March 02, 2022
The Role of Compromise Assessments in Enterprise Security
Why a Compromise Assessment?
The role of intrusion detection and prevention is typically fulfilled by real-time intrusion protection and detection systems and anti-virus software in conjunction with a continuous monitoring strategy. A compromise or threat assessment differs from intrusion detection in that it is an independent, evidence based assessment reporting your vulnerabilities, suspicious behaviors, possible exploits and indicators of a successful compromise.
Think of a Compromise Assessment or Threat Assessment as a third-party audit of an organization’s security practices based on the evidence collected during the investigation.
During the assessment, providers bring in experts who have a wider authority to dig deeper than what is expected day-to-day in real-time monitoring. Additionally, the assessment brings tools and techniques like Digital Forensic Analysis and Behavior Analytics that are typically reserved for incident response that are better suited for detecting post-compromise activity. Compromise assessments are the most effective defense in depth measure an organization can use to ensure vulnerabilities are known and no threats make it past their defenses.
Many organizations do not have adequate investment levels for cybersecurity or do not have the time or resources to implement all the necessary cyber controls. These organizations do what is recommended to meet compliance regulations and then accept or shift the remaining risk to their cyber insurance policy. For these organizations, a regular assessment should be incorporated into their respective risk mitigation strategies to ensure their environment is not compromised by attacks that are more sophisticated than what the organization can detect at their current level of investment.
Additionally, many organizations have difficulty justifying an increase in their budget or resources when their security posture is not known. An independent compromise assessment can uncover compromises that may have gone undetected, thereby providing the evidence needed to justify additional security investments.
In some cases and industries, a regular compromise assessment may be a viable risk management alternative when continuous monitoring via MDR is cost prohibitive.
Goals for a Successful Compromise Assessment
Over the years, compromise assessments only existed in limited forms as specialized services rendered by boutique incident response firms. The practice has rapidly grown as publicly disclosed breaches reached a fevered pitch. Unfortunately, the methodologies, approaches, and effectiveness of these offerings vary widely as standardization does not yet exist.
The first step to standardize this security practice is to define what a compromise assessment is, as well as the goals and objectives, so we may understand how to best accomplish it and what the minimum requirements would be.
To be widely applicable, the compromise assessment should be:
Effective – At detecting all known variants of malware, remote access tools, and indications of suspicious behaviors and unauthorized access.
Fast – Assess a large network within hours/days using automated network discovery and standard IT access protocols to interrogate the environment.
Affordable – The average organization should be able to conduct it proactively and regularly (i.e. monthly/quarterly) with fixed pricing per endpoint inspected.
Independent – The assessment should not rely exclusively on existing security tools or personnel.
Advanced offerings and solutions should have the ability to go deeper into the detection of new vulnerabilities (Solarigate, Kaseya, etc) and unknown (zero day) malware variants as well. Any assessment methodology selected should deliver on these requirements and should seek to optimize time, cost, and effectiveness. It should be efficient and affordable enough to run at least once a month for the average-sized organization. Additionally, the effectiveness of the assessment should not vary significantly with different security stacks, monitoring and logging practices, or network topologies. Independence enables the assessment to be equally useful to a regional business with only basic protections like a firewall and antivirus or a sophisticated global institution equipped with its own Security Operations Center.
Ultimately, the goal of the assessment is to rapidly identify critical vulnerabilities, adversarial activity or malicious logic – not to perform a complete forensic examination. Once the assessment is complete, recommendations should be made regarding proper response and collected evidence should be packaged for the organization to allow them to conduct an investigation into root cause or actors behind the attack.