(12) Patent Application Publication (10) Pub. No.: US 2017/0048266 A1
(43) Pub. Date: Feb. 16, 2017
Hovor et al.

(54) COMPUTER ASSET VULNERABILITIES
(71) Applicant: Accenture Global Services Limited, Dublin (IE)
(72) Inventors: Elvis Hovor, Clarksburg, MD (US); Shaan Mulchandani, Arlington, VA (US); Matthew Carver, Washington, DC (US)

(21) Appl. No.: 14/841,007

(22) Filed: Aug. 31, 2015

Related U.S. Application Data
(60) Provisional application No. 62/204,830, filed on Aug. 13, 2015.

Publication Classification

(51) Int. Cl.
H04L 29/06 (2006.01)

(52) U.S. Cl.
CPC ................................. H04L 63/1433 (2013.01)

(57) ABSTRACT
Methods, systems, and apparatus, including computer programs encoded on computer storage media, for determining a network path between computer assets. One of the methods includes receiving an asset topology that includes an identifier for each computer-related asset that may be an entry point for an attack simulation, receiving threat data that identifies vulnerabilities of computer-related assets, determining a first computer-related asset that may be an entry point for an attack simulation, identifying one or more first vulnerabilities of the first computer-related asset, determining a path from the first computer-related asset to a second computer-related asset, determining one or more second vulnerabilities of the second computer-related asset, determining a probability that the second computer-related asset will be compromised by an adversary, and determining a change to the asset topology to reduce the probability that the second computer-related asset will be compromised by an adversary.
`
`WIZ, Inc. EXHIBIT - 1085
`WIZ, Inc. v. Orca Security LTD.
`
`
`
Patent Application Publication    Feb. 16, 2017    Sheet 1 of 7    US 2017/0048266 A1

[Drawing sheet; the figure did not survive text extraction.]
`
Patent Application Publication    Feb. 16, 2017    Sheet 2 of 7    US 2017/0048266 A1

[Drawing sheet; the figure did not survive text extraction.]
`
Patent Application Publication    Feb. 16, 2017    Sheet 3 of 7    US 2017/0048266 A1

[Drawing sheet; the figure did not survive text extraction.]
`
Patent Application Publication    Feb. 16, 2017    Sheet 4 of 7    US 2017/0048266 A1

[Drawing sheet; the figure did not survive text extraction.]
`
Patent Application Publication    Feb. 16, 2017    Sheet 5 of 7    US 2017/0048266 A1

FIG. 4 (process 400)

402  Receive an asset topology that identifies one or more first computer assets, each of which is directly connected to a network that is not controlled by an entity without intervening hardware, and one or more second computer assets, each of which is not directly connected to a network that is not controlled by the entity
404  Receive threat data that identifies vulnerabilities of computer assets
406  Determine, using the asset topology, a first computer asset that is one of the first computer assets
408  Identify, using the threat data, one or more vulnerabilities of the first computer asset
410  Determine, using the asset topology and the threat data, a path from the first computer asset to a second computer asset that is one of the second computer assets
412  Determine, using the threat data, one or more vulnerabilities of the second computer asset
414  Determine a probability that the second computer asset will be compromised by an adversary
416  Determine, using the asset topology, a change to the asset topology to reduce the probability that the second computer asset will be compromised by an adversary
418  Provide information about the change to the asset topology for presentation to a user
420  Implement the change to the asset topology
422  Receive new threat data over a predetermined period of time
424  Determine, using the new threat data, paths from the first computer assets to the second computer assets over the predetermined period of time
426  Determine trends in the paths from the first computer assets to the second computer assets over the predetermined period of time
`
`
`
Patent Application Publication    Feb. 16, 2017    Sheet 6 of 7    US 2017/0048266 A1

FIG. 5 (process 500)

For at least one computer asset on a path between a first computer asset and a second computer asset:
502  Determine, using an asset topology, all of the subsequent computer assets directly connected to the computer asset, not including any computer assets used to access the computer asset
504  Determine, for each of the subsequent computer assets, one or more vulnerabilities of the subsequent computer asset
506  Determine, for each of the subsequent computer assets, using the vulnerabilities of the subsequent computer asset, a probability that the subsequent computer asset will be compromised by an adversary
508  Select a particular subsequent computer asset with the probability greater than the probabilities of the other subsequent computer assets as the next computer asset in the path between the first computer asset and the second computer asset
`
`
`
Patent Application Publication    Feb. 16, 2017    Sheet 7 of 7    US 2017/0048266 A1

[Drawing sheet; the figure did not survive text extraction.]
`
US 2017/0048266 A1
Feb. 16, 2017

COMPUTER ASSET VULNERABILITIES
`
BACKGROUND
[0001] Some entities in the security industry face an increasing necessity to understand the impact and priorities of cyber threats against entities, while being constrained by limited resources to respond by adapting controls and validating patches. For instance, some threat actors and vectors have a significantly disproportionate growth and presence compared to that of practical, scalable remediation approaches.
`
SUMMARY
[0002] In general, one innovative aspect of the subject matter described in this specification can be embodied in methods that include the actions of receiving an asset topology that identifies an entity's computer-related assets, how the computer-related assets are connected together via one or more networks controlled by the entity, and an identifier for each computer-related asset that is an external facing asset, wherein the asset topology identifies one or more first computer-related assets each of which is an external facing asset and one or more second computer-related assets each of which is not an external facing asset, receiving threat data that identifies vulnerabilities of computer-related assets, determining, using the identifiers for the computer-related assets that may be an entry point for an attack simulation, a first computer-related asset that is one of the first computer-related assets, identifying, using the threat data, one or more first vulnerabilities of the first computer-related asset, determining, using the asset topology and the threat data, a path from the first computer-related asset to a second computer-related asset that is one of the second computer-related assets, determining, using the threat data, one or more second vulnerabilities of the second computer-related asset, determining, using the one or more second vulnerabilities of the second computer-related asset, a probability that the second computer-related asset will be compromised by an adversary's device, determining, using the asset topology and the threat data, a change to the asset topology to reduce the probability that the second computer-related asset will be compromised by an adversary's device, and providing information about the change to the asset topology for presentation to a user or implementing the change to the asset topology. Other embodiments of this aspect include corresponding computer systems, apparatus, and computer programs recorded on one or more computer storage devices, each configured to perform the actions of the methods. A system of one or more computers can be configured to perform particular operations or actions by virtue of having software, firmware, hardware, or a combination of them installed on the system that in operation causes or cause the system to perform the actions. One or more computer programs can be configured to perform particular operations or actions by virtue of including instructions that, when executed by data processing apparatus, cause the apparatus to perform the actions.
`0003. In general, one innovative aspect of the subject
`matter described in this specification can be embodied in
`methods that include the actions of receiving an asset
`topology that identifies an entity's computer-related assets,
`how the computer-related assets are connected together via
`one or more networks controlled by the entity, and an
`
`identifier for each computer-related asset that may be an
`entry point for an attack simulation, wherein the asset
`topology identifies one or more first computer-related assets
`each of which is a potential entry point for an attack
`simulation and one or more second computer-related assets
`each of which is not a potential entry point for an attack
`simulation, receiving threat data that identifies vulnerabili
`ties of computer-related assets, determining, using the iden
`tifiers for the computer-related assets that may be an entry
`point for an attack simulation, a first computer-related asset
`that is one of the first computer-related assets, identifying,
`using the threat data, one or more first vulnerabilities of the
`first computer-related asset, determining, using the asset
`topology and the threat data, a path from the first computer
`related asset to a second computer-related asset that is one
`of the second computer-related assets, determining, using
`the threat data, one or more second Vulnerabilities of the
`second computer-related asset, determining, using the one or
`more second vulnerabilities of the second computer-related
`asset, a probability that the second computer-related asset
`will be compromised by an adversary, determining, using
`the asset topology and the threat data, a change to the asset
`topology to reduce the probability that the second computer
`related asset will be compromised by an adversary, and
`providing information about the change to the asset topology
`for presentation to a user or implementing the change to the
`asset topology. Other embodiments of this aspect include
`corresponding computer systems, apparatus, and computer
`programs recorded on one or more computer storage
`devices, each configured to perform the actions of the
`methods. A system of one or more computers can be
`configured to perform particular operations or actions by
`virtue of having software, firmware, hardware, or a combi
`nation of them installed on the system that in operation
`causes or cause the system to perform the actions. One or
`more computer programs can be configured to perform
`particular operations or actions by virtue of including
`instructions that, when executed by data processing appa
`ratus, cause the apparatus to perform the actions.
`0004. The foregoing and other embodiments can each
`optionally include one or more of the following features,
`alone or in combination. The method may include deter
`mining, for each of the first computer related assets and each
`of the second computer related assets, a path from the first
`computer related asset to the second computer related asset.
`The method may include receiving new threat data over a
`predetermined period of time, determining, using the new
`threat data, paths from the first computer related assets to the
`second computer related assets over the predetermined
`period of time, and determining trends in the paths from the
`first computer related assets to the second computer related
`assets over the predetermined period of time. Determining
`the trends in the paths from the first computer related assets
`to the second computer related assets over the predetermined
`period of time may include determining a recurring path of
`compromise that has a high probability that one or more
`assets on the recurring path will be compromised by an
`adversary’s device over at least a threshold value of times
`during the predetermined period of time.
`0005. In some implementations, the method may include
`determining, using the trends in the paths from the first
`computer related assets to the second computer related
`assets, a probability that a particular second computer
`related asset will be compromised by an adversary’s device
`
`
`
`US 2017/0048266 A1
`
`Feb. 16, 2017
`
`over the predetermined period of time that is greater than
`probabilities that the other second computer related assets
`will be compromised by an adversary’s device over the
`predetermined period of time, and determining, using the
`asset topology and the new threat data, a change to the asset
`topology to reduce the probability that the particular second
`computer related asset will be compromised by an adver
`sary's device. The method may include providing informa
`tion about the change to the asset topology for presentation
`to a user. The method may include implementing the change
`to the asset topology. Determining, using the asset topology
`and the new threat data, a change to the asset topology to
`reduce the probability that the particular second computer
`related asset will be compromised by an adversary’s device
`may include determining a software update to apply to one
`of the computer related assets identified by the asset topol
`ogy. Implementing the change to the asset topology may
`include applying the Software update to the one of the
`computer related assets identified by the asset topology.
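The trend analysis of paragraphs [0004] and [0005] (recurring paths over a period, the second asset most at risk over that period) can be implemented over the per-period output of the path analysis. The following Python example was added by the editor of this page and is not the patent's or Accenture's code. The path history, asset names and probabilities are constructed sample data; treating periods as independent when combining per-period probabilities, and comparing the first and last period to call a trend, are assumptions the patent text does not specify.

```python
from collections import defaultdict
from math import prod

# Constructed sample history: one record per (period, path, probability), as produced by
# re-running the path analysis each time new threat data arrived. Each path runs from a
# first (external facing) asset to a second (internal) asset; asset names are hypothetical.
PATH_HISTORY = [
    (1, ("wifi-router", "web-portal", "app-server", "hr-db"), 0.62),
    (1, ("wifi-router", "jump-host", "payroll-db"), 0.18),
    (2, ("wifi-router", "web-portal", "app-server", "hr-db"), 0.71),
    (2, ("wifi-router", "jump-host", "payroll-db"), 0.22),
    (3, ("wifi-router", "web-portal", "app-server", "hr-db"), 0.58),
    (3, ("wifi-router", "jump-host", "app-server", "payroll-db"), 0.35),
    (4, ("wifi-router", "web-portal", "app-server", "hr-db"), 0.44),
    (4, ("wifi-router", "jump-host", "app-server", "payroll-db"), 0.41),
]


def recurring_paths(history, high_probability, threshold_count):
    """[0004]: paths whose probability of compromise reached `high_probability` in at
    least `threshold_count` distinct periods, most frequent first."""
    hits = defaultdict(set)
    for period, path, p in history:
        if p >= high_probability:
            hits[path].add(period)
    recurring = [path for path, periods in hits.items() if len(periods) >= threshold_count]
    return sorted(recurring, key=lambda path: (-len(hits[path]), path))


def per_period_probability(history):
    """Highest probability seen for each second asset in each period
    (the second asset is the last element of the path)."""
    best = defaultdict(dict)
    for period, path, p in history:
        asset = path[-1]
        best[asset][period] = max(p, best[asset].get(period, 0.0))
    return best


def riskiest_second_asset(history):
    """[0005]: the second asset with the greatest probability of compromise over the whole
    period. Assumption: periods are independent, so P(compromised at least once)
    = 1 - prod(1 - p_period)."""
    overall = {asset: 1.0 - prod(1.0 - p for p in by_period.values())
               for asset, by_period in per_period_probability(history).items()}
    asset = max(overall, key=overall.get)
    return asset, overall[asset]


def trend(history, asset):
    """Direction of change for one second asset: compares the last period with the first."""
    by_period = per_period_probability(history)[asset]
    first, last = by_period[min(by_period)], by_period[max(by_period)]
    if last > first:
        return "rising"
    if last < first:
        return "falling"
    return "flat"


if __name__ == "__main__":
    for path in recurring_paths(PATH_HISTORY, high_probability=0.5, threshold_count=3):
        print("recurring path:", " -> ".join(path))
    asset, p = riskiest_second_asset(PATH_HISTORY)
    print("riskiest second asset over the period: %s (%.3f, %s)" % (asset, p, trend(PATH_HISTORY, asset)))
```

In the sample history the hr-db path is the recurring path (probability at or above 0.5 in three of four periods) even though its probability is falling, while the payroll-db probability is rising; both facts are worth surfacing, since a change to the topology chosen on the latest period alone would miss the trend.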
`0006. In some implementations, the method may include
`determining, for the one or more first vulnerabilities, a first
`probability that the Vulnerability will be compromised by an
`adversary's device. Determining, using the asset topology
`and the threat data, the path from the first computer related
`asset to the second computer related asset may include
`determining, for each computer related asset on the path
`between the first computer related asset and the second
`computer related asset, one or more vulnerabilities for the
`computer related asset, and determining, for the one or more
`Vulnerabilities of the computer related asset, corresponding
`probabilities that the computer related asset will be com
`promised by an adversary’s device. The method may include
`for at least one of the computer related assets on the path
`between the first computer related asset and the second
`computer related asset: determining, using the asset topol
`ogy, all of Subsequent computer related assets directly
`connected to the computer related asset not including any
`computer related assets used to access the computer related
`asset, determining, for each of the Subsequent computer
`related assets, one or more Vulnerabilities of the Subsequent
`computer related asset, determining, for each of the Subse
`quent computer related assets using the Vulnerabilities of the
`Subsequent computer related asset, a probability that the
`Subsequent computer related asset will be compromised by
`an adversary's device, and selecting a particular Subsequent
`computer related asset with the probability greater than the
`probabilities of the other subsequent computer related assets
`as the next computer related asset in the path between the
`first computer related asset and the second computer related
`asset. Determining, using the one or more Vulnerabilities of
`the second computer related asset, the probability that the
`second computer related asset will be compromised by an
`adversary's device may include determining, using the path
`from the first computer related asset to the second computer
`related asset, the first probability, and the one or more
`second Vulnerabilities of the second computer related asset,
`the probability that the second computer related asset will be
`compromised by an adversary's device.
`0007. In some implementations, determining the prob
`ability that the second computer related asset will be com
`promised by an adversary's device may include determining
`a score that represents the probability. Determining the
`probability that the second computer related asset will be
`compromised by an adversary's device may include deter
`
`mining a percentage probability. Determining the probabil
`ity that the second computer related asset will be compro
`mised by an adversary's device may include determining,
`for each of the Vulnerabilities of the second computer related
`asset, a particular probability, and combining all of the
`particular probabilities for the Vulnerabilities of the second
`computer related to determine the probability that the second
`computer related asset will be compromised by an adver
`sary’s device. The method may include providing the prob
`ability for presentation to a user. Receiving the asset topol
`ogy that identifies the entity's computer related assets may
`include receiving data input by a user that identifies the asset
`topology. Receiving the asset topology that identifies the
`entity's computer related assets may include analyzing one
`or more computer networks of the entity to determine the
`asset topology.
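Paragraphs [0006] and [0007], together with steps 410 to 416 of FIG. 4 and steps 502 to 508 of FIG. 5, describe one procedure: combine each asset's vulnerability probabilities into one per-asset probability, walk the topology from the entry asset by repeatedly selecting the directly connected asset with the highest probability (excluding assets already used to reach the current one), derive the probability that the target asset is compromised from the path, and find the change (here, a software update that removes one vulnerability) that lowers it most. The following Python example was added by the editor of this page to show that procedure end to end; it is not the patent's or Accenture's code. The asset names, vulnerability identifiers, probabilities and topology are constructed sample inputs. Two rules the patent leaves unspecified are assumptions here: vulnerabilities of one asset are treated as independent (so the per-asset probability is 1 - prod(1 - p_i)), and the probability that the target is compromised is the product of the per-asset probabilities along the path. The example also goes slightly beyond the text by considering only next hops from which the target is still reachable, so that the greedy selection cannot wander into a dead end.

```python
from __future__ import annotations

from math import prod

# Constructed sample asset topology: directed edges "asset -> assets it gives access to".
# "wifi-router" is the external facing (first) asset; the databases are internal (second) assets.
TOPOLOGY: dict[str, list[str]] = {
    "wifi-router": ["web-portal", "jump-host"],
    "web-portal": ["app-server", "jump-host"],
    "jump-host": ["app-server", "hr-db"],
    "app-server": ["hr-db", "payroll-db"],
    "hr-db": [],
    "payroll-db": [],
}

# Constructed sample threat data: per asset, (vulnerability id, probability an adversary exploits it).
THREAT_DATA: dict[str, list[tuple[str, float]]] = {
    "wifi-router": [("default-creds", 0.5), ("wps-brute-force", 0.3)],
    "web-portal": [("sqli", 0.4)],
    "jump-host": [("weak-ssh-password", 0.2)],
    "app-server": [("deserialization-rce", 0.6), ("outdated-tls", 0.1)],
    "hr-db": [("unpatched-dbms", 0.3)],
    "payroll-db": [("weak-service-account", 0.25)],
}


def asset_probability(vulns: list[tuple[str, float]]) -> float:
    """[0007]: combine the per-vulnerability probabilities of one asset into one probability.
    Assumption: independent vulnerabilities, so P = 1 - prod(1 - p_i); no vulnerabilities gives 0."""
    return 1.0 - prod(1.0 - p for _, p in vulns)


def reaches(topology, start: str, target: str, blocked: set[str]) -> bool:
    """True if `target` can be reached from `start` without passing through `blocked` assets."""
    stack, seen = [start], set(blocked)
    while stack:
        node = stack.pop()
        if node == target:
            return True
        if node in seen:
            continue
        seen.add(node)
        stack.extend(topology.get(node, []))
    return False


def next_asset(topology, threat_data, current: str, target: str, visited: set[str]):
    """FIG. 5 steps 502-508: among the assets directly connected to `current`, excluding those
    already used to reach it, select the one with the highest compromise probability.
    Added restriction (assumption): only candidates from which `target` is still reachable count."""
    candidates = [a for a in topology.get(current, [])
                  if a not in visited and reaches(topology, a, target, visited)]
    if not candidates:
        return None
    return max(candidates, key=lambda a: asset_probability(threat_data.get(a, [])))


def find_path(topology, threat_data, first: str, second: str) -> list[str] | None:
    """FIG. 4 step 410: build the path from the first (entry) asset to the second asset."""
    path, visited = [first], {first}
    while path[-1] != second:
        nxt = next_asset(topology, threat_data, path[-1], second, visited)
        if nxt is None:
            return None
        path.append(nxt)
        visited.add(nxt)
    return path


def path_probability(threat_data, path: list[str]) -> float:
    """FIG. 4 step 414. Assumption: every hop must be compromised in turn, so the probability
    that the last asset is compromised is the product of the per-asset probabilities."""
    return prod(asset_probability(threat_data.get(a, [])) for a in path)


def rank_mitigations(topology, threat_data, first: str, second: str):
    """FIG. 4 step 416 / [0005]: for every (asset, vulnerability) on the current path, remove that
    vulnerability (i.e. apply a software update), recompute the path, and rank the candidate
    updates by the resulting probability that `second` is compromised, lowest first."""
    path = find_path(topology, threat_data, first, second)
    if path is None:
        return []
    ranked = []
    for asset in path:
        for vuln_id, _ in threat_data.get(asset, []):
            patched = dict(threat_data)
            patched[asset] = [(v, p) for v, p in threat_data[asset] if v != vuln_id]
            new_path = find_path(topology, patched, first, second)
            new_prob = path_probability(patched, new_path) if new_path else 0.0
            ranked.append((new_prob, asset, vuln_id))
    return sorted(ranked)


if __name__ == "__main__":
    route = find_path(TOPOLOGY, THREAT_DATA, "wifi-router", "payroll-db")
    print("path:", " -> ".join(route))
    print("P(payroll-db compromised): %.4f" % path_probability(THREAT_DATA, route))
    for new_prob, asset, vuln_id in rank_mitigations(TOPOLOGY, THREAT_DATA, "wifi-router", "payroll-db"):
        print("patch %-22s on %-12s -> %.4f" % (vuln_id, asset, new_prob))
```

Note that removing a vulnerability can change the greedy path itself, not just its probability: in the sample data, patching the deserialization flaw on app-server makes jump-host the preferred hop out of web-portal, and the recomputed path is what the ranking scores. Patching the target's own vulnerability always ranks first under the product rule, which is why a practitioner would read the whole ranking rather than only its head.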
`0008. In some implementations, receiving the asset topol
`ogy that identifies the entity's computer related assets may
`include receiving the asset topology that identifies the one or
`more first computer related assets each of which is directly
`connected to a network that is not controlled by the entity
`without intervening hardware and the one or more second
`computer related assets each of which is not directly con
`nected to a network that is not controlled by the entity.
`Receiving the asset topology that identifies the entity's
`computer related assets may include receiving the asset
`topology and an identifier for at least one of the first
`computer related assets that is directly connected to the
`Internet. Receiving the asset topology that identifies the
`entity's computer related assets may include receiving the
`asset topology and an identifier for at least one of the first
`computer related assets that is a wireless router.
`0009. In some implementations, the method may include
`determining, for each of the computer-related assets, a
`category to which the computer-related asset belongs, deter
`mining, for a particular category from the determined cat
`egories, paths from an external facing asset to each of the
`assets in the category, and determining, using the paths from
`the external facing asset to each of the assets in the category,
`a category probability of compromise for the particular
`category. The method may include comparing the category
`probability of compromise for the particular category with a
`second category probability of compromise for a second
`category, ranking the particular category and the second
`category using the category probability of compromise and
`the second category probability of compromise, and gener
`ating instructions for the presentation of a user interface that
`includes the ranking of the particular category and the
`second category. Determining, for each of the computer
`related assets, the category to which the computer-related
`asset belongs may include determining, for each of the
`computer-related assets, a business function of the entity to
`which the computer-related asset belongs, and determining,
`for the particular category from the determined categories,
`the paths from the external facing asset to each of the assets
`in the category may include determining, for a particular
`business function from the determined business functions,
`the paths from the external facing asset to each of the assets
`in the category. The method may include determining, for
`the particular business function, an overall probability of
`impact to the particular business function using probabilities
`that the computer-related assets which belong to the par
`ticular business function will be compromised by an adver
`sary's device. Determining, for each of the computer-related
`
`
`
`US 2017/0048266 A1
`
`Feb. 16, 2017
`
`assets, the category to which the computer-related asset
`belongs may include determining, for each of the computer
`related assets, the category to which the computer-related
`asset belongs using a network topology of the computer
`related assets.
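The category ranking of paragraph [0009] starts from the per-asset probabilities that the path analysis produces and aggregates them per category or business function. The following Python example was added by the editor of this page and is not the patent's or Accenture's code. The asset rows (name, business function, priority, compromise probability) are constructed sample data. The patent does not say how per-asset probabilities combine into a category probability or an "overall probability of impact"; the two rules used here (a category is compromised when any member asset is, with independent members; impact is a priority-weighted mean) are assumptions, and the text table stands in for the user interface the patent describes.

```python
from collections import defaultdict
from math import prod

# Constructed sample asset threat model rows: (asset, business function, priority 1..5,
# probability the asset is compromised as produced by the path analysis of FIG. 4).
ASSETS = [
    ("hr-portal",    "human-resources", 4, 0.40),
    ("hr-db",        "human-resources", 5, 0.05),
    ("payroll-app",  "payroll",         5, 0.12),
    ("payroll-db",   "payroll",         5, 0.04),
    ("wiki",         "engineering",     2, 0.55),
    ("build-server", "engineering",     4, 0.20),
]


def by_category(assets):
    """Group rows by business function (the category of [0009])."""
    groups = defaultdict(list)
    for asset, category, priority, p in assets:
        groups[category].append((asset, priority, p))
    return groups


def category_probability(members):
    """Category probability of compromise. Assumption: the category is compromised when any
    member asset is, and member compromises are independent, so P = 1 - prod(1 - p_i)."""
    return 1.0 - prod(1.0 - p for _, _, p in members)


def business_function_impact(members):
    """Overall probability of impact to the business function. Assumption: priority-weighted
    mean of member probabilities, so a likely compromise of a low-priority asset counts for
    less than an equally likely compromise of a high-priority one."""
    total = sum(priority for _, priority, _ in members)
    return sum(priority * p for _, priority, p in members) / total


def rank_categories(assets):
    """Rank categories by probability of compromise, breaking ties by impact."""
    rows = []
    for category, members in by_category(assets).items():
        rows.append({
            "category": category,
            "p_compromise": category_probability(members),
            "impact": business_function_impact(members),
            "assets": [asset for asset, _, _ in members],
        })
    return sorted(rows, key=lambda r: (-r["p_compromise"], -r["impact"]))


def render_ranking(rows):
    """Text rendering of the ranking, standing in for the user interface of [0009]."""
    lines = ["rank  category          P(compromise)  impact  assets"]
    for rank, r in enumerate(rows, 1):
        lines.append("%-5d %-17s %13.3f  %.3f  %s"
                     % (rank, r["category"], r["p_compromise"], r["impact"], ", ".join(r["assets"])))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_ranking(rank_categories(ASSETS)))
```

With the sample data the engineering function ranks first on probability of compromise (a likely compromise of a low-priority wiki), while human resources carries the higher priority-weighted impact; presenting both columns lets the user see which ranking a budget decision is following.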
`0010. In some implementations, the method may include
`determining a particular computer-related asset or a type of
`computer-related assets that are a potential target of an
`attack by the adversary’s device, wherein determining the
`path from the first computer related asset to the second
`computer related asset that is one of the second computer
`related assets may include determining a path from the first
`computer-related asset to the particular computer-related
`asset, or determining a path from the first computer-related
`asset to the second computer related asset that includes at
`least one computer-related asset of the type of computer
`related assets that are a potential target of the attack.
`Determining the particular computer-related asset or the
`type of computer-related assets that are the potential target
`of an attack by the adversary's device may include deter
`mining the particular computer-related asset or the type of
`computer-related assets that are the potential target of an
`attack by the adversary's device using the threat data.
`Determining the particular computer-related asset or the
`type of computer-related assets that are the potential target
`of an attack by the adversary's device may include deter
`mining the type of computer-related assets that Support a
`particular business function of an entity. The method may
`include determining a type of computer-related assets that
`are a potential target of an attack by the adversary's device,
`wherein determining the path from the first computer related
`asset to the second computer related asset that is one of the
`second computer related assets may include determining a
`path from the first computer-related asset to the second
`computer related asset that includes only computer-related
`asset of the type of computer-related assets that are a
`potential target of the attack, both the first computer-related
`asset and the second computer related asset being of the type
`of computer-related assets that are a potential target of the
`attack.
`0011. The subject matter described in this specification
`can be implemented in particular embodiments and may
`result in one or more of the following advantages. In some
`implementations, a system may use threat data and an asset
`topology to determine how to change the asset topology
`most effectively, e.g., when a new asset should be placed in
`the asset topology. In some implementations, a system as
`described below may determine whether security assets,
`e.g., firewalls or intrusion detection systems, are being
`utilized optimally or if certain configuration changes result
`in a reduced probability of attack, e.g., a reduced attack
`Surface. In some implementations, a system as described
`below may verify that desired or implemented security
`policies are in effect, e.g., for audit or compliance purposes.
`In some implementations, a system as described below may
`determine whether certain assets should be reconfigured or
`eliminated, e.g., without affecting business objectives, to
`reduce a probability of attack, e.g., result in a reduced attack
`Surface. In some implementations, a system as described
`below may determine where gaps in System defenses exist
`that may not be further mitigated by existing security assets
`or solutions. The system may utilize gap information to
`determine how to allocate or prioritize, or both, budgets for
`new security Solutions.
`
`0012. The details of one or more implementations of the
`subject matter described in this specification are set forth in
`the accompanying drawings and the description below.
`Other features, aspects, and advantages of the Subject matter
`will become apparent from the description, the drawings,
`and the claims.
`
BRIEF DESCRIPTION OF THE DRAWINGS
[0013] FIGS. 1A-B show an asset topology for an entity that includes an entity network and a non-entity network.
[0014] FIG. 2 shows an environment in which a system generates an asset threat model using an asset inventory and threat data.
[0015] FIG. 3 shows an environment in which a cyber-risk system uses threat data and an asset topology to simulate attacks on the assets in the asset topology.
[0016] FIG. 4 is a flow diagram of a process for determining vulnerabilities of computer assets.
[0017] FIG. 5 is a flow diagram of a process for generating a path through an asset topology.
[0018] FIG. 6 is a block diagram of a computing system that can be used in connection with computer-implemented methods described in this document.
[0019] Like reference numbers and designations in the various drawings indicate like elements.
`
DETAILED DESCRIPTION
[0020] A system may receive threat data, describing asset vulnerabilities, ways in which those vulnerabilities are exploited, frequencies of exploit utilization and success, and likely paths of compromise, and receive data that defines assets of an entity and which assets provide access to which of the other assets of the entity, e.g., an asset topology. The assets may be hardware, software, accounts, e.g., user accounts, and other types of assets. The assets may be publicly accessible or discoverable, e.g., a web portal served by one or more applications, or a server that can be accessed remotely via SSH. In some examples, a system may include mechanisms to restrict access to at least some of the assets to a specific set of people. The system uses the threat data to simulate attacks on the assets starting with assets that are accessible from networks that are not managed by the entity or assets that are otherwise accessible to people who do not work for the entity, e.g., wireless routers or web based accounts.
[0021] The system simulates an attack by determining the probability that a particular asset will be attacked and the probability that an attack will be successful. For instance, the system may select a particular external facing asset that is connected to an external network or is otherwise accessible to people who do not work for the entity, and determine, using the threat data, the probability that vulnerabilities of the particular external facing asset will be compromised by an adversary. The system determines the assets connected to the particular external facing asset and, for each of those assets, may determine probabilities that the assets will be targeted by the adversary. The system determines, using the threat data, probabilities that each of those assets will be compromised by an adversary. In some implementations, the probabilities that those assets will be targeted may be based on or related to the probabilities that the assets will be compromised, e.g., an asset with a higher probability of being compromised may have a higher probability of being targeted.
`0022. The system determines the probabilities for mul
`tiple assets, making a "path’ through the assets from the
`particular external facing asset to a current asset, e.g., an
`asset currently being analyzed by the system. The system
`uses the path to determine particular weaknesses in the asset
`topology for the entity. The system may use a path, or
`multiple paths determined during a single simulation or
`multiple simulations, to determine where a new asset should
`be placed in the asset topology, such as a firewall to provide
`additional protection for a particular critical asset of the
`entity, or likely paths that an adversary may take if they gain
`access to the entity's assets.
`0023. When performing multiple simulations, the system
`may receive new threat data over time indicating changes to
`the threats of the entity's assets and other assets. The system
`may model the changes to the Vulnerabilities or paths of
`attack, or both, over time and present the model or infor
`mation about the model to a user. In some implementations,
`the system may use the model to determine recommended
`changes to the entity's assets, such as new policies, new
`assets that should be acquired by the entity, or a particular
`location in the asset topology at which to place a particular
`asset that will maximize the efficiency or benefits provided
`by the particular asset, Such as a firewall.
`0024. In some implementations, a system may build a
`cyber-risk model using current threat intelligence data and
`information about assets and their interdependencies
`through a Software defined infrastructure. The system may
`use a multi-dimensional probabilistic approach to determine
`potential paths of compromise that pose the greatest risk, the
`business impacts of the paths of compromise to an entity,
`and prioritized, contextualized courses of action that are
`actionable, given resource constraints, to reduce the risk of
`potential paths of compromise.
`0025. The system may create an asset topology and use
`the asset topology with threat data to determine an asset
`threat model. The asset threat model may indicate assets,
`categories, priorities of assets, asset degrees of separation
`from an edge, e.g., a network edge, Vulnerabilities, and
`severities of the Vulnerabilities. Categories may represent
`how assets align with or map to business processes used by
`an entity. For instance, a particular server may be used for
`human resources or payroll operations and the system may
`associate the particular server with a corresponding human
`resources category. The categories may indicate a priority of
`the corresponding assets. For example, assets assigned to the
`human resources category may have personally identifiable
`information and a high priority for protection.
`0026. In some implementations, the asset topology may
`be a hierarchical, interconnected, graph that shows relation
`ships between an entity's assets. The system may assign
`each asset a functional category and a priority, e.g., based on
`importance to the entity. The system may use exploit targets
`to determine a quantity and a severity of Vulnerabilities;
`incidents to determine a probability of attack severity and
`Success; and adversary tactics, techniques, and procedures
`(TTPs) to determine attack paths and prioritizations of the
`attack paths.
`0027. In some implementations, a system may use adap
`tive Markov Chain Monte Carlo (MCMC) simulations. The
`system may determine, using the simulations or some of the
`
`simulations, information about how various factors impact
`the simulation, number of simulations runs used to analyze
`particular paths or Vulnerabilities or both, and Success prob
`abilities of an attack, e.g., an overall probability for an attack
`or that particular assets are attacked or compromised or both.
`Some implementations of the factors that impact the simu
`lation may include an asset's degrees of separation from the
`edge, severity and recency of Vulnerabilities, and indicator
`or observable confidence. For instance, the system may
`determine to perform more simulations that take advantage
`of more severe vulnerabilities than simulations that take
`advantage of less severe Vulnerabilities, e.g., in an exponen
`tially decreasing manner.
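Paragraph [0027] describes estimating attack success probabilities by repeated simulation rather than by the closed-form path product, with severe vulnerabilities exercised more often than minor ones. The following Python example was added by the editor of this page and is not the patent's or Accenture's code; it is a plain Monte Carlo attack simulation, not the adaptive MCMC the patent names. The topology, vulnerability identifiers, severities and success probabilities are constructed sample data. Two rules are assumptions: on each asset the adversary picks one vulnerability to attempt with weight 2 raised to its severity (standing in for the "exponentially decreasing" allocation), and an asset whose attempt fails is not retried from another neighbour in the same run. The same per-run results also give the frequency with which two assets fall in the same run, which is one reading of the simultaneous-breach figure mentioned in the next paragraph.

```python
import random

# Constructed sample topology: directed edges from an asset to the assets it gives access to.
TOPOLOGY = {
    "wifi-router": ["web-portal", "jump-host"],
    "web-portal": ["app-server"],
    "jump-host": ["app-server", "hr-db"],
    "app-server": ["hr-db", "payroll-db"],
    "hr-db": [],
    "payroll-db": [],
}

# Constructed sample threat data per asset:
# (vulnerability id, CVSS-style severity 0..10, probability that one exploit attempt succeeds).
VULNS = {
    "wifi-router": [("default-creds", 9.8, 0.6), ("wps-brute-force", 5.3, 0.3)],
    "web-portal": [("sqli", 8.6, 0.4)],
    "jump-host": [("weak-ssh-password", 7.5, 0.2)],
    "app-server": [("deserialization-rce", 9.9, 0.5), ("outdated-tls", 3.1, 0.05)],
    "hr-db": [("unpatched-dbms", 7.2, 0.3)],
    "payroll-db": [("weak-service-account", 6.5, 0.25)],
}


def choose_vulnerability(rng, vulns):
    """Assumption standing in for the patent's exponentially decreasing allocation: a
    vulnerability is attempted with weight 2**severity, so a 9.9 is tried about 100x
    more often than a 3.1 on the same asset."""
    weights = [2.0 ** severity for _, severity, _ in vulns]
    return rng.choices(vulns, weights=weights, k=1)[0]


def simulate_once(rng, topology, vulns, entry):
    """One attack simulation: the adversary starts at the entry asset and, from every asset
    it compromises, attempts every directly connected asset not yet attempted. An asset
    with no known vulnerabilities is never compromised. Returns the compromised set."""
    compromised, attempted, frontier = set(), set(), [entry]
    while frontier:
        asset = frontier.pop()
        if asset in attempted:
            continue  # assumption: one attempt per asset per run, whichever neighbour reached it
        attempted.add(asset)
        candidates = vulns.get(asset, [])
        if not candidates:
            continue
        _, _, p_success = choose_vulnerability(rng, candidates)
        if rng.random() < p_success:
            compromised.add(asset)
            frontier.extend(topology.get(asset, []))
    return frozenset(compromised)


def simulate(topology, vulns, entry, runs=20000, seed=1):
    """Run `runs` independent simulations with a fixed seed; returns one compromised set per run."""
    rng = random.Random(seed)
    return [simulate_once(rng, topology, vulns, entry) for _ in range(runs)]


def frequency(results, asset):
    """Fraction of runs in which `asset` was compromised: the simulated success probability."""
    return sum(1 for r in results if asset in r) / len(results)


def joint_frequency(results, assets):
    """Fraction of runs in which every asset in `assets` was compromised (simultaneous breach)."""
    return sum(1 for r in results if all(a in r for a in assets)) / len(results)


if __name__ == "__main__":
    results = simulate(TOPOLOGY, VULNS, "wifi-router")
    for asset in TOPOLOGY:
        print("%-12s compromised in %.3f of runs" % (asset, frequency(results, asset)))
    print("hr-db and payroll-db in the same run: %.3f" % joint_frequency(results, ["hr-db", "payroll-db"]))
```

Because the simulation attempts every reachable neighbour, an internal asset with two ways in (app-server via web-portal or via jump-host) comes out more likely to fall than any single greedy path predicts; comparing that frequency with the single-path product is a quick check on how much the path approximation understates risk for a given topology.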
`0028. The system may use the simulations to determine
`an impact and probability of simultaneous breaches, com
`promise-latency based on multiple assets succumbing to the
`same or similar vulnerabilities, or both. The system may use
`previous knowledge, e.g., determined from previous simu
`lations, in multi-step attacks that is char