Compromise vs Vulnerability Assessments: Which Should You Choose First?
At the recent International Cyber Security and Intelligence Conference, information security executives were told about the importance of being proactive rather than reactive in stopping cyber attacks. As part of a proactive strategy, speaker Nik Alleyne, senior manager of cybersecurity at Forsythe Solutions Group, recommended vulnerability assessments and regular penetration tests. While these are important tools for evaluating cybersecurity risk, they only answer half of the security question: “Can I be hacked?” They do not answer the more vital question: “Am I already breached?”
With growing global regulations and standards around data protection in the enterprise, from GDPR in Europe to the NIST Cybersecurity Framework in the US, information security managers need the ability to quickly discover and address security breaches, and then to validate whether the network and its endpoints are in fact clean of malware, APTs, and unauthorized access. That is why compromise assessments are just as important as their more widely adopted cousins, the penetration test and the vulnerability assessment.
What is a Compromise Assessment?
Any proactive cybersecurity strategy needs to include an assessment of your current security posture and compromise state. Attackers often remain resident inside a network, using malware to infect endpoints, for months and sometimes years before being detected. As the growing number of breaches shows, existing preventive technologies are no longer enough to stop every threat from penetrating the perimeter. The 2017 Hacker’s Playbook™ Findings Report found “malware infiltration success rates in excess of 60 percent, and the ability to successfully move laterally as high as 70 percent of the time.”
While vulnerability assessments and penetration tests look for security gaps an attacker could exploit, they do not detect compromises that have already happened. Today’s enterprises need to add compromise assessments to their security practice to proactively verify whether the network has already been breached, and so mitigate risk more effectively.
Because a compromise assessment focuses on identifying previously unknown, successful or ongoing compromises, the tools and techniques used must be able to identify post-breach activity: dormant and hidden malware, malicious use of legitimate credentials, and command and control (C2) traffic. This differs from traditional preventive and detective controls, which focus on catching the attack itself (exploits, malware installation events) early enough to stop it outright or to limit the damage done during a breach.
Assessing Your Compromise State
How do you assess your compromise state? There are a handful of custom methodologies for conducting compromise assessments, but these are usually services engagements that rely on largely manual processes to comb through logs and analytics from existing security systems, and they can take months to complete. What is needed is an approach that uses automated scanning of the endpoints themselves to speed up the assessment.
Infocyte has found that independent scans of your network’s endpoints using a methodology called Forensic State Analysis (FSA) are the most effective approach. An FSA-based approach allows you to:
- Identify all endpoints on your network and scan them to discover the presence of active or dormant malware, or suspicious code.
- Review collected intelligence and actionable data for swift remediation and incident response.
- Complete an assessment in days, not months.
- Run as frequently as needed: daily, monthly, quarterly, annually, etc.
A Holistic Approach to Network Health
Alleyne also talked about the importance of threat hunting for proactive security. Establishing your initial compromise state is a good start; beyond that, organizations need to incorporate ongoing post-breach detection into security operations as a proactive measure. This gives operations teams an iterative process for detecting infections that defensive technologies miss, and for limiting the damage that hidden, persistent compromises can cause.
Infocyte makes it easy for an organization to incorporate compromise assessments and iterative threat hunting into a proactive information and IT risk management strategy.
Infocyte HUNT uses the FSA methodology to scan every endpoint on the network (workstations, servers and other endpoint devices). The survey validates everything running on each system and everything that may be triggered to run (via an autostart or other persistence mechanism), and analyzes each system’s volatile memory to discover signs of manipulation or hidden processes. The scan is agentless, meaning it does not require software to be pre-installed on the systems it scans, and it is independent of the network’s existing security infrastructure, so its results do not depend on tooling an attacker may already have evaded.
Our networks will always carry some degree of vulnerability: organizations struggle to keep determined attackers out, and skilled attackers can remain hidden for months, sometimes years, before being discovered. Unless you can measure the current compromise state of your network, your cybersecurity risk profile is incomplete.