Cyber Security Compromise Assessments vs Vulnerability Assessments
Security Compromise (Risk) Assessments vs. Vulnerability Assessments: Which Should You Choose First?
During the recent International Cyber Security and Intelligence Conference, info-security executives — including CISOs with extensive experience in cyber defense and the foremost thought leaders in cyber threat intelligence, incident response, threat hunting, and endpoint detection — lectured on the importance of being proactive vs. reactive in stopping cyber attacks.
As part of a proactive security strategy, speaker Nik Alleyne, senior manager of cybersecurity at Forsythe Solutions Group, recommended vulnerability assessments and regular penetration tests.
While these red team activities are important tools for evaluating cybersecurity risk, establishing your security posture, and exposing indicators of compromise (IOCs), they only answer half of the security paradox: “Can I be hacked?”
They do not answer the more vital question: “Am I already breached?”
With growing global regulations around data protection in the enterprise, from GDPR in Europe to the new NIST framework in the US, information security managers need the ability to quickly discover and address security breaches, malicious activity, and indicators of compromise (IOCs).
Further, they must be able to quickly validate whether the network and its endpoints are in fact free of malware, threat actors, APTs capable of lateral movement, and unauthorized access. That’s why assessing your cyber security risk with a Compromise Assessment is just as important as penetration testing, network traffic analysis, and real-time vulnerability assessments.
What is a Cyber Security Compromise Assessment?
Any proactive cyber security strategy needs to include a security/risk assessment of your current security posture and the state of your network environment. Sophisticated threat actors, advanced threats, and other new types of malware (e.g. file-less malware) are often resident inside an IT environment for months, sometimes years, before being detected and remediated.
As evidenced by the growing number of data breaches, existing technologies are no longer enough to stop threats (and threat actors) from penetrating your perimeter. The 2017 Hacker’s Playbook™ Findings Report found “malware infiltration success rates in excess of 60 percent, and the ability to successfully move laterally as high as 70 percent of the time.”
While vulnerability assessments and penetration tests look for security gaps and vulnerabilities, they do not detect existing compromises and attacker activity. Today’s enterprises need to add compromise assessments to their security program to proactively verify whether a network has already been breached and more effectively mitigate risk, enabling faster incident response and allowing network managers to act quickly and remediate cyber attacks in near real-time.
Since a Compromise Assessment focuses on identifying previously unknown, successful or ongoing compromises, the tools and techniques used to perform the assessment must be able to identify post breach activity, dormant and hidden malware, malicious use of credentials, and Command and Control (C2) traffic.
This differs from traditional log-based EDR platforms and network traffic analysis solutions, which focus on early detection of cyber attacks, exploits, and malware installation events. These platforms and techniques attempt to prevent an attack from succeeding, or to catch an attack early enough to reduce damage (e.g. data exfiltration) during a breach.
Assessing Your Compromise State
How do you assess your compromise state? While there are a handful of custom methodologies for conducting cyber security compromise assessments, these are often bundled with response services engagements that rely mostly on manual processes to comb through logs and analytics from security systems — sometimes taking months to complete and littered with false positives and false negatives.
What’s needed now and in the future is an approach that uses automated scanning to speed up the process of assessing your environment for threats.
Infocyte has found that independent scans of your network’s endpoints using a methodology called Forensic State Analysis (FSA) are the most effective approach. An FSA-based approach allows you to:
- Identify all endpoints on your network and scan them to discover the presence of active or dormant malware, or suspicious code.
- Review collected intelligence and actionable data for swift remediation and incident response.
- Quickly identify egress points and perform root cause analysis.
- Complete an assessment in days, not months.
- Run as frequently as needed: daily, monthly, quarterly, annually, etc.
A Holistic Approach to Network Security and IT Health
Alleyne also talked about the importance of threat hunting for proactive security. Establishing your initial compromise state is a great start; additionally, organizations need to incorporate ongoing post-breach detection into security operations as a proactive measure. This enables operations teams to create an iterative process for detecting infections that defensive technologies miss, and to mitigate the possible damage caused by hidden persistent compromises.
Infocyte makes it easy for an organization to incorporate compromise assessments and iterative threat hunting into a proactive information and IT risk management strategy.
Infocyte HUNT uses the FSA methodology to scan every endpoint on the network (workstations, servers, and endpoint devices). The survey validates everything running on them and everything that may be triggered to run (via an autostart or persistence mechanism), and analyzes each system’s volatile memory to discover signs of manipulation or hidden processes. The scan is agentless, meaning it does not require software to be pre-installed on the systems it scans, and it is completely independent of the network’s existing security infrastructure, so your results are untainted.
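To make the FSA-style survey described in the list above and in this paragraph concrete, here is an added, simplified illustration (not Infocyte code, and not the HUNT product's logic) of the core comparison: a per-endpoint snapshot of running processes and autostart/persistence entries is checked against a baseline of known-good executable hashes, and anything unknown, or running from a file that no longer exists on disk, becomes a finding. The host name, paths, and hashes are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Process:
    pid: int
    exe: str                  # executable path reported by the OS
    sha256: Optional[str]     # None when the file is gone from disk (deleted/unlinked)

@dataclass
class Autostart:
    mechanism: str            # persistence mechanism, e.g. "systemd", "cron", "registry Run key"
    target: str               # what the mechanism launches
    sha256: Optional[str]

@dataclass
class Snapshot:
    host: str
    processes: list = field(default_factory=list)
    autostarts: list = field(default_factory=list)

def assess(snapshot: Snapshot, known_good: set) -> list:
    """One (kind, detail) finding per deviation from the known-good baseline; [] means clean."""
    findings = []
    for p in snapshot.processes:
        if p.sha256 is None:
            # A live process whose backing file was deleted is a classic memory-resident trait.
            findings.append(("process_without_backing_file", f"pid {p.pid} {p.exe}"))
        elif p.sha256 not in known_good:
            findings.append(("unknown_process", f"pid {p.pid} {p.exe}"))
    for a in snapshot.autostarts:
        if a.sha256 not in known_good:
            findings.append(("unknown_autostart", f"{a.mechanism}: {a.target}"))
    return findings

def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()

# Constructed baseline and endpoint snapshot (hypothetical host, paths, and file contents).
KNOWN_GOOD = {digest(b"sshd-binary-v1"), digest(b"cron-binary-v1")}
SAMPLE = Snapshot(
    host="ws-01",
    processes=[
        Process(101, "/usr/sbin/sshd", digest(b"sshd-binary-v1")),
        Process(4242, "/tmp/.x/kworker", digest(b"dropper")),      # unknown binary in a hidden directory
        Process(4243, "/dev/shm/payload (deleted)", None),        # running from a file removed from disk
    ],
    autostarts=[
        Autostart("systemd", "/usr/sbin/cron", digest(b"cron-binary-v1")),
        Autostart("cron @reboot", "/tmp/.x/kworker", digest(b"dropper")),  # persistence for the unknown binary
    ],
)

if __name__ == "__main__":
    for kind, detail in assess(SAMPLE, KNOWN_GOOD):
        print(f"[{SAMPLE.host}] {kind}: {detail}")
```

Running the same comparison across every endpoint, on a schedule, is what turns a one-off assessment into the iterative hunting the next section describes.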
Our networks will always have a degree of vulnerability as organizations struggle to keep determined attackers out of their networks, and skilled attackers can successfully remain hidden for months, sometimes years, before being discovered. Unless you can measure the current compromise state of your network, your cybersecurity risk profile is incomplete.