In recent years, an increasing number of cybersecurity professionals have begun to agree that an organisation falling victim to a threat agent is not a matter of if, but when. This has often made the case for a proactive approach to information security a need of the hour for organisations of all sizes. Temitope Bakare, Strategic Security Consultant, Help AG, tells us more about a new approach organisations should look to implement.
With cyberattacks increasing in volume and sophistication, a reactive approach to information security is no longer considered sufficient.
As a result, in addition to measures such as security controls measurement, baselining, secure system and device configuration, periodic security assessments such as phishing exercises, vulnerability assessments and penetration testing are now regarded as necessary to defend an organisation’s IT infrastructure. By conducting periodic assessments, an organisation can proactively identify vulnerabilities within its environment and provide evidence that these vulnerabilities could be easily exploited.
While vulnerability assessment and penetration testing (VAPT) is relatively well known, another effective method that has thus far remained relatively unknown is compromise assessment. The security industry is usually littered with buzzwords and one must be careful as newly formulated terms often refer to well-known activities that are merely conducted in different ways.
So, given that a VAPT exercise could reveal an entity’s susceptibility to compromise, what would make a compromise assessment different and why does it provide added value?
Defining compromise assessment
A compromise assessment is an evaluation of the organisation’s network and systems for artefacts of compromise. These could include the communications of a resident malware with a command and control (C2) server, proof of data exfiltration via insecure ports or perhaps through DNS and lateral movement across the network.
Compromise assessment provides proof of the previously unidentified footprint of an attacker or of the existence of indicators of compromise (IOCs), whether the attacker has been successful or not and whether an attack is ongoing or dormant. This would usually involve a degree of forensic investigation, as it is important to be able to detect post-breach activity.
Analogous to a person trying to protect the valuables in their house, a vulnerability assessment aims to uncover weaknesses such as missing door locks, unlocked doors, weak burglary fences and inattentive security guards.
A penetration test involves physically verifying, through force or social engineering, that these weaknesses can be exploited i.e. sneaking past the inattentive security guards and going through unlocked doors into areas of the house.
A compromise assessment, then, is equivalent to combing through corners of the building for evidence of intrusion or attempted intrusion such as footprints not belonging to any house occupant, tools for further break-in left behind, or CCTV footage of intruders jumping in and out without detection.
Where is the value?
Going by the example above, it might sound tempting to dismiss the value of assessing the state of compromise of an entity since compromise could have already occurred. However, it is important to note that many the attacker may be unable to further their activities and would exercise patience, maintaining persistence within the network, until the right moment presents itself.
As cyberattackers now operate with different agendas and motives – political, nation-state funded or financial – and organisations deploy advanced detection solutions, cybercriminals have adapted their attacks to become increasingly evasive and persistent.
According to a recent FireEye report, firms in Europe, the Middle East and Africa on average take nearly six months to detect cyberattacks. An average attacker’s dwell time of six months is alarming and shows that a compromise assessment at any time could potentially prevent an attacker from claiming what they are after.
Compromise assessment – best practices
Approaches to a compromise assessment will usually vary by the engagement firm and client environment, however, an assessment of this type would usually involve the deployment of advanced diagnostic listening tools with behavioural analysis and forensics capability for a period to look for IOCs or advanced persistent threats (APTs). These IOCs could consist of malware hashes, filenames of files in wrong folders and malware execution pattern.
The service differentiator
Utilising the right approach and deploying best-in-class technologies is a critical part of conducting a thorough and effective compromise assessment. However, the analysis of the data captured during the listening phase is the most critical. Organisations should engage providers that have the right human competencies for threat hunting and forensics to identify appropriate relationships between indicators and artefacts.
A systematic approach to compromise prevention
External/Internal VA/PT
The first step to assessing how secure an infrastructure is, is to perform a vulnerability assessment / penetration test on it. These should be performed by seasoned ethical hackers who do not solely rely on tools but instead follow a stringent manual methodology that provides a 360-degree view of your security controls.
Solution deployment
This requires the deployment of intelligence sources in the infrastructure under investigation, such as sensors for monitoring anomalous events in network traffic and agents on endpoints for malware and digital forensic analysis.
Forensics analysis
Incident response handling procedures, including assessment of the incident damage and digital forensics investigations are among the top services needed in this phase.
Upon completion of the forensic analysis exercise, your provider should provide you with a thorough report of the findings, a comprehensive and detailed list of the indicators or artefacts of compromise, signatures of any malware extracted, an assessment of the potential damage that could have been sustained from the identified IOCs, and recommendations to avoid a potential breach.
Remediation analysis
Addressing the IOCs is just as, if not more, important than their identification. Therefore, it is imperative to receive the right remediation for compromise indicators found during the assessment.
Compromise assessment is not only a great tool that helps you address threats that exist in your IT infrastructure, it also serves to guide future investments by highlighting the flaws that have already been exploited. Thus, by supplementing VAPT with this vital service, you will give your organisation an accurate and comprehensive representation of its security posture.