user.
  16. A cloud management system comprising: one or more processors; and one or more computer-readable non-transitory storage media coupled to one or more of the processors and comprising instructions operable when executed by one or more of the processors to: receive, from one or more microservices of the cloud management system, a plurality of records associated with a plurality of assets in a cloud system and one or more risks associated with one or more of the plurality of assets, wherein each of the one or more microservices of the cloud management system is configured to detect assets and their associated risks in corresponding cloud resources; identify one or more inconsistencies within the plurality of records; initiate a reconcile process to resolve the one or more inconsistencies; determine that a condition for an attack-path analysis is satisfied; and trigger the attack-path analysis to identify one or more attack paths.
  17. The cloud management system of claim 16, wherein a particular microservice of the one or more microservices performs a scan of cloud resources corresponding to the particular microservice at a pre-determined interval, and wherein the particular microservice reports one or more records containing a result of the scan.
  18. The cloud management system of claim 16, wherein a particular microservice of the one or more microservices detects an event associated with cloud resources corresponding to the particular microservice, and wherein the particular microservice reports one or more records associated with the event.
  19. The cloud management system of claim 16, wherein a particular microservice of the one or more microservices performs a scan of cloud resources corresponding to the particular microservice based on a user input.
  20. One or more computer-readable non-transitory storage media embodying software that is operable when executed by a cloud management system to: receive, from one or more microservices of the cloud management system, a plurality of records associated with a plurality of assets in a cloud system and one or more risks associated with one or more of the plurality of assets, wherein each of the one or more microservices of the cloud management system is configured to detect assets and their associated risks in corresponding cloud resources; identify one or more inconsistencies within the plurality of records; initiate a reconcile process to resolve the one or more inconsistencies; determine that a condition for an attack-path analysis is satisfied; and trigger the attack-path analysis to identify one or more attack paths.

Description

PRIORITY

This application claims the benefit under 35 U.S.C. § 119(e) of U.S. Provisional Patent Application No. 63/608,420, filed 11 Dec. 2023, which is incorporated herein by reference.

TECHNICAL FIELD

The present disclosure relates generally to security in information systems, and more particularly, to addressing inconsistencies in attack paths.

BACKGROUND

A security solution may analyze an application that is being hosted on a cloud system to discover vulnerabilities, misconfigurations, and mishaps in that application, its cloud environment, the continuous integration and continuous delivery/continuous deployment (CI/CD) pipeline, and storage systems. Then, to understand what an attacker can do to that application, the security solution may find attack paths/kill chains to the application. The attack paths/kill chains represent steps attackers may take to steal central processing unit (CPU), create general mayhem in the application, and/or steal data. A cloud-native application protection platform (CNAPP) may be used to determine the attack paths. The CNAPP may need to present active attack paths in real-time or at least near real-time. If a customer deploys a container set with a series of critical vulnerabilities that enable hackers to get access to, for example, a set of credentials for the entire enterprise registry, that singular critical vulnerability has become a serious threat to the entire enterprise. Therefore, detecting the vulnerability in a timely manner would be highly important. However, presenting attack paths in real-time or near-real-time may be challenging because calculating attack paths is computationally and financially expensive.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates an example logical architecture of a cloud management system for identifying attack paths in near-real-time. FIG. 2 illustrates an example reconcile process. FIG. 3 illustrates an example user interface indicating one or more inconsistencies. FIG. 4 illustrates an example process flow of an attack-path analysis. FIG. 5 illustrates an example method for identifying one or more attack paths within a cloud system in near-real-time. FIG. 6 illustrates an example computing system.

DESCRIPTION OF EXAMPLE EMBODIMENTS

Overview

In one or more embodiments, a method, by a cloud management system, may include receiving a plurality of records associated with a plurality of assets in a cloud system and one or more risks associated with one or more of the plurality of assets from one or more microservices. The method may include identifying one or more inconsistencies within the plurality of records. The method may include initiating a reconcile process to resolve the one or more inconsistencies. The method may include determining that a condition for an attack-path analysis is satisfied. The method may further include triggering the attack-path analysis to identify one or more attack paths.

In particular embodiments, a particular microservice of the one or more microservices may perform a scan of cloud resources corresponding to the particular microservice at a pre-determined interval. The particular microservice may report one or more records containing a result of the scan. In other embodiments, a particular microservice of the one or more microservices may detect an event associated with cloud resources corresponding to the particular microservice. The particular microservice may report one or more records associated with the event. In yet other embodiments, a particular microservice of the one or more microservices may perform a scan of cloud resources corresponding to the particular microservice based on a user input. The particular microservice may report one or more records containing a result of the scan. In particular embodiments, the cloud management system may store the plurality of records to a first database. In particular embodiments, the plurality of records may include one or more timestamps.

In particular embodiments, the one or more inconsistencies may include an inconsistency between a first record reported by a first microservice and a second record reported by a second microservice. A first timestamp associated with the first record may be older than a second timestamp associated with the second record. The reconcile process may include sending a request to the first microservice to update information of the first record and receiving a third record from the first microservice that contains updated information of the first record. In particular embodiments, the reconcile process may further include displaying a user interface indicating the inconsistency between the first record reported by the first microservice and the second record reported by the second microservice. In particular embodiments, the user interface may further indicate that the inconsistency between the first record and the second record is being resolved. In particular embodiments, the reconcile process may include displaying a
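The timestamp-based reconcile process described above, together with the trigger condition of claim 10, as an added Python illustration that is not code from the patent or from Cisco; the record shape, the scanner names, the risk identifiers and the `rescan` callback are all constructed assumptions.

```python
"""Reconcile asset/risk records from independent scanner microservices before
triggering attack-path analysis (illustration; names and record shape assumed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    asset_id: str        # asset the scanner reported on
    source: str          # reporting microservice (assumed name)
    timestamp: int       # when the scanner observed the asset (seconds)
    risks: frozenset     # risk identifiers the scanner found on the asset


def find_inconsistencies(records):
    """Return (a, b) pairs: two microservices reporting the same asset
    with different risk sets, which is the inconsistency of claim 7."""
    by_asset = {}
    for r in records:
        by_asset.setdefault(r.asset_id, []).append(r)
    pairs = []
    for recs in by_asset.values():
        for i, a in enumerate(recs):
            for b in recs[i + 1:]:
                if a.source != b.source and a.risks != b.risks:
                    pairs.append((a, b))
    return pairs


def reconcile(records, rescan):
    """Resolve each inconsistency by asking the microservice that holds the
    older record to refresh it; `rescan(source, asset_id)` returns the
    updated ("third") record. Returns the reconciled record set."""
    current = {(r.source, r.asset_id): r for r in records}
    for a, b in find_inconsistencies(records):
        stale = a if a.timestamp < b.timestamp else b
        fresh = rescan(stale.source, stale.asset_id)
        current[(fresh.source, fresh.asset_id)] = fresh
    return list(current.values())


def analysis_due(now, last_run, interval, inconsistencies, changed):
    """Claim 10 condition: scheduled timeout, inconsistencies found,
    or a detected change in assets or risks."""
    return (now - last_run >= interval) or bool(inconsistencies) or changed
```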