The Role of Compromise Assessments in Enterprise Security

By Elizabeth Fichtner

Why a Compromise Assessment?

The role of intrusion detection and prevention is typically fulfilled by real-time intrusion protection and detection systems and anti-virus software in conjunction with a continuous monitoring strategy. A compromise or threat assessment differs from intrusion detection in that it is an independent, evidence based assessment reporting your vulnerabilities, suspicious behaviors, possible exploits and indicators of a successful compromise.

Think of a Compromise Assessment or Threat Assessment as a third-party audit of an organisation’s security practices based on the evidence collected during the investigation.

During the assessment, providers bring in experts who have a wider authority to dig deeper than what is expected day-to-day in real-time monitoring. Additionally, the assessment brings tools and techniques like Digital Forensic Analysis and Behavior Analytics that are typically reserved for incident response that are better suited for detecting post-compromise activity. Compromise assessments are the most effective defense in depth measure an organisation can use to ensure vulnerabilities are known and no threats make it past their defenses.

Many organisations do not have adequate investment levels for cybersecurity or do not have the time or resources to implement all the necessary cyber controls. These organisations do what is recommended to meet compliance regulations and then accept or shift the remaining risk to their cyber insurance policy. For these organisations, a regular assessment should be incorporated into their respective risk mitigation strategies to ensure their environment is not compromised by attacks that are more sophisticated than what the organisation can detect at their current level of investment.

Additionally, many organisations have difficulty justifying an increase in their budget or resources when their security posture is not known. An independent compromise assessment can uncover compromises that may have gone undetected, thereby providing the evidence needed to justify additional security investments.

In some cases and industries, a regular compromise assessment may be a viable risk management alternative when continuous monitoring via MDR is cost prohibitive.

Goals for a Successful Compromise Assessment

Over the years, compromise assessments only existed in limited forms as specialised services rendered by boutique incident response firms. The practice has rapidly grown as publicly disclosed breaches reached a fevered pitch. Unfortunately, the methodologies, approaches, and effectiveness of these offerings vary widely as standardisation does not yet exist.

The first step to standardise this security practice is to define what a compromise assessment is, as well as the goals and objectives, so we may understand how to best accomplish it and what the minimum requirements would be.

To be widely applicable, the compromise assessment should be:

  • Effective – At detecting all known variants of malware, remote access tools, and indications of suspicious behaviors and unauthorised access.

  • Fast – Assess a large network within hours/days using automated network discovery and standard IT access protocols to interrogate the environment.

  • Affordable – The average organisation should be able to conduct it proactively and regularly (i.e. monthly/quarterly) with fixed pricing per endpoint inspected.

  • Independent – The assessment should not rely exclusively on existing security tools or personnel.

Advanced offerings and solutions should have the ability to go deeper into the detection of new vulnerabilities (Solarigate, Kaseya, etc) and unknown (zero day) malware variants as well. Any assessment methodology selected should deliver on these requirements and should seek to optimise time, cost, and effectiveness. It should be efficient and affordable enough to run at least once a month for the average-sized organisation. Additionally, the effectiveness of the assessment should not vary significantly with different security stacks, monitoring and logging practices, or network topologies. Independence enables the assessment to be equally useful to a regional business with only basic protections like a firewall and antivirus or a sophisticated global institution equipped with its own Security Operations Center.

Ultimately, the goal of the assessment is to rapidly identify critical vulnerabilities, adversarial activity or malicious logic – not to perform a complete forensic examination. Once the assessment is complete, recommendations should be made regarding proper response and collected evidence should be packaged for the organisation to allow them to conduct an investigation into root cause or actors behind the attack.

Suggested Next Reads