A compromise assessment is a comprehensive review of an organization with one objective inquiry – have we been compromised? In other words, based upon your organization’s data and existing log files, are there any indicators of compromise (IoC), or threat actors currently or previously present in the environment?
Compromise Assessment: A Case Study
Cyberattacks that give rise to high-profile data breaches have rapidly and progressively increased in parallel to the ever-expanding threat surface and sophistication of threat actors and their attack methodologies. With such a significant opportunity for threat actors, and regardless of the growing security investments, organizations still battle to identify whether or not they have been compromised. Understanding whether or not your organization has been breached and identifying methods to reduce risk is essential in the prevention of successful cyber threats – something a compromise assessment accomplishes by design.
Reflecting on the indicators of compromise identified in the SolarWinds’ compromise assessment, Microsoft President, Brad Smith, told ‘60 Minutes’ that it was “probably fair to say that this is the largest and most sophisticated attack the world has ever seen.” Further, Brad continued, “When we analyzed everything that we saw at Microsoft, we asked ourselves how many engineers have probably worked on these attacks. And the answer we came to was, well, certainly more than 1,000,”
The supply chain attack, first discovered and disclosed by security firm FireEye and Microsoft in December, after noticing their penetration testing tools were stolen, may have impacted as many as 18,000 organizations as a result of the Sunburst malware planted inside SolarWinds’s Orion software updates – updates most take for granted.
In a White House press briefing, Deputy National Security Advisor for Cyber and Emerging Technology said nine government agencies were breached and much of the 100 private sector US organizations that were breached were technology companies. The attack was unprecedented in scope and impertinence. Suspected Russian spies went digging through the digital files of the U.S. departments of Justice, State, Treasury, Energy, and Commerce and for nine months had unrestricted access to government communications, court documents and even weapons intelligence, including nuclear secrets. “We believe it took months to plan and execute this compromise. It’ll take us some time to uncover this, layer by layer,” said Neuberger as the full depth compromise assessment remains ongoing.
At Packetlabs, the primary objective of our compromise assessment is to assist an organization in identifying risks, security incidents and any persistent threat activity (active or dormant) within your network environment. A compromise assessment is not a penetration test. A compromise assessment makes use of specific tools to identify infected assets within your organization with an amalgamation of advanced technologies to look at the current state of the health of your organizations’ security posture and is integral to outlining the remediation of any identified threats.
Compromise Assessment Core Objectives
- Gain visibility of malicious files and activity, identify and confirm a security breach.
- Reduce the impact of a breach due to early discovery and prompt engagement of the incident response process.
- Improve understanding of the effectiveness and limitations of existing control processes.
- Provide your IT teams with an increased situational awareness of systematic risk exposure.
- Increase an organization’s readiness for future incidents.
At the initiation of a compromise assessment, security consultants work up a plan of action. The plan serves to develop a working understanding of the course of action, for the compromise assessment, based on the individual system requirements of each client – strategy is vital. Since understanding the environment is critical to the success of any compromise assessment, it is very important to settle on a clear plan with clients before beginning.
The compromise assessment phase is then initiated by security consultants in accordance with the devised plan. Consultants typically initiate the compromise assessment process by monitoring, scanning and manually checking all networks, endpoints and security log files for indicators of compromise. To do this, consultants use existing security tools already in place including Intrusion Detection, Intrusion Prevention and SIEM tools, and further, consultants deploy a variety of additional monitoring and detection solutions for a more in-depth analysis.
In the next phase, we identify all the systems and applications affected by the compromise. We review the affected assets involved in the attack and try to determine the attacker’s methodology and course of action. Our consultants carry out an in-depth review of the attack and try to find the weak vectors in your security infrastructure that may have enabled initial access to the threat actors. Finally, our consultants then conduct a business impact evaluation which includes establishing if and how your organization’s sensitive data may have been exposed or affected based on the nature of the attack as well as the legal and financial consequences. To conclude the compromise assessment, our consultants make recommendations for remediation to deal with the impact of the compromise.
A Packetlabs compromise assessment, in addition to our penetration testing services, provide any organization with the security expertise required to avoid undue financial impacts, (including compliance and regulatory fines), business interruption and reputation loss by increasing overall security posture, staff awareness and identifying any additional methods or risk reduction.