What is a Compromise Assessment?
Would you know if you were breached? Cyber attackers often work undetected in a network for months or even years. They frequently enter through “legitimate” paths, setting off no alarms and leaving no trace of forced entry. Like a sniper, attackers lie in wait, gathering or exfiltrating confidential intel and building a profile of your business while looking for the perfect time to strike. Reducing the dwell time of an attack is the most crucial element to limiting the damage it can cause.
Compromise assessments seek to find attackers who are currently in the environment or that have been active in the recent past, in a similar way to what an incident response firm would do in the event of a breach: it is an inside–out investigation and security audit of the organization’s internal environment, applications, infrastructures, and endpoints.
Compromise assessments look at the system from the inside, searching for malware that has attempted to or successfully compromised the network to provide insights on which vulnerabilities are being exploited. Results are based on suspicious user behaviors, extensive log review, Indicators of Compromise (IOCs), and any other evidence of malicious activity (past or present) to identify attackers residing in the current environment.
Regular compromise assessments are also a regulatory requirement in many countries.
But how do compromise assessments work? Here is a rundown of the key steps that Blackpanda’s Level 3 Threat Hunting specialists carry out on client systems when conducting a compromise assessment.
Step 1: Onboarding and Network Normalization
While Security Information and Event Management (SIEM), Endpoint Detection and Response (EDR) and other automated security solutions seek known malware and common malicious behaviors, new malware variants or attacks carried out by seemingly legitimate actors often go undetected. At Blackpanda our specialists perform a thorough investigation of our client’s systems to identify IOCs, attacker Tactics, Techniques, and Procedures (TTPs), and threats such as Advanced Persistent Threats (APTs) evading your existing security system.
After assessing an organization’s security posture, we deploy SentinelOne’s next-generation Singularity platform to gather security logs and data for two weeks. This creates a baseline of behavior, gives us a detailed view of the endpoint’s network traffic and security events and prepares the environment for advanced threat hunting queries.
Step 2: Active Threat Hunting
Our Level 3 Threat Hunting specialists conduct extensive log investigations using a proprietary list of over 120 advanced threat hunting queries, updated weekly to reflect the most recent threat intelligence.
These hyper-customized queries are designed to uncover suspicious and malicious activities, including behavioral searches meant to identify highly sophisticated and previously unknown (so-called 0-day) strains of malware.
Sample queries used by Blackpanda include:
- T1081: Suspicious access to credentials
- T1083: Detected directory enumeration
- T1497: A hook was placed in the mouse
- T1503: Sensitive data was decrypted
Our bespoke Threat Hunting guarantees a clear picture of all ongoing, potential and past breaches in the system at the time of conducting the analysis.
Step 3: Threat Reporting and Containment
Once our threat hunters have meticulously looked through all computer logs, a report is produced detailing findings and delineating a path to action based on the state of the system.
Typical findings include attacks in their early stages, such as a password brute force attempt against an account before it has been breached. We also detect ongoing or past attacks through the identification of known malware and the presence of known-bad behaviors (network beaconing, IOCs, PowerShell scripting). Our Incident Response (IR) specialists can then proceed to contain a live incident and restore the organization’s security baseline.
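As an added illustration (not Blackpanda’s proprietary queries), here is the shape two of the hunting checks described in Step 2 and this section take when run over collected logs: a password brute force pattern (repeated failures followed by a success) and periodic outbound beaconing. The log events are constructed samples.

```python
# Two simple threat-hunting checks over constructed log data (added example).
from collections import defaultdict
from statistics import mean, pstdev

# Constructed auth events: (timestamp_seconds, source_ip, user, outcome)
AUTH_EVENTS = [
    (0, "10.0.0.5", "alice", "fail"), (5, "10.0.0.5", "alice", "fail"),
    (9, "10.0.0.5", "alice", "fail"), (14, "10.0.0.5", "alice", "fail"),
    (20, "10.0.0.5", "alice", "fail"), (25, "10.0.0.5", "alice", "success"),
    (30, "10.0.0.9", "bob", "fail"), (400, "10.0.0.9", "bob", "success"),
]

# Constructed outbound connections: (timestamp_seconds, host, destination)
NET_EVENTS = [(t, "ws-17", "203.0.113.7") for t in range(0, 3600, 300)] + [
    (12, "ws-03", "198.51.100.2"), (700, "ws-03", "198.51.100.2"),
    (710, "ws-03", "198.51.100.2"), (2900, "ws-03", "198.51.100.2"),
]

def find_bruteforce(events, threshold=5, window=60):
    """Map (source, user) pairs with >= threshold failures inside `window`
    seconds to whether a success followed (a likely breached account)."""
    by_pair = defaultdict(list)
    for ts, src, user, outcome in sorted(events):
        by_pair[(src, user)].append((ts, outcome))
    findings = {}
    for pair, seq in by_pair.items():
        fails = [ts for ts, o in seq if o == "fail"]
        for i in range(len(fails) - threshold + 1):
            if fails[i + threshold - 1] - fails[i] <= window:
                last_fail = fails[i + threshold - 1]
                findings[pair] = any(o == "success" and ts > last_fail for ts, o in seq)
                break
    return findings

def find_beacons(events, min_conns=6, max_jitter=0.1):
    """Map host->destination pairs whose connection intervals are nearly
    constant (stdev/mean below max_jitter) to their mean interval: beaconing."""
    by_pair = defaultdict(list)
    for ts, host, dst in sorted(events):
        by_pair[(host, dst)].append(ts)
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_conns:
            continue  # too few connections to judge periodicity
        gaps = [b - a for a, b in zip(times, times[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            beacons[pair] = mean(gaps)
    return beacons
```

The brute force check reports alice’s account as breached (five failures in 20 seconds, then a success), while bob’s single failure is ignored; only ws-17’s every-300-second connections qualify as a beacon.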
Ultimately, the goal of the assessment is to rapidly identify critical vulnerabilities, adversary activity, or malicious logic. Once the assessment is complete, Blackpanda makes recommendations regarding the proper response and offers to preserve collected evidence for the organization to allow them to conduct a formal forensic investigation into the root cause and attribution of the attack.
Step 4: Continued Support
Unlike AI-led, automated threat hunting, our compromise assessment services are human-driven. Experts personally pore over logs to create a holistic picture of the network. This way, we can support an organization’s cyber defences beyond the Threat Hunting exercise, flagging activities that are damaging to the organization’s security. Along the way, we gain a deep understanding of an organization’s security posture and its specific needs, tailoring our ongoing services to fit the custom requirement set defined by its industry, regional landscape, and the latest trends in cyber attacks.
How Often Should Your Business Conduct a Compromise Assessment?
Global financial institutions have internal teams, just like Blackpanda’s, conducting compromise assessments on a daily basis, as their risk tolerance for being unaware of an active breach is essentially nil. For smaller companies that can assume a higher risk tolerance, compromise assessments can be conducted weekly, monthly, or even quarterly; the decision regarding frequency is ultimately a financial cost-benefit analysis for each business.
Blackpanda recommends a minimum of quarterly compromise assessments in Asia due to the average dwell time of 90 days, that is, the amount of time it takes for a victim to detect an active intrusion. Conducting compromise assessments on a quarterly basis helps victims to preempt an active breach instead of stumbling on it accidentally in a normal dwell time scenario. A compromise assessment thus reduces the damage that would otherwise be inflicted.
Third-party compromise assessments are the gold standard, as they are objective and impartial, while limiting the possibility of insider threat during the course of the operation.
Blackpanda’s experts are able to dig deeper than what is expected day-to-day in real-time monitoring. Additionally, the assessment brings tools and techniques like Digital Forensic Analysis and Behavior Analytics that are typically reserved for incident response. Investigators are better suited for detecting post-compromise activity. Compromise assessments are an extremely effective defense-in-depth measure an organization can use to find any threats that have made it past its defenses.
An independent compromise assessment can uncover compromises that may have gone undetected, thereby providing the evidence needed to justify additional security investments.
Many organizations do not have adequate investment levels for cyber security or do not have the time or resources to implement all the necessary cyber controls. A regular compromise assessment should thus be incorporated into your risk mitigation strategy to ensure your environment is not compromised by attacks that are more sophisticated than what your organization can detect with your current means.
Compromise assessments not only reduce attack dwell time by disrupting and eradicating hidden attackers before they can act, but also root out attackers who steal or abuse legitimate access credentials and show due diligence by assuring investors, regulators, and other stakeholders of your security.