Cyber Security Compromise Assessments vs Vulnerability Assessments
During the International Cyber Security and Intelligence Conference, infosec executives — including CISOs with extensive experience in cyber defense and the foremost thought leaders in cyber threat intelligence, incident response, threat hunting, and endpoint detection — lectured on the importance of being proactive vs. reactive in stopping cyber attacks.
As part of a proactive security strategy, speaker Nik Alleyne, senior manager of cybersecurity at Forsythe Solutions Group, recommended vulnerability assessments and regular penetration tests.
While these red team activities are important tools for evaluating cybersecurity and overall IT risk, they only answer half of the security question, “Can I be hacked?” They do not answer the more vital question, “Am I already hacked?”
With growing global regulations around data protection in the enterprise, from GDPR in Europe to the new NIST framework in the US, information security managers need the ability to quickly discover and address security breaches, malicious activity, and indicators of compromise (IOCs) already present in their IT environments.
Further, security analysts must be able to quickly validate whether their network and endpoints are in fact free of malware, threat actors, APTs capable of lateral movement, and unauthorized or remote access. That’s precisely why assessing your cyber security risk with a security Compromise Assessment is more important than a vulnerability scan, penetration testing, and/or network traffic analysis.
What is a Cyber Security Compromise Assessment?
Any proactive cyber security strategy needs to include a security/risk assessment of your current ecosystem and the state of your network environment. Sophisticated threat actors, advanced persistent threats, and other new types of malware (e.g. file-less malware and polymorphic malware) are often resident inside an IT environment for months, sometimes years, before being detected and remediated.
As evidenced by the growing number of data breaches, existing technologies are no longer enough to stop threats (and threat actors) from penetrating your perimeter. While vulnerability assessments and penetration tests look for security gaps and vulnerabilities, they do not detect existing compromises or the underlying attacker activity. Today’s enterprises need to add compromise assessments to their security program to proactively verify whether a network has already been breached and to mitigate risk more effectively. Doing so enables faster security incident response and allows network managers to act quickly and remediate cyber attacks in near real-time.
Since a Compromise Assessment focuses on identifying previously unknown, successful, or ongoing compromises, the tools and techniques used to perform the assessment must be able to identify post-breach activity, dormant and hidden malware, malicious use of credentials, and Command and Control (C2) traffic.
This differs from traditional log-based EDR platforms and network traffic analysis solutions, which focus on early detection of cyber attacks, exploits, and malware installation events. These platforms and techniques attempt to prevent an attack from succeeding, or to catch an attack early enough to reduce the damage (e.g. data exfiltration) caused during a data breach.
Assessing Your Compromise State
How do you assess your environment’s compromised state? While there are a handful of custom methodologies for conducting cyber security compromise assessments, these are often bundled with response services engagements that use mostly manual processes to comb through logs and analytics from security systems and event logging platforms — sometimes taking months to complete and being littered with noise, namely false positives and false negatives.
What’s needed now (and going forward) is an approach that utilizes automated scanning to speed up the process of assessing your environment for malicious cyber threats.
We have found that independent scans of your network’s endpoints using a methodology called Forensic State Analysis (FSA) are the most effective approach. An FSA-based approach allows you to:
- Identify all endpoints (hosts, systems, servers, and workloads) within your network environment
- Scan endpoints for installed applications and identify vulnerabilities
- Expose unknown threats — active or dormant — including malware, suspicious code, scripts, autostarts, memory injections, processes, and more
- Review collected threat intelligence data and actionable insights for swift remediation and faster cybersecurity incident response
- Quickly identify entry points, egress points, and root cause analysis (RCA), enabling incident responders to peg and isolate patient zero (the first machine, host, or system infected)
- Cost-effectively complete a full cyber security compromise and risk assessment in a matter of days, rather than the months most compromise assessment (CA) solutions require
- Run compromise assessments as frequently as needed: daily, monthly, quarterly, annually, etc.
A Holistic Approach to Network Security, Endpoint Security, and Overall IT Health
Alleyne also talked about the importance of “cyber threat hunting” to support an approach to proactive security. Cyber threat hunting is similar to a compromise assessment, but instead of simply exposing threats, threat hunters seek to isolate, contain, eradicate, and run post-incident certification (to verify threats are indeed removed). Essentially, threat hunting is cyber security incident response, without the incident.
Establishing your IT environment’s initial compromise state is a great start, but organizations need to incorporate ongoing post-breach detection (aka, threat hunting) into security operations as a proactive measure. This approach enables security and operations teams to create an iterative process for detecting infections that defensive technologies (EDR, AV, etc.) often miss, and mitigate damage that can be caused by hidden persistent compromises.
Datto makes it easy for organizations to incorporate security compromise assessments and ongoing cyber threat hunting into a proactive information and IT risk management strategy.
Using our patent-pending FSA methodology to scan every endpoint in your environment (workstations, servers, workloads, and devices), the HUNT survey validates everything running on them and everything that may be triggered to run (via an autostart or persistence mechanism), and analyzes each system’s volatile memory to discover signs of manipulation or hidden processes. Datto has the unique ability to complete these inspections agentlessly. This means it does not require software to be pre-installed on the systems it is scanning, and it is completely independent of the network’s existing security infrastructure, so your results are untainted.
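To make the FSA idea in the list above and in the HUNT description concrete, here is an added illustration (not Datto's code, and not its data model) of the checks a compromise assessment runs over collected endpoint state: validating running images against a known-good hash baseline, flagging trusted names backed by unknown bytes, flagging processes with no on-disk image, flagging persistence entries that launch from user-writable directories, and a fleet-wide rarity check. All host names, paths and hash values are constructed placeholders.

```python
"""Toy Forensic State Analysis (FSA) pass over a constructed fleet snapshot.
Assumed data model (not Datto's); every hash, path and host name is constructed."""
from collections import Counter
from pathlib import PureWindowsPath

# Known-good image hash -> expected path (placeholder hashes, not real digests).
BASELINE = {"HASH_SVCHOST_OK": r"C:\Windows\System32\svchost.exe",
            "HASH_EXPLORER_OK": r"C:\Windows\explorer.exe"}
BASELINE_NAMES = {PureWindowsPath(p).name.lower() for p in BASELINE.values()}
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\users\\public\\")

def assess_endpoint(host):
    """Return (check, detail) findings for one endpoint's running and autostart state."""
    findings = []
    for p in host["processes"]:
        name = PureWindowsPath(p["path"]).name.lower()
        if not p["on_disk"]:                  # image unlinked or injected: memory only
            findings.append(("memory_resident", p["path"]))
        elif p["sha256"] in BASELINE:         # validated by hash, nothing to report
            continue
        elif name in BASELINE_NAMES:          # trusted name, unknown bytes
            findings.append(("masquerade", p["path"]))
        else:
            findings.append(("unknown_binary", p["path"]))
    for a in host["autostarts"]:              # persistence launching from user-writable dirs
        if any(m in a["target"].lower() for m in USER_WRITABLE):
            findings.append(("persistence_user_writable", a["key"]))
    return findings

def assess_fleet(hosts):
    """Per-host findings plus a fleet check: a non-baseline image seen on a single host."""
    report = {h["name"]: assess_endpoint(h) for h in hosts}
    prevalence = Counter(sha for h in hosts
                         for sha in {p["sha256"] for p in h["processes"] if p["on_disk"]})
    for h in hosts:
        for p in h["processes"]:
            if p["on_disk"] and p["sha256"] not in BASELINE and prevalence[p["sha256"]] == 1:
                report[h["name"]].append(("rare_in_fleet", p["path"]))
    return report

FLEET = [  # constructed snapshot of three endpoints; "key" is a shortened autostart location
    {"name": "ws01", "autostarts": [{"key": "Run\\Agent", "target": r"C:\Program Files\Vendor\agent.exe"}],
     "processes": [{"path": r"C:\Windows\System32\svchost.exe", "sha256": "HASH_SVCHOST_OK", "on_disk": True}]},
    {"name": "ws02", "autostarts": [{"key": "Run\\upd", "target": r"C:\Users\bob\AppData\Roaming\upd.exe"}],
     "processes": [{"path": r"C:\Users\Public\svchost.exe", "sha256": "HASH_UNKNOWN_1", "on_disk": True}]},
    {"name": "ws03", "autostarts": [],
     "processes": [{"path": r"C:\Windows\System32\rundll32.exe", "sha256": None, "on_disk": False}]},
]
```

Calling assess_fleet(FLEET) reports ws01 as clean, ws02 with a masquerading svchost.exe, a user-writable persistence entry and a fleet-rare image, and ws03 with a memory-only process; a real assessment would collect this state from live systems and use a vendor or organizational hash baseline.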
Conclusion
Our networks will always have a degree of vulnerability as organizations struggle to keep determined attackers out of their networks, and skilled attackers can successfully remain hidden for months, sometimes years, before being discovered. Unless you can measure the current compromise state of your network, your cybersecurity risk profile is incomplete.