The Role of Compromise Assessments in Enterprise Security
This post was last updated on August 10th, 2021 at 06:06 pm
Why a Compromise Assessment?
The role of intrusion detection and prevention is typically fulfilled by real-time intrusion protection and detection systems and anti-virus software in conjunction with a continuous monitoring strategy. A compromise or threat assessment differs from intrusion detection in that it is an independent, evidence-based assessment reporting your vulnerabilities, possible exploits and indicators of a successful compromise. CISA recommends external threat assessments as a best practice and will also require them for certain industries when threat activity increases. Think of a Compromise Assessment or Threat Assessment as a third-party audit of an organization’s security practices based on the evidence collected during the investigation.
During the assessment, providers bring in experts who have wider authority to dig deeper than is expected in day-to-day real-time monitoring. Additionally, the assessment brings tools and techniques, like Digital Forensic Analysis and Behavior Analytics, that are typically reserved for incident response and are better suited for detecting post-compromise activity. Compromise assessments are the most effective defense-in-depth measure an organization can use to ensure vulnerabilities are known and no threats make it past their defenses.
Many organizations do not have adequate investment levels for cybersecurity or do not have the time or resources to implement all the necessary cyber controls. These organizations do what is recommended to meet compliance regulations and then accept or shift remaining risk to their cyber insurance policy. For these organizations, a regular assessment should be incorporated into their respective risk mitigation strategies to ensure their environment is not compromised by attacks that are more sophisticated than what the organization can detect at their current level of investment.
Additionally, many organizations have difficulty justifying an increase in their budget or resources when their security posture is not known. An independent compromise assessment can uncover compromises that may have gone undetected, thereby providing the evidence needed to justify additional security investments.
In some cases and industries, a regular compromise assessment may be a viable risk management alternative when continuous monitoring via MDR is cost-prohibitive.
Goals for a Successful Compromise Assessment
Over the years, compromise assessments only existed in limited forms as specialized services rendered by boutique incident response firms. The practice has rapidly grown as publicly disclosed breaches reached a fever pitch. Unfortunately, the methodologies, approaches, and effectiveness of these offerings vary widely as standardization does not yet exist.
The first step to standardize this security practice is to define what a compromise assessment is, as well as its goals and objectives, so we may understand how to best accomplish it and what the minimum requirements would be.
Our definition of a Compromise Assessment is an objective survey of a network and its endpoints to discover unknown vulnerabilities, security breaches, malware, and signs of unauthorized access or indicators of compromise. More specifically, the assessment seeks to find attackers who are currently in the environment or who have been active in the recent past.
To be widely applicable, the compromise assessment should be:
- Effective – At detecting all known variants of malware, remote access tools, and indications of unauthorized access. Advanced offerings and solutions should have the ability to go deeper into the detection of unknown (zero day) malware variants as well.
- Fast – Assess a large network within hours/days.
- Affordable – The average organization should be able to conduct it proactively and regularly (i.e. monthly/quarterly).
- Independent – The assessment should not rely on existing security tools.
Any assessment methodology selected should deliver on these requirements and should seek to optimize time, cost, and effectiveness. It should be efficient and affordable enough to run at least once a month for the average-sized organization. Additionally, the effectiveness of the assessment should not vary significantly with different security stacks, monitoring and logging practices, or network topologies. Independence enables the assessment to be equally useful to a regional business with only basic protections like a firewall and antivirus or a sophisticated global institution equipped with its own Security Operations Center.
Ultimately, the goal of the assessment is to rapidly identify adversarial activity or malicious logic – not to perform a complete forensic examination. Once the assessment is complete, recommendations should be made regarding proper response and collected evidence should be packaged for the organization to allow them to conduct an investigation into root cause or actors behind the attack.