Why a Compromise Assessment?
The role of intrusion detection is typically fulfilled by real-time intrusion detection systems and anti-virus software in conjunction with a continuous monitoring strategy. A compromise assessment differs from intrusion detection in that it is an active dedication of analytical resources with a focus on indicators of successful compromise. For the period of the assessment, there is more time and a wider authority to dig deeper than what is expected day-to-day in real-time monitoring. Additionally, the assessment brings to bare tools and techniques, typically reserved for incident response, that are better suited for detecting post-compromise activity. Compromise assessments are the most effective defense in depth measure an organization can use to ensure no threats make it past their defenses.
Many organizations, especially those in thin margin industries, have yet to define a sufficiently viable investment level for security. These organizations do what is recommended to meet compliance regulations and then accept or shift remaining risk to an insurance policy. For these organizations, a regular assessment should be incorporated into their respective risk mitigation strategies to ensure their environment is not compromised by attacks that are more sophisticated than what the organization can detect at their current level of investment.
Additionally, many organizations have difficulty justifying an increase in their security posture when a breach has not been experienced before. The resulting “catch 22” renders breach detection unlikely due to a continuing weak security posture. An independent compromise assessment can uncover compromises that may have gone undetected, thereby providing the evidence needed to justify additional security investments.
In some cases and industries, a regular compromise assessment may be a viable risk management alternative when continuous monitoring is cost prohibitive or unnecessary.
Goals for a Successful Compromise Assessment
Over the years, compromise assessments only existed in limited forms as specialized services rendered by boutique incident response firms. The practice has rapidly grown as publicly disclosed breaches reached a fevered pitch. Unfortunately, the methodologies, approaches, and effectiveness of these offerings vary widely as standardization does not yet exist.
The first step is to standardizing this security practice is to define what a compromise assessment is, as well as the goals and objectives, so we may understand how to best accomplish it and what the minimum requirements would be.
Our definition of a Compromise Assessment is an objective survey of a network and its’ devices to discover unknown security breaches, malware, and signs of unauthorized access. More specifically, the assessment seeks to find attackers who are currently in the environment or that have been active in the recent past.
To be widely applicable, the compromise assessment should be:
- Effective – At detecting all known variants of malware, remote access tools, and indications of unauthorized access. Advanced offerings and solutions should have the ability to go deeper in detection of unknown (zero day) malware variants as well.
- Fast – Assess a large network within hours/days.
- Affordable – The average organization should be able to conduct it proactively and regularly (i.e. monthly/quarterly).
- Independent – The assessment should not rely on existing security tools.
Any assessment methodology selected should deliver on these requirements and should seek to optimize time, cost, and effectiveness. It should be efficient and affordable enough to run at least once a month for the average sized organization. Additionally, the effectiveness of the assessment should not vary significantly with different security stacks, monitoring and logging practices, or network topologies. Independence enables the assessment to be equally useful to a regional business with only basic protections like a firewall and antivirus or a sophisticated global institution equipped with their own Security Operations Center.
Ultimately, the goal of the assessment is to rapidly identify adversarial activity or malicious logic – not to perform a complete forensic examination. Once the assessment is complete, recommendations should be made regarding proper response and collected evidence should be packaged for the organization to allow them to conduct investigation into root cause or actors behind the attack.
Interested in having a Compromise Assessment performed? Learn about our assessment services.