During the recent International Cyber Security and Intelligence Conference, information security executives were lectured on the importance of being proactive rather than reactive in stopping cyberattacks. As part of a proactive strategy, speaker Nik Alleyne, senior manager of cyber security at Forsythe Solutions Group, recommended vulnerability assessments and regular penetration tests. These are important tools for evaluating cybersecurity risk, but they answer only half of the question. They tell you "Can I be hacked?" They do not answer the more urgent question: "Am I already breached?"
With growing global regulation and guidance around data protection in the enterprise, from GDPR in Europe to the NIST framework in the US, information security managers need the ability to quickly discover and address security breaches, and then validate that the network and its endpoints are in fact clean of malware, APTs and unauthorized access. That is why compromise assessments are just as important as their more widely adopted cousins, the penetration test and the vulnerability assessment.
What is a Compromise Assessment?
Any proactive cybersecurity strategy needs to include an assessment of your current security posture and compromise state. Attackers who have infected endpoints with malware are often resident inside a network for months, sometimes years, before being detected. As the growing number of breaches shows, existing technologies are no longer enough to stop every threat from penetrating the perimeter. The 2017 Hacker's Playbook™ Findings Report found "malware infiltration success rates in excess of 60 percent, and the ability to successfully move laterally as high as 70 percent of the time."
While vulnerability assessments and penetration tests look for security gaps and vulnerabilities, they do not detect existing compromises. Today's enterprises need to add compromise assessments to their security practices to proactively verify whether a network has already been breached and to mitigate risk more effectively.
Since a compromise assessment focuses on identifying previously unknown, successful or ongoing compromises, the tools and techniques used to perform it must be able to identify post-breach activity: dormant and hidden malware, malicious use of legitimate credentials, and command-and-control (C2) traffic. This differs from traditional solutions, which focus on early detection of attacks, exploits and malware installation events, with the aim of preventing an attack from succeeding or catching it early enough to limit the damage during a breach.
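As an added illustration (not part of the original post and not Infocyte's code), the following Python script shows one way to surface the C2 traffic a compromise assessment looks for: it runs over a constructed set of outbound connection records and flags host-to-destination pairs whose connection gaps are numerous and unusually regular, the signature of an implant checking in on a timer. The record format, hostnames, addresses and thresholds are assumptions made for the example.

```python
"""
Added example: find periodic outbound connections (C2 beacons) in connection
records. Beacons check in on a roughly fixed interval, so for each
(src_host, dst_ip, dst_port) we measure the gaps between connections and flag
pairs whose gaps are numerous and have a low coefficient of variation.
Not Infocyte's code; the data and thresholds are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

MIN_EVENTS = 10   # fewer connections than this is too little to judge regularity
MAX_CV = 0.20     # gap stdev/mean at or below this counts as periodic


def build_sample_log():
    """Constructed records (not real traffic): 'timestamp,src_host,dst_ip,dst_port'."""
    start = datetime(2018, 1, 15, 9, 0, 0)
    lines = []
    # HOST-A: an implant checking in every ~60 s with a few seconds of jitter.
    jitter = [0, 2, -1, 3, -3, 1, -2, 0, 2, -1]
    t = start
    for i in range(30):
        t += timedelta(seconds=60 + jitter[i % len(jitter)])
        lines.append(f"{t.isoformat()},HOST-A,203.0.113.10,443")
    # HOST-B: a person browsing, irregular gaps to an HTTPS destination.
    gaps = [5, 90, 2, 400, 33, 7, 260, 1, 120, 15]
    t = start
    for i in range(30):
        t += timedelta(seconds=gaps[i % len(gaps)])
        lines.append(f"{t.isoformat()},HOST-B,198.51.100.20,443")
    # HOST-C: three evenly spaced connections, too few to judge either way.
    t = start
    for _ in range(3):
        t += timedelta(seconds=300)
        lines.append(f"{t.isoformat()},HOST-C,192.0.2.30,8080")
    return lines


def parse(lines):
    """Group connection timestamps by (src_host, dst_ip, dst_port)."""
    flows = defaultdict(list)
    for line in lines:
        ts, src, dst, port = line.strip().split(",")
        flows[(src, dst, int(port))].append(datetime.fromisoformat(ts))
    return flows


def find_beacons(lines, min_events=MIN_EVENTS, max_cv=MAX_CV):
    """Return the flows whose inter-connection gaps are regular enough to look like a beacon."""
    hits = []
    for (src, dst, port), times in parse(lines).items():
        times.sort()
        if len(times) < min_events:
            continue                      # not enough data; a low-and-slow beacon needs a longer window
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "port": port, "events": len(times),
                         "interval_s": round(avg, 1), "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(build_sample_log()):
        print(f"possible beacon: {hit}")
```

Regularity alone is not proof: software updaters, monitoring agents and mail clients also poll on timers, so the hits are a triage list to be checked against what is actually installed on the host, not a verdict. Lengthening the observation window and lowering `MIN_EVENTS` trades false positives for coverage of slower beacons.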
Assessing Your Compromise State
How do you assess your compromise state? While there are a handful of custom methodologies for conducting compromise assessments, these are often services engagements that rely on mostly manual processes to comb through logs and analytics from security systems, taking months to complete. What is needed is an approach that uses automated scanning to speed up the assessment of your environment for threats.
Infocyte has found that independent scans of your network's endpoints using a methodology called Forensic State Analysis (FSA) are the most effective approach. An FSA-based approach allows you to:
- Identify all endpoints on your network and scan them for active or dormant malware or suspicious code.
- Review collected intelligence and actionable data for swift remediation and incident response.
- Complete an assessment in days, not months.
- Run as frequently as needed: daily, monthly, quarterly, annually, etc.
A Holistic Approach to Network Health
Alleyne also talked about the importance of threat hunting for proactive security. Establishing your initial compromise state is a great start; beyond that, organizations need to incorporate ongoing post-breach detection into security operations as a proactive measure. This gives operations teams an iterative process for detecting infections that defensive technologies miss and for mitigating the damage that hidden, persistent compromises can cause.
Infocyte makes it easy for an organization to incorporate compromise assessments and iterative threat hunting into a proactive information and IT risk management strategy.
Infocyte HUNT uses the FSA methodology to scan every endpoint on the network (workstations, servers and other endpoint devices). The survey validates everything running on each system and everything set to run via an autostart or persistence mechanism, and analyzes each system's volatile memory for signs of manipulation or hidden processes. The scan is agentless, meaning it does not require software to be pre-installed on the systems it scans, and it is completely independent of the network's existing security infrastructure, so the results do not depend on controls an attacker may already have evaded.
Our networks will always carry a degree of vulnerability: organizations struggle to keep determined attackers out, and skilled attackers can remain hidden for months, sometimes years, before being discovered. Unless you can measure the current compromise state of your network, your cybersecurity risk profile is incomplete.
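To make the survey step concrete, here is an added example (not Infocyte HUNT's code or its data format) that applies checks of the kind described above to constructed survey output from three endpoints: a running process whose image is no longer on disk, a process or autorun whose hash is not in a known-good baseline, a persistence entry pointing at a user-writable directory, and a system binary whose hash differs from the rest of the fleet. The hostnames, paths and hashes are constructed placeholders, and the short hash strings stand in for real SHA-256 values.

```python
"""
Added example: triage of an endpoint survey in the spirit of a compromise
assessment. Not Infocyte's code. The survey below is constructed: each entry
lists what is running on a host and what is set to run via an autostart
location, with a placeholder hash for each image.
"""
import re
from collections import defaultdict

# Constructed baseline: image hashes recorded from a clean, freshly built endpoint.
KNOWN_GOOD = {"aa11", "bb22"}

# Directories a non-admin user can write to; a persistence entry pointing here
# deserves a look even when the binary itself is not known-bad.
USER_WRITABLE = re.compile(
    r"\\temp\\|\\appdata\\|\\downloads\\|\\users\\public\\|^/tmp/|^/var/tmp/", re.I)

SURVEY = [
    {"host": "WS01",
     "processes": [
         {"pid": 804, "path": "C:\\Windows\\System32\\svchost.exe", "sha256": "aa11", "on_disk": True},
         {"pid": 1200, "path": "C:\\Program Files\\Corp\\agent.exe", "sha256": "bb22", "on_disk": True}],
     "autoruns": [
         {"location": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Agent",
          "path": "C:\\Program Files\\Corp\\agent.exe", "sha256": "bb22"}]},
    {"host": "WS02",
     "processes": [
         {"pid": 812, "path": "C:\\Windows\\System32\\svchost.exe", "sha256": "aa11", "on_disk": True},
         {"pid": 4410, "path": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe", "sha256": "cc33", "on_disk": True}],
     "autoruns": [
         {"location": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
          "path": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe", "sha256": "cc33"}]},
    {"host": "SRV01",
     "processes": [
         {"pid": 796, "path": "C:\\Windows\\System32\\svchost.exe", "sha256": "dd44", "on_disk": True},
         {"pid": 3100, "path": "C:\\Windows\\Temp\\x.exe", "sha256": "ee55", "on_disk": False}],
     "autoruns": []},
]


def triage(survey, known_good=KNOWN_GOOD):
    """Return sorted (host, severity, rule, detail) findings for an analyst to review."""
    findings = []
    by_path = defaultdict(lambda: defaultdict(set))   # lowercased path -> hash -> hosts
    for ep in survey:
        host = ep["host"]
        for p in ep["processes"]:
            by_path[p["path"].lower()][p["sha256"]].add(host)
            if not p["on_disk"]:
                # The image was deleted after launch: classic evidence-hiding behaviour.
                findings.append((host, "high", "running image missing from disk",
                                 f"pid {p['pid']} {p['path']}"))
            if p["sha256"] not in known_good:
                findings.append((host, "medium", "process hash not in known-good baseline",
                                 f"pid {p['pid']} {p['path']} sha256={p['sha256']}"))
        for a in ep["autoruns"]:
            if USER_WRITABLE.search(a["path"]):
                findings.append((host, "high", "persistence entry points to user-writable path",
                                 f"{a['location']} -> {a['path']}"))
            if a["sha256"] not in known_good:
                findings.append((host, "medium", "autorun target not in known-good baseline",
                                 f"{a['location']} -> {a['path']} sha256={a['sha256']}"))
    # Fleet-wide outlier check: the same system path should hash the same on every host.
    for path, hashes in by_path.items():
        if len(hashes) < 2:
            continue
        majority = max(hashes, key=lambda h: len(hashes[h]))
        for h, hosts in hashes.items():
            if h != majority:
                for host in sorted(hosts):
                    findings.append((host, "high", "image hash differs from fleet majority",
                                     f"{path} sha256={h} (majority {majority} on {len(hashes[majority])} hosts)"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in triage(SURVEY):
        print(" | ".join(finding))
```

The fleet-majority rule is the part that needs a survey rather than a single-host scan: a trojanized system binary on one server looks normal in isolation and only stands out when its hash is compared with the same file elsewhere. The baseline rule is only as good as the baseline, so unknown hashes are "medium" for review, not a verdict, and a clean host (WS01 here) should produce nothing.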