A Compromise Assessment is a high-level review of the security posture of an organization to identify if they are already compromised or breached. Compromise Assessment checks if any attacker activity or unauthorized access is already present in your network by analyzing data, logs, and existing telemetry, to identify indicators of compromise, advanced persistent threats, or threat actors present in the environment.
Compromise Assessment is the next-generation security assessment service by independent security teams. Traditional security testing services like Vulnerability Assessment and Penetration testing focus only on the application or infrastructure components alone. Compromise Assessment goes far beyond traditional VAPT.
During a Compromise Assessment, we detect indicators of compromise and hidden malware within your IT infrastructure and assess the scale of damage to determine which assets in the network were attacked and how the attack happened.
Scoping: To identify important systems and applications within your environment.
Assessment of endpoints/applications: We work with you to deploy agents to monitor networks, endpoints, and applications for compromise activity. Endpoints will be analyzed for autorun, event logs, registry, running processes, and scheduled jobs to identify any indication of compromise.
Extracting and processing of suspicious files: We will extract files with no known signature in a secure sandbox environment to determine whether they contain polymorphic malware or 0-day exploit code.
Analyze Network Traffic: We will be assessing your network traffic for evidence of compromise, intrusions, or policy violations.
Assessment of security controls: Identify potential gaps in controls and processes.
Reporting: Identified gaps are reported in a detailed report along with mitigations to fix the gap.
During the Compromise Assessment, the team looks for anomalies and known indicators of compromise. A compromise assessment can identify if insufficient logging exists within the organization. In addition, a compromise assessment can help highlight the risk associated with a compromise not being effectively communicated to senior leadership within the organization. Compromise Assessment is often confused with Threat hunting, which is a mature, hypothesis-driven process for organizations that relies on manual interaction with the data.
Compromise Assessment Framework
Our compromise assessment consists of the below activities
• Performing triage package collection, analyzing endpoint artifacts such as autorun, event logs, registry, running processes, schedule jobs, and network traffic to identify any indication of compromise.
• We will be looking for signatures of known Indicators of Attack (IOAs), Indicators of Compromise (IOCs), and policy violations on endpoints and network traffic.
• Extracting and processing all suspicious files with no known signature in a secure sandbox environment to determine whether they contain polymorphic malware or 0-day exploit code.
• We will be assessing your network traffic for evidence of compromise, intrusions, or policy violations.
• We will be performing email audit log analysis to identify any suspicious activities across the email services.
• We will utilize the ransomware control effectiveness questionnaire and use the input gathered to analyze and evaluate the existing security measures.
On completion of the engagement, we will present our observations as follows:
• Indicators of attack
• Indicators of compromise
• Potential policy violations
• Ransomware Control Effectiveness
Frequently used tools: We will use tools such as Velociraptor, Security Onion, SIFT Workstation, KAPE, Registry Explorer, Volatility, Wireshark, Nessus, UAC (Unix-like Artifacts Collector), CyLR, and Custom PowerShell Scripts.
Benefits of Compromise Assessment
> Identify suspicious and unusual app & user behavior.
> Uncover internal risks by keeping an eye on users’ internet activity and system behavior.
> Identify potential data leakage and misuse of IT resources.
> Detect past cyber breaches and early detection of any initiated attacks.
> Determine potentially unauthorized transactions and access.
> Using the most recent threat intelligence feeds, identify indicators of compromise (IOCs).
> Hardware and software vulnerabilities.
> Search through billions of network traffic data to look for any indicators of a cyber security attack.
Compromise Assessment – The difference
The purpose of the Compromise Assessment is to analyze a customer’s environment end to end and provide higher visibility into their existing security posture across a wide field of view against sophisticated attacks. This is a broad security assessment for those organizations that need a macro view of their environment to ensure all of the industry-recommended security best practices are implemented, vulnerabilities are fixed, and security controls are in alignment with the information security policy and compliance standards against various threat actors.
This makes sure that threat monitoring is effective to proactively hunt malware with the latest threat intelligence, policies and standards are well developed and maintained, and cyber defenses, access control & content filtering are effective. It also makes sure that the risk register is properly maintained, logging and auditing are proper, incident response measures are well developed and implemented, Patch Management is up to date, the security architecture is flawless and endpoint detection and network security controls are properly implemented to prevent any security breaches.
The data derived in the form of a detailed report from Compromise Assessment will lead to the presentation of the findings report outlining any key observations of general security risks, threats, vulnerabilities, and recommendations to remediate the identified issues for better cyber-security. These recommendations are a combination of industry-leading tools, industry best practices, and professional services suitable to the customer environment. Implementation of a solution or remediation of any identified issues will be available as a separate service if requested by the customer.