As threat technology rapidly advances, hackers and threat actors leverage all the means at their disposal to deliver malware and compromise your systems and information. To expose these threat actors, a lot of organizations rely heavily on experts in the cyber security field to perform penetration tests and compromise assessments.
We assume that most readers are familiar with penetration testing, but compromise assessments are less well known and can be extremely valuable to an organization. While pen tests spotlight vulnerabilities that could be exploited by a hacker, a compromise assessment exposes threat actors that are operating in your environment. Compromise assessments look for evidence of hackers and malware doing things like reconnaissance, building a bot net, exfiltrating data, or moving laterally in your network from one machine to another. Sensitive information could be leaving your network as you read this. Credit card data, patient information, or privileged client information – anything you hold dear in your network – is up for grabs.
How does a compromise assessment work?
A compromise assessment is run by placing multiple diagnostic utilities within your network to look for Indicators of Compromise or “IOCs.” These IOCs are the telltale evidence of malicious activities that occur on systems, or between systems. IOCs can include signatures of known-bad files, processes, or URLs. But IOCs can also be based on patterns of known-bad behavior. Compromise assessments look for both signature-based and behavior-based evidence of attacks because current malware and attackers now circumvent traditional, signature-only detection methods. Adding an additional method of assessment greatly increases your chances of identifying malicious software or hackers.
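To make the signature-versus-behavior distinction concrete, here is a small, added example (not code from the original article or from any assessment vendor) that runs both kinds of IOC checks over a constructed batch of endpoint events. The known-bad hash and domain, the internal address ranges, the choice of SMB/RDP ports as "admin" ports, and every threshold and time window are assumptions chosen for illustration, not published indicators.

```python
"""Toy IOC scanner: signature-based and behavior-based checks over endpoint events.

Added example; all indicators, thresholds and sample events are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int             # seconds since epoch (constructed)
    host: str           # endpoint that produced the event
    kind: str           # "process" (value = SHA-256 of image) or "connect" (value = "dst:port")
    value: str
    bytes_out: int = 0  # bytes sent, for "connect" events only


# --- Signature-based IOCs (placeholders, not real indicators) ---
KNOWN_BAD_HASHES = {"ab" * 32}               # 64 hex chars, constructed placeholder
KNOWN_BAD_DOMAINS = {"c2.example.invalid"}   # .invalid is reserved and never resolves

# --- Behavior-based rules (assumed tuning values) ---
LATERAL_PORTS = {445, 3389}    # SMB and RDP: admin protocols used for host-to-host movement
LATERAL_WINDOW = 300           # seconds
LATERAL_MIN_TARGETS = 5        # distinct internal targets within the window
EXFIL_WINDOW = 600             # seconds
EXFIL_MIN_BYTES = 50_000_000   # 50 MB sent to external hosts within the window


def is_internal(dst: str) -> bool:
    """Assumed internal address space for the sample network."""
    return dst.startswith("10.") or dst.startswith("192.168.")


def signature_hits(events):
    """Exact matches against known-bad file hashes and domains."""
    hits = []
    for e in events:
        if e.kind == "process" and e.value in KNOWN_BAD_HASHES:
            hits.append((e.host, "known-bad hash", e.value))
        elif e.kind == "connect" and e.value.rsplit(":", 1)[0] in KNOWN_BAD_DOMAINS:
            hits.append((e.host, "known-bad domain", e.value))
    return hits


def lateral_movement_hits(events):
    """Flag a host that reaches many distinct internal admin ports in a short window."""
    per_host = defaultdict(list)
    for e in events:
        if e.kind != "connect":
            continue
        dst, port = e.value.rsplit(":", 1)
        if int(port) in LATERAL_PORTS and is_internal(dst):
            per_host[e.host].append((e.ts, dst))
    hits = []
    for host, conns in per_host.items():
        conns.sort()
        for i, (t0, _) in enumerate(conns):
            targets = {d for t, d in conns[i:] if t - t0 <= LATERAL_WINDOW}
            if len(targets) >= LATERAL_MIN_TARGETS:
                hits.append((host, "lateral-movement pattern", len(targets)))
                break
    return hits


def exfil_hits(events):
    """Flag a host whose outbound volume to external hosts exceeds a threshold in a window."""
    per_host = defaultdict(list)
    for e in events:
        if e.kind == "connect" and e.bytes_out > 0 and not is_internal(e.value.rsplit(":", 1)[0]):
            per_host[e.host].append((e.ts, e.bytes_out))
    hits = []
    for host, xfers in per_host.items():
        xfers.sort()
        for i, (t0, _) in enumerate(xfers):
            total = sum(b for t, b in xfers[i:] if t - t0 <= EXFIL_WINDOW)
            if total >= EXFIL_MIN_BYTES:
                hits.append((host, "bulk outbound transfer", total))
                break
    return hits


# Constructed sample events; 203.0.113.0/24 is a documentation range.
SAMPLE_EVENTS = [
    Event(1000, "ws-01", "process", "ab" * 32),                        # matches known-bad hash
    Event(1010, "ws-01", "connect", "c2.example.invalid:443", 2048),   # matches known-bad domain
    Event(1100, "ws-02", "connect", "10.0.0.11:445"),
    Event(1130, "ws-02", "connect", "10.0.0.12:445"),
    Event(1160, "ws-02", "connect", "10.0.0.13:3389"),
    Event(1190, "ws-02", "connect", "10.0.0.14:445"),
    Event(1220, "ws-02", "connect", "10.0.0.15:445"),                  # 5th target in 120 s
    Event(1300, "ws-03", "connect", "10.0.0.11:445"),                  # one SMB connection: benign
    Event(2000, "ws-04", "connect", "203.0.113.7:443", 30_000_000),
    Event(2200, "ws-04", "connect", "203.0.113.7:443", 30_000_000),    # 60 MB in 200 s
    Event(5000, "ws-05", "connect", "203.0.113.9:443", 30_000_000),    # lone transfer, under threshold
]


def scan(events):
    """Run every check and group findings by the kind of evidence that produced them."""
    return {
        "signature": signature_hits(events),
        "behavior": lateral_movement_hits(events) + exfil_hits(events),
    }


if __name__ == "__main__":
    for category, hits in scan(SAMPLE_EVENTS).items():
        for hit in hits:
            print(category, *hit)
```

The signature checks would miss ws-02 and ws-04 entirely, because nothing they ran or contacted is on a blocklist; only the behavior rules surface them. Conversely, ws-01 is caught purely by signature. Real assessments tune the windows and thresholds per environment and correlate across hosts, but the two evidence types shown here are the ones the paragraph above describes.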
Which diagnostic tools should be used?
A compromise assessment should use the best tools available in their class. There isn’t one single appliance that can cover every critical vector, so using multiple vendors is a likely route. This strategy also offers the ability to leverage threat intelligence from multiple sources which is a big bonus to organizations. The more intelligence sources, when it comes to new and emerging threats, the better. Bad guys are using every resource at their disposal to find new ways to compromise target networks. It only seems reasonable to bring as much knowledge to the table as you can.
Which vectors are covered?
When examining your environment, pay attention to the “Critical 4.” These vectors include: network (or perimeter), application, email, and endpoint. A compromise assessment provider should be able to specialize in one or more of these Critical 4 vectors, with less comprehensive analysis for the others. A simultaneous multi-vector diagnostic is crucial to gaining a comprehensive view of an environment and rapidly identifying compromise indicators. It is widely understood that layered security is a best practice, so why shouldn’t a compromise assessment be multi-layered as well?
What can you expect from a compromise assessment?
As soon as a compromise assessment begins, you should be getting daily check-ins from your security provider with information on both minor and major findings. While some information may be considered uninteresting, you may see information that allows you to respond quickly and disrupt an attack as it is happening. In the long term, a comprehensive report, along with an executive summary, should be delivered shortly after the engagement concludes. The provider should sit down with you and address every finding in the report, providing the proper context and a remediation strategy for each. Identifying problems is a start, but finding solutions is key. As a CISO or CIO, you can then fold these recommendations into a security implementation roadmap that prioritizes the known exploits.
Why should my company invest in a compromise assessment?
A compromise assessment is a great tool to help you decide what type(s) of anti-malware tools and architecture are best suited for your organization. You’ll be able to provide your management team with the patterns of behavior currently present in your environment so that they can make timely decisions. Consider incorporating a compromise assessment into your overall information security strategy. Be sure to recognize that no one security assessment can provide a complete picture of your security posture. However, by incorporating a variety of assessments appropriate to your organization, you’ll get a well-rounded and truer representation of what your security posture looks like.
Additional reading: “What Kind of Security Assessments Do I Need?”