We’ve achieved a significant milestone in transforming the offensive security space with the recent grant of a patent on our innovative technique known as perceptual analysis (US Patent No. 11,218,496), invented by Principal Researchers Rob Ragan and Oscar Salazar. Officially, the U.S. Patent and Trademark Office refers to this technique as the application of computer visual classification to security events, but in the spirit of brevity we’ll refer to it as “perceptual analysis.”
Astute observers may recognize this terminology; its inventors featured the technique in their AppSec California presentation in January 2019 titled, “Pose a Threat: How Perceptual Analysis Helps Bug Hunters.” While Rob and Oscar were excited to share this technique during their presentation, the “secret sauce” of the invention was withheld given our intent to formally apply for a patent and incorporate the technology into our award-winning Cosmos platform.
So, What is Perceptual Analysis?
Security teams have long leveraged open source tools such as Amass and DirBuster to find security vulnerabilities. While those tools help improve accuracy by mapping attack surfaces and performing asset discovery, they do not scale as effectively as many organizations need. That problem is compounded by differences in how individual testers assess a target, which can easily create gaps in coverage. Imagine a large spreadsheet where multiple testers are updating attack targets — it is easy to see how confusion and mishaps occur.
Traditional scanners also have limits to their effectiveness, primarily because they require in-depth knowledge of each issue to write a signature and they don’t perform well in finding unknown issues. Changes in the target environment also add to the complexity, as modern security postures are not static. Dynamic load balancers and virtual hosting mean penetration testers cannot rely on IP addresses alone to assemble their target lists.
But what if there were a better way that not only solved all the problems described above, but also required nothing more than a target and a path to find potential (and unknown) exposures? The answer lies in screenshots. No, seriously.
Perceptual analysis makes it easy for humans to analyze the screenshots produced during fuzzing and brute-force testing. It visually reveals anomalies and outliers that could indicate a vulnerability. This technique creates a new method that can speed testing, find previously unknown critical exposures without exact signatures, improve accuracy, and create a continuously refreshed target list and asset inventory. When applied at scale, it can reduce millions of results to thousands of vulnerable candidates – and do it quickly. It is the rare technology that improves testing accuracy and coverage while also reducing false positives. Future enhancements include more automation, optical character recognition that can filter based on text in the screenshot, and machine learning to sort initial results into more granular categorizations.
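The outlier-hunting idea above, as an added example that is not Bishop Fox's code or the patented method: each screenshot is reduced to a difference hash (dHash), hashes are clustered by Hamming distance, and the captures that look like every other response fall away while the lone outlier is what a tester opens. The screenshots here are constructed 32x32 grayscale grids standing in for real captures, and the 4-bit threshold is an assumption tuned to them.

```python
"""Triage fuzzing screenshots by perceptual similarity and surface the outliers.
Added example, not the patented implementation: difference hash (dHash) per image,
greedy clustering by Hamming distance, singleton clusters flagged for human review."""

def downscale(img, w, h):
    """Box-average a grayscale grid (list of rows of 0-255 ints) down to w x h cells."""
    sh, sw = len(img), len(img[0])
    cells = []
    for y in range(h):
        ys = range(y * sh // h, max((y + 1) * sh // h, y * sh // h + 1))
        row = []
        for x in range(w):
            xs = range(x * sw // w, max((x + 1) * sw // w, x * sw // w + 1))
            block = [img[yy][xx] for yy in ys for xx in xs]
            row.append(sum(block) / len(block))
        cells.append(row)
    return cells

def dhash(img, size=8):
    """One bit per cell, set when the cell is brighter than its right-hand neighbour."""
    bits = 0
    for row in downscale(img, size + 1, size):
        for x in range(size):
            bits = (bits << 1) | int(row[x] > row[x + 1])
    return bits

def cluster(hashes, threshold):
    """Greedy grouping: join the first cluster whose representative is within threshold bits."""
    clusters = []
    for i, h in enumerate(hashes):
        for c in clusters:
            if bin(h ^ hashes[c[0]]).count("1") <= threshold:
                c.append(i)
                break
        else:
            clusters.append([i])
    return clusters

def outliers(screens, threshold=4):
    """Indices of screenshots that cluster with nothing else: the ones a human should open."""
    return [c[0] for c in cluster([dhash(s) for s in screens], threshold) if len(c) == 1]

def make_screenshot(kind, offset=0):
    """Constructed 32x32 grayscale 'capture': dark header band over a light body.
    'error' pages differ only by a slightly shifted text block; 'form' has a big dark panel."""
    img = [[30 if y < 4 else 240 for _ in range(32)] for y in range(32)]
    y0, y1, x0, x1, shade = (8 + offset, 11 + offset, 2, 14, 120) if kind == "error" else (10, 28, 6, 28, 60)
    for y in range(y0, y1):
        for x in range(x0, x1):
            img[y][x] = shade
    return img

# Constructed batch: three near-identical error pages and one response that renders differently.
SCREENS = [make_screenshot("error", k) for k in (0, 1, 2)] + [make_screenshot("form")]
```

Running `outliers(SCREENS)` returns `[3]`: the three error pages collapse into one cluster and only the odd response is left for review.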
“As cybersecurity challenges increase in complexity and intensity, we are seeing commensurate demand for the innovative solutions we are bringing to market through our Cosmos platform and continuous offensive security offerings. By assembling the best technical minds in the industry and drawing upon insights gleaned from thousands of customer environments, Bishop Fox is driving innovation and fueling the expansion of our offerings to stay ahead of attackers, which is incredibly rewarding.”
- Vinnie Liu, Co-founder & CEO, Bishop Fox
The Future of Offensive Security
Despite 700K professionals entering the cybersecurity field in the last year, there is still a shortage of talent, giving attackers a strategic advantage. Bishop Fox is committed to developing innovative technologies, like perceptual analysis, to provide continuous, scalable ways to improve the security of dynamic attack surfaces and to help overburdened security teams reclaim the upper hand.
We believe every company should be able to proactively protect their most vital assets – no matter their size, industry, or budget. We are committed to evolving our technology portfolio and hope these innovations have a positive impact on the security of the products, applications, and networks people use every day.
To get the technical details of our patent and learn more about perceptual analysis, please visit:
- USPTO Database: US Patent No. 11,218,496
- Video: AppSec California 2019 Presentation
- Slide Deck: Pose a threat: How Perceptual Analysis Helps Bug Hunters