PREDICTIVE INTELLIGENCE
can be exploited, i.e. sneaking past the inattentive security guards and going through unlocked doors into areas of the house.

A compromise assessment, then, is equivalent to combing through corners of the building for evidence of intrusion or attempted intrusion, such as footprints not belonging to any house occupant, tools for further break-in left behind, or CCTV footage of intruders jumping in and out without detection.
Where is the value?
Going by the example above, it might sound tempting to dismiss the value of assessing the state of compromise of an entity, since compromise could have already occurred. However, it is important to note that in many cases the attacker may be unable to further their activities and would exercise patience, maintaining persistence within the network until the right moment presents itself.
As cyberattackers now operate with different agendas and motives – political, nation-state funded or financial – and organisations deploy advanced detection solutions, cybercriminals have adapted their attacks to become increasingly evasive and persistent.

According to a recent FireEye report, firms in Europe, the Middle East and Africa on average take nearly six months to detect cyberattacks. An average attacker’s dwell time of six months is alarming and shows that a compromise assessment at any time could potentially prevent an attacker from claiming what they are after.
Compromise assessment – best practices
Approaches to a compromise assessment will usually vary by the engagement firm and client environment; however, an assessment of this type would usually involve the deployment of advanced diagnostic listening tools with behavioural analysis and forensics capability for a period, to look for indicators of compromise (IOCs) or advanced persistent threats (APTs). These IOCs could consist of malware hashes, filenames of files in the wrong folders, and malware execution patterns.

Compromise assessment provides proof of the previously unidentified footprint of an attacker or of the existence of indicators of compromise.
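A worked example of the three IOC classes named above (malware hashes, files in the wrong folders, and execution patterns), added here and not part of the original article: a small Python triage routine run over a constructed set of endpoint artefacts, i.e. files as an endpoint agent would collect them plus parent/child process events. The indicator set, the expected-folder table and the sample files and events are all constructed for illustration and are not real indicators.

```python
import hashlib
import ntpath
from dataclasses import dataclass
# Constructed indicator set for illustration only; these are not real IOCs.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed-malware-sample").hexdigest()}
# Folders where this system binary legitimately lives; a copy elsewhere is an IOC.
EXPECTED_DIRS = {"svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"}}
# Execution pattern: an Office application spawning a script host.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

@dataclass
class FileArtifact:
    path: str       # full path as collected by the endpoint agent
    content: bytes  # file bytes, hashed below

@dataclass
class ProcessEvent:
    parent: str     # image name of the parent process
    child: str      # image name of the spawned process

def check_file(f: FileArtifact) -> list[str]:
    """Hash-match and wrong-folder checks for one collected file."""
    findings = []
    name, folder = ntpath.basename(f.path).lower(), ntpath.dirname(f.path).lower()
    if hashlib.sha256(f.content).hexdigest() in KNOWN_BAD_SHA256:
        findings.append(f"hash-match: {f.path}")
    if name in EXPECTED_DIRS and folder not in EXPECTED_DIRS[name]:
        findings.append(f"wrong-folder: {name} in {folder}")
    return findings

def check_process(e: ProcessEvent) -> list[str]:
    """Execution-pattern check: Office app launching a script host."""
    if e.parent.lower() in OFFICE_APPS and e.child.lower() in SCRIPT_HOSTS:
        return [f"exec-pattern: {e.parent} -> {e.child}"]
    return []

def assess(files, events) -> list[str]:
    """Run every check over the collected artefacts and process events."""
    return ([x for f in files for x in check_file(f)]
            + [x for e in events for x in check_process(e)])

# Constructed sample collection: a clean file, a masquerading svchost, a bad hash.
SAMPLE_FILES = [FileArtifact(r"C:\Windows\System32\svchost.exe", b"legit"),
                FileArtifact(r"C:\Users\Public\svchost.exe", b"dropped copy"),
                FileArtifact(r"C:\Temp\update.exe", b"constructed-malware-sample")]
SAMPLE_EVENTS = [ProcessEvent("explorer.exe", "winword.exe"),
                 ProcessEvent("WINWORD.EXE", "powershell.exe")]
FINDINGS = assess(SAMPLE_FILES, SAMPLE_EVENTS)  # three findings on this sample
```

Each finding names the artefact it came from so an analyst can pivot to the endpoint and timeline it; the wrong-folder check is what catches the masquerading system binary, which a hash lookup alone would miss.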
The service differentiator
Utilising the right approach and deploying best-in-class technologies is a critical part of conducting a thorough and effective compromise assessment. However, the analysis of the data captured during the listening phase is the most critical. Organisations should engage providers that have the right human competencies for threat hunting and forensics to identify appropriate relationships between indicators and artefacts.
A systematic approach to compromise prevention
External/internal VA/PT
The first step in assessing the security of an infrastructure is to perform a vulnerability assessment/penetration test (VA/PT) on it. These should be performed by seasoned ethical hackers who do not rely solely on tools but instead follow a stringent manual methodology that provides a 360-degree view of your security controls.
Solution deployment
This requires the deployment of intelligence sources in the infrastructure under investigation, such as sensors for monitoring anomalous events in network traffic and agents on endpoints for malware and digital forensic analysis.
Forensics analysis
Incident response handling procedures, including assessment of the incident damage and digital forensics investigations, are among the top services needed in this phase.
Issue 09 | www.intelligentciso.com