What is a Compromise Assessment?
Compromise assessments seek to find attackers who are currently in the environment or that have been active in the recent past, in a similar way to what an incident response firm would do in the event of a breach: it is an inside–out investigation and security audit of the organisation’s internal environment, applications, infrastructures, and endpoints.
Compromise assessments look at the system from the inside, searching for malware that has attempted to or successfully compromised the network to provide insights on which vulnerabilities are being exploited. Results are based on suspicious user behaviours, extensive log review, Indicators of Compromise (IOCs), and any other evidence of malicious activity (past or present) to identify attackers residing in the current environment.
A compromise assessment is composed of 4 key steps:
- Onboarding and Network Normalisation—After assessing an organisation’s security posture, we deploy EDR to gather security logs and data for two weeks. This creates a baseline of behaviour, gives us a detailed view of the endpoint’s network traffic and security events and prepares the environment for advanced threat hunting queries.
- Active Threat Hunting — Our Level 3 Threat Hunting specialists conduct extensive log investigations using a proprietary list of over 120+ advanced threat hunting queries, updated weekly to reflect the most recent threat intelligence.
- Threat Reporting and Containment — Once our threat hunters have meticulously looked through all computer logs, a report is produced detailing findings and delineating a path to action based on the state of the system.
- Continued Support — Experts personally pore through logs to create a holistic picture of the network. This way, we can support an organisation’s cyber defences beyond the Threat Hunting exercise, flagging activities that are damaging to the organisation’s security. Along the way, we gain a deep understanding of an organisation’s security posture and its specific needs, tailoring our ongoing services to fit its custom requirement set by its industry, regional landscape, and the latest trends in cyber attacks.
Learn more about how Blackpanda conducts compromise assessments here.
Who needs a compromise assessment?
Global financial institutions have internal teams, just like Blackpanda’s, conducting compromise assessments on a daily basis, as their risk tolerance for being unaware of an active breach is essentially nil.
For smaller companies which can assume a higher risk tolerance, compromise assessments can be conducted weekly, monthly, or even quarterly -- the decision regarding frequency is ultimately a financial cost-benefit analysis for each business.
Whilst a strong digital infrastructure and good cyber hygiene can protect organisations from up to 90% of cyber risks, they are not sufficient. Attackers are continuously working to find loopholes in the system, and a singular instance of negligence can severely compromise the cyber security of the company. Blackpanda’s cyber security compromise assessment services for small businesses can help your organisation improve its cyber security posture. Learn more about who needs a compromise assessment here.
What is the Difference Between Penetration Testing and Compromise Assessments?
Vulnerability Assessment and Penetration Testing (VAPT), also known as “red teaming”, is a preventive measure to gain awareness of the organisation’s cyber weaknesses, so they can be patched before an attack takes place.
Whilst VAPT can be useful in determining what may go wrong, if an attacker is currently compromising the system, there is no way of detecting this through VAPT alone. Limiting the dwell time of an attack is the single best thing that can be done to limit its damages and improve the chances of eradicating it and successfully restoring system health.
Given the speed at which attacks can spread from one infected endpoint to all network endpoints, early detection of an incident can make the difference between a business surviving an attack and having to shut down due to extensive damages.
Compromise Assessments fulfil the same due diligence requirements as VAPTs, but look at the system from the inside, searching for malware that has attempted to or has successfully compromised the network and providing insights on what vulnerabilities are being exploited.
Compromise assessments thus offer a real-time view of the company’s security posture, and offer the opportunity to promptly respond to any attack before it gets out of hand. By adopting the same inside-out strategy as incident response, compromise assessments are both a preventive and a proactive tool to safeguard and improve an organisation’s cyber security.
Once an attack has been identified in a compromise assessment, the company can immediately initiate the process of containing and eradicating the incident. This is key in safeguarding the organisation’s cyber health and even its overall survival, as the dwell time of a cyber attack is the most important factor determining the severity of the compromise. The longer an attack dwells in the network, the more damage the attackers can do and the higher the chances that the organisation will not be able to recover from the breach.
Learn more about the key differences between VAPT and compromise assessments here.
Regular compromise assessments are crucial to protect a company’s cyber security. An independent compromise assessment can uncover compromises that may have gone undetected, thereby providing the evidence needed to justify additional security investments.
To request information about a Blackpanda compromise assessment on your network, contact us.